How to control/prevent the profile (.pcf) files on VPN client?
My setup is like this:
VPN client --> Concentrator 3030 --> PIX --> Microsoft IAS (RADIUS) --> Microsoft Active Directory.
I have group authentication enabled for the client to authenticate with the concentrator, and then for user authentication MS Active Directory is used through a RADIUS server (Microsoft IAS).
(a) All the remote users connect to the Cisco VPN concentrator using the local profile (.pcf). There are two profiles available, one having more access privileges on the LAN and the other having very limited access.
(b) The remote client first uses Group Authentication method to authenticate to the VPN concentrator using the username and encrypted password stored in the local profile (*.pcf).
(c) After that the user will get authenticated on to the LAN by the Active Directory through IAS (RADIUS) server.
The local profile (.pcf) is stored on the client side, and it also contains a factor which determines the type of privilege (either more or less privileges) the user gets on the network. So currently, if a remote client who is supposed to have very limited access on the LAN obtains a privileged access profile to connect, the risk is high since he gets more privileges on the LAN.
Currently I have noticed that some users copy the more privileged access profile themselves and use it to replace their original profile file to obtain more access.
Any help/advice on how to control this? Or is there any alternate solution available on the VPN concentrator or on Microsoft IAS (RADIUS)/Active Directory?