I have a question about remote VPN client authentication via ASA. The client has to meet the following requirements in order to get access to the company's network.
1. Username/password should match Windows Active Directory user info.
2. The client computer must be a registered domain computer. (The reason for this requirement is to prevent the following incident: one manager knew a teammate's username/password. After he terminated his job at the company, he was able to access the company network using his personal PC and the teammate's username and password.)
I can complete the user authentication via Kerberos, LDAP or RADIUS. However, I cannot find a way to meet the second requirement.
Could you please kindly advise if there is any way to meet both requirements when authenticating a remote client?
Re: Remote client - Windows Computer Authentication
I was faced with a similar requirement to yours. One way to check if a computer is part of the domain is to verify that the host computer has a certificate that is signed by the domain's Certificate Authority. Not sure if your domain has that configured, but that's one way of checking. When the employee leaves and tries to connect with a home computer, it will fail even before he/she gets the username prompt.
Another way is using Cisco Secure Desktop under Config > Remote Access VPN > Secure Desktop Manager > Setup. In there you could check for things like OS version, specific registry keys, files, running processes, etc.
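As an added illustration of the certificate approach described in the reply above (this is example configuration, not something posted by the original author), the ASA side of "machine certificate from the domain CA, then AD username/password" looks roughly like this. The trustpoint name CORP-DOMAIN-CA, the tunnel group CORP-VPN, the AAA server group AD-LDAP, the certificate map DOMAIN-MACHINE and the issuing-CA common name corp-issuing-ca are all assumed names; the CA certificate itself is pasted at the `crypto ca authenticate` prompt and is not shown here.

```cisco
! Assumed example configuration, not from the original thread.
! 1. Trust the domain's issuing CA and check revocation, so a machine
!    certificate that is revoked after a laptop is decommissioned stops working.
crypto ca trustpoint CORP-DOMAIN-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
crypto ca authenticate CORP-DOMAIN-CA
! (paste the PEM of the issuing CA here, then type "quit")

! 2. Only accept client certificates issued by that CA for this tunnel group.
crypto ca certificate map DOMAIN-MACHINE 10
 issuer-name attr cn eq corp-issuing-ca

! 3. Require BOTH a valid certificate and AAA (AD) credentials.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group AD-LDAP
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate

webvpn
 tunnel-group-map enable rules
 tunnel-group-map DOMAIN-MACHINE 10 CORP-VPN
```

Two practical caveats: the certificate must be in the Windows machine store (auto-enrolled to domain computers), not the user store, so the AnyConnect client profile has to be set to use the machine certificate store; and revocation checking matters for the scenario in the question, because a user who walks out with a domain-joined laptop still has a valid machine certificate until it is revoked.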