• Status: Solved

VPN on ASA based on computer name

I have VPN setup and working fine on our ASA 5550 using LDAP.  I have a Windows 2k8 server setup and successfully running NPS (new name for IAS) which is working great so far for other things.  Now I'd like to join the two together and use "Radius" on the NPS server to authenticate my VPN users.  But I'd also like it to look at the computer name they are coming from so we can allow only company owned laptops/PCs to connect.  I see in the policies on NPS that you can specify a group that the machine needs to belong to as an additional criteria but looking at the event logs on the NPS server it looks like the client's computer name is not being passed to NPS so it ignores a policy that has this additional criteria in it and goes on to other policies.  If I take the computer name criteria out of the policy then it gets used.  Anyone got something like this working?
Asked by: robbie_woodley
1 Solution
arnold commented:
In this case you should use certificates.  I.e. each system will need a certificate to establish the IPSEC connection and then radius will be used as the second form of authentication (X-auth).
You would need to have an internal CA (PKI) that will be issuing and signing the certificates used by the client systems and will be setup on the ASA.

The ASA only sees the IP from which the request comes.  And all it passes to the radius server is its IP and the username/password provided by the user.  The NPS/IAS validates the user/password and makes sure the user belongs to a group authorized for VPN access.
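To make the answer's point concrete, here is an added illustration (not code from the thread, from Cisco, or from Microsoft) of what a RADIUS Access-Request from a VPN concentrator actually carries and why an NPS policy that also conditions on a machine group is skipped. The packet and User-Password hiding follow RFC 2865; the shared secret, username, NAS address, the `USER_GROUPS` directory stand-in and the `Machine-Identity` attribute name are constructed placeholders for the illustration and not real protocol or product identifiers.

```python
"""Constructed RADIUS Access-Request as a VPN gateway would send it to NPS.

Added example: builds the request with only the attributes the answer names
(NAS IP, username, password), decodes it, and runs a simplified NPS-style
policy walk that shows a machine-group condition can never be satisfied.
Attribute numbers come from RFC 2865; all sample values are made up.
"""
import hashlib
import struct

ACCESS_REQUEST = 1
# RFC 2865 attribute type numbers -> names (only the ones used here)
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 31: "Calling-Station-Id"}


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decrypt_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_user_password; chaining uses the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, nas_ip: str,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request carrying exactly what the answer says the gateway passes on."""
    attrs = b""
    for attr_type, value in (
        (1, username.encode()),
        (2, encrypt_user_password(password.encode(), secret, authenticator)),
        (4, bytes(int(octet) for octet in nas_ip.split("."))),
    ):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, 42, 20 + len(attrs))  # id 42 is arbitrary
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Decode the attribute list into {name: raw value}, rejecting malformed lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


# Constructed stand-in for the directory lookup NPS performs for a "User Groups" condition.
USER_GROUPS = {"jsmith": {"VPN-Users"}}


def evaluate_policies(attrs: dict, policies: list):
    """Simplified NPS walk: first policy whose conditions all hold wins.

    A machine-group condition needs some machine identity in the request
    ("Machine-Identity" is a hypothetical placeholder for it). Because the
    gateway never sends one, that policy is skipped and the next one is used,
    which is exactly the behaviour the question describes.
    """
    user = attrs.get("User-Name", b"").decode(errors="replace")
    for name, conditions in policies:
        if "machine_group" in conditions and "Machine-Identity" not in attrs:
            continue  # cannot be evaluated -> policy skipped
        if "user_group" in conditions and conditions["user_group"] not in USER_GROUPS.get(user, set()):
            continue
        return name
    return None
```

Running `parse_attributes` on the constructed request yields only User-Name, User-Password and NAS-IP-Address; nothing identifies the endpoint, so the only way to bind the session to a company-owned machine is the per-device certificate the answer recommends, checked by the gateway before RADIUS is ever consulted.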
