• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1713
  • Last Modified:

Cicso ASA 5510 - AnyConnect(VPN) + Network Policy Server (Radius) Delema

This is going to be a bit stumper for a few people.

Hardware and Software involved,  
Windows  2003 Active Directoy Server
WIndows 2008 R2 box with Network Policy Server running in Hyper V (radius)
ASA 5510 in which we are using AnyConnect VPN
All of it is configured and functioning correctly.
I can authenticate through through radius via Anyconnect SSL from an IP address.

Just a run down on how this is how it works,

You go to the internet https:// xxx.xxx.xxx.xxx
accept the certificate
you get the login screen, use AD login, Radius lets me in,
it installs Anyconnect according to the policy I have set in the ASA 5510
**********your in.... (do what you have to do)  ***************
You disconnect from AnyConnect.
Everything uninstalls, cache, temp files  etc...are flushed.
Our information is very sensitive and needs to be secure to access.

This is nice and dandy... BUT
Question i have....
What I would like to do is make sure that only the designated laptops can login, meaning I would NOT like the user to do the above steps from their home computer.... hence comprimising our security and inviting people to hack.
After discussion with a few other people, certificates are a good idea BUT if i have to revoke one,  everyone is down.

I am not sure of there is a way that when someone goes to the https://xxx.xxx.xxx.xxx (which gets you to the ASA) that after 3 or so  tries, it bans the IP etc...

Also this is probably a dumb question... but the answers escapes me,   how to I setup the Windows 2008 R2 Network Policy Server (radius) to limits the login attemps to say "3" before the person is locked out.   AND that I can ban the IP for 24-48 hours or so.  
This is also to discourage people from hacking.

Possible solution which i have thought of,

RSA dongles - hmmmmm NO - they would lose it in 5 minutes (the human factor comes into play here)

Individual certificates ( 125 people ) may be an option but how and what should I use to setup with Radius and ASA 5510.
Advantage if this is that it makes it easier to remoke if a laptop is stolen, but the certificate has to be installed individually, which is not an issue.  
Would be nice if I could do this from the ASA...

MAC address filtering is not an option since people hooking up remotly user home routers..etc....

Secondary set of login is also an option but where can I do so.  

Anyways, I hope I explained everything clearly, if not, ask away.
Essentially I would like to have either a secondary means of authentication or a hardware identity solution.  

Any suggestions or scenerios which have come up with the solutions would be appreciated.




+ Network Policy Server Question
  • 8
  • 4
1 Solution
Here's a thought....  

Have you looked at the Cisco Secure Desktop?   The CSD can be setup to lock down sessions based on criteria found on the connecting system.   This can take many forms, but it will also do a registry check for items if configured.    

Perhaps you caould setup a special registry key on the company laptops...  something hidden away in 3 or 4 different areas with whatever garbage in the key you want.   Then have the CSD check for these keys and deny access if not found.    

If all the laptops are windows, then that might be an options for you.   Definately not as secure as individual certificates, but a sneaky way to keep all but the most technical from accessing the VPN from other machines....  

Heres some info:

booboo613Author Commented:
Thanks for the suggestion, unfortunatly , when AnyConnect Essentials is enabled, Secure Desktop does not work.
I bleive this was done by design from Cisco.  
booboo613Author Commented:
Sorry for the spelling mistakes.
Free recovery tool for Microsoft Active Directory

Veeam Explorer for Microsoft Active Directory provides fast and reliable object-level recovery for Active Directory from a single-pass, agentless backup or storage snapshot — without the need to restore an entire virtual machine or use third-party tools.

Bummer...  then the only other suggestion I would offer is to go with the individual certificates...  
booboo613Author Commented:
If certificates are the only way I can ensure this, Is ther documentation on this anywhere for Win2008 R2.  I have nerver used to setup a cert server before.  

If there would be a way to prevent people from downloading the client from the outside interface via the https://  but from I gather that image is needed for connecting.
This is a rela stupmper.
booboo613Author Commented:
Maybe on the Radius server or does it have to be on the DC?
booboo613Author Commented:
By this you mean "easy" or "pain"
"usually an exercise in drunken goat herding..."

That is an expression I will be using in the future.!!!!!
That gave me a good laugh.  
Ya - Its a pain...  
booboo613Author Commented:
I was afraid of that....Because that is what it looks like.

booboo613Author Commented:
booboo613Author Commented:
By far Experts Exchange has never let me down.  .  

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 8
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now