This is going to be a bit of a stumper for a few people.
Hardware and software involved:
Windows 2003 Active Directory server
Windows 2008 R2 box with Network Policy Server (RADIUS) running in Hyper-V
ASA 5510 on which we are using AnyConnect VPN
All of it is configured and functioning correctly.
I can authenticate through RADIUS via AnyConnect SSL from an IP address.
Just a rundown of how it works:
You go to the https:// address on the internet,
accept the certificate,
you get the login screen, use your AD login, and RADIUS lets you in,
it installs AnyConnect according to the policy I have set on the ASA 5510,
********** you're in... (do what you have to do) **********
You disconnect from AnyConnect.
Everything uninstalls; cache, temp files, etc. are flushed.
Our information is very sensitive and access to it needs to be secure.
This is all fine and dandy... BUT
Question I have...
What I would like to do is make sure that only the designated laptops can log in, meaning I would NOT like the user to do the above steps from their home computer... hence compromising our security and inviting people to hack.
After discussion with a few other people, certificates are a good idea, BUT if I have to revoke one, everyone is down.
I am not sure if there is a way that when someone goes to https://xxx.xxx.xxx.xxx
(which gets you to the ASA), after 3 or so tries it bans the IP, etc.
Also, this is probably a dumb question... but the answer escapes me: how do I set up the Windows 2008 R2 Network Policy Server (RADIUS) to limit login attempts to, say, "3" before the person is locked out, AND so that I can ban the IP for 24-48 hours or so?
This is also to discourage people from hacking.
Possible solutions which I have thought of:
RSA dongles - hmmmmm, NO - they would lose them in 5 minutes (the human factor comes into play here)
Individual certificates (125 people) may be an option, but how and what should I use to set this up with RADIUS and the ASA 5510?
The advantage of this is that it makes it easier to revoke if a laptop is stolen, but the certificate has to be installed individually, which is not an issue.
Would be nice if I could do this from the ASA...
MAC address filtering is not an option since people connecting remotely use home routers, etc.
A secondary set of logins is also an option, but where can I set that up?
Anyways, I hope I explained everything clearly, if not, ask away.
Essentially I would like to have either a secondary means of authentication or a hardware identity solution.
Any suggestions or scenarios which have come up with these solutions would be appreciated.
+ Network Policy Server Question
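An added example for the NPS lockout part of the question (this is not from the original poster, it is example code written for this page). Windows Server 2008 R2 NPS has a "Remote Access Account Lockout" feature that is controlled only through the registry: MaxDenials is the number of failed attempts before lockout (0 disables it) and "ResetTime (mins)" is how long the lockout and the failure counter persist. The script below sets 3 attempts and a 48-hour reset, lists locked-out accounts, and clears one. Two caveats worth knowing before relying on it: the lockout is per account (values named DOMAIN:user appear under the key), not per source IP, so it does not "ban the IP"; and it is independent of the Active Directory account lockout policy, which can also be enforced on the 2003 domain controller. The registry path, value names and the IAS service name are taken from Microsoft's documentation of the feature; the 3 / 2880 values are assumptions matching the question.

```powershell
# Added example (not the original poster's code). Run in an elevated PowerShell
# on the Windows 2008 R2 NPS server. Assumes the documented registry location of
# the NPS Remote Access Account Lockout feature.

$LockoutKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'
$MaxDenials   = 3      # assumed: failed attempts before lockout (0 = feature disabled)
$ResetMinutes = 2880   # assumed: 48 hours before the lockout/counter is cleared

function Set-NpsAccountLockout {
    param(
        [int]$Denials          = $MaxDenials,
        [int]$ResetTimeMinutes = $ResetMinutes
    )
    if (-not (Test-Path $LockoutKey)) {
        New-Item -Path $LockoutKey -Force | Out-Null
    }
    # -Force overwrites the values if they already exist.
    New-ItemProperty -Path $LockoutKey -Name 'MaxDenials' -Value $Denials `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $LockoutKey -Name 'ResetTime (mins)' -Value $ResetTimeMinutes `
        -PropertyType DWord -Force | Out-Null
    # NPS reads these values when it starts; the service short name is IAS.
    Restart-Service -Name IAS
}

function Get-NpsLockedOutAccounts {
    # NPS records each locked-out account as a value named DOMAIN:user under the key.
    $item = Get-ItemProperty -Path $LockoutKey
    $item.PSObject.Properties |
        Where-Object { $_.Name -match '^[^:]+:[^:]+$' } |
        Select-Object -ExpandProperty Name
}

function Reset-NpsLockedOutAccount {
    # Deleting the DOMAIN:user value clears the lockout immediately, e.g. 'CORP:jsmith'.
    param([Parameter(Mandatory=$true)][string]$Account)
    Remove-ItemProperty -Path $LockoutKey -Name $Account -ErrorAction Stop
}

# Apply the 3-attempt / 48-hour policy and show who is currently locked out.
Set-NpsAccountLockout
Get-NpsLockedOutAccounts
```

The failed-attempt counter lives only on this NPS server, so if you later add a second NPS for redundancy each one counts separately. Because the lockout is keyed on the account rather than the client address, an attacker who knows a username can lock that user out from anywhere; that is the trade-off of this feature and part of why a device certificate (so the ASA rejects connections from unknown machines before any password is tried) is a stronger answer to the "designated laptops only" requirement.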