booboo613 asked:
Cisco ASA 5510 - AnyConnect (VPN) + Network Policy Server (RADIUS) Dilemma

This is going to be a bit of a stumper for a few people.

Hardware and software involved:
Windows 2003 Active Directory server
Windows 2008 R2 box with Network Policy Server running in Hyper-V (RADIUS)
ASA 5510 on which we are using AnyConnect VPN
All of it is configured and functioning correctly.
I can authenticate through RADIUS via AnyConnect SSL from an IP address.

Just a rundown on how it works:

You go to https://xxx.xxx.xxx.xxx on the internet,
accept the certificate,
you get the login screen, use your AD login, RADIUS lets me in,
it installs AnyConnect according to the policy I have set in the ASA 5510
**********you're in.... (do what you have to do)  ***************
You disconnect from AnyConnect.
Everything uninstalls; cache, temp files etc. are flushed.
Our information is very sensitive and needs to be secure to access.

This is nice and dandy... BUT
Question I have....
What I would like to do is make sure that only the designated laptops can log in, meaning I would NOT like the user to do the above steps from their home computer.... hence compromising our security and inviting people to hack.
After discussion with a few other people, certificates are a good idea, BUT if I have to revoke one, everyone is down.

I am not sure if there is a way that when someone goes to https://xxx.xxx.xxx.xxx (which gets you to the ASA), after 3 or so tries, it bans the IP etc...

Also, this is probably a dumb question... but the answer escapes me: how do I set up the Windows 2008 R2 Network Policy Server (RADIUS) to limit the login attempts to say "3" before the person is locked out, AND so that I can ban the IP for 24-48 hours or so?
This is also to discourage people from hacking.

Possible solutions which I have thought of:

RSA dongles - hmmmmm NO - they would lose it in 5 minutes (the human factor comes into play here)

Individual certificates (125 people) may be an option, but how and what should I use to set this up with RADIUS and the ASA 5510?
The advantage of this is that it makes it easier to revoke if a laptop is stolen, but the certificate has to be installed individually, which is not an issue.
Would be nice if I could do this from the ASA...

MAC address filtering is not an option since people hooking up remotely use home routers, etc....

A secondary set of logins is also an option, but where can I set that up?

Anyways, I hope I explained everything clearly, if not, ask away.
Essentially I would like to have either a secondary means of authentication or a hardware identity solution.  

Any suggestions or scenarios which have come up with solutions would be appreciated.
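The "3 attempts then lock out" part of the question is handled on the NPS side by the remote access account lockout feature, which is driven by two registry values rather than by a setting in the NPS console. The following PowerShell is an added example (not from the thread or from either participant) that sets three denials and a 48-hour reset window on the 2008 R2 NPS box and reads the result back; the key path, value names and the service name IAS are the ones Microsoft documents for this feature. Two caveats a practitioner would want: this lockout is tracked per user account for RADIUS authentication only (it is independent of the AD account lockout policy) and it does not ban the caller's source IP, so it answers the attempt-limit question but not the IP-ban question.

```powershell
# Added example: configure NPS remote access account lockout (not from the thread).
# Run elevated on the NPS server. Key path and value names are those of the
# documented Windows "remote access account lockout" feature.
$lockoutKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout'

$maxDenials   = 3     # failed attempts before the account is locked for RADIUS auth (0 disables the feature)
$resetMinutes = 2880  # 48 hours: the failed-attempt counter (and any lockout) is cleared after this many minutes

# Create the key if this server has never had the feature enabled.
if (-not (Test-Path $lockoutKey)) {
    New-Item -Path $lockoutKey -Force | Out-Null
}

# Both values are DWORDs; note the space in the second value name.
Set-ItemProperty -Path $lockoutKey -Name 'MaxDenials'       -Value $maxDenials   -Type DWord
Set-ItemProperty -Path $lockoutKey -Name 'ResetTime (mins)' -Value $resetMinutes -Type DWord

# NPS reads these values when it starts, so restart the service (service name IAS,
# display name "Network Policy Server").
Restart-Service -Name IAS

# Read back what is now in effect.
Get-ItemProperty -Path $lockoutKey | Select-Object MaxDenials, 'ResetTime (mins)'

# While a lockout is active, the locked account appears as a subkey named
# "domain name:user name" under the same key; deleting that subkey clears the
# lockout manually before the reset time expires.
Get-ChildItem -Path $lockoutKey | Select-Object PSChildName
```

Because the counter is keyed on the username, a run of bad passwords against a known account locks that account for the full reset window, so pair this with NPS accounting or event log monitoring so that a burst of lockouts is noticed rather than just absorbed.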
MikeKane:

Here's a thought....  

Have you looked at the Cisco Secure Desktop? The CSD can be set up to lock down sessions based on criteria found on the connecting system. This can take many forms, but it will also do a registry check for items if configured.

Perhaps you could set up a special registry key on the company laptops... something hidden away in 3 or 4 different areas with whatever garbage in the key you want. Then have the CSD check for these keys and deny access if not found.

If all the laptops are Windows, then that might be an option for you. Definitely not as secure as individual certificates, but a sneaky way to keep all but the most technical from accessing the VPN from other machines....

Here's some info:
https://supportforums.cisco.com/docs/DOC-1247;jsessionid=2934AD302F0C957364342A8EBC3A98B1.node0

booboo613 (asker):

Thanks for the suggestion; unfortunately, when AnyConnect Essentials is enabled, Secure Desktop does not work.
I believe this was done by design by Cisco.
Sorry for the spelling mistakes.

Bummer...  then the only other suggestion I would offer is to go with the individual certificates...  
If certificates are the only way I can ensure this, is there documentation on this anywhere for Win2008 R2? I have never set up a cert server before.

If there were a way to prevent people from downloading the client from the outside interface via https://... but from what I gather that image is needed for connecting.
This is a real stumper.
Maybe on the RADIUS server, or does it have to be on the DC?
ASKER CERTIFIED SOLUTION
MikeKane
By this you mean "easy" or "pain"?
---------------
"usually an exercise in drunken goat herding..."

That is an expression I will be using in the future!!!!!
That gave me a good laugh.

Ya - it's a pain...
I was afraid of that.... Because that is what it looks like.

Anyways,
thanks.
Thanks.
By far, Experts Exchange has never let me down.