Solved

ASA Client locked down by Mac Address

Posted on 2013-12-16
Last Modified: 2016-11-23
Experts,
We have a third-party company based in Europe that needs to log into our production environment to do some off-hour work for us.  The way we are planning on accomplishing access for them is through VPN by way of a Dell Wyse Thin Client.

The thin client is running Windows 8 and a Cisco ASA VPN client.  Our firewalls are ASA 1500.  My goal is to lock this company down so they can only access our production environment through the thin client.  Is it possible to create a VPN account that locks a user down by MAC address?

If not, I would appreciate some suggestions on how I can do this using ASA client /  Firewalls.

Thanks
John
Question by:hexvader
3 Comments
 
Accepted Solution

by:
Henk van Achterberg earned 500 total points
ID: 39722658
You can use certificate based login and import the certificate on the thin client but leave the "export" checkbox unticked.

This way they cannot export the certificate to another client.

NOTE: There are "tools" like mimikatz which can export those certificates so it is not 100% safe.
Expert Comment

by:Pete Long
ID: 39723284
Agreed, certificates are the best option; it's pretty simple to set up.
Securing Cisco SSL VPN's with Certificates

PL
Author Closing Comment

by:hexvader
ID: 39953742
Although I didn't use Henk's certificate-based solution to solve the problem, his idea led me to do more research and I came across a function of my firewalls called Host Scan that allowed me to solve the problem.