djhath asked:
How to restrict Cisco AnyConnect VPN connections to domain computers
I have a Cisco ASA 5515 failover pair and a Windows 2008 R2 server that has Network Policy Server installed and uses RADIUS to authenticate Cisco AnyConnect VPN clients.
I am looking for options on how to limit Cisco AnyConnect VPN connections to company laptops.
I considered this - http://www.petenetlive.com/KB/Article/0000335.htm - but understand that Cisco ASA failover pairs cannot be used as local certificate authorities.
My RADIUS server uses the logic "if a user is a member of the AD security group 'VPN Access', they can authenticate". Is it possible to incorporate something similar for computers that are part of the AD domain? Are there any other options I can consider?
ASKER CERTIFIED SOLUTION
ASKER
The solution I provided was the solution used to address the issue.
Do a search on the site you will find..
http://www.petenetlive.com/KB/Article/0001030.htm
Spin up a Microsoft PKI server and secure the VPN with Computer certs, or User certs (or both!). Full instructions on that helpful and informative technical website ;)
Pete
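Added example (not from the question or from Pete's post): the ASA side of the "machine certificate plus RADIUS" design the petenetlive article describes. The point for the asker's question is that NPS never sees the computer identity when AnyConnect sends a username/password over RADIUS, so the "domain computer" check has to happen on the ASA, by requiring a certificate that only domain-joined machines hold (autoenrolled from the Microsoft CA's Computer template) and then passing the user on to NPS as before. Trustpoint, map, server-group, tunnel-group and group-policy names, the NPS address 10.0.0.10, the issuer CN and the corp.example.com suffix are all assumed placeholders; the shared secret is left as a placeholder too.

```text
! Trustpoint holding the Microsoft issuing CA's certificate (import it with
! "crypto ca authenticate CORP-ISSUING-CA"). CRL checking is on so a revoked
! laptop certificate (lost or decommissioned machine) stops working.
crypto ca trustpoint CORP-ISSUING-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
!
! Certificate map: accept only certificates from our issuing CA whose subject CN
! looks like a domain computer FQDN (the Computer template puts host.corp.example.com there).
! The issuer match is what makes this "domain computers only"; the subject match is a
! second guard so a user certificate from the same CA is not accepted by mistake.
crypto ca certificate map DOMAIN-PC-MAP 10
 issuer-name attr cn eq CORP-ISSUING-CA
 subject-name attr cn co .corp.example.com
!
! RADIUS server group pointing at the existing NPS box; the "VPN Access" group
! policy on NPS is unchanged and still gates the user.
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.0.0.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
group-policy GP-DOMAIN-PCS internal
group-policy GP-DOMAIN-PCS attributes
 vpn-tunnel-protocol ssl-client
!
! Tunnel group that requires BOTH a valid certificate and a RADIUS (AAA) login.
tunnel-group DOMAIN-PCS type remote-access
tunnel-group DOMAIN-PCS general-attributes
 authentication-server-group NPS-RADIUS
 default-group-policy GP-DOMAIN-PCS
tunnel-group DOMAIN-PCS webvpn-attributes
 authentication aaa certificate
!
webvpn
 enable outside
 anyconnect enable
 ! A client whose certificate matches the map is placed in DOMAIN-PCS;
 ! anything else lands in the default tunnel group, which must not offer
 ! a password-only AnyConnect path.
 certificate-group-map DOMAIN-PC-MAP 10 DOMAIN-PCS
```

Two things to check after applying this. First, the default tunnel group (DefaultWEBVPNGroup) and DfltGrpPolicy must not still allow an AnyConnect login with username and password alone, or the certificate requirement is bypassed by simply not presenting one. Second, the AnyConnect client profile should set `<CertificateStore>Machine</CertificateStore>` and `<CertificateStoreOverride>true</CertificateStoreOverride>` so the client uses the certificate from the Local Computer store (which the Computer template marks non-exportable) rather than anything in the user's store; otherwise the "company laptop" property you are relying on is only as strong as the user's ability to copy a certificate to another machine.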