<div>
Thanks for the free site advertising :)<br />
<br />
Do a search on the site you will find..<br />
<a href="http://www.petenetlive.com/KB/Article/0001030.htm" rel="ugc">http://www.petenetlive.com/KB/Article/0001030.htm</a><br />
<br />
Spin up a Microsoft PKI server and secure the VPN with Computer certs, or User Certs (or both!) &nbsp;full instructions on that helpful and informative technical website ;)<br />
<br />
Pete
</div>


Thanks for the free site advertising :)

Do a search on the site you will find..
http://www.petenetlive.com/KB/Article/0001030.htm [http://www.petenetlive.com/KB/Article/0001030.htm]

Spin up a Microsoft PKI server and secure the VPN with Computer certs, or User Certs (or both!)  full instructions on that helpful and informative technical website ;)

Pete

<div>
The solution I provided was the solution used to address the issue.
</div>


The solution I provided was the solution used to address the issue.

<div>
<div class="content wysiwyg-content">
I have a Cisco ASA 5515 failover pair and a Windows 2008 R2 server that has Network Policy Server installed and uses RADIUS to authenticate Cisco AnyConnect VPN clients.<br />
<br />
I am looking for options on how to limit Cisco AnyConnect VPN connections to company laptops.<br />
<br />
I considered this - <a href="http://www.petenetlive.com/KB/Article/0000335.htm" rel="ugc">http://www.petenetlive.com/KB/Article/0000335.htm</a>&nbsp;- but understand that Cisco ASA failover pairs cannot be used as local certificate authorities.<br />
<br />
My RADIUS server uses the logic of if a user is a member of an AD security group &quot;VPN Access&quot; - they can authenticate. &nbsp;Is it possible to incorporate something similar for computers that are part of the AD domain? &nbsp;Are there any other options I can consider?
</div>
</div>


I have a Cisco ASA 5515 failover pair and a Windows 2008 R2 server that has Network Policy Server installed and uses RADIUS to authenticate Cisco AnyConnect VPN clients.

I am looking for options on how to limit Cisco AnyConnect VPN connections to company laptops.

I considered this - http://www.petenetlive.com/KB/Article/0000335.htm - but understand that Cisco ASA failover pairs cannot be used as local certificate authorities.

My RADIUS server uses the logic of if a user is a member of an AD security group "VPN Access" - they can authenticate.  Is it possible to incorporate something similar for computers that are part of the AD domain?  Are there any other options I can consider?

How to restrict Cisco AnyConnect VPN connections to domain computers

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Cisco

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.