How to deny LAN resource access to non-authorized computers

By fabianodepaula

We are a small company using Cisco VPN for remote users. One user copied the Cisco profile from his PC and was able to connect to our network with his personal Mac laptop; we are using domain authentication. Is it possible to block unauthorized computers from connecting to the VPN? I see this as a problem, since any user that has an AD account could simply install the Cisco VPN software on their home PC and connect to our resources with any computer.


All Answers

ACLs are our friends!

by warpedlogic In reply to How to deny Lan resource ...

You could implement an access list on the VPN router in your network that limits which IP addresses are allowed to access the VPN tunnel. The downside to this is that you need to get all the employees' home IP addresses and would have to add them again as their modems' DHCP leases expire. The good news is that modems are usually only given a block of 2 to 3 IP addresses, but that can still become a very ugly ACL very quickly, depending on how many people are accessing it.

Response To Answer

by robo_dev In reply to ACL's are our friends!

Don't forget that the external IP of all your home PCs is the same, from an ACL standpoint, since it's the router/firewall that the VPN would see from the outside.

The only possible way I can think of to lock this down is to force the usage of certificates for authentication. But even then, this would simply make it more difficult and complex to set up another computer.

In general, if the VPN is configured not to allow split tunneling, and the authentication is set up properly, then there is really not a big risk in terms of allowing any PC to make the connection.
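To make the two points above concrete (a source-address ACL on the VPN router, and the fact that every device behind one home router presents the same public address), here is an added example that is not from either poster. It simulates the router's permit list over a few constructed connection attempts; the log format, the addresses and the host names are invented for the example, and a real Cisco ACL would of course only ever see the source address, never the host name shown here.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Attempt is one VPN connection attempt. SrcIP is the only field a router
// ACL can match on; User and Host are carried along from the constructed
// log line purely so we can see which machine the ACL let through.
type Attempt struct {
	User  string
	SrcIP string
	Host  string
}

// ParseAttempt reads a constructed line of the form
//   vpn-login user=<name> src=<ip> host=<hostname>
// (this format is made up for the example; it is not a Cisco log format).
func ParseAttempt(line string) (Attempt, error) {
	var a Attempt
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			continue
		}
		switch k {
		case "user":
			a.User = v
		case "src":
			a.SrcIP = v
		case "host":
			a.Host = v
		}
	}
	if net.ParseIP(a.SrcIP) == nil {
		return a, errors.New("no valid src= field in: " + line)
	}
	return a, nil
}

// ACL is a source-address permit list: single hosts (/32) or the small
// block an ISP hands a customer. Anything not listed is denied, as with
// the implicit deny at the end of a router ACL.
type ACL struct{ permit []*net.IPNet }

func NewACL(cidrs ...string) (*ACL, error) {
	acl := &ACL{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		acl.permit = append(acl.permit, n)
	}
	return acl, nil
}

// Permits reports whether any permit entry covers the source address.
func (a *ACL) Permits(ip string) bool {
	addr := net.ParseIP(ip)
	if addr == nil {
		return false
	}
	for _, n := range a.permit {
		if n.Contains(addr) {
			return true
		}
	}
	return false
}

// Decision is an attempt together with the ACL verdict.
type Decision struct {
	Attempt
	Permitted bool
}

// Evaluate applies the ACL to each log line; unparsable lines are denied.
func Evaluate(acl *ACL, lines []string) []Decision {
	out := make([]Decision, 0, len(lines))
	for _, l := range lines {
		a, err := ParseAttempt(l)
		out = append(out, Decision{Attempt: a, Permitted: err == nil && acl.Permits(a.SrcIP)})
	}
	return out
}

// SampleLines are constructed. Lines 1 and 2 come from the same home NAT:
// the company laptop and the user's personal Mac share one public address.
// Line 3 is the company laptop after the home modem picked up a new lease.
var SampleLines = []string{
	"vpn-login user=jsmith src=203.0.113.5 host=CORP-LAPTOP-01",
	"vpn-login user=jsmith src=203.0.113.5 host=personal-macbook",
	"vpn-login user=jsmith src=198.51.100.77 host=CORP-LAPTOP-01",
	"vpn-login user=mallory src=192.0.2.44 host=unknown",
}

func main() {
	acl, err := NewACL("203.0.113.4/30") // jsmith's ISP block, .4 to .7 (assumed)
	if err != nil {
		panic(err)
	}
	for _, d := range Evaluate(acl, SampleLines) {
		verdict := "deny"
		if d.Permitted {
			verdict = "permit"
		}
		fmt.Printf("%-6s user=%s src=%s host=%s\n", verdict, d.User, d.SrcIP, d.Host)
	}
}
```

The output shows the trade-off the two replies describe: the personal Mac is permitted because it sits behind the same public address as the company laptop, while the company laptop itself is denied as soon as the home address changes, which is exactly the entry you would then have to go back and edit.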

Several Solutions

by IcebergTitanic In reply to How to deny Lan resource ...

The certificate route is one way to go for certain. It is much more complex to set up, but does allow you to assign rights to a specific computer. Once you have the infrastructure in place it's not horribly hard to add a new computer, but it is definitely another layer of complexity added to your mix.

Another option is to limit logon times for users. If you use RADIUS authentication you should be able to specify what time of the day and what days of the week your users can log on. Since they're most likely to use their home computers in off-hours, this can help alleviate the problem.

Another way to go would be a bit more complex as well, but you could configure the end-user computers as domain machines, and set up the VPN client for "Start Before Logon" which would then let the computer log in directly to the domain. If you required that and removed your Remote Desktop access, you could limit it to domain machines.

If your users are operating only from specific locations (like a satellite office or home office), then you could go the more expensive route and give them their own ASA to use there, with port security on the unit to keep other devices from connecting to it, and then a site-to-site VPN on the unit itself.
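The "certificate route" that both robo_dev and IcebergTitanic mention comes down to one check at the gateway: the connecting computer must present a certificate that chains to the company's own CA and is issued for client authentication. The following is an added example, not code from any of the posters or from Cisco. It builds a throwaway CA, enrolls one machine, and then shows three attempts: the enrolled company laptop, an unenrolled personal Mac that minted its own certificate, and a certificate that chains to the CA but was issued for a web server. Names and serial numbers are invented. It assumes the machine's private key is kept non-exportable (for example in a TPM); if the key can be copied along with the VPN profile, the certificate only raises the effort, as robo_dev says, and does not stop it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCreate signs tmpl with signer; parent == tmpl yields a self-signed cert.
func mustCreate(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewCA stands in for the company's issuing CA. The VPN gateway trusts only
// this root, so a computer gets in only if this CA signed its certificate.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key), key
}

// IssueCert enrolls one machine: the certificate names the computer, not the
// user, and carries the extended key usage the gateway will demand. The
// machine's private key is generated and dropped here because only the
// certificate is needed to demonstrate the gateway-side check.
func IssueCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64, eku x509.ExtKeyUsage) *x509.Certificate {
	machineKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	return mustCreate(tmpl, ca, &machineKey.PublicKey, caKey)
}

// SelfSigned is what an unenrolled personal laptop can mint for itself.
func SelfSigned(host string) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(99),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key)
}

// VerifyClient is the gateway-side check: the presented certificate must
// chain to the trusted CA and be valid for client authentication. On success
// it returns the machine name, which can then be matched against AD.
func VerifyClient(ca, presented *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	ca, caKey := NewCA("Example Corp Issuing CA")
	attempts := []struct {
		label string
		cert  *x509.Certificate
	}{
		{"enrolled company laptop", IssueCert(ca, caKey, "CORP-LAPTOP-01", 2, x509.ExtKeyUsageClientAuth)},
		{"unenrolled personal Mac", SelfSigned("personal-macbook")},
		{"web server cert reused", IssueCert(ca, caKey, "intranet.example.com", 3, x509.ExtKeyUsageServerAuth)},
	}
	for _, a := range attempts {
		if host, err := VerifyClient(ca, a.cert); err != nil {
			fmt.Printf("%-24s rejected: %v\n", a.label, err)
		} else {
			fmt.Printf("%-24s accepted as %s\n", a.label, host)
		}
	}
}
```

On a real ASA or VPN router the equivalent is the trustpoint that holds the CA certificate plus the certificate-to-tunnel-group mapping; what this example isolates is the decision itself, and the point that chaining to the CA alone is not enough, since the certificate must also have been issued for client authentication. Revocation checking, which you would want so that a lost laptop can be cut off, is omitted here.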

Use MAC Addresses

by igtddave In reply to How to deny Lan resource ...

I set up a VPN for a client's doctor's office. I used the VPN router to restrict access to not only the internal network but also the external network by the MAC address of each individual computer and device (including networked printers) that was connected. MAC address not entered, no access.
