Options
Site to Site VPN / Computer Authentication
fid500
Member Posts: 71 ■■□□□□□□□□
* I have posted this under CCNP forum too. Sorry for double post.
I am in the process of setting up a site to site vpn using an ASA5505 on the remote side and ASA5510 on the main office. The ASA 5510 side hosts all the servers and the ASA5505 will have one user connecting to the same domain in the main office. The remote side will contain one Laptop and one VOIP phone. The vpn works fine and the user has access to email and voip and able to deploy policies.... I am trying to setup EAP-tls authentication on the remote side. I already have a CA server and NPS for 802.1x working in the main location. My goal is to issue a certificate to the remote user laptop and authenticate using EAP-TLS in order to be able to connect to the main site. The goal is to prevent the user from connecting her personal PC to the ASA and have access to the main site. The user at the remote site will be connecting directly to the ASA5505. If certs cannot be used, is there another way of controlling what devices will have access (I don't want to create ACl using the static IP on the device)
Note: I am not looking to setup site to site vpn using certificate. I already have that working.
I am in the process of setting up a site to site vpn using an ASA5505 on the remote side and ASA5510 on the main office. The ASA 5510 side hosts all the servers and the ASA5505 will have one user connecting to the same domain in the main office. The remote side will contain one Laptop and one VOIP phone. The vpn works fine and the user has access to email and voip and able to deploy policies.... I am trying to setup EAP-tls authentication on the remote side. I already have a CA server and NPS for 802.1x working in the main location. My goal is to issue a certificate to the remote user laptop and authenticate using EAP-TLS in order to be able to connect to the main site. The goal is to prevent the user from connecting her personal PC to the ASA and have access to the main site. The user at the remote site will be connecting directly to the ASA5505. If certs cannot be used, is there another way of controlling what devices will have access (I don't want to create ACl using the static IP on the device)
Note: I am not looking to setup site to site vpn using certificate. I already have that working.
Comments
-
Optionsmillworx
Member Posts: 290
yes you can. On the remote ASA, you will need to setup cut-through-proxy. and specify they use certificate based authentication. If the machine certificate doesnt match when they put in their credentials, the firewall will not pass the traffic.
Heres a link on cut-through-proxy: PIX/ASA : Cut-through Proxy for Network Access using TACACS+ and RADIUS Server Configuration Example - Cisco Systems
Thats just personally how I would set it up. It's how we are doing our remote-access deployments currently. Works nice, since even if you know your username and password. If you dont have the machine certificate, your boned.
You could also look into something else if thats too much, lwhich works just as well, use softoken for secondary authentication, which is matched to the machine serial. If serial doesnt match, softoken wont generate a token for authentication.Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide