Site to site VPN

fid500 Member Posts: 71
I am in the process of setting up a site-to-site VPN using an ASA5505 on the remote side and an ASA5510 at the main office. The ASA 5510 side hosts all the servers and the ASA5505 will have one user connecting to the same domain in the main office. The remote side will contain one laptop and one VoIP phone. The VPN works fine and the user has access to email and VoIP and able to deploy policies.... I am trying to set up EAP-TLS authentication on the remote side. I already have a CA server and NPS for 802.1x working in the main location. My goal is to issue a certificate to the remote user's laptop and authenticate using EAP-TLS in order to be able to connect to the main site. The goal is to prevent the user from connecting her personal PC to the ASA and having access to the main site. The user at the remote site will be connecting directly to the ASA5505. If certs cannot be used, is there another way of controlling what devices will have access? (I don't want to create an ACL using the static IP on the device.)

Note: I am not looking to set up a site-to-site VPN using a certificate. I already have that working.

Comments

  • creamy_stew Member Posts: 406
    Sorry, I can't help, but I think you might want to post this over at the CCSP forums.

    Couldn't you implement this in Windows AD instead? I.e. let the VPN work as it does now, but require clients to use a cert to authenticate to the domain?
    Itchy... Tasty!
    [X] DCICN
    [X] IINS

    [ ] CCDA
    [ ] DCICT
  • millworx Member Posts: 290
    You can look into something like software token based authentication, which allows the user to connect with randomly generated passwords that are tied only to the serial of that PC.
    Currently Reading:
    CCIE: Network Security Principles and Practices
    CCIE: Routing and Switching Exam Certification Guide
  • shednik Member Posts: 2,005
    I was going to suggest using 802.1x authentication, but then I realized the ASAs don't seem to support that for whatever reason.

    Are you set on using a 5505 for the remote side?

    The other suggestion, and I'm not sure if it will work or not and it won't be using EAP-TLS, is the cut-through proxy, but that just requires a username and password. We deploy a remote home office solution with an 881w that uses an ezvpn tunnel and 802.1x authentication.


    joe