The question is:
What are you trying to achieve here, Jeff?
If you worry about rogue usage of your VPN, maybe it's better to consider NAC or certificates as second-factor authentication on the VPN concentrator?
The only thing that I was able to do with VPN clients is to create a different software\DAT deployment policy that runs every 10 minutes instead of every 90 minutes for LAN clients.
But in any case I have to wait until the client agent initiates a connection with the ePO server and updates its IP; then it is moved to the VPN group, and then it has the new policy.
Since the Cisco VPN blocks all inbound connections, I can't do more than this.
Future plans are to enforce a strict NAC policy, since I am able to identify the client by IP and run a different set of checks.
We do use two-factor authentication. We require a group logon/password within the client as well as AD creds. The problem that I have run into is that there are some people that have the VPN installer with the built-in group logon/pass, so they install the client on their home PCs that are not managed by me. I need to know when these clowns connect so I can remove their access...
Have the same problem - going to use machine certificates, marking the private key unexportable (please use a key size of 2048 for the CA - VPN 3000 limitation).
So if the VPN concentrator is not able to identify certificate + group password + AD account, the user will not be able to access.
And the first one I catch trying to use his personal PC will go to HR :mad::p
The following may be of use for those of us with clients coming in over VPN - it prevents ePO from using the MAC of the virtual interface for matching