Sounds like you have a significant security issue here. If you have a PKI you can issue machine certificates and check them during the XAUTH phase. So even if the user manages to transfer a .pcf to an unauthorized device, the machine cert will be invalid and the XAUTH will fail. You could use the concentrator's client update feature to push a new .pcf with the certificate features enabled and email all authorized users machine certs in PEM format along with instructions on how to import the certs into the client cert store.
Alternatively you could enable group locking, but in that case you will need to pass the authorized group as part of the RADIUS transaction.

-----Original Message-----
From: "Brett Looney" <[EMAIL PROTECTED]>
Subj: [c-nsp] ACS and ASA VPN user authentication
Date: Wed Aug 29, 2007 2:05
Size: 1K
To: <cisco-nsp@puck.nether.net>

Greets,

Background: When connecting to an ASA using the Cisco VPN client you've got to build a connection entry (stored as a PCF file) that includes the VPN group name and VPN group shared key. PCF files can be migrated from one machine to another.

We have an issue where a tech-savvy user has taken a copy of a PCF file and put it on a new laptop. Consequently, he can connect to an existing VPN group (that lots of other users connect to) and get access to things he shouldn't be able to. However, we want to let this user still connect to the ASA but using a different VPN group. But we have no way of forcing him to do this. We can't disable his account for this reason. And we can't change the group key because that would affect lots of users, some in remote locations that we can't get to.

The root cause here is that in ACS I can't find any way of limiting a user (or group for that matter) to a particular VPN Group. The ASA doesn't appear to pass that attribute to the ACS and I can't find any attribute in the list of TACACS+ attribute-value pairs that would do this.

So, is there a way I can do this with ASA and ACS? I want to lock a particular user (or group) to a VPN group and not let them connect any other way.

More information: We're using ACS for Windows 3.3 (but can upgrade if necessary) and authenticating via TACACS+. We're running ASA code version 7.2.2.

Any ideas? Does this even make sense?

TIA.

B.
_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
--- message truncated ---
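The group-locking approach the reply suggests, shown as an added example that is not from either poster: an ASA configuration sketch that pins one user to a dedicated tunnel group so that a copied .pcf for the shared group no longer gets him in. The names RESTRICTED-GROUP, LOCKED-POLICY, jsmith and the pre-shared key are constructed placeholders, and the local `username` block is one assumed way of attaching the policy.

```cisco
! Added example, not from the original thread. All names are placeholders.
! Goal: jsmith may only connect through tunnel-group RESTRICTED-GROUP,
! even if he still holds a .pcf for the shared group.

! A separate IPsec remote-access tunnel group with its own pre-shared key
tunnel-group RESTRICTED-GROUP type ipsec-ra
tunnel-group RESTRICTED-GROUP general-attributes
 default-group-policy LOCKED-POLICY
tunnel-group RESTRICTED-GROUP ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY

! Group policy whose members are only allowed in via that tunnel group
group-policy LOCKED-POLICY internal
group-policy LOCKED-POLICY attributes
 group-lock value RESTRICTED-GROUP

! Attach the policy to the user (shown here for a locally defined user)
username jsmith attributes
 vpn-group-policy LOCKED-POLICY
```

When jsmith authenticates through the shared tunnel group, the ASA compares the tunnel group he used against the `group-lock` value of his assigned policy and rejects the session because they differ; connecting through RESTRICTED-GROUP (whose key only he has) succeeds. The check only works if the ASA knows which policy the user belongs to, so for users authenticated against ACS rather than the local database the policy assignment has to come back from the AAA server, which is the "pass the authorized group as part of the RADIUS transaction" point in the reply.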