Prevent non-domain machines from connecting over Cisco VPN.
a***@gmail.com
2008-01-24 15:50:34 UTC
Is there a way to prevent non-domain machines from connecting over a
Cisco VPN?
What I would like is for only domain machines to be able to connect
over Cisco VPN.

I can post up details of our authentication methods, VPN concentrator
etc. if this will help to answer the question.
James McIllece [MS]
2008-01-25 17:33:26 UTC
Post by a***@gmail.com
Is there a way to prevent non-domain machines from connecting over a
Cisco VPN?
What I would like is for only domain machines to be able to connect
over Cisco VPN.
I can post up details of our authentication methods, VPN concentrator
etc. if this will help to answer the question.
If you deploy EAP-TLS with autoenrolled computer certificates used for
client computer authentication, only domain joined machines can enroll a
certificate -- and therefore only domain member computers are successfully
authenticated when they attempt to connect.

To do this you need to deploy IAS and Certificate Services, and configure
Group Policy to autoenroll certs to computers. EAP-TLS provides mutual
authentication, so you must also autoenroll server certificates to IAS
servers.
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
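The gate James describes, reduced to the trust decision each side of EAP-TLS makes about the peer's certificate, as an added example (this is not code from the thread, from Microsoft IAS or from Cisco). Go's standard x509 package stands in for the RADIUS server and the client; the CA name, host names and the "corp.example" domain are constructed placeholders. A domain member presents a certificate issued by the enterprise CA with the Client Authentication EKU; a non-domain machine can at best present a self-signed certificate, which fails because it does not chain to that CA; the IAS server certificate is checked the same way for the Server Authentication role.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template; every name is constructed.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue generates a key pair and signs tmpl with parentKey. A nil parent makes the
// certificate self-signed: all a machine that cannot enroll with the CA can produce.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// authorize is the EAP-TLS trust decision: the peer certificate must chain to the
// enterprise CA and carry the EKU for its role (Client Authentication when the
// server checks a computer, Server Authentication when the client checks IAS).
func authorize(peer, enterpriseCA *x509.Certificate, role x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(enterpriseCA)
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{role},
	})
	return err
}

// Scenario issues the certificates for the cases discussed in the thread and
// returns the verification outcome for each (nil means the peer is accepted).
func Scenario() (map[string]error, error) {
	ca, caKey, err := issue(newTemplate("CORP-Enterprise-CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	// Domain member: autoenrolled computer certificate from the enterprise CA.
	member := newTemplate("workstation01.corp.example", 2, false)
	member.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	memberCert, _, err := issue(member, ca, caKey)
	if err != nil {
		return nil, err
	}
	// Non-domain machine: same EKU, but self-signed because it cannot enroll.
	rogue := newTemplate("home-laptop", 3, false)
	rogue.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	rogueCert, _, err := issue(rogue, nil, nil)
	if err != nil {
		return nil, err
	}
	// IAS server certificate, autoenrolled for the mutual-authentication half.
	ias := newTemplate("ias01.corp.example", 4, false)
	ias.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	iasCert, _, err := issue(ias, ca, caKey)
	if err != nil {
		return nil, err
	}
	return map[string]error{
		"domain-member":         authorize(memberCert, ca, x509.ExtKeyUsageClientAuth),
		"non-domain":            authorize(rogueCert, ca, x509.ExtKeyUsageClientAuth),
		"server-cert-as-client": authorize(iasCert, ca, x509.ExtKeyUsageClientAuth),
		"ias-server":            authorize(iasCert, ca, x509.ExtKeyUsageServerAuth),
	}, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, verr := range results {
		fmt.Printf("%-22s accepted=%v err=%v\n", name, verr == nil, verr)
	}
}
```

Run it with `go run`. The whole control rests on Certificate Services issuing computer certificates only to domain members through Group Policy autoenrollment, so the self-signed case is exactly what a non-domain machine ends up with. The "server-cert-as-client" case shows why the EKU check matters: a certificate from the right CA but for the wrong role is still rejected. A production RADIUS server also performs revocation checking, which this example leaves out.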
a***@gmail.com
2008-01-28 11:59:11 UTC
Post by James McIllece [MS]
If you deploy EAP-TLS with autoenrolled computer certificates used for
client computer authentication, only domain joined machines can enroll a
certificate -- and therefore only domain member computers are successfully
authenticated when they attempt to connect.
To do this you need to deploy IAS and Certificate Services, and configure
Group Policy to autoenroll certs to computers. EAP-TLS provides mutual
authentication, so you must also autoenroll server certificates to IAS
servers.
I've done some research, based on the directions you provided. Is it
correct to say that autoenrollment will only work with Windows XP
clients?
James McIllece [MS]
2008-02-02 00:46:19 UTC
Post by a***@gmail.com
I've done some research, based on the directions you provided. Is it
correct to say that autoenrollment will only work with Windows XP
clients?
XP and Windows Vista.
--
James McIllece, Microsoft