[personal profile] theweaselking
Imagine a VPN. You have users with certificates and passwords who connect to the VPN - road warriors, connecting from wherever they are right now.

I want to restrict it *by machine* - so one user, one machine. That user cannot connect from a different machine, that machine cannot connect for a different user, even if they have valid certificates.

(I will accept "the machine is authorised" so that multiple valid certificates could be used from a valid machine. The important thing is that the machine must be approved, and the user must be approved, and "machine/user combo must be approved" is a want-not-need)

Is there a way to do this without TPM chips? I would even accept something spoofable like MAC filtering, if I could implement MAC filtering over a network connection with many routers and likely at least one NAT in the way. Replacing all the remote machines with new hardware is not doable. Requiring that the remote machines be Domain members is not doable. Requiring TPM is not doable. With those three out of the way, does anyone know if what we want is possible?

(Current setup is OpenVPN. Replacing it seems inevitable to get the desired function - so what now?)

EDIT: SonicWall does this, calling it "Endpoint Control" - their software checks HDD serial and stuff like that and supplied account credentials against server-side pre-stored numbers. Requires purchasing a SonicWall device, but, hey, out of the box fix? OH HAI YES PLZ. Downside: Expensive, requires dealing with SonicWall who will NEVER EVER EVER stop emailing and calling you.

(no subject)

Date: 2012-04-27 03:16 pm (UTC)
From: [identity profile] argonel.livejournal.com
I wonder if this could be bashed together as a VPN over VPN configuration. Where the machine authenticates to an outer VPN allowing the user to authenticate to the inner VPN. Configuration and training would probably be a major headache.

(no subject)

Date: 2012-04-27 03:25 pm (UTC)
From: [personal profile] kjn
No idea if this will be workable, but hash (or otherwise combine) MAC and username, and use that during the login process?
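The original post asks how to make the current OpenVPN setup approve the machine, the user, and (ideally) the combination, and the comment above suggests combining a machine identifier with the username at login time. The following is an added example, not code from the thread or from the OpenVPN project, showing one server-side way to enforce that pairing without TPMs or domain membership. It assumes (these assumptions are not in the post) that each approved machine carries its own client certificate whose Common Name names the machine, that users still log in with username/password, and that the server config contains `auth-user-pass-verify /etc/openvpn/check_pairing.py via-env` with `script-security 3`, so OpenVPN exports `common_name`, `username` and `password` to the script and admits the client only when it exits 0. Like the MAC idea, it is only as strong as the machine identifier: a copied certificate moves with the copier, which is the same residual weakness the post accepts.

```python
#!/usr/bin/env python3
"""OpenVPN auth-user-pass-verify hook (added example, not from the thread).

Assumptions (not stated in the original post):
  * Each approved machine has its own client certificate; the certificate's
    Common Name identifies the machine (e.g. "laptop-0042").
  * Each approved user authenticates with username/password on top of that.
  * The server config contains:
        auth-user-pass-verify /etc/openvpn/check_pairing.py via-env
        script-security 3
    so OpenVPN exports `common_name`, `username` and `password` as environment
    variables and accepts the login only if this script exits 0.
    `username-as-common-name` must NOT be set, or common_name is the username.

PAIRINGS below is a constructed sample allowlist; a real deployment would load
it from a file the VPN admin controls.
"""
import hmac
import os
import sys

# Constructed sample data: machine CN -> set of usernames allowed on it.
PAIRINGS = {
    "laptop-0042": {"alice"},
    "laptop-0043": {"bob", "carol"},  # several approved users on one approved machine
}

# Derived allowlists so the decision separates "machine approved",
# "user approved" and "combination approved", as the post distinguishes them.
APPROVED_MACHINES = set(PAIRINGS)
APPROVED_USERS = {u for users in PAIRINGS.values() for u in users}


def check_password(username, password):
    """Stand-in for the real password check (PAM, RADIUS, LDAP, ...).
    Constructed sample credentials; constant-time compare to avoid a timing leak."""
    sample = {"alice": "pw-alice", "bob": "pw-bob", "carol": "pw-carol"}
    expected = sample.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def decide(common_name, username, password, require_pairing=True):
    """Return (allowed, reason). require_pairing=False implements the post's
    fallback policy: any approved user may connect from any approved machine."""
    if common_name not in APPROVED_MACHINES:
        return False, "machine not approved: %s" % common_name
    if username not in APPROVED_USERS:
        return False, "user not approved: %s" % username
    if not check_password(username, password):
        return False, "bad password for %s" % username
    if require_pairing and username not in PAIRINGS[common_name]:
        return False, "user %s not approved on machine %s" % (username, common_name)
    return True, "ok"


def main():
    # OpenVPN supplies these via the environment under `via-env`.
    cn = os.environ.get("common_name", "")
    user = os.environ.get("username", "")
    pw = os.environ.get("password", "")
    allowed, reason = decide(cn, user, pw)
    # OpenVPN captures the script's stderr into its log; never log the password.
    print("pairing check: %s (%s)" % (reason, "allow" if allowed else "deny"),
          file=sys.stderr)
    sys.exit(0 if allowed else 1)


if __name__ == "__main__":
    main()
```

Because OpenVPN has already verified the client certificate against the CA before this script runs, `common_name` is an authenticated value rather than a client-supplied string, which is what makes the pairing check meaningful; the script's exit status is the only thing OpenVPN acts on, so every denial path exits non-zero.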

(no subject)

Date: 2012-04-27 04:54 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Got an application to do that, on the fly, each time, and then some way to authenticate it at the far end?

I'd really rather not have to code it manually, especially if the answer becomes "use OpenVPN to connect, then use this custom app to open the gateway"

(no subject)

Date: 2012-04-27 05:12 pm (UTC)
From: [personal profile] kjn
See first clause in my comment. And sorry, providing the idea is the limit of my helpfulness.

(no subject)

Date: 2012-04-27 05:21 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
It looks like SonicWall has already done pretty much exactly that, which is nice - it just means "purchasing a new device"

(no subject)

Date: 2012-04-27 05:43 pm (UTC)
From: [identity profile] jsbowden.livejournal.com
Cisco's Anyconnect doesn't give you this level of control? I am surprised.

(no subject)

Date: 2012-04-27 05:55 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Maybe it does? What's AnyConnect?

(He asked, while googling)

(no subject)

Date: 2012-04-27 05:59 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
It appears that AnyConnect requires a Cisco SSL-VPN device at the far end, making it functionally equivalent to SonicWall's NetExtender. Yes? No?

(no subject)

Date: 2012-04-27 06:12 pm (UTC)
From: [identity profile] jsbowden.livejournal.com
Yes, but Cisco are far less annoying to deal with than SonicWall.

(no subject)

Date: 2012-04-27 05:49 pm (UTC)
From: [identity profile] disgruntledgrrl.livejournal.com
I was about to recommend Cisco's AnyConnect when I read jsbowden's comment.
Then I re-read your post.

I don't see any mention of SSL (Cisco AnyConnect). We currently use that. The cert must be on the machine in order to work. If the user's machine is wiped, the helpdesk has to send them another cert.
So there's the control. Just put in a stipulation "I'm sorry but unless this is machine ##### I cannot resend the Certification."

(no subject)

Date: 2012-04-28 12:36 am (UTC)
From: [identity profile] lafinjack.livejournal.com
Are your road warriors abusing multiple logins or is it a resources issue?

(no subject)

Date: 2012-04-28 12:38 am (UTC)
From: [identity profile] theweaselking.livejournal.com
Neither. It is a "compliance with the security requirements of an organisation far more paranoid than my own" issue.

(no subject)

Date: 2012-04-28 12:40 am (UTC)
From: [identity profile] lafinjack.livejournal.com
Ah, interesting.

(no subject)

Date: 2012-05-07 10:13 pm (UTC)
From: [identity profile] netdef.livejournal.com
Smart Cards.

Readers are available for USB and many professional grade laptops have mini readers built in.

I know that means TPM - but it's the least level of trouble for end users and can be configured to do pretty much exactly what you describe.
