Endpoint Security

SOLVED
Les_G_
Occasional Contributor

Endpoint Security

Hi All

We have two 6500s clustered where several hundred users terminate VPN tunnels. We would like to only allow authorized devices access. I believe endpoint security is how to do this, but I am not sure how to configure it. We would like to check for a certificate on the system and allow/deny based on whether the cert is on the system or not.

Can someone direct me to documentation that provides the configuration, or if anyone has done this in production, can you share how you configured it?

Thanks.

ACCEPTED SOLUTION
muttbarker_
Valued Contributor

Re: Endpoint Security

1- Import CA root cert

2- Define host check rule

3- Implement on realm

You will need to import a root cert from your internal cert server - done under:

Configuration / Certificates / Trusted Client CA's

You would define a new host check rule where you would check for a certificate - done under:

Authentication / EndPoint Security / Host Checker

Create a new HC policy using a rule type of custom: machine cert. Specify the root cert to check against.

You would then implement HC on the realm - done under:

Users / User Realms / "realm-name" / Authentication Policy / Host Checker

You will need to specify Require and Enforce to use it.

CAVEAT - machine cert checking via HC only works on Windows PCs. If you implement this and you have Mac or Linux users logging in, you will also need to implement an HC policy that they will also pass or fail, or they will not be admitted.

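To make the decision behind the "custom: machine cert" rule concrete, here is an added Go example (not code from the original post, and not the vendor's Host Checker implementation). It builds a throwaway root CA in memory to stand in for the internal cert server whose root is imported under Trusted Client CA's, issues a machine certificate from it, and then runs the same check the rule makes: pass only if the endpoint's certificate chains to the trusted root and is currently valid. The CA name, the hostnames and the assumption that the rule requires a client-authentication certificate are constructed for this example; it also shows the failure cases (cert from an untrusted CA, expired cert, no cert at all) that you would expect to see in the log when the realm is set to evaluate only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root CA in memory. It stands in for the internal
// cert server whose root the admin imports under Trusted Client CA's.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issueMachineCert has a CA sign a client-auth (machine) certificate with an
// explicit validity window, so expired certificates can be produced as well.
func issueMachineCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host}, // constructed hostname
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// MachineCertCheck models the machine cert rule: the endpoint passes only if
// its certificate chains to a trusted client CA and is valid at check time.
// (Assumption for this example: the rule also expects client-auth usage.)
func MachineCertCheck(cert *x509.Certificate, trustedRoots *x509.CertPool, now time.Time) (bool, string) {
	if cert == nil {
		return false, "no machine certificate present on endpoint"
	}
	opts := x509.VerifyOptions{
		Roots:       trustedRoots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return false, "machine certificate rejected: " + err.Error()
	}
	return true, "machine certificate chains to trusted client CA"
}

// Scenarios runs the check over a trusted, an untrusted, an expired and a
// missing certificate and returns the pass/fail verdict for each case.
func Scenarios() map[string]bool {
	internalCA, internalKey := newCA("Example Corp Internal Root CA")
	otherCA, otherKey := newCA("Some Other CA")
	roots := x509.NewCertPool()
	roots.AddCert(internalCA) // only the internal root is trusted

	now := time.Now()
	cases := map[string]*x509.Certificate{
		"trusted":   issueMachineCert(internalCA, internalKey, "laptop-01.example.corp", now.Add(-time.Hour), now.Add(24*time.Hour)),
		"untrusted": issueMachineCert(otherCA, otherKey, "laptop-02.example.corp", now.Add(-time.Hour), now.Add(24*time.Hour)),
		"expired":   issueMachineCert(internalCA, internalKey, "laptop-03.example.corp", now.Add(-48*time.Hour), now.Add(-24*time.Hour)),
		"missing":   nil,
	}
	results := map[string]bool{}
	for name, c := range cases {
		ok, why := MachineCertCheck(c, roots, now)
		results[name] = ok
		fmt.Printf("%-9s -> pass=%v (%s)\n", name, ok, why)
	}
	return results
}

func main() { Scenarios() }
```

Only the "trusted" case passes; the other three are the kinds of failures worth watching for in the log while the realm is in evaluate mode, before Enforce is switched on.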

4 REPLIES 4

Les_G_
Occasional Contributor

Re: Endpoint Security

Thanks! This is what I was looking for. I will have to test and verify. Instead of the entire realm, can HC be applied to a single role for testing?

muttbarker_
Valued Contributor

Re: Endpoint Security

Yes, HC can be applied to a single role. You will need to evaluate HC at the realm level, but not enforce it there, to be able to enforce it at the role. If you select evaluate, you can see the results in the log to determine how your rule is working.

Les_G_
Occasional Contributor

Re: Endpoint Security

Thanks.