Solved: how to do device binding

kcp_ · ‎10-13-2009

Hi Friends,

One of the SP customer wants to lauch SSL service for it's customers, and wnats to have feature by which his customer would be able to bind their remote user's device ( e.g. laptop , desktop, PDA etc.) , preferably on it's MAC address, so that they are sure that user is accessing sensitive information through authorized device only.

Can you provide a brief description as to how this binding can be achieved in SSL solution? Is this also possible in our IPSec solution?

123go_ · ‎10-14-2009

MAC addresses can be spoofed (google search 'spoof mac address') so from a security standpoint it is not really the best option.

You can either go the client certificate route (but in this case you are authenticating the user, not the device) or the machine certificate route.

The Machine Certificate check is available underHost checker > New Policy > Windows: Custom: Machine Certificate.

You can restrict access to a subset Machine Certificate issued by a particular CA only (by installing the cert in Trusted client CA) or specific CA DN.

Of course you need to issue and manage these certificates on the endpoints (wether they are user certificates or machine certificates).

Other options are available too (e.g "hidden" registry check) but they are less secure as registry can be edited, if you know what you need in order to pass the host check.

View solution in original post

kenlars_ · ‎10-13-2009

KCP -

On SSL VPN, you have two choices to do what you wish. You should look at Authentication Policy in the Realm definition to see if any of the controls in there are acceptable - it might be that user certificates might do what you wish.

Host Checker can analyze almost anything on the client PC and you can then use this information to allow or disallow mapping to a role. We base a lot of decisions on obscure registry items. If there is a registry item which has the MAC address in it, you could use this for the type of check you want to do - at least on a PC. The PDA will be tougher - the Host Checker functionality for Windows Mobile devices is less evolved than for PCs.

Ken

imtravis_ · ‎10-13-2009

Another option could be to use a client certificate based authentication as a secondary, and just have the client certs installed from an internal resource only. Then only allow those devices with the cert to be able to authenticate. I believe you can base the client cert off of the MAC address.

123go_ · ‎10-14-2009

MAC addresses can be spoofed (google search 'spoof mac address') so from a security standpoint it is not really the best option.

You can either go the client certificate route (but in this case you are authenticating the user, not the device) or the machine certificate route.

The Machine Certificate check is available underHost checker > New Policy > Windows: Custom: Machine Certificate.

You can restrict access to a subset Machine Certificate issued by a particular CA only (by installing the cert in Trusted client CA) or specific CA DN.

Of course you need to issue and manage these certificates on the endpoints (wether they are user certificates or machine certificates).

Other options are available too (e.g "hidden" registry check) but they are less secure as registry can be edited, if you know what you need in order to pass the host check.

how to do device binding

how to do device binding

Re: how to do device binding

Re: how to do device binding

Re: how to do device binding

Re: how to do device binding