Blocking Unauthorized or Non-Compliant VPN Devices
==================================================

In some situations, correct user credentials may be supplied to log into a VPN, but the device itself is not approved for use on the network. This may be the result of stolen credentials being used to access the network, or an authorized user signing into the network with an unapproved or non-compliant device.

Genian NAC can block these unapproved devices at Layer 3 using a Network Sensor deployed in Mirror Mode.

.. image:: /images/vpn-mirror.png
   :width: 600 px

Configure Sensor
----------------

To configure a Sensor in Mirror Mode, see: :doc:`/controlling/config-mirror`

Configure Groups and Enforcement Policies
-----------------------------------------

Enforcing against VPN users with a Mirror Sensor uses the same configurations that are used for ARP Enforcement in a LAN environment. Simply create Groups and Enforcement Policies to define which nodes, devices, or users can access which network resources and at which times. It is also possible to redirect the non-compliant node to a captive portal, where they can be served with a message from the administrator, or required to download an agent. You can create separate Groups and Policies for VPN users.

The Mirror Sensor will use TCP Reset or ICMP unreachable replies to block any attempted access to prohibited resources. The VPN connection itself will remain unaltered.

To create Groups and Enforcement Policies to allow or disallow access, see:

- :doc:`/monitoring/network-nodes/managing-nodegroups`
- :doc:`/controlling/enforcement-policy/policy-nodegroup`

.. note:: Traffic detected by a Mirror Sensor does not result in the creation of a node in the Web Console. Therefore traffic may be blocked without any logging occurring.
   Nodes with an Agent installed will be shown in the Web Console, and logging will occur when their policy status changes. Use of the Agent is recommended for gathering endpoint information.

For more content relating to VPN users, see:

- :doc:`/authentication/enabling-authentication/vpn-users`
- :doc:`/controlling/integration-cisco_asa`