IOS devices authentication and verification with AnyConnect

Apr 7th, 2014

Hi,

 

We are currently using AnyConnect on iOS devices to remotely access our network via our ASA. We want to implement a security check to validate that the user is using his corporate device, and not the personal device... Is there a way to achieve that? By checking a property on the device or a certificate?

 

We are managing our devices with XenMobile MDM... so we can push properties or certificates through it.

 

Thanks!

jleasher1 Fri, 09/25/2015 - 07:14

Wondering if there has been any good solution to this yet.  It seems like it should be possible.  I have a two factor SSL VPN configured, which works great, but would like to implement a validation check to ensure only corporate devices can connect via AnyConnect.

Have been reading about certificate validation, but have not been able to successfully implement it. Not looking to use certificates for authentication, but only for device validation.
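One way to get the device check described above on an ASA, as an added example that is not from the original thread and not from Cisco's documentation: keep the user factors on the existing RADIUS (Duo) backend and require, on top of that login, a client certificate issued by the corporate device CA, so the certificate acts only as the corporate-device marker. The trustpoint name CORP-DEVICE-CA, the issuer CN "Corp Device CA", the tunnel-group CORP-VPN and the AAA server group RADIUS-DUO are assumed names; the device certificate is assumed to be issued by that CA and delivered to enrolled devices by the MDM.

```text
! Added example (assumed names): ASA config that requires a corporate-device
! certificate in addition to the existing AAA login for AnyConnect.

! 1. Trust the corporate device CA (the CA whose certificates the MDM pushes).
crypto ca trustpoint CORP-DEVICE-CA
 enrollment terminal
crypto ca authenticate CORP-DEVICE-CA
! ... paste the CA's PEM certificate when prompted ...

! 2. Match only client certificates issued by that CA.
crypto ca certificate map CORP-DEVICES 10
 issuer-name attr cn eq "Corp Device CA"

! 3. Send matched certificates to the corporate tunnel-group and require
!    BOTH a valid certificate and AAA credentials there.
webvpn
 certificate-group-map CORP-DEVICES 10 CORP-VPN

tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group RADIUS-DUO
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
```

With `authentication aaa certificate` the ASA refuses the session if the client presents no certificate, or one that does not chain to the configured trustpoint, before the RADIUS login is attempted. This proves only that the device holds a certificate from the corporate CA, so it is as strong as the MDM's control over where that certificate and its private key can go; a certificate that can be exported from a managed device can be installed on an unmanaged one.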

 

 

srsalari Fri, 09/25/2015 - 09:26

Hi jleasher,

 

Can you please share the two factor SSL VPN solution?

I am looking for such a solution.

 

thanks 

jleasher1 Fri, 09/25/2015 - 09:35

DUO Security with mobile soft tokens via Cisco ACS and Radius.

chbuey (Cisco Employee) Tue, 09/29/2015 - 06:04

The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, antivirus, antispyware, and firewall software installed on the host. The HostScan application is the application that gathers this information.

 

In the ASA, you can create a policy that checks endpoint attributes. Based on the result of the policy evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.

 

Please visit the link below it has more information on the AnyConnect Posture Module.

 

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac05hostscanposture.pdf

Marvin Rhoads (Cisco Designated VIP) Tue, 09/29/2015 - 06:49

AnyConnect Posture Module can do this for Windows, OS X and Linux clients. It does require AnyConnect Apex licensing on the ASA. It CANNOT do this for iOS or Android devices.

If your organization uses ISE, ISE can integrate with your Mobile Device Management system (or you can enter device MAC addresses manually) to authenticate at the device level (in addition to the user level) for all device types.

Regarding two factor authentication - I can say the DUO Security solution is one of the slickest I've seen. They have great instructions on how to set it up on their web site and the product is very flexible.

jleasher1 Tue, 09/29/2015 - 09:10

Thank you very much Marvin and chbuey for the input.  We have just implemented ISE and I will be working towards VPN authentication via ISE.

jleasher1 Tue, 10/06/2015 - 13:03

Hi Marvin,

For determining an endpoint device MAC address with ISE over VPN authentication, does this require the posturing license with Apex?  

I have ISE fielding VPN authentications and it works great, however the endpoints only show up by source IP address.  So far all references I have found are relating to Inline Posture Node by an HTTP SPAN probe, but requires setting promiscuous mode to accept on the virtual switch with VM's.

I am trying to create a VPN MAB pool for approved corporate iPhones or potentially looking into the MDM incorporation.  Essentially looking to do triple factor authentication by user/pass, token and approved corporate device, just as long as I can correctly identify the remote device.

Any documentation would be greatly appreciated.

Thanks!
