IOS devices authentication and verification with AnyConnect

mathieuchartier · ‎04-07-2014

Hi,

We are currently using Anyconnect on IOS devices to remotely access our network via our ASA. We want to implement a security check to valide that the user is using his corporate device, and not de personal device...Is there a way to achieve that? By checking a property on the device or a certificate?

We are managing our devices with Xenmobile mdm...so we can oush properties or certificate trouth it..

Thanks!

Jordan1212 · ‎09-25-2015

Wondering if there has been any good solution to this yet. It seems like it should be possible. I have a two factor SSL VPN configured, which works great, but would like to implement a validation check to ensure only corporate devices can connect via AnyConnect.

Have been reading about certificate validation, but have not been able to successfully implement. Not looking to use certificates for authentication, but only device validation.

srsalari · ‎09-25-2015

Hi jleasher,

Can you please share the two factor SSL VPN solution?

I am looking for a such solution.

thanks

Jordan1212 · ‎09-25-2015

DUO Security with mobile soft tokens via Cisco ACS and Radius.

chbuey · ‎09-29-2015

The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operation system, antivirus, antispyware, and firewall software installed on the host. The HostScan application is the application that gathers this information.

In the ASA, you can create a policy that checks endpoint attributes. Based on the result of the policy evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.

Please visit the link below it has more information on the AnyConnect Posture Module.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac05hostscanposture.pdf

Marvin Rhoads · ‎09-29-2015

AnyConnect Posture Module can do this for Windows, OS X and Linux clients. It does require AnyConnect Apex licensing on the ASA. It CANNOT do this for iOS or Android devices.

If your organization uses ISE, ISE can integrate with your Mobile Device Management system (or you can enter device MAC addresses manually) to authenticate at the device level (in addition to the user level) for all device types.

Regarding two factor authentication - I can say the DUO Security solution is one of the slickest I've seen. They have great instructions on how to set it up on their web site and the product is very flexible.

Jordan1212 · ‎09-29-2015

Thank you very much Marvin and chbuey for the input. We have just implemented ISE and I will be working towards VPN authentication via ISE.

Jordan1212 · ‎10-06-2015

Hi Marvin,

For determining an endpoint device MAC address with ISE over VPN authentication, does this require the posturing license with Apex?

I have ISE fielding VPN authentications and it works great, however the endpoints only show up by source IP address. So far all references I have found are relating to Inline Posture Node by an HTTP SPAN probe, but requires setting promiscuous mode to accept on the virtual switch with VM's.

I am trying to create a VPN MAB pool for approved corporate iPhones or potentially looking into the MDM incorporation. Essentially looking to do triple factor authentication by user/pass, token and approved corporate device, just as long as I can correctly identify the remote device.

Any documentation would be greatly appreciated.

Thanks!