Preventing mac osx users from using cisco vpn

howithink, Level 1

Hi,

I have set up an ASA to act as our VPN server with RADIUS as my authentication server. Users use the Cisco VPN client utility to VPN in, which has the .pcf file. This .pcf file has the group password, name and so on. Some users went online and found websites to decrypt the group password and have used that on their local Macs to VPN in.

That irritates me and I want to know how I can prevent them from logging on. Are there any ways to block by OS type within ASA?

Please help!!

thanks


9 Replies

Julio Carvajal, VIP Alumni

Hello,

So you want to block the remote users' VPN connections by the OS. Which kind of VPN is this: SSL VPN or IPsec remote access VPN?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

We use IPsec remote access VPN.

Hello,

Unfortunately it is not going to work, as you will need to use CSD (Cisco Secure Desktop), which will make a host scan, and that will work on an AnyConnect setup, not on IPsec remote access configurations.

Regards,

Julio

Do rate all the helpful posts!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for that response.

With that said, is there a way to have at least an email alert sent to me by my ASA that states the type of client OS? I know there is a syslog ID message which shows you the client type: OS X Mac or Win NT and so on. Is that email possible?

thanks,

Hello,

That is correct, you can send a syslog list or message via email. In order to accomplish that, do the following:

logging list test message x.x.x.x   (x.x.x.x = the syslog message ID for the OS message)
logging mail test
logging recipient-address email_address
logging from-address email_address
smtp-server ip_address

That should make it work!!

Regards,

Julio

Do rate all the helpful posts



Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks, I set it up to get 2 syslog messages: 713120 and 713904.

<165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, Username = xyzcompany\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).

Which is good, now I know who is connected to my VPN and I get an alert, but I also want to know the type of OS they are using. When I do a lookup of syslog message ID 713904, that is supposed to give me the OS type (ex: WinNT, Mac OS X and so on), but I am not getting that.

Any reason why I don't get an alert from message ID 713904, but I get one from 713120?

thanks
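Once both messages reach a syslog collector, the pairing the OP is after can be done off-box. The following is an added example (not from the thread or from Cisco): it joins each 713120 "PHASE 2 COMPLETED" event with the client OS reported in the preceding 713904 for the same group and peer IP, so an alert can carry user, IP and OS together. The sample lines are constructed; the 713904 wording ("Client Type: ... Client Application Version: ...") is an assumption about that message's format, so adjust the regex to what your ASA actually logs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not captured from the thread's ASA). The 713120 line mirrors the
# one quoted in the thread; the 713904 "Client Type" wording is an assumed format.
SAMPLE_LOG = """\
<166>Feb 09 2012 06:48:50: %ASA-6-713904: Group = vpnaccess-xyz123, IP = 10.10.10.10, Client Type: Mac OS X  Client Application Version: 4.9.01.0180
<165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, Username = xyzcompany\\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).
<166>Feb 09 2012 07:02:11: %ASA-6-713904: Group = vpnaccess-xyz123, IP = 10.10.10.11, Client Type: WinNT  Client Application Version: 5.0.07.0290
<165>Feb 09 2012 07:02:20: %ASA-5-713120: Group = vpnaccess-xyz123, Username = xyzcompany\\asmith, IP = 10.10.10.11, PHASE 2 COMPLETED (msgid=xxxxxx).
"""

MSG_RE = re.compile(r"%ASA-\d-(\d{6}): (.*)$")          # severity, message id, body
FIELD_RE = re.compile(r"\b(Group|Username|IP) = ([^,]+)")  # "Key = value," pairs
CLIENT_RE = re.compile(r"Client Type: (.+?)\s+Client Application Version: (\S+)")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    # Return message id plus Group/Username/IP (and os/version for 713904), or None.
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"id": m.group(1)}
    rec.update({k.lower(): v.strip() for k, v in FIELD_RE.findall(m.group(2))})
    c = CLIENT_RE.search(m.group(2))
    if c:
        rec["os"], rec["version"] = c.group(1).strip(), c.group(2)
    return rec

def correlate(lines: List[str]) -> List[Dict[str, str]]:
    """Attach the OS from the last 713904 seen for (group, peer IP) to each 713120;
    os/version fall back to 'unknown' when no 713904 preceded the Phase 2 event."""
    pending: Dict[Tuple[str, str], Dict[str, str]] = {}
    sessions = []
    for line in lines:
        rec = parse_line(line)
        if not rec or "group" not in rec or "ip" not in rec:
            continue
        key = (rec["group"], rec["ip"])
        if rec["id"] == "713904" and "os" in rec:
            pending[key] = rec
        elif rec["id"] == "713120":
            client = pending.pop(key, {})
            sessions.append({"username": rec.get("username", "?"), "group": key[0],
                             "ip": key[1], "os": client.get("os", "unknown"),
                             "version": client.get("version", "unknown")})
    return sessions

def sessions_on_os(sessions: List[Dict[str, str]], os_prefix: str) -> List[str]:
    # Usernames whose reported client OS starts with os_prefix, e.g. "Mac OS X".
    return [s["username"] for s in sessions if s["os"].startswith(os_prefix)]
```

Feed the result of `sessions_on_os(correlate(lines), "Mac OS X")` to whatever sends your mail; a session whose OS stays `unknown` tells you the 713904 message never reached the collector, which is the first thing to check against the logging level on the list.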

Hi,

I never tried this, but the 'client-access-rules' command under group policy might work for you to restrict the Mac client by setting up deny/permit by OS type. Check the below discussion...

https://supportforums.cisco.com/message/3533229#3533229

hth

MS

Mvsheik123... thank you! That worked beautifully. I was able to block Mac OS X users by defining a policy and allow everyone else in. Perfect!

Now is there a way to also get an email alert?

thanks

Glad to hear that. Now, are you looking to receive an email when the Mac users' access is denied? If so, as long as the deny message is in the ASA logs (you may need to test by enabling different logging methods for the exact message ID), please follow the config provided by Julio. It should work.

Thx

MS
