Cisco Support Community
New Member

Preventing mac osx users from using cisco vpn

Hi,

I have set up an ASA to act as our VPN server with RADIUS as my authentication server. Users use the Cisco VPN client utility to VPN in, which has the .pcf file. This .pcf file has the group password, name and so on. Some users went online and found websites to decrypt the group password and have used that on their local Macs to VPN in.

That irritates me and I want to know how I can prevent them from logging on. Are there any ways to block by OS type within the ASA?

Please help!!

thanks

9 REPLIES

Preventing mac osx users from using cisco vpn

Hello,

So you want to block the remote users' VPN connections by OS. Which kind of VPN is this: SSL VPN or IPsec remote access VPN?

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Preventing mac osx users from using cisco vpn

We use IPsec remote access VPN.

Preventing mac osx users from using cisco vpn

Hello,

Unfortunately it is not going to work, as you will need to use CSD (Cisco Secure Desktop), which will make a host scan, and that will work on an AnyConnect setup, not on IPsec remote access configurations.

Regards,

Julio

Do rate all the helpful posts!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Preventing mac osx users from using cisco vpn

Thank you for that response.

With that said, is there a way to have at least an email alert sent to me by my ASA that states the type of client OS? I know there is a syslog ID message which shows you the client type: osx mac or win nt and so on. Is that email possible?

thanks,

Preventing mac osx users from using cisco vpn

Hello,

That is correct, you can send a syslog list or message via email. In order to accomplish that, do the following:

logging list test message x.x.x.x (syslog message for the OS)
logging mail test
logging recipient-address email_address
logging from-address email_address
smtp-server ip_address

That should make it work!!

Regards,

Julio

Do rate all the helpful posts



Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Preventing mac osx users from using cisco vpn

Thanks, I set it up to get 2 syslog messages: 713120 and 713904.

<165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, Username = xyzcompany\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).

Which is good, now I know who is connected to my VPN and I get an alert, but I also want to know the type of OS they are using. When I do a lookup of syslog message ID 713904, that is supposed to give me the OS type (ex: winnt, mac osx and so on), but I am not getting that.

Any reason why I don't get an alert from message ID 713904, but I get one from 713120?

thanks
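
An added example, not part of the original thread: a collector-side filter for the syslog line format quoted in the post above, keeping only the message IDs that were placed in the logging list. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re

# Layout of the line quoted in the post:
#   <PRI>timestamp: %ASA-<severity>-<message id>: <text>
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>.+?): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# The message text carries comma-separated "Key = value" pairs.
FIELD_RE = re.compile(r"\b(Group|Username|IP) = ([^,]+)")

WATCHED_IDS = {"713120", "713904"}  # the IDs the poster added to the logging list

SAMPLE_LINES = [
    # Line quoted in the thread.
    r"<165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, "
    r"Username = xyzcompany\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).",
    # Constructed: unrelated message ID, must be filtered out.
    "<166>Feb 09 2012 06:49:10: %ASA-6-000000: constructed unrelated event",
    # Constructed: PRI severity (5) disagrees with the tag (4), must be rejected.
    "<165>Feb 09 2012 06:50:02: %ASA-4-713120: Group = g, Username = u, IP = 10.0.0.1",
]


def parse_asa_line(line):
    """Return a dict for one ASA syslog line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    facility, severity = pri >> 3, pri & 7   # PRI = facility * 8 + severity
    if severity != int(m.group("sev")):
        return None
    rec = {"facility": facility, "severity": severity,
           "timestamp": m.group("ts"), "msgid": m.group("msgid")}
    for key, value in FIELD_RE.findall(m.group("text")):
        rec[key.lower()] = value.strip()
    return rec


def watched_events(lines, ids=WATCHED_IDS):
    """Keep parsed records whose message ID is in the watched set."""
    parsed = (parse_asa_line(line) for line in lines)
    return [rec for rec in parsed if rec and rec["msgid"] in ids]


if __name__ == "__main__":
    for rec in watched_events(SAMPLE_LINES):
        print(rec)
```

The PRI value 165 in the quoted line decodes to facility 20 and severity 5, which agrees with the `%ASA-5-` tag; the parser uses that agreement as a sanity check on each line.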

Preventing mac osx users from using cisco vpn

Hi,

I never tried this, but the 'client-access-rules' command under group policy might work for you to restrict the Mac client by setting up deny/permit OS type. Check the below discussion...

https://supportforums.cisco.com/message/3533229#3533229

hth

MS

New Member

Preventing mac osx users from using cisco vpn

Mvsheik123....thank you! That worked beautifully. I was able to block Mac OS X users by defining a policy and allow everyone else in. Perfect!

Now is there a way to also get an email alert?

thanks

Re: Preventing mac osx users from using cisco vpn

Glad to hear that. Now, are you looking to receive an email when the Mac users' access is denied? If so, as long as the deny message is in the ASA logs (you may need to test by enabling different logging methods for the exact message ID), please follow the config provided by Julio. It should work.

Thx

MS
