AnyConnect prelogin and dynamic access policy - Apple Mac
I've recently started at a new company - as usual, no documentation etc!
Anyway, it seems we have recently been introducing Apple Macs to our previously Windows-only environment. However, the Mac users are unable to connect to our VPN (ASA5545 running 9.6 software)
I looked into it and I think I can see what the problem is.
It seems they are still using Cisco Secure Desktop (I'm a bit puzzled by that as I thought it was now obsolete?) and there are Pre-Login policies defined.
The pre-login policy checks if the connecting device is a Windows device with a particular registry setting then assigns it to a "Secure Device" DAP.
When the Mac connects, it obviously doesn't meet that criteria and it is assigned a "Non-Secure Device" DAP which means it's only permitted as a clientless connection with restricted access.
Therefore, when our MAC users attempt to connect with AnyConnect client, it fails after authentication with the message "unauthorised connection mechanism"
I have a couple of questions:
1) Does the logic above sound correct in identifying the issue?
2) What would be the best way to fix this to allow Mac users to connect via AnyConnect client and still maintain security? Should we simply create a new prelogin policy that checks for a Mac OS and e.g. a particular file? Then assign it to a "Secure Mac device" DAP with similar permissions as the "Secure Device" DAP for our Windows users? Or is there a better way of achieving this?
Any thoughts/advice on this would be welcome! Thanks.
1. Yes, the logic is great. Actually that should be the reason why Mac devices are not able to connect.
2. My first recommendation is to change from CSD and Pre-login to DAP since as you said it is deprecated, but in the meantime you can create the policy for Mac devices and that should be the fastest solution as per now.
This document gives several answers on frequently asked questions for PFRv3 channel state behavior.
Q1: What are all the channel operational states from a BR (border role) perspective and what are the rules/conditions to be in each st...
The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921).
The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN.
I couldn't connect to the hos...
We have 3 identical switches configured by someone else and would like to claim some of the Gigabit ports(G1/G2/G3/G4) for use on servers. When we try to change the wiring and configuration, we run in to connectivity issues. Attached is a des...