08-14-2013 11:40 AM - edited 02-21-2020 07:05 PM
Is this possible? The goal being to allow only smartphones/tablets; no laptops with full-blown OSes.
If you have the AnyConnect Essentials and the AnyConnect Mobile license, would it be as simple as issuing the "no anyconnect-essentials" command? According to the docs this only disables AnyConnect Essentials, but leaves the license intact. I'm hoping that would mean that AnyConnect for Mobile would still work. Or maybe there is another way to accomplish this?
Unfortunately I don't have the liberty of testing and can't find this in the documentation.
~thanks
08-14-2013 08:43 PM
"no anyconnect-essentials" turns off that license feature in favor of the AnyConnect Premium license.
AnyConnect for Mobile requires one or the other license in order to function.
To enforce a device type restriction, you'd normally use Dynamic Access Policy (with AnyConnect Premium) and the Cisco Secure Desktop feature. However, CSD is only supported on Windows / OS X / Linux. (Example)
Another way you could do it would be with device certificates. Check endpoints for the presence of a certificate (which you'd need to deploy) and only allow valid certificate-holding devices to be authenticated. That's how it's done (among other features) with Cisco ISE. ISE eases the pain somewhat by deploying the certificate as part of the device / user on-boarding. Doing it with ASA alone would require you to use a third-party certificate deployment (or possibly SCEP, but I don't think you could enforce mobile-device-only in the SCEP enrollment).
08-14-2013 11:53 PM
It can be achieved with DAP alone. With only AnyConnect Essentials there is no full HostScan available, as that needs AnyConnect Premium. But differentiating whether the connecting device is a mobile device is still possible in DAP.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
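As an added illustration of the DAP-only approach Karsten describes (and the device-type restriction Marvin mentions), not something posted in this thread, this is the shape of a DAP selection expression that matches only AnyConnect mobile clients. It goes in the Advanced (Lua) expression field of a DAP record in ASDM; the record name, the `action` settings, and the exact platform strings `apple-ios` and `android` are assumptions that you should confirm against what your ASA version actually reports (see the check below).

```lua
-- Added example for the Mobile_Only DAP record (hypothetical name, not from the thread).
-- Matches when the AnyConnect client reports an iOS or Android platform.
-- Platform strings are assumed values; verify them with "debug dap trace".
(EVAL(endpoint.anyconnect.platform, "EQ", "apple-ios", "string") or
 EVAL(endpoint.anyconnect.platform, "EQ", "android",   "string"))
```

To make this a whitelist rather than just a match, pair it with two DAP records: the `Mobile_Only` record above with `action continue`, and the built-in `DfltAccessPolicy` set to `action terminate` with a `user-message` explaining that only mobile clients are permitted, so any session that matches no mobile platform is dropped. Before relying on it, connect once from each device type and run `debug dap trace` on the ASA; the trace prints the `endpoint.anyconnect.platform` value each client actually sends, which is the only reliable way to get the strings right. Keep in mind the caveat that follows from how this works: the platform value is reported by the client itself, so DAP alone enforces policy against honest clients but is not device authentication. If you need to stop a laptop that lies about its platform, the device-certificate approach Marvin describes is the stronger control, and DAP can then require the certificate attribute as well as the platform.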
08-15-2013 06:54 AM
Thanks for the clarification, Karsten. I wasn't sure if DAP could be used without CSD.
08-15-2013 07:49 AM
Thank you Marvin and Karsten. DAP appears to be the key; will look in this direction.
08-15-2013 04:02 PM
You're welcome.
I came across an example of just this feature by coincidence while researching another issue today.
https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=6038&backBtn=true
See slide #113 in the presentation.