Allow only smartphones via anyconnect

mdelapina
Level 1

Is this possible? The goal being to allow only smartphones/tablets; no laptops with full-blown OSes.

If you have the AnyConnect Essentials and the AnyConnect Mobile license, would it be as simple as issuing the "no anyconnect-essentials" command? According to the docs this only disables AnyConnect Essentials, but leaves the license intact. I'm hoping that would mean that AnyConnect for Mobile would still work. Or maybe there is another way to accomplish this?

Unfortunately I don't have the liberty of testing and can't find this in the documentation.

~thanks

Accepted Solutions

Marvin Rhoads
Hall of Fame

"no anyconnect-essentials" turns off that license feature in favor of the AnyConnect Premium license.

AnyConnect for Mobile requires one or the other license in order to function.

To enforce a device type restriction, you'd normally use Dynamic Access Policy (with AnyConnect Premium) and the Cisco Secure Desktop feature. However, CSD is only supported on Windows / OS X / Linux. (Example)

Another way you could do it would be with device certificates. Check endpoints for the presence of a certificate (which you'd need to deploy) and only allow valid certificate-holding devices to be authenticated. That's how it's done (among other features) with Cisco ISE. ISE eases the pain somewhat by deploying the certificate as part of the device / user on-boarding. Doing it with ASA alone would require you to use a 3rd party certificate deployment (or possibly SCEP but I don't think you could enforce the mobile device only in the SCEP enrollment).


It can be achieved with DAP alone. With only AnyConnect Essentials there is no full HostScan available, as that needs AnyConnect Premium. But differentiating whether the connecting device is a mobile device is still possible in DAP.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
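As an added illustration of the DAP-only approach described above (this is not configuration from the thread or from Cisco), here is the kind of advanced (Lua) DAP condition an administrator would attach to a record whose action is Terminate. The attribute name `endpoint.anyconnect.platform` and the platform strings "apple-ios" / "android" are assumptions; verify them against the DAP endpoint-attribute reference for the ASA release in use before relying on them.

```lua
-- Advanced (Lua) condition for a DAP record whose Action is set to Terminate.
-- It evaluates true for any session whose reported AnyConnect platform is
-- not one of the mobile values, so desktop clients are dropped and mobile
-- clients fall through to the default (or a more specific "Continue") record.
-- Assumption: the attribute name and the strings "apple-ios" / "android"
-- match the DAP endpoint-attribute table for the ASA release in use.
-- A session that reports no platform at all also evaluates true here, so
-- anything that is not positively identified as mobile is terminated.
not (
  EVAL(endpoint.anyconnect.platform, "EQ", "apple-ios", "string") or
  EVAL(endpoint.anyconnect.platform, "EQ", "android", "string")
)
```

Check the result from both a desktop and a phone in ASDM's DAP test tool (or a lab tunnel group) before enforcing it, and remember that a client-reported platform string is not a strong identity control; Marvin's certificate-based approach is the stronger gate.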


5 Replies


Thanks for the clarification, Karsten. I wasn't sure if DAP could be used without CSD.

Thank you Marvin and Karsten. DAP appears to be the key; will look in this direction.

You're welcome.

I came across an example of just this feature by coincidence while researching another issue today.

https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=6038&backBtn=true

See slide #113 in the presentation.
