Disabling SSL clientless login without disabling anyconnect

Please bear with me - I know little of the ASAs, am not really a security person, and don't have access to the equipment. I am trying to help almost by hearsay.

The description I have is:

We cannot disable SSL Clientless login without disabling fat client login (AnyConnect) or posture checking.

What this essentially means is once the service goes in, for the VPN solution to work we cannot stop the public facing ASA IP address from allowing https over port 443 connectivity.

OK the box will not allow individuals to login because they would fail the posture checks but by that stage we have reduced the attack surface as a potential attacker already knows what vendor solution we are using and who they are potentially attacking from the certificate.

ASA 5550 8.3.1

ASDM version 6.3.1
AnyConnect 2.4.1012
CSD 3.5.1077

Thanks for any pointers

2 REPLIES
Cisco Employee

Re: Disabling SSL clientless login without disabling anyconnect

In short, no.

AnyConnect also uses HTTP over SSL to login. So you cannot disable SSL session establishment in any way, as it is needed for AnyConnect. The difference between Clientless and AnyConnect is that the ASA detects AnyConnect by the User-Agent HTTP header field and redirects it to a different path. Even if you could prevent access for other User-Agents, this can be easily spoofed, so a potential attacker can still take a peek, but I am not sure how useful that would be.
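To make the point in the reply concrete, here is a small model of the routing step it describes: every HTTPS request reaches the same listener, and only the User-Agent header decides whether the request is handed to the AnyConnect flow or to the clientless portal. This is an added example, not Cisco's code; the ASA's actual matching logic is not on this page, so the token `AnyConnect`, the host name `vpn.example.com` and the request bodies are assumed or constructed for illustration.

```python
"""Model of User-Agent based flow selection on an SSL VPN front end.

Added example, not Cisco's implementation. The ASA's real matching rule is
not public here; the substring 'AnyConnect' is an assumed marker.
"""
from __future__ import annotations

# Assumed token. Whatever the real gateway keys on, the value is supplied
# entirely by the connecting client.
ANYCONNECT_TOKEN = "AnyConnect"


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request (as seen after TLS decryption) into
    (method, path, headers). Header names are lower-cased so lookups are
    case-insensitive, which HTTP requires."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def select_flow(raw: bytes) -> str:
    """Return which login flow the gateway model hands this request to.

    There is no separate listener to close: the same port 443 session is
    classified only after the request headers arrive. A missing or
    unrecognised User-Agent falls through to the clientless portal.
    """
    _method, _path, headers = parse_request(raw)
    user_agent = headers.get("user-agent", "")
    return "anyconnect" if ANYCONNECT_TOKEN in user_agent else "clientless"


def build_request(user_agent: str | None, path: str = "/") -> bytes:
    """Construct a minimal request for testing (constructed sample data).

    The host name is a placeholder; the AnyConnect version string is the one
    listed in the question.
    """
    lines = [f"GET {path} HTTP/1.1", "Host: vpn.example.com"]
    if user_agent is not None:
        lines.append(f"User-Agent: {user_agent}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


if __name__ == "__main__":
    for ua in ("AnyConnect Windows 2.4.1012", "Mozilla/5.0 (Windows NT 6.1)", None):
        print(f"{ua!r:40} -> {select_flow(build_request(ua))}")
```

Because the only input to `select_flow` is a header the client wrote, the classification identifies a client but cannot authenticate one, which is why the reply treats filtering on it as cosmetic: the TLS listener and its certificate are reachable regardless, and the authentication and posture (CSD) checks behind it remain the controls that actually decide access.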

Re: Disabling SSL clientless login without disabling anyconnect

Many thanks for the response, I will forward the comments on.

Paul.
