01-12-2012 09:18 AM
Hello,
I am looking for a solution to block smart devices from connecting to our network via VPN. Our current VPN solution is an ASA5520 and we are using Cisco ACS for user authentication. We use the Cisco VPN client only, no AnyConnect or SSL VPN.
Management is looking for a way we can stop smart devices from using VPN clients to connect and only allow laptops/desktops to connect.
Does anyone have a way we can do this via ACS or another method?
01-13-2012 01:16 AM
Worring - I block iPhones and iPads all around my global network with 100% accuracy with a few simple lines of config:
group-policy <
client-access-rule 1 deny type "iPhone OS" version *
client-access-rule 2 permit type * version *
As it actually works on the device OS - not the Cisco VPN Client version.
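A fuller version of the group-policy block above, written out as an added example rather than the poster's own configuration. The policy name RA-IPSEC-POLICY is a placeholder, and every client-type string except "iPhone OS" and "WinNT" (the two confirmed later in this thread) is an assumption to check against what your own ASA reports before you rely on it:

```cisco
! Added example, not the original poster's config.
! RA-IPSEC-POLICY is a placeholder; use the group-policy your IPsec
! tunnel-group actually applies.
group-policy RA-IPSEC-POLICY attributes
 ! Rules are evaluated in order; the first match wins.
 ! "iPhone OS" is the type string the thread confirmed for iPhone/iPad.
 client-access-rule 1 deny type "iPhone OS" version *
 ! Explicit catch-all permit. Once any client-access-rule exists, a client
 ! that matches no rule is denied, so without this line nobody connects.
 client-access-rule 2 permit type * version *
!
! Stricter alternative: permit only the client types you have observed and
! let everything else fall through to the implicit deny. "WinNT" was seen in
! this thread; "Linux" and "Mac OS X" are assumed strings, verify them first.
! group-policy RA-IPSEC-POLICY attributes
!  client-access-rule 1 permit type "WinNT" version *
!  client-access-rule 2 permit type "Linux" version *
!  client-access-rule 3 permit type "Mac OS X" version *
!
! Check what each client reports before writing rules. The plain
! "show vpn-sessiondb remote" output does not list it (as noted below);
! the detail form is where I would expect Client Type / Client Ver
! lines to appear (assumption, confirm on your own box):
! show vpn-sessiondb detail remote
```

Two caveats worth keeping in mind. First, the deny-then-permit-all pattern fails open: any client that sends a type string you did not list (or no type at all) is admitted, which is why the permit-list variant is the safer shape if you can enumerate your supported clients. Second, the type and version strings are supplied by the client during the IKE exchange, so this is a policy check against well-behaved clients, not an authenticating control; a modified client can present whatever string it likes, and domain membership or certificate-based checks are needed if the requirement is to keep unmanaged devices out.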
01-12-2012 11:09 AM
You can do this to a point: you can define the flavour of VPN client that is able to connect. Use your favourite search engine for "client access rules".
01-12-2012 01:38 PM
Thanks, but the client access rules will not solve this problem. I just connected with my iPhone; it has a built-in Cisco VPN client as part of Apple iOS. I was thinking more along the lines of being able to deny MAC tables based on manufacturer.
The domain membership idea might be worth looking into as well for us...
01-13-2012 07:25 AM
OK, I will try it again, but according to this documentation the type must match what is displayed in show vpn-sessiondb remote. When I run that command all I see is type ipsec, nothing about iOS or client version numbers:
version - Identifies the device version via free-form strings, for example 7.0. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.
01-13-2012 08:25 AM
You should see something like "Client Type : WinNT". If you see nothing, then the remote device is not sending the device type.
01-13-2012 08:36 AM
Confirmed that works! I was able to prevent my iPhone from connecting:
Tunnel Rejected: Client Type or Version not allowed.
Thanks for the help. One last question for you: is there a list of common strings for the different OS types that you can block using this command?
I don't understand how the ASA knows what type of OS is connecting. The command "show vpn-sessiondb remote" does not have any client or OS information listed, so how would I know which parameters to block for other smart devices?
01-13-2012 08:49 AM
To be honest, I have no clue. I just read the command reference guide, then looked at the reported client type and wrote my config with that, also with a wildcard, and it works for me!
HTH
01-13-2012 09:06 AM
If I check active VPN sessions using ASDM, it shows me the client type!
Thanks for the help!
01-13-2012 09:08 AM
No problem, glad to help.
01-12-2012 11:54 AM
Hi Rod. I have a similar challenge using ACS 5.2. I haven't tried it yet, but my plan is for the ACS (using RADIUS) to verify that the device is a member of the domain; in my case I want to control the IP/subnet pool depending on domain membership. Hope someone has a good solution. The solution would also apply to our wireless device access.
-Keith