Help blocking smart devices from using VPN

ROD FRANKLIN (Level 1)

Hello,

I am looking for a solution to block smart devices from connecting to our network via VPN. Our current VPN solution is an ASA5520 and we are using Cisco ACS for user authentication. We use the Cisco VPN client only, no AnyConnect or SSL VPN.

Management is looking for a way we can stop smart devices from using VPN clients to connect and only allow laptops/desktops to connect.

Does anyone have a way we can do this via ACS or another method?

Accepted Solution

Worring - I block iPhones & iPads all around my global network with 100% accuracy with a few simple lines of config:-

group-policy <> attributes
 client-access-rule 1 deny type "iPhone OS" version *
 client-access-rule 2 permit type * version *

As it actually works on the device OS - not the Cisco VPN Client version.


10 Replies

andrew.prince (Level 10)

You can do this to a point: you can define the flavour of VPN client that is able to connect. Use your favourite search engine for "client access rules".


Thanks, but the client access rules will not solve this problem. I just connected with my iPhone; it has a built-in Cisco VPN client as part of Apple iOS... I was thinking more along the lines of being able to deny MAC tables based on manufacturer.

The domain membership idea might be worth looking into as well for us...


OK, I will try it again, but according to this documentation the type must match what is displayed in show vpn-sessiondb remote. When I run that command all I see is type IPsec... nothing about iOS or client version numbers:

version: Identifies the device version via free-form strings, for example 7.0. A string must match exactly its appearance in the show vpn-sessiondb remote display, except that you can use the * character as a wildcard.

You should see something like "Client Type  : WinNT". If you see nothing, then the remote device is not sending the remote device type.
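As an added illustration (not code from this thread, from Cisco, or from any poster), the following Python script pulls the Client Type and Client Ver fields out of a constructed show vpn-sessiondb remote listing and evaluates each session against the two client-access-rule lines from the accepted answer, in priority order. The sample output, the usernames and addresses, and the first-match / no-match-means-deny semantics are all assumptions made for the example; check them against the command reference for your ASA release.

```python
import fnmatch
import re

# Constructed sample of `show vpn-sessiondb remote` output for three sessions.
# The field layout is an assumption modelled on the "Client Type  : WinNT"
# line quoted in this thread; real ASA output carries more fields.
SAMPLE_SESSIONDB = """\
Session Type: IPsec

Username     : alice                  Index        : 12
Assigned IP  : 10.10.10.5             Public IP    : 198.51.100.10
Protocol     : IKEv1 IPsec
Client Type  : WinNT                  Client Ver   : 5.0.07.0440

Username     : bob                    Index        : 13
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.11
Protocol     : IKEv1 IPsec
Client Type  : iPhone OS              Client Ver   : 6.1.3

Username     : carol                  Index        : 14
Assigned IP  : 10.10.10.7             Public IP    : 198.51.100.12
Protocol     : IKEv1 IPsec
Client Type  : Mac OS X               Client Ver   : 4.9.01.0180
"""

# The two rules from the accepted answer, as (priority, action, type, version).
GROUP_POLICY_RULES = [
    (1, "deny", "iPhone OS", "*"),
    (2, "permit", "*", "*"),
]

# Matches "Label  : value" where the value ends at two-or-more spaces before
# the next column or at end of line, so "iPhone OS" (single inner space) survives.
FIELD_RE = re.compile(
    r"(Username|Client Type|Client Ver)\s*:\s*(.+?)(?=\s{2,}\S|$)", re.M
)


def parse_sessions(text):
    """Return one dict per session block with username, client_type, client_version."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(block)}
        if "Username" in fields:
            sessions.append({
                "username": fields["Username"],
                # Missing fields become "" (a client that sends no type).
                "client_type": fields.get("Client Type", ""),
                "client_version": fields.get("Client Ver", ""),
            })
    return sessions


def evaluate_rules(rules, client_type, client_version):
    """Apply client-access-rules in priority order; first match wins.

    Assumption for this example: when rules are configured and none matches,
    the connection is denied, which is why the accepted answer ends with a
    catch-all permit. Returns (action, matching priority or None).
    """
    for priority, action, type_pat, ver_pat in sorted(rules):
        if (fnmatch.fnmatchcase(client_type, type_pat)
                and fnmatch.fnmatchcase(client_version, ver_pat)):
            return action, priority
    return "deny", None


def audit(text, rules):
    """Map each username in the listing to the action the rules would take."""
    return {
        s["username"]: evaluate_rules(rules, s["client_type"], s["client_version"])[0]
        for s in parse_sessions(text)
    }


if __name__ == "__main__":
    for user, action in audit(SAMPLE_SESSIONDB, GROUP_POLICY_RULES).items():
        print(f"{user}: {action}")
```

Running it shows alice and carol permitted and bob (Client Type "iPhone OS") denied. Reversing the two rules so the wildcard permit comes first makes every session permitted, which is the ordering mistake worth checking for after editing the group policy.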

Confirmed that works!! I was able to prevent my iPhone from connecting:

Tunnel Rejected: Client Type or Version not allowed.

Thanks for the help...one last question for you. Is there a list of common strings for the different OS types that you can block using this command?

I don't understand how the ASA knows what type of OS is connecting. The command "show vpn-sessiondb remote" does not have any client or OS information listed... so how would I know which parameters to block for other smart devices?

To be honest - I have no clue, I just read the command ref guide, then looked at the reported client type - and wrote my config with that, also with a wildcard....and it works for me!!!!

HTH

If I check active VPN sessions using ASDM it shows me client type!!


Thanks for the help!

np glad to help.

Keith Nelson (Level 1)

Hi Rod. I have a similar challenge using ACS 5.2. Haven't tried yet, but my plan is for the ACS (using RADIUS) to verify the device is a member of the domain; in my case I want to control the IP/subnet pool depending on domain membership. Hope someone has a good solution. The solution would also apply to our wireless device access.

-Keith
