topic Preventing mac osx users from using cisco vpn in Network Security

Preventing mac osx users from using cisco vpn

howithink — Mon, 11 Mar 2019 22:26:14 GMT

Hi,

I have setup ASA to act as our vpn server with radius as my authentication server. Users use the cisco vpn client utility to vpn in which has the .pcf file. This .pcf file has the group password, name and so on. Some users went online and found websites to decrypt the group password and have used that on their local macs to vpn in.

That irritates me and i want to know how i can prevent them from logging on. Are there any ways to block by os type within ASA?

Please help!!

thanks

Preventing mac osx users from using cisco vpn

Julio Carvajal — Wed, 08 Feb 2012 23:23:45 GMT

Hello,

So you want to block the remote users vpn connections by the OS, witch kind of vpn is this: SSL vpn or IPSEC remote access vpn?

Julio

Preventing mac osx users from using cisco vpn

howithink — Wed, 08 Feb 2012 23:25:00 GMT

We use ipsec remote access vpn

Preventing mac osx users from using cisco vpn

Julio Carvajal — Wed, 08 Feb 2012 23:36:04 GMT

Hello,

Unfortunately it is not going to work as you will need to use the CSD ( Cisco Secure Desktop) witch will make a host scan and that will work on anyconnect setup not on IPsec remote access configurations.

Regards,

Julio

Do rate all the helpful posts!!!

Preventing mac osx users from using cisco vpn

howithink — Wed, 08 Feb 2012 23:49:08 GMT

Thank you for that response.

With that said is there a way to have at leaset an email alert sent to me by my ASA that states they type of client OS. I know there is a syslog id message which shows you the client type: osx mac or wint nt and so on. Is that email possible?

thanks,

Preventing mac osx users from using cisco vpn

Julio Carvajal — Wed, 08 Feb 2012 23:56:25 GMT

Hello,

That is correct, you can send a syslog list or message via emai, in order to accomplish that do the following:

Logging list test  message x.x.x.x( syslog message for the O.S) 

logging mail test
logging recipient-address email_address

logging from-address email_address

smtp-server ip_address

That shoud make it work!!

Regards,

Julio

Do rate all the helpful posts

Preventing mac osx users from using cisco vpn

howithink — Thu, 09 Feb 2012 14:53:04 GMT

thanks i set it up to get 2 syslog messages: 713120 and 713904.

<165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, Username = xyzcompany\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).

Which is good, now i know who is connected to my vpn and i get an alert, but i also want to know they type of OS they are using. When i do a lookup of syslog message id: 713904, that is suppose to give me the OS type (ex: winnt mac ox and so on), but i am not getting that.

Any reason why i dont get an alert from message id 713904, but i get one from 713120.

thanks

Preventing mac osx users from using cisco vpn

mvsheik123 — Thu, 09 Feb 2012 16:10:46 GMT

Hi,

I never tried this but the 'client-access-rules' command under group policy might work for you to restrict the MAC client by setting up deny /permit OS type. Check the below discussion...

https://supportforums.cisco.com/message/3533229#3533229

hth

Preventing mac osx users from using cisco vpn

howithink — Thu, 09 Feb 2012 17:05:47 GMT

Mvsheik123....thank you! That worked beautifully. I was able to block Mac OS X users by defining a policy and allow everyone else in. Perfect!

Now is there a way to also get an email alert?

thanks

Re: Preventing mac osx users from using cisco vpn

mvsheik123 — Thu, 09 Feb 2012 17:17:06 GMT

Glad to hear that. Now, are you looking to receive an email when the mac users access denied? If so - as long as the deny message is in ASA logs ( you may need to test by enablling different logging methods for exact message ID), please follow config provided by Julio.it should work.

Thx