Re: How can I differentiate iPhone VPN users from PC with same u

servicedesk · ‎12-01-2009

We would like to be able to differentiate between VPN connections from iPhones and VPN connections from software clients on PCs.

We currently have 1 common Groupname for VPN connections to our ASA pair, so I assumed I could create a new Groupname for iPhones. This is easy enough however when the users are authenticating via ACS (RSA + AD database mapping) I have no way of differentiating them from their regular PC connections.

I have researched some RADIUS attributes usable in Network Access Profiels however I do not see any option to use Groupname as a filter.

Is this possible? If not, is there another way to differentiate this traffic and ideally assign the iPhone connections different ACL's (or IP addresses which can then be used to apply different ACL's on the ASA)?

Our setup is:

ASA 5520 fail-over pair running 8.0.4, ACL's for each VPN group, RADIUS authentication to ACS, IPSEC VPN

ACS 4.2 for Windows with RSA and AD Database mappings

AD on server 2008 R2, users placed in AD groups to map to ACS groups for IP address assignment

Cheers

Ivan Martinon · ‎12-08-2009

Having an attribute sent from the specific connection is a bit hard, however you can use the featuer of client types on the ASA to restrict what type of users can connect to what groups, the feature is called "client access rule" where you permit sofware clients type windows XP or whatever the client is to a specific group, and deny iphone clients, and you can only allow iphone clients to connect only to specific groups see the following link of the command reference

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2118499

hth

Ivan

How can I differentiate iPhone VPN users from PC with same username?