02-08-2012 02:43 PM - edited 03-11-2019 03:26 PM
Hi,
I have set up an ASA to act as our VPN server with RADIUS as my authentication server. Users use the Cisco VPN client utility to VPN in, which has the .pcf file. This .pcf file has the group password, name and so on. Some users went online and found websites to decrypt the group password and have used that on their local Macs to VPN in.
That irritates me and I want to know how I can prevent them from logging on. Are there any ways to block by OS type within ASA?
Please help!!
thanks
02-08-2012 03:23 PM
Hello,
So you want to block the remote users' VPN connections by OS. Which kind of VPN is this: SSL VPN or IPsec remote access VPN?
Julio
02-08-2012 03:25 PM
We use IPsec remote access VPN.
02-08-2012 03:36 PM
Hello,
Unfortunately it is not going to work, as you will need to use CSD (Cisco Secure Desktop), which will make a host scan, and that will work on an AnyConnect setup, not on IPsec remote access configurations.
Regards,
Julio
Do rate all the helpful posts!!!
02-08-2012 03:49 PM
Thank you for that response.
With that said, is there a way to have at least an email alert sent to me by my ASA that states the type of client OS? I know there is a syslog ID message which shows you the client type: osx mac or win nt and so on. Is that email possible?
Thanks,
02-08-2012 03:56 PM
Hello,
That is correct, you can send a syslog list or message via email. In order to accomplish that, do the following:

logging list test message x.x.x.x    (syslog message for the O.S)
logging mail test
logging recipient-address email_address
logging from-address email_address
smtp-server ip_address

That should make it work!!
Regards,
Julio
Do rate all the helpful posts
02-09-2012 06:53 AM
Thanks, I set it up to get 2 syslog messages: 713120 and 713904.
<165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, Username = xyzcompany\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).
Which is good, now I know who is connected to my VPN and I get an alert, but I also want to know the type of OS they are using. When I do a lookup of syslog message ID 713904, that is supposed to give me the OS type (ex: winnt mac ox and so on), but I am not getting that.
Any reason why I don't get an alert from message ID 713904, but I get one from 713120?
Thanks
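An added example (not part of the thread and not Cisco code): a small Python filter that a syslog collector could run over ASA output to pull Group, Username and IP from the 713120 line quoted above, and to report watched message IDs that never show up in the feed. The second and third sample lines are constructed, and the function names are hypothetical.

```python
import re

# Optional <PRI>, timestamp, then %ASA-<severity>-<6-digit message ID>: <text>
ASA_LINE = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<ts>.*?):\s*%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)
# "Key = value" pairs as they appear in the 713120 line quoted in the thread
FIELD = re.compile(r"(\w+) = ([^,]+)")

def parse_asa_line(line):
    """Return a dict for one ASA syslog line, or None if it is not ASA-formatted."""
    m = ASA_LINE.match(line.strip())
    if m is None:
        return None
    return {
        "timestamp": m["ts"].strip(),
        "severity": int(m["sev"]),
        "msgid": m["msgid"],
        "fields": {k: v.strip() for k, v in FIELD.findall(m["text"])},
    }

def watch(lines, watched_ids):
    """Return (matching events, watched IDs that never appeared in the input)."""
    hits, seen = [], set()
    for line in lines:
        ev = parse_asa_line(line)
        if ev and ev["msgid"] in watched_ids:
            hits.append(ev)
            seen.add(ev["msgid"])
    return hits, sorted(set(watched_ids) - seen)

SAMPLE = [
    # Line as posted in the thread
    r"<165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, "
    r"Username = xyzcompany\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).",
    # Constructed lines: a second session and an unrelated message
    r"<165>Feb 09 2012 06:52:10: %ASA-5-713120: Group = vpnaccess-xyz123, "
    r"Username = xyzcompany\asmith, IP = 10.10.10.11, PHASE 2 COMPLETED (msgid=xxxxxx).",
    "<166>Feb 09 2012 06:52:11: %ASA-6-302013: constructed unrelated message",
]

if __name__ == "__main__":
    events, missing = watch(SAMPLE, {"713120", "713904"})
    for ev in events:
        f = ev["fields"]
        print(ev["timestamp"], ev["msgid"], f.get("Username"), f.get("IP"), f.get("Group"))
    print("watched IDs never seen:", missing)
```

An ID listed as never seen means the ASA did not emit it at the configured logging level or for that session type, which is worth checking before troubleshooting the mail settings.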
02-09-2012 08:10 AM
Hi,
I never tried this, but the 'client-access-rules' command under group policy might work for you to restrict the Mac client by setting up deny/permit by OS type. Check the discussion below...
https://supportforums.cisco.com/message/3533229#3533229
hth
MS
02-09-2012 09:05 AM
Mvsheik123....thank you! That worked beautifully. I was able to block Mac OS X users by defining a policy and allow everyone else in. Perfect!
Now is there a way to also get an email alert?
thanks
02-09-2012 09:17 AM
Glad to hear that. Now, are you looking to receive an email when the Mac users' access is denied? If so, as long as the deny message is in the ASA logs (you may need to test by enabling different logging methods for the exact message ID), please follow the config provided by Julio. It should work.
Thx
MS