I've recently started at a new company - as usual, no documentation etc!
Anyway, it seems we have recently been introducing Apple Macs to our previously Windows-only environment. However, the Mac users are unable to connect to our VPN (ASA5545 running 9.6 software)
I looked into it and I think I can see what the problem is.
It seems they are still using Cisco Secure Desktop (I'm a bit puzzled by that as I thought it was now obsolete?) and there are Pre-Login policies defined.
The pre-login policy checks if the connecting device is a Windows device with a particular registry setting then assigns it to a "Secure Device" DAP.
When the Mac connects, it obviously doesn't meet that criteria and it is assigned a "Non-Secure Device" DAP which means it's only permitted as a clientless connection with restricted access.
Therefore, when our MAC users attempt to connect with AnyConnect client, it fails after authentication with the message "unauthorised connection mechanism"
I have a couple of questions:
1) Does the logic above sound correct in identifying the issue?
2) What would be the best way to fix this to allow Mac users to connect via AnyConnect client and still maintain security? Should we simply create a new prelogin policy that checks for a Mac OS and e.g. a particular file? Then assign it to a "Secure Mac device" DAP with similar permissions as the "Secure Device" DAP for our Windows users? Or is there a better way of achieving this?
Any thoughts/advice on this would be welcome! Thanks.
1. Yes, the logic is great. Actually that should be the reason why Mac devices are not able to connect.
2. My first recommendation is to change from CSD and Pre-login to DAP since as you said it is deprecated, but in the meantime you can create the policy for Mac devices and that should be the fastest solution as per now.