cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
386
Views
0
Helpful
0
Replies
Highlighted
Beginner

Restricting VPN access by Client OS on Cisco ASA

Hi,

We need to restrict VPN Users from using routers as L2TP VPN clients. I see that the ASA recognizes their Client OS properly. But if I use client-access-rule matching these values, it doesn't work.

For instance:

sh vpn-sessiondb detail ra-ikev1-ipsec | i GP|Client
Group Policy : VPN-GP Tunnel Group : DefaultRAGroup
Client OS : Microsoft
Client OS Ver: 10.0
Group Policy : VPN-GP Tunnel Group : DefaultRAGroup
Client OS : MikroTik
Client OS Ver: 0.1

!!! Config

group-policy VPN-GP attributes
client-access-rule 1 deny type ZyXEL version *
client-access-rule 2 deny type *Keenetic* version *
client-access-rule 3 deny type *MikroTik* version *
client-access-rule 100 permit type * version *

What's wrong with that config? It doesn't work if I use exact matching without asterisk either.

Maybe the client-access-rule simply is not supposed to work with IPSEC VPN.

Any experience with tasks like that?

Everyone's tags (3)