Anyconnect 4.0 and Authenticating only Corporate Controlled Clients

shawnalloyd
Level 1

Today we have an environment that allows about 30,000 devices to connect over VPN using AnyConnect 3.x. Some of these devices are corporate owned; others are employees' personal PCs and tablets, which they use with AnyConnect 3.x to access the corporate network over VPN. What we are after is a solution with AnyConnect 4.x that would allow only connections from corporate devices, or tablets/phones that we control. Is there any option available to use with AnyConnect 4.x that would allow only connections from our known devices? We would like to authenticate similarly to how we use 802.1X in the internal corporate network to discriminate between personal and corporate PCs.

thanks

Shawn

3 Replies

Marvin Rhoads
Hall of Fame

You could use ISE as your authentication server. It can check on device attributes such as domain membership, presence of a certificate etc. You need to have ASA 9.2 or later for ISE to do this (it works via RADIUS Change of Authorization)

With ISE Apex (formerly known as Advanced) licenses you can drill down into more details to assess the posture, check for registry keys, consult your Mobile Device Management (MDM) software for device status, etc.

We do this today with ASA and ISE. Do you have any specific information regarding AnyConnect 4 that would be more generic across all platforms, i.e. phones and tablets? Also, any good links regarding AnyConnect 4 would be great.

When you deal with phones and tablets, you aren't getting AnyConnect 4 but rather the native AnyConnect client version for those platforms (iOS or Android).

In that case, your functionality would be primarily via what you can do with ISE 1.3. The ISE 1.3 documentation is pretty thorough in that regard, and ISE Apex is required, thus a Cisco Authorized Technology Partner (ATP) should be involved; they have access to even more partner-level documentation on setting up the various features.
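To make the ASA side of the approach Marvin describes concrete, here is an added example configuration (not from the original thread and not taken from Cisco documentation) for an ASA running 9.2 or later, using ISE as the RADIUS server with Change of Authorization enabled and requiring a certificate from the corporate CA before the RADIUS username/password step. The names (ISE, CORP-CA, CORP-GP, CORP-VPN, VPN-POOL), the 192.0.2.10 server address, the address pool range and the shared-secret placeholder are all assumptions for illustration; substitute your own.

```text
! Added example ASA 9.2+ configuration; names and addresses are assumptions.
!
! Trust the corporate CA that issues device (machine) certificates.
! A personal PC has no certificate from this CA, so it fails the
! certificate check before any username/password is evaluated.
! Import the CA certificate afterwards with: crypto ca authenticate CORP-CA
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
!
! ISE as the RADIUS server. dynamic-authorization (ASA 9.2(1)+) lets ISE
! send RADIUS Change of Authorization to the ASA, which is how a posture
! or MDM result can re-authorize a session after it is already up.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
ip local pool VPN-POOL 10.10.0.1-10.10.0.254 mask 255.255.255.0
!
group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol ssl-client ikev2
!
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy CORP-GP
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
 group-alias Corporate enable
```

Two points worth checking when deploying something like this. First, CoA only works if ISE knows about the session, so the tunnel-group must send accounting to ISE (accounting-server-group above); without it, ISE has nothing to re-authorize. Second, a certificate proves possession of a key, not that the box is corporate-managed: issue device certificates with non-exportable keys through your own enrollment process rather than letting users install them, and make sure lost or retired devices actually get revoked, since the CRL check above is only as good as the CRL you publish. ISE can then add posture and MDM checks on top, as the reply notes, for the cases a certificate alone does not cover.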