06-03-2013 01:52 AM - edited 02-21-2020 06:56 PM
Hi,
We have an SSL VPN set up on our ASA (8.4) that users can connect to using WebVPN, AnyConnect and IPsec. The authentication is LDAP plus OTP, and they can pretty much access anything they need on the network.
We now have a requirement to publish a web app (HTML) to mobile devices, which, to abide by our security policy, also needs to be two-factor. The app itself cannot facilitate this, and we have also tried some other methods that are not that great, so I have been asked to demo what we can do using AnyConnect for mobile.
I initially thought this would be straightforward: get a trial license, let them connect to the same tunnel-group and group policy they connect to already, and then give them the URL to connect to the web app. BUT then my boss said that the current tunnel-group and group policy allow access to everything and he doesn't want that; he wants the mobile access to be restricted to just this one web page.
I don't mind creating a new tunnel-group and group policy for the mobile devices, but as the users of the mobile devices are the same users as on the existing VPN, how do I restrict it so that when they connect from a mobile they are only allowed to reach this web page? Can I do a restriction based on the fact that they are coming from a mobile (I don't think you can)? What seems more feasible is forcing the mobile devices to only use the new tunnel-group and group policy. My concern here is that if they were able to change the group in AnyConnect on their mobile, they would be allowed to authenticate on the group they use for their other connection and thus access everything again.
Hope this makes sense, thanks in advance.
06-06-2013 06:51 AM
Hi
Have a look at DAP (Dynamic Access Policies). This will allow you to create rulesets based on several conditions, like client type and tunnel-group, with several possible actions (e.g. deny access, apply access-list, etc.).
cfr.
So I guess this can be done most simply by creating a rule like "if client OS is Android or iOS then apply access-list".
Hope this helps, sorry if this is a bit terse but if you need more details let me know.
Herbert
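As an added illustration (not part of the thread, and not Cisco's own documentation), here is what the DAP approach from the reply above looks like on an ASA. The web server address 10.1.1.10, the ACL name MOBILE_WEBAPP_ONLY and the DAP record name are assumptions; the AnyConnect platform strings ("android", "apple-ios") are the values the endpoint attribute normally reports, but check them against the DAP endpoint attribute reference for your ASA/AnyConnect versions before relying on them.

```cisco
! Added example, not from the original thread. Addresses and names are assumed.
!
! 1. Access-list that permits only HTTPS to the published web app and drops everything else.
!    Logging the deny line makes it easy to see what a mobile session tried to reach.
access-list MOBILE_WEBAPP_ONLY extended permit tcp any host 10.1.1.10 eq 443
access-list MOBILE_WEBAPP_ONLY extended deny ip any any log
!
! 2. Dynamic Access Policy. DAP records are created in ASDM
!    (Configuration > Remote Access VPN > Network (Client) Access > Dynamic Access Policies);
!    the record below is what you would enter there.
!
!    Record name:  MOBILE_RESTRICT
!    Priority:     10          (anything higher than DfltAccessPolicy)
!    Endpoint attribute, advanced (Lua) expression:
!
!      (EVAL(endpoint.anyconnect.platform, "EQ", "android",   "string")
!       or EVAL(endpoint.anyconnect.platform, "EQ", "apple-ios", "string"))
!
!    Action:                       Continue
!    Network ACL filters (client): MOBILE_WEBAPP_ONLY
!
!    Because the record keys on the endpoint platform rather than on the tunnel-group,
!    the restricted ACL is applied even if the user picks the existing, unrestricted
!    group in the AnyConnect client. DAP attributes take precedence over the
!    group-policy's own vpn-filter for that session.
!
! 3. Verify from a mobile test session: the DAP record and the filter should appear in
!    the session detail, and the deny counter should climb when anything else is attempted.
show vpn-sessiondb detail anyconnect filter name testuser
show access-list MOBILE_WEBAPP_ONLY
```

Keep the default DfltAccessPolicy unchanged so desktop users on the existing tunnel-group are unaffected; only sessions whose endpoint platform matches the Lua expression pick up the restricted ACL.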