AnyConnect prelogin and dynamic access policy - Apple Mac
I've recently started at a new company - as usual, no documentation etc!
Anyway, it seems we have recently been introducing Apple Macs to our previously Windows-only environment. However, the Mac users are unable to connect to our VPN (ASA5545 running 9.6 software)
I looked into it and I think I can see what the problem is.
It seems they are still using Cisco Secure Desktop (I'm a bit puzzled by that as I thought it was now obsolete?) and there are Pre-Login policies defined.
The pre-login policy checks if the connecting device is a Windows device with a particular registry setting then assigns it to a "Secure Device" DAP.
When the Mac connects, it obviously doesn't meet that criteria and it is assigned a "Non-Secure Device" DAP which means it's only permitted as a clientless connection with restricted access.
Therefore, when our MAC users attempt to connect with AnyConnect client, it fails after authentication with the message "unauthorised connection mechanism"
I have a couple of questions:
1) Does the logic above sound correct in identifying the issue?
2) What would be the best way to fix this to allow Mac users to connect via AnyConnect client and still maintain security? Should we simply create a new prelogin policy that checks for a Mac OS and e.g. a particular file? Then assign it to a "Secure Mac device" DAP with similar permissions as the "Secure Device" DAP for our Windows users? Or is there a better way of achieving this?
Any thoughts/advice on this would be welcome! Thanks.
1. Yes, the logic is great. Actually that should be the reason why Mac devices are not able to connect.
2. My first recommendation is to change from CSD and Pre-login to DAP since as you said it is deprecated, but in the meantime you can create the policy for Mac devices and that should be the fastest solution as per now.
Meet the Authors Event - CCIE Security in a Remote and Cloud Driven Network: SASE and Beyond
(Live event – Thursday, 29th, 2021 at 10:00 a.m. Pacific / 1:00 p.m. Eastern / 7:00 p.m. Paris)
This event will have place on Thursday 29th, April 2021 at 10...
Application Protection, Availability & Security
Join our webinar May 6th to gain valuable industry insights into the most recent application cyber attacks and to understand the potential impact bot traffic is having on your business.
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS...
For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b...