Block non-AnyConnect VPN client

AlexFer
Level 1

Hi Experts,

we have a requirement to block all non-AnyConnect RA VPN access, eg. Cisco Legacy VPN client and MacOS & IOS' built-in IPsec VPN clients.

My understanding is that (all?) alternatives use IKEv1, whilst AnyConnect via IPsec uses IKEv2, so, I should be able to remove "ikev1" value from group-policy's "vpn-tunnel-protocol" to effect this.

However, is there a smarter way (perhaps, on tunnel-group level)?

R's, Alex

Accepted Solution

marce1000
VIP

 - Check if this thread can help you:

   https://community.cisco.com/t5/vpn/block-the-use-off-old-vpn-client/td-p/1403389

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

5 Replies

Hi,


If you are using a RADIUS server for authentication and authorisation, when the client establishes a VPN it sends various attributes to the RADIUS server, including the information on the client (AnyConnect or Cisco VPN Client) and protocol (SSL or IPSec). You can then use the RADIUS attribute Cisco-VPN3000:CVPN3000/ASA/PIX7x-Client-Type to make policy decisions.

So you could permit connections from AnyConnect-Client-SSL-VPN or AnyConnect-Client-IPSec-VPN clients and deny all others, or perhaps authorise them differently.

Reference:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115962-differ-auth-types-asa-ise-00.html

HTH

Thank you, both.

Wondering, wouldn’t my proposed solution be equally effective? 

Sorry, your suggestion will work fine. I was giving you an alternative suggestion, so perhaps instead of denying the connection from an older "Cisco VPN Client" you can authorise them differently. You will then have a list of devices that need an upgrade, rather than denying them access.

Given 3 solutions, I chose the simplest:

hostname(config-group-policy)# vpn-tunnel-protocol ikev2 ssl-client ssl-clientless


BTW, since "client-access-rule" is related to IPsec (IKEv1) connections, this would have been the alternative:

hostname(config-group-policy)# client-access-rule 1 deny type * version *
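The fix chosen above only holds if no group-policy's vpn-tunnel-protocol still lists ikev1, and a group-policy that omits the line inherits it from DfltGrpPolicy, so auditing a saved running-config is a useful check. This Python example (added here; not from the thread or from Cisco) parses the group-policy attributes blocks of a constructed config excerpt with placeholder policy names and flags those whose effective setting still permits a legacy protocol; it also treats the l2tp-ipsec keyword, which the thread does not mention but which likewise negotiates over IKEv1, as legacy.

```python
import re

# Constructed ASA running-config excerpt for this example (not from the thread);
# group-policy names are placeholders.
SAMPLE_CONFIG = """\
group-policy LEGACY_GP attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client
group-policy ANYCONNECT_GP attributes
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 client-access-rule 1 deny type * version *
group-policy INHERITS_GP attributes
 split-tunnel-policy tunnelall
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
"""

# Keywords non-AnyConnect clients depend on: the legacy Cisco VPN Client and OS-native
# "Cisco IPSec" clients use IKEv1, and L2TP/IPsec also negotiates its SA over IKEv1.
LEGACY_PROTOCOLS = {"ikev1", "l2tp-ipsec"}


def parse_group_policies(config):
    """Map each 'group-policy X attributes' block to its vpn-tunnel-protocol keywords."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if header:
            current = header.group(1)
            policies.setdefault(current, [])  # [] means the attribute is not set
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the attributes block
        elif current is not None:
            proto = re.match(r"^\s+vpn-tunnel-protocol\s+(.+?)\s*$", line)
            if proto:
                policies[current] = proto.group(1).split()
    return policies


def policies_allowing_legacy(config):
    """Group-policies whose effective vpn-tunnel-protocol still includes a legacy keyword."""
    policies = parse_group_policies(config)
    default = policies.get("DfltGrpPolicy", [])
    flagged = {}
    for name, protos in policies.items():
        effective = protos or default  # an unset attribute inherits from DfltGrpPolicy
        legacy = sorted(set(effective) & LEGACY_PROTOCOLS)
        if legacy:
            flagged[name] = legacy
    return flagged
```

Running policies_allowing_legacy on the output of `show running-config group-policy` flags LEGACY_GP for its explicit ikev1, and INHERITS_GP because it silently inherits DfltGrpPolicy's ikev1 and l2tp-ipsec, while ANYCONNECT_GP passes.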