ida71
Beginner

FMC / FTD Anyconnect restrict client OS that can connect ?

This question is specific to Anyconnect on FTD configured via FMC.

 

Does anyone know, is it possible to restrict the client OS type to, say, Windows for a given connection profile?

 

I've gone through all the configuration options & I don't see anything that would relate to this. I know there is a capability to do this through a group policy on an ASA, but the FTD seems to have a reduced set of AnyConnect configurability options.

 

Thanks

 

Chris.

12 REPLIES
Sheraz.Salim
VIP Advisor

To the best of my knowledge you can leverage this using ISE posture. Or you can use FlexConfig in FMC.

please do not forget to rate.

Thanks Salim. Unfortunately we don't have ISE. Currently running 3FA = cert, AAA + 2FA, but I want to restrict the connections to ONLY be AnyConnect from Windows devices, preferably for one profile, but would settle for all if it was an option.

 

I guess I may be out of luck.

Just looking now at some Cisco documentation:

 

Limitations

Currently unsupported on FTD, but available on ASA:

  • Double AAA Authentication
  • Dynamic Access Policy
  • Host Scan
  • ISE posture
  • RADIUS CoA
  • VPN load-balancer
  • Local authentication (Enhancement: CSCvf92680)
  • LDAP attribute map
  • AnyConnect customization
  • AnyConnect scripts
  • AnyConnect localization
  • Per-app VPN
  • SCEP proxy
  • WSA integration
  • SAML SSO
  • Simultaneous IKEv2 dynamic crypto map for RA and L2L VPN
  • AnyConnect modules (NAM, Hostscan, AMP Enabler etc.) – DART is installed by default
  • TACACS, Kerberos (KCD Authentication and RSA SDI)
  • Browser Proxy
please do not forget to rate.

Many thanks for the quick turnaround, much appreciated.

Do you know anything about auto client cert selection not working with AnyConnect to an ASA? It works fine with manual selection.

 

https://community.cisco.com/t5/vpn/anyconnect-4-9x-auto-certificate-selection-does-not-work/td-p/4284496


I recently installed Anyconnect client V4.9 on my Win10 laptop to connect to an ASA running 9.12.3.12 .

 

- was this working before with a previous version of ASA and another version of AnyConnect?

 

For perspective, this is a preparation job, so the ASA external Cert is valid, but does NOT currently match its IP/FQDN due to that being used on another gateway we are replacing.

 

- have you created and bound it to this ASA? ssl trust-point CERT-NAME Outside

 

If I configure 2FA, everything works as expected. But when I try 3FA using a client-side certificate it will only work if I select cert store override in the profile & set cert selection to user control. If I try to use automatic selection, it comes back with Certificate Validation Failure.

 

- does the client have a cert in its Windows cert store? (certificates MMC or certmgr.msc)

 

The ASA has the correct CA & intermediate certs. It works fine if I manually select the cert from the popup that appears as part of connection/login, so I know the correct cert is installed & the matching CA certs are on the ASA. But I can't seem to get auto cert selection working.

 

- what are your tunnel-group policies?

 

please do not forget to rate.

Thanks Salim, as per below;-

 

- was this working before with a previous version of ASA and another version of AnyConnect?

Never tried with older versions; this is a new temporary solution at the existing site whilst the client moves their Palo Alto GlobalProtect solution to a new site. Thus the Tier 2 ASAs will become temporary Tier 1/2 FWs.

 

- have you created and bound it to this ASA? ssl trust-point CERT-NAME Outside

Yes, bound & working.

 

- does the client have a cert in its Windows cert store? (certificates MMC or certmgr.msc)

Yes, works fine to our FTD site; just these new ASA connections won't auto-select the correct cert.

 

- what are your tunnel-group policies?

I have tried changing the connection profiles to no avail. Both created via the ASDM wizard & manually adjusted, including adding a Certificate section, but auto still fails while manual selection works fine.

 

Regards

 

Chris

 

@ida71 FTD requires the AnyConnect package uploaded in order for clients to connect, so if you only uploaded the Windows package then Linux or macOS would be unable to connect. That would be for all connection profiles though.

 

What AAA are you using? If using RADIUS, the AnyConnect package version/OS is included in the RADIUS packet, so you could potentially (not tried it) limit access that way.
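The RADIUS suggestion above leaves the decision to whatever the headend puts in the Access-Request. The block below is an added example, not code from this thread or from Cisco: it decodes RADIUS attributes, unwraps the Vendor-Specific (type 26) ones, and applies a policy on the Cisco VPN3000/ASA Client-Type VSA (vendor ID 3076, attribute 150, values as listed in Cisco's ASA RADIUS attribute table), which separates AnyConnect SSL/IKEv2 sessions from clientless and other client types. Whether the headend also reports the client OS in a RADIUS attribute is not confirmed anywhere in the thread, so the `extra_required` hook is a hypothetical gate for whichever attribute you find in your RADIUS server's debug output. The sample packets are constructed inline with a zeroed authenticator.

```python
import struct

# RADIUS codes and attribute numbers (RFC 2865).
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26

# Cisco VPN 3000 / ASA RADIUS vendor ID and the Client-Type VSA that the ASA
# documents in its RADIUS authorization attribute table.
VENDOR_CISCO_VPN3000 = 3076
VSA_CLIENT_TYPE = 150
CLIENT_TYPE_NAMES = {
    1: "Cisco VPN Client (IKEv1)",
    2: "AnyConnect Client SSL VPN",
    3: "Clientless SSL VPN",
    4: "Cut-Through-Proxy",
    5: "L2TP/IPsec SSL VPN",
    6: "AnyConnect Client IPsec VPN (IKEv2)",
}
# Policy: only the two AnyConnect client types may authenticate.
ALLOWED_CLIENT_TYPES = {2, 6}


def parse_attributes(packet: bytes):
    """Return (code, attrs). attrs maps (vendor_id, attr_type) to a list of raw
    values; plain attributes use vendor_id None, Vendor-Specific attributes are
    unwrapped into (vendor, vendor_type) keys. Every length is bounds-checked."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs = {}
    pos = 20  # header (4) + Request Authenticator (16)
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor = struct.unpack("!I", value[:4])[0]
            vpos = 4
            while vpos < len(value):
                if vpos + 2 > len(value):
                    raise ValueError("truncated VSA header")
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA length")
                attrs.setdefault((vendor, vtype), []).append(value[vpos + 2:vpos + vlen])
                vpos += vlen
        else:
            attrs.setdefault((None, atype), []).append(value)
        pos += alen
    return code, attrs


def build_access_request(username: str, vsas) -> bytes:
    """Build a constructed Access-Request for testing. vsas is a list of
    (vendor_id, vendor_type, raw_value). The 16-byte authenticator is zeroed
    here; a real request carries a random Request Authenticator."""
    avps = bytearray()
    name = username.encode()
    avps += bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    for vendor, vtype, value in vsas:
        inner = bytes([vtype, 2 + len(value)]) + value
        body = struct.pack("!I", vendor) + inner
        avps += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(body)]) + body
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 1, 20 + len(avps))
    return header + bytes(16) + bytes(avps)


def vpn_access_policy(packet: bytes, extra_required=None):
    """Decide Access-Accept / Access-Reject from the Client-Type VSA.
    extra_required (hypothetical hook) maps (vendor, vtype) -> set of allowed
    raw values for any further attribute, e.g. an OS/platform attribute if your
    headend turns out to send one; confirm that in the RADIUS debug log first."""
    code, attrs = parse_attributes(packet)
    if code != RADIUS_ACCESS_REQUEST:
        return "Access-Reject", "not an Access-Request"
    values = attrs.get((VENDOR_CISCO_VPN3000, VSA_CLIENT_TYPE), [])
    if len(values) != 1 or len(values[0]) != 4:
        # Fail closed: without Client-Type we cannot tell what is connecting.
        return "Access-Reject", "Client-Type VSA missing or malformed"
    client_type = struct.unpack("!I", values[0])[0]
    name = CLIENT_TYPE_NAMES.get(client_type, f"unknown ({client_type})")
    if client_type not in ALLOWED_CLIENT_TYPES:
        return "Access-Reject", f"client type not allowed: {name}"
    for key, allowed in (extra_required or {}).items():
        got = attrs.get(key, [])
        if not got or got[0] not in allowed:
            return "Access-Reject", f"required attribute {key} missing or not allowed"
    return "Access-Accept", name


if __name__ == "__main__":
    # Constructed samples: AnyConnect SSL (Client-Type 2) vs clientless (3).
    for ct in (2, 3):
        pkt = build_access_request(
            "chris", [(VENDOR_CISCO_VPN3000, VSA_CLIENT_TYPE, struct.pack("!I", ct))])
        print(ct, vpn_access_policy(pkt))
```

The policy fails closed when the Client-Type VSA is absent, which is the behaviour you want when a headend or software version stops sending it; the same applies to any OS attribute you later gate on.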

Thanks Rob. I thought the package was just for updates/download like on the ASA; if you have pre-deployed AnyConnect surely it would still work!?

 

I'll have a look at the RADIUS auth to see if that will work.

 

Regards

 

Chris.

Yes, it does updates... but you need a package for each OS (Windows, Linux and macOS) uploaded to the headend (FTD or ASA) in order for that OS to establish a VPN tunnel.

Yes, just to mention, we have seen this since we all started working from home due to COVID. Let's say you are running AnyConnect 4.7 and so your clients are running 4.7. You upgrade the AnyConnect headend package on your firewall to 4.9. We noted that some clients were able to get the upgrade automatically when they connected to the AnyConnect URL, but other clients were having issues, therefore we had to change the AnyConnect package order on the FTD to priority 1 = 4.7 and priority 2 = 4.9 to get this issue fixed.

The other option is to use SCCM to push the software.

 

please do not forget to rate.
Sheraz.Salim
VIP Advisor

You have not mentioned what FMC/FTD software version you are on. I just had a good look at this documentation; here they mention the attributes which can be reflected with ISE or a RADIUS server.

please do not forget to rate.

Apologies, versions are FMC 6.4.0.9-62 & FTD 6.4.010-2.