Force Anyconnect Client, or deny Openconnect Client?
03-01-2021 10:06 PM - edited 03-01-2021 10:10 PM
Resurrecting a previous unanswered question in a more appropriate forum:
I need to force the AnyConnect client for security reasons: it denies local LAN access, enables firewall rules, inserts routing-table entries and forces DNS by default, whereas the OpenConnect client does not do this by default and is subject to the end user's ability to configure it; a user could potentially open up a backdoor to the network without realizing what they are doing.
I need to prevent users from using any other client that is not subject to my specific XML policies.
Any ideas would be appreciated.
There's no impetus for OpenConnect to support AnyConnect Local Policy attributes, including "acversion", so there must be a way to prevent its use from the head-end.
- Labels: AnyConnect, Remote Access
03-18-2021 10:06 PM
Bug CSCvx7152.
03-19-2021 01:15 AM
If you are using a RADIUS server such as ISE, you can filter on "Cisco cisco-av-pair CONTAINS mdm-tlv=ac-user-agent=AnyConnect Windows 4."; if the connecting user isn't using AnyConnect, they will be denied.
HTH
03-19-2021 01:53 AM
Hi Rob,
Thanks. We're "passively" authorizing against Active Directory (via LDAP).
What I'm hoping for is that Cisco provides a system-wide config-webvpn command along the lines of "onlyanyconnect={true|false}". Isn't this simpler?
Alex.
03-19-2021 01:58 AM
The only other option that may work is below, though I've never tried it myself:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html
client-access-rule
To configure rules that limit the remote-access client types and versions that can connect via IPsec through the ASA, use the client-access-rule command in group-policy configuration mode. To delete a rule, use the no form of this command.
client-access-rule priority { permit | deny } type type version version | none
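To make the two head-end checks suggested in this thread concrete (the ISE "cisco-av-pair CONTAINS" condition and a priority-ordered client-access-rule set), here is an added Python model that applies both to constructed sample sessions. It is not Cisco code and not from any poster; the av-pair strings, the type/version values, the rule set and the "lower priority number is evaluated first, no match means deny" ordering are assumptions for illustration.

```python
import re

# Constructed sample connection records (not from the thread): the cisco-av-pair
# values the ASA would forward to ISE plus the client type/version it parsed.
SESSIONS = [
    {"user": "alice", "av_pairs": ["mdm-tlv=ac-user-agent=AnyConnect Windows 4.9.06037"],
     "type": "Windows", "version": "4.9.06037"},
    {"user": "bob", "av_pairs": ["mdm-tlv=ac-user-agent=AnyConnect Windows 3.1.14018"],
     "type": "Windows", "version": "3.1.14018"},
    {"user": "carol", "av_pairs": ["mdm-tlv=ac-user-agent=Open AnyConnect VPN Agent v8.10"],
     "type": "Linux", "version": "8.10"},
]

# Hypothetical client-access-rule set: (priority, action, type pattern, version pattern).
RULES = [
    (2, "deny", "*", "*"),            # catch-all deny, evaluated after rule 1
    (1, "permit", "Windows", "4.9*"), # only AnyConnect 4.9.x on Windows gets in
]

def ise_rule_matches(av_pairs, needle="mdm-tlv=ac-user-agent=AnyConnect Windows 4."):
    """Mimic the ISE condition 'cisco-av-pair CONTAINS <needle>': a plain substring test."""
    return any(needle in pair for pair in av_pairs)

def _wildcard(pattern):
    """Treat '*' as 'any run of characters'; everything else matches literally."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)

def evaluate_client_access_rules(rules, client_type, client_version):
    """First rule matching both type and version wins, in ascending priority order.
    Assumed semantics: no rules configured permits everyone; rules present but
    none matching denies the connection."""
    if not rules:
        return "permit"
    for _prio, action, type_pat, ver_pat in sorted(rules, key=lambda r: r[0]):
        if _wildcard(type_pat).match(client_type) and _wildcard(ver_pat).match(client_version):
            return action
    return "deny"

def review_sessions(sessions, rules=RULES):
    """Apply both checks to each session; returns (user, ise_result, rule_result).
    Both checks act on strings the client itself reports, so they enforce policy
    on cooperating clients rather than proving which software is connecting."""
    return [(s["user"], "permit" if ise_rule_matches(s["av_pairs"]) else "deny",
             evaluate_client_access_rules(rules, s["type"], s["version"])) for s in sessions]

if __name__ == "__main__":
    for user, ise, rule in review_sessions(SESSIONS):
        print(f"{user:6} ISE av-pair check: {ise:6}  client-access-rule: {rule}")
```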
03-19-2021 02:00 AM - edited 03-19-2021 02:02 AM
Rob, what is stopping a third-party client (say, one forked from OpenConnect) from faking its ac-user-agent?
Alex
