
Force Anyconnect Client, or deny Openconnect Client?

AlexFer
Level 1

Resurrecting previous unanswered question in a more appropriate forum:

 

I need to force the AnyConnect client for security reasons: it denies local LAN access, enables firewall rules, inserts routing table entries, and forces DNS by default, whereas the OpenConnect client does not do this by default and is subject to the end user's ability to configure it. A user could potentially open up a backdoor to the network without realizing what they are doing.

I need to prevent users from using any other client that is not subject to my specific XML policies.

Any ideas would be appreciated.

 

There's no impetus for OpenConnect to support AnyConnect Local Policy attributes, including "acversion", so there must be a way to prevent its use from the head-end.

 

5 Replies

AlexFer
Level 1

Bug CSCvx7152.

@AlexFer 

If using a RADIUS server such as ISE, you can filter on "Cisco cisco-av-pair CONTAINS mdm-tlv=ac-user-agent=AnyConnect Windows 4.". If the connecting user isn't using AnyConnect, they will be denied.

 

HTH

Hi Rob,

Thanks. We're "passively" authorizing against Active Directory (via LDAP).

What I'm hoping is for Cisco to provide a system-wide config-webvpn command à la "onlyanyconnect={true|false}" - isn't this simpler?

Alex.

 

The only other option that may work is below, though I've never tried it myself.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html

 

client-access-rule

To configure rules that limit the remote access client types and versions that can connect via IPsec through the ASA, use the client-access-rule command in group-policy configuration mode. To delete a rule, use the no form of this command.

client-access-rule priority { permit | deny } type type version version | none

Rob, what is stopping a 3rd-party client (say, one forked from OpenConnect) from faking its ac-user-agent? Alex
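As an added illustration (not code from this thread, from Cisco, ISE or OpenConnect), the Python below models the authorization condition Rob suggested and the spoofing objection Alex raised in the reply above: it parses the multi-valued cisco-av-pair attribute as ISE sees it, applies the CONTAINS test to it, and runs that test against three constructed Access-Requests. The usernames, the device attributes and the non-AnyConnect user-agent string are assumptions made for the example; only the "mdm-tlv=ac-user-agent=..." format and the condition string come from the thread.

```python
"""Model of the ISE authorization check discussed in this thread.

Added illustration, not code from the thread, from Cisco, ISE or OpenConnect.
The attribute format follows the cisco-av-pair / mdm-tlv convention quoted in
the thread; every request below is constructed sample data.
"""

from dataclasses import dataclass, field

# The suggested rule: cisco-av-pair CONTAINS this substring.
AC_USER_AGENT_CONDITION = "mdm-tlv=ac-user-agent=AnyConnect Windows 4."


@dataclass
class AccessRequest:
    """Constructed stand-in for the RADIUS Access-Request attributes ISE evaluates."""
    username: str
    av_pairs: list = field(default_factory=list)  # the multi-valued cisco-av-pair attribute


def parse_mdm_tlvs(av_pairs):
    """Extract key/value pairs carried as cisco-av-pair values of the form mdm-tlv=<key>=<value>."""
    tlvs = {}
    for pair in av_pairs:
        if not pair.startswith("mdm-tlv="):
            continue
        key, sep, value = pair[len("mdm-tlv="):].partition("=")
        if sep:
            tlvs[key] = value
    return tlvs


def av_pair_contains(av_pairs, needle):
    """ISE 'CONTAINS' on a multi-valued attribute: true if any value contains the substring."""
    return any(needle in pair for pair in av_pairs)


def authorize(request):
    """Return (permit, reason) for 'permit only if ac-user-agent looks like AnyConnect Windows 4'."""
    if av_pair_contains(request.av_pairs, AC_USER_AGENT_CONDITION):
        return True, "ac-user-agent matched the AnyConnect condition"
    agent = parse_mdm_tlvs(request.av_pairs).get("ac-user-agent", "<absent>")
    return False, f"ac-user-agent {agent!r} did not match"


# Constructed requests (assumed values). The only property that matters is that
# ac-user-agent is a string the client itself supplies.
GENUINE_ANYCONNECT = AccessRequest(
    "alice",
    [
        "mdm-tlv=ac-user-agent=AnyConnect Windows 4.10.07061",
        "mdm-tlv=device-platform=win",
        "mdm-tlv=device-type=Windows 10 Pro",
    ],
)

# A client that does not claim to be AnyConnect (string is an assumption, not
# what any particular client really sends).
OTHER_CLIENT = AccessRequest(
    "bob",
    ["mdm-tlv=ac-user-agent=Some Other VPN Client 1.0"],
)

# A third-party client that simply copies the string a real AnyConnect sends.
SPOOFED_CLIENT = AccessRequest(
    "mallory",
    ["mdm-tlv=ac-user-agent=AnyConnect Windows 4.10.07061"],
)


def evaluate_all():
    """Run the rule against each constructed request and return {username: permitted}."""
    return {r.username: authorize(r)[0]
            for r in (GENUINE_ANYCONNECT, OTHER_CLIENT, SPOOFED_CLIENT)}


if __name__ == "__main__":
    for req in (GENUINE_ANYCONNECT, OTHER_CLIENT, SPOOFED_CLIENT):
        permitted, reason = authorize(req)
        print(f"{req.username:8} {'PERMIT' if permitted else 'DENY':6} {reason}")
```

Running it permits alice and mallory and denies bob: the condition distinguishes clients that do not claim to be AnyConnect from those that do, not clients that are not AnyConnect from those that are, which is exactly the gap the question above points at. Any control built on ac-user-agent alone should be treated as a convenience filter for well-behaved clients rather than as enforcement against a deliberately modified one.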