
Not allow Apple devices to connect with anyconnect client?

dirkmelvin
Level 1

Is there a configuration/setting on the ASA so that I can stop Apple users from connecting to the VPN?

 

I have some contractors that have gotten clever and are bypassing my posture rules (ISE) using their Apple Laptops. We are a Windows shop and prefer to keep it that way, at least for now. I am limited in knowledge of Apple devices in general, and just don't have the time nor the staff to have this additional 'support' burden.

3 Replies

I don’t think you can do it other than posturing. VPN endpoints can't be profiled. Try to tweak your posturing rules to look for the registry in Windows. If available, then grant access.

GioGonza
Level 4
Hello @dirkmelvin,

Here is a table to configure the posture in order to avoid connections from Mac devices; check the following link: https://www.cisco.com/c/en/us/td/docs/security/ise/1-4/admin_guide/b_ise_admin_guide_14/b_ise_admin_guide_14_chapter_010111.html#task_19FF1593E194455087D9AB00FB843020.

HTH
Gio

I haven't read through it yet, but part of the problem with these unauthorized Apple clients is that they don't have NAC Agent installed. All of our Windows clients do. So would this ISE configuration mentioned above have any effect? Wouldn't AnyConnect just ignore anything ISE said without the NAC agent installed?

 

I know there is also something in (or a part of) AnyConnect that can do the ISE posturing instead of using NAC Agent, but I haven't made it that far in configuration of ISE (I'm also in the throes of rebuilding ISE to v2.3 from our current 1.4).