Restrict Secure Client connections with older Operating Systems

fbsdkernel (Level 1)

Hi All,

We currently run Cisco Firepower firewalls (in ASA mode) with AnyConnect access for staff. This is all working very well with users connecting with the Cisco Secure Client (ver 5.1). However, we now have a requirement for Cyber Essentials in the UK to ensure that clients with an older Operating System are unable to connect. We achieved this to some degree with the dynamic access policy and ISE posture setup that we have, where we're able to say "If Operating System == Windows 7 then terminate", but ideally we need to be a little more granular and able to say if the operating system is Android AND the version is less than 12 then terminate. I see no way to say "less than" or "greater than" in the ASDM to create these. Is this possible, or is the only way to achieve this by literally listing every single version in the dap.xml and saying terminate? The list is going to be pretty exhaustive if that's the case, as it's going to have to include minor versions as well.

Thanks!

James


7 Replies

tvotna (Spotlight)

Do you mean that ">=" is not available for the "Platform Version" field when you choose "Endpoint Attribute Type = AnyConnect" and "Platform = Android"?


Hi,

When creating a "Dynamic Access Policy" I can create an endpoint attribute of say

Operating System Version = Apple iOS
Service pack = 15.0.1

And then configure the policy to "terminate". This means that anyone connecting to the VPN that has Apple iOS 15.0.1 will just be terminated. However, what I actually want to be able to say is anyone "less than" (<) 15, terminate the connection, but in the ASDM I don't seem to be able to do this. You can only use "=" or "!=".
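The post above describes the policy the firewall needs to express: terminate when the reported OS version is below a threshold, rather than matching one exact version string. The following is an added example, not code from this thread, from Cisco, or from any DAP file; it shows in plain Python what a correct "minimum version" evaluation looks like, including the two traps a version threshold has to handle: a plain string comparison treats "9.0" as greater than "12.0", and "12" and "12.0" must compare as equal. The attribute keys ("platform", "platform_version") are named after the DAP fields mentioned in the thread, and the threshold values and sample endpoints are constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Constructed minimum-version thresholds (assumed values, not a real policy).
# Keys are lower-cased platform names as the thread refers to them.
MINIMUM_OS_VERSION: Dict[str, str] = {
    "android": "12",
    "apple ios": "15",
    "windows": "10.0.19045",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '15.0.1' or '12' into a tuple of ints so each component compares
    numerically. Parsing stops at the first non-numeric component, so
    'unknown' yields an empty tuple and '12-beta' yields (12,)."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator. Shorter tuples are padded
    with zeros so that '12' and '12.0' compare as equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def evaluate_endpoint(attrs: Dict[str, str]) -> str:
    """Decide 'continue' or 'terminate' for one endpoint's posture attributes.
    Fails closed: an unknown platform or an unparseable version terminates,
    so a client cannot pass the check by reporting nothing useful."""
    platform = attrs.get("platform", "").lower()
    version = attrs.get("platform_version", "")
    minimum = MINIMUM_OS_VERSION.get(platform)
    if minimum is None:
        return "terminate"
    if not parse_version(version):
        return "terminate"
    return "continue" if compare_versions(version, minimum) >= 0 else "terminate"


def naive_string_rule(version: str, minimum: str) -> bool:
    """What a plain string comparison would answer. Kept only to show why
    version thresholds must not be evaluated this way."""
    return version >= minimum


if __name__ == "__main__":
    # Constructed sample endpoints, in the shape of the DAP fields above.
    samples = [
        {"platform": "Android", "platform_version": "11.0"},
        {"platform": "Android", "platform_version": "12"},
        {"platform": "Apple iOS", "platform_version": "15.0.1"},
        {"platform": "Apple iOS", "platform_version": "14.8"},
        {"platform": "Android", "platform_version": "unknown"},
    ]
    for endpoint in samples:
        print(endpoint["platform"], endpoint["platform_version"], "->",
              evaluate_endpoint(endpoint))
    # String comparison wrongly lets 9.0 pass a ">= 12.0" rule.
    print("string rule says 9.0 >= 12.0:", naive_string_rule("9.0", "12.0"))
    print("numeric rule says 9.0 >= 12.0:", compare_versions("9.0", "12.0") >= 0)
```

The fail-closed branches are the part worth carrying over to whatever product ends up enforcing the rule: a threshold check that defaults to "continue" when the version attribute is missing gives an out-of-date client an easy way through.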

No, I'm referring to ACIDex attributes. They're supported for mobile and desktop platforms and are listed here: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118944-technote-anyconnect-00.html


Hi,

I wasn't aware of the ACIDex attributes, that's exactly what I was looking for, thank you!

Marvin Rhoads (Hall of Fame)

If you are using Duo for MFA (Advantage or Premier license level), it is even easier to set up a requirement to only allow certain OS versions to connect. Reference https://duo.com/docs/policy#operating-systems

I believe other MFA solutions may offer similar capability.

Hi Marvin,

Thanks for the feedback. We do use Duo, so that's a great idea, thank you!

James

Would that not be negated by the fact that Duo is interested in the device doing the authentication, not the device you are running the VPN on? For example, you are connecting to AnyConnect on your Windows 10 PC, but using the Duo Prompt on your phone.