01-11-2024 06:01 AM
Hi All,
We currently run Cisco Firepower firewalls (in ASA mode) with AnyConnect access for staff. This is all working very well, with users connecting with the Cisco Secure Client (ver 5.1). However, we now have a requirement for Cyber Essentials in the UK to ensure that clients with an older operating system are unable to connect. We achieved this to some degree with the dynamic access policy and ISE posture setup that we have, where we're able to say "If Operating System == Windows 7 then terminate", but we need to ideally be a little more granular and able to say if the operating system is Android AND the version is less than 12 then terminate. I see no way to say "less than" or "greater than" in the ASDM to create these. Is this possible, or is the only way to achieve this by literally listing every single version in the dap.xml and saying terminate? The list is going to be pretty exhaustive if that's the case, as it's going to have to include minor versions as well.
Thanks!
James
01-11-2024 06:27 AM
Do you mean that ">=" is not available for the "Platform Version" field when you choose "Endpoint Attribute Type = AnyConnect" and "Platform = Android"?
01-11-2024 11:29 AM
Hi,
When creating a "Dynamic Access Policy" I can create an endpoint attribute of say
Operating System Version = Apple iOS
Service pack = 15.0.1
And then configure the policy to "terminate". This means that anyone connecting to the VPN who has Apple iOS 15.0.1 will just be terminated. However, what I actually want to be able to say is: anyone "less than" (<) 15, terminate the connection. In the ASDM I don't seem to be able to do this; you can only use "=" or "!=".
01-12-2024 03:05 AM
No, I'm referring to ACIDex attributes. They're supported for mobile and desktop platforms and are listed here: https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118944-technote-anyconnect-00.html
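As an added illustration (not Cisco code and not from this thread), the evaluator below shows what a "platform == X AND platform version < floor" rule has to get right that a list of literal versions in dap.xml does not: dotted versions must be compared numerically, not as strings, and "12" must equal "12.0.0". The platform identifiers and minimum-version floors are constructed assumptions, not a Cisco-supplied baseline.

```python
def parse_version(v: str) -> tuple:
    """Turn a dotted version string such as '12.1.3' into a tuple of ints
    so comparisons are numeric ('9.10' < '12.0'), not lexical."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b; shorter tuples are zero-padded so '12' == '12.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


# Constructed per-platform floors (assumed identifiers and values, for
# illustration only): anything below the floor is terminated.
MIN_PLATFORM_VERSION = {
    "android": "12",
    "apple-ios": "15",
    "win": "10.0",
}


def dap_action(platform: str, platform_version: str) -> str:
    """Return 'terminate' or 'continue' for one endpoint, mirroring a rule
    of the form 'platform == X AND platformversion < floor'."""
    floor = MIN_PLATFORM_VERSION.get(platform.lower())
    if floor is None:
        return "continue"  # no floor defined for this platform
    return "terminate" if version_lt(platform_version, floor) else "continue"


if __name__ == "__main__":
    # Constructed sample endpoints; note '9.10' sorts above '12' lexically.
    for plat, ver in [("android", "11.0.2"), ("android", "9.10"),
                      ("apple-ios", "15.0.1"), ("win", "6.1")]:
        print(plat, ver, "->", dap_action(plat, ver))
```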
01-12-2024 03:31 AM
Hi,
I wasn't aware of the ACIDex attributes, that's exactly what I was looking for, thank you!
01-15-2024 05:49 AM
If you are using Duo for MFA (Advantage or Premier license level), it is even easier to setup a requirement to only allow certain OS versions to connect. Reference https://duo.com/docs/policy#operating-systems
I believe other MFA solutions may offer similar capability.
01-15-2024 08:12 AM
Hi Marvin,
Thanks for the feedback. We do use Duo, so that's a great idea, thank you!
James
09-30-2024 07:16 PM
Would that not be negated by the fact that Duo is interested in the device doing the authentication, not the device you are running the VPN on? For example, you are connecting to AnyConnect on your Windows 10 PC, but using the Duo Prompt on your phone.