Hi,
We need to restrict VPN users from using routers as L2TP VPN clients. I see that the ASA recognizes their Client OS properly. But if I use a client-access-rule matching these values, it doesn't work.
For instance:
sh vpn-sessiondb detail ra-ikev1-ipsec | i GP|Client
Group Policy : VPN-GP Tunnel Group : DefaultRAGroup
Client OS : Microsoft
Client OS Ver: 10.0
Group Policy : VPN-GP Tunnel Group : DefaultRAGroup
Client OS : MikroTik
Client OS Ver: 0.1
!!! Config
group-policy VPN-GP attributes
 client-access-rule 1 deny type ZyXEL version *
 client-access-rule 2 deny type *Keenetic* version *
 client-access-rule 3 deny type *MikroTik* version *
 client-access-rule 100 permit type * version *
What's wrong with that config? It doesn't work if I use exact matching without the asterisk either.
Maybe the client-access-rule is simply not supposed to work with IPsec VPN.
Any experience with tasks like that?