Due to a managerial decision in my company, they have decided that the only mobile devices they want connecting to our SSL VPN are iPhones/iPads w/the AnyConnect client. I have set up a dynamic access policy that blocks non-iDevices. This works fine for blocking the AnyConnect client on Androids, but users have found a way to connect with third-party VPN clients (i.e. OpenConnect for Android). I have opened a ticket with TAC, but they seem to be stumped. Any ideas on how I can enforce this?
Are you able to detect when someone is doing this? If so, a simple reminder that it violates company policy to connect without using the Anyconnect client on iOS might help… If they do it again, a stun gun or other LART works wonders…
I know it’s not the answer you’re looking for, but I’ve run into similar situations. I eventually realized that users will always find a way to do something that you don’t want them to do. Pat them on the head and praise their creativity, but tell them to knock it off and they usually stop. As a possible technical solution, consider switching to a certificate-based system. It’s much more to maintain, but it might solve your issue.
Just thinking out loud.
If you can identify users in vpn-sessiondb via user-agent string you can either:
- LUA something in DAP (possibly …)
- Script periodically (output of show vpn-sessiondb) and kick those people off
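An added example of the second option, not code from anyone in this thread: it parses captured `show vpn-sessiondb detail anyconnect` output, flags every session that is not the Cisco AnyConnect client on Apple iOS, and builds the ASA commands to log those users off. The sample output and the field labels are constructed from memory of the ASA layout, and `vpn-sessiondb logoff name <user> noconfirm` is assumed to be the logoff syntax; check both against your own firewall before scheduling it.

```python
import re

# Constructed sample of `show vpn-sessiondb detail anyconnect` output
# (assumption: field labels follow the ASA layout; verify against a real capture).
SAMPLE_OUTPUT = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 101
Client OS    : Apple iOS
Client Ver   : Cisco AnyConnect VPN Agent for Apple iPad 2.5.5130

Username     : bob                    Index        : 102
Client OS    : Android
Client Ver   : Open AnyConnect VPN Agent v4.99

Username     : carol                  Index        : 103
Client OS    : Android
Client Ver   : Cisco AnyConnect VPN Agent for Android 2.4.1045
"""

# "Label : value" pairs; a value ends where two or more spaces precede the next label.
FIELD_RE = re.compile(r"(Username|Index|Client OS|Client Ver)\s*:\s*(.*?)(?=\s{2,}\w[\w ]*\s*:|$)")


def parse_sessions(text):
    """Split the CLI output into one dict per session (a session starts at 'Username')."""
    sessions, current = [], None
    for line in text.splitlines():
        if line.startswith("Username"):
            current = {}
            sessions.append(current)
        if current is not None:
            for label, value in FIELD_RE.findall(line):
                current[label] = value.strip()
    return sessions


def is_compliant(session):
    """Policy from the thread: only the Cisco AnyConnect client on Apple iOS is allowed."""
    return (session.get("Client OS") == "Apple iOS"
            and session.get("Client Ver", "").startswith("Cisco AnyConnect"))


def noncompliant_usernames(text):
    return [s["Username"] for s in parse_sessions(text) if not is_compliant(s)]


def logoff_commands(text):
    """ASA CLI lines to send after the check (assumption: this is the logoff syntax)."""
    return ["vpn-sessiondb logoff name %s noconfirm" % u for u in noncompliant_usernames(text)]
```

The Client OS / Client Ver strings are reported by the client itself, so this is a detective control that catches the default behaviour of third-party clients, not a hard guarantee; certificate-based authentication is the stronger option if the real goal is keeping non-corporate devices off.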
Can’t you make it policy and punish (shame) the users who are connecting with 3rd-party clients?
Is this really about the AnyConnect client, or is the decision really to keep non-corporate devices off the VPN? If the latter, maybe investigate certificate-based authentication on the mobile device or some NAC solution.
Or get yourself a VPN solution that just won’t let anyone in…