Cisco AnyConnect Device Security Check





Published: September 2019

You may be able to bring any device through Cisco's doors. But when it comes to connecting to the corporate network, we are working on a solution that provides “full access” to applications and services for devices that we have confirmed meet our Trusted Device standard.

A laptop might have picked up malware from a home network the night before. A mobile device might not have installed a critical security fix, or it may not even be encrypted. 'Our goal is to allow trusted devices full access on the network, and to restrict the access of non-trusted devices,' says Adam Cobbsky, senior IT engineer.

What's a trusted device?

Trusted devices need to meet a specific set of security standards prior to accessing corporate applications and data, on or off the production network. For example, a device must not be jailbroken or rooted, it should be running a minimum OS version, and have a screen-saver password or PIN lock enabled.

For Cisco IT and many customers, these requirements and others are enforced by device management systems. In addition to ensuring that services such as disk encryption and antivirus/antimalware are installed and enabled, device management gives Cisco IT the ability to remotely lock or wipe compromised devices. For Cisco IT, a managed device is the foundation of a trusted device.


Cisco uses several management systems: Microsoft System Center Configuration Manager (SCCM) for Windows, JAMF Pro for Mac, and soon it will use Cisco Meraki for mobile devices running iOS and Android.

Laptops, mobiles, and tablets that are registered with the respective device management platforms and are regularly checking in to that management system are considered compliant with the required Trusted Device security standard. Compliance means the device has an acceptable security posture.
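The trusted-device criteria above (enrolled and regularly checking in, not jailbroken or rooted, minimum OS version, screen lock, disk encryption, antimalware) can be expressed as a single posture evaluation. The following Python is an added example written for this page, not Cisco IT's code: the thresholds (a 7-day check-in window, the minimum OS versions), the device records and the reference date are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Trusted-device standard modelled on the criteria in the article. The concrete
# thresholds below are assumptions for this example, not Cisco IT's values.
MIN_OS_VERSION = {"windows": (10, 0), "macos": (10, 14), "ios": (12, 0), "android": (9, 0)}
MAX_CHECKIN_AGE = timedelta(days=7)


@dataclass
class DeviceRecord:
    device_id: str
    platform: str                     # "windows", "macos", "ios" or "android"
    os_version: str                   # dotted version string, e.g. "10.14.6"
    managed_by: Optional[str]         # "sccm", "jamf", "meraki", or None if not enrolled
    last_checkin: Optional[datetime]  # last report to the management system
    jailbroken: bool = False
    screen_lock: bool = False
    disk_encrypted: bool = False
    antimalware: bool = False


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.14.6' -> (10, 14, 6); tuples compare element-wise, so (10, 14, 6) >= (10, 14)."""
    return tuple(int(part) for part in version.split("."))


def evaluate_posture(dev: DeviceRecord, now: datetime) -> Tuple[bool, List[str]]:
    """Return (trusted, reasons). Every failed criterion is reported, not just the first,
    so the user or help desk sees everything that must be fixed."""
    failures: List[str] = []
    if dev.managed_by is None:
        failures.append("not enrolled in a device management system")
    elif dev.last_checkin is None or now - dev.last_checkin > MAX_CHECKIN_AGE:
        failures.append("no management check-in within %d days" % MAX_CHECKIN_AGE.days)
    if dev.jailbroken:
        failures.append("device is jailbroken or rooted")
    minimum = MIN_OS_VERSION.get(dev.platform)
    if minimum is None:
        failures.append("unsupported platform %r" % dev.platform)
    elif parse_version(dev.os_version) < minimum:
        failures.append("OS %s below minimum %s" % (dev.os_version, ".".join(map(str, minimum))))
    if not dev.screen_lock:
        failures.append("screen-saver password / PIN lock not enabled")
    if not dev.disk_encrypted:
        failures.append("disk encryption not enabled")
    # Antimalware is only required on laptops/desktops in this example.
    if dev.platform in ("windows", "macos") and not dev.antimalware:
        failures.append("antivirus/antimalware not enabled")
    return (not failures, failures)


def sample_evaluation() -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate three constructed devices at a fixed reference time (all values made up)."""
    now = datetime(2019, 9, 15, tzinfo=timezone.utc)
    devices = [
        DeviceRecord("WIN-UDID-0001", "windows", "10.0.18362", "sccm", now - timedelta(days=2),
                     screen_lock=True, disk_encrypted=True, antimalware=True),
        DeviceRecord("IOS-UDID-0007", "ios", "11.4", "meraki", now - timedelta(days=30),
                     jailbroken=True, screen_lock=False, disk_encrypted=True),
        DeviceRecord("MAC-UDID-0042", "macos", "10.15.1", None, None,
                     screen_lock=True, disk_encrypted=True, antimalware=True),
    ]
    return {dev.device_id: evaluate_posture(dev, now) for dev in devices}


if __name__ == "__main__":
    for device_id, (trusted, reasons) in sample_evaluation().items():
        print(device_id, "full access" if trusted else "restricted: " + "; ".join(reasons))
```

The check-in age test is what turns "registered with the management platform" into "regularly checking in": a device that enrolled once and then went dark is not treated as compliant, which matches the standard described above.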

Our first approach: integrating ISE and device managers

Since 2014, we've used Cisco Identity Services Engine (ISE) with device management integration. In its simplest form, ISE receives the MAC address of a device connecting to the network from the ISE-enabled switch or wireless access point.


Through ISE and device management integration, ISE can query the relevant management platform to verify the connecting device is registered and active and can confirm it meets our definition of trusted.

'Integrating ISE with our device management systems looked like a simple solution on the surface, but we discovered a lot of practical issues,' says Donald Gunn, IT program manager.

One problem is knowing exactly what device is connecting to our networks. The ability to uniquely identify a device is an industry challenge, and the increase in privacy protection within devices and operating systems to obscure unique identifiers is not making this any easier.

Further, MAC addresses may be shared across different devices and even OS types. This can occur due to plug-in network adapter dongles that get used by more than one device, or the use of virtual machines (VMs) that can share the same MAC address as the host. These types of scenarios can make it a challenge to uniquely identify a machine on the network and correlate it to a device in management.

Over 1.5 million endpoints connect to our ISE-enabled network. Not being sure whether the connecting device is a Windows laptop, MacBook, or mobile device, ISE potentially could query all device management platforms looking for a matching device. This isn't an intelligent use of resources, and some device management platforms couldn't handle the burden of that number of queries. We needed a more scalable and dynamic solution for device posture checking.

The two core issues come down to needing a unique, reliable device identity and reducing the number of queries sent to the device management systems to a sustainable level.


Our solution: a compliance database that maps the device ID to device type

To address these issues, Cisco IT has worked closely with the ISE development team. For mobile devices, the main challenge was to identify devices that are mobile and ensure ISE looks these up in our Mobile Device Management (MDM) system. When a mobile device enrolls in a management system, our automation tools pass the device details to ISE and a flag is set in ISE to identify the management system this device is enrolled in. When this device tries to connect to the network, ISE knows where to look it up, avoiding unnecessary queries.


For laptop and desktop computers, a different approach is used that utilizes a unique device identifier from the Cisco AnyConnect Client. This allows us to know uniquely what device is connecting. Using this ID, we can verify that a specific device is trusted by our management systems. There is no ambiguity any more.

To further buffer the management systems from device posture queries, we decided to create a central database of devices that meet our posture requirements. Not only does this give us better scalability, it also provides resiliency and availability in our solution without passing this burden directly on to the management systems.

This compliance database is synchronized with the device management systems through custom software and acts as the central database that ISE queries, instead of each individual device management system. We chose Active Directory as the foundation because it scales, has low latency everywhere in our network, replicates quickly, is highly available, and is stable.
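The following Python ties together the MAC-ambiguity problem described earlier (a shared dongle, a VM carrying its host's MAC), the per-device management-system flag for mobiles, the AnyConnect UDID lookup for laptops, and the synchronized compliance database. It is an added example written for this page, not Cisco IT's software: the inventory records, device IDs and MACs are constructed, a dictionary stands in for the Active Directory-backed database, and matching a mobile's MDM record by MAC is an assumption of the example rather than something the article specifies.

```python
from typing import Dict, List, Optional, Tuple

# Constructed inventory for the three management systems named in the article.
# Every record (device ID, platform, MAC, compliance flag) is made up for the example.
MANAGEMENT_SYSTEMS: Dict[str, Dict[str, dict]] = {
    "sccm": {
        "WIN-UDID-0001": {"platform": "windows", "mac": "00:11:22:33:44:55", "compliant": True},
        "WIN-UDID-0002": {"platform": "windows", "mac": "00:11:22:33:44:55", "compliant": False},  # same USB dongle as 0001
        "WIN-UDID-0003": {"platform": "windows", "mac": "a4:83:e7:00:00:01", "compliant": True},   # VM sharing its Mac host's MAC
    },
    "jamf": {
        "MAC-UDID-0001": {"platform": "macos", "mac": "a4:83:e7:00:00:01", "compliant": True},     # the VM's host
    },
    "meraki": {
        "IOS-UDID-0001": {"platform": "ios", "mac": "f0:d1:a9:00:00:01", "compliant": True},
    },
}


def lookup_by_mac_everywhere(mac: str) -> Tuple[List[Tuple[str, str]], int]:
    """The original approach: ISE only knows the MAC, so it has to ask every platform.
    Returns the (system, device_id) candidates and how many systems were queried."""
    mac = mac.lower()
    matches: List[Tuple[str, str]] = []
    for system, devices in MANAGEMENT_SYSTEMS.items():
        matches.extend((system, dev_id) for dev_id, rec in devices.items() if rec["mac"] == mac)
    return matches, len(MANAGEMENT_SYSTEMS)


def build_compliance_db() -> Dict[str, dict]:
    """The sync step: flatten every management system into one table keyed by device ID.
    The article keeps this in Active Directory; a dict stands in for it here."""
    db: Dict[str, dict] = {}
    for system, devices in MANAGEMENT_SYSTEMS.items():
        for dev_id, rec in devices.items():
            db[dev_id] = {"type": rec["platform"], "managed_by": system, "compliant": rec["compliant"]}
    return db


def ise_decision(db: Dict[str, dict], udid: Optional[str] = None,
                 mac: Optional[str] = None, mdm_flag: Optional[str] = None) -> Tuple[str, int]:
    """Returns ("full" | "restricted", number of management-system queries issued).
    Laptops present the AnyConnect UDID and are answered from the compliance DB alone.
    Mobiles are looked up only in the MDM named by the flag set at enrollment
    (matching that record by MAC is an assumption of this example)."""
    if udid is not None:
        entry = db.get(udid)
        return ("full" if entry is not None and entry["compliant"] else "restricted", 0)
    if mac is not None and mdm_flag in MANAGEMENT_SYSTEMS:
        hits = [rec for rec in MANAGEMENT_SYSTEMS[mdm_flag].values() if rec["mac"] == mac.lower()]
        return ("full" if len(hits) == 1 and hits[0]["compliant"] else "restricted", 1)
    return ("restricted", 0)  # unknown or ambiguous identity never gets full access


if __name__ == "__main__":
    candidates, queried = lookup_by_mac_everywhere("00:11:22:33:44:55")
    print("MAC lookup:", candidates, "after querying", queried, "systems")  # two devices, one non-compliant
    db = build_compliance_db()
    for udid in ("WIN-UDID-0001", "WIN-UDID-0002", "UNKNOWN-UDID"):
        print(udid, ise_decision(db, udid=udid))
    print("IOS-UDID-0001", ise_decision(db, mac="f0:d1:a9:00:00:01", mdm_flag="meraki"))
```

The MAC lookup shows the two failure modes in one call: the dongle MAC resolves to a compliant and a non-compliant laptop at once, so neither "full" nor "restricted" is safely decidable from the MAC, and every platform had to be queried to find that out. The UDID path answers from the central table with zero management-system queries, and the mobile path issues exactly one, to the system the enrollment flag names.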

Cisco IT has now completed a successful proof of concept using this solution (Figure 1).


A custom script extracts the unique device ID (UDID) from the AnyConnect client on the laptop and compares it against the database. ISE needs to know the device ID to check its compliance status. We use the same posture database to check device status before allowing a connection to cloud services such as Office 365 as well.


Figure 1: We check device posture with ISE, a compliance database, and device management platforms.