Cisco Secure Access Mobile Private Access

I went on a journey to figure out features and workflows that I’ve never done before, or that were hard to do. This is one that I worked on to help understand how the various features are used for Secure Access’ mobile device capabilities. Especially on the Zero Trust Access (ZTA) side of things, where you can access private applications without the legacy Remote Access VPN (RAVPN) technology. Up until this point, I’ve worked with the platform only from a clientless or client-based approach using a laptop or a virtual machine. Needless to say, we are getting more and more mobile at work and we need to start considering ZTA from the mobile devices as well.

The components that I used were:

  • Meraki Systems Manager
    • For mobile device management, configuration and application compliance
  • Cisco Secure Access
    • For data center connectivity, policy enforcement, and compliance checks
  • Old iPhone
    • Wifi-only
    • Using Cisco Security Connector App and Cisco Zero Trust Access App

Prior to setting this up, the user and resource access integrations and policies were already configured. This typically occurs during the initial configuration workflow or during ongoing operations as additional private resources are being added.

Mobile Device Management

Using Meraki SM, I have my iPhone registered with Meraki and being managed by it, as shown here.

Device details for Joe's Lab iPhone including model, serial number, warranty, time zone, charge status, and security features.

Creating application lists and configurations in Meraki SM, I have the Cisco Security Connector and the Cisco Zero Trust Access applications. The Cisco Security Connector provides the Umbrella type functionality, servicing our DNS and web requests and redirecting them to Secure Access for inspection. From this perspective, Umbrella and Secure Access have similar functionality, with Secure Access having a more robust inspection capability.

The Zero Trust Access application brokers our private resource connections and allows us to use the ZTA access capabilities that come with Secure Access. This enables really cool capabilities and functionality for our mobile devices to be able to connect to the private apps wherever the device is.

Screenshot of an application list in a mobile device management dashboard, showing details such as app names, platforms, types, scopes, and tags.

Speaking of the Zero Trust Access app, let’s check out the configs! This is pretty simple, as a lot of the policy configurations will be added after enrollment inside of the application.

Screenshot showcasing the Cisco Zero Trust Access app details, including identifier, version, and description.

And for the Cisco Security Connector…connectivity to the Internet! This is what’s going to be able to give us the Umbrella-type features, like DNS filtering and web security protections.

Cisco Security Connector app details page showcasing features and settings for mobile device management.
Configuration screen for Cisco Umbrella MDM profile, showing various settings including use certificate, app bundle ID, and configuration keys.

Cisco Clarity is part of the content filtering as well, but from Cisco Secure Endpoint. This is the application that’s used to provide the EDR capabilities on the iOS devices.

Configuration page for Cisco Clarity within a mobile device management profile, showing various settings for content filtering and application management.

So that’s it’ from an MDM perspective. My iPhone is enrolled, and the applications were pushed to it.

Enrolling Mobile Devices

Hey look, I’m enrolled! I didn’t show that workflow, but once the apps were pushed I opened it. Then I clicked on the “enroll” button, and it redirected to my Cisco Duo tenant. This is what I have set for my enrollment IdP in Secure Access. So my user credentials were used to login, and I was enrolled in the platform.

Mobile device screen displaying 'Zero Trust Access' with a message indicating enrollment in secure access to organizational apps.

Testing and Validation

As you can see here, after enrollment, my configurations and policies synced to the app. You’re able to manually sync and unenroll if needed.

Screenshot of a mobile device interface displaying troubleshooting options for syncing configurations and unenrolling from Zero Trust Access.
Screenshot of mobile device management settings for Cisco Secure Access, showing details like enrollment time, server connectivity status, and organization ID.
Mobile app interface showing Zero Trust Access settings, including options for troubleshooting, sending logs, opening debug tools, and verbose logging.
Mobile device security status screen showing DNS security protected by Umbrella and endpoint visibility protected by Clarity.
Screenshot of the Umbrella app showing device protection status details including IPv4 and IPv6 protection, device ID, device label, and network information.
Screenshot of a mobile device displaying Cisco Secure Access Clarity status, showing 'Enabled', 'Provisioned', 'Registered', and 'Connected' with device details including Connector GUID, Event Intake URL, Management URL, and Detection Action.

Let’s take a look at this from the Cisco Secure Access side of things. This is where the DNS/Web/VPN/ZTNA profiles will come from, and we’ll configure everything from our access policies to our users inside of there.

Cisco Secure Access

After enrolling my device into the platform, I can see it under the Roaming Devices menu. We can customize the iOS notification settings, but as you can see, we can identify relevant profiling information in this view.

Table displaying roaming devices registered with Cisco Secure Access, including device names, serial numbers, operating systems, app versions, MDM types, and last sync times.

What’s really cool about this, is that we can create posture profiles for device compliance. These can be used for ensuring that certain levels of security are configured on the devices prior to connecting to a resource. We create a posture profile, configure the various posture checks, then tie the profile to an access control rule. In this posture profile, I’m only allowing iOS 18 to access my resources.

Interface for editing client-based posture profile in mobile device management, featuring fields for operating system, update requirements, and list of available iOS versions.

Now inside of the actual access control rule for the access, we have our actions, identities for the rule, and the various requirements. The requirements are where we tie in the security and posture profiles that we would like the endpoint to use when connecting to the resources. In the destinations, I have a private resource group with my web server configured as a web resource that is able to be connected to in a certain way.

Screenshot of a Cisco Secure Access configuration interface showing rule settings for allowing access based on endpoint requirements and user authentication.

Seeing the Private Resource Access

As you can see, in the example use case, we can connect to the private resource from anywhere. What’s cool about this is that I can use an internal FQDN because of the Zero Trust Module that’s on the device. So from anywhere with an internet connection, I can access my private resources in the datacenter. The address webserver1.phoenixlab.dev isn’t publicly resolvable, it’s internal-only. And, it uses micro-segmentation! This is possible through QUIC and MASQUE…topics for another day.

Screenshot of a mobile device displaying an index of a directory on a web server, showing files and last modified dates.

What other topics do you want to see with regards to Secure Access? Let me know in the comments!

Discover more from Defend The Net

Subscribe to get the latest posts sent to your email.

Leave a Reply

Search

Popular Posts

  • Cisco Secure Access Mobile Private Access

    I went on a journey to figure out features and workflows that I’ve never done before, or that were hard to do. This is one that I worked on to help understand how the various features are used for Secure Access’ mobile device capabilities. Especially on the Zero Trust Access (ZTA) side of things, where…

  • Multiple Cisco FTD RAVPN Tunnel Groups with Entra ID SAML Authentication
    Multiple Cisco FTD RAVPN Tunnel Groups with Entra ID SAML Authentication

    Any other title ideas? Let me know, but that’s the best that I could come up with to encompass the idea. Here’s a quick breakdown of the reason for this: Reference Post: https://community.cisco.com/t5/vpn/anyconnect-with-azure-saml-sso-cannot-add-multiple-tunnel-group/td-p/4140732/page/4 Remote Access VPNs are common in the industry, they’re everywhere. SAML authentication has been rising in popularity as well due to its…

Categories

Archives

Tags

entra-id (1) ravpn (1) saml (1) secure-firewall (1) Secure Access (1) zero trust (1) ztna (1)

Discover more from Defend The Net

Subscribe now to keep reading and get access to the full archive.

Continue reading