ASA RADIUS attribute CVPN3000/ASA/PIX7x-IE-proxy-lockdown - supported ? Type ? Valid Values ?

ffischer
Level 1

I found the ASA RADIUS attribute 

    CVPN3000/ASA/PIX7x-IE-proxy-lockdown       134

in the ISE Dictionary as well as listed here:

  https://community.cisco.com/t5/security-documents/ise-network-access-attributes/ta-p/3616253

 

If at all, what ASA versions exactly support this attribute?

What's its data type? String? Integer?

What values are valid?

 

I found nothing in the official ASA documentation about it, but when returning it from ISE for a successful SSL authentication, an ASAv 9.8.3 seems to understand it at least halfway and produces a syslog message:

%ASA-4-113036    Group... IP ... AAA parameter <msie-proxy-lockdown> value invalid

 

Maybe someone could have a quick look into the ASA sources?

Thanks a lot!

Frank

Accepted Solutions

ffischer
Level 1

Solved.

 

Systems tested on are  ISE 2.3.0.298 Patch 5 and ASA 9.8.(3)11 interims

 

Attribute CVPN3000/ASA/PIX7x-IE-proxy-lockdown has datatype INTEGER/uint32

 

Valid values apparently are:

   0 - do not lockdown / hide the connections tab from IE settings

   1 - lockdown / hide the connections tab from IE settings

 

To get it working, you have to correct the datatype in ISE System directory
and add the allowed values.


 

Now you can use the attribute in an authorization profile on the ISE and assign values to users dialing in.

 

Would be great to see an updated ASA documentation in future

 

BR,

Frank
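
The datatype matters because it changes the bytes ISE puts on the wire. As an added example (not code from the post, from ISE or from the ASA), the sketch below encodes attribute 134 as a RADIUS Vendor-Specific attribute per RFC 2865, once as INTEGER/uint32 and once with the value sent as text, and runs both through a hypothetical receiver-side check. Assumptions: vendor ID 3076 is not stated in the thread (it is the vendor ID the ASA uses for these VSAs), the string mis-typing is a constructed case, and `check_lockdown` is an illustration, not the ASA's actual parser.

```python
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
VPN3000_VENDOR_ID = 3076      # assumption: not on the page; the ASA's RADIUS vendor ID
IE_PROXY_LOCKDOWN = 134       # attribute number quoted in the post


def encode_vsa(vendor_type, data, vendor_id=VPN3000_VENDOR_ID):
    """Wrap raw value bytes in a Vendor-Specific attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_lockdown(value):
    """Encode IE-proxy-lockdown as INTEGER/uint32 with the values from the post."""
    if value not in (0, 1):
        raise ValueError("IE-proxy-lockdown accepts 0 or 1")
    return encode_vsa(IE_PROXY_LOCKDOWN, struct.pack("!I", value))


def check_lockdown(attr):
    """Hypothetical receiver-side check; returns a short verdict string."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        return "malformed VSA"
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", attr[2:8])
    data = attr[8:]
    if vendor_id != VPN3000_VENDOR_ID or vendor_type != IE_PROXY_LOCKDOWN:
        return "different attribute"
    if vendor_len != 2 + len(data):
        return "malformed VSA"
    if len(data) != 4:
        return "invalid: expected 4-byte integer, got %d byte(s)" % len(data)
    value = struct.unpack("!I", data)[0]
    if value not in (0, 1):
        return "invalid: value %d out of range" % value
    return "lockdown" if value == 1 else "no lockdown"


if __name__ == "__main__":
    good = encode_lockdown(1)
    as_string = encode_vsa(IE_PROXY_LOCKDOWN, b"1")   # constructed: value sent as text
    for label, attr in (("uint32", good), ("string", as_string)):
        print(label, attr.hex(), "->", check_lockdown(attr))
```

Comparing the two hex strings against a packet capture of the Access-Accept is a quick way to confirm which datatype the ISE dictionary is actually using.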
