07-18-2016 07:54 AM
I have a customer that would like to use ISE to stop unwanted OS types from connecting via AnyConnect to their ASAs. I know I can do this on the ASA with Hostscan and DAPs, but the customer wants to centralize all decisions in ISE if possible. The values are present during authentication via the mdm-tlv values, but without an MDM defined in ISE the MDM dictionary is not present.
Has anyone added a custom dictionary to watch the mdm-tlv values coming from the ASAs?
Here are the values:
mdm-tlv=device-platform=win
mdm-tlv=device-mac=68-94-23-11-6c-d6
mdm-tlv=ac-user-agent=AnyConnect Windows 4.1.06020
mdm-tlv=device-type=Hewlett-Packard HP ProBook 6470b
mdm-tlv=device-platform-version=6.1.7601 Service Pack 1
mdm-tlv=device-uid=838F2251D7BCEEDF93AC1EF5F82CFE74D62C70679FDFFE94C26B49EAB489931D
The one I am interested in is the device-platform version.
Thanks in advance for the help.
07-18-2016 12:43 PM
I don't believe MDM needs to be enabled but I will touch base with another team member that focuses exclusively on ISE and confirm.
07-18-2016 02:32 PM
Perfect thx! I see it now. I didn't know how to use the ACIDEX in a rule. Using Cisco AV pair in condition makes sense.
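To make the thread's approach concrete, here is an added example (not code from the thread or from Cisco) that models what an ISE authorization condition on the Cisco AV pair is doing: it parses the `mdm-tlv=key=value` pairs exactly as they appear in the original post, extracts `device-platform` and `device-platform-version`, and decides permit/deny against a minimum-version table. The policy table (`MIN_VERSION`), the `mac-intel` platform string and the `ise_condition_matches` regex are assumptions for illustration; the sample AV pairs are copied from the post and the MAC/UID are treated as constructed test data. ISE itself evaluates a `MATCHES` regex on the raw attribute, which the last function mirrors; the rest shows the same decision in plain code so it can be tested offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Cisco-AVPair attributes an ASA sends to ISE for an
# AnyConnect session (values as posted in the thread; MAC/UID are sample data).
SAMPLE_AVPAIRS: List[str] = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=68-94-23-11-6c-d6",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.1.06020",
    "mdm-tlv=device-type=Hewlett-Packard HP ProBook 6470b",
    "mdm-tlv=device-platform-version=6.1.7601 Service Pack 1",
    "mdm-tlv=device-uid=838F2251D7BCEEDF93AC1EF5F82CFE74D62C70679FDFFE94C26B49EAB489931D",
]

# Hypothetical policy: lowest platform version allowed per device-platform.
# Windows 6.1 (Win7) is below the 6.2 floor, so the sample above is denied.
MIN_VERSION: Dict[str, Tuple[int, ...]] = {"win": (6, 2), "mac-intel": (10, 11)}


def parse_mdm_tlv(avpairs: List[str]) -> Dict[str, str]:
    """Return {key: value} for every 'mdm-tlv=key=value' pair; other AV pairs are ignored."""
    tlv: Dict[str, str] = {}
    for pair in avpairs:
        if not pair.startswith("mdm-tlv="):
            continue
        key, sep, value = pair[len("mdm-tlv="):].partition("=")
        if sep:  # skip malformed entries with no '='
            tlv[key] = value
    return tlv


def platform_version_tuple(version: str) -> Tuple[int, ...]:
    """'6.1.7601 Service Pack 1' -> (6, 1, 7601); trailing text such as 'Service Pack 1' is dropped."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        return ()
    return tuple(int(g) for g in m.groups() if g is not None)


def evaluate(avpairs: List[str]) -> Tuple[str, str]:
    """Model of the authorization decision: (verdict, reason)."""
    tlv = parse_mdm_tlv(avpairs)
    platform = tlv.get("device-platform")
    version = platform_version_tuple(tlv.get("device-platform-version", ""))
    if platform is None or not version:
        # Fail closed: a client that sends no platform data gets no special access.
        return ("deny", "no mdm-tlv platform data in request")
    floor = MIN_VERSION.get(platform)
    if floor is None:
        return ("deny", f"platform '{platform}' not in allow list")
    if version < floor:  # tuple comparison: (6, 1, 7601) < (6, 2)
        return ("deny", f"{platform} {'.'.join(map(str, version))} below minimum {'.'.join(map(str, floor))}")
    return ("permit", f"{platform} {'.'.join(map(str, version))} meets minimum")


def ise_condition_matches(avpairs: List[str], pattern: str) -> bool:
    """Mirror of an ISE 'Cisco:cisco-av-pair MATCHES <regex>' condition over the raw attribute list.
    The pattern is an assumption, e.g. r'^mdm-tlv=device-platform-version=6\\.1\\b' to catch Windows 7."""
    return any(re.search(pattern, pair) for pair in avpairs)


if __name__ == "__main__":
    print(parse_mdm_tlv(SAMPLE_AVPAIRS))
    print(evaluate(SAMPLE_AVPAIRS))
    print(ise_condition_matches(SAMPLE_AVPAIRS, r"^mdm-tlv=device-platform-version=6\.1\b"))
```

In a real deployment the `evaluate` logic lives in ISE authorization rules (one rule per regex on the AV pair, ordered so the deny rules come first), and this script is only a way to check the regexes against captured attribute strings before committing them to policy.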
07-18-2016 05:35 PM
You are welcome. Good luck.
Best regards,
Paul