ASA MDM-TLV Dictionary Entries

paul
Level 10

I have a customer that would like to use ISE to stop unwanted OS types from connecting via AnyConnect to their ASAs. I know I can do this on the ASA with Hostscan and DAPs, but the customer wants to centralize all decisions in ISE if possible. The values are present during authentication via the mdm-tlv values, but without an MDM defined in ISE the MDM dictionary is not present.

Has anyone added a custom dictionary to watch the mdm-tlv values coming from the ASAs?

Here are the values:

mdm-tlv=device-platform=win

mdm-tlv=device-mac=68-94-23-11-6c-d6

mdm-tlv=ac-user-agent=AnyConnect Windows 4.1.06020

mdm-tlv=device-type=Hewlett-Packard HP ProBook 6470b

mdm-tlv=device-platform-version=6.1.7601 Service Pack 1

mdm-tlv=device-uid=838F2251D7BCEEDF93AC1EF5F82CFE74D62C70679FDFFE94C26B49EAB489931D

The one I am interested in is the device-platform version.

Thanks in advance for the help.

Accepted Solutions

pcarco
Cisco Employee

I don't believe MDM needs to be enabled but I will touch base with another team member that focuses exclusively on ISE and confirm. 

acidex.png

acidex-2.png

Perfect thx!  I see it now.  I didn't know how to use the ACIDEX in a rule.  Using Cisco AV pair in condition makes sense.

pcarco
Cisco Employee

You are welcome.   Good luck.

Best regards,

Paul
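
The mdm-tlv values listed in the question arrive as Cisco AV pair strings of the form `mdm-tlv=<key>=<value>`. The following is an added example, not code from this thread or from Cisco: a small Python checker for trying out an OS-platform rule offline against captured attribute strings. The `POLICY` table and the function names are hypothetical, and the sample input is constructed from the values posted above.

```python
import re

# Constructed sample: Cisco AV pair strings as listed in the question above.
SAMPLE_AV_PAIRS = [
    "mdm-tlv=device-platform=win",
    "mdm-tlv=device-mac=68-94-23-11-6c-d6",
    "mdm-tlv=ac-user-agent=AnyConnect Windows 4.1.06020",
    "mdm-tlv=device-type=Hewlett-Packard HP ProBook 6470b",
    "mdm-tlv=device-platform-version=6.1.7601 Service Pack 1",
]

# Hypothetical policy (an assumption, not from the thread): allowed
# platforms and the minimum OS version accepted for each.
POLICY = {"win": (6, 1, 7601)}


def parse_mdm_tlv(av_pairs):
    """Return {key: value} for every 'mdm-tlv=<key>=<value>' string."""
    out = {}
    for pair in av_pairs:
        prefix, _, rest = pair.partition("=")
        if prefix.strip().lower() != "mdm-tlv":
            continue  # unrelated AV pairs are ignored
        key, sep, value = rest.partition("=")
        if sep and key:
            out[key.strip().lower()] = value.strip()
    return out


def version_tuple(text):
    """Leading dotted number of a version string, or None if there is none."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def evaluate(av_pairs, policy=POLICY):
    """Return (decision, reason); missing or unparsable values are denied."""
    tlv = parse_mdm_tlv(av_pairs)
    platform = tlv.get("device-platform")
    if platform not in policy:
        return "deny", f"platform {platform!r} not allowed"
    version = version_tuple(tlv.get("device-platform-version"))
    if version is None:
        return "deny", "device-platform-version missing or unparsable"
    if version < policy[platform]:
        return "deny", f"version {version} below minimum {policy[platform]}"
    return "permit", f"{platform} {version}"
```

The version is compared numerically as a tuple, so a session that omits `device-platform-version` or reports a shorter version than the minimum is denied rather than permitted by default.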