Use cisco-av-pair with database query.

rhobab
Level 1

We currently are validating the computers that access the network by the uid in the cisco-av-pair. For this we have conditions to validate the uid. While this worked fine with a few computers connecting via AnyConnect, the number of machines has increased greatly and the conditions have become unmanageable.

We have been looking for a way to validate the uid against a database at the time of authentication / authorization. We would insert the known uids into a database. The idea being to authenticate the user against the Active Directory and validate the uid against the database at the time of connection. 

Does anyone know of a way to do this?

Thanks

Victor
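As an added illustration of the check the post is asking for (not code from the original thread, and not an ISE feature), the following Python sketch extracts the device uid from a list of cisco-av-pair style `key=value` strings, looks it up in a table of known device uids, and only permits the session when both the user authentication and the device lookup succeed. The av-pair strings, the uid values, the SQLite table and the `authorize` decision logic are all constructed assumptions for the example; only the attribute name `mdm-tlv-device-uid` comes from the thread.

```python
import re
import sqlite3

# Constructed sample: av-pair strings in the "key=value" shape, with a made-up
# device uid. The real attribute name mdm-tlv-device-uid is the one named in the
# thread; the values are hypothetical.
SAMPLE_AV_PAIRS = [
    "mdm-tlv-device-platform=win",
    "mdm-tlv-device-uid=3f1c9d2a7b5e4c6d8a9f0b1c2d3e4f5a",
    "mdm-tlv-device-mac=00-11-22-33-44-55",
]

UID_KEY = "mdm-tlv-device-uid"
# Assumption: the uid is a hex string; reject anything that does not look like one
# so a malformed or injected value never reaches the database lookup.
_UID_RE = re.compile(r"^[0-9a-f]{16,64}$")


def extract_device_uid(av_pairs):
    """Return the normalised mdm-tlv-device-uid from a list of av-pair strings, or None."""
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        if sep and key.strip().lower() == UID_KEY:
            value = value.strip().lower()
            return value if _UID_RE.match(value) else None
    return None


def build_known_device_db(rows):
    """Create an in-memory table of approved device uids (stand-in for a real database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE known_device (uid TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO known_device VALUES (?, ?)", rows)
    conn.commit()
    return conn


def is_known_device(conn, uid):
    """Parameterised lookup so the uid is bound, never interpolated into the SQL text."""
    if uid is None:
        return False
    row = conn.execute("SELECT 1 FROM known_device WHERE uid = ?", (uid,)).fetchone()
    return row is not None


def authorize(conn, user_authenticated, av_pairs):
    """Decision: directory authentication must succeed AND the device uid must be on the list."""
    if not user_authenticated:
        return "reject: user authentication failed"
    uid = extract_device_uid(av_pairs)
    if uid is None:
        return "reject: no valid device uid presented"
    if not is_known_device(conn, uid):
        return "reject: unknown device uid"
    return "permit"


if __name__ == "__main__":
    db = build_known_device_db([("3f1c9d2a7b5e4c6d8a9f0b1c2d3e4f5a", "victor")])
    print(authorize(db, True, SAMPLE_AV_PAIRS))
    print(authorize(db, True, ["mdm-tlv-device-uid=deadbeefdeadbeef"]))
```

The two things worth noting in the design are that the user check and the device check are independent gates (a valid AD login from an unlisted machine is still rejected), and that the uid is validated against a strict pattern before it is used as a bound parameter, so the database never sees free-form input from the client.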

6 Replies

Peter Koltl
Level 7

Remote access or 802.1X?

Remote access. 

Surendra
Cisco Employee

When you said “We currently are validating the computers that access the network by the uid in the cisco-av-pair”, may I know where this UID is configured and how you are validating it on the ISE? Perhaps a screenshot would help to understand your current setup better before providing any suggestions.

As far as I know the uid is automatically generated when you install AnyConnect on the computer. It appears in the ISE logs as mdm-tlv-device-uid.


If the UID is generated when you install AnyConnect on a machine, may I know what you are validating it against? Wouldn't any machine with AnyConnect have a UID in that case, and be kind of unreliable?

It is being validated against a condition in an authorization rule. Any machine with AnyConnect has a UID which is randomly generated. In my opinion it is reliable.