03-24-2017 04:00 AM
Hi all,
Does anyone know if it is possible to validate AnyConnect Identity Extensions (like device ID) against an external DB? I know it's possible by using ASA DAP, but the customer would like to do it centrally on ISE. I could not find a way (tried to do it with authorization rules).
Thanks in advance.
Roland
03-24-2017 06:51 AM
Having our expert pcarco chime in as well.
03-24-2017 05:52 PM
ACIDEX attributes are mainly for profiling at present. Please present your use case to our product management team.
03-27-2017 02:38 AM
The use case here is to validate whether the device which is connecting via VPN is actually a company-owned device. To check that, they would like to validate the device ID which AnyConnect is sending to ISE against a database (LDAP/AD probably). The operating system in question here is MacBook. In most cases, you would do that by checking a certificate during authentication, but the customer in question here is not allowed to install certificates on MacBooks, as they fear that the certificate could get compromised.
I know that this can currently be done via DAPs and Lua scripts on the ASA, but the customer prefers ISE to do this job centrally for all VPN gateways.
Roland
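For reference, this is what the ASA-side approach mentioned above looks like. It is an added example, not code from the thread or from Cisco: a DAP "advanced" Lua expression that matches the ACIDEX device unique ID reported by AnyConnect against an allow-list of company-owned Macs. The device IDs are constructed placeholders, and the platform string value is an assumption; the `endpoint.anyconnect.*` attribute names are the ones DAP exposes for AnyConnect Identity Extensions.

```lua
-- Added example (not from the original post): ASA DAP advanced Lua expression.
-- Returns true only when the connecting endpoint reports an ACIDEX device unique ID
-- that is in the allow-list below. DAP treats an error or false as "no match".
assert(function()
  -- Constructed placeholder IDs; in practice these are the IDs of managed MacBooks.
  local allowed = {
    ["0123456789ABCDEF0123456789ABCDEF01234567"] = true,
    ["89ABCDEF0123456789ABCDEF0123456789ABCDEF"] = true,
  }

  -- ACIDEX attributes as exposed to DAP; absent when the client did not send them.
  local id       = endpoint.anyconnect.deviceuniqueid
  local platform = endpoint.anyconnect.platform

  -- Fail closed: no ID or no platform means no match.
  if id == nil or platform == nil then
    return false
  end

  -- Platform value assumed to be "mac-intel" for macOS clients.
  return platform == "mac-intel" and allowed[id] == true
end)()
```

Two caveats a practitioner would want. First, the allow-list lives in the DAP record of each ASA, so every gateway must be updated when a device is added or retired, which is exactly the maintenance burden the poster wants to move into ISE. Second, the device ID is reported by the client, not proven to the gateway, so without a certificate (or another form of attestation) this check raises the bar for an attacker but is not equivalent to machine authentication.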
03-27-2017 01:33 PM
Please reach out to the ISE-PM mailer for the use case, as they handle the requests.
03-29-2017 04:19 PM
This thread may also help on similar query: Machine + User Auth for MAC OSX