03-08-2022 12:04 PM
Is it possible to block a device trying to connect via AnyConnect with the Cisco AV pair mdm-tlv=device-platform=apple-ios? I have created an AuthZ rule which denies Cisco·cisco-av-pair 'contains' apple-ios, but it never matches the rule.
03-09-2022 07:00 AM
@ryan14 this is the bug I recall was related to this issue, it started working after applying the patch.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz55258
03-08-2022 12:35 PM
@ryan14 yes, that looks like the correct acidex attribute, I've used it before with win clients.
Look in the live logs or take a packet capture of the authentication process and confirm exactly what attributes are sent by the client.
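To make "confirm what the client actually sends" concrete, here is an added example (not code from this thread, from Cisco, or from ISE) that models how a "cisco-av-pair contains ..." authorization condition has to be evaluated against a multi-valued RADIUS attribute. The AnyConnect values below are constructed to look like the mdm-tlv pairs seen in live logs; the attribute name, the per-value matching and the case-sensitive "contains" operator are assumptions of this model, not a statement of how ISE implements its policy engine.

```python
"""Model of an authorization rule matching on multi-valued cisco-av-pair.

Added example, not from the thread or from Cisco. It parses the mdm-tlv
pairs an AnyConnect client reports, then evaluates an ordered policy
whose first rule denies anything whose cisco-av-pair contains 'apple-ios'.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: cisco-av-pair values as an iOS AnyConnect client might
# report them. Real captures contain more pairs; values are illustrative only.
SAMPLE_AVPAIRS = [
    "mdm-tlv=device-platform=apple-ios",
    "mdm-tlv=device-platform-version=15.3",
    "mdm-tlv=device-type=iPhone",
    "mdm-tlv=ac-user-agent=AnyConnect Apple iOS 4.10",
]

# Attribute name used by this model (ISE shows it as Cisco:cisco-av-pair).
AVPAIR = "cisco-av-pair"


def parse_mdm_tlv(av_pairs: List[str]) -> Dict[str, str]:
    """Return {tlv-key: value} for the mdm-tlv pairs in a cisco-av-pair list.

    Other pairs (e.g. ip:inacl#1=...) are ignored. A value may itself contain
    '=', so only the first two separators are split on.
    """
    tlvs: Dict[str, str] = {}
    for pair in av_pairs:
        if not pair.startswith("mdm-tlv="):
            continue
        rest = pair.split("=", 1)[1]
        if "=" not in rest:
            continue  # malformed TLV: skip rather than guess a key
        key, value = rest.split("=", 1)
        tlvs[key] = value
    return tlvs


@dataclass
class Condition:
    attribute: str   # e.g. "cisco-av-pair"
    operator: str    # "contains" or "equals" (case-sensitive, by assumption)
    value: str

    def matches(self, attrs: Dict[str, List[str]]) -> bool:
        """True if ANY value of the multi-valued attribute satisfies the test.

        Assumption: an attribute repeated in the Access-Request is checked
        value by value; a condition written against the joined string would
        never match a single instance.
        """
        for v in attrs.get(self.attribute, []):
            if self.operator == "contains" and self.value in v:
                return True
            if self.operator == "equals" and self.value == v:
                return True
        return False


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    result: str  # "DenyAccess" or an authorization profile name


def evaluate(rules: List[Rule], attrs: Dict[str, List[str]]) -> Tuple[str, str]:
    """First-match evaluation, like an ordered authorization policy."""
    for rule in rules:
        if all(c.matches(attrs) for c in rule.conditions):
            return rule.name, rule.result
    return "Default", "PermitAccess"


# Deny iOS first, then grant the VPN profile to any other AnyConnect client.
POLICY = [
    Rule("Block iOS", [Condition(AVPAIR, "contains", "apple-ios")], "DenyAccess"),
    Rule("VPN users", [Condition(AVPAIR, "contains", "ac-user-agent=AnyConnect")],
         "VPN_Profile"),
]


def decide(av_pairs: List[str]) -> Tuple[str, str]:
    """Build the attribute map from the raw pairs and run the policy."""
    return evaluate(POLICY, {AVPAIR: list(av_pairs)})


if __name__ == "__main__":
    print(parse_mdm_tlv(SAMPLE_AVPAIRS))
    print(decide(SAMPLE_AVPAIRS))
```

Feed `decide()` the exact cisco-av-pair strings copied from the live log or capture; if the model matches but the deployment does not, the difference is in the policy engine (or the spelling/case of the condition), not in what the client sent.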
03-09-2022 05:42 AM
Yeah, I copied and pasted an attribute from the live logs, but my rule must be wrong. Here is a screenshot (it matches the rule below it):
03-09-2022 05:52 AM
@ryan14 I cannot test your exact scenario currently, but this screenshot is from my notes - it uses the same AVP but I've included mdm-tlv=device-platform= which you do not appear to have.
My memory is not 100%, but I think when I tested this it did not work and I had to patch ISE (probably 3.0), then it worked.
03-09-2022 06:57 AM
OK, thanks. I tried including the full string from the live logs, but it didn't make any difference. I also tried including contains 'apple', but it didn't match either. I am running 2.7, so I will try this again after upgrading to 3.x.