05-16-2012 08:48 AM - edited 03-11-2019 04:07 PM
I have a 5505 in the lab that is used purely for testing. It was purchased a while ago when we were doing some work for a customer who was using the Advanced Endpoint Assessment features. It was purchased with the Advanced Endpoint Assessment license and at 8.2x it worked fine. It has since been upgraded to 8.3 and now to 8.4(3)9; however, since 8.3 I cannot see the AV, Firewall or Anti-Spyware products when I click to configure the Advanced Endpoint Assessment features, i.e. click Remote Access VPN, Secure Desktop Manager, Host Scan, select Advanced Endpoint Assessment and click Configure. If I then click Add for either AntiVirus, Personal Firewall or AntiSpyware, the 'Add Products' screen is blank. As it is in the lab I haven't been too bothered about it, but I need to look at this again.
I have been gradually eliminating stuff and have eventually found what is causing the problem but not a way to fix it. Telnet, SSH & HTTP/ASDM are set to authenticate using Radius; I have a Radius Server group called IAS-Servers and in this are two Windows 2003 IAS servers with identical policies configured. If I change HTTP/ASDM authentication to local then I can see the AntiVirus, Personal Firewall & AntiSpyware products to add.
Authorisation is not enabled and I don't see any additional Radius messages sent when this happens. I think this is a bug in 8.3+ but need someone to confirm it?
Andy
05-16-2012 12:51 PM
I thought I would try configuring HTTP Authentication to be local, configure some Advanced Endpoint Assessment features, save it and then re-enable Radius HTTP Authentication. I did this and now when I click on Configure for Advanced Endpoint Assessment under Host Scan Extensions I get an error dialogue box that says:
'Please enable Cisco Secure Desktop to configure this parameter.'
If I change HTTP authentication back to local it works fine.
This must be a bug or an undocumented 'feature'.
Andy
05-25-2012 12:16 AM
Just upgraded to 8.4(4) and ASDM 6.4(9) and the problem remains
07-03-2012 03:40 PM
Upgraded to 8.4(4)1 and the problem is still there although the behaviour is slightly different....
I tried changing the authentication for http to just be local and this fails as well - with 8.4(4)1 you physically need to remove the 'aaa authentication http console' command completely. I am not sure if this was the same with 8.4(4), however with 8.4(3) you could change http authentication to be local with the command 'aaa authentication http console LOCAL' and it worked. With 8.4(4)1 this no longer works and you must remove the 'aaa authentication http console' command completely.
So if it's configured like this:
aaa-server IAS-Servers (inside) host 10.1.1.1
 timeout 2
 key *****
 authentication-port 1812
 accounting-port 1813
!
username admin password cisco privilege 15
!
aaa authentication http console IAS-Servers LOCAL
or this:
username admin password cisco privilege 15
!
aaa authentication http console LOCAL
it fails. You have to remove the 'aaa authentication http console xxxx' command for the AV, AS or Firewall options to appear in the Advanced Endpoint Assessment, Host Scan Extensions.
Andy
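Added example, not from the thread or from Cisco: a small Python check that reads a saved ASA running-config and classifies how ASDM/HTTP logins are authenticated, covering the three states Andy describes (a RADIUS server group with LOCAL fallback, LOCAL only, and the `aaa authentication http console` command removed entirely). The sample config is constructed from the snippet above; the `aaa-server IAS-Servers protocol radius` line and the second host 10.1.1.2 are assumptions, as the post only showed one host. The caveat a practitioner wants flagged when applying the workaround is that with no `aaa authentication http console` command the ASA authenticates ASDM sessions with the enable password and a blank username, so admin logins are no longer tied to individual accounts.

```python
"""Classify how ASDM/HTTPS logins are authenticated in an ASA running-config."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the config posted in the thread. The
# "protocol radius" line and the second host are assumptions, not from the post.
SAMPLE_CONFIG = """\
aaa-server IAS-Servers protocol radius
aaa-server IAS-Servers (inside) host 10.1.1.1
 timeout 2
 key *****
 authentication-port 1812
 accounting-port 1813
aaa-server IAS-Servers (inside) host 10.1.1.2
 key *****
!
username admin password cisco privilege 15
!
aaa authentication http console IAS-Servers LOCAL
aaa authentication ssh console IAS-Servers LOCAL
"""


@dataclass
class HttpAuth:
    method: str                      # none | local | server | server_with_local_fallback
    group: Optional[str] = None
    protocol: Optional[str] = None
    hosts: List[str] = field(default_factory=list)


def parse_http_console_auth(config: str) -> HttpAuth:
    """Resolve the 'aaa authentication http console' command against aaa-server groups."""
    groups: Dict[str, dict] = {}
    http_cmd = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^aaa-server (\S+) protocol (\S+)$", line)
        if m:
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["protocol"] = m[2]
            continue
        m = re.match(r"^aaa-server (\S+) \(\S+\) host (\S+)", line)
        if m:
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["hosts"].append(m[2])
            continue
        m = re.match(r"^aaa authentication http console (\S+)(?: (\S+))?$", line)
        if m:
            http_cmd = (m[1], m[2])   # later occurrences replace earlier ones, as on the box
    if http_cmd is None:
        return HttpAuth(method="none")
    primary, fallback = http_cmd
    if primary.upper() == "LOCAL":
        return HttpAuth(method="local", group="LOCAL")
    grp = groups.get(primary, {"protocol": None, "hosts": []})
    method = "server_with_local_fallback" if (fallback or "").upper() == "LOCAL" else "server"
    return HttpAuth(method=method, group=primary, protocol=grp["protocol"], hosts=list(grp["hosts"]))


def apply_workaround(config: str) -> str:
    """Mimic 'no aaa authentication http console ...' by dropping only that command.
    SSH/Telnet authentication lines are left untouched."""
    kept = [l for l in config.splitlines()
            if not l.strip().startswith("aaa authentication http console")]
    return "\n".join(kept) + "\n"


def describe(auth: HttpAuth) -> str:
    """Human-readable verdict, including the security cost of each state."""
    if auth.method == "none":
        return ("no 'aaa authentication http console': ASDM logins fall back to the enable "
                "password with a blank username, so there is no per-admin accountability")
    if auth.method == "local":
        return "ASDM logins use the LOCAL user database only"
    where = (f"{auth.protocol or 'unknown-protocol'} group {auth.group} "
             f"({', '.join(auth.hosts) or 'no hosts defined'})")
    if auth.method == "server_with_local_fallback":
        return f"ASDM logins use {where}, falling back to LOCAL only if the servers are unreachable"
    return f"ASDM logins use {where} with no local fallback: losing the servers locks ASDM out"


if __name__ == "__main__":
    before = parse_http_console_auth(SAMPLE_CONFIG)
    after = parse_http_console_auth(apply_workaround(SAMPLE_CONFIG))
    print("before workaround:", describe(before))
    print("after workaround: ", describe(after))
```

Point it at the output of `show running-config` saved to a file to record the authentication state before and after removing the command, so the change can be reverted once an image that no longer needs the workaround is in place.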
08-16-2012 03:31 AM
Still a problem with the latest 8.4(4)5 interim release and ASDM 6.4(9)103....
11-04-2012 08:36 AM
OK, installed 9.0(1) & ASDM 7.0(2) and it now works. Strangely I can't see anything in the release notes about this 'feature'?
Andy
11-07-2012 08:31 AM
Andrew,
First, I greatly appreciate you posting this stuff on here. Second, I'm seriously disappointed that no one replies to these kinds of posts.
I am running into the exact same issues on the ASDM. Your experience is much appreciated. How did you finally get this working? Only by upgrading? The issue I am running into is this: when I go to click on the host scan, I still receive the "must enable CSD" message (since I'm only running the host scan settings). I have been through all kinds of loop-d-loop problems with this. First the "must enable CSD", then it just lost all of its settings magically, and I couldn't even get in to see the AV. I would get the blank screen you are referring to. I had to restore from a backup to get to a semi-stable state. But now I'm back to the "must enable CSD" message. I ran the "no aaa authentication http console LOCAL" command but still have the same problems. Any advice is appreciated. As far as I'm concerned this is a serious problem with the SSL VPN...
11-10-2012 10:00 AM
TAC has been engaged regarding this behavior. More updates to follow.