
Bug with Advanced Endpoint Assessment & ASDM Authentication since 8.3?

I have a 5505 in the Lab that is used purely for testing.  It was purchased a while ago when we were doing some work for a customer who was using the Advanced Endpoint Assessment features.  It was purchased with the Advanced Endpoint Assessment license and at 8.2x it worked fine.  It has since been upgraded to 8.3 and now to 8.4(3)9; however, since 8.3 I cannot see the AV, Firewall or Anti-Spyware products when I click to configure the Advanced Endpoint Assessment features, i.e. click Remote Access VPN, Secure Desktop Manager, Host Scan, select Advanced Endpoint Assessment and click Configure.  If I then click on Add for either AntiVirus, Personal Firewall or AntiSpyware the 'Add Products' screen is blank.  As it is in the Lab I haven't been too bothered about it but need to look at this again.

I have been gradually eliminating stuff and have eventually found what is causing the problem but not a way to fix it.  Telnet, SSH & HTTP/ASDM are set to authenticate using Radius; I have a Radius Server group called IAS-Servers and in this are two Windows 2003 IAS servers with identical policies configured.  If I change HTTP/ASDM authentication to local then I can see the AntiVirus, Personal Firewall & AntiSpyware products to add.

Authorisation is not enabled and I don't see any additional Radius messages sent when this happens.  I think this is a bug in 8.3+ but need someone to confirm it?

Andy

7 Replies

I thought I would try configuring HTTP Authentication to be local, configure some Advanced Endpoint Assessment features, save it and then re-enable Radius HTTP Authentication.  I did this and now when I click on Configure for Advanced Endpoint Assessment under Host Scan Extensions I get an error dialogue box that says:

'Please enable Cisco Secure Destop to configure this parameter.'

If I change HTTP authentication back to local it works fine.

This must be a bug or an undocumented 'feature'

Andy

Just upgraded to 8.4(4) and ASDM 6.4(9) and the problem remains

Upgraded to 8.4(4)1 and the problem is still there although the behaviour is slightly different....

I tried changing the authentication for http to just be local and this fails as well - with 8.4(4)1 you physically need to remove the 'aaa authentication http console' command completely.  I am not sure if this was the same with 8.4(4), however with 8.4(3) you could change http authentication to be local with the command 'aaa authentication http console LOCAL' and it worked.  With 8.4(4)1 this no longer works and you must remove the 'aaa authentication http console' command completely.

So if it's configured like this:

aaa-server IAS-Servers (inside) host 10.1.1.1
 timeout 2
 key *****
 authentication-port 1812
 accounting-port 1813
!
username admin password cisco privilege 15
!
aaa authentication http console IAS-Servers LOCAL

or this:

username admin password cisco privilege 15
!
aaa authentication http console LOCAL

It fails.  You have to remove the 'aaa authentication http console xxxx' command for the AV, AS or Firewall options to appear in the Advanced Endpoint Assessment, Host Scan Extensions.

Andy

Still a problem with the latest 8.4(4)5 interim release and ASDM 6.4(9)103....

OK, installed 9.0(1) & ASDM 7.0(2) and it now works.  Strangely I can't see anything in the release notes about this 'feature'?

Andy

Andrew,

First, I greatly appreciate you posting this stuff on here. Second, I'm seriously disappointed that no one replies to these kinds of posts.

I am running into the same exact issues on the ASDM. Your experience is much appreciated. How did you finally get this working? Only upgrade? The issue I am running into is this: when I go to click on the host scan, I still receive the "must enable CSD" (since I'm only running the host scan settings). I have been through all kinds of loop-d-loop problems with this. First the "must enable CSD", then it just lost all of its settings magically, and I couldn't even get in to see the AV. I would get the blank screen you are referring to. I had to restore from a backup to get to a semi-stable state. But now I'm back to the "must enable CSD" message. I ran the "no aaa authentication http console LOCAL" command but still the same problems. Any advice is appreciated. As far as I'm concerned this is a serious problem with the SSL VPN...

TAC has been engaged regarding this behavior. More updates to follow.
