Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Josh Morris
Stats
Member since
05-12-2011
206
Posts
25
Helpful
2
Solutions
Created by
Josh Morris
in Network Access Control
in Network Access Control
03-27-2020
06:20 AM
03-27-2020
06:20 AM
Thanks, what I'm wondering now is why the UDID discovered from Anyconnect doesn't match the actual UDID. For example, the actual UDID of my device is UDID: 7EE54F6A-2329-5DFE-84B8-XXXXXXXXXXX but Dart and Anyconnect report the UDID as UDID : 3DE068XXXXXXXXC348B081EF6630XXXXXXXXXXXXX. Not sure if this is some sort of hash or what. But obviously, this value would cause a mis-match when comparing to JAMF. When ISE does the MDM lookup, it does return the correct UDID value but it puts it in the 'PhoneID' attribute, with the 'PhoneIDType' set to 'UDID'. I still feel like there should be a way to tell Anyconnect how/what value to pull from the device to send to JAMF.
... View more
Created by
Josh Morris
in Network Access Control
in Network Access Control
03-26-2020
06:04 AM
03-26-2020
06:04 AM
I am trying to authenticate devices from my VPN to ISE for MDM compliance. Baed on the ISE 2.6 configuration guide, it should be using the UID to check for compliance when coming from the VPN. But I'm seeing that this isn't true...it still seems to be attempting to authenticate based on MAC address. This doesn't work right when the user connects with a dongle vs their wireless connection. How can I force the UID? Is it an Anyconnect setting?
... View more
03-16-2020
09:02 AM
Thanks, but where in the profile do I specify the login message instead of the HTML generated by the webvpn? Not seeing that option.
... View more
03-16-2020
07:52 AM
I have an Anyconnect profile that is showing HTML in the connection window. This is because I have customized the default webvpn portal. I want the customization to show up when going to the portal page with https, but not with Anyconnect. Can I remove it from AC only?
... View more
Labels:
Created by
Josh Morris
in Network Access Control
in Network Access Control
03-11-2020
05:40 AM
03-11-2020
05:40 AM
Thanks, my entire LAN environment supports inline tagging, so no issue there, but I don't think I can support all the way to my ASAs, hence the SXP question. My goal is to have SGTs in my ASA and also to my Checkpoint firewall. I do have pxGrid, which is how I plan on propagating to the Checkpoint. Should I use the pxGrid model for the ASAs instead of the SXP model?
... View more
Created by
Josh Morris
in Network Access Control
in Network Access Control
03-10-2020
01:14 PM
03-10-2020
01:14 PM
I want my VPN users on a Cisco ASA to authenticate against ISE but use Azure AD for MFA on the backend. So far, it seems there are three ways to do this. My requirements are that I must use AnyConnect and ISE. Setup Azure AD as External Radius Server and use a Radius Server Sequence in the Policy Set Auth rule. This one works most consistently for me. Downside is that you can't choose which method to use for authentication (SMS, app, notification, etc.) Setup Azure AD as a Radius Token server. This one works, but is rather clunky. For example, I'll get multiple SMS messages, random drops, etc. Setup Azure AD an a SAML idP. This one is the most complex it seems. Not sure of the advantages. I know it can be used as a SAML provider directly from the ASA...Could I have the ASA do SAML authentication and then let ISE do authorization? It looks like if I use ISE with the SAML iDP, you have to require a web portal for auth, which I don't want.
... View more
Labels:
Created by
Josh Morris
in Network Access Control
in Network Access Control
03-10-2020
01:06 PM
03-10-2020
01:06 PM
I have been successful at connecting an ASA to ISE just by adding a PAC file in the ASA. The ASA is then able to get an SGT and see where ISE assigns the SGT in the session. Do I even need to continue using SXP? I have configured it successfully although I find the configuration to be a little complex and would rather not use it if it isn't necessary.
... View more
Labels:
02-28-2020
05:32 AM
I have some old ASAs that cannot run TLS 1.2, and I am running some clientless VPN. When the browsers switch over to TLS 1.2 only, my clientless VPN will break. Does anyone know of a way to front-end this connection with f5 and let f5 negotiate at TLS 1.2 while using 1.1 on the backend to the ASAs?
... View more
Labels:
01-30-2020
08:35 AM
Hi, I am working on templatizing my VPN deployments and would like to deploy all config in the CLI. When I try the following config in the CLI, I do not get a connection profile to show up in the ASDM. But when I configure a connection profile in the ASDM, this is the config that gets deployed in the CLI. How can I get the connection profile to show up in the ASDM? object network 10.12.47.0-28
subnet 10.12.47.0 255.255.255.240
description Local Reservations
!
object network REMOTE_DGA_SUBNET1
subnet 10.x.0.0 255.255.255.0
description Dynamix Test Subnet
!
object network REMOTE_DGA_SUBNET2
subnet 10.x.0.0 255.255.0.0
description Dynamix Test Subnet
!
object-group network DGA_TESTING_LAB
network-object object REMOTE_DGA_SUBNET1
network-object object REMOTE_DGA_SUBNET2
exit
!
crypto ipsec ikev2 ipsec-proposal IKEV2_AESGCM-SHA
protocol esp encryption aes-gcm-256
protocol esp integrity sha-384
!
group-policy S2S_IKEv2_POLICY internal
group-policy S2S_IKEv2_POLICY attributes
vpn-tunnel-protocol ikev2
exit
!
tunnel-group S2S_DGA type ipsec-l2l
tunnel-group S2S_DGA general-attributes
default-group-policy S2S_IKEv2_POLICY
tunnel-group S2S_DGA ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
exit
!
access-list S2S_DGA_ACL line 1 extended permit ip object 10.12.47.0-28 object-group DGA_TESTING_LAB
!
crypto map outside_map 1 match address S2S_DGA_ACL
crypto map outside_map 1 set pfs group20
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set ikev2 ipsec-proposal IKEV2_AESGCM-SHA
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set nat-t-disable
!
... View more
Labels:
01-23-2020
08:50 AM
I am trying to get VPN split tunneling working where I can specify a tunnel network list that includes all RFC1918 address space. This should allow internet traffic to stay local to the user. This works as expected. What I am seeing though is that my local traffic (192.168.1.0/24 at home) is also being tunneled. How can I avoid sending my local traffic over the tunnel when using 192.168.0.0/16 in my ACL? I tried adding a DENY 192.168.1.0/24 in my ACL, but that didn't help.
... View more
Labels:
Created by
Josh Morris
in Application Centric Infrastructure
in Application Centric Infrastructure
01-21-2020
08:39 AM
01-21-2020
08:39 AM
I am trying to accommodate a vendor who needs to regularly see the cam table for a leaf. I don't want to give them direct access into the leaf. Is there an API call that can return the mac-address to port combination?
... View more
Labels:
Created by
Josh Morris
in Network Access Control
in Network Access Control
12-12-2019
05:41 AM
12-12-2019
05:41 AM
Thanks, that is interesting. Although counter-intuitive. I did remove the authorization command and tried again, and I no longer get the additional ISE failure. I now get three successful logs in ISE with the following steps... Session Events 2019-12-12 07:36:59.61 Dynamic Authorization succeeded 2019-12-12 07:36:51.07 RADIUS Accounting watchdog update 2019-12-12 07:36:49.583 RADIUS Accounting start request 2019-12-12 07:36:49.575 DACL Download Succeeded 2019-12-12 07:36:49.574 Authentication succeeded The ASA does not report a failed (or successful) authorization, but it also does use the DACL I have applied in my ISE authorization policy, so I guess authorization is working. Thanks, I will continue to test.
... View more
Created by
Josh Morris
in Network Access Control
in Network Access Control
12-11-2019
09:42 AM
12-11-2019
09:42 AM
It's just weird. I feel like I am successfully being authorized because I added a DACL for testing and it gets applied successfully. But I see in the ASA logs that authorization was rejected and I see the two log entries in the ISE live logs.
... View more
Created by
Josh Morris
in Network Access Control
in Network Access Control
12-11-2019
07:38 AM
12-11-2019
07:38 AM
tunnel-group ISE_AAA type remote-access tunnel-group ISE_AAA general-attributes authentication-server-group ISE_RADIUS authorization-server-group ISE_RADIUS accounting-server-group ISE_RADIUS default-group-policy ISE_TEST dhcp-server subnet-selection 10.200.x.x dhcp-server subnet-selection 10.244.x.x tunnel-group ISE_AAA webvpn-attributes group-url https://testingurl enable tunnel-group webvpn type remote-access
... View more
Created by
Josh Morris
in Network Access Control
03-27-2020
03-27-2020
Thanks, what I'm wondering now is why the UDID discovered from
Anyconnect doesn't match the actual U...
03-26-2020
I am trying to authenticate devices from my VPN to ISE for MDM
compliance. Baed on the ISE 2.6 confi...
03-16-2020
Thanks, but where in the profile do I specify the login message instead
of the HTML generated by the...
03-16-2020
I have an Anyconnect profile that is showing HTML in the connection
window. This is because I have c...
Created by
Josh Morris
in Network Access Control
03-11-2020
03-11-2020
Thanks, my entire LAN environment supports inline tagging, so no issue
there, but I don't think I ca...
Created by
Josh Morris
in Network Access Control
03-10-2020
03-10-2020
I want my VPN users on a Cisco ASA to authenticate against ISE but use
Azure AD for MFA on the backe...
03-10-2020
I have been successful at connecting an ASA to ISE just by adding a PAC
file in the ASA. The ASA is ...
02-28-2020
I have some old ASAs that cannot run TLS 1.2, and I am running some
clientless VPN. When the browser...
Created by
Josh Morris
in VPN
01-30-2020
01-30-2020
Hi, I am working on templatizing my VPN deployments and would like to
deploy all config in the CLI. ...
Created by
Josh Morris
in VPN
01-23-2020
01-23-2020
I am trying to get VPN split tunneling working where I can specify a
tunnel network list that includ...
Created by
Josh Morris
in Application Centric Infrastructure
01-21-2020
01-21-2020
I am trying to accommodate a vendor who needs to regularly see the cam
table for a leaf. I don't wan...
12-12-2019
Thanks, that is interesting. Although counter-intuitive. I did remove
the authorization command and ...
12-11-2019
It's just weird. I feel like I am successfully being authorized because
I added a DACL for testing a...
Public Statistics
| Date Registered | 05-12-2011 06:26 AM |
| Date Last Visited | 04-02-2020 06:04 AM |
| Total Messages Posted | 206 |
| Total Helpful Votes Received | 25 |
Helpful Votes Given To
.jpg "VIP Advocate"){kind=icon}
.jpg "Hall of Fame Guru"){kind=icon}
Helpful Votes From
