Validating AnyConnect Identity Extensions (ACIDex) attributes against external DB

rmueller@cisco.com
Cisco Employee

Hi all,

Does someone know if it is possible to validate AnyConnect Identity Extensions (like device ID) against an external DB? I know it's possible by using ASA DAP, but the customer would like to do it centrally on ISE. Could not find a way (tried to do it with authorization rules).

Thanks in advance.

Roland

1 Accepted Solution

hslai
Cisco Employee

ACIDEX attributes are mainly for profiling at present. Please present your use case to our product management team.

5 Replies

Jason Kunst
Cisco Employee

Having our experts pcarco chime in as well

hslai
Cisco Employee

ACIDEX attributes are mainly for profiling at present. Please present your use case to our product management team.

The use case here is to validate whether the device which is connecting via VPN is actually a company-owned device. To check that, they would like to validate the device ID which AnyConnect is sending to ISE against a database (LDAP/AD probably). The operating system in question here is MacBook. In most cases, you would do that by checking a certificate during authentication, but the customer in question here is not allowed to install certificates on MacBooks as they fear that the certificate can get compromised.

I know that this can currently be done via DAPs and LUA-scripts on ASA, but the customer prefers ISE to do this job centrally for all VPN gateways.

Roland

Please reach out to the ISE-PM mailer for the use case, as they handle the requests.

Craig Hyps
Level 10

This thread may also help on a similar query: Machine + User Auth for MAC OSX