I'm running into an issue when using OpenConnect to connect to a Cisco SSL
VPN that uses Cisco ISE for authentication and performs a check for client
MDM compliance. The issue is that either the OpenConnect client software,
the ASA firewall, or Cisco ISE is assigning the client's public IP address
as the "Endpoint ID" inside of ISE. ISE then passes this field to the MDM
server, which checks it for compliance. The problem is that the MDM software is
expecting this field to contain a MAC address and not an IP address; thus
the MDM server returns the MDM.DeviceCompliantStatus flag of false.

When using the Cisco AnyConnect agent, the "Endpoint ID" field is populated
with the client MAC address and everything works fine. It looks like it
assigns this field from the RADIUS CiscoAVPair value of mdm-tlv=device-mac.
Sadly I'm not sure how AnyConnect labels this information or when it sends
it. Does anyone know of a way to make OpenConnect send the MAC address?


Connection details when using OpenConnect:
Event   5200 Authentication succeeded
Username        xxxxxxx
Endpoint Id     73.111.111.11
CiscoAVPair      mdm-tlv=device-platform=linux-64,
mdm-tlv=ac-user-agent=Open AnyConnect VPN Agent v7.08-3,
audit-session-id=0a0990810725100051111111, ip:source-ip=73.111.111.11,
coa-push=true
DeviceCompliantStatus   false
AuthorizationPolicyMatchedRule  No MDM Client - Client

Connection details when using AnyConnect:
Event   5200 Authentication succeeded
Username        xxxxxxx
Endpoint Id     64:5D:86:11:11:11
CiscoAVPair      mdm-tlv=device-platform=linux-64,
mdm-tlv=device-mac=64-5d-86-11-11-11, mdm-tlv=device-type=Dell Inc. Latitude
7490, mdm-tlv=ac-user-agent=AnyConnect Linux_64 4.6.03049,
mdm-tlv=device-uid=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA49599111
1111111, mdm-tlv=device-platform-version=Linux 4.18.0-12-generic #13-Ubuntu
SMP Wed Nov 14 15:17:05 UTC 2018 x86_64,
audit-session-id=0a0946010c8ea00051111111, ip:source-ip=73.111.111.11,
coa-push=true
DeviceCompliantStatus   true
AuthorizationPolicyMatchedRule  MDM Compliant Device

Thanks for looking!
Neil
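As an added example (not code from the post or from the OpenConnect project), a small Python parser for the CiscoAVPair attribute shown in the two ISE events above: it splits out the mdm-tlv sub-fields and reports which value ISE would use as Endpoint Id under the behaviour Neil observes (device-mac when present, otherwise the source IP). The two sample strings are the post's own log lines joined back onto one line; the Endpoint Id selection rule is an assumption drawn from the post, not documented ISE logic.

```python
import re

# Constructed samples: the CiscoAVPair values from the two ISE events in the
# post, re-joined onto one line each (the ISE log viewer wrapped them).
OPENCONNECT_AVPAIR = (
    "mdm-tlv=device-platform=linux-64, "
    "mdm-tlv=ac-user-agent=Open AnyConnect VPN Agent v7.08-3, "
    "audit-session-id=0a0990810725100051111111, ip:source-ip=73.111.111.11, "
    "coa-push=true"
)
ANYCONNECT_AVPAIR = (
    "mdm-tlv=device-platform=linux-64, "
    "mdm-tlv=device-mac=64-5d-86-11-11-11, "
    "mdm-tlv=device-type=Dell Inc. Latitude 7490, "
    "mdm-tlv=ac-user-agent=AnyConnect Linux_64 4.6.03049, "
    "mdm-tlv=device-platform-version=Linux 4.18.0-12-generic #13-Ubuntu "
    "SMP Wed Nov 14 15:17:05 UTC 2018 x86_64, "
    "audit-session-id=0a0946010c8ea00051111111, ip:source-ip=73.111.111.11, "
    "coa-push=true"
)


def parse_avpair(avpair):
    """Split a CiscoAVPair string into plain AV pairs and the mdm-tlv sub-fields.
    ISE renders the pairs comma-separated; values may themselves contain spaces."""
    fields, mdm = {}, {}
    for item in avpair.split(", "):
        key, _, value = item.partition("=")
        if key == "mdm-tlv":
            tlv_key, _, tlv_value = value.partition("=")
            mdm[tlv_key] = tlv_value
        else:
            fields[key] = value
    return fields, mdm


def normalize_mac(raw):
    """Return the MAC in the form ISE displays (64:5D:86:11:11:11), or None
    if the value is not 12 hex digits (e.g. an IP address)."""
    hexdigits = re.sub(r"[-:.]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def expected_endpoint_id(avpair):
    """Assumed rule mirroring the post: device-mac when present, else source IP.
    Returns (endpoint_id, mac_present) so a missing MAC is easy to flag."""
    fields, mdm = parse_avpair(avpair)
    mac = normalize_mac(mdm.get("device-mac", ""))
    if mac:
        return mac, True
    return fields.get("ip:source-ip"), False
```

Running `expected_endpoint_id` over an exported ISE event is a quick way to confirm, per session, whether the client supplied a MAC before blaming the MDM side.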


_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel