
#Asa 9.2 setup anyconnect vpn mac

What I've noticed is that when I've tried to get this working for several customers that are wanting an OnGuard posture check for "unmanaged/non-corporate" devices, the WebAuth portion works for OnGuard and records the virtual MAC address from the WebAuth attempt. They can then successfully auth to the VPN, but the MAC recorded is the physical MAC of the port on the device connecting to the VPN. So both individual services are successful, but the posture response from the VPN service is listed as "unknown" because the MACs are different between what was recorded for the device's WebAuth attempt from OnGuard and the VPN auth attempt. Therefore the cached information for the user's device exists but doesn't line up and is not applied to the VPN auth service attempt.

We've also tried putting the desired enforcement responses on the WebAuth instead of the VPN auth (RADIUS), but the ASA doesn't receive them unless they're coming from the RADIUS-based service. It won't work with OnGuard's WebAuth-based service from what we can tell from Cisco debugs on the ASA, etc. These customers don't want to have to auth the OnGuard client, which is the only other mechanism that I can find to match the identity of the WebAuth attempt and the VPN auth attempt.

If these use cases were in fully managed environments we may have some other options to correct the OnGuard agent's behavior, but I haven't found anything that applies to the unmanaged/Guest/BYOD use cases for OnGuard and Cisco ASA VPNs to date. If it's not definitively possible at this time, it would also be good to know so that I can help our sales teams not oversell capabilities that aren't there without very specific constraints. A solution to this would be nice.

Does this mean that the issue still has not been resolved but Aruba/HPE is not pursuing it any further?

This post provides a step-by-step procedure to export/import the SSL certificate used by the Cisco ASA using CLI and ASDM.

Export/Import via CLI

View the current CA/Identity certificate and identify the Trustpoint.

show crypto ca certificates

Export the Trustpoint configuration, keys and certificates in PKCS12 with a password.

AnyConnect Identity Extensions (ACIDex) for Desktop Platforms.

ACIDex, also known as AnyConnect Endpoint Attributes or Mobile Posture, is the method used by the AnyConnect VPN client to communicate posture information to the ASA. We introduced or modified the following commands: anyconnect-custom-attr, anyconnect-custom-data, and anyconnect-custo.

There was a security issue with one of our remote systems and I was able to find who had that IP address, but was unable to find the user with the MAC address with that IP address. I would like to know if it is possible to set up my ASA running 9.4 to log events from when my users connect and disconnect the AnyConnect VPN client.
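The question about logging AnyConnect connect/disconnect events on this page has no answer on the page itself, so the following is an added example (not from the original post or from Cisco): a small parser that turns the ASA's own session syslog messages into a timeline and answers "which user held VPN address X at time T". It assumes the ASA sends syslog with `logging enable`, `logging timestamp` and `logging trap informational` (or at least `warnings`) to a collector, and that the collector stores the lines unchanged. The log lines below are constructed in the shape of syslog IDs 113039 (parent session started), 722051 (IPv4 address assigned) and 113019 (session disconnected); they are not real captures. Note that none of these messages carry the client's MAC address, which is why the IP-to-user mapping is done here rather than IP-to-MAC.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of ASA syslog IDs 113039, 722051 and 113019,
# with the timestamp prefix produced by "logging timestamp". Not real captures.
SAMPLE_LOG = """\
Jun 12 2023 14:03:21: %ASA-4-113039: Group <RA-VPN> User <jdoe> IP <203.0.113.25> AnyConnect parent session started.
Jun 12 2023 14:03:22: %ASA-4-722051: Group <RA-VPN> User <jdoe> IP <203.0.113.25> IPv4 Address <10.10.20.7> IPv6 address <::> assigned to session
Jun 12 2023 14:45:35: %ASA-4-113019: Group = RA-VPN, Username = jdoe, IP = 203.0.113.25, Session disconnected. Session Type: SSL, Duration: 0h:42m:13s, Bytes xmt: 123456, Bytes rcv: 654321, Reason: User Requested
Jun 12 2023 15:10:02: %ASA-4-113039: Group <RA-VPN> User <asmith> IP <198.51.100.9> AnyConnect parent session started.
Jun 12 2023 15:10:03: %ASA-4-722051: Group <RA-VPN> User <asmith> IP <198.51.100.9> IPv4 Address <10.10.20.7> IPv6 address <::> assigned to session
"""

TS_FMT = "%b %d %Y %H:%M:%S"

# Timestamp prefix, message ID and free-text remainder of one ASA syslog line.
RE_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)
# 722051: the pool address the ASA handed to the client (the one internal hosts see).
RE_ASSIGN = re.compile(
    r"Group <(?P<group>[^>]*)> User <(?P<user>[^>]*)> IP <(?P<peer>[^>]*)> "
    r"IPv4 Address <(?P<vpn_ip>[^>]*)>"
)
# 113019: session teardown, keyed by the same user + public peer address.
RE_DISC = re.compile(
    r"Group = (?P<group>[^,]*), Username = (?P<user>[^,]*), IP = (?P<peer>[^,]*), "
    r"Session disconnected"
)


def parse_sessions(log_text):
    """Build session records from ASA syslog text.

    Returns a list of dicts with keys user, group, peer (public IP of the
    client), vpn_ip (address assigned from the pool), start, end
    (end is None while the session is still open in the log).
    """
    open_by_key = {}  # (user, peer) -> open session record
    sessions = []
    for line in log_text.splitlines():
        m = RE_LINE.match(line)
        if not m:
            continue  # not an ASA line we recognise; skip rather than crash
        ts = datetime.strptime(m["ts"], TS_FMT)
        msg_id, msg = m["id"], m["msg"]
        if msg_id == "722051":
            a = RE_ASSIGN.search(msg)
            if a is None:
                continue
            rec = {"user": a["user"], "group": a["group"], "peer": a["peer"],
                   "vpn_ip": a["vpn_ip"], "start": ts, "end": None}
            # A reconnect before the old teardown was logged simply replaces the key.
            open_by_key[(a["user"], a["peer"])] = rec
            sessions.append(rec)
        elif msg_id == "113019":
            d = RE_DISC.search(msg)
            if d is None:
                continue
            rec = open_by_key.pop((d["user"], d["peer"]), None)
            if rec is not None:
                rec["end"] = ts
    return sessions


def who_had(sessions, vpn_ip, when):
    """Username that held `vpn_ip` at `when` (datetime or TS_FMT string), else None."""
    if isinstance(when, str):
        when = datetime.strptime(when, TS_FMT)
    for s in sessions:
        if s["vpn_ip"] == vpn_ip and s["start"] <= when and (s["end"] is None or when <= s["end"]):
            return s["user"]
    return None


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for s in sessions:
        print(f'{s["user"]:8} {s["peer"]:15} -> {s["vpn_ip"]:12} {s["start"]} .. {s["end"] or "open"}')
    print("10.10.20.7 at 14:30 was held by", who_had(sessions, "10.10.20.7", "Jun 12 2023 14:30:00"))
```

The pool address is reused across sessions (both users above receive 10.10.20.7), so an incident on an internal address must always be resolved together with its time window; a lookup that ignores the timestamps returns the wrong user as soon as the pool recycles.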
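For the certificate export/import procedure described on this page, here is the CLI sequence written out as an added example; it is not taken from the original post. The trustpoint name `ASDM_TrustPoint0`, the passphrase `Str0ngExp0rtPass` and the interface name `outside` are placeholders for illustration.

```cisco
! Source ASA: find the trustpoint that holds the identity certificate
asa# show crypto ca certificates
asa# configure terminal
! Export private key, identity cert and CA chain as a passphrase-protected PKCS12 blob
asa(config)# crypto ca export ASDM_TrustPoint0 pkcs12 Str0ngExp0rtPass
! ... copy everything printed between "-----BEGIN PKCS12-----" and "-----END PKCS12-----"

! Target ASA: recreate the trustpoint from the blob
asa(config)# crypto ca import ASDM_TrustPoint0 pkcs12 Str0ngExp0rtPass
! ... paste the base64 blob, then type "quit" on a line by itself
! Bind the imported identity certificate to the interface that terminates SSL/AnyConnect
asa(config)# ssl trust-point ASDM_TrustPoint0 outside
asa(config)# show crypto ca certificates
asa(config)# write memory
```

The blob contains the private key, protected only by the passphrase you chose, so move it over an authenticated channel, pick a passphrase that is not reused elsewhere, and delete the copy once the import is confirmed with `show crypto ca certificates` on the target.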
