Add feature - ACIDEX attributes
Hi OpenConnect team, I would like to ask if you plan to, or if you can, add ACIDEX attributes to the OpenConnect client? https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/118944-technote-anyconnect-00.html
I will describe our problem, and I think it will help other people as well. Our customer has a Cisco Firepower with ASA software as the VPN concentrator. This VPN concentrator is connected to Cisco ISE, which works as the authentication and authorization server. Normally it works well, but the customer also shares the contexts with all firewalls via pxGrid so they can define firewall rules based on the user and not on the IP address/subnet. By default with AnyConnect, ISE builds a context database where the "primary key" is the MAC address, which is unique for each endpoint. In the case of OpenConnect, ISE builds its database with the public IP address, which is not unique as all users are behind NAT. The reason for this is that AnyConnect sends ACIDEX attributes in which the additional information is passed to Cisco ISE (see below).

Now the problem. When the first user connects to the VPN, everything works just fine. When a second user connects to the VPN with the same public IP address, the contexts will be in conflict, which leads to an incorrect update via pxGrid, and the firewalls internally disconnect both users, so the firewall rules will not apply and both users will not have access to the network.
| AnyConnect CiscoAVPair |
|---|
| mdm-tlv=device-platform=mac-intel, |
| mdm-tlv=device-type=MacBookPro14,1, |
| mdm-tlv=device-mac=xx-xx-xx-xx-xx-xx, |
| mdm-tlv=device-platform-version=10.14.6, |
| mdm-tlv=device-public-mac=xx-xx-xx-xx-xx-xx, |
| mdm-tlv=ac-user-agent=AnyConnect Darwin_i386 4.7.04056, |
| mdm-tlv=device-uid=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, |
| audit-session-id=0a00ec1600a0d0005d554e9a, |
| ip:source-ip=xx.xxx.xxx.xx, |
| coa-push=true |
| OpenConnect CiscoAVPair |
|---|
| mdm-tlv=device-platform=linux-64, |
| mdm-tlv=ac-user-agent=Open AnyConnect VPN Agent v8.04-unknown, |
| audit-session-id=0a00ec1600a110005d5550a6, |
| ip:source-ip=xx.xxx.xx.xx, |
| coa-push=true |
I hope I described the issue understandably :-)
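The collision described in the post, reproduced as an added example (this is not OpenConnect or Cisco code). It parses the comma-separated Cisco AVPair shown above, strips the `mdm-tlv=` wrapper from the ACIDEX attributes, and then feeds sessions into a context table keyed the way the post describes: by the device MAC when the client sent one, otherwise by the RADIUS source IP. The keying rule and the sample AVPairs (two AnyConnect endpoints and two OpenConnect endpoints, all behind the same NAT address `203.0.113.10`) are constructed assumptions for illustration, not captured data.

```python
"""Added example: parse Cisco AVPair mdm-tlv (ACIDEX) attributes and reproduce
the context-key collision described in the issue. Not OpenConnect code; the
sample AVPairs below are constructed, and the keying rule is an assumption
about how the context table is built from the attributes."""
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]


def parse_avpair(avpair: str) -> Dict[str, str]:
    """Parse a comma-separated Cisco AVPair string into a flat dict.

    Each element is 'name=value'; ACIDEX attributes arrive wrapped as
    'mdm-tlv=name=value', and the 'mdm-tlv=' prefix is stripped so that
    'mdm-tlv=device-mac=00-11-...' becomes {'device-mac': '00-11-...'}.
    Values may contain spaces (ac-user-agent) but not commas.
    """
    attrs: Dict[str, str] = {}
    for element in avpair.split(","):
        element = element.strip()
        if not element:
            continue
        if element.startswith("mdm-tlv="):
            element = element[len("mdm-tlv="):]
        name, sep, value = element.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def context_key(attrs: Dict[str, str]) -> Optional[Key]:
    """Endpoint identity used as the context table's 'primary key'.

    Assumed rule, matching the behaviour described in the issue: use the
    ACIDEX device MAC when the client sent one, otherwise fall back to the
    RADIUS source IP, which for remote users is the shared NAT address.
    """
    for name in ("device-mac", "device-public-mac"):
        mac = attrs.get(name)
        if mac:
            return ("mac", mac.lower())
    source_ip = attrs.get("ip:source-ip")
    if source_ip:
        return ("ip", source_ip)
    return None


def find_conflicts(avpairs: List[str]) -> List[Tuple[Key, str, str]]:
    """Insert sessions into a context table in order and report every
    (key, existing_session, new_session) where a second, different
    audit-session-id lands on a key that is already occupied."""
    table: Dict[Key, str] = {}
    conflicts: List[Tuple[Key, str, str]] = []
    for avpair in avpairs:
        attrs = parse_avpair(avpair)
        key = context_key(attrs)
        session = attrs.get("audit-session-id", "?")
        if key is None:
            continue
        existing = table.get(key)
        if existing is not None and existing != session:
            conflicts.append((key, existing, session))
        table[key] = session
    return conflicts


# Constructed sample data: all four endpoints sit behind one NAT address.
NAT_IP = "203.0.113.10"

ANYCONNECT_SESSIONS = [
    "mdm-tlv=device-platform=mac-intel,mdm-tlv=device-mac=00-11-22-33-44-55,"
    "mdm-tlv=ac-user-agent=AnyConnect Darwin_i386 4.7.04056,"
    "audit-session-id=0a00ec1600a0d0005d554e9a,ip:source-ip=" + NAT_IP + ",coa-push=true",
    "mdm-tlv=device-platform=mac-intel,mdm-tlv=device-mac=00-11-22-33-44-66,"
    "mdm-tlv=ac-user-agent=AnyConnect Darwin_i386 4.7.04056,"
    "audit-session-id=0a00ec1600a0e0005d554f10,ip:source-ip=" + NAT_IP + ",coa-push=true",
]

OPENCONNECT_SESSIONS = [
    "mdm-tlv=device-platform=linux-64,"
    "mdm-tlv=ac-user-agent=Open AnyConnect VPN Agent v8.04-unknown,"
    "audit-session-id=0a00ec1600a110005d5550a6,ip:source-ip=" + NAT_IP + ",coa-push=true",
    "mdm-tlv=device-platform=linux-64,"
    "mdm-tlv=ac-user-agent=Open AnyConnect VPN Agent v8.04-unknown,"
    "audit-session-id=0a00ec1600a120005d555200,ip:source-ip=" + NAT_IP + ",coa-push=true",
]

if __name__ == "__main__":
    # AnyConnect: distinct MACs, so no conflict. OpenConnect: both sessions
    # key on the NAT IP, so the second one collides with the first.
    print("AnyConnect conflicts:", find_conflicts(ANYCONNECT_SESSIONS))
    print("OpenConnect conflicts:", find_conflicts(OPENCONNECT_SESSIONS))
```

Running it shows the two AnyConnect endpoints land on separate `("mac", ...)` keys while both OpenConnect endpoints map to the same `("ip", "203.0.113.10")` key, which is exactly the collision that makes the second session overwrite the first.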