I'm running into an issue when using OpenConnect to connect to a Cisco SSL VPN that uses Cisco ISE for authentication and performs a check for client MDM compliance.

The issue is that either the OpenConnect client software, the ASA firewall, or Cisco ISE is assigning the client's public IP address as the "Endpoint ID" inside of ISE. ISE then passes this field to the MDM server, which checks it for compliance. The problem is that the MDM software is expecting this field to contain a MAC address and not an IP address - thus the MDM server returns the MDM.DeviceCompliantStatus flag of false.

When using the Cisco AnyConnect agent, the "Endpoint ID" field is populated with the client MAC address and everything works fine. It looks like it assigns this field from the RADIUS CiscoAVPair value of mdm-tlv=device-mac. Sadly I'm not sure how AnyConnect labels this information or when it sends it.

Does anyone know of a way to make OpenConnect send the MAC address?

Connection details when using OpenConnect:

    Event                            5200 Authentication succeeded
    Username                         xxxxxxx
    Endpoint Id                      73.111.111.11
    CiscoAVPair                      mdm-tlv=device-platform=linux-64, mdm-tlv=ac-user-agent=Open AnyConnect VPN Agent v7.08-3, audit-session-id=0a0990810725100051111111, ip:source-ip=73.111.111.11, coa-push=true
    DeviceCompliantStatus            false
    AuthorizationPolicyMatchedRule   No MDM Client - Client

Connection details when using AnyConnect:

    Event                            5200 Authentication succeeded
    Username                         xxxxxxx
    Endpoint Id                      64:5D:86:11:11:11
    CiscoAVPair                      mdm-tlv=device-platform=linux-64, mdm-tlv=device-mac=64-5d-86-11-11-11, mdm-tlv=device-type=Dell Inc. Latitude 7490, mdm-tlv=ac-user-agent=AnyConnect Linux_64 4.6.03049, mdm-tlv=device-uid=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991111111111, mdm-tlv=device-platform-version=Linux 4.18.0-12-generic #13-Ubuntu SMP Wed Nov 14 15:17:05 UTC 2018 x86_64, audit-session-id=0a0946010c8ea00051111111, ip:source-ip=73.111.111.11, coa-push=true
    DeviceCompliantStatus            true
    AuthorizationPolicyMatchedRule   MDM Compliant Device

Thanks for looking!

Neil
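
Added example, not part of the original post and not OpenConnect or Cisco code: a small Python diagnostic that parses the two CiscoAVPair strings shown above, lists which mdm-tlv attributes the OpenConnect session lacks relative to the AnyConnect one, and classifies each Endpoint Id as a MAC or an IP address. The function and variable names are hypothetical, and the sample data is constructed from the log excerpts in the post.

```python
import ipaddress
import re

# Sample sessions constructed from the two ISE log excerpts in the post.
OPENCONNECT = {
    "endpoint_id": "73.111.111.11",
    "avpair": "mdm-tlv=device-platform=linux-64, "
              "mdm-tlv=ac-user-agent=Open AnyConnect VPN Agent v7.08-3, "
              "audit-session-id=0a0990810725100051111111, "
              "ip:source-ip=73.111.111.11, coa-push=true",
}
ANYCONNECT = {
    "endpoint_id": "64:5D:86:11:11:11",
    "avpair": "mdm-tlv=device-platform=linux-64, "
              "mdm-tlv=device-mac=64-5d-86-11-11-11, "
              "mdm-tlv=device-type=Dell Inc. Latitude 7490, "
              "mdm-tlv=ac-user-agent=AnyConnect Linux_64 4.6.03049, "
              "mdm-tlv=device-uid=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991111111111, "
              "mdm-tlv=device-platform-version=Linux 4.18.0-12-generic #13-Ubuntu SMP Wed Nov 14 15:17:05 UTC 2018 x86_64, "
              "audit-session-id=0a0946010c8ea00051111111, "
              "ip:source-ip=73.111.111.11, coa-push=true",
}

# Split only at a comma that is followed by a new "name=" so free-text values stay whole.
PAIR_START = re.compile(r",\s*(?=[A-Za-z][\w:-]*=)")
MAC = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")

def mdm_tlvs(avpair):
    """Return {tlv-name: value} for every mdm-tlv=<name>=<value> attribute."""
    out = {}
    for item in PAIR_START.split(avpair):
        if item.startswith("mdm-tlv="):
            key, _, value = item[len("mdm-tlv="):].partition("=")
            out[key] = value
    return out

def endpoint_id_kind(value):
    """Classify an Endpoint Id as 'mac', 'ip' or 'other'."""
    if MAC.match(value):
        return "mac"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "other"

def missing_tlvs(candidate, reference):
    """mdm-tlv names present in the reference session but absent from the candidate."""
    return sorted(set(mdm_tlvs(reference["avpair"])) - set(mdm_tlvs(candidate["avpair"])))
```

Calling missing_tlvs(OPENCONNECT, ANYCONNECT) on the sample data lists the attributes the OpenConnect session did not carry, device-mac among them.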