This simple example shows how to use a Dynamic Access Policy (DAP) to enforce a process check, so that a Clientless SSL VPN session is only established from a Vista machine that is running CSD Vault (Secure Desktop).
1) In ASDM, under Configuration-Remote Access VPN-Secure Desktop Manager-Prelogin Policy, define the prelogin check(s).
We chose a simple OS check for Vista and named the resulting policy Vault. Other types of checks, or nested checks, can be performed depending on the granularity of posture assessment desired.
2) In ASDM, under Configuration-Remote Access VPN-Secure Desktop Manager-Prelogin Policy-Vault, select the functionality the Vault policy will carry out: choose the Secure Desktop (Vault) option.
3) In ASDM, under Configuration-Remote Access VPN-Secure Desktop Manager-Host Scan, define the process(es) that represent the Vault.
Note: CSD Vault spawns two processes, Main.exe and Storage.exe. Host Scan spawns Host.exe and Cache Cleaner spawns Cleaner.exe.
We chose two process IDs (names), CSD-Main.exe and CSD-Storage.exe, one for each Vault process; these IDs are what the DAP endpoint.process checks reference.
4) In ASDM, under Configuration-Remote Access VPN-Clientless SSL VPN Access-Dynamic Access Policies, define a DAP record with the required checks and the action Continue. Because the DfltAccessPolicy record is applied whenever no other DAP record matches, set its action to Terminate; otherwise a session from a non-Vista machine, or one without the Vault processes running, is still allowed through.
In our example we assume the following:
Remote access VPN users authenticate against Active Directory (LDAP).
The AAA attribute check (aaa.ldap.memberOf) verifies that the user is a member of the AD Employees group.
The endpoint.process attribute checks verify that the two CSD Vault processes are running.
The endpoint.os attribute check verifies that only Vista machines match this DAP record.
5) The DAP record's checks, represented in Lua, are as follows:
5540-1(config)# debug menu dap 2
DAP record [ check-if-Vault-is-running ]: (EVAL(aaa.ldap.memberOf,"EQ","Employees","caseless")) and ((EVAL(endpoint.os.version,"EQ","Windows Vista","string"))) and ((EVAL(endpoint.process["CSD-Main.exe"].exists,"EQ","true","string")) and (EVAL(endpoint.process["CSD-Storage.exe"].exists,"EQ","true","string")))
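To reason about which sessions the record above will and will not match before pushing it to production, the following is an offline model of its logic in Python. This is an added example, not Cisco code, and it does not run on the ASA: EVAL() models the DAP Lua EVAL(attribute, operation, value, type) primitive for the string, caseless, integer and version types; the session attribute sets are constructed sample data; and two behaviours are assumptions rather than documented facts: a multi-valued memberOf matches when any of its values matches, and an attribute that was never delivered (for example no Host Scan data) never matches.

```python
"""Offline model of the DAP record check-if-Vault-is-running (constructed example)."""
import operator

_OPS = {"EQ": operator.eq, "NE": operator.ne, "LT": operator.lt, "GT": operator.gt}


def _coerce(raw, typ):
    """Normalise a value according to the EVAL type argument."""
    if typ == "string":      # exact, case-sensitive comparison
        return str(raw)
    if typ == "caseless":    # case-insensitive comparison
        return str(raw).lower()
    if typ == "integer":
        return int(raw)
    if typ == "version":     # "9.14.1" -> (9, 14, 1), compared element-wise
        return tuple(int(p) for p in str(raw).split("."))
    raise ValueError("unsupported EVAL type: %r" % typ)


def EVAL(attr, op, value, typ):
    """Model of DAP EVAL(attribute, operation, value, type).

    attr is the attribute as delivered by AAA or Host Scan, or None when it
    was not delivered at all; a missing attribute never matches (assumption,
    fail closed).  A list models a multi-valued LDAP attribute such as
    memberOf; it matches when any of its values matches (assumption).
    """
    if attr is None:
        return False
    if isinstance(attr, (list, tuple, set)):
        return any(EVAL(a, op, value, typ) for a in attr)
    return _OPS[op](_coerce(attr, typ), _coerce(value, typ))


def process_exists(session, process_id):
    """endpoint.process["<id>"].exists: "true"/"false" as reported by Host Scan
    for a configured process ID, or None if Host Scan never reported it."""
    return session["endpoint"].get("process", {}).get(process_id, {}).get("exists")


def check_if_vault_is_running(session):
    """The DAP record from the debug output, transcribed from Lua."""
    aaa, endpoint = session["aaa"], session["endpoint"]
    return (
        EVAL(aaa.get("ldap", {}).get("memberOf"), "EQ", "Employees", "caseless")
        and EVAL(endpoint.get("os", {}).get("version"), "EQ", "Windows Vista", "string")
        and EVAL(process_exists(session, "CSD-Main.exe"), "EQ", "true", "string")
        and EVAL(process_exists(session, "CSD-Storage.exe"), "EQ", "true", "string")
    )


def make_session(groups, os_version, running, host_scan=True):
    """Build a constructed session attribute set.  `running` is the set of
    configured process IDs Host Scan found; with host_scan=False no
    endpoint.process data is delivered at all."""
    endpoint = {"os": {"version": os_version}}
    if host_scan:
        endpoint["process"] = {
            pid: {"exists": "true" if pid in running else "false"}
            for pid in ("CSD-Main.exe", "CSD-Storage.exe")
        }
    return {"aaa": {"ldap": {"memberOf": groups}}, "endpoint": endpoint}


VAULT = {"CSD-Main.exe", "CSD-Storage.exe"}

# Constructed scenarios.  The memberOf values use the short group name, as the
# policy in the text does; whatever form the ASA actually delivers in
# aaa.ldap.memberOf is what the EVAL value has to match.
SCENARIOS = {
    "vista_employee_vault": make_session(["Employees", "VPN-Users"], "Windows Vista", VAULT),
    "vista_employee_lowercase_group": make_session(["employees"], "Windows Vista", VAULT),
    "vista_employee_storage_missing": make_session(["Employees"], "Windows Vista", {"CSD-Main.exe"}),
    "xp_employee_vault": make_session(["Employees"], "Windows XP", VAULT),
    "vista_contractor_vault": make_session(["Contractors"], "Windows Vista", VAULT),
    "vista_employee_no_hostscan": make_session(["Employees"], "Windows Vista", VAULT, host_scan=False),
}


def evaluate_all():
    """Return {scenario name: True if the DAP record matches}."""
    return {name: check_if_vault_is_running(s) for name, s in SCENARIOS.items()}


if __name__ == "__main__":
    for name, matched in evaluate_all().items():
        print("%-32s %s" % (name, "match" if matched else "no match"))
```

The scenarios that do not match are the ones the DfltAccessPolicy will see, which is why its action matters: the record only grants access, it never denies it on its own. Note also the difference between the caseless group check and the string OS and process checks; "windows vista" would not satisfy the OS check, so the value in the record must be exactly what Host Scan reports.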