This simple example shows how to enforce process checks through a Dynamic Access Policy (DAP) that requires Vista machines to be running the CSD Vault before a Clientless SSL VPN session is allowed to be established.
1) In ASDM, under Configuration-Remote Access VPN-Secure Desktop Manager-Prelogin Policy, define the prelogin check(s).
We chose a simple OS check for Vista and a policy name called Vault. Other types of checks or nested checks can be performed depending on the granularity of the posture assessment desired.
2) In ASDM, under Configuration-Remote Access VPN-Secure Desktop Manager-Prelogin Policy-Vault, select the functionality the Vault policy will carry out. Choose the Secure Desktop (Vault) option.
3) In ASDM, under Configuration-Remote Access VPN-Secure Desktop Manager-Host Scan, define the process(es) that represent the Vault.
Note: CSD Vault spawns 2 processes: Main.exe and Storage.exe. Host Scan spawns Host.exe and Cache Cleaner spawns Cleaner.exe.
We chose 2 process IDs (names) for the 2 Vault processes.
4) In ASDM, under Configuration-Remote Access VPN-Clientless SSL VPN Access-Dynamic Access Policies, define a DAP policy with the required checks.
In our example we assume the following:
- The VPN remote access will use Active Directory for authentication.
- The AAA attribute verifies that the user is a member of the AD Employees group.
- The endpoint.process attributes verify that CSD is running.
- The endpoint.os attribute verifies that only Vista machines match this DAP policy.
5) The DAP policy checks represented in LUA are as follows:
5540-1(config)# debug menu dap 2
DAP record [ check-if-Vault-is-running ]: (EVAL(aaa.ldap.memberOf,"EQ","Employees","caseless")) and ((EVAL(endpoint.os.version,"EQ","Windows Vista","string"))) and ((EVAL(endpoint.process["CSD-Main.exe"].exists,"EQ","true","string")) and (EVAL(endpoint.process["CSD-Storage.exe"].exists,"EQ","true","string")))
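To see how the record above behaves against different endpoint postures before rolling it out, here is an added, offline model of the same EVAL() terms written for this page (it is not Cisco code and does not run on the ASA). It assumes that "caseless" compares case-insensitively, "string" compares exactly, and that a multi-valued attribute such as aaa.ldap.memberOf satisfies EQ when any value matches; the sample postures are constructed.

```python
from typing import Any, Dict

# A posture is the flat set of AAA and endpoint attributes the ASA would see
# for one session, keyed by the same attribute names used in the DAP record.
Posture = Dict[str, Any]

def eval_attr(posture: Posture, attr: str, op: str, expected: str, kind: str) -> bool:
    """Mirror of one DAP EVAL(attr, op, value, kind) term (assumed semantics)."""
    values = posture.get(attr)
    if values is None:                      # attribute never reported: fail closed
        return False
    if not isinstance(values, (list, tuple, set)):
        values = [values]                   # single-valued attribute
    if kind == "caseless":
        matches = [str(v).lower() == expected.lower() for v in values]
    else:                                   # "string": exact comparison
        matches = [str(v) == expected for v in values]
    if op == "EQ":
        return any(matches)                 # any value of a multi-valued attr may match
    if op == "NE":
        return not any(matches)
    raise ValueError(f"unsupported operator {op!r}")

def check_if_vault_is_running(posture: Posture) -> bool:
    """The 'check-if-Vault-is-running' record, term for term as shown in the debug output."""
    return (
        eval_attr(posture, "aaa.ldap.memberOf", "EQ", "Employees", "caseless")
        and eval_attr(posture, "endpoint.os.version", "EQ", "Windows Vista", "string")
        and eval_attr(posture, 'endpoint.process["CSD-Main.exe"].exists', "EQ", "true", "string")
        and eval_attr(posture, 'endpoint.process["CSD-Storage.exe"].exists', "EQ", "true", "string")
    )

# Constructed sample postures (not captured from a real ASA).
COMPLIANT = {
    "aaa.ldap.memberOf": ["Domain Users", "employees"],   # caseless match on Employees
    "endpoint.os.version": "Windows Vista",
    'endpoint.process["CSD-Main.exe"].exists': "true",
    'endpoint.process["CSD-Storage.exe"].exists': "true",
}
# Vault closed: Storage.exe is no longer running, so the record must not match.
VAULT_CLOSED = dict(COMPLIANT, **{'endpoint.process["CSD-Storage.exe"].exists': "false"})
# Non-Vista endpoint: the OS term is an exact string compare, so it must not match.
WRONG_OS = dict(COMPLIANT, **{"endpoint.os.version": "Windows 7"})

if __name__ == "__main__":
    for name, p in [("compliant", COMPLIANT), ("vault closed", VAULT_CLOSED), ("wrong os", WRONG_OS)]:
        print(f"{name}: {'match' if check_if_vault_is_running(p) else 'no match'}")
```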