ASA Dynamic Access Policies Issues

sayrmatics
Level 1

Hi

I have created a simple DAP to match a specific tunnel group (AAA attribute) and also to match endpoint attributes: AnyConnect client version 3.1.xx and OS Win7. When I test the DAPs in ASDM, I see that the custom one I created is selected. However, when I actually connect from a client matching the specified AAA and endpoint attributes, the selected DAP is the default one. My aim is to be able to match custom DAPs for different connection profiles (I plan to configure more later) so I can then set the action on the default DAP to terminate, but I seem to be stuck on this.

I have looked at my config over and again, and I guess if the solution could bite me, it would have, but I can't seem to find what I need to do to fix this.

Appreciate any and every help here

Seyi

========
Test DAP
========
DAP_TRACE: DAP_open: 778B5E18
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
DAP_TRACE: name = endpoint["anyconnect"]["clientversion"], value = "3.1.03103"
DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
DAP_TRACE: name = endpoint["os"]["version"], value = "Windows 7"
DAP_TRACE: Selected DAPs: ,POLICY-RSA
DAP_TRACE: dap_process_selected_daps: selected 1 records
DAP_TRACE: dap_aggregate_attr: rec_count = 1
DAP_TRACE: dap_comma_str_fcn: [,] 1 128
DAP_TRACE: DAP_close: 778B5E18

========================
Actual Client Connection
========================
DAP_TRACE: DAP_open: 79E0EA38
DAP_TRACE: Username: user1, aaa.cisco.grouppolicy = POLICY-RSA
DAP_TRACE: Username: user1, aaa.cisco.username = user1
DAP_TRACE: Username: user1, aaa.cisco.username1 = user1
DAP_TRACE: Username: user1, aaa.cisco.username2 =
DAP_TRACE: Username: user1, aaa.cisco.tunnelgroup = POLICY-RSA
DAP_TRACE: Username: user1, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: user1, DAP_add_AC:
endpoint.anyconnect.clientversion="3.1.03103";
endpoint.anyconnect.platform="win";

DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
DAP_TRACE: name = aaa["cisco"]["username"], value = "user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="user1"
DAP_TRACE: name = aaa["cisco"]["username1"], value = "user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
DAP_TRACE: name = aaa["cisco"]["username2"], value = ""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"
DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: user1, DAP_close: 79E0EA38

7 Replies

Tarik Admani
VIP Alumni

Hi,

Can you post a screenshot of your DAP entries, and did you create a Lua expression for any of the endpoint attributes?

Thanks,


Hi Tarik

Please see the attached screenshots from ASDM of the DAP config. No, I have no Lua expressions configured.

Thanks for the help

Seyi

Hi Seyi,

The problem lies here, if you check the output of the debug dap trace for the client PC, which is as follows:

DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy

I don't see it looking for the OS version check.

Ideally it should, and this entry should have been there in the debug dap trace:

endpoint["os"]["version"], value = "Windows 7"

And in the DAP policy that you have created, you have specified two endpoint attributes to be checked, which are as follows:

endpoint.anyconnect.clientversion, value = "3.1.03103"
endpoint["os"]["version"], value = "Windows 7"

Since it is not matching both of the endpoint attributes, it is falling back to the

DfltAccessPolicy

Please let me know which HostScan image you have.

Try with hostscan_3.1.03103-k9.pkg and then check again.

HTH

Regards

Raj Kumar
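The reasoning above (the test trace carries endpoint.os.version, the live trace does not, so the record with a "Windows 7" criterion cannot be selected and the ASA falls back to DfltAccessPolicy) can be replayed offline against the trace text. The following is an added example, not code from the thread or from Cisco: it parses the dap_add_to_lua_tree / dap_install_endpoint_data_to_lua lines into the same dotted attribute tree the ASA hands to the DAP engine and evaluates a DAP record against it. The record named POLICY-RSA and its three criteria, the "3.1.*" glob standing in for the ASDM "3.1.xx" version match, and match-all semantics between criteria are assumptions for illustration; the two trace excerpts are constructed from the lines posted above.

```python
"""Replay ASA DAP selection against `debug dap trace` output (added example)."""
import fnmatch
import re

# Both attribute-assignment forms that appear in the trace:
#   dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
#   dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
_ASSIGN = re.compile(
    r'(?:dap_add_to_lua_tree|dap_install_endpoint_data_to_lua):(.+?)="(.*)"')
_BRACKET = re.compile(r'\["([^"]+)"\]')


def _dotted(path):
    """Normalise aaa["cisco"]["x"] and endpoint.os.version to aaa.cisco.x form."""
    head = path.split("[", 1)[0]
    return ".".join([head] + _BRACKET.findall(path))


def parse_trace(text):
    """Return {dotted attribute: value} for one DAP_open .. DAP_close session."""
    tree = {}
    for line in text.splitlines():
        m = _ASSIGN.search(line)
        if m:
            tree[_dotted(m.group(1))] = m.group(2)
    return tree


# Hypothetical DAP records (assumption, not the poster's config). Each criterion
# is (attribute, glob pattern); every criterion must hold for the record to be
# selected (match-all semantics assumed).
DAP_RECORDS = {
    "POLICY-RSA": [
        ("aaa.cisco.tunnelgroup", "POLICY-RSA"),
        ("endpoint.anyconnect.clientversion", "3.1.*"),
        ("endpoint.os.version", "Windows 7"),
    ],
}
DEFAULT_DAP = "DfltAccessPolicy"


def unmet_criteria(criteria, tree):
    """Criteria that fail, as (attribute, pattern, observed value or None).

    An attribute that the ASA never installed into the Lua tree (here: no
    HostScan data, so no endpoint.os.*) counts as a miss, not a wildcard."""
    return [(attr, pat, tree.get(attr))
            for attr, pat in criteria
            if attr not in tree or not fnmatch.fnmatchcase(tree[attr], pat)]


def select_daps(tree, records=DAP_RECORDS):
    """Names of records whose criteria all hold; the default DAP if none do."""
    selected = [name for name, crit in records.items()
                if not unmet_criteria(crit, tree)]
    return selected or [DEFAULT_DAP]


# Constructed excerpts of the two sessions from the post.
TEST_DAP_TRACE = """\
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
"""

LIVE_TRACE = """\
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
"""

if __name__ == "__main__":
    for label, trace in (("Test DAP", TEST_DAP_TRACE), ("Live connection", LIVE_TRACE)):
        tree = parse_trace(trace)
        print(f"{label}: selected {select_daps(tree)}")
        for attr, pat, seen in unmet_criteria(DAP_RECORDS["POLICY-RSA"], tree):
            print(f"  unmet: {attr} wanted {pat!r}, trace has {seen!r}")
```

Run it and the live session reports the single unmet criterion endpoint.os.version with no observed value, which is exactly the missing HostScan attribute; the ASDM test dialog passes because the test harness lets you type that attribute in by hand.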

Hi Raj

I did have hostscan_3.1.03104 loaded in flash, but it wasn't enabled... doh! I suppose I'm the only one who didn't know that DAP requires HostScan to be enabled to have all these endpoint assessments done.

I have created a simple pre-login assessment to check for the OS, and it still fails to match my custom DAP and selects DfltAccessPolicy.

The client is being predeployed by an SMS tool, so I guess I need to go back to the guys in charge and confirm that the posture module is part of what we are deploying now, don't I?

Thanks again

Seyi

Tarik Admani
VIP Alumni

Hi,

You do not need to enable anything on the client other than the VPN client. HostScan is the service on the ASA that detects the DAP attributes such as the OS.


Hi Tarik

I have either read the guide at http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac05hostscanposture.html completely wrong, or the wording leaves room for wild interpretations like mine.

Thanks guys, I went to the latest HostScan package and everything now works merrily.