ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Assessment

jcorman
Level 1

I'm trying to get an ASA to perform Endpoint Assessment using the Cisco Secure Desktop and the basic Endpoint Assessment v. 2.4.2.1

From what I can tell I have the configuration set up correctly; however, when I connect via CSD it doesn't appear that the assessment is taking place. In ASDM I can "Test Dynamic Access Policy" and the tests have the expected outcome of continue or terminate based on whether or not Anti-virus is present, however doing a "debug dap trace" on the ASA shows the following output:

woodlands# DAP_TRACE: DAP_open: D6C35840
DAP_TRACE: DAP_add_CSD: csd_token = [20A40F8465D3F1972FFA9416]
DAP_TRACE: Username: networkz, aaa.cisco.class = namroc
DAP_TRACE: Username: networkz, aaa.cisco.username = networkz
DAP_TRACE: Username: networkz, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["class"] = "namroc";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"] = "networkz";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.policy.location = "Namroc";
endpoint.protection = "secure desktop";
endpoint.hostname = "<<masked by moderator>>";
DAP_TRACE: Username: networkz, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 35%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: networkz, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: networkz, DAP_close: D6C35840

It looks to me from this information that the ASA isn't reporting any information about the Anti-virus when I connect and therefore it isn't selecting the DAP to continue. I've tried this on two different ASA boxes with different AV vendors and neither one has worked. Has anyone gotten this to work?
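As an added example (not part of the original post), here is a small Python parser for the trace quoted above. It collects every attribute the ASA pushed into the DAP Lua tree, normalises the Lua index form and the dotted CSD form to one key style, and checks whether anything in the endpoint.av namespace (where host scan reports anti-virus data) was present alongside the "selected 0 records" result; SAMPLE_TRACE is constructed from the lines in the post.

```python
"""Parse ASA 'debug dap trace' output and flag a host scan that pushed no
anti-virus (endpoint.av) data.  Added example; SAMPLE_TRACE is constructed
from the lines quoted in the post, it is not the thread's own code."""
import re

SAMPLE_TRACE = """\
DAP_TRACE: DAP_open: D6C35840
DAP_TRACE: Username: networkz, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["class"] = "namroc";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.policy.location = "Namroc";
endpoint.protection = "secure desktop";
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: networkz, DAP_close: D6C35840
"""

# One pattern covers both quoted-assignment forms seen in the trace:
#   dap_add_to_lua_tree:aaa["cisco"]["class"] = "namroc";   (Lua index form)
#   endpoint.os.version = "Windows XP";                     (dotted CSD form)
ATTR = re.compile(r'\b((?:endpoint|aaa)(?:\.\w+|\["[^"]*"\])+)\s*=\s*"([^"]*)"')
SELECTED = re.compile(r'dap_process_selected_daps: selected (\d+) records')

def _normalize(key):
    """endpoint["os"]["version"] -> endpoint.os.version"""
    return re.sub(r'\["([^"]*)"\]', r'.\1', key)

def parse_dap_trace(text):
    """Return (attributes keyed by dotted name, number of DAP records selected)."""
    attrs, selected = {}, None
    for line in text.splitlines():
        m = ATTR.search(line)
        if m:
            attrs[_normalize(m.group(1))] = m.group(2)
        m = SELECTED.search(line)
        if m:
            selected = int(m.group(1))
    return attrs, selected

def diagnose(text):
    """Decide whether an AV-keyed DAP could have matched on this session."""
    attrs, selected = parse_dap_trace(text)
    av_reported = any(k.startswith("endpoint.av.") for k in attrs)
    # No endpoint.av.* attribute in the tree means an AV condition can only
    # fail, whatever the ASDM policy test shows; look at CSD/licensing first.
    return {"attributes": attrs, "selected_records": selected,
            "av_reported": av_reported}
```

Running diagnose(SAMPLE_TRACE) on the quoted trace returns selected_records 0 and av_reported False, which is the "no AV data, so no DAP selected" situation the post describes.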

9 Replies

Kevin Xiong
Level 1

We have both Basic and Advanced Endpoint Assessment v. 2.4.x on the ASA 8.0.2(15) interim release. No luck making the DAP work properly. The DAP didn't pick up the criteria properly.

s-andersson
Level 1

Hi,

I have the same problem. I can make it work for simple OS detection, but when I try to set up an AV check it doesn't work. Have you made any progress since you wrote this message?

//Stefan

What version of CSD are you running? Since posting this they have released a newer version that I'm told has resolved the issue, but I haven't had a chance to check it.

s-andersson
Level 1

Hi again,

I talked to my Cisco presales contact in the security area. He told me that Advanced Endpoint Security is a third-party license, so you will have to buy that as well. The product license is ASA-ADV-END-SEC.

//Stefan Andersson

You should be able to get the "Basic" endpoint assessment to work without the license though. The basic still includes AV and AS features. If you want the advanced features then you'll need the additional license.

Hi

Not according to the presales guy Hakan Nohre, who is a well-known security guy at Cisco, speaker at Networkers and so on. But I will probably have my license tonight, so I can give you an answer tomorrow on whether it is working or not.

Regards,

Stefan

Please do let me know once you have your license if it works. Also, if you wouldn't mind just as a test, try using just the basic options even with the license and see if they work as you are trying now. I'll also try on my ASA today without a license with the newest version of CSD. Thanks.

Hi

Sorry for not replying earlier. Yes, it's now working fine. The license that I received is tied to my serial, so you will have to contact Cisco Sales people.

I have now ordered a license for my ASA. ;)

Regards,

Stefan

Stefan,

Thanks for the information - I did some more debugs and did notice more information being sent with the newer versions but you are right it must just require the license to be fully functional. Thanks again.
