10-05-2007 06:38 AM
I'm trying to get an ASA to perform Endpoint Assessment using the Cisco Secure Desktop and the basic Endpoint Assessment v. 2.4.2.1.
From what I can tell I have the configuration set up correctly; however, when I connect via CSD it doesn't appear that the assessment is taking place. In ASDM I can "Test Dynamic Access Policy" and the tests have the expected outcome of continue or terminate based on whether or not Anti-virus is present; however, doing a "debug dap trace" on the ASA shows the following output:
woodlands# DAP_TRACE: DAP_open: D6C35840
DAP_TRACE: DAP_add_CSD: csd_token = [20A40F8465D3F1972FFA9416]
DAP_TRACE: Username: networkz, aaa.cisco.class = namroc
DAP_TRACE: Username: networkz, aaa.cisco.username = networkz
DAP_TRACE: Username: networkz, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["class"] = "namroc";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"] = "networkz";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.policy.location = "Namroc";
endpoint.protection = "secure desktop";
endpoint.hostname = "<<masked by moderator>>";
DAP_TRACE: Username: networkz, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 35%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: networkz, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: networkz, DAP_close: D6C35840
It looks to me from this information that the ASA isn't reporting any information about the Anti-virus when I connect and therefore it isn't selecting the DAP to continue. I've tried this on two different ASA boxes with different AV vendors and neither one has worked. Has anyone gotten this to work?
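Added example, not part of the original post and not Cisco tooling: a small Python parser for "debug dap trace" output like the excerpt above, which lists the endpoint attribute categories CSD actually reported and the number of DAP records selected. The function names are hypothetical, and the "av" category name is an assumption about where antivirus results would appear in the trace.

```python
import re

# Excerpt of the "debug dap trace" output quoted in the post above.
SAMPLE_TRACE = """\
DAP_TRACE: Username: networkz, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.policy.location = "Namroc";
endpoint.protection = "secure desktop";
DAP_TRACE: dap_process_selected_daps: selected 0 records
"""

# aaa["cisco"]["class"] = "x";  (bracketed form on dap_add_to_lua_tree lines)
LUA_ATTR = re.compile(r'dap_add_to_lua_tree:(\w+(?:\["[^"]+"\])+)\s*=\s*"(.*)";')
# endpoint.os.version = "x";    (dotted form on the CSD data lines)
DOTTED_ATTR = re.compile(r'^\s*((?:aaa|endpoint)(?:\.\w+)+)\s*=\s*"(.*)";\s*$')
SELECTED = re.compile(r'dap_process_selected_daps: selected (\d+) records')

def parse_dap_trace(text):
    """Return reported attributes (dotted names) and the selected-record count."""
    attrs, selected = {}, None
    for line in text.splitlines():
        m = LUA_ATTR.search(line)
        if m:
            # Normalise aaa["cisco"]["class"] to aaa.cisco.class
            attrs[re.sub(r'\["([^"]+)"\]', r'.\1', m.group(1))] = m.group(2)
            continue
        m = DOTTED_ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
            continue
        m = SELECTED.search(line)
        if m:
            selected = int(m.group(1))
    return {"attributes": attrs, "selected": selected}

def endpoint_categories(attrs):
    """Second name component of every endpoint.* attribute, e.g. 'os'."""
    return {k.split(".")[1] for k in attrs if k.startswith("endpoint.")}

def missing_categories(attrs, required):
    """Categories a DAP record depends on that the trace never reported."""
    present = endpoint_categories(attrs)
    return [c for c in required if c not in present]

if __name__ == "__main__":
    result = parse_dap_trace(SAMPLE_TRACE)
    print("selected records:", result["selected"])
    # "av" is an assumed category name for antivirus results.
    print("missing:", missing_categories(result["attributes"], ["os", "av"]))
```
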
10-05-2007 06:07 PM
We have both basic and Advanced Endpoint Assessment v. 2.4.x on the ASA 8.0.2(15) interim release. No luck making the DAP work properly. The DAP didn't pick up the criteria properly.
12-20-2007 05:04 AM
Hi,
I have the problem. I can make it work with simple OS detection. But when I'm trying to set up the AV check it doesn't work. Have you made any progress since you wrote this message?
//Stefan
12-20-2007 06:08 AM
What version of CSD are you running? Since posting this they have released a newer version that I'm told has resolved the issue, but I haven't had a chance to check it.
12-20-2007 06:04 AM
Hi again,
I talked to my Cisco presale contact in the security area. He told me that Advanced Endpoint Security is a third-party license. So you will have to buy that as well. The product license is ASA-ADV-END-SEC.
//Stefan Andersson
12-20-2007 06:10 AM
You should be able to get the "Basic" endpoint assessment to work without the license though. The basic still includes AV and AS features. If you want the advanced features then you'll need the additional license.
12-20-2007 06:42 AM
Hi
Not according to the presale guy Hakan Nohre, who is a well-known security guy at Cisco. Speaker at Networkers and so on. But I will probably have my license tonight, so I can give you an answer on whether it is working or not tomorrow.
Regards,
Stefan
12-20-2007 07:08 AM
Please do let me know once you have your license if it works. Also, if you wouldn't mind just as a test, try using just the basic options even with the license and see if they work as you are trying now. I'll also try on my ASA today without a license with the newest version of CSD. Thanks.
01-15-2008 04:12 AM
Hi
Sorry for not replying earlier. Yes, it's now working fine. The license that I received is tied to my serial. So you will have to contact Cisco Sales people.
I have now ordered a license for my ASA. ;)
Regards,
Stefan
01-23-2008 07:55 AM
Stefan,
Thanks for the information - I did some more debugs and did notice more information being sent with the newer versions but you are right it must just require the license to be fully functional. Thanks again.