Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
628
Views
0
Helpful
2
Replies

ASA using Dynamic Access Policy for VPN?

bfbcnet
Level 1
Level 1

‎07-24-2009 03:12 AM

Hello Experts,

We are using remote VPN to ASA 8.2(1) and have successfully configured Windows Location Settings to check for version & Registry key, and are using dual-factor authentication. We would like to do further post-auth endpoint checking for anti virus checking and thought we could do this with Dynamic Access Policy, but we can't seem to get the session to use anything but the default policy.

We want to ensure that only our endpoints are allowed to connect and reject everything else, and we do not wish to use Secure Desktop. Should it be possible to apply DAP without Secure Desktop?

Labels:
0 Helpful
2 Replies 2

aghaznavi
Level 5
Level 5

‎07-30-2009 03:05 PM

The security appliance obtains endpoint security attributes by using posture assessment methods that you configure. These include Cisco Secure Desktop and NAC.

The security appliance uses a DAP policy when the user attributes matches the configured AAA and endpoint attributes. The Prelogin Assessment and Host Scan modules of Cisco Secure Desktop return information to the security appliance about the configured endpoint attributes, and the DAP subsystem uses that information to select a DAP record that matches the values of those attributes.

Most, but not all, antivirus, antispyware, and personal firewall programs support active scan, which means that the programs are memory-resident, and therefore always running. Host Scan checks to see if an endpoint has a program installed, and if it is memory-resident as follows:

•If the installed program does not support active scan, Host Scan reports the presence of the software. The DAP system selects DAP records that specify the program.

•If the installed program does support active scan, and active scan is enabled for the program, Host Scan reports the presence of the software. Again the security appliance selects DAP records that specify the program.

•If the installed program does support active scan and active scan is disabled for the program, Host Scan ignores the presence of the software. The security appliance does not select DAP records that specify the program. Further, the output of the debug trace command, which includes a lot of information about DAP, does not indicate the program presence, even though it is installed.

0 Helpful

bfbcnet
Level 1
Level 1
In response to aghaznavi

‎07-31-2009 01:28 AM

Thanks for your reply. What I don't really understand is exactly what is possible without using Secure Desktop or NAC.

We only want to allow our own hosts to connect, and as part of verfying this we want to check for the existance of a particular anti-virus software and that it has been updated recently.

Is there a matrix somewhere of what component can check for what?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents