Solved: DAP option for Registry check for remote access VPN Anyconnect v 3.0 + users

Parag Mahajan · ‎11-18-2014

Hi All,

I am trying to assign DAP attribute to VPN users (Anyconnect 3.0 +) who fulfill some registry condition. While configuring DAP policy , while selecting registry condition it is giving error as "cisco secure desktop (CSD) is not enabled , CSD must be enabled to configure registry endpoint attribute" . But as I percevied from link , to check registry attribute "host scan" which is integrated in anyconnect 3.0 module will be responsible . So why it is asking me to enable CSD ? Is CSD really needed to check registry attribute even if we are using anyconenct 3.0 + ? Any pointer

Marvin Rhoads · ‎11-19-2014

The ASA end needs to be enabled in addition to the AnyConnect-based bits.

Note elsewhere in the link you cited it says "Host Scan automatically identifies operating systems and service packs on any remote device establishing a Cisco clientless SSL VPN or AnyConnect client session and when CSD or Host Scan/CSD is enabled on the ASA." (emphasis added).

FYI Cisco is deprecating these features over time in favor of Posture scanning on ISE in conjunction with the new AnyConnect 4.0 posture module.

View solution in original post

Marvin Rhoads · ‎11-19-2014

The ASA end needs to be enabled in addition to the AnyConnect-based bits.

Note elsewhere in the link you cited it says "Host Scan automatically identifies operating systems and service packs on any remote device establishing a Cisco clientless SSL VPN or AnyConnect client session and when CSD or Host Scan/CSD is enabled on the ASA." (emphasis added).

FYI Cisco is deprecating these features over time in favor of Posture scanning on ISE in conjunction with the new AnyConnect 4.0 posture module.