Hostscan and CSD is not restricting access based on criteria

Hi

I'm wondering why all users are still able to connect to vpn despite not matching the criteria set for hostscan/csd such as file existence on endpoint.

It seems that posture assessment and hostscan checks are running during the vpn login.

Obviously, anyconnect essentials is disabled.

*************************************

I'm using the following:

ASA 9.1

Anyconnect mobility client ver 4.2.0.1035

Hostscan image ver 4.2.0.1035

CSD 3.5.2008

************************************

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 300            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 2500           perpetual
Other VPN Peers                   : 2500           perpetual
Total VPN Peers                   : 2500           perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Enabled        perpetual
Cluster                           : Disabled       perpetual

Hello,

Is the action on the DfltAccessPolicy set to Terminate? That could be a reason why your users are still connecting; it needs to be set to Terminate so that the users who don't meet the DAP criteria fall into the default policy and cannot connect.

You can run the debug "debug dap trace 255"; at the end of the debug output you will see the DAP policy that the connection is hitting. This debug is really useful: you can see all the attributes that are checked and rearrange your DAP to hit the one you want.

Regards, please rate.

Hi

Thanks for your time.

Yes, it is set to Terminate. I verified that it is working because only the specific Active Directory users set on the DAP are able to connect. But the HostScan check, such as "a file must exist on endpoint", seems to be bypassed even though posture assessment is running successfully. I'll try your suggestion of "debug dap trace 255".