02-01-2016 08:50 PM
Hi
I'm wondering why all users are still able to connect to the VPN despite not matching the criteria set for HostScan/CSD, such as file existence on the endpoint.
It seems that posture assessment and HostScan checks are running during the VPN login.
Obviously, anyconnect essentials is disabled.
*************************************
I'm using the following:
ASA 9.1
AnyConnect Mobility Client ver 4.2.0.1035
HostScan image ver 4.2.0.1035
CSD 3.5.2008
************************************
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 300 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 5 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : 2500 perpetual
Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
IPS Module : Enabled perpetual
Cluster : Disabled perpetual
02-02-2016 07:10 AM
Hello,
Is the action on the DfltAccessPolicy Terminate? That could be a reason why your users are still connecting; it needs to be set to Terminate so that users who don't meet the DAP criteria fall into the default and do not connect.
You can run the debug "debug dap trace 255"; at the end of the debug output you will see the DAP policy that the connection is hitting. This debug is really useful: you can see all the attributes that are checked and rearrange your DAPs to hit the one you want.
Regards, please rate.
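The two suggestions in the reply above (a terminating default DAP, then a DAP trace of one test login), as an added ASA CLI example that is not from the original thread. The record name Allow-Finance-Users, the ACL name and the user message are placeholders; the AAA (AD group) and HostScan endpoint criteria such as "file exists" cannot be entered from the CLI and are assumed to be defined in ASDM, which stores them in dap.xml on flash rather than in the running config.

```cisco
! Added example. The default record must terminate, so a session that matches
! no other DAP record is torn down instead of falling through to a permissive
! default.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "Endpoint did not meet the VPN access policy."

! Placeholder record for the AD users who should get in. Its AAA (group
! membership) and endpoint (required file) criteria live in dap.xml, set via
! ASDM; only the settings below show up in the running config.
dynamic-access-policy-record Allow-Finance-Users
 description "Finance AD group with required file present on endpoint"
 network-acl FINANCE-VPN-ACL
 priority 10
 action continue

! Verification: confirm what is actually configured, then trace a single test
! user's login and read the trace from the end backwards to see which DAP
! record(s) the session matched.
show running-config dynamic-access-policy-record
terminal monitor
debug dap trace 255
debug dap errors
! ... have the test user connect now, then stop debugging ...
undebug all
show vpn-sessiondb anyconnect
```

If the trace shows the session matching a record other than DfltAccessPolicy, the user is satisfying that record's criteria as configured; the usual things to check in ASDM are whether the record is set to require all of its attributes rather than any of them, and whether a second, broader record (for example one keyed only on the AD group) also matches, since the ASA aggregates the settings of every record a session matches.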
02-02-2016 04:44 PM
Hi
Thanks for your time.
Yes, it is set to Terminate. I verified that it is working because only the specific set of Active Directory users on the DAP are able to connect. But the check for HostScan, like "a file must exist on the endpoint", seems to be bypassed, though posture assessment is successfully running. I'll try your suggestion for debug dap trace 255.