Hostscan and CSD is not restricting access based on criteria

drlbaluyut
Level 1

Hi

I'm wondering why all users are still able to connect to vpn despite not matching the criteria set for hostscan/csd such as file existence on endpoint.

It seems that posture assessment and hostscan checks are running during the vpn login.

Obviously, anyconnect essentials is disabled.

*************************************

I'm using the following:

ASA 9.1

Anyconnect mobility client ver 4.2.0.1035

Hostscan image ver 4.2.0.1035

CSD 3.5.2008

************************************

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 300            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 5              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : 2500           perpetual
Other VPN Peers                   : 2500           perpetual
Total VPN Peers                   : 2500           perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Enabled        perpetual
Cluster                           : Disabled       perpetual

2 Replies

Diego Lopez
Level 1

Hello,

Is the action on the DfltAccessPolicy set to Terminate? That could be a reason why your users are still connecting. It needs to be set to Terminate so that users who don't meet the DAP criteria fall into the default policy and cannot connect.

You can run the debug "debug dap trace 255"; at the end of the debug output you will see the DAP policy that the connection is hitting. This debug is really useful: you can see all the attributes that are checked and rearrange your DAPs to hit the one you want.

Regards, please rate.
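As an added example (not code from the thread or from Cisco), the script below parses the attribute and "Selected DAPs" lines from a `debug dap trace 255` capture and flags the situation discussed above: the HostScan file check came back false, yet a DAP other than DfltAccessPolicy still matched, which means that record's selection criteria do not reference the endpoint file attribute and the Terminate action on the default policy never gets a chance to apply. The sample trace is constructed, the line layout only approximates the ASA's DAP_TRACE format, and the username, LDAP group, file path and DAP name "AD-Users" are assumptions.

```python
import re

# Constructed sample of "debug dap trace 255" output (not a real capture;
# the layout approximates the ASA's DAP_TRACE lines). The user, group,
# path and DAP name are made up for illustration.
SAMPLE_TRACE = """\
DAP_TRACE: DAP_open: C8EA3B18
DAP_TRACE: Username: jdoe, aaa.ldap.memberOf = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
DAP_TRACE: Username: jdoe, endpoint.os.version = "Windows 7"
DAP_TRACE: Username: jdoe, endpoint.file["1"].exists = "false"
DAP_TRACE: Username: jdoe, endpoint.file["1"].path = "C:\\corp\\marker.txt"
DAP_TRACE: Username: jdoe, Selected DAPs: ,AD-Users
DAP_TRACE: dap_request: memory usage = 33%
DAP_TRACE: DAP_close: C8EA3B18
"""

# Attribute lines: DAP_TRACE: Username: <user>, <attr.name> = "<value>"
ATTR_RE = re.compile(r'^DAP_TRACE: Username: (\S+), ([\w.\[\]"]+) = "(.*)"$')
# Selection result: DAP_TRACE: Username: <user>, Selected DAPs: ,<name>[,<name>...]
SEL_RE = re.compile(r'^DAP_TRACE: Username: (\S+), Selected DAPs: ,?(.*)$')


def parse_trace(text):
    """Return {'user': str, 'attrs': {attr_name: value}, 'selected': [dap_names]}."""
    result = {"user": None, "attrs": {}, "selected": []}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            result["user"] = m.group(1)
            result["attrs"][m.group(2)] = m.group(3)
            continue
        m = SEL_RE.match(line)
        if m:
            result["user"] = m.group(1)
            result["selected"] = [n.strip() for n in m.group(2).split(",") if n.strip()]
    return result


def audit(parsed, file_attr='endpoint.file["1"].exists'):
    """Explain why a session passed or failed the file check.

    Returns a list of findings; an empty list means the file check was
    reported true by HostScan, or it was false and only the default policy
    matched (so the Terminate action on DfltAccessPolicy decides).
    """
    findings = []
    file_ok = parsed["attrs"].get(file_attr)
    if file_ok is None:
        findings.append("no %s attribute in trace: HostScan did not deliver "
                        "the file check result for this session" % file_attr)
        return findings
    if file_ok.lower() != "true":
        # A non-default DAP matched even though the file is missing: that
        # record's selection criteria do not include the file attribute.
        for dap in parsed["selected"]:
            if dap != "DfltAccessPolicy":
                findings.append("%s is %s but DAP %r matched: that record does "
                                "not reference %s, so the file check cannot "
                                "block the user" % (file_attr, file_ok, dap, file_attr))
    return findings


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    print("user:", parsed["user"], "selected:", parsed["selected"])
    for f in audit(parsed):
        print("FINDING:", f)
```

Run it against a pasted capture instead of SAMPLE_TRACE; if the only DAP listed after "Selected DAPs" is DfltAccessPolicy for a failing endpoint, the file check is working and the remaining question is the default policy's action.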

Hi

Thanks for your time.

Yes, it is set to Terminate. I verified that it is working because only the specific set of Active Directory users on the DAP are able to connect. But the HostScan check like "a file must exist on endpoint" seems to be bypassed, though posture assessment is successfully running. I'll try your suggestion for debug dap trace 255.