Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3892
Views
5
Helpful
5
Replies

Anyconnect Client Vpn using hostscan

Netplace Support
Level 1
Level 1

‎09-30-2019 09:37 AM

Hi All,

Need to set up an anyconnect client Vpn where my users get authorize via using 2FA i.e 1st will be AD then party Innefu token. After these successful check, my machine will be checked for Registry key using ASA Host-scan features and then user will be allowed to connect to Anyconnect client Vpn and access to corporate network.

 

Is this possible to check Registry key using ASA host scan? 

 

I know it would be achieved using ISE posture but I don't have ISE in my infrastructure.

 

Any help.

 

Regards,

VISHAL

 

Labels:
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎09-30-2019 09:53 AM

Q. Can AnyConnect Hostscan/Posture be used without Cisco ISE?

A. Yes. AnyConnect 4.x still supports Hostscan functionality for VPN only posture with the Cisco ASA. AnyConect 4.x also has a unified posture agent that works across wired, wireless and VPN but this requires ISE 1.3 or greater. An AnyConnect Apex license is required for both options.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Netplace Support
Level 1
Level 1
In response to balaji.bandi

‎09-30-2019 09:58 AM

Dear Balaji,

 

Thanks for your reply.

Is it any document related to my scenerio where I can use host scan feature of ASA for registry checking and then authorize user to enter my network.

 

Note: I don't want to use ISE for this condition

0 Helpful

Rob Ingram
VIP
VIP
In response to Netplace Support

‎09-30-2019 10:49 AM

What registry value do you want to check?

 

If you want to check to confirm whether the computer is joined to the domain, locate the domain name in the registry of the computer. E.g:-

 

domain.PNG

 

Then create a basic hostscan for that registry value. E.g:-

 

hostscan.PNG

 

Create a new DAP, define tunnel-group user is connecting from and check endpoint attributes to determine whether the registry value is correct (in this example lab.local is the local domain). Action is continue if matched. E.g:-

 

dap policy.PNG

HTH

Netplace Support
Level 1
Level 1
In response to Rob Ingram

‎10-01-2019 06:30 AM

Hi RJI,

 

Thanks for your help.

 

But in my case im anyhow getting hit to default access policy and login denied. 

 

PFA logs an help me if im wrong anywhere

Preview file
46 KB
0 Helpful

Netplace Support
Level 1
Level 1
In response to Netplace Support

‎10-01-2019 08:37 AM

Attaching test DAP Configuration if it's help

Preview file
392 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents