Need to set up an AnyConnect client VPN where my users get authorized via 2FA, i.e. first AD, then an Innefu token. After these successful checks, my machine will be checked for a registry key using the ASA HostScan feature, and then the user will be allowed to connect to the AnyConnect client VPN and access the corporate network.
Is it possible to check a registry key using ASA HostScan?
I know it could be achieved using ISE posture, but I don't have ISE in my infrastructure.
A. Yes. AnyConnect 4.x still supports HostScan functionality for VPN-only posture with the Cisco ASA. AnyConnect 4.x also has a unified posture agent that works across wired, wireless and VPN, but this requires ISE 1.3 or greater. An AnyConnect Apex license is required for both options.
Thanks for your reply.
Is there any document related to my scenario where I can use the HostScan feature of the ASA for registry checking and then authorize the user to enter my network?
Note: I don't want to use ISE for this.
What registry value do you want to check?
If you want to confirm whether the computer is joined to the domain, locate the domain name in the registry of the computer. E.g.:
Then create a basic HostScan check for that registry value. E.g.:
Create a new DAP, define the tunnel-group the user is connecting from, and check the endpoint attributes to determine whether the registry value is correct (in this example lab.local is the local domain). The action is continue if matched. E.g.: