AnyConnect HIP Checks

CiscoMedMed
Level 1

I would like to characterize the machines that are currently attaching to AnyConnect. Is there any way on the ASA that I can see what OS a user is using? Or if they have AV or Malware protection? Or what model of hardware?

Accepted Solutions

@CiscoMedMed the best way would be if you used ISE Posture. This will collect endpoint attributes such as OS and installed applications on a per-endpoint basis and run reports.

https://community.cisco.com/t5/security-documents/ise-posture-prescriptive-deployment-guide/ta-p/3680273#toc-hId--1359647860

You could use ASA DAP (Dynamic Application Policies), with which you scan and permit access depending on installed applications (i.e. AV) or OS, but I'm not aware of an obvious way to report on this (unlike if using ISE). You may be able to filter on DAP-specific syslog messages and send these to a syslog server.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html
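
The syslog filtering idea from the reply above, as an added example that is not part of the original post: a Python sketch that turns DAP session-attribute messages collected on a syslog server into a per-session endpoint inventory. It assumes the ASA emits message ID 734003 in the layout matched below; the sample lines, users, addresses and attribute names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout of the ASA DAP session-attribute message (ID 734003, severity 7).
ATTR_RE = re.compile(
    r'%ASA-7-734003: DAP: User (?P<user>[^,]+), Addr (?P<addr>\S+?): '
    r'Session Attribute:? (?P<name>\S+) = (?P<value>.*)$'
)

# Constructed sample lines, not captured from a real device.
# Attribute names are assumptions about what the endpoint reports.
SAMPLE_LOG = """\
Mar 03 2024 10:15:01 asa1 : %ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute endpoint.os.version = "Windows 10"
Mar 03 2024 10:15:01 asa1 : %ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute endpoint.anyconnect.devicetype = "LENOVO 20XW"
Mar 03 2024 10:15:01 asa1 : %ASA-7-734003: DAP: User alice, Addr 198.51.100.10: Session Attribute aaa.cisco.username = alice
Mar 03 2024 10:15:01 asa1 : %ASA-6-734001: DAP: User alice, Addr 198.51.100.10, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy
Mar 03 2024 10:17:44 asa1 : %ASA-7-734003: DAP: User bob, Addr 2001:db8::5: Session Attribute endpoint.os.version = "Mac OS X"
Mar 03 2024 10:20:09 asa1 : %ASA-7-734003: DAP: User carol, Addr 203.0.113.7: Session Attribute endpoint.anyconnect.platform = "win"
"""


def build_inventory(lines):
    """Group endpoint.* attributes by (user, client address)."""
    inventory = defaultdict(dict)
    for line in lines:
        m = ATTR_RE.search(line.strip())
        if not m or not m["name"].startswith("endpoint."):
            continue  # other message IDs and aaa.* attributes are skipped
        value = m["value"].strip().strip('"')
        inventory[(m["user"], m["addr"])][m["name"]] = value
    return dict(inventory)


def count_by(inventory, attribute):
    """Count sessions per value of one attribute; absent values count as 'unknown'."""
    return Counter(attrs.get(attribute, "unknown") for attrs in inventory.values())


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_LOG.splitlines())
    for (user, addr), attrs in sorted(inv.items()):
        print(user, addr, attrs)
    print(count_by(inv, "endpoint.os.version"))
```

Sessions that never reported the requested attribute are counted as `unknown`, which shows how much of the client population the report does not cover.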

 

 
