
Anyconnect PC Check

jrichterkessing
Level 1

I have a Cisco ASA5520 that we are going to use to allow users to connect to our network via the Anyconnect client. I have authentication set up to validate against AD via LDAP, but was wondering if there were any way to set up the profile to check the PC before they log in. We do not want users using their home PCs to attach to our corporate network, only PCs that were issued to them by the company. Nothing is jumping out at me in the config. We are running some fairly old software on the boxes (ASA - v8.2(2), Anyconnect - v2.5.3046). I plan on upgrading the Anyconnect to v3.1 but will probably need to keep running the 8.2(2) version on the ASA due to support issues.

Thanks in advance for any help!

2 Replies

stojanr
Level 1

You should take a look at the Anyconnect HostScan option. It gives you an option of scanning the computers as they establish the VPN connection and allowing or rejecting access based on the results. Possible checks include registry, file, process, etc. In your case you could scan the registry for the Windows domain to identify the company assets.

The Hostscan is supported with the Anyconnect Premium licences, and additionally there is the Advanced Endpoint Assessment license, which allows for automatic AV/AS/Firewall remediation.

Another option to Hostscan is the use of certificate-based authentication. All your clients have to be enrolled with your internal CA and that certificate is checked in addition to the username/password. But when you already have AnyConnect Premium licenses, then the HostScan will be probably easier to use to achieve your goal.


Sent from Cisco Technical Support iPad App
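
The certificate-plus-password option described in the reply above, sketched as ASA 8.x CLI. This is an added example, not configuration from the thread's participants or from Cisco. The names INTERNAL-CA, CORP-VPN and AD-LDAP and the interface name outside are assumptions, and the commands should be checked against the command reference for the release in use.

```cisco
! Assumed names: INTERNAL-CA (trustpoint), CORP-VPN (tunnel-group),
! AD-LDAP (existing LDAP aaa-server group), outside (VPN-facing interface).
!
! 1. Trust the internal CA that issues certificates to company-issued PCs.
!    "crypto ca authenticate" prompts for the CA certificate to be pasted.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
crypto ca authenticate INTERNAL-CA
!
! 2. Request a client certificate during the SSL handshake on the VPN interface.
ssl certificate-authentication interface outside port 443
!
! 3. Require both factors on the connection profile: a client certificate that
!    chains to INTERNAL-CA and AD credentials validated through LDAP.
tunnel-group CORP-VPN type remote-access
tunnel-group CORP-VPN general-attributes
 authentication-server-group AD-LDAP
tunnel-group CORP-VPN webvpn-attributes
 authentication aaa certificate
```

A certificate identifies the PC only as long as its private key cannot be copied to another machine, so certificates enrolled for this purpose should be issued with non-exportable keys.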
