Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5464
Views
0
Helpful
1
Replies

AnyConnect VPN OS Identification

janiax
Level 1
Level 1

‎03-26-2019 08:11 AM - edited ‎04-03-2019 08:00 AM

Hello Cisco Community,

I would like to determine OS (desktop OS or mobile OS) and based on that assign users to particular groups (desktop users, mobile users).
We authenticate users with AAA and certificate. The goal is to allow only certain users to be able to connect from phones by issuing special certificate (all other will be denied), assign them particular IP address pool and regulate their access on firewall.

Do I need HostScan for this functionality? If so, Appex AnyConnect license is required, is that correct?
If I try to point Windows AnyConnect image as a HostScan, I receive following error:

 

asa/act/pri(config-webvpn)# hostscan image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg
WARNING: The existing AV/AS/FW DAP is not compatible with the latest Hostscan version
Failed to locate a Hostscan image inside an Anyconnect package
ERROR: Failed to install the specified Hostscan image. Resetting CSD config

I understand, that to address the warining I need to follow this - https://www.cisco.com/c/en/us/td/docs/security/asa/migration/guide/HostscanMigration43x-46x.html
But I thought, that standard AnyConnect packages such as anyconnect-win-4.7.00136-webdeploy-k9.pkg already include the HostScan, based on which I could achieve this configuration.

I noticed, that when I issue show vpn-sessiondb anyconnect detail, it can recognize Tunnels initiated from Android, which makes me think I don't need any endpoint posture?


SSL-Tunnel:
Encryption : AES-GCM-256 Hashing : SHA384
Ciphersuite : ECDHE-RSA-AES256-GCM-SHA384
Encapsulation: TLSv1.2
TCP Dst Port : 443
Client OS : Android
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Android 4.7.00144

 

Many thanks.

Labels:
0 Helpful
1 Reply 1

Josue Brenes
Cisco Employee
Cisco Employee

‎03-27-2019 09:10 PM - edited ‎03-27-2019 09:21 PM

Hi Janiax,

 

See the following link for reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-hostscan.pdf

 

The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, anti-virus, anti-spyware, and firewall software installed on the host. The HostScan application gathers this information. Posture assessment requires HostScan to be installed on the host.

 

Licensing for Host Scan

These are the AnyConnect licensing requirements for the posture module: 

• AnyConnect Apex for basic Host Scan.

• AnyConnect Plus is required for

◦Remediation

◦Mobile Device Management

 

As a summary:

Yo need the APEX license. 

DAP’s with Hostscan for the O.S check. 

The HS package on the flash and subsequently applied under webvpn “hostscan image flash:/<name>.pkg, not the anyconnect but the hostscan.pkg file. 

The error seen is basically because there is no proper HS image applied. 

The show vpn-sessiondb anyconnect command will only detect the O.S once the VPN is connected but will not filter allow/deny such conn by itself, HS is needed. 

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

0 Helpful
Customers Also Viewed These Support Documents