06-28-2013 11:39 AM
Hi
I have created a simple DAP to match a specific tunnel group (AAA attribute) and also to match endpoint attributes for AnyConnect client version 3.1.xx and OS Win7. When I test the DAPs in ASDM, I see that the custom one I created is selected. However, when I actually connect from a client matching the specified AAA and endpoint attributes, the selected DAP is the default one. My aim is to be able to match custom DAPs for different connection profiles (I plan to configure more later) so I can then set the action on the default DAP to terminate, but I seem to be stuck on this.
I have looked at my config over and over again, and I guess if the solution could bite me it would have, but I can't seem to find what I need to do to fix this.
Appreciate any and all help here.
Seyi
========
Test DAP
========
DAP_TRACE: DAP_open: 778B5E18
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
DAP_TRACE: name = endpoint["anyconnect"]["clientversion"], value = "3.1.03103"
DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
DAP_TRACE: name = endpoint["os"]["version"], value = "Windows 7"
DAP_TRACE: Selected DAPs: ,POLICY-RSA
DAP_TRACE: dap_process_selected_daps: selected 1 records
DAP_TRACE: dap_aggregate_attr: rec_count = 1
DAP_TRACE: dap_comma_str_fcn: [,] 1 128
DAP_TRACE: DAP_close: 778B5E18
========================
Actual Client Connection
========================
DAP_TRACE: DAP_open: 79E0EA38
DAP_TRACE: Username: user1, aaa.cisco.grouppolicy = POLICY-RSA
DAP_TRACE: Username: user1, aaa.cisco.username = user1
DAP_TRACE: Username: user1, aaa.cisco.username1 = user1
DAP_TRACE: Username: user1, aaa.cisco.username2 =
DAP_TRACE: Username: user1, aaa.cisco.tunnelgroup = POLICY-RSA
DAP_TRACE: Username: user1, DAP_add_SCEP: scep required = [FALSE]
DAP_TRACE: Username: user1, DAP_add_AC:
endpoint.anyconnect.clientversion="3.1.03103";
endpoint.anyconnect.platform="win";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["grouppolicy"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
DAP_TRACE: name = aaa["cisco"]["username"], value = "user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username1"]="user1"
DAP_TRACE: name = aaa["cisco"]["username1"], value = "user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username2"]=""
DAP_TRACE: name = aaa["cisco"]["username2"], value = ""
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: name = aaa["cisco"]["tunnelgroup"], value = "POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["sceprequired"]="false"
DAP_TRACE: name = aaa["cisco"]["sceprequired"], value = "false"
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"]="AnyConnect"
DAP_TRACE: name = endpoint["application"]["clienttype"], value = "AnyConnect"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: user1, DAP_close: 79E0EA38
06-28-2013 07:18 PM
Hi,
Can you post a screenshot of your DAP entries, and did you create a Lua expression for any of the endpoint attributes?
Thanks,
Sent from Cisco Technical Support iPad App
06-29-2013 09:10 AM
07-01-2013 12:14 AM
Hi Seyi,
The problem lies here, if you check the output of the debug dap trace from the client PC, which is as follows:
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: name = endpoint.anyconnect.clientversion, value = "3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
DAP_TRACE: name = endpoint.anyconnect.platform, value = "win"
DAP_TRACE: Username: user1, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: user1, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: user1, Selected DAPs: DfltAccessPolicy
I don't see it looking for the OS version check.
Ideally it should, and this entry should have been in the debug dap trace:
endpoint["os"]["version"], value = "Windows 7"
And in the DAP policy that you have created, you have specified two endpoint attributes to be checked, which are as follows:
endpoint.anyconnect.clientversion, value = "3.1.03103"
endpoint["os"]["version"], value = "Windows 7"
Since it is not matching both endpoint attributes, it is falling back to the DfltAccessPolicy.
Please let me know which HostScan image you have.
Try with hostscan_3.1.03103-k9.pkg and then check.
HTH
Regards
Raj Kumar
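The failure mode Raj points at can be replayed offline. The following is an added example (my own Python, not Cisco's DAP engine and not code from the thread): it parses the `dap_add_to_lua_tree` and `dap_install_endpoint_data_to_lua` lines from `debug dap trace` into the attribute tree the ASA evaluates, then checks a DAP record against that tree and reports which criterion could not be satisfied. The POLICY-RSA record and its three criteria are assumptions standing in for Seyi's configuration, the "every criterion must hold" rule is a simplification of the real ASA selection logic, and the sample trace lines are trimmed from the two traces posted above.

```python
"""Replay ASA `debug dap trace` output against a DAP record, offline.

Added example, not code from the thread or from Cisco. It models DAP
selection as "every criterion of a record must be satisfied by an
attribute the ASA actually installed into the Lua tree", which is
enough to reproduce the symptom in the thread: no endpoint.os.version
installed -> record not selected -> DfltAccessPolicy.
"""
import re
from typing import Dict, List, Tuple

# Only these two trace lines show values being installed into the Lua
# tree that DAP selection evaluates; the "Username: ..., aaa.cisco.x = y"
# lines are echoes of the same data and are ignored here.
_INSTALL_RE = re.compile(
    r'(?:dap_add_to_lua_tree|dap_install_endpoint_data_to_lua):(\S+?)="(.*)"\s*$'
)

# Constructed sample traces, trimmed from the two traces in the thread.
TEST_HARNESS_TRACE = """\
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:endpoint["anyconnect"]["clientversion"]="3.1.03103"
DAP_TRACE: dap_add_to_lua_tree:endpoint["os"]["version"]="Windows 7"
"""

CLIENT_TRACE = """\
DAP_TRACE: Username: user1, aaa.cisco.tunnelgroup = POLICY-RSA
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["grouppolicy"]="POLICY-RSA"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"]="user1"
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"]="POLICY-RSA"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.clientversion="3.1.03103"
DAP_TRACE: dap_install_endpoint_data_to_lua:endpoint.anyconnect.platform="win"
"""

# (attribute path, operator, expected value); "eq" is exact, "match" is a
# regular expression. Hypothetical criteria for the POLICY-RSA record
# described in the first post (assumption, not the poster's real config).
Criterion = Tuple[str, str, str]
DAP_RECORDS: List[Tuple[str, List[Criterion]]] = [
    ("POLICY-RSA", [
        ("aaa.cisco.tunnelgroup", "eq", "POLICY-RSA"),
        ("endpoint.anyconnect.clientversion", "match", r"^3\.1\."),
        ("endpoint.os.version", "eq", "Windows 7"),
    ]),
]


def parse_dap_trace(trace: str) -> Dict[str, str]:
    """Flatten both spellings, aaa["cisco"]["x"] and aaa.cisco.x, to dotted keys."""
    attrs: Dict[str, str] = {}
    for line in trace.splitlines():
        m = _INSTALL_RE.search(line)
        if m:
            path = ".".join(re.findall(r"[A-Za-z0-9_]+", m.group(1)))
            attrs[path] = m.group(2)
    return attrs


def evaluate_record(criteria: List[Criterion], attrs: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (selected, reasons); an attribute absent from the trace can never match."""
    reasons: List[str] = []
    for path, op, expected in criteria:
        actual = attrs.get(path)
        if actual is None:
            reasons.append(f"{path}: never installed into the Lua tree (endpoint data not collected?)")
            continue
        if op == "eq":
            ok = actual == expected
        elif op == "match":
            ok = re.search(expected, actual) is not None
        else:
            raise ValueError(f"unknown operator {op!r}")
        if not ok:
            reasons.append(f"{path}: {actual!r} fails {op} {expected!r}")
    return not reasons, reasons


def select_daps(records: List[Tuple[str, List[Criterion]]], attrs: Dict[str, str]) -> List[str]:
    """Names of records whose criteria all hold, or the default policy if none do."""
    selected = [name for name, crit in records if evaluate_record(crit, attrs)[0]]
    return selected or ["DfltAccessPolicy"]


if __name__ == "__main__":
    for label, trace in (("Test DAP", TEST_HARNESS_TRACE), ("Actual client", CLIENT_TRACE)):
        attrs = parse_dap_trace(trace)
        print(label, "->", select_daps(DAP_RECORDS, attrs))
        for name, crit in DAP_RECORDS:
            for reason in evaluate_record(crit, attrs)[1]:
                print("   ", name, "not selected:", reason)
```

Run against a real `debug dap trace` capture, the useful output is the reasons list: a criterion that fails because the attribute was never installed points at data collection (HostScan not enabled, wrong package, posture not run), while one that fails on value points at the criterion itself.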
07-01-2013 02:09 PM
Hi Raj
I did have hostscan_3.1.03104 loaded in flash but it wasn't enabled... doh! I suppose I'm the only one who didn't know that DAP requires HostScan to be enabled for all these endpoint assessments to be done.
I have created a simple pre-login assessment to check for OS and it still fails to match my custom DAP and selects DfltAccessPolicy.
The client is being predeployed by an SMS tool, so I guess I need to go back to the guys in charge and confirm that the posture module is part of what we are deploying now, don't I?
Thanks again
Seyi
07-02-2013 08:53 AM
Hi,
You do not need to enable anything on the client other than the VPN client. HostScan is the service on the ASA that detects the DAP attributes such as the OS.
Sent from Cisco Technical Support Android App
07-02-2013 01:02 PM
Hi Tarik
I have either read the guide at
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac05hostscanposture.html completely wrong, or the wording leaves room for wild interpretations like mine.
10-21-2013 08:33 AM
Thanks guys, I went to the latest HostScan package and everything now works merrily.