Cisco Anyconnect Posture 4.3.05017 with Host Scan

Hi Everyone,

I am testing Cisco AnyConnect 4.3.05017 SSL VPN with the Host Scan feature. My requirements are to scan the VPN user's PC for a specific antivirus, anti-spyware, OS and its version.

So if the PC meets all criteria then the user gets connected, otherwise NO VPN connection. I have uploaded the Host Scan image onto the ASA and enabled Host Scan / CSD on the ASA. I configured the group policy, enabled Advanced Host Assessment and specified the antivirus / anti-spyware and OS and its version.

All is working, but how can I know which antivirus, anti-spyware and OS are detected by Host Scan? Can I see a report from the ASA?

Then I specified an incorrect antivirus vendor and tried whether the VPN user can still connect or not. It should not connect, but I can still get connected.

How can I do this? Appreciated if someone helps here.

Thanks,

12 Replies

Marvin Rhoads
Hall of Fame

If you have installed the optional Diagnostics and Reporting Tool (DART) module, you can pull a report from the host side using that.

Otherwise I believe you would have to debug the DAP module on the ASA end.

Marvin is right, there is no direct report on the ASA for this information. Run a "debug dap trace" to see the AV and AS products that are being matched. But this does not have a filter and runs for every connection coming in. DART can also provide the information, but is more of a one-off basis. If you need reporting capability with posture, ISE Posture with ASA is the way to go.

Thanks Marvin and Rahul

The following details are captured from DART at the VPN user side. It says no matching antivirus product detected. However, the user could still connect. My goal is that if Host Scan detects this, the user should not be able to connect and should be warned why the VPN is unable to connect.

Cisco documents do not say how remediation works. I mean how the VPN user can download and install the required antivirus if Host Scan detects a non-matching antivirus. Or, if the user cannot perform remediation, then the VPN should not connect.

The ASA 5512-X has AnyConnect Premium and Advanced Endpoint Assessment licenses.

============= captured from DART ========

[Thu Jan 19 13:46:40.167 2017][cscan][debug][prelogin] obtained CSD configuration data.
[Thu Jan 19 13:46:40.180 2017][cscan][all][parse_config] Logging level directive (error) received from headend
[Thu Jan 19 13:46:40.181 2017][cscan][all][parse_config] Logging level set to (warn)
[Thu Jan 19 13:46:50.725 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:46:51.237 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:47:59.769 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:48:00.306 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:49:08.934 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:49:09.458 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:50:18.171 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:50:18.680 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:51:27.221 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:51:27.722 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:52:36.210 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:52:36.710 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:53:45.205 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:53:45.691 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:54:54.070 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:54:54.571 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:56:03.244 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:56:03.729 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:57:13.524 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:57:14.040 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:57:16.010 2017][cscan][warn][run] login timeout reached, scanning stopped.
[Thu Jan 19 13:57:16.109 2017][cscan][all][halt] goodbye (0)
[Fri Jan 20 11:19:53.046 2017][cscan][all][init] hello
[Fri Jan 20 11:19:53.046 2017][cscan][all][init] cscan.exe version 3.1.05152
[Fri Jan 20 11:19:53.046 2017][cscan][debug][asa_tok_ren_init] cond init succeeded
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_transport_init] initialization
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] attempting to load library (winhttp.dll)
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] library (winhttp.dll) loaded
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] attempting to load library (crypt32.dll)
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] library (crypt32.dll) loaded
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] attempting to load library (urlmon.dll)
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] library (urlmon.dll) loaded
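When triaging DART bundles from several users it helps to reduce the cscan lines to the handful of facts a DAP rule would act on. The following Python is an added example, not code from the thread or from Cisco; it parses lines in the format pasted above (the sample is constructed from that format, not the poster's full bundle) and then shows, purely as an illustration, the decision a DAP rule of the form "antivirus does not exist -> terminate" should reach from those results. Host Scan itself only reports; the block of the ASA has to come from DAP.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the same format as the cscan lines pasted above
# (not the poster's full DART bundle): two AV/AS scan passes, a login
# timeout, then the start of a second cscan session.
SAMPLE_LOG = """\
[Thu Jan 19 13:46:40.167 2017][cscan][debug][prelogin] obtained CSD configuration data.
[Thu Jan 19 13:46:50.725 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:46:51.237 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:47:59.769 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:48:00.306 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:57:16.010 2017][cscan][warn][run] login timeout reached, scanning stopped.
[Thu Jan 19 13:57:16.109 2017][cscan][all][halt] goodbye (0)
[Fri Jan 20 11:19:53.046 2017][cscan][all][init] hello
[Fri Jan 20 11:19:53.046 2017][cscan][all][init] cscan.exe version 3.1.05152
"""

# Line layout seen in the log: [timestamp][cscan][level][function] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[cscan\]\[(?P<level>\w+)\]\[(?P<func>\w+)\] (?P<msg>.*)$"
)


@dataclass
class CscanSummary:
    av_no_match: int            # scan_advanced_av passes that found no listed AV product
    as_no_match: int            # scan_advanced_as passes that found no listed AS product
    login_timeout: bool         # cscan gave up waiting for the user to log in
    cscan_version: Optional[str]
    unparsed: List[str]         # lines that did not match the expected layout


def summarize(log_text: str) -> CscanSummary:
    """Parse cscan log lines and count the results a DAP rule would act on."""
    summary = CscanSummary(0, 0, False, None, [])
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            summary.unparsed.append(raw)
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "scan_advanced_av" and "no matching" in msg:
            summary.av_no_match += 1
        elif func == "scan_advanced_as" and "no matching" in msg:
            summary.as_no_match += 1
        elif func == "run" and "login timeout" in msg:
            summary.login_timeout = True
        elif func == "init" and msg.startswith("cscan.exe version "):
            summary.cscan_version = msg.split()[-1]
    return summary


def expected_dap_verdict(summary: CscanSummary, require_av: bool = True,
                         require_as: bool = True) -> str:
    """Illustrative only: the decision a DAP rule 'antivirus does not exist ->
    terminate' should reach from these scan results. This is not the ASA's
    code; it shows why a passing connection means the DAP rule, not Host Scan,
    needs attention."""
    if require_av and summary.av_no_match:
        return "terminate: required antivirus not found"
    if require_as and summary.as_no_match:
        return "terminate: required antispyware not found"
    return "continue"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print(expected_dap_verdict(s))
```

Run it over an exported DART `cscan` log to see at a glance how many scan passes ran before the login timeout and whether any of them matched a configured product; a non-empty `unparsed` list means the log format differs from the one assumed here.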

You have to configure DAP to take actions based on what Host Scan detects. Host Scan is just the detection/scanning part of the posture setup. Once the scan info is sent to the ASA, the ASA then evaluates the information and allows, denies or quarantines the user based on the policies created. You can create DAP rules as given in the guide below:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200238-ASA-VPN-posture-with-CSD-DAP-and-AnyCon.html

If you are looking for advanced DAP (like checking for presence of any AV on client machine), you would need to do some complex DAP policies. A few examples are given here:

http://www.cisco.com/image/gif/paws/115947/dap-adv-functions-00.pdf

Many thanks Rahul,

This is a fantastic document. It is really useful.

I uploaded the Host Scan package (hostscan_4.3.05017-k9.pkg) under Configuration --> Network (Client) Access --> Host Scan Image and enabled the CSD option. I have also uploaded the AnyConnect software package (anyconnect-win-4.3.05017-k9.pkg) under Configuration --> Network (Client) Access --> AnyConnect Client Software.

Do I still need to upload the CSD package under Secure Desktop Manager --> Setup?

I read somewhere that CSD is part of the Host Scan package and does not need to be installed separately.

Could you please clarify, as I am visiting the client site tomorrow and will test the AnyConnect Secure Mobility Client 4.x with an ASA 5525-X.

Thanks in advance.

Only the Host Scan package is needed. Host Scan was previously part of the CSD package along with some other deprecated features. The ASDM still has the CSD section for backward compatibility with older CSD versions. If you upload both, the Host Scan package takes precedence.

Thanks.
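For reference, the CLI equivalent of the ASDM steps discussed in this exchange, as an added configuration fragment (not posted in the thread). The package file names are the ones the poster mentions; the interface name `outside` and the ASA 9.1 `webvpn` syntax are assumed. Note that there is no `csd image` line: the `hostscan image` command alone is what the reply above describes.

```text
webvpn
 enable outside
 hostscan image disk0:/hostscan_4.3.05017-k9.pkg
 hostscan enable
 anyconnect image disk0:/anyconnect-win-4.3.05017-k9.pkg 1
 anyconnect enable
```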

It is much clearer now. Will update on how I am progressing.

Thanks 

Today I was at a customer site and I came across another challenge.

The customer has set up 3 VPN user profiles (i.e. SSL-VPN, IPSEC-VPN, AnyConnect-VPN) on an ASA 5525. User authentication is via ACS 5.6.

When a user tries connecting through the AnyConnect Secure Mobility Client from a laptop, it pops up a window for selecting the VPN group to use for connecting. The customer does not want that window popping up. The customer wants to lock it down from ACS.

After some research, I found that it can be done using ACS --> RADIUS IETF.

There are so many options under dictionary and many attributes under each dictionary.

The customer is using an ASA 5525 and ACS 5.6. Can anyone please help me with what exact dictionary and attributes I should use so the user gets connected without choosing a VPN group?

Many thanks


You cannot use ACS to choose the tunnel-group, as this is already chosen before auth happens. What you can do is create just one tunnel-group and have everyone come to that group. Based on their credentials, you can push different group-policies to users from the ACS. For this you have to set the RADIUS Class attribute (25) to the value "OU=<GroupPolicy>", where the group policy is defined on the ASA.

A solution using Windows NPS is given here, the same concept applies to ACS:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html

Also look at this link for the RADIUS attributes supported (Table 1-8):

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ref_extserver.pdf
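To make the "Class attribute (25) = OU=<GroupPolicy>" recipe concrete at the wire level, here is an added Python example (not code from the thread, Cisco, or ACS). It encodes a standard RADIUS attribute (Type, Length, Value as in RFC 2865) carrying the Class value an ACS or NPS reply needs, and then shows the selection the ASA side performs: take the group-policy name from a Class attribute whose value begins with `OU=`, and fall back to the tunnel-group default when no such attribute is present. The attribute list, the user name and the group-policy name `GP-Sales` are constructed for the example.

```python
import struct
from typing import Iterator, Optional, Tuple

RADIUS_ATTR_USER_NAME = 1   # RFC 2865 section 5.1
RADIUS_ATTR_CLASS = 25      # RFC 2865 section 5.25, the IETF attribute the reply refers to


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes the
    2-byte header), Value (1..253 bytes)."""
    if not 0 < len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(blob: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a packed attribute list, validating each Length before trusting it
    so a malformed reply raises instead of reading past the buffer."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("attribute length %d out of range" % length)
        yield attr_type, blob[off + 2:off + length]
        off += length


def class_for_group_policy(name: str) -> bytes:
    """Build the Class attribute the ACS/NPS reply must carry: OU=<GroupPolicy>."""
    return encode_avp(RADIUS_ATTR_CLASS, ("OU=" + name).encode("ascii"))


def group_policy_from_reply(attrs: bytes) -> Optional[str]:
    """Mimic the ASA side: the group-policy name comes from a Class attribute
    whose value starts with 'OU='. Any other Class value (e.g. an opaque
    session id) is ignored; None means the tunnel-group's default applies."""
    for attr_type, value in decode_avps(attrs):
        if attr_type == RADIUS_ATTR_CLASS and value.startswith(b"OU="):
            return value[3:].decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: User-Name plus Class.
    reply = encode_avp(RADIUS_ATTR_USER_NAME, b"alice") + class_for_group_policy("GP-Sales")
    print(reply.hex())
    print(group_policy_from_reply(reply))   # GP-Sales
```

The name after `OU=` must match a `group-policy` that already exists on the ASA, as the reply says; a Class value without the `OU=` prefix is simply not treated as a group-policy assignment, which is why a user can still land in the tunnel-group's default policy when the ACS profile was filled in with the bare policy name.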

Thanks  Rahul,

Today I tested the host scanning feature. Somehow it is not working for the anti-virus and anti-spyware features.

I enabled the Host Scan feature under Secure Desktop Manager and also enabled the Host Scan extensions (Advanced Endpoint Assessment ver 3.6.10972.2 and Endpoint Assessment 3.6.10972.2).

I also configured both options and selected Sophos Antivirus 10.x.

Then I created a DAP policy with "Antivirus does not exist" and chose the action as quarantine, and the access method as AnyConnect.

When I connect the VPN it shows host scanning initialized, but it still gets connected even though the laptop does not have Sophos Antivirus.

Please help, it is really stressful. Unable to move forward.

Check the output of "debug dap trace" when the user connects. This will show you the results from Host Scan that come back from the client. This will also show you which DAP policy is chosen for the user. You would have to verify whether the returned attributes match the DAP policy you created.

Hi Rahul,

Today I came across another issue. I enabled host scanning and defined a DAP policy. First with "file does not exist" and then created manually. Both times I came across the following error in the ASDM log:

DAP: Processing error : Code 2401 and 3774

%ASA-3-734004: DAP: Processing error: Code number
A DAP processing error occurred.

• number—The internal error code

AnyConnect says: Login Denied: Your environment does not meet the access criteria defined by your administrator. If I delete the DAP then it works, otherwise no.

The ASA is a 5512-X with 9.1(3) and ASDM 7.3(1), and AnyConnect 4.3.x.

Thanks