01-22-2017 05:08 PM - edited 02-21-2020 09:07 PM
Hi Everyone,
I am testing Cisco AnyConnect 4.3.05017 SSL VPN with the HostScan feature. My requirements are to scan the VPN user's PC for a specific antivirus, anti-spyware, OS and its version.
So if the PC meets all criteria then the user can get connected, otherwise NO VPN connection. I have uploaded the HostScan image onto the ASA and enabled HostScan / CSD on the ASA. I configured the group policy, enabled Advanced Host Assessment and specified the antivirus / anti-spyware and OS and its version.
All is working, but how can I know which antivirus, anti-spyware and OS are detected by HostScan? Can I see a report from the ASA?
Then I specified an incorrect antivirus vendor and tried whether the VPN user can still connect or not. It should not connect, but I can still get connected.
How can I do this? Appreciated if someone helps here.
Thanks,
01-22-2017 10:29 PM
If you have installed the optional Diagnostics and Reporting Tool (DART) module, you can pull a report from the host side using that.
Otherwise I believe you would have to debug the DAP module on the ASA end.
01-23-2017 04:22 AM
Marvin is right, there is no direct report on the ASA for this information. Run a "debug dap trace" to see the AV/AS that are being matched. But this does not have a filter and runs for every connection coming in. DART also can provide the information, but is more of a one-off basis. If you need reporting capability with posture, ISE Posture with ASA is the way to go.
01-23-2017 02:48 PM
Thanks Marvin and Rahul
The following details are captured from DART at the VPN user side. It says no matching antivirus product detected. However, the user could still connect the VPN connection. My goal is that if HostScan detects this, the user should not be able to connect the VPN and should be warned why the VPN is unable to connect.
Cisco documents do not say how remediation works. I mean how the VPN user can download and install the required antivirus if HostScan detects a non-matching antivirus. OR if the user cannot perform remediation then the VPN should not connect.
ASA 5512-x has Anyconnect premium and advanced endpoint assessment license.
============= captured from DART ========
[Thu Jan 19 13:46:40.167 2017][cscan][debug][prelogin] obtained CSD configuration data.
[Thu Jan 19 13:46:40.180 2017][cscan][all][parse_config] Logging level directive (error) received from headend
[Thu Jan 19 13:46:40.181 2017][cscan][all][parse_config] Logging level set to (warn)
[Thu Jan 19 13:46:50.725 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:46:51.237 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:47:59.769 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:48:00.306 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:49:08.934 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:49:09.458 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:50:18.171 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:50:18.680 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:51:27.221 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:51:27.722 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:52:36.210 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:52:36.710 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:53:45.205 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:53:45.691 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:54:54.070 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:54:54.571 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:56:03.244 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:56:03.729 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:57:13.524 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:57:14.040 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:57:16.010 2017][cscan][warn][run] login timeout reached, scanning stopped.
[Thu Jan 19 13:57:16.109 2017][cscan][all][halt] goodbye (0)
[Fri Jan 20 11:19:53.046 2017][cscan][all][init] hello
[Fri Jan 20 11:19:53.046 2017][cscan][all][init] cscan.exe version 3.1.05152
[Fri Jan 20 11:19:53.046 2017][cscan][debug][asa_tok_ren_init] cond init succeeded
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_transport_init] initialization
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] attempting to load library (winhttp.dll)
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] library (winhttp.dll) loaded
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] attempting to load library (crypt32.dll)
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] library (crypt32.dll) loaded
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] attempting to load library (urlmon.dll)
[Fri Jan 20 11:19:53.046 2017][cscan][trace][hs_dl_load] library (urlmon.dll) loaded
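The DART excerpt above is long because HostScan re-runs the AV/AS checks roughly every minute while the login window is open, so the same two "no matching ... products detected" lines repeat until the login timeout. The following Python helper is an added example, not code from the thread or from Cisco: it parses cscan log lines in the format shown above and reduces them to a posture summary (which advanced checks found no matching product, how many scan iterations ran, whether the login timed out, and the cscan.exe version). The sample log text embedded in it is constructed in the same format as the excerpt. The summary is the client-side fact that a DAP policy on the ASA is expected to act on; the log itself does not make the allow/deny decision.

```python
import re
from collections import Counter

# Line format seen in the DART cscan log:
# [<timestamp>][cscan][<level>][<function>] <message>
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[cscan\]\[(?P<level>[^\]]+)\]\[(?P<func>[^\]]+)\]\s*(?P<msg>.*)$"
)

# Constructed sample in the same format as the DART excerpt (not the original log).
SAMPLE_LOG = """\
[Thu Jan 19 13:46:40.167 2017][cscan][debug][prelogin] obtained CSD configuration data.
[Thu Jan 19 13:46:50.725 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:46:51.237 2017][cscan][warn][scan_advanced_as] no matching antispyware products detected.
[Thu Jan 19 13:47:59.769 2017][cscan][warn][scan_advanced_av] no matching antivirus products detected.
[Thu Jan 19 13:57:16.010 2017][cscan][warn][run] login timeout reached, scanning stopped.
[Thu Jan 19 13:57:16.109 2017][cscan][all][halt] goodbye (0)
[Fri Jan 20 11:19:53.046 2017][cscan][all][init] hello
[Fri Jan 20 11:19:53.046 2017][cscan][all][init] cscan.exe version 3.1.05152
"""


def parse_line(line):
    """Split one cscan log line into its fields, or return None if it is not in that format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Reduce a cscan log to the facts an admin cares about when a posture rule is not biting."""
    summary = {
        "failed_checks": Counter(),  # e.g. {"scan_advanced_av": 2, "scan_advanced_as": 1}
        "av_scan_iterations": 0,     # HostScan re-scans while the login window stays open
        "login_timeout": False,
        "cscan_version": None,
        "unparsed": 0,
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            summary["unparsed"] += 1
            continue
        func, msg = rec["func"], rec["msg"]
        # Advanced endpoint checks report failure as "no matching ... products detected"
        if func.startswith("scan_advanced_") and "no matching" in msg:
            summary["failed_checks"][func] += 1
        if func == "scan_advanced_av":
            summary["av_scan_iterations"] += 1
        if func == "run" and "login timeout reached" in msg:
            summary["login_timeout"] = True
        ver = re.search(r"cscan\.exe version (\S+)", msg)
        if func == "init" and ver:
            summary["cscan_version"] = ver.group(1)
    return summary


def verdict(summary):
    """One-line answer to 'did the client meet the configured AV/AS criteria?'."""
    if summary["failed_checks"]:
        checks = ", ".join(sorted(summary["failed_checks"]))
        return f"FAIL: no matching product for {checks}"
    return "PASS: all advanced endpoint checks matched"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(verdict(s))
    print(dict(s["failed_checks"]), "timeout:", s["login_timeout"], "cscan:", s["cscan_version"])
```

Run it against the text of a real DART cscan log to get the same summary; if the verdict is FAIL but the user still connects, the gap is on the ASA side (no DAP rule matching the returned attributes), which is where the next reply points.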
01-23-2017 04:24 PM
You have to configure DAP to take actions based on what HostScan detects. HostScan is just the detection/scanning part of the Posture setup. Once the scan info is sent to the ASA, the ASA then evaluates the information and allows, denies or quarantines the user based on the policies created. You can create DAP rules as given in the guide below:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200238-ASA-VPN-posture-with-CSD-DAP-and-AnyCon.html
If you are looking for advanced DAP (like checking for presence of any AV on client machine), you would need to do some complex DAP policies. A few examples are given here:
http://www.cisco.com/image/gif/paws/115947/dap-adv-functions-00.pdf
01-23-2017 07:25 PM
Many thanks Rahul,
This is a fantastic document. It is really useful.
I uploaded hostscan package (hostscan_4.3.05017-k9.pkg) under Configuration --> Network (Client) Access --> Host Scan Image and enabled the CSD option. I have also uploaded Anyconnect software package (anyconnect-win-4.3.05017-k9.pkg) under Configuration --> Network (Client) Access --> Anyconnect client software.
Do I still need to upload the CSD package under Secure Desktop Manager --> Setup?
I read somewhere that CSD is part of the HostScan package and does not need to be installed separately.
Could you please clarify as I am visiting client site tomorrow and will test the Anyconnect Secure Mobility Client 4.x with ASA 5525-x.
Thanks in advance.
01-23-2017 07:34 PM
Only Hostscan package is needed. Hostscan was previously part of the CSD package along with some other deprecated features. The ASDM still has the CSD section for backward compatibility with older CSD versions. If you upload both, the hostscan package takes precedence.
01-23-2017 07:37 PM
Thanks.
It is much clearer now. Will update on how I am progressing.
Thanks
01-24-2017 10:48 PM
Today I was at a customer site and I came across another challenge.
The customer has set up 3 VPN user profiles (i.e. SSL-VPN, IPSEC-VPN, AnyConnect-VPN) on an ASA 5525. User authentication is via ACS 5.6.
When users try connecting through the AnyConnect Secure Mobility Client from a laptop, it pops up a window for selecting the VPN group to use for connecting. The customer does not want that window popping up. The customer wants to lock it down from ACS.
After some research, I found that it can be done using ACS --> RADIUS IETF.
There are so many options under dictionary and many attributes under each dictionary.
The customer is using ASA 5525 and ACS 5.6. Can anyone please help me with what exact dictionary and attributes I should use so the user gets connected without choosing the VPN group?
Many thanks
01-25-2017 09:59 AM
You cannot use ACS to choose the tunnel-group as this is already chosen before auth happens. What you can do is create just one tunnel-group and have everyone come to that group. Based on their credentials, you can push different group-policies to users from the ACS. For this you have to set the RADIUS Class attribute (25) to the value "OU=<GroupPolicy>", where the group policy is defined on the ASA.
A solution using Windows NPS is given here, the same concept applies to ACS:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html
Also look at this link for the Radius attributes supported (Table 1-8):
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ref_extserver.pdf
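To make the Class-attribute mechanism in the reply above concrete, here is an added Python example (not code from the thread, Cisco, or ACS) that builds a RADIUS Class (type 25) attribute-value pair carrying "OU=<GroupPolicy>" in the standard RFC 2865 Type/Length/Value layout, then walks a constructed Access-Accept attribute section and pulls the group-policy name back out the way the ASA matches it, by the "OU=" prefix on the Class value. The group-policy name "GP-Sales" and the extra Reply-Message (type 18) attribute are constructed sample values. Useful when checking a packet capture or a RADIUS server's reply against what the ASA expects.

```python
import struct

RADIUS_ATTR_REPLY_MESSAGE = 18  # RFC 2865 Reply-Message
RADIUS_ATTR_CLASS = 25          # RFC 2865 Class: ASA reads "OU=<group-policy>" from it


def encode_avp(attr_type, value):
    """Encode one RADIUS AVP as Type(1) Length(1) Value(n); Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value must be at most 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def class_avp_for_group_policy(group_policy):
    """Class attribute in the form the reply above describes: OU=<GroupPolicy>."""
    return encode_avp(RADIUS_ATTR_CLASS, f"OU={group_policy}".encode("ascii"))


def decode_avps(data):
    """Walk a buffer of concatenated AVPs (the attribute section of an Access-Accept)."""
    avps = []
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, off)
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((attr_type, data[off + 2 : off + length]))
        off += length
    return avps


def group_policy_from_avps(avps):
    """Return the group-policy name from a Class attribute of the form OU=<name>, else None."""
    for attr_type, value in avps:
        if attr_type == RADIUS_ATTR_CLASS and value.startswith(b"OU="):
            return value[3:].decode("ascii")
    return None


def demo():
    # Constructed Access-Accept attribute section: Class plus an unrelated Reply-Message.
    attrs = class_avp_for_group_policy("GP-Sales") + encode_avp(
        RADIUS_ATTR_REPLY_MESSAGE, b"welcome"
    )
    return group_policy_from_avps(decode_avps(attrs))


if __name__ == "__main__":
    print(class_avp_for_group_policy("GP-Sales").hex())
    print(demo())
```

The name after "OU=" must match a group-policy configured on the ASA exactly; a Class value without the "OU=" prefix, or with a name the ASA does not know, leaves the user on the tunnel-group's default group-policy instead.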
01-26-2017 09:26 PM
Thanks Rahul,
Today I tested the host scanning feature. Somehow it is not working for the antivirus and anti-spyware feature.
I enabled the HostScan feature under Secure Desktop Manager and also enabled the HostScan extensions (Advanced Endpoint Assessment ver 3.6.10972.2 and Endpoint Assessment 3.6.10972.2).
I also configured both options and selected Sophos Antivirus 10.x.
Then I created a DAP policy with "Antivirus does not exist", chose the action as quarantine, and the access method as AnyConnect.
When I connect the VPN it shows host scanning initialized, but it still gets connected even though the laptop does not have Sophos Antivirus.
Please help, it is really stressful. Unable to move forward.
01-27-2017 05:31 AM
Check the output of "debug dap trace" when the user connects. This will show you the results from HostScan that come back from the client. This will also show you which DAP policy is chosen for the user. You would have to verify whether the returned attributes match the DAP policy you created.
01-29-2017 08:52 PM
Hi Rahul,
Today I came across another issue. I enabled host scanning and defined a DAP policy. First with "files does not exist" and then created manually. Both times I came across the following error in the ASDM log:
DAP: Processing error : Code 2401 and 3774
%ASA-3-734004: DAP: Processing error: Code number
A DAP processing error occurred.
• number—The internal error code
AnyConnect says: Login Denied: Your environment does not meet the access criteria defined by the administrator. If I delete the DAP then it works, otherwise not.
The ASA is a 5512-X with 9.1(3) and ASDM 7.3(1), and AnyConnect 4.3.x.
Thanks