Cisco Host Scan (Hostscan_3.1.04082-k9.pkg)

mideyesupport2
Level 1

Hello community,

I recently bought an Advanced Endpoint Assessment license for our ASA5505 to be able to check our remote users, mainly for antivirus and firewall. What I understand is that this feature requires the license mentioned above and also AnyConnect Premium Peers to be enabled. My "show ver" indicates that these licenses are enabled. See below.

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : 50             perpetual
Failover                          : Active/Standby perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 10             perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

Now to my question. What do I need to do to enable this feature? No matter what I try, when testing remote access from a Windows 8.1 machine with AnyConnect 3.1.04072, they all get access to the network regardless of the settings I made in ASDM.

This is what I have done after the activation of the license and a reboot:

1. From ASDM, "Configuration" --> Remote Access VPN --> Host Scan Image: Browse flash for hostscan_3.1.04082-k9.pkg and enabled "Enable Host Scan/CSD". Then Apply and Save.

2. Restarted ASDM.

3. From ASDM, Configuration --> Remote Access VPN --> Secure Desktop Manager --> Host Scan --> Configure Advanced Endpoint Assessment ver 3.6.8133.2 --> Added F-Secure.

4. Apply and Save.

When I try to connect with AnyConnect from my Windows 8.1 machine (with no F-Secure antivirus installed), I can see that the AnyConnect client performs a host scan, but no matter what I do the machine will ignore my settings made for the antivirus etc. and get full access.

What am I missing? Do I need to create a DAP as well, or shouldn't this work without one?

Note: Our AnyConnect authenticates using RADIUS with challenge-response, but I guess this wouldn't affect it since the host scan will be performed before the authentication takes place.

Thank you all in advance,

Best Regards,

Accepted Solutions

jshojayi
Level 1

A DAP rule would take care of this. This is where you'd create a rule to look for endpoint attributes such as processes, files, registry keys, or anything else. Based upon matched or unmatched criteria, you can decide whether to let them continue, quarantine them, or drop the connection. DAP rules are capable of much more, but based upon reading the above, it looks like you're wanting them to either connect or disconnect based upon the AV installed. Does this answer your question?

Thank you.

Joe
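
A simplified model of the behaviour discussed in this thread, as an added example that is not part of any post and is not Cisco code: Host Scan only reports endpoint attributes, and a DAP record (or the default policy when no record matches) decides the action. The attribute keys, the record name and the "most restrictive action wins" rule are assumptions of the model.

```python
# Simplified model of DAP record selection (added example, not Cisco code).
# Attribute keys such as "av.exists" are constructed, not ASA attribute syntax.
from dataclasses import dataclass, field

SEVERITY = {"continue": 0, "quarantine": 1, "terminate": 2}

@dataclass
class DapRecord:
    name: str
    action: str                                   # continue | quarantine | terminate
    criteria: dict = field(default_factory=dict)  # attribute -> required value

    def matches(self, endpoint: dict) -> bool:
        # Every criterion must match; an attribute Host Scan did not
        # report counts as a mismatch.
        return all(endpoint.get(k) == v for k, v in self.criteria.items())

def evaluate(endpoint, records, default_action="continue"):
    """Return (action, names of the policies that decided it)."""
    matched = [r for r in records if r.matches(endpoint)]
    if not matched:
        # No record selected: only the default policy applies.
        return default_action, ["DfltAccessPolicy"]
    # Model assumption: when several records match, the most
    # restrictive action wins.
    action = max((r.action for r in matched), key=SEVERITY.__getitem__)
    return action, [r.name for r in matched]

# Constructed Host Scan results for two Windows clients.
NO_AV = {"os": "Windows 8.1", "av.exists": False}
WITH_AV = {"os": "Windows 8.1", "av.exists": True}

# Hypothetical record that admits endpoints reporting an antivirus product.
AV_OK = DapRecord("AV-Present", "continue", {"av.exists": True})

def scenarios():
    return {
        # The setup in the question: Host Scan runs, no DAP record exists.
        "hostscan_only": evaluate(NO_AV, [])[0],
        # Default policy set to terminate, one record admitting AV hosts.
        "no_av": evaluate(NO_AV, [AV_OK], "terminate")[0],
        "with_av": evaluate(WITH_AV, [AV_OK], "terminate")[0],
    }

if __name__ == "__main__":
    for name, action in scenarios().items():
        print(f"{name}: {action}")
```

In the first scenario the scan result is collected but nothing acts on it, which is the symptom described in the question.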

Hi Joe,

Thank you for your reply.

Since I posted my question I have tried the Host Scan feature with DAP, and it is almost working like I want it to. I will give this a couple of days before posting more here. But yes, it seems that DAP is necessary to connect or disconnect based upon AV status.

Best regards,

OPSWAT, the technology that powers the posture assessment, also has an additional product, GEARS, that allows you to expand the endpoint assessment categories to include things like hard disk encryption and if any threats are detected on the endpoint. GEARS is added as a registry check within DAP, to quickly add the additional configurations. 
