12-13-2013 03:51 PM
Hello community,
I recently bought an Advanced Endpoint Assessment license for our ASA5505 to be able to check our remote users, mainly for antivirus and firewall. What I understand is that this feature requires the license mentioned above and also AnyConnect Premium Peers to be enabled. My "show ver" indicates that these licenses are enabled. See below.
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : 50 perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 10 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Enabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Enabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
Now to my question. What do I need to do to enable this feature? No matter what I try, when testing remote access from a Windows 8.1 machine with AnyConnect 3.1.04072, they all get access to the network regardless of my settings made in ASDM.
This is what I have done after the activation of the license and a reboot:
1. From ASDM, "Configuration" --> Remote Access VPN --> Host Scan Image: Browse flash for
hostscan_3.1.04082-k9.pkg and enabled "Enable Host Scan/CSD". Then Apply and Save.
2. Restarted ASDM.
3. From ASDM, Configuration --> Remote Access VPN --> Secure Desktop Manager --> Host Scan --> Configure Advanced Endpoint Assessment ver 3.6.8133.2 --> Added F-Secure.
4. Apply and Save.
When I try to connect with AnyConnect from my Windows 8.1 machine (with no F-Secure antivirus installed) I can see that the AnyConnect client performs a host scan, but no matter what I do the machine will ignore my settings made for the antivirus etc. and get full access.
What am I missing? Do I need to create a DAP as well, or shouldn't this work without one?
Note: Our AnyConnect authenticates using RADIUS with challenge-response, but I guess this wouldn't affect it since the host scan will be performed before the authentication takes place.
Thank you all in advance,
Best Regards,
12-16-2013 05:11 PM
A DAP rule would take care of this. This is where you'd create a rule to look for endpoint attributes such as processes, files, registry keys, or anything else. Based upon matched or unmatched criteria, you can decide whether to let them continue, quarantine them, or drop the connection. DAP rules are capable of much more, but based upon reading the above, it looks like you're wanting them to either connect or disconnect based upon the AV installed. Does this answer your question?
Thank you.
Joe
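To illustrate the behaviour Joe describes, here is a small added model (not Cisco's code and not from this thread) of how DAP records are evaluated against Host Scan endpoint data. The terminate-over-quarantine-over-continue precedence when several records match follows the ASA's documented DAP aggregation; the record format, attribute names such as "av.exists" and the sample endpoint data are assumptions constructed for the example.

```python
# Added example: a toy model of ASA Dynamic Access Policy (DAP) evaluation.
# Not Cisco's implementation; record layout and attribute names are assumed.
from dataclasses import dataclass

# When several DAP records match, terminate overrides quarantine,
# which overrides continue.
ACTION_RANK = {"continue": 0, "quarantine": 1, "terminate": 2}


@dataclass
class DapRecord:
    name: str
    criteria: list          # list of (attribute, expected value) pairs
    action: str = "continue"
    match_all: bool = True  # True = all criteria must match, False = any

    def matches(self, endpoint: dict) -> bool:
        results = [endpoint.get(attr) == value for attr, value in self.criteria]
        if not results:
            return False
        return all(results) if self.match_all else any(results)


def evaluate_dap(records: list, endpoint: dict, default_action: str = "continue"):
    """Return (action, names of matched records).

    With no matching record the default policy (DfltAccessPolicy on the ASA)
    applies, which is why a host without AV is still let in when no DAP record
    has been written for that condition."""
    matched = [r for r in records if r.matches(endpoint)]
    if not matched:
        return default_action, []
    action = max((r.action for r in matched), key=ACTION_RANK.__getitem__)
    return action, [r.name for r in matched]


# Constructed Host Scan results for the Windows 8.1 laptop in the thread.
ENDPOINT_NO_AV = {"os": "Windows", "av.exists": False, "fw.exists": True}
ENDPOINT_WITH_AV = {"os": "Windows", "av.exists": True, "av.vendor": "F-Secure", "fw.exists": True}

# Constructed records: no AV on Windows -> terminate; no firewall -> quarantine.
RULES = [
    DapRecord("No-AV-Terminate", [("os", "Windows"), ("av.exists", False)], "terminate"),
    DapRecord("No-FW-Quarantine", [("fw.exists", False)], "quarantine"),
]

if __name__ == "__main__":
    for label, ep in (("no AV", ENDPOINT_NO_AV), ("F-Secure", ENDPOINT_WITH_AV)):
        print(label, "without DAP ->", evaluate_dap([], ep))
        print(label, "with DAP    ->", evaluate_dap(RULES, ep))
```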
12-17-2013 12:05 AM
Hi Joe,
Thank you for your reply.
Since I posted my question I have tried the Host Scan feature with DAP, and it is almost working like I want it to. I will give this a couple of days before posting more here. But yes, it seems that DAP is necessary to connect or disconnect based upon AV status.
Best regards,
04-24-2014 01:01 PM
OPSWAT, the technology that powers the posture assessment, also has an additional product, GEARS, that allows you to expand the endpoint assessment categories to include things like hard disk encryption and if any threats are detected on the endpoint. GEARS is added as a registry check within DAP, to quickly add the additional configurations.