Clientless VPN HostScan/CSD Bypass

p_warwick
Level 1

Hi,

I'm currently configuring AnyConnect on an ASA with HostScan and dynamic access policies. If the client already has AnyConnect installed it works great: posturing completes and the DAPs are assessed successfully.

My issue is for a new client without AnyConnect installed. If they connect to the ASA interface with webvpn enabled via a browser it attempts to run CSD and ActiveX/Java which is giving mixed results. 

On a Mac running 10.3.1 and Java 8 with Safari the CSD process loops through the Java step indefinitely with the Java console outputting this:

Tue Dec 05 13:12:58 GMT 2017 Failed to download cstub

Chrome fails entirely but allows me to skip to the login page; however, the user cannot log on, as they fall back to the default DAP, which terminates the connection.

On Windows 10 devices it works in some instances; however, the process is finicky: end users have to add sites to trusted sites, tweak Java settings, etc.

I'm not interested in using a clientless VPN, I just want the users to connect to the ASA's webvpn enabled interface, bypass the CSD process and be offered the AnyConnect client as a download to install it manually as it does without hostscan/CSD enabled.

Is this achievable?

Version details:

ASA 9.6(3)3

AnyConnect 4.5.02036

HostScan 4.3.05043

Accepted Solution

Rahul Govindan
VIP Alumni
You can keep a separate tunnel-group for clientless access (say TG1) with csd disabled. Config below:

tunnel-group TG1 webvpn-attributes
without-csd

For that tunnel-group, you can create a group-policy pushing a client XML profile that has the group-url of the production tunnel-group (TG2). Once the user logs in and downloads the client, it would automatically connect to TG1, but they can disconnect. Since the profile has already been downloaded, next time they automatically connect to TG2.


2 Replies

Thank you, here's what I did based on your suggestion.

I created an additional DAP at a lower priority to check for group membership from AD, and linked a network ACL that denies all traffic to that DAP.

Created another tunnel-group/profile with a group URL of https://fqdn/setup and CSD disabled, and linked a group policy pushing a profile to this group.

On first connection the user goes to https://fqdn/setup, gets the client and connects; upon connection, a banner prompts the user to disconnect and then reconnect using the AnyConnect client.

Thanks for your guidance.
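The two-tunnel-group design from the accepted answer and the follow-up above, written out as ASA CLI. This is an added example, not configuration posted in the thread: GP-SETUP, GP-PROD, ACL-DENY-ALL, DAP-SETUP, the profile name and path, and vpn.example.com are assumed names, and the DAP selection criteria (tunnel-group TG1 plus the AD group) are set in the ASDM DAP editor, which is not shown here.

```cisco
! Added example (not from the thread). Assumed names: GP-SETUP, GP-PROD,
! ACL-DENY-ALL, DAP-SETUP, setup-profile, vpn.example.com.
!
! Global webvpn: CSD/HostScan stays enabled for every tunnel-group that does
! not opt out, and the bootstrap profile is registered for pushing to clients.
webvpn
 csd enable
 anyconnect profiles setup-profile disk0:/setup-profile.xml
!
! 1. Bootstrap group-policy: offers the AnyConnect download, pushes the
!    profile whose HostEntry <UserGroup> points at TG2's group-url path,
!    and tells the user to reconnect with the client once installed.
group-policy GP-SETUP internal
group-policy GP-SETUP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 banner value AnyConnect installed. Disconnect and reconnect with the client.
 webvpn
  anyconnect profiles value setup-profile type user
!
! 2. Bootstrap tunnel-group TG1: reachable only via /setup, no CSD prelogin.
tunnel-group TG1 type remote-access
tunnel-group TG1 general-attributes
 default-group-policy GP-SETUP
tunnel-group TG1 webvpn-attributes
 group-url https://vpn.example.com/setup enable
 without-csd
!
! 3. Production tunnel-group TG2: CSD runs, the posture DAPs decide access.
group-policy GP-PROD internal
tunnel-group TG2 type remote-access
tunnel-group TG2 general-attributes
 default-group-policy GP-PROD
tunnel-group TG2 webvpn-attributes
 group-url https://vpn.example.com/prod enable
!
! 4. Guard rail: sessions that land on TG1 match a low-priority DAP with a
!    deny-all network ACL, so the posture-free tunnel carries no traffic.
!    (Selection criteria for DAP-SETUP are configured in ASDM / dap.xml.)
access-list ACL-DENY-ALL extended deny ip any any
dynamic-access-policy-record DAP-SETUP
 network-acl ACL-DENY-ALL
 priority 1
```

Without step 4, TG1 would be a posture-free path into the same VPN; the deny-all DAP is what keeps the bootstrap group usable only for fetching the client.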