Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
588
Views
5
Helpful
2
Replies

Connection Profile, Prelogin Policies, DAPs, Host Scan and VPNs order of operations

douglaswhitwill
Level 1
Level 1

‎09-23-2015 09:01 PM

I'm having a tough time understanding how all the above kind of fit together.  I want to do a basic presentation about the above topics and want to explain them in plain english.  Plus it helps me study for CCNA security.
 
So a user makes a request for remote access via anyconnect.  The ASA needs to figure out what connection profile the user belongs to.  This can be done via URL, chosen by the user via drop down menu or checking contents of a certificate already setup on the user machine.  A connection profile is chosen based on the above.  If nothing matches are the default connection profiles then used?
 
Before the user gets a login prompt the prelogin policy is ran for each and every VPN connection attempt (that belongs to a connection profile).  It seems as though ALL VPN users use the same prelogin policy map, is this correct?  When the connection passes the prelogin checks and hits the green 'accept' then it continues to be processed by the other components.  Does the 'accept' NEED to be referenced in another other component of the ASA or is referencing the 'accept' optional?
 
Host scan is then processed?  From the description in the ASA it sounds like the attributes you check for in host scan are stored in the endpoint attribute which can be used later in a DAP.  So if we are checking for AVAS software to be present and its not then will it automatically be denied or do we need to setup a DAP to take action?
 
DAP then processes the connection and adds/denies rights based on which of the DAPs are matching.  If none match then it will use the default DAP policy.
 
Unfortunately I don't have access to a lab at my place of work, only production gear so I can only use a read only approach to understanding.
 
I also wonder why in the ASDM there is a spot to upload/activate (Setup) 'Secure Desktop Manager' but then there is 'Host Scan Image' section that I used to activate 'Host Scan'?  After I activated it it seems like Secure Desktop is now available to me.  From what I read it seems like Host Scan is a sub feature of 'Secure Desktop Manager'.
 
Any help to these question is appreciated!
Labels:
0 Helpful
2 Replies 2

rvarelac
Level 7
Level 7

‎09-24-2015 09:26 PM

Hi Douglas , 

 If nothing matches are the default connection profiles then used?

Yes , if there is not a URL/alias or matching method ( AAA assignment , certificate mapping , etc) the connection falls into the default tunnel-group.

 It seems as though ALL VPN users use the same prelogin policy map, is this correct?

The pre-login policy is configured under a DAP rule , everytime a user attempts to authenticate the ASA checks all the DAPs rules and put the user into the ones they match based on the DAP requirements.

 Does the 'accept' NEED to be referenced in another other component of the ASA or is referencing the 'accept' optional?

If the user does not pass the pre-login policy won't be able to go further , if they pass the pre-login policy then the other rules are checked. 

So if we are checking for AVAS software to be present and its not then will it automatically be denied or do we need to setup a DAP to take action?

Normally on the DAP configuration, is a default DAP rule that have as action terminate , if the user does not match any DAP rule, falls into this policy and the connection is closed.

I also wonder why in the ASDM there is a spot to upload/activate (Setup) 'Secure Desktop Manager' but then there is 'Host Scan Image' section that I used to activate 'Host Scan'?

Secure desktop was used with the predecessor of hostscan ( CSD) and most of their components are already depreciated. At this point only hostscan is supported , if you upgrade your ASDM most likely that option will not appear any longer. 

 

hope it helps

-Randy-

 

 

douglaswhitwill
Level 1
Level 1
In response to rvarelac

‎09-24-2015 10:56 PM

Hi Randy,

 

Thanks for the input!  I just want to clarify one of the questions/answers.

Q2: It seems as though ALL VPN users use the same prelogin policy map, is this correct?

A2: The pre-login policy is configured under a DAP rule , everytime a user attempts to authenticate the ASA checks all the DAPs rules and put the user into the ones they match based on the DAP requirements.

Followup2: Let me rephrase...  If we check for IP address in the 192.168.10.0/24 network in the decision tree of the prelogin policy then whom ever connects will be checked for that network as well?

0 Helpful
Customers Also Viewed These Support Documents