09-23-2015 09:01 PM
09-24-2015 09:26 PM
Hi Douglas,
If nothing matches are the default connection profiles then used?
Yes, if there is no URL/alias or matching method (AAA assignment, certificate mapping, etc.), the connection falls into the default tunnel-group.
It seems as though ALL VPN users use the same prelogin policy map, is this correct?
The pre-login policy is configured under a DAP rule. Every time a user attempts to authenticate, the ASA checks all the DAP rules and puts the user into the ones they match based on the DAP requirements.
Does the 'accept' NEED to be referenced in any other component of the ASA or is referencing the 'accept' optional?
If the user does not pass the pre-login policy, they won't be able to go further; if they pass the pre-login policy, then the other rules are checked.
So if we are checking for AVAS software to be present and it's not, then will it automatically be denied or do we need to set up a DAP to take action?
Normally in the DAP configuration there is a default DAP rule that has the action terminate; if the user does not match any DAP rule, they fall into this policy and the connection is closed.
I also wonder why in the ASDM there is a spot to upload/activate (Setup) 'Secure Desktop Manager' but then there is a 'Host Scan Image' section that I used to activate 'Host Scan'?
Secure Desktop was used with the predecessor of Hostscan (CSD) and most of its components are already deprecated. At this point only Hostscan is supported; if you upgrade your ASDM, most likely that option will not appear any longer.
Hope it helps.
-Randy-
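The evaluation order Randy describes (every DAP record is checked, the session collects all the records it matches, and a session matching none falls into the default record whose action is terminate) is easy to misread, so here is a small added model of it in Python. This is constructed example code, not Cisco's implementation or an ASA configuration; the rule names, the endpoint attributes and the 192.168.10.0/24 check from the follow-up question are assumptions, as is the aggregation rule that a terminate action in any matched record wins.

```python
import ipaddress

# Constructed model of ASA DAP evaluation (assumption, not the real engine):
# every record is tested, all matching records are aggregated into the
# session, and a session that matches nothing gets DfltAccessPolicy.
CORP_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed corporate subnet

def has_antivirus(endpoint):
    """Endpoint check: Hostscan reported an antivirus product present."""
    return bool(endpoint.get("antivirus"))

def on_corp_subnet(endpoint):
    """Endpoint check: the client address lies inside CORP_NET."""
    return ipaddress.ip_address(endpoint["ip"]) in CORP_NET

def off_net_contractor(endpoint):
    """Connection check: contractor tunnel-group while off the corporate net."""
    return endpoint.get("tunnel_group") == "CONTRACTORS" and not on_corp_subnet(endpoint)

# Assumed DAP records. Each has a name, an action and the checks it requires.
DAP_RULES = [
    {"name": "Corp-Subnet", "action": "continue", "requires": [on_corp_subnet]},
    {"name": "AV-Present", "action": "continue", "requires": [has_antivirus]},
    {"name": "Contractor-Off-Net", "action": "terminate", "requires": [off_net_contractor]},
]
DEFAULT_DAP = {"name": "DfltAccessPolicy", "action": "terminate", "requires": []}

def evaluate(endpoint, rules=DAP_RULES, default=DEFAULT_DAP):
    """Return (action, matched_record_names) for one connection attempt."""
    matched = [r for r in rules if all(check(endpoint) for check in r["requires"])]
    if not matched:                      # nothing matched: default record applies
        return default["action"], [default["name"]]
    # Aggregation assumption: any terminate among the matched records wins.
    action = "terminate" if any(r["action"] == "terminate" for r in matched) else "continue"
    return action, [r["name"] for r in matched]

if __name__ == "__main__":
    # Constructed sample endpoints: on-net with AV, off-net without AV, off-net contractor.
    for ep in ({"ip": "192.168.10.5", "antivirus": "ProductX"},
               {"ip": "10.0.0.3", "antivirus": None},
               {"ip": "10.0.0.3", "antivirus": "ProductX", "tunnel_group": "CONTRACTORS"}):
        print(ep, "->", evaluate(ep))
```

The second endpoint shows the question about a missing antivirus: no record needs to say "deny" explicitly, because falling into the default record already terminates the session.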
09-24-2015 10:56 PM
Hi Randy,
Thanks for the input! I just want to clarify one of the questions/answers.
Q2: It seems as though ALL VPN users use the same prelogin policy map, is this correct?
A2: The pre-login policy is configured under a DAP rule. Every time a user attempts to authenticate, the ASA checks all the DAP rules and puts the user into the ones they match based on the DAP requirements.
Followup2: Let me rephrase... If we check for an IP address in the 192.168.10.0/24 network in the decision tree of the prelogin policy, then whoever connects will be checked for that network as well?