Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
661
Views
0
Helpful
3
Replies

DAP Endpoints

snormoyle
Level 1
Level 1

‎01-19-2018 03:20 AM - edited ‎03-12-2019 04:55 AM

I am trying to configure the DAP policy to check the registry for domain values.  the person connecting can only connect from certain domains. It works if I only have one endpoint.  If I add multiple endpoints it fails.

 

It seems like instead of treating the entries as Match-Any (OR) it is being treated as Match-All(AND).

 

So has anybody had success with using multiple registry scans

Labels:
0 Helpful
3 Replies 3

GioGonza
Level 4
Level 4

‎01-19-2018 05:36 AM

Hello @snormoyle

 

In order to know what is happening with the DAP check on the ASA, we need the outputs from the following commands: 

 

debug dap trace

debug menu dap 2

 

After you apply the commands try to connect and share the outputs here. Do the previous tests you already did. 

 

HTH

Gio

0 Helpful

snormoyle
Level 1
Level 1
In response to GioGonza

‎01-19-2018 07:06 AM

Not sure if can upload the output of trace.  waiting on the security group to think about it.  I have attached the screenshot from ASDM showing it.

 

If i use just one endpoint entry this works fine, but when I put multiple endpoint entries it will terminate the connection even though a user is coming from an authorize domain.

Preview file
50 KB
0 Helpful

GioGonza
Level 4
Level 4
In response to snormoyle

‎01-19-2018 12:31 PM

Hello @snormoyle

 

In order to know what is the ASA doing when you try to log in is with the outputs of the commands I presented before, without it this task is impossible, since we are not going to be able to check what is the ASA doing with information received by the machine (if it is received). 

 

If for security reasons you cannot upload the outputs for the commands, in my honest opinion (I don´t want to be rude) but I would recommend to open a case with Cisco TAC and review the information with them. With the outputs you can do the following: 

 

1. Verify if the ASA is receving the information from the machine. 

2. Verify the syntax of the DAP you configured on the ASA. 

3. Verify how the ASA checks what he received from the machine vs DAP. 

4. Check the reason why it is not working and apply changes accordingly. 

 

Without the debugs, it is virtually impossible. 

 

HTH

Gio

0 Helpful
Customers Also Viewed These Support Documents