Windows registry key check before AnyConnect SBL

Chess Norris
Level 4

Hello,

Is there any way to do a Windows registry check before AnyConnect SBL? I know ISE posture can do this, but I think the user is required to log in before the posture agent will work, so I don't think it will work with SBL.

Thanks

/Chess

8 Replies

@Chess Norris TBH I've not tried SBL and ISE Posture together, but as SBL requires the user to log in to AnyConnect, I don't see why ISE posture would not run and then be able to check the registry.

Or do you want the Mgmt tunnel feature to perform the registry check before the user even connects to SBL?

The idea here is to make the solution transparent to the users, so they will be using machine certificates but also a registry key check will be necessary before they can connect to the VPN.

If it's possible, I would like to perform the registry check without ISE posture, and I was thinking about the HostScan or the new Secure Firewall Posture feature that are built into AnyConnect.

/Chess

@Chess Norris if you are authenticating using a machine certificate, that is generally considered enough to confirm the machine is a legitimate corporate-owned device, as the certificate would come from AD via GPO.

With FTD (7.x +) or ASA you can use Dynamic Access Policies (DAP) to check the registry. You wouldn't use ISE Posture as well, if using DAP. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd_dap_usecases.html

Thanks Rob. Do you know if DAP also will work with SBL?

/Chess

@Chess Norris I've not read that it does nor does not work with SBL. What the docs do state is "the Firepower Threat Defense checks the configured DAP records and attributes when a user attempts a VPN connection." - so on that basis I'd expect that when the user logs in to AnyConnect via SBL the DAP records are checked.

Gustavo Medina
Cisco Employee

One of the prerequisites for ISE posture is that the user should be logged in. We have an ENH to support this: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvz13178

As documented in the Admin Guide, if you go with HostScan (now Secure Firewall Posture), you must install the VPN Posture predeploy module on the endpoints to achieve full HostScan functionality, since SBL is pre-login. https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/configure_vpn.html#ID-1428-00000097 

You need HostScan to collect the data from the endpoint which will be then evaluated by DAP.

This also applies for management-tunnel.

Adding to the above, HostScan (Secure Firewall Posture) is an optional Secure Client module. It scans a user's machine and provides the results to the headend. It itself does not do anything with that information. Even without HostScan installed, AnyConnect (now Secure Client) still sends the following info: client version, operating system, device type (e.g. Lenovo 20EGS0AE00) & unique ID, MAC address.

• When HostScan is enabled, the following additional info is also sent: TCP ports in listening state, certificates, Microsoft updates.

FYI - you need to have Endpoint Assessment enabled to be able to send registry key info for DAP evaluation.
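Since the registry value has to be present and readable on the endpoint before the HostScan/Secure Firewall Posture module can report it and DAP can evaluate it, here is an added pre-flight check to run on a test Windows machine before rolling the DAP rule out. It is an example written for this thread, not code from Cisco or from any poster. The key `HKLM:\SOFTWARE\Contoso\VPN`, the value name `Compliant` and the expected data `1` are hypothetical placeholders for whatever the DAP rule will test; the Secure Client module is located by its Add/Remove Programs entry, which is an assumption about the installer rather than a documented interface.

```powershell
# Added example, not from the thread. Pre-flight check for a DAP registry rule
# used together with SBL.
#
# Assumptions (hypothetical, adjust to your environment):
#   - the DAP rule tests HKLM:\SOFTWARE\Contoso\VPN\Compliant == 1
#   - the posture module shows up in the Uninstall registry hive with a
#     DisplayName containing "Posture" or "HostScan"
#
# The value is deliberately placed under HKLM: with SBL the connection is made
# before any user logs on, so no HKCU hive for the user is loaded yet, and a
# per-user value would not be visible to the pre-login scan.

$RegPath  = 'HKLM:\SOFTWARE\Contoso\VPN'   # hypothetical key checked by DAP
$RegName  = 'Compliant'                    # hypothetical value name
$Expected = 1                              # hypothetical expected data

function Test-DapRegistryValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Expected
    )
    # -ErrorAction SilentlyContinue: a missing key or value yields $null
    # instead of a terminating error, so the check just reports "not present".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$Name -eq $Expected)
}

function Test-PostureModuleInstalled {
    # Look in both the native and the WOW6432Node uninstall hives, since the
    # installer may register in either depending on bitness.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entries = Get-ItemProperty -Path $hives -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Posture*' -or $_.DisplayName -like '*HostScan*' }
    return [bool]($entries | Select-Object -First 1)
}

# Report both conditions; DAP can only evaluate the registry value if the
# module that collects it is installed AND the value exists where the rule looks.
$regOk    = Test-DapRegistryValue -Path $RegPath -Name $RegName -Expected $Expected
$moduleOk = Test-PostureModuleInstalled

[PSCustomObject]@{
    RegistryValuePresentAndMatching = $regOk
    PostureModuleInstalled          = $moduleOk
    ReadyForDapRegistryCheck        = ($regOk -and $moduleOk)
} | Format-List
```

Run it elevated on a machine that has the machine certificate and the posture module deployed; if `ReadyForDapRegistryCheck` is `False`, fix the endpoint before spending time on the DAP rule itself, since a rule that never sees the attribute will simply fail to match.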

Chess Norris
Level 4

Thanks for all the answers. Really helpful.

/Chess