ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Assessment

Oct 5th, 2007

I'm trying to get an ASA to perform Endpoint Assessment using the Cisco Secure Desktop and the basic Endpoint Assessment v.

From what I can tell I have the configuration set up correctly; however, when I connect via CSD it doesn't appear that the assessment is taking place. In ASDM I can "Test Dynamic Access Policy" and the tests have the expected outcome of continue or terminate based on whether or not anti-virus is present; however, doing a "debug dap trace" on the ASA shows the following output:

woodlands# DAP_TRACE: DAP_open: D6C35840
DAP_TRACE: DAP_add_CSD: csd_token = [20A40F8465D3F1972FFA9416]
DAP_TRACE: Username: networkz, = namroc
DAP_TRACE: Username: networkz, = networkz
DAP_TRACE: Username: networkz, = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["class"] = "namroc";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"] = "networkz";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.policy.location = "Namroc"; = "secure desktop";
endpoint.hostname = "<<masked by moderator>>";
DAP_TRACE: Username: networkz, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 35%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: networkz, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: networkz, DAP_close: D6C35840

It looks to me from this information that the ASA isn't reporting any information about the anti-virus when I connect, and therefore it isn't selecting the DAP to continue. I've tried this on two different ASA boxes with different AV vendors and neither one has worked. Has anyone gotten this to work?
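As an added illustration (not code from the thread or from Cisco), the attribute tree the trace above builds can be reconstructed as plain Lua tables to show why an anti-virus rule has nothing to match: the trace contains OS, policy and AAA attributes but no endpoint.av data at all. The vendor key "ExampleAV" and the record shape { exists = true } are placeholders for whatever Host Scan would supply, not real DAP attribute names.

```lua
-- Attribute tree exactly as the "debug dap trace" output above populates it.
aaa = { cisco = { class = "namroc", username = "networkz",
                  tunnelgroup = "DefaultWEBVPNGroup" } }
endpoint = {
  application = { clienttype = "Clientless" },
  os          = { version = "Windows XP", servicepack = "2" },
  policy      = { location = "Namroc" },
  hostname    = "masked",
  -- Note: no endpoint.av table is present, matching the trace.
}

-- True only when Host Scan has reported an AV product under the given
-- (placeholder) vendor key. Indexing endpoint.av directly would raise a
-- Lua error when the table is missing, so the presence is checked first.
local function av_present(vendor)
  local av = endpoint.av
  if type(av) ~= "table" then return false end
  local rec = av[vendor]
  return type(rec) == "table" and rec.exists == true
end

-- A "continue" rule that needs both the expected OS and an AV product.
local function dap_continue()
  return endpoint.os.version == "Windows XP" and av_present("ExampleAV")
end

-- Evaluated against the captured trace: no AV data, so the rule cannot
-- match, which is consistent with "selected 0 records".
print("as captured:", dap_continue())

-- Same rule once Host Scan actually delivers AV data (constructed sample).
endpoint.av = { ExampleAV = { exists = true, version = "10.0" } }
print("with AV data:", dap_continue())
```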

Kevin Xiong Fri, 10/05/2007 - 18:07

We have both Basic and Advanced Endpoint Assessment v. 2.4.x on the ASA 8.0.2(15) interim release. No luck making the DAP work properly. The DAP didn't pick up the criteria properly.

s-andersson Thu, 12/20/2007 - 05:04

I have the problem too. I can make it work with simple OS detection, but when I try to set up the AV check it doesn't work. Have you made any progress since you wrote this message?


jcorman Thu, 12/20/2007 - 06:08

What version of CSD are you running? Since posting this they have released a newer version that I'm told has resolved the issue, but I haven't had a chance to check it.

s-andersson Thu, 12/20/2007 - 06:04

Hi again,

I talked to my Cisco presales contact in the security area. He told me that Advanced Endpoint Security is a third-party license, so you will have to buy that as well. The product license is ASA-ADV-END-SEC.

//Stefan Andersson

jcorman Thu, 12/20/2007 - 06:10

You should be able to get the "Basic" endpoint assessment to work without the license though. The basic still includes AV and AS features. If you want the advanced features then you'll need the additional license.

s-andersson Thu, 12/20/2007 - 06:42

Not according to the presales guy Hakan Nohre, who is a well-known security guy at Cisco, speaker at Networkers and so on. But I will probably have my license tonight, so I can give you an answer tomorrow as to whether it is working or not.

jcorman Thu, 12/20/2007 - 07:08

Please do let me know once you have your license if it works. Also, if you wouldn't mind just as a test, try using just the basic options even with the license and see if they work as you are trying now. I'll also try on my ASA today without a license with the newest version of CSD. Thanks.

s-andersson Tue, 01/15/2008 - 04:12

Sorry for not replying earlier. Yes, it's now working fine. The license that I received is tied to my serial, so you will have to contact Cisco sales people.

I have now ordered a license for my ASA. ;)

jcorman Wed, 01/23/2008 - 07:55

Thanks for the information - I did some more debugs and did notice more information being sent with the newer versions, but you are right, it must just require the license to be fully functional. Thanks again.