Location Aware policies with CSA 6

Unanswered Question
Feb 9th, 2009
User Badges:

Hi,


Does anyone have experience with creating location aware policies in CSA? I'm trying to create a policy which contains 3 location aware rule modules.


Is there a limit on the number of location aware rule modules that can be a used in a policy?


The rules in the location aware modules aren't being applied even though the criteria are being met.


There doesn't seem to be much documentation out there. I followed: http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/secwlandg20/csa_mobile_secure.html



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
tsteger1 Mon, 02/09/2009 - 10:33
User Badges:
  • Red, 2250 points or more

The most common problem I've seen with this is when the host cannot determine it's location.


This is usually due to either connection specific DNS, DNS devolution or DNS domain misconfiguration.


I don't believe there is a limit to the number of location aware rule modules.


Tom

watsoncisco Tue, 02/10/2009 - 01:24
User Badges:

Thanks for the reply.


I was guessing that I may have trouble with DNS so am not including anything to do with DNS at this stage.


I currently have a policy that includes 2 location aware rule modules; On-LAN and Off-LAN.


The On-LAN policy is designed to block Firefox when a client is on LAN and the only system state variable is that the MC is reachable.


The Off-LAN policy is designed to block Internet Explorer when a client is Off LAN. The system state is effectively the reverse of the On-LAN system state in that the MC should not be reachable.


The On-LAN system state was included first and works, I then added the Off-LAN rule module but this system state isn't detected when the client is taken off the LAN.


I've even gone very explicit with the rule modules which hasn't worked i.e. On-LAN but not Off-LAN and Off-LAN but not On-LAN respectively.


Everything that can be has been set the same i.e. Log, Take Precedence over other rules.


Any ideas much appreciated.

jan.nielsen Tue, 02/10/2009 - 18:27
User Badges:
  • Gold, 750 points or more

MC Reachable is not that fast in detecting reachability in my experience, so have patience, and look in the registry under HKLM\SYSTEM\CurrentControlSet\Services\csacenter\Persistent\@SysState there the active system state sets will appear, much easier than looking in the MC. You should also use DNS instead, if your MC is down, then your machines on the LAN would still be in off-lan with your current ruleset.

I have actually developed a little tray utility that looks for those reg keys and displays a green/red or black flag in the tray so you can see if you are offline or online with regards to csa states. check it out here if you want : http://www.csaforum.dk/csamon20.zip


watsoncisco Wed, 02/11/2009 - 00:35
User Badges:

I had a look at this registry yesterday, the On-LAN state is detected and a registry key shows up for it under the path you mentioned but when the laptop goes Off-LAN the key disappears but is not replaced by an Off-LAN version.


There is a key for MC reachability and Ethernet Active also which disappears when I unplug the Ethernet cable to simulate Off-LAN.


Thanks very much for the link, I will have a look at that just now.

tsteger1 Wed, 02/11/2009 - 13:47
User Badges:
  • Red, 2250 points or more

You can also look in the csalog.txt to see when MC Reachability state has been set to 'Not Reachable' and 'Reachable'.


It should change almost immediately.


I did a test where if the MC was unreachable, saving to USB was disabled and if it was reachable, you couldn't paste anything copied from Adobe Reader to the clipboard and both worked as expected.


Tom

Actions

This Discussion