ASA using Dynamic Access Policy for VPN?

Unanswered Question
Jul 24th, 2009

Hello Experts,

We are using remote VPN to ASA 8.2(1) and have successfully configured Windows Location Settings to check for version & Registry key, and are using dual-factor authentication. We would like to do further post-auth endpoint checking for anti virus checking and thought we could do this with Dynamic Access Policy, but we can't seem to get the session to use anything but the default policy.

We want to ensure that only our endpoints are allowed to connect and reject everything else, and we do not wish to use Secure Desktop. Should it be possible to apply DAP without Secure Desktop?

aghaznavi Thu, 07/30/2009 - 15:05

The security appliance obtains endpoint security attributes by using posture assessment methods that you configure. These include Cisco Secure Desktop and NAC.

The security appliance uses a DAP policy when the user attributes match the configured AAA and endpoint attributes. The Prelogin Assessment and Host Scan modules of Cisco Secure Desktop return information to the security appliance about the configured endpoint attributes, and the DAP subsystem uses that information to select a DAP record that matches the values of those attributes.

Most, but not all, antivirus, antispyware, and personal firewall programs support active scan, which means that the programs are memory-resident, and therefore always running. Host Scan checks to see if an endpoint has a program installed, and if it is memory-resident as follows:

• If the installed program does not support active scan, Host Scan reports the presence of the software. The DAP system selects DAP records that specify the program.

• If the installed program does support active scan, and active scan is enabled for the program, Host Scan reports the presence of the software. Again, the security appliance selects DAP records that specify the program.

• If the installed program does support active scan and active scan is disabled for the program, Host Scan ignores the presence of the software. The security appliance does not select DAP records that specify the program. Further, the output of the debug trace command, which includes a lot of information about DAP, does not indicate the program presence, even though it is installed.
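The three Host Scan rules above, and the "AAA plus endpoint attributes" matching that picks a DAP record, can be modelled in a few lines. The following is an added illustration written for this thread, not Cisco code and not the ASA's actual DAP implementation; the program names, group names and record names are constructed, and the model deliberately reproduces the third rule, where a product with active scan disabled is silently left out of the report so no record keyed on it can match and the session falls back to the default policy.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class InstalledProgram:
    """An antivirus/antispyware/firewall product present on the endpoint (constructed model)."""
    name: str
    supports_active_scan: bool
    active_scan_enabled: bool


def host_scan_report(programs: Iterable[InstalledProgram]) -> FrozenSet[str]:
    """Model of what Host Scan reports to the appliance for each installed program."""
    reported = set()
    for p in programs:
        if not p.supports_active_scan:
            reported.add(p.name)        # rule 1: no active scan support -> presence reported
        elif p.active_scan_enabled:
            reported.add(p.name)        # rule 2: active scan supported and on -> presence reported
        # rule 3: active scan supported but disabled -> presence ignored (not reported at all)
    return frozenset(reported)


@dataclass(frozen=True)
class DapRecord:
    """A DAP record: AAA attributes (groups) and endpoint attributes (programs) it requires."""
    name: str
    required_groups: FrozenSet[str] = frozenset()
    required_programs: FrozenSet[str] = frozenset()


# The built-in fallback record the thread refers to as "the default policy".
DEFAULT_RECORD = DapRecord("DfltAccessPolicy")


def select_dap_records(records: Iterable[DapRecord],
                       user_groups: FrozenSet[str],
                       reported_programs: FrozenSet[str]) -> List[DapRecord]:
    """Select every non-default record whose AAA and endpoint attributes are all satisfied;
    if none match, only the default record applies."""
    matches = [r for r in records
               if r.required_groups <= user_groups
               and r.required_programs <= reported_programs]
    return matches or [DEFAULT_RECORD]


if __name__ == "__main__":
    # Constructed endpoint: one legacy product, one managed product with active scan on,
    # and one product whose active scan has been switched off.
    endpoint = [
        InstalledProgram("LegacyAV", supports_active_scan=False, active_scan_enabled=False),
        InstalledProgram("CorpAV", supports_active_scan=True, active_scan_enabled=True),
        InstalledProgram("DisabledAV", supports_active_scan=True, active_scan_enabled=False),
    ]
    records = [
        DapRecord("corp-av-ok", frozenset({"vpn-users"}), frozenset({"CorpAV"})),
        DapRecord("disabled-av-present", frozenset(), frozenset({"DisabledAV"})),
    ]
    report = host_scan_report(endpoint)
    print("Host Scan reported:", sorted(report))
    for r in select_dap_records(records, frozenset({"vpn-users"}), report):
        print("selected DAP record:", r.name)
```

Running it shows `DisabledAV` absent from the report even though it is installed, so `disabled-av-present` never matches; the same endpoint seen by a user outside `vpn-users` matches nothing and gets `DfltAccessPolicy`, which is the symptom the original post describes.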

bfbcnet Fri, 07/31/2009 - 01:28

Thanks for your reply. What I don't really understand is exactly what is possible without using Secure Desktop or NAC.

We only want to allow our own hosts to connect, and as part of verifying this we want to check for the existence of a particular anti-virus software and that it has been updated recently.

Is there a matrix somewhere of what component can check for what?
