ASA checks AnyConnect VPN Computer Name

Answered Question
Mar 2nd, 2010

Hello All,


I have searched the forums and documentation but haven't found a solution to my problem.  I am guessing it comes up occasionally but maybe I am searching for the wrong thing.  We have rolled out AnyConnect to all of our laptops but are struggling with employees who are getting the AnyConnect software from other sources and installing it on home PCs.  We are a governmental agency, although fairly small, but we have security policies in place and I need to lock it down so users cannot connect to the VPN unless they are on a work PC connected to our AD domain.  I've found one possible solution is to use Dynamic Access Policies within the ASA to check the Windows computer name.  So I set up LDAP and created a policy to check an AAA attribute.  It allows me to select "MemberOf", which I assume is the user group, but I need to check the computer name on the client before it allows access.


Stepping back from what I have already done, does anyone know of an easier or more logical way to lock down on what computers the AnyConnect VPN client can be used?


Or if I am going about it the right way with dynamic access policies, does anyone have suggestions or know of documentation that assists in configuring things correctly when checking computer name LDAP attribute?


Thanks!


JD

Correct Answer by Herbert Baerten (Cisco Employee), Wed, 03/03/2010 - 01:39
Hi Joe,


You don't need LDAP for this, what you need is CSD (Cisco Secure Desktop) combined with DAP.

After you enable CSD, edit your DAP policy, and instead of an AAA attribute like you were trying, add an endpoint attribute (on the right-hand side).

To check on hostname, select attribute type "device".

Alternatively you can also enable Host Scan (under CSD) and let CSD check for the presence of a file with a certain filename, or a registry entry, or a process name. CSD will pass the result of this check to DAP, so you can use it in a policy (endpoint attributes of type process, registry and file).


One other alternative is to use CSD with a pre-login policy - this does not allow you to check on hostname but it does allow checking on ip address, OS type, certificate as well as presence of a process, registry key, file. In that case you don't need DAP.


hth

Herbert

joedavis123 Wed, 03/03/2010 - 10:58

Hi Herbert,


I did install CSD on the ASA but hadn't enabled it until I knew it would be necessary.  We just rolled out AnyConnect to all of our users by installing the software on their PCs and it sounds like I need to do the same with CSD, is that correct?


Thanks,


JD

Herbert Baerten Wed, 03/03/2010 - 11:22
Cisco Employee

JD,


you can pre-install CSD (as from version 3.5) but you don't have to. When AnyConnect establishes a tunnel, it will download CSD from the ASA and run it.


Unless of course your users do not have admin privileges, then pre-installation could be necessary, depending on what you want CSD to do.


BTW the same is true for the AnyConnect client itself: if a user has local admin rights and does not have the client installed, he can point his browser to the ASA, log in and download the client (and optionally keep it installed).


hth

Herbert

joedavis123 Wed, 03/03/2010 - 11:34

Our users aren't administrators on their machines so that might be an issue. I'm considering the best way to validate our clients with an endpoint attribute and I think either a file or registry key will be the best way. If users are not administrators on their machines and they connect to the VPN with only AnyConnect installed, do you think that will work, or I will still need to pre-install CSD on each machine?  I could probably just push it out through a group policy in AD, but just trying to figure out if it is required in the first place.


Also I really appreciate you taking the time to answer my questions.

Herbert Baerten Wed, 03/03/2010 - 23:31
Cisco Employee

If the users do not have admin rights, then AnyConnect should still download and run CSD when connecting, but CSD will not be able to do all the host checks that it would be able to do if it had admin rights.

e.g. it will not be able to check if a certain file exists, if that file is in a directory that the user does not have access to.

Registry access to be honest I'm not sure of, but I assume non-admin users still have read access to the registry so that should be ok.


hth

Herbert

joedavis123 Thu, 03/04/2010 - 09:10

Looks like you are correct in respect to a non-admin user accessing the registry.  I had CSD check the "Domain" key in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, and for a computer that is not on our domain it is terminating the connection.  A savvy user could bypass this on their home computer, but where I work I don't think we have to worry about that.  Thanks again for all of your help Herbert, it is much appreciated.


JD
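The registry check JD describes can be reproduced on the client to see what a Host Scan registry rule would read, and whether the logged-in user could tamper with the value. The PowerShell script below is an added example, not code from this thread or from Cisco; the domain name 'corp.example.gov' is a placeholder assumption, and the only registry key it touches is the Tcpip\Parameters key named in the thread (it never writes to it).

```powershell
# Added example, not code from the original thread. Run as the standard
# (non-admin) user on a client to see what a registry-based endpoint check
# like JD's would observe, and whether that user could tamper with it.
# Assumption: 'corp.example.gov' is a placeholder for your AD DNS domain name.

$ExpectedDomain = 'corp.example.gov'
$SubKey = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Path   = "HKLM:\$SubKey"

# Open the key with the requested access level; returns $true only if the
# current user can actually obtain that access. No values are modified.
function Test-KeyAccess {
    param([string]$SubKey, [bool]$Writable)
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $Writable)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        # SecurityException / UnauthorizedAccessException mean access denied
        return $false
    }
}

# 1. The value JD checks. HKLM is readable by standard users, which is why
#    the check works even though CSD runs without admin rights.
$tcpipDomain = (Get-ItemProperty -Path $Path -Name Domain -ErrorAction SilentlyContinue).Domain

# 2. A stronger signal: the OS's own record of domain membership. The Tcpip
#    'Domain' value is only the primary DNS suffix; it is set on domain join
#    but an administrator can also set it by hand on a PC that was never joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

$passes = ($tcpipDomain -ieq $ExpectedDomain) -and [bool]$cs.PartOfDomain

$result = [pscustomobject]@{
    Hostname     = $env:COMPUTERNAME   # what a DAP endpoint attribute of type 'device' sees
    KeyReadable  = Test-KeyAccess -SubKey $SubKey -Writable $false
    KeyWritable  = Test-KeyAccess -SubKey $SubKey -Writable $true
    TcpipDomain  = $tcpipDomain
    PartOfDomain = $cs.PartOfDomain
    CimDomain    = $cs.Domain
    PassesCheck  = $passes
}

$result | Format-List

if ($result.KeyWritable) {
    Write-Warning "This account can rewrite $Path\Domain, so the registry check is spoofable from this PC."
}
if (-not $result.PassesCheck) {
    Write-Warning "This machine would be denied by a DAP rule requiring Domain = $ExpectedDomain."
}
```

Run it twice: once as a standard user on a domain-joined work PC (expect KeyReadable true, KeyWritable false, PassesCheck true) and once as the local administrator on a home PC (KeyWritable true). The second run illustrates the bypass JD mentions: anyone with admin rights on a non-joined machine can set the primary DNS suffix to match, which is why the Win32_ComputerSystem PartOfDomain value, or the certificate check David suggests later in the thread, is a more trustworthy basis for the decision than the DNS suffix alone.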

raslan.a.s Wed, 03/19/2014 - 01:00

Hi Joe/Herbert,

Can either of you share the exact steps you followed to enable the registry-key check of a domain machine and allow AnyConnect to establish the connection?

Our users are not admins on their machines and we are willing to use the registry check.

Looking forward to hearing from you guys.

Thanks in advance.

Regards,

raslan


David Cebula Thu, 03/04/2010 - 09:43

Do you have a PKI to issue certificates to your Computers?

If so you can just have CSD do a certificate check and use that in DAP.

joedavis123 Tue, 09/09/2014 - 14:59

Hi David,


We do not currently have a PKI but that is something I am looking into setting up in the near future. Thank you for the suggestion.


raslan.a.s Wed, 03/19/2014 - 00:55

Hi Joe,

I have the same scenario as yours. I tried enabling basic Host Scan and using a DAP with it, but the users are either allowed or denied based on the policy which I set. It doesn't stop them as we wanted.


Can you give me the steps that you used to enable this? It will be a great help as we are running out of time to implement this.

We have already configured AnyConnect to allow only domain users based on LDAP, but now we have to stop computers other than domain machines.

Looking forward to hearing from you.

Thanks in advance.

Raslan
