Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9930
Views
9
Helpful
10
Replies

ASA checks AnyConnect VPN Computer Name

Go to solution
joedavis123
Level 1
Level 1

‎03-02-2010 09:54 AM - edited ‎02-21-2020 04:31 PM

Hello All,

I have searched the forums and documentation but haven't found a solution to my problem.  I am guessing it comes up occasionally but maybe I am searching for the wrong thing.  We have rolled out AnyConnect to all of our laptops but are struggling with employees who are getting the AnyConnect software from other sources and installing it on home PCs.  We are a governmental agency, although fairly small, but we have security policies in place and I need to lock it down so users cannot connect to the VPN unless they are on a work PC connected to our AD domain.  I've found one possible solution is to use Dynamic Access Policies within the ASA to check the Windows computer name.  So I set up LDAP and created a policy to check an AAA attribute.  It allows me to select "MemberOf", which I'm assuming that is the user group, but I need to check the computer name on the client before it allows access.

Stepping back from what I have already done, does anyone know of an easier or more logical way to lock down on what computers the AnyConnect VPN client can be used?

Or if I am going about it the right way with dynamic access policies, does anyone have suggestions or know of documentation that assists in configuring things correctly when checking computer name LDAP attribute?

Thanks!

JD

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎03-03-2010 01:39 AM

Hi Joe,

You don't need LDAP for this, what you need is CSD (Cisco Secure Desktop) combined with DAP.

After you enable CSD, edit your DAP policy, and instead of an AAA attribute like you were trying, add an endpoint attribute (on the righ-hand side).

To check on hostname, select attribute type "device".

Alternatively you can also enable Host Scan (under CSD) and let CSD check for the presence of a file with a certain filename, or a registry entry, or a process name. CSD will pass the result of this check to DAP, so you can use it in a policy (endpoint attributes of type process, registry and file).

One other alternative is to use CSD with a pre-login policy - this does not allow you to check on hostname but it does allow checking on ip address, OS type, certificate as well as presence of a process, registry key, file. In that case you don't need DAP.

hth

Herbert

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee

‎03-03-2010 01:39 AM

Hi Joe,

You don't need LDAP for this, what you need is CSD (Cisco Secure Desktop) combined with DAP.

After you enable CSD, edit your DAP policy, and instead of an AAA attribute like you were trying, add an endpoint attribute (on the righ-hand side).

To check on hostname, select attribute type "device".

Alternatively you can also enable Host Scan (under CSD) and let CSD check for the presence of a file with a certain filename, or a registry entry, or a process name. CSD will pass the result of this check to DAP, so you can use it in a policy (endpoint attributes of type process, registry and file).

One other alternative is to use CSD with a pre-login policy - this does not allow you to check on hostname but it does allow checking on ip address, OS type, certificate as well as presence of a process, registry key, file. In that case you don't need DAP.

hth

Herbert

0 Helpful

Go to solution
joedavis123
Level 1
Level 1
In response to Herbert Baerten

‎03-03-2010 10:58 AM

Hi Herbert,

I did install CSD on the ASA but hadn't enabled it until I knew it would be necessary.  We just rolled out AnyConnect to all of our users by installing the software on their PCs and it sounds like I need to do the same with CSD, is that correct?

Thanks,

JD

0 Helpful

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee
In response to joedavis123

‎03-03-2010 11:22 AM

JD,

you can pre-install CSD (as from version 3.5) but you don't have to. When Anyconnect establishes a tunnel, it will download CSD from the ASA and run it.

Unless of course your users do not have admin privileges, then pre-installation could be necessary, depending on what you want CSD to do.

BTW the same is true for the Anyconnect client itself - if a user has local admin rights, then he does not have the client installed, he can point his browser to the ASA, log in and download the client (and optionally keep it installed).

hth

Herbert

0 Helpful

Go to solution
joedavis123
Level 1
Level 1
In response to Herbert Baerten

‎03-03-2010 11:34 AM

Our users aren't administrators on their machines so that might be an issue. I'm considering the best way to validate our clients with an endpoint attribute and I think either a file or registry key will be the best way. If users are not administrators on their machines and they connect to the VPN with only AnyConnect installed, do you think that will work, or I will still need to pre-install CSD on each machine?  I could probably just push it out through a group policy in AD, but just trying to figure out if it is required in the first place.

Also I really appreciate you taking the time to answer my questions.

0 Helpful

Go to solution
Herbert Baerten
Cisco Employee
Cisco Employee
In response to joedavis123

‎03-03-2010 11:31 PM

If the users do not have admin rights, then Anyconnect should still download and run CSD when connecting, but CSD will not be able to do all the host checks that it would be able to do if it had admin rights.

e.g. it will not be able to check if a certain file exists, if that file is in a directory that the user does not have access to.

Registry access to be honest I'm not sure of, but I assume non-admin users still have read access to the registry so that should be ok.

hth

Herbert

Go to solution
joedavis123
Level 1
Level 1
In response to Herbert Baerten

‎03-04-2010 09:10 AM

Looks like you are correct in respect to a non-admin user accessing the registry.  I had CSD check "Domain" key in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, and for a computer that is not on our domain it is terminating the connection.  A savvy user could bypass this on their home computer, but where I work I don't think we have to worry about that Thanks again for all of your help Herbert, it is much appreciated.

JD

Go to solution
raslan.a.s
Level 1
Level 1
In response to joedavis123

‎03-19-2014 01:00 AM

Hi Joe/Herbert,

Can any of you share the exact steps followed on this to enable the registry key check of a domain machine and allow for Anyconnect to establish the connection.

Our users are not admin on their machines and willing to use the registry check.

Looking forward to hear from you guys.

Thanks in advance.

Regards,

raslan

 

0 Helpful

Go to solution
David Cebula
Level 1
Level 1
In response to Herbert Baerten

‎03-04-2010 09:43 AM

Do you have a PKI to issue certificates to your Computers?

If so you can just have CSD do a certificate check and use that in DAP.

0 Helpful

Go to solution
joedavis123
Level 1
Level 1
In response to David Cebula

‎09-09-2014 02:59 PM

Hi David,

 

We do not currently have a PKI but that is something I am looking into setting up in the near future. Thank you for the suggestion.

 

0 Helpful

Go to solution
raslan.a.s
Level 1
Level 1

‎03-19-2014 12:55 AM

Hi Joe,

I am having same scenario like yours. I tried enabling basic hostscan and using a DAP with that but the users are either allowed or denied based on the policy which I set. It doesn't stop as we wanted.

 

Can you give me the steps that you used to enable this. It will be a great help as we are running out of time to implement this.

Already we have configured the Anyconnect to allow only the domain users based on LDAP but now we have to stop the computers other than domain machines.

Looking forward to hear from you.

Thanks in advance.

Raslan

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents