Solved: VPN & Endpoint Assessment

Benjamin Waldon · ‎05-21-2010

Hello everyone,

I had a question about DAP & endpoint assessment.

We are looking at replacing our Pix with ASAs. One of the requirements will be a remote access VPN. We have about 25 people with company issued laptops that need the ability to VPN in. We also have the need to support vendors accessing out network via "tunnel VPN" and another 25 users that have remote access needs that can be covered with the WebVPN.

My question is: how do I identify my computers? I am not looking at a key-gen fob or anything like that. Nor do I want to get into checking antivirus or anything like that. I just want to put a water mark on the computer so I know it's our own.

- If it's one of our computers, and they belong to the right AD groups, then they get access to certain subnets.

- If it's not one of our own, but they belong

I am looking at the IPS version of the ASA and adding SSL VPN licenses to it.

Is the advanced endpoint assesment licenses all that I need ? Do I need to add the CIsco Secure Desktop licenses? Are Secure desktop licenses included within the advanced endpoint license?

Thanks,

Ben

hdashnau · ‎05-21-2010

"how do I identify my computers? I am not looking at a key-gen fob or anything like that. Nor do I want to get into checking antivirus or anything like that. I just want to put a water mark on the computer so I know it's our own."

HD>>You can do a file check, registry check, or process scan through the CSD Host Scan feature. This does not require the "Advanced Endpoint Assessment" license, but it does require the SSL Full Client license (the SSL Anyconnect essentials license does not support hostscan features). Also keep in mind, that the traditional IPSec RA client does not do any hostscan.

"- If it's one of our computers, and they belong to the right AD groups, then they get access to certain subnets."

HD>>You can do this with plain authentication such as radius or ldap. You can for example setup an ldap attribute map to say when we recieve an attribute from AD (like memberOf) we will give the user a specific group-policy that exists on the ASA. Search for "asa ldap group-policy" on cisco.com and the first document link should be the right one to give you more instructions on this.

"If it's not one of our own, but they belong"

HD>>If a user does not match any of the ldap map you setup as described above, the user is automatically given the default-group-policy on the connection profile. You can setup this group-policy to be more restricted or no access granted.

Your other option if you dont want ldap attribute map, is to use DAP. Again this does not require the "Advanced Endpoint Assessment" license, but depending on if you need the hostscan features (AV, FW, file check, reg check, etc) it may require the SSL Full Client license (the SSL Anyconnect essentials license does not support hostscan features). Also again, the ipsec does not support any of the hostscan stuff (AV, FW, file check, reg check, etc), so the "Endpoint IDs" you see in the dap policy of ASDM are off limit for IPSec, but the IPSec VPN can use the "AAA Attribute" part of the dap policy to make a match. So you can still make it work with DAP if desired.

If you have more detailed questions about the config I would suggest opening a TAC case.

-heather

View solution in original post

hdashnau · ‎05-21-2010

"how do I identify my computers? I am not looking at a key-gen fob or anything like that. Nor do I want to get into checking antivirus or anything like that. I just want to put a water mark on the computer so I know it's our own."

HD>>You can do a file check, registry check, or process scan through the CSD Host Scan feature. This does not require the "Advanced Endpoint Assessment" license, but it does require the SSL Full Client license (the SSL Anyconnect essentials license does not support hostscan features). Also keep in mind, that the traditional IPSec RA client does not do any hostscan.

"- If it's one of our computers, and they belong to the right AD groups, then they get access to certain subnets."

HD>>You can do this with plain authentication such as radius or ldap. You can for example setup an ldap attribute map to say when we recieve an attribute from AD (like memberOf) we will give the user a specific group-policy that exists on the ASA. Search for "asa ldap group-policy" on cisco.com and the first document link should be the right one to give you more instructions on this.

"If it's not one of our own, but they belong"

HD>>If a user does not match any of the ldap map you setup as described above, the user is automatically given the default-group-policy on the connection profile. You can setup this group-policy to be more restricted or no access granted.

Your other option if you dont want ldap attribute map, is to use DAP. Again this does not require the "Advanced Endpoint Assessment" license, but depending on if you need the hostscan features (AV, FW, file check, reg check, etc) it may require the SSL Full Client license (the SSL Anyconnect essentials license does not support hostscan features). Also again, the ipsec does not support any of the hostscan stuff (AV, FW, file check, reg check, etc), so the "Endpoint IDs" you see in the dap policy of ASDM are off limit for IPSec, but the IPSec VPN can use the "AAA Attribute" part of the dap policy to make a match. So you can still make it work with DAP if desired.

If you have more detailed questions about the config I would suggest opening a TAC case.

-heather

Benjamin Waldon · ‎05-21-2010

Thank Heather,

So, as long as I have the Full SSL Licenses & the Advance Enpoint assessment licenses, I should be able to put the watermark on my computers and use that watermark in the DAP?

Can I check for the watermark in the host scan?

How do I put the watermark on the computer?

I just want a simply way of verifying that it's our computer. Ideally, it's not going to be something that's easily copied onto another computer.

hdashnau · ‎05-25-2010

P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!