Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA checks AnyConnect VPN Computer Name

Hello All,

I have searched the forums and documentation but haven't found a solution to my problem.  I am guessing it comes up occasionally but maybe I am searching for the wrong thing.  We have rolled out AnyConnect to all of our laptops but are struggling with employees who are getting the AnyConnect software from other sources and installing it on home PCs.  We are a governmental agency, although fairly small, but we have security policies in place and I need to lock it down so users cannot connect to the VPN unless they are on a work PC connected to our AD domain.  I've found one possible solution is to use Dynamic Access Policies within the ASA to check the Windows computer name.  So I set up LDAP and created a policy to check an AAA attribute.  It allows me to select "MemberOf", which I'm assuming that is the user group, but I need to check the computer name on the client before it allows access.

Stepping back from what I have already done, does anyone know of an easier or more logical way to lock down on what computers the AnyConnect VPN client can be used?

Or if I am going about it the right way with dynamic access policies, does anyone have suggestions or know of documentation that assists in configuring things correctly when checking computer name LDAP attribute?

Thanks!

JD

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ASA checks AnyConnect VPN Computer Name

Hi Joe,

You don't need LDAP for this, what you need is CSD (Cisco Secure Desktop) combined with DAP.

After you enable CSD, edit your DAP policy, and instead of an AAA attribute like you were trying, add an endpoint attribute (on the righ-hand side).

To check on hostname, select attribute type "device".

Alternatively you can also enable Host Scan (under CSD) and let CSD check for the presence of a file with a certain filename, or a registry entry, or a process name. CSD will pass the result of this check to DAP, so you can use it in a policy (endpoint attributes of type process, registry and file).

One other alternative is to use CSD with a pre-login policy - this does not allow you to check on hostname but it does allow checking on ip address, OS type, certificate as well as presence of a process, registry key, file. In that case you don't need DAP.

hth

Herbert

10 REPLIES
Cisco Employee

Re: ASA checks AnyConnect VPN Computer Name

Hi Joe,

You don't need LDAP for this, what you need is CSD (Cisco Secure Desktop) combined with DAP.

After you enable CSD, edit your DAP policy, and instead of an AAA attribute like you were trying, add an endpoint attribute (on the righ-hand side).

To check on hostname, select attribute type "device".

Alternatively you can also enable Host Scan (under CSD) and let CSD check for the presence of a file with a certain filename, or a registry entry, or a process name. CSD will pass the result of this check to DAP, so you can use it in a policy (endpoint attributes of type process, registry and file).

One other alternative is to use CSD with a pre-login policy - this does not allow you to check on hostname but it does allow checking on ip address, OS type, certificate as well as presence of a process, registry key, file. In that case you don't need DAP.

hth

Herbert

New Member

Re: ASA checks AnyConnect VPN Computer Name

Hi Herbert,

I did install CSD on the ASA but hadn't enabled it until I knew it would be necessary.  We just rolled out AnyConnect to all of our users by installing the software on their PCs and it sounds like I need to do the same with CSD, is that correct?

Thanks,

JD

Cisco Employee

Re: ASA checks AnyConnect VPN Computer Name

JD,

you can pre-install CSD (as from version 3.5) but you don't have to. When Anyconnect establishes a tunnel, it will download CSD from the ASA and run it.

Unless of course your users do not have admin privileges, then pre-installation could be necessary, depending on what you want CSD to do.

BTW the same is true for the Anyconnect client itself - if a user has local admin rights, then he does not have the client installed, he can point his browser to the ASA, log in and download the client (and optionally keep it installed).

hth

Herbert

New Member

Re: ASA checks AnyConnect VPN Computer Name

Our users aren't administrators on their machines so that might be an issue. I'm considering the best way to validate our clients with an endpoint attribute and I think either a file or registry key will be the best way. If users are not administrators on their machines and they connect to the VPN with only AnyConnect installed, do you think that will work, or I will still need to pre-install CSD on each machine?  I could probably just push it out through a group policy in AD, but just trying to figure out if it is required in the first place.

Also I really appreciate you taking the time to answer my questions.

Cisco Employee

Re: ASA checks AnyConnect VPN Computer Name

If the users do not have admin rights, then Anyconnect should still download and run CSD when connecting, but CSD will not be able to do all the host checks that it would be able to do if it had admin rights.

e.g. it will not be able to check if a certain file exists, if that file is in a directory that the user does not have access to.

Registry access to be honest I'm not sure of, but I assume non-admin users still have read access to the registry so that should be ok.

hth

Herbert

New Member

Re: ASA checks AnyConnect VPN Computer Name

Looks like you are correct in respect to a non-admin user accessing the registry.  I had CSD check "Domain" key in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters, and for a computer that is not on our domain it is terminating the connection.  A savvy user could bypass this on their home computer, but where I work I don't think we have to worry about that Thanks again for all of your help Herbert, it is much appreciated.

JD

New Member

Hi Joe/Herbert,Can any of you

Hi Joe/Herbert,

Can any of you share the exact steps followed on this to enable the registry key check of a domain machine and allow for Anyconnect to establish the connection.

Our users are not admin on their machines and willing to use the registry check.

Looking forward to hear from you guys.

Thanks in advance.

Regards,

raslan

 

New Member

Re: ASA checks AnyConnect VPN Computer Name

Do you have a PKI to issue certificates to your Computers?

If so you can just have CSD do a certificate check and use that in DAP.

New Member

Re: ASA checks AnyConnect VPN Computer Name

Hi David,

 

We do not currently have a PKI but that is something I am looking into setting up in the near future. Thank you for the suggestion.

 

New Member

Hi Joe,I am having same

Hi Joe,

I am having same scenario like yours. I tried enabling basic hostscan and using a DAP with that but the users are either allowed or denied based on the policy which I set. It doesn't stop as we wanted.

 

Can you give me the steps that you used to enable this. It will be a great help as we are running out of time to implement this.

Already we have configured the Anyconnect to allow only the domain users based on LDAP but now we have to stop the computers other than domain machines.

Looking forward to hear from you.

Thanks in advance.

Raslan

 

 

2251
Views
9
Helpful
10
Replies
CreatePlease login to create content