I'm trying to get an ASA to perform Endpoint Assessment using the Cisco Secure Desktop and the basic Endpoint Assessment v. 18.104.22.168
From what I can tell I have the configuration set up correctly; however, when I connect via CSD it doesn't appear that the assessment is taking place. In ASDM I can "Test Dynamic Access Policy" and the tests have the expected outcome of continue or terminate based on whether or not Anti-virus is present, however doing a "debug dap trace" on the ASA shows the following output:
woodlands# DAP_TRACE: DAP_open: D6C35840
DAP_TRACE: DAP_add_CSD: csd_token = [20A40F8465D3F1972FFA9416]
DAP_TRACE: Username: networkz, aaa.cisco.class = namroc
DAP_TRACE: Username: networkz, aaa.cisco.username = networkz
DAP_TRACE: Username: networkz, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["class"] = "namroc";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"] = "networkz";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.policy.location = "Namroc";
endpoint.protection = "secure desktop";
endpoint.hostname = "<<masked by moderator>>";
DAP_TRACE: Username: networkz, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 35%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: networkz, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: networkz, DAP_close: D6C35840
It looks to me from this information that the ASA isn't reporting any information about the Anti-virus when I connect and therefore it isn't selecting the DAP to continue. I've tried this on two different ASA boxes with different AV vendors and neither one has worked. Has anyone gotten this to work?
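To see at a glance why the trace ends in "selected 0 records", here is an added Python example (not from the thread and not Cisco's code) that parses the debug dap trace format quoted above into the dotted attribute paths the ASA fed to the DAP Lua tree and reports which endpoint categories never appeared. The sample trace is constructed from the lines above, and the category prefixes endpoint.av and endpoint.as are assumed names for the anti-virus and anti-spyware attributes.

```python
import re

# Constructed sample, modelled on the "debug dap trace" output quoted in the post above.
SAMPLE_TRACE = """\
DAP_TRACE: DAP_open: D6C35840
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"] = "networkz";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.protection = "secure desktop";
DAP_TRACE: Username: networkz, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: networkz, DAP_close: D6C35840
"""

# Form 1: dap_add_to_lua_tree:aaa["cisco"]["username"] = "networkz";
BRACKET_RE = re.compile(r'dap_add_to_lua_tree:(\w+)((?:\["[^"]+"\])+) = "([^"]*)";')
# Form 2 (lines following dap_add_csd_data_to_lua): endpoint.os.version = "Windows XP";
DOTTED_RE = re.compile(r'^(\w+(?:\.\w+)+) = "([^"]*)";$')
SELECTED_RE = re.compile(r'selected (\d+) records')


def parse_dap_trace(text):
    """Return (attrs, selected): attrs maps dotted paths such as
    'endpoint.os.version' to the string the ASA placed in the Lua tree;
    selected is the number of DAP records chosen (None if not seen)."""
    attrs, selected = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = BRACKET_RE.search(line)
        if m:
            keys = re.findall(r'\["([^"]+)"\]', m.group(2))
            attrs[".".join([m.group(1)] + keys)] = m.group(3)
            continue
        m = DOTTED_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
            continue
        m = SELECTED_RE.search(line)
        if m:
            selected = int(m.group(1))
    return attrs, selected


def missing_endpoint_categories(attrs, required=("endpoint.av", "endpoint.as")):
    """Assumed category prefixes a DAP endpoint check would need but the trace never populated."""
    return [c for c in required if not any(k.startswith(c + ".") for k in attrs)]
```

If the returned list is non-empty while "selected 0 records" is reported, the DAP is being evaluated without any AV/AS data, which matches the symptom described in the post.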
We have both basic and Advanced Endpoint Assessment v. 2.4.x on the ASA 8.0.2(15) interim release. No luck getting the DAP to work properly. The DAP didn't pick up the criteria properly.
I have the problem; I can make it work with simple OS detection. But when I'm trying to set up an AV check it doesn't work. Have you made any progress since you wrote this message?
What version of CSD are you running? Since posting this they have released a newer version that I'm told has resolved the issue, but I haven't had a chance to check it.
I talked to my Cisco presale contact in the security area. He told me that Advanced Endpoint Security is a third-party license. So you will have to buy that as well. The product license is ASA-ADV-END-SEC.
You should be able to get the "Basic" endpoint assessment to work without the license though. The basic still includes AV and AS features. If you want the advanced features then you'll need the additional license.
Not according to the presale guy Hakan Nohre, who is a well-known security guy at Cisco. Speaker at Networkers and so on. But I will have my license probably tonight so I can give you an answer on whether it is working or not tomorrow.
Please do let me know once you have your license if it works. Also, if you wouldn't mind just as a test, try using just the basic options even with the license and see if they work as you are trying now. I'll also try on my ASA today without a license with the newest version of CSD. Thanks.
Sorry for not replying earlier. Yes, it's now working fine. The license that I received is tied to my serial. So you will have to contact Cisco Sales people.
I have now ordered a license for my ASA. ;)
Thanks for the information. I did some more debugs and did notice more information being sent with the newer versions, but you are right, it must just require the license to be fully functional. Thanks again.