
New Member

ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Assessment

I'm trying to get an ASA to perform Endpoint Assessment using the Cisco Secure Desktop and the basic Endpoint Assessment v. 2.4.2.1

From what I can tell I have the configuration set up correctly; however, when I connect via CSD it doesn't appear that the assessment is taking place. In ASDM I can "Test Dynamic Access Policy" and the tests have the expected outcome of continue or terminate based on whether or not Anti-virus is present. However, doing a "debug dap trace" on the ASA shows the following output:

woodlands# DAP_TRACE: DAP_open: D6C35840
DAP_TRACE: DAP_add_CSD: csd_token = [20A40F8465D3F1972FFA9416]
DAP_TRACE: Username: networkz, aaa.cisco.class = namroc
DAP_TRACE: Username: networkz, aaa.cisco.username = networkz
DAP_TRACE: Username: networkz, aaa.cisco.tunnelgroup = DefaultWEBVPNGroup
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["class"] = "namroc";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["username"] = "networkz";
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.policy.location = "Namroc";
endpoint.protection = "secure desktop";
endpoint.hostname = "<<masked by moderator>>";
DAP_TRACE: Username: networkz, Selected DAPs:
DAP_TRACE: dap_request: memory usage = 35%
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: networkz, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: networkz, DAP_close: D6C35840

It looks to me from this information that the ASA isn't reporting any information about the Anti-virus when I connect and therefore it isn't selecting the DAP to continue. I've tried this on two different ASA boxes with different AV vendors and neither one has worked. Has anyone gotten this to work?
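As an added example (not from the thread or from Cisco), here is a small Python helper that parses "debug dap trace" output of the kind quoted above and reports which endpoint attributes Host Scan actually delivered to the DAP engine and how many DAP records were selected. It assumes antivirus results appear under an endpoint.av attribute prefix; the sample trace lines are constructed from the ones in the question, with a made-up token and hostname.

```python
import re

# Constructed sample of "debug dap trace" output, modelled on the lines quoted
# in the question; the token and hostname are made-up values.
SAMPLE_TRACE = """\
DAP_TRACE: DAP_open: D6C35840
DAP_TRACE: DAP_add_CSD: csd_token = [EXAMPLE_TOKEN]
DAP_TRACE: dap_add_to_lua_tree:aaa["cisco"]["tunnelgroup"] = "DefaultWEBVPNGroup";
DAP_TRACE: dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "Clientless";
DAP_TRACE: Username: networkz, dap_add_csd_data_to_lua:
endpoint.os.version = "Windows XP";
endpoint.os.servicepack = "2";
endpoint.protection = "secure desktop";
endpoint.hostname = "example-host";
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: networkz, DAP_close: D6C35840
"""
# Same trace plus a constructed antivirus line of the kind Host Scan should add
# (the endpoint.av attribute name and the vendor value are assumptions here).
SAMPLE_TRACE_WITH_AV = SAMPLE_TRACE.replace(
    'endpoint.hostname = "example-host";',
    'endpoint.hostname = "example-host";\nendpoint.av["ExampleVendor"].exists = "true";',
).replace("selected 0 records", "selected 1 records")

# Both spellings of the Lua tree seen in the trace: endpoint.os.version = "...";
# and dap_add_to_lua_tree:endpoint["application"]["clienttype"] = "...";
ASSIGN_RE = re.compile(r'((?:aaa|endpoint)(?:\.\w+|\["[^"]+"\])+)\s*=\s*"([^"]*)";')
SELECTED_RE = re.compile(r"dap_process_selected_daps: selected (\d+) records")

def normalize(path):
    """Collapse endpoint["os"]["version"] and endpoint.os.version to one dotted key."""
    return path.replace('"]["', ".").replace('["', ".").replace('"]', "")

def parse_dap_trace(text):
    """Return (attribute dict, number of DAP records selected or None if absent)."""
    attrs, selected = {}, None
    for line in text.splitlines():
        m = ASSIGN_RE.search(line)
        if m:
            attrs[normalize(m.group(1))] = m.group(2)
        m = SELECTED_RE.search(line)
        if m:
            selected = int(m.group(1))
    return attrs, selected

def diagnose(text, prefix="endpoint.av"):
    """Say whether any antivirus attribute reached the DAP engine and whether a DAP matched."""
    attrs, selected = parse_dap_trace(text)
    av_keys = sorted(k for k in attrs if k == prefix or k.startswith(prefix + "."))
    return {"av_reported": bool(av_keys), "av_keys": av_keys, "selected_daps": selected}
```

Run diagnose() over a real trace captured from the ASA: an empty av_keys list together with "selected 0 records" is the pattern the question describes, where no AV data reaches the DAP engine and no DAP record can match.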

9 REPLIES
New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

We have both basic and Advanced Endpoint Assessment v. 2.4.x on the ASA 8.0.2(15) interim release. No luck making the DAP work properly. The DAP didn't pick up the criteria properly.

New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

Hi,

I have the problem: I can make it work with simple OS detection. But when I'm trying to set up an AV check it doesn't work. Have you made any progress since you wrote this message?

//Stefan

New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

What version of CSD are you running? Since posting this they have released a newer version that I'm told has resolved the issue, but I haven't had a chance to check it.

New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

Hi again,

I talked to my Cisco presales contact in the security area. He told me that Advanced Endpoint Security is a third-party license, so you will have to buy that as well. The product license is ASA-ADV-END-SEC.

//Stefan Andersson

New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

You should be able to get the "Basic" endpoint assessment to work without the license though. The basic still includes AV and AS features. If you want the advanced features then you'll need the additional license.

New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

Hi

Not according to the presales guy Hakan Nohre, who is a well-known security guy at Cisco, a speaker at Networkers and so on. But I will probably have my license tonight, so I can give you an answer tomorrow as to whether it is working or not.

Regards,

Stefan

New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

Please do let me know once you have your license if it works. Also, if you wouldn't mind just as a test, try using just the basic options even with the license and see if they work as you are trying now. I'll also try on my ASA today without a license with the newest version of CSD. Thanks.

New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

Hi

Sorry for not replying earlier. Yes, it's now working fine. The license that I received is tied to my serial, so you will have to contact Cisco Sales people.

I have now ordered a license for my ASA. ;)

Regards,

Stefan

New Member

Re: ASA Dynamic Access Policy (DAP) - Host Scan - Endpoint Asses

Stefan,

Thanks for the information. I did some more debugs and did notice more information being sent with the newer versions, but you are right, it must just require the license to be fully functional. Thanks again.
