We are using remote VPN to ASA 8.2(1) and have successfully configured Windows Location Settings to check for version & Registry key, and are using dual-factor authentication. We would like to do further post-auth endpoint checking for antivirus checking and thought we could do this with Dynamic Access Policy, but we can't seem to get the session to use anything but the default policy.
We want to ensure that only our endpoints are allowed to connect and reject everything else, and we do not wish to use Secure Desktop. Should it be possible to apply DAP without Secure Desktop?
The security appliance obtains endpoint security attributes by using posture assessment methods that you configure. These include Cisco Secure Desktop and NAC.
The security appliance uses a DAP policy when the user attributes match the configured AAA and endpoint attributes. The Prelogin Assessment and Host Scan modules of Cisco Secure Desktop return information to the security appliance about the configured endpoint attributes, and the DAP subsystem uses that information to select a DAP record that matches the values of those attributes.
Most, but not all, antivirus, antispyware, and personal firewall programs support active scan, which means that the programs are memory-resident, and therefore always running. Host Scan checks to see if an endpoint has a program installed, and if it is memory-resident as follows:
• If the installed program does not support active scan, Host Scan reports the presence of the software. The DAP system selects DAP records that specify the program.
• If the installed program does support active scan, and active scan is enabled for the program, Host Scan reports the presence of the software. Again the security appliance selects DAP records that specify the program.
• If the installed program does support active scan and active scan is disabled for the program, Host Scan ignores the presence of the software. The security appliance does not select DAP records that specify the program. Further, the output of the debug trace command, which includes a lot of information about DAP, does not indicate the program presence, even though it is installed.
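As an added illustration (not part of the original reply or of Cisco's documentation), here is the kind of advanced Lua expression a DAP record could carry so that it matches only when Host Scan reports an antivirus product with active scan enabled. The endpoint.av attribute names follow the DAP Lua attribute syntax as I recall it and the vendor key is a placeholder, so check both against the attribute list ASDM shows for your Host Scan version before relying on them.

```lua
-- Added example: "Advanced" Lua expression for a DAP record (assumed to be
-- named "AV-Required"); the expression must evaluate to a boolean.
-- Vendor key is a placeholder: substitute the one listed by Host Scan.
-- Attribute names (.exists, .activescan, .lastupdate) and the values
-- "true" / "ok" are assumptions to verify in the ASDM attribute table.
--
-- Behaviour this expresses, per the reply above: if the product supports
-- active scan but it is switched off, Host Scan does not report the product
-- at all, so .exists is never "true", this record is not selected, and the
-- session falls through to the default DAP.
(
  endpoint.av["AV-VENDOR-PLACEHOLDER"].exists == "true"
  and endpoint.av["AV-VENDOR-PLACEHOLDER"].activescan == "ok"
  -- signature update within the last 10 days (value assumed to be in seconds)
  and endpoint.av["AV-VENDOR-PLACEHOLDER"].lastupdate <= 864000
)
```

Pair this record with a default DAP whose action is Terminate, so an endpoint that fails to match is rejected rather than silently granted the default policy.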