DAP that requires Windows AnyConnect users to have ANY antivirus installed, enabled, and updated.

I want to require AnyConnect users to have antivirus installed, enabled, and updated within the last 30 days, but don't want to maintain a list of products they're permitted to use. AVAST, for example, isn't among the available options via the ASDM GUI, but is free and as effective as competing products. I didn't see any way to meet all my criteria via ASDM, so I wrote a Lua policy.


First I'd like to discuss a security concern with Lua code examples on the Internet. All the examples on Cisco.com that I came across used the following code excerpt:

for k, v in pairs(endpoint.av) do...

This statement assumes "endpoint.av" is present and, in the examples I saw, only denies access if v.exists is explicitly set to the value "false". Amazon WorkSpaces desktops, as well as some other Windows desktop configurations, do not send any endpoint.av value at all, effectively allowing users to bypass the DAP and connect to the VPN without any antivirus installed.

I don't know Lua, but I threw together the following DAP to meet the criteria described in the title of this post, which also addresses scenarios where the client doesn't provide any endpoint.av key/value pairs.


Please note that the action needs to be set to 'Terminate' for this DAP to work properly.


assert(function()

local update_days   = 30                   -- maximum signature age, in days
local av_lastupdate = update_days * 86400  -- the same threshold in seconds (lastupdate is seconds since the last update)

-- Only apply this DAP to Windows hosts
if not (EVAL(endpoint.anyconnect.platform, "EQ", "win", "string")) then
    return false
end

-- AWS WorkSpaces doesn't send endpoint.av at all, which means we never make it through the following loop.
-- Treat a missing table as empty so pairs() is safe, and use a local to track whether
-- endpoint.av exists to prevent such clients from connecting without AV.
-- With the DAP action set to 'Terminate', returning true denies the session.
local av = endpoint.av or {}
local av_endpoint_sent = false
for k, v in pairs(av) do
    av_endpoint_sent = true
    if (CheckAndMsg(EVAL(v.exists, "NE", "true", "string"), "No antivirus installed.  Contact XYZ Support at XXX-XXX-XXXX for assistance.")) then
        return true
    end
end
-- No endpoint.av was sent by the client.  Deny access.
if not av_endpoint_sent then
    return true
end

for k, v in pairs(av) do
    if (CheckAndMsg(EVAL(v.activescan, "NE", "ok", "string"), "Antivirus not enabled.  Contact XYZ Support at XXX-XXX-XXXX for assistance.")) then
        return true
    end
end

for k, v in pairs(av) do
    if (CheckAndMsg(EVAL(v.lastupdate, "GT", av_lastupdate, "integer"), "Antivirus not updated in last " .. update_days .. " days.  Contact XYZ Support at XXX-XXX-XXXX for assistance.")) then
        return true
    end
end

return false
end)()

Is there a Msg function I can call rather than using CheckAndMsg() to notify the user of the exact error for support purposes?  The av_endpoint_sent check above will deny access but not give a descriptive error message.  If CheckAndMsg() is required, I assume I'll need to check for a "boolean" type rather than "integer"?  Thank you.
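As an added offline harness (not the original poster's code and not Cisco's), the block below stubs EVAL and CheckAndMsg with assumed semantics and runs a policy equivalent to the DAP above against constructed endpoint tables, including the missing-endpoint.av case the post describes. The guard on endpoint.av == nil assumes standard Lua, where pairs(nil) raises an error rather than skipping the loop.

```lua
-- Added harness: stubs the ASA's EVAL/CheckAndMsg and runs a policy equivalent
-- to the DAP above against constructed endpoint tables. Assumes DAP action
-- "Terminate" (policy returning true denies the session) and standard Lua.
local msgs = {}
local function EVAL(value, op, expected, kind)
  if kind == "integer" then
    value, expected = tonumber(value), tonumber(expected)
    if value == nil then return true end  -- missing attribute counts as a failure
    if op == "GT" then return value > expected end
    if op == "LT" then return value < expected end
  end
  value = tostring(value)  -- nil becomes "nil", so a missing field never equals "true"
  if op == "EQ" then return value == expected end
  if op == "NE" then return value ~= expected end
  error("unsupported operator " .. tostring(op))
end
local function CheckAndMsg(cond, msg_if_true)
  if cond then msgs[#msgs + 1] = msg_if_true end
  return cond
end
-- Same checks as the post, plus a nil-safe guard: a client that omits
-- endpoint.av entirely is denied instead of triggering pairs(nil).
local function policy(endpoint, max_age_days)
  if not EVAL(endpoint.anyconnect.platform, "EQ", "win", "string") then return false end
  if endpoint.av == nil or next(endpoint.av) == nil then
    return CheckAndMsg(true, "Client reported no antivirus information.")
  end
  for _, v in pairs(endpoint.av) do
    if CheckAndMsg(EVAL(v.exists, "NE", "true", "string"), "No antivirus installed.") then return true end
    if CheckAndMsg(EVAL(v.activescan, "NE", "ok", "string"), "Antivirus not enabled.") then return true end
    if CheckAndMsg(EVAL(v.lastupdate, "GT", max_age_days * 86400, "integer"),
                   "Antivirus not updated in last " .. max_age_days .. " days.") then return true end
  end
  return false
end
-- Constructed endpoints (not real ASA data); lastupdate is seconds since the last update.
local win = { platform = "win" }
local cases = {
  { "no av table (AWS WorkSpace)", { anyconnect = win } },
  { "empty av table",              { anyconnect = win, av = {} } },
  { "stale signatures", { anyconnect = win, av = { Avast = { exists = "true", activescan = "ok", lastupdate = 40 * 86400 } } } },
  { "healthy",          { anyconnect = win, av = { Avast = { exists = "true", activescan = "ok", lastupdate = 3600 } } } },
  { "mac client (DAP not applied)", { anyconnect = { platform = "mac" } } },
}
for _, c in ipairs(cases) do
  msgs = {}
  print(string.format("%-32s terminate=%-5s %s", c[1], tostring(policy(c[2], 30)), table.concat(msgs, "; ")))
end
```

Only the "healthy" and "mac client" cases evaluate to false; every other case is denied with the message that explains why, which is the behaviour the poster wants for support purposes.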
