Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

VPN & Endpoint Assessment

Hello everyone,

I had a question about DAP & endpoint assessment.

We are looking at replacing our Pix with ASAs. One of the requirements will be a remote access VPN. We have about 25 people with company issued laptops that need the ability to VPN in. We also have the need to support vendors accessing out network via "tunnel VPN" and another 25 users that have remote access needs that can be covered with the WebVPN.

My question is: how do I identify my computers? I am not looking at a key-gen fob or anything like that. Nor do I want to get into checking antivirus or anything like that. I just want to put a water mark on the computer so I know it's our own.

- If it's one of our computers, and they belong to the right AD groups, then they get access to certain subnets.

- If it's not one of our own, but they belong

I am looking at the IPS version of the ASA and adding SSL VPN licenses to it.

Is the advanced endpoint assesment licenses all that I need ? Do I need to add the CIsco Secure Desktop licenses? Are Secure desktop licenses included within the advanced endpoint license?

Thanks,

Ben

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN & Endpoint Assessment

"how do I identify my computers? I am not looking at a key-gen fob or  anything like that. Nor do I want to get into checking antivirus or  anything like that. I just want to put a water mark on the computer so I  know it's our own."

HD>>You can do a file check, registry check, or process scan through the CSD Host Scan feature. This does not require the "Advanced Endpoint Assessment" license, but it does require the SSL Full Client license (the SSL Anyconnect essentials license does not support hostscan features). Also keep in mind, that the traditional IPSec RA client does not do any hostscan.

"- If it's one of our computers, and they belong to the right AD groups,  then they get access to certain subnets."

HD>>You can do this with plain authentication such as radius or ldap. You can for example setup an ldap attribute map to say when we recieve an attribute from AD (like memberOf) we will give the user a specific group-policy that exists on the ASA. Search for "asa ldap group-policy" on cisco.com and the first document link should be the right one to give you more instructions on this.

"If it's not one of our own, but they belong"

HD>>If a user does not match any of the ldap map you setup as described above, the user is automatically given the default-group-policy on the connection profile. You can setup this group-policy to be more restricted or no access granted.

Your other option if you dont want ldap attribute map, is to use DAP. Again this does not require the "Advanced Endpoint Assessment" license, but depending on if you need the hostscan features (AV, FW, file check, reg check, etc) it may require the SSL Full Client license (the SSL Anyconnect essentials  license does not support hostscan features). Also again, the ipsec does not support any of the hostscan stuff (AV, FW, file check, reg check, etc), so the "Endpoint IDs" you see in the dap policy of ASDM are off limit for IPSec, but the IPSec VPN can use the "AAA Attribute" part of the dap policy to make a match. So you can still make it work with DAP if desired.

If you have more detailed questions about the config I would suggest opening a TAC case.

-heather

3 REPLIES
Cisco Employee

Re: VPN & Endpoint Assessment

"how do I identify my computers? I am not looking at a key-gen fob or  anything like that. Nor do I want to get into checking antivirus or  anything like that. I just want to put a water mark on the computer so I  know it's our own."

HD>>You can do a file check, registry check, or process scan through the CSD Host Scan feature. This does not require the "Advanced Endpoint Assessment" license, but it does require the SSL Full Client license (the SSL Anyconnect essentials license does not support hostscan features). Also keep in mind, that the traditional IPSec RA client does not do any hostscan.

"- If it's one of our computers, and they belong to the right AD groups,  then they get access to certain subnets."

HD>>You can do this with plain authentication such as radius or ldap. You can for example setup an ldap attribute map to say when we recieve an attribute from AD (like memberOf) we will give the user a specific group-policy that exists on the ASA. Search for "asa ldap group-policy" on cisco.com and the first document link should be the right one to give you more instructions on this.

"If it's not one of our own, but they belong"

HD>>If a user does not match any of the ldap map you setup as described above, the user is automatically given the default-group-policy on the connection profile. You can setup this group-policy to be more restricted or no access granted.

Your other option if you dont want ldap attribute map, is to use DAP. Again this does not require the "Advanced Endpoint Assessment" license, but depending on if you need the hostscan features (AV, FW, file check, reg check, etc) it may require the SSL Full Client license (the SSL Anyconnect essentials  license does not support hostscan features). Also again, the ipsec does not support any of the hostscan stuff (AV, FW, file check, reg check, etc), so the "Endpoint IDs" you see in the dap policy of ASDM are off limit for IPSec, but the IPSec VPN can use the "AAA Attribute" part of the dap policy to make a match. So you can still make it work with DAP if desired.

If you have more detailed questions about the config I would suggest opening a TAC case.

-heather

New Member

Re: VPN & Endpoint Assessment

Thank Heather,

So, as long as I have the Full SSL Licenses & the Advance Enpoint assessment licenses, I should be able to put the watermark on my computers and use that watermark in the DAP?

Can I check for the watermark in the host scan?

How do I put the watermark on the computer?

I just want a simply way of verifying that it's our computer. Ideally, it's not going to be something that's easily copied onto another computer.

Cisco Employee

Re: VPN & Endpoint Assessment

P.S. If I have answered your question please mark the post as resolved  and rate the responses. This helps us more easily identify which  questions remain unanswered and let us know how we are doing. Thanks in  advance!

1571
Views
0
Helpful
3
Replies
CreatePlease to create content