This configuration example shows how to perform posture assessment for remote VPN sessions terminated on the ASA. The posture check is performed locally by the ASA using Cisco Secure Desktop (CSD) with the HostScan module. After the VPN session is established, a compliant station is allowed full network access and a non-compliant station limited access.
CSD and AnyConnect 4.0 provisioning flows are also presented.
Cisco recommends that you have knowledge of these topics:
Cisco ASA VPN configuration
Cisco AnyConnect Secure Mobility Client
The information in this document is based on these software and hardware versions:
Microsoft Windows 7
Cisco Adaptive Security Appliance, Version 9.3 or later
Cisco Identity Services Engine (ISE) Software, Versions 1.3 and Later
Cisco AnyConnect Secure Mobility Client, Version 4.0 and Later
Cisco Secure Desktop, Version 3.6 or Later
Topology and flow
The corporate policy is as follows:
Remote VPN users that have the file c:\test.txt (compliant) should have full network access to inside company resources.
Remote VPN users that do not have the file c:\test.txt (non-compliant) should have limited network access to inside company resources: only access to the remediation server 22.214.171.124 should be provided.
File existence is the simplest example; any other condition (antivirus, antispyware, process, application, registry) could be used.
The flow is as follows:
Remote users do not have AnyConnect installed. They access the ASA web page for CSD and AnyConnect provisioning (along with the VPN profile).
Once connected via AnyConnect, a non-compliant user is allowed limited network access. The Dynamic Access Policy (DAP) called FileNotExists is matched.
The user performs remediation (manually installs the file c:\test.txt) and connects again using AnyConnect. This time full network access is provided (the DAP policy called FileExists is matched).
The HostScan module can be installed manually on the endpoint. Example files (hostscan-win-4.0.00051-pre-deploy-k9.msi) are shared on CCO. It can also be pushed from the ASA: HostScan is a part of CSD, which can be provisioned from the ASA. That second approach is used in this example.
For older versions of AnyConnect (3.1 and before) there was a separate package available on CCO (example: hostscan_3.1.06073-k9.pkg) that could be configured and provisioned on the ASA separately (using the "csd hostscan image" command), but that option no longer exists for AnyConnect version 4.0.
Step 1. Basic SSL VPN configuration
The ASA is preconfigured with basic remote VPN access (SSL).
HostScan is still fully supported; a new Basic HostScan rule is added. The existence of c:\test.txt will be verified.
An additional Advanced Endpoint Assessment rule is also added:
That one checks for the existence of Symantec Norton AntiVirus 20.x and Microsoft Windows Firewall 7. The posture module (HostScan) will check those values, but there will be no enforcement (the DAP policy will not verify them).
Step 3. DAP policies
DAP policies use the data gathered by HostScan as conditions and apply specific attributes to the VPN session as a result. To create a DAP policy from ASDM: Remote Access VPN -> Clientless SSL VPN Access -> Dynamic Access Policies:
The first policy (FileExists) checks the tunnel-group name used by the configured VPN profile (the VPN profile configuration has been omitted for clarity). Then an additional check for the file c:\test.txt is performed:
As a result, no actions are performed and the default setting to permit connectivity applies. No ACL is used, so full network access is provided.
Details of the file check:
The second policy (FileNonExists) is similar, but this time the condition is "file does not exist".
The result has the access-list ACL1 configured. It is applied to non-compliant VPN users, providing limited network access.
Both DAP policies are set for AnyConnect access:
Identity Services Engine is used for user authentication. Only the network device (ASA) and the correct username (cisco) need to be configured there. That part is not covered in this article.
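The ASA CLI equivalent of the pieces described above (basic SSL VPN, CSD provisioning, the ISE RADIUS server, the ACL that restricts non-compliant users to the remediation server, and the result side of the two DAP records), as an added example that is not part of the original article. The address pool, the interface names, the group-policy and tunnel-group names, the image file names and the RADIUS key are assumptions; the ISE address 10.62.145.42 and the remediation server 22.214.171.124 are the values used on this page. The endpoint condition (existence of c:\test.txt) is defined only in ASDM and stored in dap.xml, so the CLI shows just the attributes each DAP record applies.

```cisco
! Added example (not the article's own configuration); names marked below are assumptions
ip local pool POOL_VPN 192.0.2.10-192.0.2.100 mask 255.255.255.0

! RADIUS server group pointing at ISE; 10.62.145.42 is the server seen in the
! %ASA-6-113004 message on this page, the key is a placeholder
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.62.145.42
 key <radius-shared-secret>

! ACL1: a non-compliant session may reach only the remediation server
access-list ACL1 extended permit ip any host 22.214.171.124
access-list ACL1 extended deny ip any any

! SSL VPN with AnyConnect 4.0 and CSD (HostScan) provisioning on the outside interface;
! with AnyConnect 4.0 HostScan comes from the CSD image, there is no separate hostscan pkg
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 csd image disk0:/csd_<version>-k9.pkg
 csd enable
 tunnel-group-list enable

! Group policy for the posture-checked users (name is an assumption)
group-policy GP_POSTURE internal
group-policy GP_POSTURE attributes
 vpn-tunnel-protocol ssl-client

! Tunnel group referenced by the DAP tunnel-group condition (name is an assumption)
tunnel-group TG_POSTURE type remote-access
tunnel-group TG_POSTURE general-attributes
 address-pool POOL_VPN
 authentication-server-group ISE
 default-group-policy GP_POSTURE
tunnel-group TG_POSTURE webvpn-attributes
 group-alias POSTURE enable

! Result side of the two DAP records; the c:\test.txt endpoint condition lives in dap.xml (ASDM)
dynamic-access-policy-record FileExists
 description "compliant: c:\test.txt present, no ACL, full access"
 action continue
dynamic-access-policy-record FileNotExists
 description "non-compliant: c:\test.txt missing, restricted to remediation server"
 network-acl ACL1
 action continue
```

Because ACL1 ends with an explicit deny, a session that matches FileNotExists can reach nothing but 22.214.171.124 even if the group policy itself carries no filter; the FileExists record applies no network ACL, so those sessions keep whatever the group policy allows.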
CSD and AnyConnect provisioning
At the beginning the user is not provisioned with the AnyConnect client. The user is also not compliant with the policy (the file c:\test.txt does not exist). After entering https://10.62.145.45 the user is immediately redirected for Cisco Secure Desktop installation:
That can be done using Java or ActiveX. Once CSD is installed, that is reported:
Then the user is redirected for authentication:
If successful, AnyConnect along with the configured profile is deployed; again ActiveX or Java can be used:
And the VPN connection is established:
The first step for AnyConnect is to perform the posture checks (HostScan) and send the reports to the ASA:
Then AnyConnect authenticates and finishes establishing the VPN session:
AnyConnect VPN session with posture - non-compliant
When establishing a new VPN session using AnyConnect, the first step is posture (HostScan), as presented in the screenshot above. Then authentication occurs and the VPN session is established:
The ASA reports that the HostScan report has been received:
%ASA-7-716603: Received 4 KB Hostscan data from IP <10.61.87.251>
Then it performs user authentication:
%ASA-6-113004: AAA user authentication Successful : server = 10.62.145.42 : user = cisco
And it starts authorization for that VPN session. With "debug dap trace 255" enabled, the information regarding the existence of the "c:\test.txt" file is returned:
Multiple other logs then reveal that CSD is installed. This is an example of CSD provisioning and the subsequent AnyConnect connection along with posture:
CSD detected, launching CSD
Posture Assessment: Required for access
Gathering CSD version information.
Posture Assessment: Checking for updates...
CSD version file located
Downloading and launching CSD
Posture Assessment: Updating...
Downloading CSD update
CSD Stub located
Posture Assessment: Initiating...
Launching CSD
Initializing CSD
Performing CSD prelogin verification.
CSD prelogin verification finished with return code 0
Starting CSD system scan.
CSD successfully launched
Posture Assessment: Active
CSD launched, continuing until token is validated.
Posture Assessment: Initiating...
Checking CSD token for validity
Waiting for CSD token validity result
CSD token validity check completed
CSD Token is now valid
CSD Token validated successfully
Authentication succeeded
Establishing VPN session...
Communication between the ASA and AnyConnect is optimized: the ASA requests only specific checks, and AnyConnect downloads the additional data needed to perform them (for example a specific antivirus verification).
When opening a case with TAC, please attach the DART logs along with "show tech" and "debug dap trace 255" output from the ASA.