This document describes how to perform the posture for remote VPN sessions terminated on Adaptive Security Appliance (ASA). The posture is performed locally by ASA with the use of Cisco Secure Desktop (CSD) with HostScan module. After VPN session is established, compliant station are allowed full network access whereas non-compliant station has limited network access.
Also, CSD and AnyConnect 4.0 provisioning flows are presented.
Cisco recommends that you have knowledge of these topics:
Cisco ASA VPN configuration
Cisco AnyConnect Secure Mobility Client
The information in this document is based on these software and hardware versions:
Microsoft Windows 7
Cisco ASA, Version 9.3 or Later
Cisco Identity Services Engine (ISE) Software, Versions 1.3 and Later
Cisco AnyConnect Secure Mobility Client, Version 4.0 and Later
CSD, Version 3.6 or Later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Corporate policy is as follows:
Remote VPN users which has file c:\test.txt (compliant) must have full network access to inside company resources
Remote VPN users which do not have file c:\test.txt (non-compliant) must have limited network access to inside company resources: only access to remediation server 220.127.116.11 is provided.
File existence is the simplest example. Any other condition (antivirus, antispyware, process, application, registry) can be used.
The flow is as follows:
Remote users does not have AnyConnect installed. They access ASA web page for CSD and AnyConnect provisioning (along with the VPN profile)
Once the connection via AnyConnect, non-compliant users are allowed with limited network access. Dynamic Access Policy (DAP) called FileNotExists are matched.
User performs remediation (manually install file c:\test.txt) and connects again with AnyConnect. This time, full network access is provided (DAP policy called FileExists are matched).
HostScan module can be installed manually on the endpoint. Example files (hostscan-win-4.0.00051-pre-deploy-k9.msi) are shared on Cisco Connection Online (CCO). But, it could be also pushed from ASA. HostScan is a part of CSD which could be provisioned from ASA. That second approach is used in this example.
For older versions of AnyConnect (3.1 and earlier), there was a separate package available on CCO (example: hostscan_3.1.06073-k9.pkg) which could have been configured and provisioned on ASA separately (with csd hostscan image command) - but that option do not exists anymore for AnyConnect version 4.0.
Step 1. Basic SSL VPN Configuration
ASA is preconfigured with basic remote VPN access (Secure Sockets Layer (SSL)):
HostScan is still fully supported, new Basic HostScan rule is added. Existence of c:\test.txt is verified as shown in the image.
Also, additional Advanced Endpoint Assessment rule is added as shown in the image.
That one checks for the existence of Symantec Norton AntiVirus 20.x and Microsoft Windows Firewall 7. Posture module (HostScan) checks these values but there will be no enforcement (DAP policy does not verify that).
Step 3. DAP Policies
DAP policies are responsible to use the data gathered by HostScan as conditions and apply specific attributes to the VPN session as a result. In order to create DAP policy from ASDM, navigate to Configuration > Remote Access VPN > Clientless SSL VPN Access > Dynamic Access Policies as shown in the image.
First policy (FileExists) checks tunnel-group name which is used by configured VPN profile (VPN profile configuration has been omitted for clarity). Then, additional check for the file c:\test.txt is performed as shown in the image.
As a result, no actions are performed with the default setting in order to permit connectivity. No ACL is used - full network access is provided.
Details for the file check are as shown in the image.
Second policy (FileNotExists) is similar - but this time condition is if file is not existing as shown in the image.
The result has access-list ACL1 configured. That is applied for non-compliant VPN users with the provision of limited network access.
Both DAP policies push for AnyConnect Client access as shown in the image.
ISE is used for user authentication. Only network device (ASA) and correct username (cisco) must be configured. That part is not covered in this article.
Use this section in order to confirm that your configuration works properly.
CSD and AnyConnect Provisioning
Initially, user is not provisioned with AnyConnect client. User is also not compliant with the policy (the file c:\test.txt does not exist). Enter https://10.62.145.45 and the user is immediately redirected for CSD installation as shown in the image.
That can be done with Java or ActiveX. Once CSD is installed, it is reported as shown in the image.
Then user is redirected for authentication as shown in the image.
If successful, AnyConnect along with configured profile is deployed - again ActiveX or Java can be used as shown in the image.
And, the VPN connection is established as shown in the image.
The first step for AnyConnect is to perform posture checks (HostScan) and send the reports to ASA as shown in the image.
Then, AnyConnect authenticates and finishes VPN session.
AnyConnect VPN Session with Posture - Non Compliant
When you establish a new VPN session with AnyConnect, the first step is the posture (HostScan) as presented on the screenshot earlier. Then, authentication occurs and the VPN session is established as shown in the images.
ASA reports that HostScan report is received:
%ASA-7-716603: Received 4 KB Hostscan data from IP <10.61.87.251>
Then performs user authentication:
%ASA-6-113004: AAA user authentication Successful : server = 10.62.145.42 : user = cisco
And starts authorization for that VPN session. When you have "debug dap trace 255" enabled, the information with regards to the existence of c:\test.txt file is returned:
Then, multiple other logs reveal that CSD is installed. This is the example for a CSD provisioning and subsequent AnyConnect connection along with posture:
CSD detected, launching CSD Posture Assessment: Required for access Gathering CSD version information. Posture Assessment: Checking for updates... CSD version file located Downloading and launching CSD Posture Assessment: Updating... Downloading CSD update CSD Stub located Posture Assessment: Initiating... Launching CSD Initializing CSD Performing CSD prelogin verification. CSD prelogin verification finished with return code 0 Starting CSD system scan. CSD successfully launched Posture Assessment: Active CSD launched, continuing until token is validated. Posture Assessment: Initiating...
Checking CSD token for validity Waiting for CSD token validity result CSD token validity check completed CSD Token is now valid CSD Token validated successfully Authentication succeeded Establishing VPN session...
Communication between ASA and AnyConnect is optimized, ASA requests in order to perform only specific checks - AnyConnect downloads additional data in order to be able to perform that (for example specific AntiVirus verification).
When you open the case with TAC, attach Dart logs along with "show tech" and "debug dap trace 255" from ASA.