
That second approach is used in this example. For older versions of AnyConnect (3.1 and earlier), there was a separate package available on CCO (example: hostscan_3-k9.pkg) which could be configured and provisioned on ASA separately (with the csd hostscan image command), but that option no longer exists for AnyConnect version 4.0. ASA is preconfigured with basic remote VPN access (Secure Sockets Layer (SSL)):
webvpn
Anyconnect image disk0:/anyconnect-win-1-k9.pkg 1
HostScan is a part of CSD which could be provisioned from ASA. Example files (hostscan-win-1-pre-deploy-k9.msi) are shared on Cisco Connection Online (CCO). The HostScan module can be installed manually on the endpoint. This time, full network access is provided (the DAP policy called FileExists is matched).
The user performs remediation (manually installs the file c:\test.txt) and connects again with AnyConnect.
The Dynamic Access Policy (DAP) called FileNotExists is matched.
Once connected via AnyConnect, non-compliant users are allowed limited network access. They access the ASA web page for CSD and AnyConnect provisioning (along with the VPN profile). Remote users do not have AnyConnect installed. Any other condition (antivirus, antispyware, process, application, registry) can be used. Remote VPN users who do not have the file c:\test.txt (non-compliant) must have limited network access to inside company resources: only access to the remediation server 1.1.1.1 is provided. File existence is the simplest example. Remote VPN users who have the file c:\test.txt (compliant) must have full network access to inside company resources. If your network is live, ensure that you understand the potential impact of any command. All of the devices used in this document started with a cleared (default) configuration. The information in this document was created from the devices in a specific lab environment. Cisco AnyConnect Secure Mobility Client, Version 4.0 and Later. Cisco Identity Services Engine (ISE) Software, Versions 1.3 and Later. The information in this document is based on these software and hardware versions: Cisco AnyConnect Secure Mobility Client.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics: After the VPN session is established, compliant stations are allowed full network access whereas non-compliant stations have limited network access. Also, CSD and AnyConnect 4.0 provisioning flows are presented. The posture is performed locally by ASA with the use of Cisco Secure Desktop (CSD) with the HostScan module. This document describes how to perform posture for remote VPN sessions terminated on Adaptive Security Appliance (ASA).