Configuring DAP and Hostcan to check for AV presence on client

Scenario

You deployed Anyconnect client to remote machines and now you want to make sure that those clients have anti-virus software installed before they can connect.

The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify the operating system, antivirus, antispyware, and firewall software installed on the host. The Host Scan application, which is among the components delivered by the posture module, is the application that gathers this information.

In the adaptive security appliance (ASA), you can create a prelogin policy that evaluates endpoint attributes such as operating system, IP address, registry entries, local certificates, and filenames. Based on the result of the prelogin policy’s evaluation, you can control which hosts are allowed to create a remote access connection to the security appliance.

Solution

First you need to upload and enable Hostscan image. Once this is done you will notice that each client machine will install the package alongside with Anyconnect client.

Next, navigate to ‘Network (Client) Access’ and click on ‘Dynamic Access Policies’ and create a policy. In my case the policy is called ‘TEST’.

The Edit section of the policy looks like this. The top section is an ‘IF’ and the bottom section is ‘THEN’. So in my case if the username is Greig and the client machine has Bitdefender or Windows Defender installed, then the client is allowed to establish a VPN connection to to the ASA. Otherwise it will be denied.

Here is the AAA Attribute ‘edit’ section. We can choose which users will be evaluated by the policy. In my case I want everybody using Connection Profile called Anyconnect to be checked by the policy.

 

Here is the Endpoint Attribute where we specify requirements for the client machine software. I’m choosing which antivirus software should be present on a client machine prior to logon.

Result

Only client machines meeting configured requirements will be allowed to dial in. Machines without antivirus software will be denied and a chosen message will be displayed.

Refererence:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac05hostscanposture.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config/vpn_asdm_dap.pdf

Supported AV software by Hostscan

http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-device-support-tables-list.html

Leave a Reply

Your email address will not be published. Required fields are marked *