[c-nsp] Profiling with ASA?
Ryan West
rwest at zyedge.com
Thu Nov 17 13:07:59 EST 2011
Scott,
On Thu, Nov 17, 2011 at 12:06:55, Scott Voll wrote:
> Subject: [c-nsp] Profiling with ASA?
>
> Has anyone done any profiling of devices connecting to ASA for
> AnyConnect VPN service?
>
> I'm looking at how the ASA can profile a user device. For example, user
> Joe connects with corporate laptop, use profile Corp. User Joe turns
> around and connects via his home PC, use profile Home.
>
> I'm not sure where to look for the documentation, because I don't know
> what Cisco would call it. Any info or links would be highly appreciated.
>
If you already have premium AnyConnect licensing, you could leverage host scan with CSD to pull a file or registry key to determine if the laptop is a corporate entity or not. If you need a more robust solution, Cisco is pushing ISE pretty hard these days and you could use an iPEP device after your ASA to enforce policy.
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac05hostscanposture.html#wp1033842
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html
-ryan