Cisco ASA 5525-X Adaptive Security Appliance Leaflet

A. The certificate check verifies only that the certificate is present on the endpoint host, and
not whether the certificate is PKI-validated.
Q. Registry and Certificate Prelogin checks apply to which OSes?
A. Only Windows.
Q. Can CSD settings be pushed from RADIUS/LDAP?
A. No. CSD-specific policies cannot be set through RADIUS/LDAP.
Q. Can CSD detect TCP listening ports on the endpoint PC?
A. CSD 3.2.1 now supports port scanning on the endpoint PC (Windows, Mac, Linux); this
was implemented in CSCsj44999. Dynamic Access Policies (DAP) can enforce the
endpoint.device.port attribute in policy.
Q. What are the CSD and DAP endpoint attributes that can be
enforced on an SSL VPN policy?
A. Here is a list of DAP Endpoint Selection attribute categories as of 8.0.3.x:
♦ Anti-Spyware
♦ Anti-Virus
♦ Application
♦ File
♦ NAC
♦ Operating System
♦ Personal Firewall
♦ Policy (Location)
♦ Process
♦ Registry
♦ Device, such as Hostname, MAC Address, Port Number, and Privacy Protection
Q. What is this CSD token seen within the DAP debugs (DAP_TRACE:
DAP_add_CSD: csd_token = [71F16BEE51C8B569360F9BF0])?
A. The ASA creates unique random numbers and assigns them to HostScans so that it can
distinguish one HostScan from another. HostScan happens before the login, when no SSL VPN
session exists. HostScan does not send the CSD token in the scan file. The token is used to
attach the scan data to the ASA SSL VPN session.
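A toy model of the token binding described in this answer, as an added example (not Cisco code and not part of the original FAQ). The class and method names, the single-use handling of a token, the way the token accompanies the scan, and the sample scan data are assumptions made for illustration.

```python
import secrets


class HostScanBinder:
    """Toy model (not Cisco code) of binding prelogin scan data to a later session."""

    def __init__(self):
        self._pending = {}   # csd_token -> scan data, held while no session exists
        self._sessions = {}  # session_id -> scan data, attached at login

    def start_hostscan(self):
        # One unique random token per HostScan. 12 random bytes give 24 hex digits,
        # the same length as the token in the debug line quoted above.
        token = secrets.token_hex(12).upper()
        self._pending[token] = None
        return token

    def receive_scan(self, token, scan_file):
        # The scan file carries no token; the gateway already knows which token it
        # issued for this HostScan (assumption: it arrives alongside the file).
        if token not in self._pending:
            raise KeyError("unknown csd_token")
        self._pending[token] = dict(scan_file)

    def attach_to_session(self, session_id, token):
        # At login the token selects which HostScan result belongs to the session.
        # Assumption: a token is consumed once; no scan means no endpoint attributes.
        attrs = self._pending.pop(token, None)
        self._sessions[session_id] = attrs or {}
        return self._sessions[session_id]


def demo():
    binder = HostScanBinder()
    t1, t2 = binder.start_hostscan(), binder.start_hostscan()
    # Constructed scan results for two endpoints scanned at the same time.
    binder.receive_scan(t1, {"os": "Windows", "endpoint.device.port": [3389]})
    binder.receive_scan(t2, {"os": "Linux", "endpoint.device.port": [22]})
    a = binder.attach_to_session("session-A", t2)
    b = binder.attach_to_session("session-B", t1)
    reused = binder.attach_to_session("session-C", t1)  # token already consumed
    return t1, t2, a, b, reused


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because the scan data is keyed only by the token, two simultaneous prelogin scans stay separate until each one is attached to its own session.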
Q. What CSD capability is available with AnyConnect in Start Before
Login (SBL) mode?
A. When AnyConnect is launched in SBL mode, only HostScan is performed by CSD
regardless of what the prelogin policy dictates, unless there is no location match, in which
case CSD launch fails.