Notes:
DAP policy is applied to all anyconnect profiles so your DAP rules must cover all. You can't apply it to just one profile
You need to update to latest CSC but also match the posture package and the SSO (secure external browser package) to the same version.
If CSC is on 5.1.17, then the other two need to be on 5.1.17. You may only need the SSO package if their MFA is redirecting to a webapge.
Secure client section in endpoint criteria can be used to select platform to know if its on widnows or mobile
I hit an issue. The fix was to match the hostscan module to the same version as the secure client.
If you are having issues upgrade to latest/recommended release.
Keep in mind when DAP is switched on its global for all anyconnect profiles so you need to make sure you have DAP rules setup to cover everything.
Posture is only checked once on connection its not a constant thing (like CSA, which is still only checking/enforcing every 5-15 minutes)
If you are still having issues:
- Start a putty session with logging enabled
- sh run all dynamic-access-policy-record
- debug dap trace 255
- debug dap errors
- apply the DAP in FMC and push policy
- sh run all dynamic-access-policy-record
- show tech
- send the output to cisco tac
No comments:
Post a Comment