Cisco Secure Desktop (CSD) – Part 4

      No Comments on Cisco Secure Desktop (CSD) – Part 4

Now, let’s talk about something in CSD that works fairly well, pre-login policies.  Pre-login polices are evaluated prior to even showing the user the login prompt for WebVPN.  Much like all the other CSD functionality it needs to be defined within the ASDM. 
image

Pre-login policy follows what I like to call a ‘flow’.  You begin at the ‘Start’ item and then choose your path based on decisions throughout the flow.  The below screenshot shows a little better example. 
image

For example, in this flow, CDS checks the OS type. If is Windows XP, 2K, or Vista I am put into the default policy.  If I’m running Windows 9x, Mac, Linux, or CSD is unable to detect then my login is denied and I am shown this screen in my browser.
image

The benefit of this flow-like system is that I can have any number of policies.  For instance, take a look at this screenshot below. 
image

I have defined a policy for each OS detection type, which means that I can define CSD settings for each policy.  As I create the policies in the flow, they are also added into the ASDM as shown below. 
image

As you can see, with each policy I create, I am able to define individual settings within that policy.  Now that we have a basis of understanding, let’s look at each of the checks available for use with pre-login policy.  As shown in the very first image, the default setting doesn’t have any configure pre-login policy checks and dumps the user directly into the default policy. To add a pre-login check, click the plus-sign as highlighted in the image below.  When you click the plus-sign an insert check window will appear at the bottom of the screen as shown in the second image.  You are able to configure checks for registry items, files, certificates, OS, and IP addresses.

imageimage

To change the outcome of a check click on the bow directly to the right of the plus-sign. When you select the box to the left of the plus-sign the box at the bottom of the screen will change to end selection window. The end of you flow can deny login, point to a policy (login allowed), or start a subsequence.

imageimage

Subsequences are just new flows.  The image below shows a subsequence, I think it’s fairly self-explanatory. 
imagePretty easy isn’t it?  It certainly is.  However like the other parts of CSD there are pieces that I just couldn’t get working, specifically the IP address check and the certificate check. They just didn’t work and I wasn’t able to find any helpful documentation on defining each of the checks either.  The more frustrating point is that there isn’t a log ANYWHERE that tells you on what step of the policy the client failed at.  The best thing I found was in the hostscan.log file located within C:Documents and Settings<Username>Application DataCiscoCisco HostScan directory.  And this is all it says…..

 

[Sat Jan 30 14:53:48 2010][hostscan][info][csd_transport_get_data] getting data done
[Sat Jan 30 14:53:48 2010][hostscan][debug][cfg_process_data] parsing config data.
[Sat Jan 30 14:53:48 2010][hostscan][warn][parse_prelogin] prelogin denied!

Neat, I mean that tells me all sorts of things I didn’t know already.  It seems to be a reoccurring theme here that the logging and debug information with CSD just isn’t up to par.  On top of which pre-login policies, once defined in production, aren’t something you can just start playing around with to see which one is getting hung up on a particular client machine.  At any rate, let’s walk through configuring the ones that do work.

Shown below is the entire flow that I configured.  I’ll list the checks I configured below.

image 

OS Check – All only newer versions of windows
image 

Registry Check – Check the registry for HKLMSOFTWARE|McAfee
image 

File Check – Check for C:Program FilesMcAfeeManaged VirusScanVScanMcShield.exe
image

Designing flows for pre-login policies are pretty easy to do, however I would stress that these items should be tested well in advance of actually deploying them in production.  And good luck when it comes to troubleshooting these.

Where are CSD configurations stored?
If you are like me and are disappointed about not being able to do any of this in the CLI then you might be asking yourself, where are these configuration settings stored?  Good question.  When you install CSD it creates a folder in flash called ‘sdesktop’.  Within the sdesktop folder is a XML file called data.xml.  A look at the XML file shows all of our pre-login policy settings.  A screenshot of my data.xml file is shown below.  As you can see all of the checks I defined are nested in the XML.

image

Additionally our Default policy is defined at the bottom of the XML document.
image

Summary
Much like some of the other parts of CSD, pre-login policies aren’t 100% perfect.  There are however some pieces that do work and those pieces work fairly well.

Leave a Reply

Your email address will not be published.