SEC0128 - SSL VPN AnyConnect Hostscan and Endpoint Assessment (Part 2)

The video takes you through the Cisco ASA AnyConnect VPN's ability to gather VPN client information using Hostscan and basic Endpoint Assessment features. We will deploy a Hostscan agent as part of the AnyConnect Posture module and create a pre-login policy from device registry and OS checks to categorize the endpoint and allow or deny VPN access accordingly. The video finishes by enabling the Host Scan extension in preparation for the next lab video.
Part 2 of this video goes over pre-login policy testing and enabling the Host Scan extension:
  • Host Scan and AnyConnect Posture Module
  • VPN Pre-Login Policy
    • Certificate Check
    • Registry Check
    • OS Check
  • Host Scan Extension

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.



Thank you for the videos, they are very helpful. I am trying to find a way to detect/gather information about end users' computer names, public IP, and SSL VPN duration. Basically pretty much everything in sh vpn-sessiondb details anyconnect, plus computer name and whether it is a domain or personal computer (without restricting anything at the beginning), so I can start to build new access-lists and policies.

We currently use an ASA5540 in failover mode. We authenticate our end users with a SecureAuth certificate. The main goal is to restrict non-domain computers, but we want to identify them first. We have a Syslog server, and I am trying to pull this information to the Solarwinds Orion server via SNMP traps.

Do you know if there is a way to do that?

Thank you


DAP should give you a lot of information. For the domain computer check, we don't believe there is a quick way to do that other than to do some kind of certificate or registry value check.
