PCA Demonstration Video
The resolution is not ideal (especially for seeing the log entries), but it gives you a general idea. For more information, see your Cisco SE : )
Video 1
This video shows a client booting up and connecting to the confidential network. The PC uses full disk encryption from TrueCrypt and is also protected by Cisco Security Agent.
Once the PC has booted, the Cisco IPSec client connects to the ASA 5500 series and authenticates. This is done with two factors. The first is a digital certificate, in this case stored in the local certificate store, although it may also be stored on a smart card. With the certificate in a software store, possession of that first factor depends on the PC's disk encryption and OS protections; a smart card keeps the private key off the disk. The second factor is a username and password, the user's Active Directory credentials.
The Cisco ASA 5500 is configured with three Dynamic Access Policies (DAPs).
The first is called "Allow Network Services" and allows basic requirements such as access to DNS, Active Directory and so on. It is applied to all clients.
The second is called "Allow Application A" and permits users who are members of the Active Directory group 'ApplicationAusers' to make HTTP connections to 10.1.1.66. There is a third policy called "Allow Application B" that is similar.
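To make the DAP logic concrete, here is a small Python model of how the three policies combine for a session. This is an added example, not Cisco code and not the author's configuration: it mirrors the post's description (one record for everyone, two records selected by Active Directory group membership, which the ASA matches against the LDAP memberOf attribute) and the documented aggregation rule that network ACLs from all matching records are merged in priority order, highest number first, with the usual implicit deny at the end. The Application B server address, the group name 'ApplicationBusers', the AD/DNS server address and the priority values are assumptions.

```python
"""Model of ASA Dynamic Access Policy (DAP) aggregation for one VPN session.

Added example, not Cisco code. Addresses other than 10.1.1.66 and groups other
than 'ApplicationAusers' are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    """One access-control entry of a network ACL."""
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "ip" (ip = any protocol)
    dst: str             # destination network in CIDR form
    port: Optional[int]  # destination port, None = any port

    def matches(self, proto: str, dst_ip: str, port: int) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.port is None or self.port == port))


@dataclass
class DapRecord:
    """A DAP record: selection criterion plus the network ACL it contributes."""
    name: str
    priority: int
    required_group: Optional[str]  # None = no criterion, record applies to all
    acl: List[Ace]

    def selected(self, member_of) -> bool:
        # The ASA evaluates aaa.ldap.memberOf against the record's criteria.
        return self.required_group is None or self.required_group in member_of


RECORDS = [
    DapRecord("Allow Network Services", 10, None, [
        Ace("permit", "udp", "10.1.1.10/32", 53),   # DNS (server address assumed)
        Ace("permit", "tcp", "10.1.1.10/32", 389),  # LDAP to AD (assumed)
        Ace("permit", "tcp", "10.1.1.10/32", 88),   # Kerberos to AD (assumed)
    ]),
    DapRecord("Allow Application A", 20, "ApplicationAusers", [
        Ace("permit", "tcp", "10.1.1.66/32", 80),   # HTTP to Application A (from the post)
    ]),
    DapRecord("Allow Application B", 20, "ApplicationBusers", [  # group name assumed
        Ace("permit", "tcp", "10.1.1.67/32", 80),   # Application B server address assumed
    ]),
]


def effective_acl(member_of) -> List[Ace]:
    """Merge the ACLs of every record the session matches.

    The ASA sequences aggregated network ACLs from the highest priority
    number to the lowest; an ASA ACL always ends with an implicit deny.
    """
    chosen = sorted((r for r in RECORDS if r.selected(member_of)),
                    key=lambda r: r.priority, reverse=True)
    acl = [ace for r in chosen for ace in r.acl]
    acl.append(Ace("deny", "ip", "0.0.0.0/0", None))
    return acl


def permitted(member_of, proto: str, dst_ip: str, port: int) -> bool:
    """First-match evaluation of the aggregated ACL, as a firewall does."""
    for ace in effective_acl(member_of):
        if ace.matches(proto, dst_ip, port):
            return ace.action == "permit"
    return False


if __name__ == "__main__":
    alice = {"ApplicationAusers"}          # member of the Application A group only
    for name, member_of in (("alice", alice), ("nobody", set())):
        print(name, "->", [r.name for r in RECORDS if r.selected(member_of)])
    print("alice to 10.1.1.66:80 :", permitted(alice, "tcp", "10.1.1.66", 80))
    print("alice to 10.1.1.67:80 :", permitted(alice, "tcp", "10.1.1.67", 80))
    print("anyone to DNS        :", permitted(set(), "udp", "10.1.1.10", 53))
```

Running it shows the point of the design: every session gets the network-services entries, a member of 'ApplicationAusers' additionally reaches 10.1.1.66 on port 80, and a session with no group membership is denied everything except the shared services.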
Video 2
This video shows the log files. It is remarkable just how much information is in there. In addition to what is pointed out by the commentary, if you pause it you can look out for some extra detail.
After the first three entries, where the IPSec client's certificate is being validated, you see four entries showing the connection the ASA makes to the Active Directory server. It is using LDAP over TLS (encrypted LDAP), and you can see the certificate exchange. That encryption only protects the credentials if the ASA checks the AD server's certificate against a trusted CA rather than accepting any certificate it is offered.
One of the nice things about the ASA/ASDM is that when you look at the log message for a packet that has been denied, it tells you which ACL was responsible. In this case it shows that the ACL was dynamically generated by DAP.
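The same detail can be pulled out of exported syslog rather than read in ASDM. The following is an added example, not Cisco's or the author's code: it parses ASA deny messages, extracts the ACL named in each one, and flags those whose name marks them as generated by DAP. The log lines are constructed to follow the documented %ASA-4-106023 format; the DAP-generated ACL name "DAP-ip-user-1a2b3c4d" and the addresses other than 10.1.1.66 are assumptions, since the ASA chooses the real name itself.

```python
"""Extract the responsible ACL from ASA syslog denials.

Added example, not Cisco or the author's code. SAMPLE_LOG is constructed;
the DAP ACL name and the addresses other than 10.1.1.66 are assumptions.
"""
import re
from collections import Counter

# Constructed sample: one successful AAA login and three 106023 denials.
SAMPLE_LOG = """\
%ASA-6-113004: AAA user authentication Successful : server = 10.1.1.10 : user = alice
%ASA-4-106023: Deny tcp src outside:192.168.5.20/51234 dst inside:10.1.1.67/80 by access-group "DAP-ip-user-1a2b3c4d" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/44000 dst inside:10.1.1.66/80 by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src outside:192.168.5.20/51235 dst inside:10.1.1.67/161 by access-group "DAP-ip-user-1a2b3c4d" [0x0, 0x0]
"""

# %ASA-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [...]
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Assumed naming convention for ACLs the ASA builds from DAP records.
DAP_ACL_PREFIX = "DAP-"


def parse_denials(log_text: str):
    """Return one dict per 106023 message, with the denying ACL identified."""
    denials = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a deny message (e.g. the 113004 AAA line)
        d = m.groupdict()
        d["dap_generated"] = d["acl"].startswith(DAP_ACL_PREFIX)
        denials.append(d)
    return denials


def summarize(denials):
    """Count denials per (ACL, destination, port): which policy is blocking what."""
    return Counter((d["acl"], d["dst"], d["dport"]) for d in denials)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        origin = "DAP-generated" if d["dap_generated"] else "static"
        print(f'{d["src"]} -> {d["dst"]}:{d["dport"]}/{d["proto"]} denied by {d["acl"]} ({origin})')
    for (acl, dst, port), n in summarize(found).most_common():
        print(f"{n:3d}  {acl:24s} {dst}:{port}")
```

Grouping by ACL name separates denials caused by a user's DAP policy (a user trying to reach an application they are not entitled to) from denials by the static interface ACL, which is the distinction the ASDM log viewer makes in the video.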