I have searched the forums and documentation but haven't found a solution to my problem. I am guessing it comes up occasionally but maybe I am searching for the wrong thing. We have rolled out AnyConnect to all of our laptops but are struggling with employees who are getting the AnyConnect software from other sources and installing it on home PCs. We are a governmental agency, although fairly small, but we have security policies in place and I need to lock it down so users cannot connect to the VPN unless they are on a work PC connected to our AD domain. I've found one possible solution is to use Dynamic Access Policies within the ASA to check the Windows computer name. So I set up LDAP and created a policy to check an AAA attribute. It allows me to select "MemberOf", which I'm assuming is the user group, but I need to check the computer name on the client before it allows access.
Stepping back from what I have already done, does anyone know of an easier or more logical way to lock down which computers the AnyConnect VPN client can be used on?
Or, if I am going about it the right way with dynamic access policies, does anyone have suggestions or know of documentation that assists in configuring things correctly when checking the computer name LDAP attribute?
You don't need LDAP for this; what you need is CSD (Cisco Secure Desktop) combined with DAP.
After you enable CSD, edit your DAP policy, and instead of an AAA attribute like you were trying, add an endpoint attribute (on the right-hand side).
To check on hostname, select attribute type "device".
Alternatively you can also enable Host Scan (under CSD) and let CSD check for the presence of a file with a certain filename, or a registry entry, or a process name. CSD will pass the result of this check to DAP, so you can use it in a policy (endpoint attributes of type process, registry and file).
One other alternative is to use CSD with a pre-login policy. This does not allow you to check on hostname, but it does allow checking on IP address, OS type, and certificate, as well as the presence of a process, registry key, or file. In that case you don't need DAP.