Assigning AnyConnect Client Profiles based on the machine?

Unanswered Question
Mar 4th, 2010
User Badges:

I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.

If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.

If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.

What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.

It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining is they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.

If at all possible, I do not users to have to pick a conenction profile or use different URL's.

Is there anyway to accomplish this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
stephenneville Tue, 05/08/2012 - 06:02
User Badges:


Did you ever resolve this issue?  I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.

Has anyone got any idea how I could do this?




This Discussion