Assigning AnyConnect Client Profiles based on the machine?

Unanswered Question
Mar 4th, 2010

I have an ASA running 8.2.x code with AnyConnect 2.4.x. I have both RADIUS and LDAP (AD) AAA available.

If a user connects from a company-owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc.) and network ACL set A.

If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc.) and network ACL set B.

What I would like is for CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign an EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACLs that get set.

It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining if they are coming in from a company laptop or not when assigning the Group-Policy. DAP cannot assign an AnyConnect client profile.

If at all possible, I do not want users to have to pick a connection profile or use different URLs.

Is there any way to accomplish this?

stephenneville Tue, 05/08/2012 - 06:02

Hi

Did you ever resolve this issue? I am trying to assign a specific IP address based on the hostname or machine cert, but the certificate matching doesn't seem to look at the machine cert.

Has anyone got any idea how I could do this?

Thanks

Steve

Posted March 4, 2010 at 8:34 AM
Categories: ASA