cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1015
Views
0
Helpful
1
Replies

Assigning AnyConnect Client Profiles based on the machine?

David Cebula
Level 1
Level 1

I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.

If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.

If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.

What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.

It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining is they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.

If at all possible, I do not users to have to pick a conenction profile or use different URL's.

Is there anyway to accomplish this?

1 Reply 1

stephenneville
Level 1
Level 1

Hi

Did you ever resolve this issue?  I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.

Has anyone got any idea how I could do this?

thanks

Steve

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: