Cisco Support Community

New Member

Restrict AnyConnect access to AD registered machines.

We have AD authentication working well for user authentication of AnyConnect sessions. We now need to restrict AnyConnect access to ONLY machines registered in AD. I'm not having any success with this. What's the best way to do this?

New Member

You can try split tunneling. Define a standard ACL which would have only those hosts/subnets and allow it in the group policy which is getting pushed to the users.

Also, you can use a DAP policy to push access to certain hosts.



Hall of Fame Super Silver

The most common method is to use a Dynamic Access Policy (DAP). That requires you have AnyConnect Premium and Advanced Endpoint Assessment licenses. If you do, we can refer to the Configuration Guide section on DAP. Typically we search for a registry key that identifies the domain membership.

The other alternative is to issue machine certificates and use the certificate as the first step of a two-factor authentication method. That does not require either of the two licenses I mentioned - only AnyConnect Essentials (although if you have them, that's OK).
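As an added illustration of the machine-certificate alternative described in the answer above (this is example configuration written for this page, not configuration posted by the answerer or taken from Cisco documentation), the following ASA CLI fragment requires a certificate issued by the enterprise CA before the AD user credentials are even prompted for. The trustpoint name `CORP-CA`, the AAA server group `AD-LDAP`, the tunnel group `ANYCONNECT-AD`, the group policy `GP-AD-MACHINES`, the certificate map `CORP-MACHINE-CERT`, the URL and the `Domain Computers` OU value are all assumed placeholders; substitute your own names and the subject attributes your CA actually stamps into machine certificates.

```cisco
! --- Trust the enterprise CA that issues the machine certificates (assumed name CORP-CA).
! Enabling CRL checking means a revoked (e.g. decommissioned) machine is refused,
! which is the check most deployments forget.
crypto ca trustpoint CORP-CA
 enrollment terminal
 crl configure
  policy cdp
! (then paste the CA certificate with: crypto ca authenticate CORP-CA)

! --- AD / LDAP server group used for the second factor (user credentials); assumed name AD-LDAP.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password ****
 server-type microsoft

! --- Only accept certificates whose subject marks them as domain machine certificates.
! The OU string is assumed; match whatever your CA template writes into the subject.
crypto ca certificate map CORP-MACHINE-CERT 10
 subject-name attr ou eq "Domain Computers"
 issuer-name attr cn co "CORP-CA"

! --- Group policy and tunnel group for domain-joined machines (assumed names).
group-policy GP-AD-MACHINES internal
group-policy GP-AD-MACHINES attributes
 vpn-tunnel-protocol ssl-client

tunnel-group ANYCONNECT-AD type remote-access
tunnel-group ANYCONNECT-AD general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-AD-MACHINES
tunnel-group ANYCONNECT-AD webvpn-attributes
 ! Certificate first, then AAA (AD) credentials: both must succeed.
 authentication aaa certificate
 group-alias ad-machines enable

! --- Map any connection presenting a matching machine certificate to that tunnel group,
! so a client without such a certificate never lands in the AD-restricted group.
webvpn
 enable outside
 anyconnect enable
 certificate-group-map CORP-MACHINE-CERT 10 ANYCONNECT-AD
```

The security point is the pairing of `authentication aaa certificate` with the certificate map: the certificate proves the machine was enrolled by your CA (the "registered in AD" condition the question asks for), and the AD credentials prove the user. Verify with `show vpn-sessiondb anyconnect` that sessions only appear under `ANYCONNECT-AD` when a certificate was presented, and test with a non-domain laptop to confirm it is refused before the password prompt.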