Restrict AnyConnect access to AD registered machines.
We have AD authentication working well for user authentication of AnyConnect sessions. We now need to restrict AnyConnect access to ONLY machines registered in AD. I'm not having any success with this. What's the best way to do this?
The most common method is to use a Dynamic Access Policy (DAP). That requires you have AnyConnect Premium and Advanced Endpoint Assessment licenses. If you do, we can refer to the Configuration Guide section on DAP. Typically we search for a registry key that identifies the domain membership.
The other alternative is to issue machine certificates and use the certificate as the first step of a two-factor authentication method. That does not require either of the two licenses I mentioned - only AnyConnect Essentials (although if you have them, that's OK).
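An added illustration of the DAP approach described above (example code, not from the original thread or from Cisco): a DAP LUA expression that passes only when HostScan reports the expected domain-membership registry value. It assumes a HostScan Advanced Endpoint Assessment registry check has been created with the label "domain_member", that the expected value is the placeholder "example.com", and that the endpoint attribute names follow the DAP LUA endpoint attribute reference.

```lua
-- Added example, not from the original thread.
-- "domain_member" is an assumed HostScan registry-check label and
-- "example.com" an assumed expected value; adjust both to your environment.
assert(function()
  local r = endpoint.registry["domain_member"]
  -- If HostScan did not report the key, treat the machine as non-domain
  -- and deny, rather than failing open on a missing attribute.
  if type(r) ~= "table" or not r.exists then
    return false
  end
  -- Compare the reported registry value with the expected domain name.
  return EVAL(r.value, "EQ", "example.com", "string")
end)()
```

The expression is attached to a DAP record whose action is Continue, with the default DAP set to Terminate so that any machine that fails the check is refused.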