02-06-2017 08:37 AM - edited 03-11-2019 12:26 AM
We are using ISE authentication and posture assessment for VPN and wireless and need to figure out a way to have the drive mappings script run after posture assessment is complete and successful. I know AnyConnect can run scripts but has anyone done this before and is there any documentation on the process? I've read the AnyConnect administration guides but it's not clear what type of scripts can be run and whether the ISE posture module can run the script when it reaches the compliant state. Thanks.
02-07-2018 08:12 AM
Hi,
Did you find any documentation on this?
02-12-2018 11:22 AM
Yes, we do this in our environment.
We have a .bat file:
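@echo off
rem Wait until DOMAIN answers a ping, retrying every 2 seconds.
:loop
timeout 2
ping -n 1 DOMAIN |find "TTL=" || goto :loop
echo Answer received.
rem Run the same check a second time before mapping the drive.
:loop2
timeout 2
ping -n 1 DOMAIN |find "TTL=" || goto :loop2
echo Answer received.
rem Map U: to the user's share unless it is already mapped.
if not exist U:\ (net use U: \\PATH\%username% /persistent:no)
Exit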
You need to name this file as scripts_OnConnect.bat and import it to the ASA.
You need to enable scripting in your AnyConnect Client profile if you are using client VPN. I have attached a screenshot of the option 'enable scripting'. The option can be found under: Please see location.png
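A bounded variant of the script above, as an added example that is not part of the original post: it stops after a fixed number of attempts instead of looping forever when DOMAIN never becomes reachable (for example, because posture never reaches the compliant state), and it records a failed mapping. DOMAIN and \\PATH are the post's own placeholders; the attempt limit, the exit codes and the log file name are assumptions.

```batch
@echo off
rem Added example, not the poster's script.
rem DOMAIN and \\PATH are the placeholders used in the post above.
setlocal
set "TARGET=DOMAIN"
set "SHARE=\\PATH\%USERNAME%"
rem Assumed values: 60 attempts, 2 seconds apart, log in the user's TEMP folder.
set /a MAX_TRIES=60
set /a TRIES=0
set "LOG=%TEMP%\onconnect_map.log"

:wait
set /a TRIES+=1
rem Same reachability test as the post: a reply containing "TTL=" means DOMAIN answered.
ping -n 1 %TARGET% | find "TTL=" >nul && goto mapdrive
if %TRIES% geq %MAX_TRIES% goto giveup
timeout /t 2 /nobreak >nul
goto wait

:mapdrive
rem Nothing to do if U: is already mapped.
if exist U:\ goto done
net use U: "%SHARE%" /persistent:no
if errorlevel 1 goto mapfailed

:done
exit /b 0

:mapfailed
>>"%LOG%" echo %DATE% %TIME% net use for U: failed
exit /b 1

:giveup
>>"%LOG%" echo %DATE% %TIME% %TARGET% not reachable after %MAX_TRIES% attempts, drive not mapped
exit /b 2
```

The log gives the help desk a way to tell "never became reachable" apart from "reachable but the share could not be mapped".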
02-12-2018 11:29 AM
This is one of the links I had used to implement AnyConnect Client VPN posturing using a logon script.
07-05-2022 09:26 PM
Hi
Have you found any solution for "ISE posture module can run the script when it reaches the compliant state"?
I have the same requirement.
br
Ashish
07-06-2022 03:29 PM
ISE 3.1 can run a PowerShell or bash script to remediate non-compliance on an endpoint.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_compliance.html#task_dlq_gq1_jpb
ISE uses compliance as a condition for authorization to access the network. Running scripts after compliance is not really what ISE is intended to do.
Saying that, you could always suggest a feature enhancement.