
ISE and Windows drive mapping scripts

Ben.Levin
Level 1

We are using ISE authentication and posture assessment for VPN and wireless and need to figure out a way to have the drive mappings script run after posture assessment is complete and successful.  I know AnyConnect can run scripts but has anyone done this before and is there any documentation on the process?  I've read the AnyConnect administration guides but it's not clear what type of scripts can be run and whether the ISE posture module can run the script when it reaches the compliant state. Thanks.

1 Accepted Solution

abhishek.marat1
Level 1

Yes, we do this in our environment.

We have a .bat file:

@echo off
rem Wait until DOMAIN answers a ping.
:loop
timeout 2
ping -n 1 DOMAIN |find "TTL=" || goto :loop
echo Answer received.
rem Check a second time before mapping the drive.
:loop2
timeout 2
ping -n 1 DOMAIN |find "TTL=" || goto :loop2
echo Answer received.
rem Map U: to the user's share only if it is not already mapped.
if not exist U:\ (net use U: \\PATH\%username% /persistent:no)
Exit

You need to name this file as scripts_OnConnect.bat and import it to the ASA.

You need to enable scripting in your AnyConnect Client profile if you are using client VPN. I have attached a screenshot of the option 'enable scripting'. The option can be found under: Please see location.png (attachments: Enable scripting.png, location.png).
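An added example, not part of the original answer: a bounded variant of the script above that retries the `net use` itself instead of pinging, so the drive maps only once SMB to the file server is permitted, and stops after a fixed number of attempts. The server name, log path and retry count are constructed placeholders, and it assumes the pre-compliance authorization in your ISE policy does not allow SMB to the file server.

```bat
@echo off
rem Added example: bounded variant of the OnConnect script in the answer above.
rem SHARE, LOG and MAX_TRIES are constructed placeholders, not values from the thread.
setlocal
set "DRIVE=U:"
set "SHARE=\\fileserver.example.internal\home\%USERNAME%"
set "LOG=%TEMP%\drivemap_onconnect.log"
set /a MAX_TRIES=36
set /a TRIES=0

rem Nothing to do if the drive is already mapped.
if exist %DRIVE%\ goto :end

:retry
set /a TRIES+=1
rem Try the mapping itself instead of pinging: net use only succeeds once
rem SMB to the file server is actually permitted for this session.
net use %DRIVE% "%SHARE%" /persistent:no >nul 2>&1
if not errorlevel 1 goto :mapped

rem Stop after MAX_TRIES attempts so a session that never gets access
rem does not leave the script looping indefinitely.
if %TRIES% geq %MAX_TRIES% goto :giveup
timeout /t 5 /nobreak >nul
goto :retry

:mapped
>>"%LOG%" echo %DATE% %TIME% mapped %DRIVE% after %TRIES% attempt(s)
goto :end

:giveup
>>"%LOG%" echo %DATE% %TIME% gave up mapping %DRIVE% after %TRIES% attempts

:end
endlocal
exit /b 0
```

The log file gives the help desk a record of whether the mapping succeeded and how long access took to open up after connect.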

5 Replies

Darius
Level 1

Hi,

Did you find any documentation on this?


Hi

Have you found any solution for "ISE posture module can run the script when it reaches the compliant state"?

I have the same requirement.

br

Ashish

ISE 3.1 can run a PowerShell or bash script to remediate non-compliance on an endpoint.
https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/admin_guide/b_ise_admin_3_1/b_ISE_admin_31_compliance.html#task_dlq_gq1_jpb

ISE uses compliance as a condition for authorization to access the network. Running scripts after compliance is not really what ISE is intended to do.

Saying that, you could always suggest a feature enhancement.