Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2357
Views
2
Helpful
4
Replies

ISE AnyConnect customization bundles?

Go to solution
Dustin Anderson
VIP Alumni
VIP Alumni

‎09-09-2016 11:59 AM

Greetings,

I'm lost on trying to figure out how to do this, or if it's even possible. The 2 issues I have is installing through the web portal. We can manually install correctly, but not via the portal.

1) We don't want to install the VPN client. Through command line, we can do it via this command.

msiexec /package anyconnect-win-4.3.01095-pre-deploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1

2) The default config managed wired, we only want wireless managed.

I found a PDF on customization bundles, but it's vague on if or how to do this. I downoaded their samples, and that's not much more of a help.

Anyone done this?

Or is there a way to edit the pkg file uploaded to ISE?

1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Dustin Anderson

‎09-20-2016 03:24 PM

We will upload each of the AnyConnect profiles individually. For example, below, taken from our ISE compliance lab guide, shows the steps to upload a NAM profile with a name 'anyconnect-NAM-EAP-FAST.xml'.

  1. Click + Add then Agent Resources from local Disk from the drop-down list.

Category

Customer Created Packages

Type

AnyConnect Profile

Name

acNAMProfile

Description

Configure AnyConnect NAM for EAP-FAST.

  1. Browse to C:\Users\Admin\Downloads\
  2. Select anyconnect-NAM-EAP-FAST.xml
  3. Click Submit to save changes. Confirm when prompted for SHA hash match.

After that, we will create an AnyConnect configuration for Windows clients to combine all the profiles.

...

* AnyConnect Package:

AnyConnectDesktopWindows 4.2.01037.0

* Configuration Name:

acConfigWin

Description:

AnyConnect agent configuration for Windows

* Compliance Module

Anyconnect-win-compliance-3.6.10294.2

AnyConnect Module Selection

ISE Posture

VPN

Network Access Manager

Web Security

ASA Posture

Start Before Logon

Diagnostic and Reporting Tool

  

 

 

 

         

 

 

Profile Selection

ISE Posture

VPN 

Network Access Manager

Web Security

Customer Feedback

acPostureWinProfile

acVPNdisableProfile

acNAMProfile

-

-


...

Then, create an ISE client provisioning rule to use the AnyConnect configuration. For example,

Rule Name

ID Groups

OS

Conditions

Results

...

Windows Employee

Any

Windows All

demoAD:ExternalGroups

EQUALS

demo.local/HCC/Groups/Employees

Agent Configuration

Agent: acConfigWin

Native Supplicant Configuration

Config Wizard: WinSPWizard 1.0.0.51

Wizard Profile: Cisco-ISE-NSP

View solution in original post

0 Helpful
4 Replies 4

Go to solution
hslai
Cisco Employee
Cisco Employee

‎09-14-2016 09:09 AM

If I understand your questions correctly, you want to perform web deploy from ISE for AnyConnect ISE posture module and AnyConnect NAM module.

On 1, we may upload a XML file to disable VPN tile using the file attached.

On 2, we may download the AnyConnect profile editor at CCO, install it on a Windows admin PC, use it to create NAM profile.

VPNDisable_ServiceProfile.xml.zip

Go to solution
Dustin Anderson
VIP Alumni
VIP Alumni
In response to hslai

‎09-20-2016 03:10 PM

ok, I have made a new configuration.xml, but I'm not sure how to get it to deploy with the install.

You can upload a customization bundle, but not sure what needs to be in it, and what the folder structure needs to be.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Dustin Anderson

‎09-20-2016 03:24 PM

We will upload each of the AnyConnect profiles individually. For example, below, taken from our ISE compliance lab guide, shows the steps to upload a NAM profile with a name 'anyconnect-NAM-EAP-FAST.xml'.

  1. Click + Add then Agent Resources from local Disk from the drop-down list.

Category

Customer Created Packages

Type

AnyConnect Profile

Name

acNAMProfile

Description

Configure AnyConnect NAM for EAP-FAST.

  1. Browse to C:\Users\Admin\Downloads\
  2. Select anyconnect-NAM-EAP-FAST.xml
  3. Click Submit to save changes. Confirm when prompted for SHA hash match.

After that, we will create an AnyConnect configuration for Windows clients to combine all the profiles.

...

* AnyConnect Package:

AnyConnectDesktopWindows 4.2.01037.0

* Configuration Name:

acConfigWin

Description:

AnyConnect agent configuration for Windows

* Compliance Module

Anyconnect-win-compliance-3.6.10294.2

AnyConnect Module Selection

ISE Posture

VPN

Network Access Manager

Web Security

ASA Posture

Start Before Logon

Diagnostic and Reporting Tool

  

 

 

 

         

 

 

Profile Selection

ISE Posture

VPN 

Network Access Manager

Web Security

Customer Feedback

acPostureWinProfile

acVPNdisableProfile

acNAMProfile

-

-


...

Then, create an ISE client provisioning rule to use the AnyConnect configuration. For example,

Rule Name

ID Groups

OS

Conditions

Results

...

Windows Employee

Any

Windows All

demoAD:ExternalGroups

EQUALS

demo.local/HCC/Groups/Employees

Agent Configuration

Agent: acConfigWin

Native Supplicant Configuration

Config Wizard: WinSPWizard 1.0.0.51

Wizard Profile: Cisco-ISE-NSP

0 Helpful

Go to solution
Dustin Anderson
VIP Alumni
VIP Alumni
In response to hslai

‎09-20-2016 03:40 PM

Thanks,

I did not realize I could upload the bare xml files like that.

0 Helpful
Customers Also Viewed These Support Documents