06-17-2019 08:28 AM - edited 06-17-2019 08:44 AM
Hi,
I wonder if the ASA/FTD with AnyConnect can apply different login scripts to different AnyConnect profiles/policies?
Say I have a Windows login script added on the firewall. I want to associate this script with corp users only when they log in to the AnyConnect VPN using "vpn.company.com", and not push the script to contractors when they log in to the VPN using "vpn.company.com/contractors".
I actually disabled scripting in the contractor AnyConnect profile, but the same script is still pushed down to the contractor's laptop...
Thanks,
/S
06-17-2019 08:02 PM
06-17-2019 08:26 PM
06-17-2019 09:12 PM
06-18-2019 04:02 AM
06-20-2019 01:57 PM
10-13-2021 03:53 AM
Francesco,
I know this is an old post, but do you mean you can activate the "onconnect" script on a per Group-Policy basis?
If yes, is this how it's done?
group-policy GP-ANY-MYGROUPPOL2 attributes
 [...]
 webvpn
  anyconnect profiles value profile-xml-with-script type user
 exit
Further up in the config, profile-xml-with-script is linked to a file on the flash:
webvpn
 anyconnect profiles profile-xml-with-script disk0:/profile-xml-with-script.xml
This xml would contain:
<EnableScripting UserControllable="false">true</EnableScripting>
Also, presumably to use an XML file from the ASA as opposed to an offline deployment, does an end user need write-access to: %ALLUSERSPROFILE%\Cisco\Cisco AnyConnect Secure Mobility Client\Script?
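One way to check offline which exported profile XML files actually enable scripting, so that a contractor group policy is not tied to a script-enabled profile by accident. This is an added example, not code from the thread or from Cisco; the sample profile contents, the GP-CONTRACTORS and GP-GUEST names, and treating a missing EnableScripting element as disabled are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample profiles (not from the thread), reduced to the relevant element.
WRAP = ('<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">'
        '<ClientInitialization>%s</ClientInitialization></AnyConnectProfile>')
PROFILES = {
    # group-policy name -> XML of the profile attached to it
    "GP-ANY-MYGROUPPOL2": WRAP % (
        '<EnableScripting UserControllable="false">true\n'
        '  <TerminateScriptOnNextEvent>false</TerminateScriptOnNextEvent>\n'
        '</EnableScripting>'),
    # hypothetical contractor policy: scripting off, but the user may switch it on
    "GP-CONTRACTORS": WRAP % '<EnableScripting UserControllable="true">false</EnableScripting>',
    # hypothetical policy whose profile has no EnableScripting element at all
    "GP-GUEST": WRAP % '<AutoReconnect UserControllable="false">true</AutoReconnect>',
}

def scripting_state(profile_xml):
    """Return the EnableScripting setting of one profile as a dict of booleans."""
    root = ET.fromstring(profile_xml)
    # Match on the local name so the check works with or without a namespace.
    node = next((e for e in root.iter()
                 if e.tag.rsplit("}", 1)[-1] == "EnableScripting"), None)
    if node is None:
        # Assumption: an absent element means scripting is not enabled.
        return {"present": False, "enabled": False, "user_controllable": False}
    # The element can hold child settings, so its own text may carry
    # trailing whitespace before the first child element.
    value = (node.text or "").strip().lower()
    controllable = node.get("UserControllable", "false").lower() == "true"
    return {"present": True, "enabled": value == "true",
            "user_controllable": controllable}

def audit(profiles, allowed):
    """List policies where scripting is on, or user-toggleable, but not expected."""
    findings = []
    for policy in sorted(profiles):
        state = scripting_state(profiles[policy])
        if (state["enabled"] or state["user_controllable"]) and policy not in allowed:
            findings.append(policy)
    return findings

if __name__ == "__main__":
    for name in sorted(PROFILES):
        print(name, scripting_state(PROFILES[name]))
    print("unexpected:", audit(PROFILES, allowed={"GP-ANY-MYGROUPPOL2"}))
```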
10-14-2021 05:48 AM
Just in case it helps others, the above configuration worked, but with some limitations:
Finally, I had a steer via another post that permissions issues within ProgramData are not common. There is some suggestion that the files will get written in by a SYSTEM user, but I wasn't able to confirm it.