Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1032
Views
0
Helpful
1
Replies

Assigning AnyConnect Client Profiles based on the machine?

David Cebula
Level 1
Level 1

‎03-04-2010 08:34 AM - edited ‎02-21-2020 04:31 PM

I have an ASA running 8.2.x code with AnyConnect 2.4.x.I have both Radius and LDAP (AD) AAA available.

If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.

If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.

What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.

It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining is they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.

If at all possible, I do not users to have to pick a conenction profile or use different URL's.

Is there anyway to accomplish this?

Labels:
0 Helpful
1 Reply 1

stephenneville
Level 1
Level 1

‎05-08-2012 06:02 AM

Hi

Did you ever resolve this issue?  I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.

Has anyone got any idea how I could do this?

thanks

Steve

0 Helpful
Customers Also Viewed These Support Documents