
Cisco AnyConnect Central Manager

Folks,

Does anyone know if we have a Cisco AnyConnect central manager? From what I understand, we do not have one.

My use case is that we have had a few AnyConnect nodes across the globe, and managing the configuration to keep it the same everywhere does become a challenge.

 

Are there any other recommendations anyone has?

 

 

Regards,

N.


Francesco Molino
VIP Alumni

Hi

 

What do you mean by keeping the AnyConnect configuration the same?

Are you talking about the XML profile itself or the VPN configuration on the FW?

There’s no Central Manager per se.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thanks for the response. I meant both the XML profile and the VPN configuration.

Sample use cases are: ensuring that all nodes have the same profile, the ACL name remains the same, the ACL gets applied to the same profile everywhere, etc.

I am hearing about CDO (Cisco Defense Orchestrator) and wondering if that would be the correct fit here. I feel it should.

 

 

Regards!!

N.

Marvin Rhoads
Hall of Fame

Yes, CDO can centrally manage your ASAs' configurations, including the files (xml profile etc.) stored on them.

https://docs.defenseorchestrator.com/Configuration_Guides/ASA_File_Management

You can also use ISE to manage multiple ASAs' VPN profiles (but not the rest of the ASAs' configurations).

Hi Marvin,

Many thanks.


I did not understand the part:

"You can also use ISE to manage multiple ASAs' VPN profiles (but not the rest of the ASAs' configurations)."

 

By VPN profiles, you mean specifically AnyConnect profiles, right? If yes, can you provide me some links for this as well on how we can do this? I'll search for this as well.

Our use case is for the VPN profiles only. We want to ensure that the configuration for one profile remains the same on all the nodes.

i.e. the ACL, the associated policies etc.

 

 

Regards,

N!!!

Hi 

 

You can set up your VPN access on all boxes the same way and authenticate all your users on ISE. So based on their AD group membership, ASA location, you can push different ACLs that are managed in 1 central place (ISE).

So your XML profiles will be quite the same except the URL of the ASA that will change.

Is it something like that you want to do?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
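
A drift check for the setup described in the answer above, where the XML profiles are the same on every ASA except for the ASA's URL. This is an added example, not part of the original thread and not Cisco tooling; the node names, the example.com addresses, and the choice of `HostName`/`HostAddress` as the only per-node elements are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Elements expected to differ per ASA (assumption: only server-list entries vary).
PER_NODE_TAGS = {"HostName", "HostAddress"}

def _local(tag):
    """Strip the XML namespace so profiles compare by element name."""
    return tag.rsplit("}", 1)[-1]

def normalize(elem):
    """Return the profile as a nested tuple with per-node values masked."""
    name = _local(elem.tag)
    text = "<per-node>" if name in PER_NODE_TAGS else (elem.text or "").strip()
    attrs = tuple(sorted(elem.attrib.items()))
    return (name, attrs, text, tuple(normalize(c) for c in elem))

def fingerprint(profile_xml):
    """SHA-256 over the normalized profile; equal digests mean no drift."""
    tree = normalize(ET.fromstring(profile_xml))
    return hashlib.sha256(repr(tree).encode()).hexdigest()

def drifted(profiles, baseline):
    """Names of nodes whose profile differs from the baseline node's profile."""
    ref = fingerprint(profiles[baseline])
    return sorted(n for n, x in profiles.items() if fingerprint(x) != ref)

# Constructed sample profile template (not taken from the thread).
TEMPLATE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <LocalLanAccess UserControllable="{lan_ctl}">false</LocalLanAccess>
  </ClientInitialization>
  <ServerList>
    <HostEntry><HostName>{name}</HostName><HostAddress>{addr}</HostAddress></HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed samples: the third node lets users toggle local LAN access.
SAMPLES = {
    "asa-emea": TEMPLATE.format(name="EMEA", addr="vpn-emea.example.com", lan_ctl="false"),
    "asa-apac": TEMPLATE.format(name="APAC", addr="vpn-apac.example.com", lan_ctl="false"),
    "asa-amer": TEMPLATE.format(name="AMER", addr="vpn-amer.example.com", lan_ctl="true"),
}

if __name__ == "__main__":
    print(drifted(SAMPLES, "asa-emea"))
```

Attributes are part of the fingerprint, so a change to a `UserControllable` flag is reported even when the element's value is unchanged.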

Hi Francesco,

Do you have a detailed document I can refer to? I did not quite understand the meaning of "URL of the ASA that will change".

 

Regards,

N!
