
Different Any Connect script per LDAP Attribute or Group Policy

jlamb24
Level 1

I am looking to deploy scripts to certain users only who log onto our VPN. From what I can tell, there is no way to specify in each group policy which scripts to run on connect for AnyConnect 4.3. Either scripting is enabled on the profile or it isn't, that's it. Is this true? I've seen other threads where it is stated that this is not possible, but in those threads, they were running a lower version of AnyConnect.

 

We utilize AAA for authentication that queries an LDAP server for creds. Is it possible to create an LDAP attribute map that will only run a script if a user has that particular attribute?

 

 

4 Replies

balaji.bandi
Hall of Fame

You need to have an LDAP user group, like "AnyConnect", and put the users who require VPN in that group.

 

So only those users will get authenticated; the rest will be denied.

 

BB


Rahul Govindan
VIP Alumni

Yes, group-policy has no effect on OnConnect or OnDisconnect scripts. So even if you use LDAP attribute mapping, the script is going to run on connection and disconnection if it is present on the ASA and enabled on the profile. That being said, you can have a different AnyConnect profile per group-policy. So if you use LDAP attribute mapping to assign them to the right GP, you can directly tie only certain AD groups to a profile that has "Enable Scripting" checked.

Thank you! I knew you could apply the OnConnect scripts per group policy. We have only one policy set up for all users and I don't want to enable scripting on that policy. I'd like to create another policy and map select users to that policy, but how can I have the select users use that policy and not have to change their VPN connection profile on their AnyConnect client? Is it possible?

Yes, users can still choose the same connection profile as they did before. You are only changing what group-policy gets applied to them post-authentication. When you create an LDAP attribute map and map an AD group to a new group-policy, users in that AD group will always be assigned the new group-policy, even though their connection profile has a default group-policy. AAA-based group-policy assignment has a higher priority than the locally assigned default group-policy.
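The approach described in the replies above, written out as an added ASA configuration example (this is not configuration posted in the thread; all names, DNs, addresses, file names and the group-policy names GP-DEFAULT / GP-SCRIPTING and profile names AC-DEFAULT / AC-SCRIPTING are placeholders). The memberOf value of the chosen AD group is translated into the Cisco Group-Policy attribute, the mapped group-policy pushes a client profile with "Enable Scripting" checked, and the tunnel-group the users already connect to is left with its original default-group-policy for everyone else.

```text
! Constructed example, not from the original thread. Placeholders throughout.
!
! 1. LDAP attribute map: turn the AD "memberOf" value into the Cisco
!    "Group-Policy" attribute. Only the listed group is mapped; any user
!    without that memberOf value gets the tunnel-group's default-group-policy.
ldap attribute-map AD-TO-GP
 map-name  memberOf Group-Policy
 map-value memberOf "CN=VPN-Scripting-Users,OU=Groups,DC=example,DC=com" GP-SCRIPTING
!
! 2. Attach the map to the LDAP server group already used for authentication.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD-TO-GP
!
! 3. Two client profiles: AC-DEFAULT has "Enable Scripting" unchecked,
!    AC-SCRIPTING has it checked (both built in the AnyConnect Profile Editor).
webvpn
 anyconnect profiles AC-DEFAULT   disk0:/ac-default.xml
 anyconnect profiles AC-SCRIPTING disk0:/ac-scripting.xml
!
! 4. Existing group-policy keeps the non-scripting profile; the new one
!    pushes the scripting-enabled profile.
group-policy GP-DEFAULT attributes
 webvpn
  anyconnect profiles value AC-DEFAULT type user
group-policy GP-SCRIPTING internal
group-policy GP-SCRIPTING attributes
 webvpn
  anyconnect profiles value AC-SCRIPTING type user
!
! 5. The connection profile users already select is unchanged apart from
!    authenticating against AD-LDAP. Its default-group-policy only applies
!    when the attribute map returns no Group-Policy for the user.
tunnel-group VPN-USERS general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-DEFAULT
```

A few practical notes on this layout. The script itself is uploaded to the ASA once (in exec mode, for example `import webvpn AnyConnect-customization type binary platform win name scripts_OnConnect_mapdrives.bat tftp://10.0.0.20/mapdrives.bat`, file name and TFTP address being placeholders); the `scripts_OnConnect_` / `scripts_OnDisconnect_` prefix decides when it runs. Every client that connects downloads the script, so the profile's "Enable Scripting" setting, not the presence of the file, is the only thing gating execution; that is exactly why the per-group-policy profile is the control point. If a user is a member of more than one AD group that appears in `map-value` lines, the ASA applies the first matching value the LDAP server returns, so keep the mapped groups mutually exclusive. To confirm the assignment, `debug ldap 255` during a test login shows the memberOf value being mapped to Group-Policy, and `show vpn-sessiondb anyconnect filter name <user>` shows the group-policy that was actually applied to the session.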