02-05-2012 07:47 AM - edited 02-21-2020 05:51 PM
From what I can tell, there is no way to specify in each group policy which script to run on connect for AnyConnect 2.5.
Either scripting is enabled on the profile or it isn't, that's it.
Is this a bug or am I missing something?
I need to be able to run different scripts based on AnyConnect groups, but how?
Thanks.
02-10-2012 05:09 AM
Hi
you are correct, this is not possible at the moment. It's not a bug, it's just the way it was implemented. You could ask TAC, or better still: your Cisco account team, to submit an enhancement request.
BTW you could use a single script for all users, and in that script use variables like %username% to achieve different behavior for different users.
Or you could pre-deploy a (different) script to all users.
Both suggestions are user-based, not group-based, but I thought I'd mention them anyway in case you or anyone else with a similar question might find them useful.
regards
Herbert
02-10-2012 05:29 AM
Actually now that I think of it some more, you might actually write a script that somehow extracts the groupname from \Users\%username%\AppData\Local\Cisco\Cisco Anyconnect Secure Mobility Client\preferences.xml
(this is the path on win7 - on other platforms it will be different).
And then in the script do something like
if groupname == foo
then
...
else if groupname == foo2
then
...
etc.
This would still not allow you to differentiate on group-policy, but on tunnel-group (which may or may not be equivalent, depending on how you do your group-policy assignment).
Extracting the group from the preferences file might be tricky, but I think it can be done.
hth
Herbert
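One way to do the extraction described in the reply above, as an added PowerShell example that is not part of the original thread and not Cisco's own code. It assumes the group name is stored in a `<DefaultGroup>` element of preferences.xml (check your own file); `foo` and `foo2` are the placeholder group names from the post, and `Get-AnyConnectGroup` is a hypothetical helper name.

```powershell
# Added example: branch an on-connect script on the group saved in preferences.xml.
# Assumption: the group lives in a <DefaultGroup> element (verify on your client).

function Get-AnyConnectGroup {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return $null }

    try {
        $xml = New-Object System.Xml.XmlDocument
        $xml.XmlResolver = $null   # never resolve external DTDs or entities
        $xml.Load($Path)
    } catch {
        return $null               # unreadable or malformed file: treat as "no group"
    }

    # local-name() keeps the lookup working even if the root declares a namespace
    $node = $xml.SelectSingleNode("//*[local-name()='DefaultGroup']")
    if ($node -eq $null) { return $null }

    $name = $node.InnerText.Trim()
    if ($name -eq '') { return $null }
    return $name
}

# Path from the post (Windows 7); %LOCALAPPDATA% is \Users\<user>\AppData\Local
$prefs = Join-Path $env:LOCALAPPDATA 'Cisco\Cisco Anyconnect Secure Mobility Client\preferences.xml'
$group = Get-AnyConnectGroup -Path $prefs

# Fixed allow-list of group names; anything else falls through to the default branch.
if ($group -eq 'foo') {
    Write-Output 'group foo: run the foo-specific steps here'
}
elseif ($group -eq 'foo2') {
    Write-Output 'group foo2: run the foo2-specific steps here'
}
else {
    Write-Output 'no known group found: skip group-specific steps'
}
```

The preferences file sits in the user's own profile and can be edited by that user, so the branch taken is a convenience only and should not gate anything that matters for access control.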