Restrict AnyConnect access to AD registered machines.

dkroske
Level 1

We have AD authentication working well for user authentication of AnyConnect sessions.  We now need to restrict AnyConnect access to ONLY machines registered in AD.  I'm not having any success with this.  What's the best way to do this?

2 Replies

ankit13389
Level 1

Hi,

You can try split tunneling. Define a standard ACL which would have only those host / subnets and allow in the group policy which is getting pushed to the users.

Also, you can use DAP policy to push access to certain host.

Marvin Rhoads
Hall of Fame

The most common method is to use a Dynamic Access Policy (DAP). That requires you have AnyConnect Premium and Advanced Endpoint Assessment licenses. If you do, we can refer to the Configuration Guide section on DAP. Typically we search for a registry key that identifies the domain membership.

The other alternative is to issue machine certificates and use the certificate as the first step of a two-factor authentication method. That does not require either of the two licenses I mentioned - only AnyConnect Essentials (although if you have them, that's OK).
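A sketch of the certificate-first option Marvin describes, added here as an example and not taken from the thread: the ASA only trusts the domain's issuing CA, requires a certificate from it before prompting for AD credentials, and checks revocation so a retired machine's certificate stops working. Trustpoint, tunnel-group, pool, server-group and CA names are assumed placeholders.

```text
! Added example, not from the thread. Trust only the domain issuing CA and
! check its CRL so a decommissioned machine's certificate is rejected.
crypto ca trustpoint CORP-ISSUING-CA
 enrollment terminal
 revocation-check crl
 crl configure

! Accept only certificates issued by the domain CA (assumed CN)
crypto ca certificate map CORP-MACHINE-CERT 10
 issuer-name attr cn eq corp-issuing-ca

! Certificate first, then AD username/password on the same connection
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-ANYCONNECT
tunnel-group ANYCONNECT-TG webvpn-attributes
 authentication aaa certificate
 group-alias corp enable

! Steer connections presenting a matching certificate into that tunnel group
webvpn
 certificate-group-map CORP-MACHINE-CERT 10 ANYCONNECT-TG
```

The machine certificate reaches only domain-joined computers through AD Certificate Services autoenrollment of a computer template, so a machine that was never joined has nothing to present. The AnyConnect client profile must allow the machine certificate store to be used for the connection.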
