03-28-2017 12:18 PM
Hi there,
We have an ASA-5515 running 8.6.1, and have AnyConnect full client users connecting (version 3.1.01065).
We also perform certificate authentication using machine certificates, prior to AD authentication.
There is a new PKI being deployed, and we need to update the certificate selection in the AnyConnectProfile.xml file.
We can manually update the file with an admin user on a given machine, which works, but we're trying to understand how this profile can be pushed down from the ASA - or more specifically, the conditions that must be met for the profile to be pushed down.
I've tried a whole bunch of stuff, even modifying the date attributes for the file on the client, but I can't seem to get the profile to download.
I know that XML file was originally placed on the clients from a custom MSI package, but surely this should get pushed from the ASA somehow? I thought these files had to match for a connection to succeed?
The existing profile is referenced in the webvpn section, as per the config below:
webvpn
 enable Outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 2
 anyconnect profiles anyconnectprofilecustom disk0:/anyconnectprofilecustom.xml
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value x.x.x.x
 dns-server value x.x.x.x x.x.x.x
 vpn-tunnel-protocol ssl-client
 default-domain value customer.com
 msie-proxy server value customer.com:8080
 msie-proxy method use-server
 msie-proxy except-list value *.customer.com
 msie-proxy local-bypass enable
03-28-2017 12:33 PM
There should be a reference to the AnyConnect profile in the group-policy as well. Users will download the AnyConnect profile once they are assigned that group policy. For example:
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect profiles value anyconnectprofilecustom type user
03-28-2017 12:37 PM
Thanks Rahul, with this in place, what conditions would need to be met for the client to pull down the new profile?
Does it only pull the file down once connected to the VPN?
03-28-2017 12:51 PM
Once a successful connection is made with group-policy assignment, the client checks whether the profile on the ASA matches the profile on the endpoint. If there is a difference, it will download the new profile. Ideally, you would want to keep the same name and most of the parameters the same, so that the client replaces the old profile with the new one rather than keeping two copies of it. Once the profile is updated, the next session will start to use the new client cert matching criterion.
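The answer above describes the check in one sentence: the client compares the profile it holds with the one the ASA serves and replaces its copy when they differ. The script below is an added example, not code from this thread or from Cisco, that models that comparison for the part the question is about, the certificate selection rules. It assumes the AnyConnect client profile XML layout (a root AnyConnectProfile element in the http://schemas.xmlsoap.org/encoding/ namespace, with ClientInitialization/CertificateMatch/DistinguishedName/DistinguishedNameDefinition holding the match rules); both profile documents are constructed samples, and the exact way the real client detects a changed profile is not specified in the thread, so the digest-based check here is an illustration of the "differs, so replace" behaviour rather than the client's own mechanism. An administrator can point it at the XML exported from disk0: on the ASA and the copy under the AnyConnect profile directory on an endpoint to see whether a new profile would be expected to land and which certificate rules changed.

```python
"""Compare the certificate-match rules of two AnyConnect client profiles.

Added example (not from the thread or from Cisco). The element layout
follows the AnyConnect client profile schema as assumed in the lead-in;
the two profile documents are constructed samples.
"""
import hashlib
import xml.etree.ElementTree as ET

# Default namespace used by AnyConnect client profiles (assumed, see lead-in).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: profile currently on the endpoint, selecting a machine
# certificate issued by the old PKI.
OLD_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection>true</AutomaticCertSelection>
    <CertificateStore>Machine</CertificateStore>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Old Customer Issuing CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>VPN</HostName>
      <HostAddress>vpn.customer.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

# Constructed sample: the profile on the ASA after the PKI change. Same file
# name and all other parameters unchanged, only the issuer rule differs.
NEW_PROFILE = OLD_PROFILE.replace("Old Customer Issuing CA", "New Customer Issuing CA")


def certificate_match_rules(profile_xml: str) -> list[tuple[str, str, str, str]]:
    """Return (name, operator, wildcard, pattern) for each DN rule in <CertificateMatch>."""
    root = ET.fromstring(profile_xml)
    path = ".//ac:CertificateMatch/ac:DistinguishedName/ac:DistinguishedNameDefinition"
    rules = []
    for dn in root.findall(path, NS):
        name = dn.findtext("ac:Name", default="", namespaces=NS)
        pattern = dn.findtext("ac:Pattern", default="", namespaces=NS)
        rules.append((name, dn.get("Operator", "Equal"), dn.get("Wildcard", "Disabled"), pattern))
    return rules


def _normalized(profile_xml: str) -> bytes:
    """Serialize the profile with indentation whitespace removed, so that
    a re-indented but otherwise identical file is not reported as changed."""
    root = ET.fromstring(profile_xml)
    for el in root.iter():
        if el.text is not None and not el.text.strip():
            el.text = None
        if el.tail is not None and not el.tail.strip():
            el.tail = None
    return ET.tostring(root)


def profile_digest(profile_xml: str) -> str:
    """SHA-256 over the normalized profile; equal digests mean equal content."""
    return hashlib.sha256(_normalized(profile_xml)).hexdigest()


def needs_update(endpoint_xml: str, asa_xml: str) -> bool:
    """True when the endpoint copy differs from the ASA copy, i.e. when the
    client would be expected to replace its profile on the next connection."""
    return profile_digest(endpoint_xml) != profile_digest(asa_xml)


def describe_change(endpoint_xml: str, asa_xml: str) -> list[str]:
    """Human-readable list of certificate-match rules removed and added."""
    old = set(certificate_match_rules(endpoint_xml))
    new = set(certificate_match_rules(asa_xml))
    return ([f"- removed: {r}" for r in sorted(old - new)]
            + [f"+ added: {r}" for r in sorted(new - old)])


if __name__ == "__main__":
    print("update expected:", needs_update(OLD_PROFILE, NEW_PROFILE))
    for line in describe_change(OLD_PROFILE, NEW_PROFILE):
        print(line)
```

To use it against real files, read the exported ASA profile and the endpoint copy into strings and pass them to needs_update and describe_change in that order; a False from needs_update with an unchanged issuer rule is the quickest way to tell that the file on the ASA is not actually the updated one.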