Assigning AnyConnect Client Profiles based on the machine?

I have an ASA running 8.2.x code with AnyConnect 2.4.x. I have both Radius and LDAP (AD) AAA available.
If a user connects from a company owned laptop, I want to push down AnyConnect client ProfileA (with scripts to map drives etc...) and network ACL's set A.
If a user connects from any other computer, I want to push down AnyConnect client ProfileB (no scripts etc...) and network ACL's set B.
What I would like to do is CSD to do a machine certificate check (for presence of a cert from my private CA) and to assign a EndPoint Policy attribute (Managed on successful check or Unmanaged on failure). I can then use DAP to tailor the ACL's that get set.
It seems like the only way to handle AnyConnect client profiles is with Group-Policy. Using LDAP I can assign a user to a Group-Policy, but I have no way of determining if they are coming in from a company laptop or not when assigning the Group-Policy. DAP can not assign an AnyConnect client profile.
If at all possible, I do not want users to have to pick a connection profile or use different URLs.
Is there any way to accomplish this?

Hi
Did you ever resolve this issue?  I am trying to assign a specific IP address based on the hostname or machine cert but the certificate matching doesn't seem to look at the machine cert.
Has anyone got any idea how I could do this?
thanks
Steve

Similar Messages

  • Anyconnect Client profile files deleted after client upgrade

    L.S.
    I am running anyconnect version 3.1.02040 on a Windows 7 64-bit machine with UAC turned on.
    The ASA I am connecting to is a 5510 running ASA OS 8.4.5
    The problem I have is the following:
    We are using machine certificate authentication combined with RADIUS user authentication.
    The machine certificates are stored in the Machine/Personal container in the local machine.
    By default, the anyconnect client does not have the rights to access this certificate store when run by the user in non-elevated mode.
    We do not want to have the user run the client as administrator (in elevated mode) all the time.
    Therefore we have made an AnyConnect Client profile that sets the Certificate Store Override parameter to true and attached it to the group policy.
    With this XML in place (in the C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile folder)
    the users can connect to the ASA and authenticate using the certificate without the need for elevated rights. This is all working perfectly.
    The anyconnect client and XML file are distributed to the clients using a software distribution system (Microsoft SCCM).
    The problem happens when I update the Anyconnect package on the ASA. I recently updated the package to release 3.1.03103. This is what happens:
    The user can connect using the 3.1.02040 client (certificate authentication works without elevation, since the XML AnyConnect Client Profile is present)
    The Anyconnect software updates itself to the new version during the connection, pushed from the ASA.
    The VPN is established.
    However, the XML file that is associated with the group policy is deleted during the upgrade process and not placed back in the Profile folder on the client after the upgrade.
    This means the user cannot connect without using elevated rights the next time he wants to connect.
    If he uses elevated rights after the upgrade, the XML is pushed back from the ASA normally, allowing the user to connect without elevation again any subsequent times.
    Is there any way to push the XML profile to the client from the ASA after the upgrade of the Anyconnect software?

    Hi poiu720408 ,
    1.  You need to set up a web-url or group-alias under the group policy, as we have enabled "tunnel-group-list enable" under the webvpn configuration.  So once the user connects to the proper URL/alias the profile will be applied. 
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
    2. Yes, the AnyConnect stores "Cache" information on the PC. If you want to clean up you have to go to the anyconnect folder on C: on the PC and delete the global_preferences.xml profile.
    3. This behavior is totally expected and they should disappear after some minutes, however if you want to force this, you can use the command "vpn-sessionsdb logoff webvpn noconfirm"
    Please rate helpful post !
    Hope this helps
    - Randy -

  • ASDM Anyconnect client profile - unable to edit preferences

    Hi,
    I have a functioning vpn set up, my problem is that I'm trying to set up anyconnect start before login. I navigate to the anyconnect client profile section in the remote access vpn and create a profile xml file by clicking the add button. I can add a profile but as soon as I save the file I can no longer edit it. The edit button is greyed out and if I double click the file the asdm returns the error: "Input is not a well-formed, schema-compliant XML file."
    I'm running the following versions of software:
    asdm: 7.1(5)100
    anyconnect: 3.1.05152
    asa: 8.2(3) <----asa hardware doesn't support running a newer version.
    I have not been able to find any info on this particular problem but maybe someone here can help?

    Hello Ryan,
    Do you run into the same problem if you upload AnyConnect 2.5 and perform the same task?
    Also, have you tried this operation from a different machine with an old JAVA version like 1.6?
    HTH.

  • AnyConnect Client Profile in ASDM

    I am trying to configure a client profile under the AnyConnect Client Profile tab in the ASDM but keep getting an error message stating "Check that you have a proper AnyConnect package installed in the AnyConnect Client Software menu.  Also check that your ASDM username have enough privelege."
    My user has sufficient privilege but I am not sure which AnyConnect software I should have to enable this.  Right now I have
    anyconnect-win-3.0.10055-k9.pkg installed.
    This is a lab setup using GNS3.
    Any ideas?

    Hi Marius,
    I would assume you are running ASA 8.0x, right?
    Please check this out:
    "If you wish to use the ASDM-integrated Profile Editor to configure any of AnyConnect's components, you must use ASDM version 6.4(1) or later."
    Security Appliance Software Requirements
    So at this point, I would suggest to try to upgrade your ASDM to 6.4 or try with AnyConnect 2.5.
    Let me know.
    Thanks.
    Portu
    Please rate any posts you find helpful.

  • Assigned a QoS profile based on client identity

    A client can be assigned a QoS profile based on its identity, through AAA, but how?

    You need a RADIUS server.
    Make sure the AAA override is enabled on the WLAN then try to use the following RADIUS attribute on the RADIUS server:
    RADIUS-Cisco Airespace -> Airespace-QOS-Level
    return the value of the QOS level in this attribute to the users based on their identity.
    HTH
    Amjad
    p.s: never tried the above. so tell us if it worked correctly with you.
    Rating useful replies is more useful than saying "Thank you"

  • "Anyconnect client profile" option missing in ASDM

    Hello,
    I'm in the process of setting up Anyconnect on the ASA, and have successfully updated the licensing, as well as uploaded the anyconnect pkg for web deployment. I enabled anyconnect on the outside interface and can now have the ASA push the client to the machine. Works fine. However, I want to add backup servers that the client will attempt to reach in the event the primary is down. I understand that "client profiles" can be created to customize settings like this. Problem is, when I follow the configuration guide with instructions for making client profiles at this location:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac02asaconfig.html#wp1289905
    It shows that I should have an option for Anyconnect Client Profile and Anyconnect Client Settings.
    I don't have either of those options in ASDM. Here's what mine shows:
    I have another "SSL Client profiles" option, but it doesn't seem the same as the options above.
    Can someone assist with what I need to do to get the Client Profiles option to be available so I can add backup server information to the client? Thanks!

    Thanks for the response Marvin,
    It shows the ASA and ASDM versions are 8.2 and 6.2 respectively.
    Result of the command: "sh version"
    Cisco Adaptive Security Appliance Software Version 8.2(1)
    Device Manager Version 6.2(1)
    Result of the command: "sh act | i Ess"
    AnyConnect Essentials        : Enabled 
    I don't have the premium license, just the Anyconnect Essentials and Mobile licenses. I would imagine essentials should have the same profile configuration options, though. If it is in fact because I'm running an older version of ASDM, do I need to update both the ASA IOS and ASDM together, or can I just upgrade ASDM on its own? Thanks again.

  • ASDM AnyConnect Client Profile Editor will not close...

    When I fire up ASDM and go into the AnyConnect Client Profile Editor it will not let me close the Editor.
    If I go in and just hit cancel, or OK, or the X, nothing happens.   The only way to exit is to close down Java.
    I've run ASDM on a few machines all with the same results.
    ASDM Version 6.3(4)
    Thanks

    I upgraded to ASDM 7.1(2)
    This resolved my issue.

  • AnyConnect Client Profile Backup Server Configuration

    I'm trying to understand the use of Backup Server option in AnyConnect Client Profile
    Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile > Edit > Backup Server
    (Screenshot attached)
    My questions:
    1. In what all scenarios do we add servers (ASA devices) in this tab
    2. If I have the same information in two different locations (Site A and Site B) for AnyConnect users, can I add Site A-ASA and Site B-ASA into the Backup Server tab as a failover mechanism for the end user.
    3. Or is it only used to mention ASA devices configured in failover unit
    4. In case of failover unit, does it support stateful failover
    I could not find answers to above questions from Google search. So, asking here

    I think we need to be careful when we talk about failover. The original post was clearly asking about two different scenarios
    1) ASAs at two different sites
    2) ASAs configured as a High Availability failover pair (Active/Standby).
    The profile does work to provide failover in 1) but does not work to provide failover in 2).
    I do not know the authoritative answer to the question about IP phones' use of the profile. I believe that the answer ought to be that yes, the phone would receive the profile after its first connection and would use the backup server identified in the profile if the primary server was not available. That is a basic functionality of the AnyConnect client and if the phone is using the AnyConnect client then it ought to support that failover. 
    If someone does have an authoritative answer then please speak up. Several of us would like to know the right answer here.
    HTH
    Rick

  • AnyConnect - Client profile

    Hi all
    I have a very quick question, been trying to find a solution but failed till now. The issue is, is there a default time for the AnyConnect client profile to be downloaded/updated when you create a new client profile?
    Example: if I have already a client profile (XML), then if I create a new Client profile. When the user connects, it should be using the new client profile correct. But this was not the case. The user was using the old client profile. However the new profile was updated on the client side after 8hrs.
    Ok, as a workaround you could delete the xml file from the client PC, however my question is, is there an option to enable this to be downloaded after creating the profile? I have checked everywhere with the client profile and was not able to find any setting. If someone knows could you kindly share this please?
    Thanks in advance
    Lancellot

    Hi Lancellot
    as soon as you modify the profile on the ASA (or create a new one), all clients will download this profile as soon as they connect.
    Two things to note though:
    1. the new profile is only downloaded if the user logs in successfully. So once the tunnel is established, you should see the new profile in the local profiles directory.
    2. Many settings in the profile are applicable *before* the new profile is downloaded, i.e. some are applied only before a connection is initiated (e.g. start before logon), others only during the connection attempt (e.g. automatic certificate selection).
    Similarly, if you add new ServerList entries to the profile then they will only be visible in the client GUI after the client downloads the new profile and disconnects.
    Does this clarify the behavior you saw?
    Herbert

  • Locking down anyconnect client profile

    I was wondering if there is a way to lock down the anyconnect profile on a client's machine.  Basically we are using certificates to authenticate so the client can make a VPN connection.  We have enabled the certificate match function to check for IPSec User Extended Match Key.  I can modify the XML on the client PC to bypass the check and authenticate.  We would like to keep users from doing that.  Is there something I can setup on the ASA versus the client to check the certificate or prevent the XML from being modified?
    Thanks in advance.

    I went in and modified the xml and removed the following.  I was then able to make a connection without checking for the IPSecUser extended key usage.  I have 2 certs on my client.  One cert has the IPSecUser extended key usage and the other does not.
        IPSecUser
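    The original question (classify a connecting machine as managed or unmanaged by whether it presents a certificate from the private CA) and the post above (a client-side CertificateMatch in the profile XML can be edited away by the user) turn on the same point: the check that matters has to run on the head-end, where the user cannot edit it. The following Go program is an added example, not code from this thread or from Cisco, and it only models that server-side decision; on the ASA the equivalent work is done by the appliance's own certificate validation and DAP, not by this code. The CA, the hostnames, the Managed/Unmanaged labels and the three sample certificates are all constructed in memory for the example. It goes one step beyond the posts by covering two failure modes a practitioner runs into: a certificate that chains correctly but carries no EKU at all, and a self-signed certificate that merely claims the IPsec User EKU.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Endpoint policy labels the original poster wanted CSD/DAP to assign (assumed names).
const Managed, Unmanaged = "Managed", "Unmanaged"

// classifyEndpoint returns Managed only when certPEM chains to a private-CA root
// AND explicitly carries the IPsec User EKU. Both checks run on the head-end,
// so editing the client's local profile XML cannot change the outcome.
func classifyEndpoint(certPEM []byte, roots *x509.CertPool) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return Unmanaged, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Unmanaged, err
	}
	// Only the corporate CA is trusted; system roots are deliberately not consulted.
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECUser},
	}
	if _, err := cert.Verify(opts); err != nil {
		return Unmanaged, err
	}
	// Verify accepts a certificate with no EKU extension as unrestricted, so the
	// IPsec User EKU has to be required explicitly (the no-EKU case below).
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageIPSECUser {
			return Managed, nil
		}
	}
	return Unmanaged, fmt.Errorf("certificate lacks the IPsec User EKU")
}

// buildTestPKI creates a throwaway CA and three leaf certificates, all constructed
// in memory for this example: a company laptop cert with the IPsec User EKU, a
// CA-issued cert without that EKU, and a self-signed cert that claims the EKU.
// It panics on error because it is test scaffolding, not a real CA.
func buildTestPKI() (roots *x509.CertPool, managed, noEKU, rogue []byte) {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	newTemplate := func(serial int64, cn string, eku []x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(24 * time.Hour),
			ExtKeyUsage:  eku,
		}
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := newTemplate(1, "Example Corp Private CA", nil)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage = x509.KeyUsageCertSign
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	// issue signs tmpl with the CA, or with the leaf's own key when selfSigned.
	issue := func(tmpl *x509.Certificate, selfSigned bool) []byte {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		must(err)
		parent, signer := caCert, caKey
		if selfSigned {
			parent, signer = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
		must(err)
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	ipsecUser := []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECUser}
	managed = issue(newTemplate(2, "LAPTOP-0001.corp.example", ipsecUser), false)
	noEKU = issue(newTemplate(3, "LAPTOP-0002.corp.example", nil), false)
	rogue = issue(newTemplate(4, "home-pc.example", ipsecUser), true)
	return roots, managed, noEKU, rogue
}

func main() {
	roots, managed, noEKU, rogue := buildTestPKI()
	for name, c := range map[string][]byte{"managed": managed, "no-eku": noEKU, "rogue": rogue} {
		policy, err := classifyEndpoint(c, roots)
		fmt.Printf("%-8s -> %-9s err=%v\n", name, policy, err)
	}
}
```

    Only the laptop certificate ends up Managed; the CA-issued certificate without an EKU and the self-signed one both fall through to Unmanaged with an error that says why. The explicit EKU loop is the part worth copying: a chain check alone would have waved the no-EKU certificate through.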

  • Identifying the Profiles based on the input of Info provider

    Hi BW Experts,
    Right now I know the Info Provider name. I just want to identify the profile name based on the input of Info Provider.
    Can you suggest me any TCODES for identifying the profiles.
    Thanks,
    Jelina.

    Hi,
    I'm explaining below the steps I usually take.
    You'll need to:
    1) Access RSSTOBJDIR table.
    2) Fill INFOCUBE parameter with the infocube's technical name and the AKTPS one with 'X'.
    3) Get the authorization(s) object(s) - OBJECT column.
    4) Go to the AGR_1251 table.
    5) Fill OBJECT parameter with the value(s) of step 3.
    A list will be returned with the required profiles to access the infocubes entered on step 2.
    Regards,
    Tiago.

  • AnyConnect Client profile: group-url in server-list with OGS doesn't work properly

    Cisco Adaptive Security Appliance Software Version 8.4(4)1
    Device Manager Version 7.0(2)
    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
    #show webvpn anyconnect
    1.disk0:/anyconnect-win-3.1.00495-k9.pkg 1 dyn-regex=/Windows NT/
       CISCO STC win2k+
       3,1,00495
       Hostscan Version 3.1.00495
    Profile in attached file. After this profile is uploaded to the client, Optimal Gateway Selection doesn't work properly:
    When 'vpn1.mydomain.com/mygroup' (the best TTL server) is unreachable, then OGS tries to connect to other servers, but without group-url, for example 'vpn2.mydomain.com' (instead of 'vpn2.mydomain.com/mygroup')

    Anton,
    It MIGHT be cosmetic:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtz92140
    If not please open up a TAC case and provide DART for such a connection.
    M.

  • LR2 + Vista 64: Crash when opening the profile list in the Print module

    I apologize if this has been reported/discussed before. I use LR2 on a Vista 64 machine. When I want to select a printer profile in the print module, LR crashes. The "preference list" of profiles is empty and I expect LR2 should open the list of all the profiles installed on the machine. I did not have this issue on the same machine with the beta version of LR2. Is this a known issue? Is there a work-around?
    Thanks,
    Franck

    I have solved the issue by uninstalling and then re-installing all the ICC profiles at the OS level. I am not quite sure why but it did the job. Interestingly, the beta version of LR2 that was still installed never stopped working.

  • Anyconnect client installer

    Anyone have an issue with the anyconnect client installer that after the install it does make a successful connection but the anyconnect installer window says it failed? Is this a bug?

    Well if it works, it must have installed adequately, error messages notwithstanding.
    There are a couple of installer bugs documented. I've not run into any of them personally.
    What version and client OS are you installing?

  • What needs to be running on the machine to be controlled?

    I've just bought a copy of ARD 3.3 and I'm confused: do I need to have it running on my desktop at work, if I want to control it via ARD from my laptop at home? Do I install it on the client or also on the machine to be controlled remotely? Is there a server portion? Where do I indicate that I'm allowing my desktop to be controlled by ARD?
    thanks,
    Mike

    The client software is pre-installed on all Mac OS X systems. You turn it on in System Preferences -> Sharing -> Remote Management.
    You'll need to install the Admin application on whichever machine you wish to control from (sounds like your laptop).
