Posted on 03-08-2017 09:17 AM
Hi all,
We are trying to deploy the Cisco AnyConnect default settings through the XML but we are having troubles with the default group.
We are managing to deploy the settings for the server but we are not having any luck with the default group. Even using composer snapshot we can't see any changes in this file when changing the setting manually.
We are using the latest version of Cisco AnyConnect.
Thank you very much.
Posted on 03-08-2017 11:54 PM
Look at ~/.anyconnect, there you can set per user settings. We provide the bold values with a script and that works in our environment.
You can also deploy a plain .anyconnect file containing only the <DefaultGroup> and let AnyConnect fill in the rest.
$ cat ~/.anyconnect
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>username</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint>your-client-cert-hash</ClientCertificateThumbprint>
<ServerCertificateThumbprint>your-server-cert-hash</ServerCertificateThumbprint>
<DefaultHostName>your-vpn-server</DefaultHostName>
<DefaultGroup>your-default-group</DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>
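The reply above suggests scripting the per-user ~/.anyconnect values. The following is an added example, not the poster's script, showing one way to merge a DefaultGroup (or DefaultHostName) into an existing preferences file without clobbering the other elements such as the certificate thumbprints. It uses only the element names shown in the file above; the helper names, the sample file and the placeholder values are this example's own assumptions.

```python
# Added example: merge settings into a per-user ~/.anyconnect file,
# creating a minimal AnyConnectPreferences document when none exists.
# Element names follow the file shown in the thread; helper names and
# the sample content below are constructed for this example.
import os
import xml.etree.ElementTree as ET

ROOT_TAG = "AnyConnectPreferences"

# Constructed sample: a pre-existing ~/.anyconnect that has no DefaultGroup yet.
SAMPLE_EXISTING = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>jdoe</DefaultUser>
<DefaultHostName>old-vpn.example.invalid</DefaultHostName>
<SDITokenType>none</SDITokenType>
</AnyConnectPreferences>
"""


def merge_preferences(xml_text, settings):
    """Return xml_text with each key of `settings` set as a child element.
    Existing elements are updated in place, missing ones appended, and
    everything else (thumbprints, proxy, ...) is left untouched. An empty
    input yields a minimal document containing only the given keys."""
    if xml_text.strip():
        root = ET.fromstring(xml_text)
        if root.tag != ROOT_TAG:
            raise ValueError("not an AnyConnectPreferences document: %s" % root.tag)
    else:
        root = ET.Element(ROOT_TAG)
        root.text = "\n"
    for tag, value in settings.items():
        node = root.find(tag)
        if node is None:
            node = ET.SubElement(root, tag)
            node.tail = "\n"
        node.text = value  # ElementTree escapes <, > and & on output
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def read_setting(xml_text, tag):
    """Read one preference back, e.g. to verify a deployment took effect."""
    node = ET.fromstring(xml_text).find(tag)
    return None if node is None else (node.text or "")


def apply_to_user_home(home, settings):
    """Rewrite <home>/.anyconnect in place. The file is user-owned and
    user-editable, so it is a convenience default, not an access control;
    run this in the user's own context (e.g. a login-triggered script)."""
    path = os.path.join(home, ".anyconnect")
    existing = open(path).read() if os.path.exists(path) else ""
    with open(path, "w") as fh:
        fh.write(merge_preferences(existing, settings))
    return path


if __name__ == "__main__":
    print(merge_preferences(SAMPLE_EXISTING, {"DefaultGroup": "Employees"}))
```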
Posted on 03-08-2017 09:23 AM
Can you tell me exactly what file you are trying to deploy and where you are trying to put it?
Posted on 03-08-2017 09:58 AM
Of course @iJake!!
The path is /opt/cisco/anyconnect/profile.
We modify the default server but when we add the default group it's not taking it.
The thing is that I can't see any changes on the file even when changing it manually.
Thank you so much!
Posted on 03-08-2017 10:05 AM
We simply place these files directly from the team that manages our VPN into that path.
ACTransforms.xml
acvpn.xml
AnyConnectProfile.xsd
ipsecvpn.xml
Is that what you are doing? You say you are changing files so not sure exactly what you mean.
Posted on 03-08-2017 10:38 AM
The first time we connected the VPN a profile xml file is created on this path.
We took it, and edited the server, and added the default group. The server is changed but we can't manage to change the default group.
Are you using the xml files that your team provided you from the firewall configuration as I understand?
Thank you so much for your time and help :)
Posted on 03-08-2017 10:46 AM
I don't think you can assign a default group in the profile xml file. If you could, knowledgeable users could simply edit the default group info in the xml file and modify their access rights.
Posted on 03-08-2017 11:02 AM
Well, even if they could, the access control is managed by our AD groups, so no problems on that side.
There's a setting for sure on previous versions to set up the default group from the drop down menu and if you set it up manually the systems remembers the selection.
I'll keep checking it to see if I can find a way, if any idea pops out of your head it will be really appreciated.
Thank you so much for your time :D
Posted on 03-08-2017 11:56 AM
Well, what you're doing is past my knowledge of AnyConnect. I'd suggest opening a case with our Cisco TAC as if this is an option to configure they should be able to help you figure out how.
Posted on 03-09-2017 08:28 AM
Hi @mroiger,
I solved the issue with a mix of your solution and the xml profile file to fulfill our needs.
The Default Group setting in the .anyconnect file worked like a charm, we are using the xml file for the server as by some reason it's not taking the name and our boss doesn't want to show the full address of the server.
With this settings we managed to control the default group and provide the default address and backup servers like a charm.
Thank you so much for your help!!!
Posted on 11-01-2017 08:00 AM
Hi rtolosa,
I am new to Cisco AnyConnect. We are also going into Cisco AnyConnect method for our environment. We want to integrate our MFA in this scope to increase the layer of security. Do you have a flowchart on your set up and instructions on how your end users connect to your VPN?
Thank you,