Solved

Cisco AnyConnect - Default Settings Deployment



Hi all,

We are trying to deploy the Cisco AnyConnect default settings through the XML but we are having trouble with the default group. We are managing to deploy the settings for the server but we are not having any luck with the default group. Even using a Composer snapshot we can't see any changes in this file when changing the setting manually.
We are using the latest version of Cisco AnyConnect.
Thank you very much.

Best answer by mroiger


10 replies

iJake
  • Contributor
  • 279 replies
  • March 8, 2017

Can you tell me exactly what file you are trying to deploy and where you are trying to put it?


  • Author
  • New Contributor
  • 6 replies
  • March 8, 2017

Of course @iJake!!
The path is /opt/cisco/anyconnect/profile.
We modify the default server but when we add the default group it's not taking it.
The thing is that I can't see any changes on the file even when changing it manually. Thank you so much!


iJake
  • Contributor
  • 279 replies
  • March 8, 2017

We simply place these files directly from the team that manages our VPN into that path.

ACTransforms.xml
acvpn.xml
AnyConnectProfile.xsd
ipsecvpn.xml

Is that what you are doing? You say you are changing files so not sure exactly what you mean.


  • Author
  • New Contributor
  • 6 replies
  • March 8, 2017

The first time we connected the VPN a profile xml file is created on this path.
We took it, edited the server, and added the default group. The server is changed but we can't manage to change the default group.
Are you using the xml files that your team provided you from the firewall configuration as I understand?
Thank you so much for your time and help :)


  • New Contributor
  • 8 replies
  • March 8, 2017

I don't think you can assign a default group in the profile xml file. If you could, knowledgeable users could simply edit the default group info in the xml file and modify their access rights.


  • Author
  • New Contributor
  • 6 replies
  • March 8, 2017

Well, even if they could, the access control is managed by our AD groups, so no problems on that side.
There's a setting for sure on previous versions to set up the default group from the drop-down menu, and if you set it up manually the system remembers the selection.
I'll keep checking it to see if I can find a way; if any idea pops into your head it will be really appreciated.
Thank you so much for your time :D


iJake
  • Contributor
  • 279 replies
  • March 8, 2017

Well, what you're doing is past my knowledge of AnyConnect. I'd suggest opening a case with our Cisco TAC as if this is an option to configure they should be able to help you figure out how.

Cisco TAC


  • New Contributor
  • 10 replies
  • Answer
  • March 9, 2017

Look at ~/.anyconnect, there you can set per user settings. We provide the bold values with a script and that works in our environment.
You can also deploy a plain .anyconnect file containing only the <DefaultGroup> and let AnyConnect fill in the rest.

$ cat ~/.anyconnect
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser>username</DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint>your-client-cert-hash</ClientCertificateThumbprint>
<ServerCertificateThumbprint>your-server-cert-hash</ServerCertificateThumbprint>
<DefaultHostName>your-vpn-server</DefaultHostName>
<DefaultGroup>your-default-group</DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>
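
One way to script the per-user change described in the answer above, as an added example that is not code from the thread or from Cisco. The function name `set_default_group` and the allowed character set for group names are assumptions. As the thread notes, this value is a user-editable preference, so access still has to be enforced server-side.

```sh
#!/bin/sh
# Added example (not from the thread): set <DefaultGroup> in a per-user
# AnyConnect preferences file while leaving the other elements untouched.
# Usage: set_default_group <prefs-file> <group> [owner]
set_default_group() {
    prefs=$1 group=$2 owner=${3:-}

    # Allow only a conservative character set (an assumption; adjust to
    # your group naming) so the value cannot inject extra XML elements.
    case $group in
        ''|*[!A-Za-z0-9._-]*) echo "invalid group name" >&2; return 2 ;;
    esac

    el="<DefaultGroup>$group</DefaultGroup>"
    # Temp file in the same directory so the final mv is an atomic rename.
    tmp=$(mktemp "$(dirname "$prefs")/.anyconnect.XXXXXX") || return 1

    if [ ! -f "$prefs" ]; then
        # No file yet: write the minimal form and let AnyConnect fill in the rest.
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
            '<AnyConnectPreferences>' "$el" '</AnyConnectPreferences>' > "$tmp"
    elif grep -q '<DefaultGroup' "$prefs"; then
        # Element present (possibly empty or self-closing): replace it in place.
        sed -e "s|<DefaultGroup>[^<]*</DefaultGroup>|$el|" \
            -e "s|<DefaultGroup */>|$el|" "$prefs" > "$tmp"
    else
        # Element absent: insert it just before the closing root tag.
        awk -v el="$el" '/<\/AnyConnectPreferences>/ { print el } { print }' \
            "$prefs" > "$tmp"
    fi || { rm -f "$tmp"; return 1; }

    # Thumbprints and usernames live in this file; keep it private to the user.
    chmod 600 "$tmp"
    # When run as root by a management tool, hand the file back to the user.
    if [ -n "$owner" ]; then chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }; fi
    mv -f "$tmp" "$prefs"
}
```

Called from a management script running as root, pass the target user's home path and account name, for example `set_default_group "/Users/$user/.anyconnect" "your-default-group" "$user"`.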


  • Author
  • New Contributor
  • 6 replies
  • March 9, 2017

Hi @mroiger,
I solved the issue with a mix of your solution and the xml profile file to fulfill our needs.
The Default Group setting in the .anyconnect file worked like a charm. We are using the xml file for the server, as for some reason it's not taking the name and our boss doesn't want to show the full address of the server.
With these settings we managed to control the default group and provide the default address and backup servers like a charm.
Thank you so much for your help!!!


  • Contributor
  • 23 replies
  • November 1, 2017

Hi rtolosa,
I am new to Cisco AnyConnect. We are also moving to the Cisco AnyConnect method for our environment. We want to integrate our MFA in this scope to increase the layer of security. Do you have a flowchart of your setup and instructions on how your end users connect to your VPN?

Thank you,

