try to set a new connection profile

jtuckerchug

I am having trouble wrapping my head around this. Our environment has one Realm. One production Community. This Community is set to only require username and password to get connected to the Connect Tunnel client. All works great. For compliance purposes we are rolling out End Point Control using an AD certificate. I setup a new Community and when I login with an appropriate user, I get error "Access denied. The required system capabilities are not present, enabled, or current.". I did a little research and was able to fix the issue by adding the new Community to Access Control > Basic Settings side by side the "from" box with the Community that works. I am pretty sure this is incorrect way. Second problem is the user goes into the default zone. Does not seem to check for the certificate. Do I need a separate Access Control rule?

Sorry if this makes little sense. Just ask if you have questions.

Thank you.

Viveks

It is not clear how you configured SMA to do EPC using AD certificate. Try if this helps, End Point Control → Profiles →New →Platform (Windows/Mac/Linux) → Add → Client certificate. You can add this to a zone and add the zone under Device zones of your community. If you dont want users to connect from devices without this certificate, under the same community settings, set zone-fallback option as Default zone and edit Default zone to set Access restrictions as Block VPN access. If you dont want to edit Default zone settings to block access, you could create a quarantine zone with message directing the user to contact admin and set it as zone fallback option.

jtuckerchug

@viveks thanks a bunch on this. i believe my problem was missing the last "block" for Zone. i am testing now.