https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4957052#M1105733 <P>Some sort of authentication must be happening - it could be transparent to the end user depending on the system settings (for example, using certificate or some sort of SSO method).</P> <P>Check your headend firewall and/or AAA server to see what it says about that in the logs and configuration.</P> Fri, 10 Nov 2023 16:27:37 GMT Marvin Rhoads 2023-11-10T16:27:37Z https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4956940#M1105727 <P>&nbsp;</P><P>Hi All,</P><P>I am in the process of rolling out SBL and in the testing I realised that it works perfectly from the device logon screen. However, once I am logged in to the device, if I choose the SBL option from the Cisco AnyConnect dropdown list, I can connect to the VPN without any form of authentication...&nbsp;</P><P>Is there a way to configure this so that the SBL function is only available from the logon screen, or similarly the XML profile self-destructs after the first login to the device?</P><P>Thanks!</P> Fri, 10 Nov 2023 13:17:54 GMT https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4956940#M1105727 joemrris1 2023-11-10T13:17:54Z https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4957052#M1105733 <P>Some sort of authentication must be happening - it could be transparent to the end user depending on the system settings (for example, using certificate or some sort of SSO method).</P> <P>Check your headend firewall and/or AAA server to see what it says about that in the logs and configuration.</P> Fri, 10 Nov 2023 16:27:37 GMT https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4957052#M1105733 Marvin Rhoads 2023-11-10T16:27:37Z https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4957053#M1105734 <P>Thanks for the reply Marvin, you are right there is authentication happening, probably my poor wording!&nbsp;</P><P>My test device as an example... that has the SBL cert installed as well as the SBL XML profile. So i guess the cert is the authentication, however is there a way to configure it so that the authentication is required manually from the user? We have MFA for Cisco configured which works perfectly, but if a user chooses the SBL option from the dropdown then they can connect to the VPN without any form of MFA / password / manual authentication. This is exactly how we want it from the logon screen, but not once the device is logged in to.</P><P>Hopefully that explains it a bit better <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 10 Nov 2023 16:32:45 GMT https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4957053#M1105734 joemrris1 2023-11-10T16:32:45Z https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4957077#M1105738 <P>Ah ok. It sounds like you have SBL published as a selectable URL connection profile (tunnel-group). You could hide that but embed it in the client profile xml file so that it is automatically selected by SBL but not visible as a choice when logging on interactively.</P> Fri, 10 Nov 2023 17:10:30 GMT https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4957077#M1105738 Marvin Rhoads 2023-11-10T17:10:30Z https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4973685#M1106667 <P>Is there a way we can have SBL VPN automatically connect without login or any kind of user input (not even a laptop in laptop screen click ! ) ??&nbsp;</P> Thu, 07 Dec 2023 21:01:49 GMT https://community.cisco.com/t5/network-security/sbl-allowing-users-to-connect-without-authentication/m-p/4973685#M1106667 jbhanderi671 2023-12-07T21:01:49Z