Hi, I am evaluation the new Anyconnect 3.0 client against Microsoft DA. Everything looks good but I am wondering; Is it possible to have Anyconnect auto connect (based on TND) before user logon without the user activating the client manually?
We are doing this exact thing for our deployment and it works great, BUT we're doing it with AnyConnect 2.5.2014 rather than AnyConnect 3. (I'm not that brave yet! )
As the SBL doesn't pass AD authentication info to windows at login (single sign-on), we're going certificate authenticaion based on the machine certificate store. In essense, we're authenticating the asset during SBL. After authentication, the user is then presented with the regular Windows logon and that user is then directly authenticated against AD at login as the tunnel is already up. This also makes a pleasant experience for the user as they're still entering credentials only once.
When I was working with Cisco on this, the best way to get TND working for us was to configure our Trusted DNS Domain only. When trusting DNS servers, it has to be and EXACT match. This didn't work to well for us globaly as certain DHCP locations would serve different DNS servers and since the client looks for an EXACT match, only trusting the domain name is working perfect.
So... to answer your question, yes... it is possible.
EDIT - By the way... I do have some (Qty 3) AnyConnect 3.0 clients in a test using my same 2.5 .xml profile, and they're working fine.
Did you ever manage to get SBL working without user intervention? I have certificate based auth working for the VPN (windows 7)... but users still have to manually click the other user and then SBL and wait for the VPN to establish... this means that Microsoft Direct Access is much smarter as it just auto connects as soon as the computer is booted (before the users logs in)
I would like to know this as well. We are looking for a fully automated VPN with a single login and don't want to go through all the headaches of setting up Microsoft DA.
I know this thread is a little old, however I just thought I would share my experiences as they may help somebody else.
ASA running 9.1(1)
AnyConnect Secure Mobility Client 3.1
Authentication via digital certificates (to avoid the user entering credentials to establish the VPN).
All of the above is working and the user can manally connect to the VPN by selecting the "Networking Logon" icon on system startup. Our requirement is however for this to be automatic.
From working with TAC, this is NOT possible natively with the AnyConnect client using PLAP. My jaw dropped at that point is this HAS to be a common requirement and it works perfectly under Windows XP. Disappointing to say the least.
There is however a workaround which I have tested under Windows 7 and Windows 8.
The solution in a nutshell is
1. Create a BAT file in the c:\windows\system32\Group Policy\Machine\Scripts\Startup directory.
Contents of the BAT File:
cd C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client
Obviously path names will need to be changed to reflect your real installation directories.
2. Create either a Local Policy or GPO that runs this script on startup. You will also need to modify other policy elements:
System -> Scripts “Run logon scripts synchronously” to enabled
System -> Scripts Set “Run startup scripts asynchronously” to disabled
System -> Scripts Set Run startup scripts visible” to enabled.
System -> Logon -> Always wait for the network at computer startup and logon
Based around this, the script should run at startup and connect to the VPN. Note that you may need to disable the AnyConnect "Auto Connect at startup" option for this to work reliably otherwise you get a "connection request already in progress" message when the vpncli command runs. Also note that you don't even need SBL enabled for this to work.
Please note I'm not an MS expert, so can't assist with defining Local or GPO objects / options.
However the above does work and I now have an office full of Win 7 and Win 8 machines that connect to the VPN at system startup without any user intervention.
I will post this as a new entry in the forum as well as this issue seems to be causing a lot of issues to other people.
One caveat: this does NOT work out of the box for WiFi connections. This seems to be due to the fact that Win 7 does not connect to a specific SSID before the user logs onto Windows despite the wireless card drivers loading at system startup. There are plenty of other posts on the Internet how to achieve this under Win 7. Using these workarounds the above solution also works for WiFi connections.
Intrinsic Network Solutions