Solved: Re: "Start Before Logon" with AnyConnect Client under Vista.

P. Muilman · ‎06-09-2008

Did make a .xml to Use "Start Before Logon" with AnyConnect under Vista.

SBL op TRUE!

Cisco AnyConnect VPN Client Administrator Guide

Topics:

Configuring and Using AnyConnect Client Operating Modes and User Profiles &

Sample AnyConnect Profile and XML Schema

.xml is pushed to the SSL VPN Client (AnyConnect) PC

And can be found under

XP

C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile

VISTA

C:\ProgramData\Cisco\Cisco AnyConnect VPN Client\Profile

For XP it works. But under Vista it doesn't

Under XP with a ctrl-alt-del the GUI for AnyConnect starts.

And I heard that under Vista there should be an extra icon on the right side of the logon screen.

But under the tested systems it doesn't appear...

These bugs I found for the standard VPN Client:

Bugs CSCse47544 en CSCsi35107

CSCse47544 Bug Details

Vista: VPN Client does not support Start Before Logon

Windows Vista no longer supports GINA technology that was used by VPN Client to implement Start Before Login functionality.

As a result, the Cisco VPN Client does not support Start Before Login functionality on Vista.

CSCsi35107 Bug Details

Vista: Start Before Login (SBL) not available

Symptom:

Unable to find the SBL configuration settings in the GUI.

Workaround:

Vista does not support the XP style GINA therefore SBL has been removed. This feature is not planned for the Cisco VPN Client.

Force Net Logon may be used to achieve similar (drive mapping, etc) functionality.

Did anyone get this working under VISTA with the AnyConnect Client??

Features in Cisco AnyConnect VPN Client, Release 2.2

Start Before Logon (SBL)-Allows for login scripts, password caching, drive mapping, and more, for Windows.

Farrukh Haroon · ‎06-11-2008

Since the user guide does not mention any value except 'vpngina' im assuming it should be the same. Just make sure your ASA/AnyConnect versions are compatiable as per the following matrix:

http://www.cisco.biz/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

Regards

Farrukh

View solution in original post

Farrukh Haroon · ‎06-09-2008

At least the release notes say its supported:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect22/release/notes/anyconnect22rn.html#wp737642

Also that doc reads:

"Differences Between Windows-Vista and Pre-Vista Start Before Logon

The procedures for enabling SBL differ slightly on Windows Vista systems. Pre-Vista systems use a component called VPNGINA (which stands for virtual private network graphical identification and authentication) to implement SBL. Vista systems use a component called PLAP to implement SBL.

In the AnyConnect client, the Windows Vista Start Before Logon feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets network administrators perform specific tasks, such as collecting credentials or connecting to network resources, prior to login. PLAP provides start Before Logon functions on Windows Vista and the Windows 2008 server. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP function supports Windows Vista x86 and x64 versions.

Note In this section, VPNGINA refers to the Start Before Logon feature for pre-Vista platforms, and PLAP refers to the Start Before Logon feature for Windows Vista systems.

In pre-Vista systems, Start Before Logon uses a component known as the VPN Graphical Identification and Authentication Dynamic Link Library (vpngina.dll) to provide Start Before Logon capabilities. The Windows PLAP component, which is part of Windows Vista, replaces the Windows GINA component.

A GINA is activated when a user presses the Ctrl+Alt+Del key combination. With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or to activate any Network Connections (PLAP components) using the Network Connect button in the lower-right corner of the window.

For a complete description of enabling, configuring, and using the Start Before Logon feature (VPNGINA or PLAP) on a Windows platform, see Cisco AnyConnect VPN Client Administrator Guide, Release 2.2, Chapter 4. "

More Info here:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect22/administration/guide/22admin4.html#wp1006226

Regards

Farrukh

P. Muilman · ‎06-11-2008

Thanks,

This is correct.

When I want to use both Vista and pre-Vista clients, what is the syntax for this cmd?

group-policy DfltGrpPolicy attributes

webvpn

svc modules value vpngina

Couldn't find a list of values to enter for each client feature in the release notes for the Cisco AnyConnect VPN Client.

host(config-group-webvpn)#svc modules value ?

config-group-webvpn mode commands/options:

LINE < 255 char Opaque list of modules

P. Muilman · ‎06-11-2008

Did try also svc modules value plap

And on this moment svc modules value sbl

But neither option seems to work.

Farrukh Haroon · ‎06-11-2008

You have the .xml file option also, did you try that?

Regards

Farrukh

Farrukh Haroon · ‎06-11-2008

Since the user guide does not mention any value except 'vpngina' im assuming it should be the same. Just make sure your ASA/AnyConnect versions are compatiable as per the following matrix:

http://www.cisco.biz/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html

Regards

Farrukh

P. Muilman · ‎06-11-2008

Cisco Security Appliance Command Line Configuration Guide

For the Cisco ASA 5500 Series and Cisco PIX 500 Series

Software Version 8.0

Enabling Start Before Logon

Start Before Logon (SBL) allows login scripts, password caching, drive mapping, and more, for the AnyConnect client installed on a Windows PC. For SBL, you must enable the security appliance to download the SBL module, and you must edit the client profile. The following procedure shows how to enable SBL:

Step 1Enable the security appliance to download the SBL module to specific groups or users using the svc modules command from group policy webvpn or username webvpn configuration modes.

In the following example, the user enters group-policy attributes mode for the group policy telecommuters, enters webvpn configuration mode for the group policy, and specifies the string sbl to enable SBL:

hostname(config)# group-policy telecommuters attributes

hostname(config-group-policy)# webvpn

hostame(config-group-webvpn)# svc modules value sbl

Step 2Retrieve a copy of the client profiles file (AnyConnectProfile.tmpl). For information on the location of the profiles file for each operating system, see Table 38-1 on page 38-8

Step 3Edit the profiles file to specify that SBL is enabled. The example below shows the relevant portion of the profiles file (AnyConnectProfile.tmpl) for Windows:

false

The tag determines whether the client uses SBL. To turn SBL on, replace false with true. The example below shows the tag with SBL turned on:

true

Step 4Save the changes to AnyConnectProfile.tmpl and update the profile file for the group or user on the security appliance using the svc profile command from webvpn configuration mode. For example:

asa1(config-webvpn)# svc profiles sales disk0:/sales_hosts.xml

P. Muilman · ‎06-11-2008

My last post wasn't very clear.

In the ASA command line config guide page 38-10, it says to use svc modules value sbl.

It's not very clear to what this refers.

When should we use sbl and when vpngina?

We already use the .xml

svc profiles imtech disk0:/imtech.xml

P. Muilman · ‎06-11-2008

ASA 8.03 ASDM 6.0.(3) Cisco AnyConnect Client 2.1.0128 (but we have 2.2.0128)

Farrukh Haroon · ‎06-11-2008

Vista SBL support was added in 2.2.x so you need to have that. The Matrix recommends this 2.2.0133+.

I'm unable to find a reference for the different between vpngina and sbl, I would say get Anyconnect 2.2.0133+ or higher and then try both.

Regards

Farrukh

P. Muilman · ‎06-11-2008

So you suggest to upgrade Our ASA to

ASA Interim Release 8.0.3.12, with ASDM Interim Release 6.0.3.60 AND anyconnect 2.2.0133?

Farrukh Haroon · ‎06-11-2008

Yes, exactly that :)

Regards

Farrukh

P. Muilman · ‎06-12-2008

We did upgrade the ASA/ASDM and the AnyConnect package.

ASA had a reload last night at 01:00 CET.

New software is running. With XP I tested and my AnyConnect VPN Client has upgraded itself.

Asked a Vista user to test and now I'm waiting for his response.

Farrukh Haroon · ‎06-12-2008

Ok great, let us know how it goes :)

Regards

Farrukh

P. Muilman · ‎06-13-2008

User with Vista Business still has to test.

Vista Ultimate seems to work.

But only after I changed entry from sbl to vpngina.

Logoff > CTRL-ALT-DEL > Switch User and then there is that extra icon to start the AnyConnect VPN Client!

So the solution is newer software...!