Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
486
Views
1
Helpful
4
Replies

SBL allowing users to connect without authentication

joemrris1
Level 1
Level 1

‎11-10-2023 05:17 AM

 

Hi All,

I am in the process of rolling out SBL and in the testing I realised that it works perfectly from the device logon screen. However, once I am logged in to the device, if I choose the SBL option from the Cisco AnyConnect dropdown list, I can connect to the VPN without any form of authentication... 

Is there a way to configure this so that the SBL function is only available from the logon screen, or similarly the XML profile self-destructs after the first login to the device?

Thanks!

0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-10-2023 08:27 AM

Some sort of authentication must be happening - it could be transparent to the end user depending on the system settings (for example, using certificate or some sort of SSO method).

Check your headend firewall and/or AAA server to see what it says about that in the logs and configuration.

joemrris1
Level 1
Level 1
In response to Marvin Rhoads

‎11-10-2023 08:32 AM

Thanks for the reply Marvin, you are right there is authentication happening, probably my poor wording! 

My test device as an example... that has the SBL cert installed as well as the SBL XML profile. So i guess the cert is the authentication, however is there a way to configure it so that the authentication is required manually from the user? We have MFA for Cisco configured which works perfectly, but if a user chooses the SBL option from the dropdown then they can connect to the VPN without any form of MFA / password / manual authentication. This is exactly how we want it from the logon screen, but not once the device is logged in to.

Hopefully that explains it a bit better

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to joemrris1

‎11-10-2023 09:10 AM

Ah ok. It sounds like you have SBL published as a selectable URL connection profile (tunnel-group). You could hide that but embed it in the client profile xml file so that it is automatically selected by SBL but not visible as a choice when logging on interactively.

0 Helpful

jbhanderi671
Level 1
Level 1

‎12-07-2023 01:01 PM

Is there a way we can have SBL VPN automatically connect without login or any kind of user input (not even a laptop in laptop screen click ! ) ?? 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card