Anyconnect Always On

rmfalconer
Level 1

I'm trying to determine if there's a way to have AnyConnect connect prior to a user entering their Windows credentials. I've tried with SBL and the vpngina, but that forces a double login, which won't work in my scenario.

I've set the connection profile to use certificate only, and the client profile is set to use the machine certificate. But AnyConnect will only start after the actual Windows login event.

I don't think there's any way for a pre-Windows-login AnyConnect session to launch without user intervention, but I'm hoping someone can show me a way.

Thanks.

9 Replies

Shakti Kumar
Cisco Employee
Hi @rmfalconer,

Your requirement exactly matches the SBL feature. If you have allowed vpngina under the group-policy, you should see it installed under Programs and Features on Windows. Provided the software is installed and the profile is in the correct place, SBL should work without any issues.

If you see the software installed but SBL is not working, please share the DART logs at shaktiku@cisco.com.

Information on collecting DART is below

https://community.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025

Thanks
Shakti

@Shakti Kumar

Thanks for the reply. SBL does not do what I want. It requires the user to take action for the tunnel to engage. I don't want the user to click another button to log in to AnyConnect, followed by having to actually log in to Windows. Asking users to double login won't work for us.

At least one other vendor has an automated VPN connection before login with no user action necessary.

Always On requires a Windows login before it launches. It's a listed limitation, and I observed it during testing.

Again, I'm looking for the VPN to launch automatically, pre-Windows login, with no user interaction. Neither SBL nor Always On can provide this.

hi @rmfalconer,

I am suggesting that you use both features together, SBL and Always On:

1.) Always On - to auto-connect the VPN
2.) SBL - to start AnyConnect prior to Windows login

Thanks
Shakti

Go for Always On using cert-based auth and SBL; remember cert auth will use the machine cert.
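The combination recommended above (Start Before Logon plus Always On, authenticating with the machine certificate), written out as an AnyConnect client profile. This is an added example and not a profile posted by anyone in this thread; the element names are the standard AnyConnect profile schema, while the headend name vpn.example.com and the trusted DNS domain corp.example.com are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- SBL: makes the AnyConnect client available at the Windows logon screen -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>

    <!-- Authenticate with the machine certificate only: search the Machine
         store, and allow that even when the logged-on user is not an admin -->
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <CertificateMatch>
      <!-- Only offer certs that carry the Client Authentication EKU -->
      <ExtendedKeyUsage>
        <ExtendedKeyUsage>ClientAuth</ExtendedKeyUsage>
      </ExtendedKeyUsage>
    </CertificateMatch>

    <!-- Bring the tunnel up as soon as the client starts, without a click -->
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>

    <!-- Always On: connect whenever the endpoint is off the trusted network,
         and do not let the user disconnect -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>   <!-- placeholder -->
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <!-- Closed = no non-VPN traffic if the tunnel cannot be established.
             Use Open during rollout so a headend outage does not strand laptops. -->
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
        <AllowCaptivePortalRemediation>true</AllowCaptivePortalRemediation>
        <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
        <ApplyLastVPNLocalResourceRules>false</ApplyLastVPNLocalResourceRules>
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>        <!-- placeholder headend -->
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The profile is pushed by the ASA with the group policy, and the tunnel-group it maps to must be set to certificate-only authentication (as the original poster already has), with the machine certificate's issuing CA in a trustpoint the ASA accepts. Two checks worth making on a test host: the certificate sits in the LocalMachine personal store with a private key and the Client Authentication EKU, and vpngina shows up in Programs and Features, since without it nothing runs at the logon screen. The security consequence of this design is that the tunnel is up before any user has authenticated, so whoever is at the keyboard has the network reach the group policy grants; put a VPN filter ACL on that group policy that limits pre-logon traffic to what logon scripts, domain controllers and patch management actually need.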

Did you ever get an answer for it? SBL and Always on without user interaction?

andrew333
Level 4

This is an old thread, but to aid those who come across this community post when searching: the Management Tunnel feature may be what you are looking for: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

Excerpt:

A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature.

NB:

Machine certificates are required for authentication.

A separate profile is created using the standalone Management Tunnel Profile Editor.

Supported on ASA from 9.0.1 and FTD from 6.7.

Saurabh Dhakate
Cisco Employee

AnyConnect started supporting external-browser SAML authentication from version 4.10.04065, which can support WebAuthn. Please check the Windows Hello feature, which uses the WebAuthn APIs.

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthnapis
