
Cisco Anyconnect

nelcnetworks
Level 4

Is there any way to get AnyConnect to run a program at the same time as it starts? I would like to use Start Before Logon with an RSA soft token, but so far have not been able to get it to work.

5 Replies

nelcnetworks
Level 4

I should add that I was trying to get it to work by just entering the PIN. I am running Windows 10.

You can integrate the RSA with your ASA as a 2-factor authentication scheme. You could make one factor the user certificate if you have certificates. Or you could even make the RSA authentication the sole method. I have one customer who's doing that (though not with SBL) and it works fine.

I did a project for a customer a while back where they use SBL and authenticate internal users with RSA token. It works for them.

HTH

Rick


Could you possibly let me have the procedures you used, and does it work on Windows 10?

That project was a while back and probably predates Windows 10 so I have no experience to offer in answering the question about whether it works on Windows 10. But I would guess that it should work on Windows 10.

The configuration of SBL is fairly simple. In the configuration under webvpn you enable the SBL module

  anyconnect modules value vpngina

and in the xml profile you enable SBL and optionally make this function user controllable

 <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>

You may find additional details in this link which may be helpful

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107598-sbl.html

In the implementation that I did for this customer they were using a Radius server to authenticate the AnyConnect sessions and the Radius server communicated with RSA to process the token and do the authentication processing. This is what they used when they went to production. They were interested in changing and having the ASA communicate directly with RSA using sdi protocol. I have done this for customers and it does work. I discussed what they would need to change to accomplish this. But that change was outside of scope for our project so I was not involved in that change (and am not sure whether they actually made those changes). Whether it uses Radius for communication with the server or sdi for communication with the server the ASA configuration of authentication for AnyConnect sessions is fairly straightforward and quite similar.


HTH

Rick
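
An added example, not part of the thread and not Cisco's code: a small check of what the `UseStartBeforeLogon` element quoted in the reply above actually configures. In an AnyConnect profile the element text is the default and `UserControllable` decides whether the user may change it in the client preferences, so the element as posted leaves SBL off until the user turns it on. The wrapper profile is constructed for the example, the function names are hypothetical, and treating a missing element as "off" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the thread) wrapping the element quoted above.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
  </ClientInitialization>
</AnyConnectProfile>
"""


def _local(tag):
    """Reduce a namespaced tag such as '{uri}Name' to 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _as_bool(text):
    """Profile booleans are the strings 'true' and 'false'; anything else is false."""
    return (text or "").strip().lower() == "true"


def sbl_state(profile_xml):
    """Return (default_on, user_controllable, summary) for Start Before Logon."""
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        if _local(elem.tag) == "UseStartBeforeLogon":
            default_on = _as_bool(elem.text)
            controllable = _as_bool(elem.get("UserControllable"))
            break
    else:
        # Assumption: a profile without the element leaves SBL off.
        return False, False, "element absent, SBL off (assumed default)"
    if controllable:
        summary = ("on by default, user may turn it off" if default_on
                   else "off by default, user must turn it on")
    else:
        summary = "forced on" if default_on else "forced off"
    return default_on, controllable, summary


if __name__ == "__main__":
    print(sbl_state(SAMPLE_PROFILE))
```

A profile that should always present the VPN prompt before Windows logon would carry `true` as the element text; the `vpngina` module line on the ASA is still required either way.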