We are trying to see if the Cisco AnyConnect client configured for SBL (Start Before Logon) can integrate into the Windows (GINA) logon process. The end goal would be to only require one logon to the computer vs. two. Right now remote users are forced to enter login credentials into the AnyConnect client for SBL, then they have to enter their Windows username and password, which is the same as their AnyConnect username and password. Our remote users use a combination of XP and Windows 7 laptops. Thanks, Jason
One solution is to use certificate authentication for AnyConnect; this way the user does not need to enter a username and password for the VPN, only for the Windows logon. It is not possible to do single sign-on from AnyConnect to Windows as far as I know.
You need to have a PKI infrastructure, with certificates deployed to clients.
In order to get this to work with machine certificates, you need to add the following lines in a profile that is assigned to the group-policy:
You can also configure "trusted network detection" in the profile so that VPN automatically connects when you are outside of the office, and automatically disconnects when you are in the office.
Apart from that, you just need to import the CA certificate into the ASA so that it is trusted, and choose certificate authentication in the tunnel group.
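Putting the steps in the answer above together, here is an added example (not from the original thread, and not Cisco's own text) of an AnyConnect client profile that enables SBL, picks a certificate from the machine store automatically, and adds trusted network detection. The hostname vpn.example.com, the DNS domain corp.example.com, the DNS server 10.0.0.53 and the tunnel group name machine-cert are placeholders to replace with your own values. The ASA side (importing the CA certificate into a trustpoint and selecting certificate authentication on the tunnel group) is done separately on the ASA and is not shown here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example AnyConnect client profile (added example, not from the thread). -->
<!-- Deploy it through the group-policy so the client downloads it at first connect. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Start Before Logon: the VPN is brought up from the logon screen. -->
    <!-- UserControllable="false" stops the user from switching it off locally. -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>

    <!-- Machine certificate: no user is logged on yet at SBL time, so the -->
    <!-- client must look in the machine store, not the user store. -->
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>

    <!-- Pick the certificate without prompting, so no interaction is needed. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>

    <!-- Connect as soon as the client starts (used together with SBL/TND). -->
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>

    <!-- Trusted Network Detection: on the corporate network (recognised by -->
    <!-- DNS suffix and DNS server) disconnect; anywhere else, connect. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>   <!-- placeholder -->
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>          <!-- placeholder -->
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
    </AutomaticVPNPolicy>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>        <!-- placeholder -->
      <HostAddress>vpn.example.com</HostAddress>  <!-- placeholder -->
      <!-- Tunnel group on the ASA that is set to certificate authentication. -->
      <UserGroup>machine-cert</UserGroup>         <!-- placeholder -->
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Two caveats when trying this: the SBL module has to be installed on the laptop in addition to the core client, and the machine certificate must be issued by the CA that the ASA trusts, with a private key the SYSTEM account can read, or the client will find nothing to present at the logon screen.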
Enhancement request CSCsm08815 has been filed for this. Please have your account teams follow up with the Anyconnect Product Manager to have this implemented.