10-26-2018 12:14 PM - edited 02-21-2020 09:29 PM
I'm trying to determine if there's a way to have Anyconnect connect prior to a user entering their Windows credentials. I've tried with the SBL and the vpngina but that forces a double login, which won't work in my scenario.
I've set the connection profile to use certificate only and the client profile is to use the machine certificate. But Anyconnect will only start after the actual Windows login event.
I don't think there's any way for a pre-Windows-login Anyconnect session to launch without user intervention, but I'm hoping someone can show me a way.
Thanks.
10-30-2018 09:03 PM
10-31-2018 07:58 AM
Thanks for the reply. SBL does not do what I want. It requires the user to take action for the tunnel to engage. I don't want the user to click another button to log in to Anyconnect, followed by having to actually log in to Windows. Asking users to double login won't work for us.
At least one other vendor has an automated VPN connection before login with no user action necessary.
10-31-2018 08:53 AM
10-31-2018 09:20 AM
Always On requires a Windows login before it launches. It's a listed limitation and I observed it during testing.
Again, I'm looking for VPN to launch automatically, pre-Windows login, with no user interaction. Neither SBL nor Always On can provide this.
10-31-2018 09:24 AM
04-26-2019 08:21 AM
Go for Always On using cert-based auth and SBL; remember cert auth will use the machine cert.
04-26-2019 06:20 AM
Did you ever get an answer for it? SBL and Always On without user interaction?
04-01-2022 06:38 AM
This is an old thread but to aid those who may come across this community post in searching, the Management Tunnel feature may be what you are looking for: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html
Excerpt:
A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature.
NB:
Machine certificates are required for authentication.
A separate profile is created using the standalone Management Tunnel Profile Editor.
Supported on ASA from 9.0.1 and FTD from 6.7.
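Since the management tunnel authenticates with a machine certificate, the first thing to verify on an endpoint that fails to bring the tunnel up is whether a usable machine certificate is actually present. The following PowerShell script is an added example, not part of the original post or of Cisco's documentation; the criteria it checks (Client Authentication EKU, a private key, a current validity period, a chain that builds) are assumptions about what a certificate-only profile generally needs, not a statement of the exact ASA/FTD requirements.

```powershell
# Added example: list machine certificates in LocalMachine\My and flag the ones that
# could plausibly satisfy a certificate-only AnyConnect management tunnel.
# Assumption: the tunnel needs a cert with the Client Authentication EKU, a private key,
# a valid date range, and a chain that builds to a trusted root on this host.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$now = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Look for the Enhanced Key Usage extension and check for Client Authentication.
    $hasClientAuth = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { $hasClientAuth = $true }
            }
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEKU = $hasClientAuth
        InDateRange   = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        ChainBuilds   = $cert.Verify()   # chain validation against this host's trust store
    }
}

# Print everything, then call out the certificates that pass all checks.
$report | Format-Table Subject, Issuer, NotAfter, HasPrivateKey, ClientAuthEKU, InDateRange, ChainBuilds -AutoSize

$usable = $report | Where-Object { $_.HasPrivateKey -and $_.ClientAuthEKU -and $_.InDateRange -and $_.ChainBuilds }
if ($usable) {
    Write-Host "Candidate machine certificate(s) for the management tunnel:"
    $usable | ForEach-Object { Write-Host ("  {0}  (thumbprint {1}, expires {2})" -f $_.Subject, $_.Thumbprint, $_.NotAfter) }
} else {
    Write-Host "No certificate in LocalMachine\My meets all checks; the management tunnel cannot authenticate until one is enrolled."
}
```

Run it in an elevated PowerShell session on the endpoint so the LocalMachine store and private-key presence are fully visible.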
04-23-2022 10:15 PM - edited 04-23-2022 10:15 PM
AnyConnect started supporting external browser SAML authentication starting from version 4.10.04065, which can support WebAuthN. Please check Windows Hello feature which uses WebAuthN APIs.