Anyconnect Always On

10-26-2018 12:14 PM - edited 02-21-2020 09:29 PM
I'm trying to determine if there's a way to have Anyconnect connect prior to a user entering their Windows credentials. I've tried with the SBL and the vpngina but that forces a double login, which won't work in my scenario.
I've set the connection profile to use certificate only and the client profile is to use the machine certificate. But Anyconnect will only start after the actual Windows login event.
I don't think there's any way for a pre Windows Anyconnect session to launch without user intervention but I'm hoping someone can show me a way.
Thanks.
Labels: AnyConnect

10-30-2018 09:03 PM
Your requirement exactly matches the SBL feature. If you have allowed vpngina under the group-policy you should see it installed under Programs and Features on Windows. Provided the software is installed and the profile is in the correct place, SBL should work without any issues.
If you see the software installed but are not able to see SBL working, please share the DART logs at shaktiku@cisco.com
Information on collecting the DART bundle is below:
https://community.cisco.com/t5/security-documents/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025
Thanks
Shakti
10-31-2018 07:58 AM
Thanks for the reply. SBL does not do what I want. It requires the user to take action for the tunnel to engage. I don't want the user to click another button to log in to Anyconnect, followed by having to actually log in to Windows. Asking users to double login won't work for us.
At least one other vendor has an automated VPN connection before login with no user action necessary.

10-31-2018 08:53 AM
You can use SBL along with Always-On, so that the VPN connection is automated.
https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-vpn.html#topic_BD02A53E0A714E23A56850698C830A6C
thanks
Shakti
10-31-2018 09:20 AM
Always On requires a Windows login before it launches. It's a listed limitation and I observed it during testing.
Again, I'm looking for VPN to launch automatically, pre Windows login, with no user interaction. Neither SBL nor Always On can provide this.

10-31-2018 09:24 AM
I am asking you to use both features together, SBL and Always-On:
1.) Always-On - to auto-connect the VPN
2.) SBL - for starting AnyConnect prior to Windows login
Thanks
Shakti

04-26-2019 08:21 AM
Go for Always-On using cert-based auth and SBL. Remember, cert auth will use the machine cert.
04-26-2019 06:20 AM
Did you ever get an answer for it? SBL and Always on without user interaction?
04-01-2022 06:38 AM
This is an old thread but to aid those who may come across this community post in searching, the Management Tunnel feature may be what you are looking for: https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html
Excerpt:
A management VPN tunnel ensures connectivity to the corporate network whenever the client system is powered up, not just when a VPN connection is established by the end-user. You can perform patch management on out-of-the-office endpoints, especially devices that are infrequently connected by the user, via VPN, to the office network. Endpoint OS login scripts that require corporate network connectivity also benefit from this feature.
NB:
Machine certificates are required for authentication.
A separate profile is created using the standalone Management Tunnel Profile Editor.
Supported on ASA from 9.0.1 and FTD from 6.7.
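An endpoint-side prerequisite check, added here as an example and not code from Cisco or from any poster in this thread. It ties together the two points made above: the SBL reply (vpngina must show up under Programs and Features and the profile must be in the right place) and the management tunnel post (a machine certificate is mandatory and the management profile lives in its own directory). Both a pre-login SBL session and the management tunnel authenticate the device rather than a person, so the only credential that matters is a certificate in the LocalMachine store with a private key and the Client Authentication EKU; a certificate in the user's store is unusable before logon. The profile paths, the `vpnagent` service name and the SBL module's display name are the AnyConnect defaults on Windows; `$ExpectedIssuer` is an assumed value you replace with your issuing CA's subject.

```powershell
# Added example (not Cisco code): check that an endpoint can bring up an
# unattended AnyConnect tunnel (SBL and/or management VPN tunnel).
# Run from an elevated PowerShell on the endpoint.

$ExpectedIssuer = 'CN=Corp Issuing CA'   # ASSUMPTION: subject of your enterprise issuing CA
$ProfileRoot    = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$MgmtRoot       = Join-Path $ProfileRoot 'MgmtTun'          # management tunnel profile directory
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'                        # id-kp-clientAuth

function Test-MachineCert {
    # Only the machine store is available before a user logs on, so a usable
    # certificate must be in LocalMachine\My, hold a private key, be in its
    # validity period and carry the Client Authentication EKU.
    $now = Get-Date
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $ClientAuthOid)
    }
    if (-not $candidates) {
        Write-Warning 'No usable machine certificate (private key + Client Authentication EKU) in LocalMachine\My.'
        return $false
    }
    foreach ($c in $candidates) {
        Write-Host "Machine cert: $($c.Subject) issued by $($c.Issuer), expires $($c.NotAfter.ToShortDateString())"
    }
    if (-not ($candidates | Where-Object { $_.Issuer -eq $ExpectedIssuer })) {
        Write-Warning "None of the usable certificates was issued by $ExpectedIssuer; AnyConnect may select the wrong one."
    }
    return $true
}

function Test-Profiles {
    # The management tunnel needs its own profile (from the Management Tunnel
    # Profile Editor) in Profile\MgmtTun; the user profile in Profile\ carries
    # AutoConnectOnStart / AlwaysOn when Always-On is expected to auto-connect.
    $ok = $true
    $mgmt = Get-ChildItem -Path $MgmtRoot -Filter *.xml -ErrorAction SilentlyContinue
    if (-not $mgmt) {
        Write-Warning "No management tunnel profile found in $MgmtRoot"
        $ok = $false
    }
    foreach ($f in $mgmt) {
        [xml]$x = Get-Content -Path $f.FullName
        $hosts = ($x.GetElementsByTagName('HostAddress') | ForEach-Object InnerText) -join ', '
        Write-Host "Management profile $($f.Name): server list -> $hosts"
    }
    foreach ($f in (Get-ChildItem -Path $ProfileRoot -Filter *.xml -ErrorAction SilentlyContinue)) {
        [xml]$x = Get-Content -Path $f.FullName
        $auto     = ($x.GetElementsByTagName('AutoConnectOnStart') | Select-Object -First 1).InnerText
        $alwaysOn = $x.GetElementsByTagName('AlwaysOn').Count -gt 0
        Write-Host "User profile $($f.Name): AutoConnectOnStart=$auto AlwaysOn=$alwaysOn"
    }
    return $ok
}

function Test-SblModule {
    # vpngina/SBL shows up in Programs and Features as the Start Before Login Module.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $sbl = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like '*Start Before Login*' }
    if (-not $sbl) { Write-Warning 'AnyConnect Start Before Login module is not installed.'; return $false }
    Write-Host "SBL module: $($sbl.DisplayName) $($sbl.DisplayVersion)"
    return $true
}

$agent = Get-Service -Name vpnagent -ErrorAction SilentlyContinue
if (-not $agent -or $agent.Status -ne 'Running') { Write-Warning 'vpnagent service is not running.' }

[ordered]@{
    MachineCert = Test-MachineCert
    Profiles    = Test-Profiles
    SblModule   = Test-SblModule
}
```

Because the tunnel comes up with no person present, the machine certificate's private key is the whole credential: issue it non-exportable (TPM-backed where the platform allows), and scope the management tunnel's group policy with split-include to the patch and management networks it actually needs rather than handing an unattended device a full corporate route.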
04-23-2022 10:15 PM - edited 04-23-2022 10:15 PM
AnyConnect started supporting external browser SAML authentication starting from version 4.10.04065, which can support WebAuthN. Please check Windows Hello feature which uses WebAuthN APIs.
