2969 Views, 0 Helpful, 3 Replies

AnyConnect and laptop Cached Creds for new remote user

clausonna (Level 3)

Hi folks,

How do you deal with a user in a remote (non WAN-connected) office or location that needs to cache their credentials on a corporate laptop?  I do not (and cannot) run AnyConnect Start Before Login (SBL) - too many users need to access their machines when they have NO internet connectivity.

In the 'old days' with Microsoft PPTP VPN, a user could choose to optionally start the VPN session first, supply their domain creds, the VPN tunnel would establish, and THEN the user's creds were validated against the domain controllers and was subsequently allowed on the laptop (caching the creds in the process.)

Windows 7 allows this as well, but it seems to be only for Microsoft VPN connections (PPTP, L2TP, IPsec).  I've tried to 'share' out AnyConnect adapters/settings but it doesn't appear in the list of available connections.

So I guess what I'm looking for is an Optional SBL from the Cisco AnyConnect team, and/or suggestions on how people do this now.  One option would be to give the user the local Admin creds in order to get them logged in to the laptop, then they start AnyConnect, and do a "Run As" on a program with their account's domain creds, which will cache them locally.  We'd really prefer not to do that, though, because most users aren't local admins to begin with, and we don't want to give the password out.

Thanks!!

3 Replies

Herbert Baerten (Cisco Employee)

Hi

It seems to me this is precisely what SBL is for, so I'm not sure I understand what the problem is when you install SBL?

Herbert

SBL is "all or nothing" - a user needs to have Internet connectivity in order to log in to their laptop, ALWAYS.  I have 5000+ users all over the world, some of whom are, literally, in the middle of a desert or jungle with no network access for miles.  I can't lock them out of their laptop just because once in a blue moon a new user needs to cache their credentials.  I have no other requirements (security or otherwise) for users to VPN in before they can get to their desktop.  Plus, changing the way 5000+ users log in to their laptops, with the potential for locking them out entirely if something goes wrong?  No thanks.

I'm asking for -optional- SBL:  users always do CTRL-ALT-DEL and if their creds are cached then boom, they're in.  If they want/need to fire up AnyConnect afterwards to get to corporate resources, then fine.  But if the user's creds aren't cached (for example, the old user has left the company, and their laptop is given to the 'new guy') then I shouldn't have to a) force the user to go to a WAN-connected office just so they can cache their creds, b) give the user the laptop's local admin creds, c) go through some convoluted SBL process.

Microsoft lets you do this now with their PPTP, L2TP/IPSec, and analog dial-up VPNs; why can't Cisco expose the AnyConnect VPN adapter in the same way so I can optionally fire up the VPN tunnel, authenticate with the new user's creds, thus caching them locally in the process?

Replying to my own post here:

Based on information I received from some (fantastic) internal Cisco folks, I can confirm that the feature I needed is available and works properly.  First, enable SBL as defined here:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac03vpn.html#wp1056507

Then have the user connect, and then reboot. Afterwards, you select "Switch User" and then click the Networks button.  The Cisco AnyConnect client appears as an option, thus allowing a new non-cached-credential user to VPN into the network first, then cache their creds*, but also allowing existing cached-credential users to continue to access the system without having to VPN in first.  Perfect!

It seems that it's only if the user configures the "Connect on Start-up" option in their local AnyConnect Preferences that ALL users are forced to VPN in first, before any account / cached cred can access their system.

Also, this seems to only work in Windows 7.  I tried on an XP system by using the "Log on using a dial-up connection" check-box at CTRL-ALT-DEL, but it only presented my previous MS PPTP and analog dial-up adapters, and not AnyConnect.  If anyone gets this to work on XP please post, but otherwise I'm OK with it.

* = If your creds still aren't cached after doing this, you might need to run any program (e.g. Notepad) with "Run As" and supply the domain creds.  That ought to cache them locally permanently.

Thanks.
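The "VPN first, then cache" procedure above depends on two local settings that the thread mentions only indirectly: Windows must actually be allowed to cache domain logons, and the AnyConnect "Connect on Start-up" preference must be off, otherwise every user on the laptop is forced through the VPN. The following PowerShell script is an added example for checking both before handing a laptop to a new user; it is not from the thread and not Cisco's code. It assumes a Windows 7 or later client, the Winlogon `CachedLogonsCount` registry value (absent means the Windows default of 10), and AnyConnect 3.x storing the per-user preference as an `AutoConnectOnStart` element in `preferences.xml` under `%LOCALAPPDATA%`; the function names are the example's own.

```powershell
# Added example (not from the thread): verify the local settings that decide
# whether logging in via AnyConnect first will leave a cached domain credential
# without forcing SBL on everyone else.
# Assumptions: Windows 7+, AnyConnect 3.x preferences.xml under %LOCALAPPDATA%,
# run from an elevated PowerShell session on the laptop being prepared.

function Get-CachedLogonsCount {
    # Winlogon\CachedLogonsCount controls how many domain logons Windows keeps
    # offline; 0 means credentials are never cached, which defeats the procedure.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }   # value absent: Windows default of 10
    return [int]$item.CachedLogonsCount
}

function Get-AnyConnectAutoConnect {
    # Reads the "Connect on Start-up" preference for the current user profile.
    # Returns $true/$false, or $null when no preferences.xml exists (assumed path).
    param(
        [string]$PreferencesPath = (Join-Path $env:LOCALAPPDATA `
            'Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml')
    )
    if (-not (Test-Path -Path $PreferencesPath)) { return $null }
    [xml]$prefs = Get-Content -Path $PreferencesPath
    $node = $prefs.SelectSingleNode('//AutoConnectOnStart')
    if ($null -eq $node) { return $false }   # element missing: treated as off
    return ($node.InnerText.Trim().ToLower() -eq 'true')
}

$cached = Get-CachedLogonsCount
if ($cached -eq 0) {
    Write-Warning 'CachedLogonsCount is 0: domain logons are never cached here, so the new user will have no cached credential after the VPN-first logon.'
} else {
    Write-Output "Cached logons allowed: $cached (one successful domain logon over the VPN will be retained)."
}

$auto = Get-AnyConnectAutoConnect
if ($null -eq $auto) {
    Write-Output 'No AnyConnect preferences.xml found for this profile; nothing to check.'
} elseif ($auto) {
    Write-Warning '"Connect on Start-up" (AutoConnectOnStart) is enabled: all users of this laptop will be forced to VPN in before logon.'
} else {
    Write-Output '"Connect on Start-up" is off: AnyConnect remains optional via Switch User > Networks.'
}
```

Run it once on the reassigned laptop before the new user's first logon. The first warning is the case the thread's footnote hints at (creds "still aren't cached"): on a hardened image with `CachedLogonsCount` set to 0, neither the VPN-first logon nor the "Run As" trick will leave a cached credential, so the policy must be relaxed deliberately rather than worked around.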