AnyConnect Auto Sign-In with Trusted Network

Hello,

I currently have an FTD 2110 managed by FMC. I'm looking for a way to have AnyConnect start up and connect when the user signs in.

I know Management Tunnel is not supported on FTD as of yet, so as an alternative, I would like to have AnyConnect run without user interaction by possibly using the following Profile Editor features:

- Auto Connect On Start (which will start up upon login)

- Trusted/Untrusted Network (detect whether the client is on the enterprise network, in which case no tunnel is initiated, or NOT on the enterprise network, in which case the tunnel is initiated)

 

Again, I just want to make sure users are forced to use VPN when not at work and not forced when at work.

Right now, I have the two features enabled along with Certificate Authentication, but I get "Certificate Validation Failure".

1 Reply

Francesco Molino
VIP Alumni

Hi

 

First of all, the only way to have a VPN come up without any user interaction is to use a certificate for authentication. However, only a machine certificate will work if you want to have the VPN up and running before a user logs in on Windows.

 

For that purpose, you will need:

  • Provide a certificate to your FTD signed by the same PKI as your users' certificates.
  • In your XML profile, configure a certificate match profile to make sure the right certificate is selected by AnyConnect to authenticate.

Example:

 

<AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
<CertificateMatch>
	<MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
	<DistinguishedName>
		<DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">
			<Name>ISSUER-CN</Name>
			<Pattern>MyPKIName</Pattern>
		</DistinguishedNameDefinition>
	</DistinguishedName>
</CertificateMatch>

In the snippet above, replace MyPKIName in the Pattern tag with the issuer CN of your internal PKI.

On the FTD, there's nothing to take care of except the certificate and the VPN connection. Everything else is done in the VPN profile and on the user's laptop.

The following tag will force a disconnect when your laptop goes into sleep mode and avoids any error message for the user.

 

<AutoReconnect UserControllable="false">true
	<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
</AutoReconnect>

Don't use Always-On VPN, because it will impact users who may not be able to connect to the VPN for one reason or another.

 

For automatic VPN, the configuration will be (an example):

 

<AutomaticVPNPolicy>true
	<TrustedDNSDomains>test.com</TrustedDNSDomains>
	<TrustedDNSServers>10.10.10.10,10.10.10.11</TrustedDNSServers>
	<TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
	<UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
	<AlwaysOn>false</AlwaysOn>
</AutomaticVPNPolicy>

In the above config, replace test.com with your internal DNS domain and replace the IP addresses in TrustedDNSServers with your DNS servers' IPs.

 

Then, you need to install the vpngina module (the Start Before Logon module).

Once you've done this, the user must click Network Sign-In to connect to the VPN. You have 2 choices to force AnyConnect to connect automatically on the Windows PLAP screen:

  • Use the Windows scheduler to execute a script on boot (I haven't used this solution myself)
  • Create a Windows service (with a .NET program) or use the free tool nssm

Either of these options must run a bash script using the vpncli.exe command followed by your profile name.

When you do this, the VPN will come up automatically, but when the user logs in, you'll be disconnected and reconnected, which leads to issues if you have any script, GPO, etc.

To avoid this, add the following tag in your XML file:

<RetainVpnOnLogoff>true
	<UserEnforcement>AnyUser</UserEnforcement>
</RetainVpnOnLogoff>

So, after this, your XML profile is built and you just need to upload it to your FTD and attach it to your VPN connection.

 

On the user side, you'll need to push this XML and install the SBL module using any method you like, such as SCCM.

 

Hope this helps.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
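The answer above gives the profile in pieces; the following is an added example (not the poster's or Cisco's own file) that assembles them into one complete AnyConnect client profile, with constructed values: the headend vpn.example.com, the internal domain corp.example.com, and an issuing CA whose CN is "Corp Issuing CA". The CertificateStore and CertificateStoreOverride lines are added so the machine certificate is used for Start Before Logon.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile; all hostnames, domains and CA names are placeholders. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Start the client at the PLAP screen and connect without user interaction. -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <!-- Before logon there is no user, so the machine certificate store must be used. -->
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <!-- Pick the certificate issued by the internal PKI without prompting. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <CertificateMatch>
      <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Corp Issuing CA</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
    <!-- Drop the tunnel cleanly on sleep instead of surfacing errors to the user. -->
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <!-- Trusted Network Detection: tunnel only when off the corporate network. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedDNSServers>10.10.10.10,10.10.10.11</TrustedDNSServers>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>false</AlwaysOn>
    </AutomaticVPNPolicy>
    <!-- Keep the pre-logon tunnel across the user logon so GPO and logon scripts are not cut off. -->
    <RetainVpnOnLogoff>true
      <UserEnforcement>AnyUser</UserEnforcement>
    </RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corp VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

The machine certificate has to sit in the Local Computer store with its private key accessible to the AnyConnect service, and the issuing CA chain must be trusted by both the laptop and the FTD, otherwise the "Certificate Validation Failure" from the question is what you will see.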