03-08-2013 02:07 AM - edited 02-21-2020 06:45 PM
Hi all
I'm including this as a new post as, although I've updated a previous entry, this issue seems to be causing lots of grief to loads of people so deserves a bit of prominent exposure :-)
My issue was that I could not get the AnyConnect client to perform SBL automatically (i.e we did not want the user to have to select the networking logon icon).
Details follow:
Environment:
All of the above is working and the user can manually connect to the VPN by selecting the "Networking Logon" icon on system startup. Our requirement is however for this to be automatic.
From working with TAC, this is NOT possible natively with the AnyConnect client using PLAP. My jaw dropped at that point, as this HAS to be a common requirement and it works perfectly under Windows XP. Disappointing to say the least, and it stops Cisco competing against Microsoft DA.
There is however a workaround which I have tested under Windows 7 and Windows 8.
The solution in a nutshell is
1. Create a BAT file in the c:\windows\system32\Group Policy\Machine\Scripts\Startup directory.
Contents of the BAT File:
REM adjust the path to match the real AnyConnect installation directory
cd /d "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client"
vpncli.exe connect <profile name>
REM pause is only useful while "Run startup scripts visible" is enabled, for debugging
pause
Obviously path names will need to be changed to reflect your real installation directories.
<Profile Name> is the name of your AnyConnect profile.
2. Create either a Local Policy or GPO that runs this script on startup. You will also need to modify other policy elements:
System -> Scripts: Set "Run logon scripts synchronously" to enabled
System -> Scripts: Set "Run startup scripts asynchronously" to disabled
System -> Scripts: Set "Run startup scripts visible" to enabled
System -> Logon -> Always wait for the network at computer startup and logon
Based around this, the script should run at startup and connect to the VPN. Note that you may need to disable the AnyConnect "Auto Connect at startup" option for this to work reliably otherwise you get a "connection request already in progress" message when the vpncli command runs. Also note that you don't even need SBL enabled for this to work.
Please note I'm not an MS expert, so can't assist with defining Local or GPO objects / options.
However the above does work and I now have an office full of Win 7 and Win 8 machines that connect to the VPN at system startup without any user intervention.
One caveat: this does NOT work out of the box for WiFi connections. This seems to be due to the fact that Win 7 does not connect to a specific SSID before the user logs onto Windows despite the wireless card drivers loading at system startup. There are plenty of other posts on the Internet how to achieve this under Win 7. Using these workarounds the above solution also works for WiFi connections.
Barry Hesk
Intrinsic Network Solutions
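The startup-script part of the procedure above, written out as an added example (this is not Barry's script and not Cisco code). It keeps the same shape (BAT file dropped into the GPO startup-script slot, vpncli.exe doing the work) but adds the three things an unattended script needs: a wait until the head-end is reachable (the WiFi / "network not up yet" failure mode), a check of vpncli's current state so a second request is not stacked on top of the GUI's "Auto Connect at startup" attempt (the "connection request already in progress" message), and a log file, since nobody is watching the console at boot. Assumptions: the install path (the x86 directory on a 64-bit Windows), that the argument to `connect` is the host entry name from the AnyConnect profile, that the head-end answers ICMP, the exact "state: Connected" / "state: Connecting" strings in `vpncli.exe state` output, and the log location are all placeholders or assumptions you should verify against your own installation.

```batch
@echo off
REM Added example, not the original poster's script. Placeholders and
REM assumptions: AC_DIR, VPN_HOST (host entry from the AnyConnect profile),
REM LOG, and the "state:" strings matched in vpncli.exe state output.
setlocal EnableExtensions

set "AC_DIR=C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client"
set "VPN_HOST=vpn.example.com"
set "LOG=%SystemRoot%\Temp\anyconnect-startup.log"
set "MAX_TRIES=12"

REM Redirection is written before the echo so a value that ends in a digit
REM (e.g. "exit code 2") is never parsed as a stream handle.
>>"%LOG%" echo [%date% %time%] startup script start

if not exist "%AC_DIR%\vpncli.exe" (
    >>"%LOG%" echo [%date% %time%] vpncli.exe not found in "%AC_DIR%"
    exit /b 1
)
cd /d "%AC_DIR%"

REM 1. Wait for the head-end to be reachable. "Always wait for the network"
REM    still leaves a window on WiFi where the adapter has no address yet.
set /a TRY=0
:waitnet
set /a TRY+=1
ping -n 1 -w 2000 %VPN_HOST% >nul 2>&1
if not errorlevel 1 goto netok
if %TRY% geq %MAX_TRIES% (
    >>"%LOG%" echo [%date% %time%] %VPN_HOST% unreachable after %TRY% tries, giving up
    exit /b 2
)
timeout /t 5 /nobreak >nul
goto waitnet
:netok
>>"%LOG%" echo [%date% %time%] network up after %TRY% tries

REM 2. Do not issue a second request if a tunnel already exists or is being
REM    built (this is what produces "connection request already in progress").
vpncli.exe state | findstr /i /c:"state: Connected" >nul
if not errorlevel 1 (
    >>"%LOG%" echo [%date% %time%] already connected, nothing to do
    exit /b 0
)
vpncli.exe state | findstr /i /c:"state: Connecting" >nul
if not errorlevel 1 (
    >>"%LOG%" echo [%date% %time%] connection attempt in progress, disconnecting it first
    vpncli.exe disconnect >>"%LOG%" 2>&1
)

REM 3. Connect. With certificate authentication this returns without
REM    prompting; a profile that asks for a username/password would block
REM    here, which is why that case cannot run unattended at startup.
vpncli.exe connect %VPN_HOST% >>"%LOG%" 2>&1
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo [%date% %time%] vpncli connect exit code %RC%
exit /b %RC%
```

If your head-end drops ICMP, replace the ping in the wait loop with whatever reachability test your environment allows (a TCP probe to 443 from PowerShell, or simply checking that a default gateway exists in `ipconfig`); the rest of the script does not depend on how that check is done. The log file is also the quickest way to see why a boot-time connect failed, since the "Run startup scripts visible" console is gone by the time anyone logs in.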
03-08-2013 02:09 AM
PS. Sorry for the formatting. For some reason all of the line breaks got removed when I posted, and I don't seem to have an edit button
06-11-2013 02:32 PM
Excellent solution!!! How do you deal with certificates working from within the logged in Windows session but not working during the startup process that you documented??
06-24-2013 12:17 PM
While there may be plenty of references to getting Win7 to connect to an SSID, there seem to be few to none referencing how to get AnyConnect to connect to wireless before logon. It would be nice if you could provide either a link or a description of how you achieved that portion.