cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
47241
Views
0
Helpful
3
Replies

AnyConnect automatic start before logon Windows 7

barry
Rising star
Rising star

Hi all

I'm incuding this as a new post as although I've updated a previous entry this issue seems to be causing lots of grief to loads of people so deserves a bit of prominent exposure :-)

My issue was that I could not get the AnyConnect client to perform SBL automatically (i.e we did not want the user to have to select the networking logon icon).

Details follow:

Environment:

  • ASA running 9.1(1)
  • AnyConnect Secure Mobility Client 3.1
  • Authentication via digital certificates (to avoid the user entering credentials to establish the VPN).
  • SBL configured

All of the above is working and the user can manally connect to the VPN by selecting the "Networking Logon" icon on system startup. Our requirement is however for this to be automatic.

From working with TAC, this is NOT possible natively with the AnyConnect client using PLAP. My jaw dropped at that point is this HAS to be a common requirement and it works perfectly under Windows XP. Disappointing to say the least and stops Cisco competing against Microsoft DA.

There is however a workaround which I have tested under Windows 7 and Windows 8.

The solution in a nutshell is

1. Create a BAT file in the c:\windows\system32\Group Policy\Machine\Scripts\Startup directory.

Contents of the BAT File:

cd C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client

vpncli connect <profile name>

pause

Obviously path names will need to be changed to reflect your real installation directories.

<Profile Name> is the name of your AnyConnect profile.

2. Create either a Local Policy or GPO that runs this script on startup. You will also need to modify other policy elements:

System -> Scripts “Run logon scripts synchronously” to enabled

System -> Scripts Set “Run startup scripts asynchronously” to disabled

System -> Scripts Set Run startup scripts visible” to enabled.

System -> Logon -> Always wait for the network at computer startup and logon

Based around this, the script should run at startup and connect to the VPN. Note that you may need to disable the AnyConnect "Auto Connect at startup" option for this to work reliably otherwise you get a "connection request already in progress" message when the vpncli command runs. Also note that you don't even need SBL enabled for this to work.

Please note I'm not an MS expert, so can't assist with defining Local or GPO objects / options.

However the above does work and I now have an office full of Win 7 and Win 8 machines that connect to the VPN at system startup without any user intervention.

One caveat: this does NOT work out of the box for WiFi connections. This seems to be due to the fact that Win 7 does not connect to a specific SSID before the user logs onto Windows despite the wireless card drivers loading at system startup. There are plenty of other posts on the Internet how to achieve this under Win 7. Using these workarounds the above solution also works for WiFi connections.

Barry Hesk

Intrinsic Network Solutions

3 REPLIES 3

barry
Rising star
Rising star

PS. Sorry for the formatting. For some reason all of the line breaks got removed when I posted, and I don't seem to have an edit button

jlenkowski
Beginner
Beginner

Excellent solution!!!  How do you deal with certificates working from within the logged in Windows session but not working during the startup process that you documented??

Russell Gibbons
Beginner
Beginner

While there may be plenty of references to getting Win7 to connect to an SSID, there seem to be few to none referencing how to get AnyConnect to connect to wireless before logon. It would be nice if you could provide either a link or a description of how you acheived that portion.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: