Anyconnect: Can we detect when a user has used SBL?

sven.andersen
Level 1

Is there a Windows Event log message, registry key, or AnyConnect log file which shows categorically that a user has used SBL?

thanks


7 Replies

balaji.bandi
Hall of Fame

You mean "Start Before Logon"?

If yes, we need to know your environment: are you looking at posture, or just checking SBL?

Some information that may help you:

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-vpn.html

 

BB


Hi, thanks for the quick reply. So, a little more information.

 

SBL is in place and is being used by the majority of users. We simply want to find the users who do not use SBL, so we can remind these users that they SHOULD be using it.  We cannot force SBL to be used...only advise the users who continue to VPN after logging on.

 

We have tried to use the Windows Security logs and can detect a Windows Security Event ID Type 11 from Logonui.exe (this is a cached logon whilst off the network) or a type 2 (this is a Network login), but this could mean the user used SBL, or is in the office. So we need to find the actual successful SBL connection from the log files.

Is this possible?

Mike.Cifelli
VIP Alumni

Take a known client that has SBL installed. Open up regedit and search for 'gina'; there are several registry key options you could target to determine if it is installed or not. On my test machine here is what I see for options:

 

HKLM\Software\Classes\Installer\Products\D783879C2B2312A47A3C946B3D16674F

There are several possibilities located there

 

HKLM\Software\Classes\Installer\Products\D783879C2B2312A47A3C946B3D16674F\SourceList
PackageName = actual msi

 

HTH!

Hi Mike, thanks for the reply. We know PLAP/SBL is installed. We want to confirm whether a user has used it prior to logging on to Windows, or if they are logging on to Windows and THEN connecting to VPN. The way we are doing this via the Windows Security Event Log is cumbersome and over-complex. If there was an Event, or log file entry, which stated "PLAP connection successful" or similar, this would be more useful.

 

thanks

stsargen
Cisco Employee
(Accepted Solution)

The AnyConnect event viewer will have a few logs that might help you determine this.

 

This is when a connection is started using SBL.  The connection could still fail, but would at least tell you if they tried.

Description : Tunnel initiated by Start Before Logon Component.

 

This message is logged only during an SBL connection attempt.

SCEP Certificate Enrollment not checked due to SBL detection.

 

This might be the best one. This indicates that a VPN connection was established and the user can now login to the OS.

VPN established. Continuing with login.
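The check Sven was trying to build by hand (Security log logons versus a preceding SBL connection) can be done in a few lines of PowerShell using the message Steve quotes. The script below is an added example and is not code from the thread or from Cisco. It assumes the AnyConnect client writes its events to the Windows event log named 'Cisco AnyConnect Secure Mobility Client' (the log the AnyConnect Event Viewer reads) and that the message text matches what is quoted above; the name $WindowMinutes and its default of 10 minutes are the example's own guess at how long SBL-to-logon takes, not a Cisco figure. It must run elevated, because reading the Security log requires administrator rights.

```powershell
<#
  Added example (not from the thread or Cisco). Correlates interactive Windows
  logons (Security event 4624, logon type 2 = console, 11 = cached credentials)
  with the AnyConnect SBL marker "VPN established. Continuing with login."
  Assumptions: AnyConnect logs to 'Cisco AnyConnect Secure Mobility Client';
  $WindowMinutes is a guess at the SBL-to-logon gap; run as administrator.
#>
param(
    [int]$Days = 14,
    [int]$WindowMinutes = 10
)

$since = (Get-Date).AddDays(-$Days)

# 1. SBL successes: the tunnel came up and SBL handed off to the logon screen.
#    SilentlyContinue because a host that never used SBL has no such events,
#    which is exactly the case we want to report rather than abort on.
$sblUp = Get-WinEvent -FilterHashtable @{
             LogName   = 'Cisco AnyConnect Secure Mobility Client'
             StartTime = $since
         } -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -match 'VPN established\. Continuing with login' } |
         Select-Object -ExpandProperty TimeCreated

# 2. Interactive logons. Event 4624 carries TargetUserName and LogonType as named
#    EventData fields, so parse the event XML rather than the free-text message.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction Stop |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            LogonType = [int]$data['LogonType']
        }
    } |
    Where-Object { $_.LogonType -in @(2, 11) -and $_.User -notmatch '\$$' -and $_.User -ne 'SYSTEM' }

# 3. A logon counts as SBL-backed if an SBL marker fired shortly before it.
$report = foreach ($l in $logons) {
    $hit = $sblUp | Where-Object { $_ -le $l.Time -and $_ -ge $l.Time.AddMinutes(-$WindowMinutes) }
    [pscustomobject]@{
        Time      = $l.Time
        User      = $l.User
        LogonType = $l.LogonType
        UsedSBL   = [bool]$hit
    }
}

$report | Sort-Object Time | Format-Table -AutoSize

# Users who logged on interactively in the period but never via SBL.
$report | Group-Object User |
    Where-Object { -not ($_.Group.UsedSBL -contains $true) } |
    Select-Object -ExpandProperty Name
```

A row with UsedSBL = False is either a VPN-after-logon session or an on-site logon with no VPN at all; the thread does not quote the message text for a normal (non-SBL) tunnel, so this example does not try to tell those two apart. Administrators get two 4624 events per logon (the split-token pair); both rows receive the same verdict, so the per-user summary is unaffected.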

This might be a better solution.


If you do not use OnConnect scripting today you can use this option to perhaps create a file and put a timestamp in the file for each SBL connection made. With the setting below the file would only be updated when SBL connections are made.

[image: SBL-script.PNG]

 


Look into OnConnect scripts in the Admin guide on how to configure them.

-- Enable Post SBL On Connect Script—Launches the OnConnect script if present, and SBL establishes the VPN session. (Only supported if VPN endpoint is running Microsoft Windows.)

 

If you already use scripting today then this will not work because the script you already have would be executed for Desktop VPN connection also.

 

Hope this helps

Steve S.
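Steve's OnConnect idea, written out as an added example that is not code from the thread or from Cisco. It also addresses his caveat about sites that already use OnConnect scripting: instead of relying on the script firing only for SBL, it records whether anyone was logged on at the console when the tunnel came up, so a post-logon desktop connection is logged as such. Assumptions: that AnyConnect on this endpoint runs a PowerShell OnConnect script from its Script directory (check the supported script types for your client version in the admin guide; otherwise call this from a batch OnConnect wrapper), that Win32_ComputerSystem.UserName is empty while the machine sits at the logon screen, and the log path under %ProgramData%\SBL-Audit, which is the example's own choice.

```powershell
# OnConnect.ps1 -- added example, not from the thread or from Cisco.
# Appends one line per VPN connection and records whether an interactive user
# was already at the console when the tunnel came up. No console user means the
# connection was made pre-logon, i.e. by SBL; a console user means VPN-after-logon.
# Assumptions: the client runs .ps1 OnConnect scripts; Win32_ComputerSystem.UserName
# is empty at the logon screen; the log path below is arbitrary.

$logFile = Join-Path $env:ProgramData 'SBL-Audit\vpn-connections.log'
New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null

# Win32_ComputerSystem.UserName is the console (interactive) user, or empty
# when nobody has logged on yet.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
$mode = if ([string]::IsNullOrEmpty($consoleUser)) { 'SBL' } else { 'POST-LOGON' }

# CSV-style line: ISO timestamp with offset, host, mode, console user (blank for SBL).
$line = '{0:yyyy-MM-ddTHH:mm:ssK},{1},{2},{3}' -f (Get-Date), $env:COMPUTERNAME, $mode, $consoleUser
Add-Content -Path $logFile -Value $line -Encoding UTF8
```

Because the SBL case runs before any user has logged on, the file is not written in the user's context; restrict the ACL on the SBL-Audit directory so that users cannot edit their own records, and collect the files centrally (the per-user summary from the event-log approach can then be cross-checked against them). If "Enable Post SBL On Connect Script" is left off, the script never runs for SBL connections and only POST-LOGON lines will appear.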

 

 

Hi Steve, thank you for your reply. Looking through the logs I can see the:

"SCEP Certificate Enrollment not checked due to SBL detection"

message. It is after a few "established" messages, so it indicates the connection via SBL.

So I think we will use that as the confirmation that the user has used SBL to login.

 

Many thanks !

 

Sven