Solved: Anyconnect SBL on Win10 machines

varunkhanna58026 · ‎03-27-2020

Hi Teams ,

Due to heavy tendency to have users from work from home due to COVID-19 , we are having to send laptops to users at their home. But since they haven't logged in before on new laptops their credentials are not cached , they are not able to login. Now we are trying to get SBL feature work . I have followed the 2 steps described in document

1. Enable vpngina

2. enable SBL in anyconnect profiles.

Both of them are in screenshot attached. But the problems is , although laptops in lab have been installed with SBL module , when we reboot laptop , there is an anyconnect icon called status , which spins and looks like trying to connect , but then falls back to windows login screen , instead of asking for VPN profiles or credentials. I have made a video of how laptop behave and is also attached. What can be wrong ? after logging in via cached credentials, a user can connect to VPN without problem .

Varun

Francesco Molino · ‎03-29-2020

This is what I was going to reply to check user rights. Have you checked you see the module correctly installed in Add/Remove Programs?
Can you try to do the auto download/install with a user having admin rights just for testing?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎03-27-2020

Hi

What anyconnect version are you using?
You've connected at least once with a user session openned to be sure everything worked and sbl module was successfully downloaded/installed?
Did it worked on 1 machine at least or not working anywhere?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

varunkhanna58026 · ‎03-27-2020

@Francesco Molino ,

Anyconnect version is 4.6.02074 .Yes we have connected user session in the lab before shipping out to customer. The SBL module got downloaded and that's why perhaps we even get to the point of anyconnect visible and starting to do something at the logon screen . There was no network connection button available at logon screen before we got SBL module. It dont work not just on 1 machine but any machine we try . Its all WIN10 though. Additionally , i have verified in the any connect profile ( .xml ) profile, following option is there :

-<ClientInitialization>

<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection> "

still , same happens : what can be wrong . May be something with .dll file that does not allow anyconnect as PLAP service provider in WIN10 .

varun

varunkhanna58026 · ‎03-28-2020

I have found the root of problem. Turns out while installing SBL from ASA itself , the functionality don't work. This may be a problem with windows rights to let install some app , we need to figure that part out.

However, if i install manually from the MSI file package , SBL work perfect.

So if we dont figure out why install from ASA functions with the fault , we may just go ahead let the file install via SCCM. Name of file : anyconnect-win-4.6.02074-gina-predeploy-k9.msi

Thanks,

Varun

Francesco Molino · ‎03-29-2020

This is what I was going to reply to check user rights. Have you checked you see the module correctly installed in Add/Remove Programs?
Can you try to do the auto download/install with a user having admin rights just for testing?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question