AnyConnect Secure Mobility Client and helpdesk support

tomvolpe1
Level 1

I'm in the process of establishing a new ASA VPN gateway (9.4(1)). All users are going to use the AnyConnect Secure Mobility Client 3.1.1 and two-factor authentication.

I have discovered that a VPN client can establish a VPN connection and can successfully gain access to the needed internal campus computer resources. Split tunneling is enabled, so general internet access is via the client's ISP. All is working as expected.

My issue is with our internal campus helpdesk support staff assisting the remote VPN users with local user problems on the PCs.

Helpdesk staff can target the VPN-connected device by the IP address supplied by the ASA IP pool and can remote onto the local user's PC with DameWare Mini Remote Control software. Because our remote users do not have local admin rights on the PC, the helpdesk staff have to run a 'switch user' and log into the PC with their credentials. Immediately after the helpdesk staff log in, the VPN tunnel is removed from the VPN gateway.

From what I understand from reading some documentation, this is the normal default behavior. What I want to know is: is there a way of turning off this feature?

Short of making everyone a local admin on their PC, is there an alternative method of allowing support staff to gain access to the PC as themselves?

Accepted Solution

bravotom99
Level 1

I don't know if this will work with switch user, but you can set the 'retainVPNonLogoff' setting to true and set it to any user. The helpdesk can then remote in, log off the user and then log in as themselves, and the VPN tunnel will remain up the entire time. It might work with Switch user too, but I haven't tested that.

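For reference, this is what the accepted answer looks like in the AnyConnect client profile XML that the ASA pushes to the client (edited with the VPN Profile Editor or ASDM, not written by hand on the PC). This is an added example, not a file from the thread or from Cisco: the element names and values follow the AnyConnect client profile schema, every unrelated element a real profile carries is left out, and the host name and address in the server list are placeholders. The profile's own spelling of the setting is RetainVpnOnLogoff, with the "any user" choice from the answer expressed as the UserEnforcement child element.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile fragment, not from the original thread.
     Only the elements relevant to the question are shown; a real profile
     also carries certificate, proxy, reconnect and other settings. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>

    <!-- Default, left unchanged here. SingleLocalLogon permits only one
         local user to be logged on for the life of the tunnel, which is
         why a 'switch user' (a second, concurrent local logon) is a
         different case from the log-off-then-log-on flow in the answer. -->
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>

    <!-- Default behaviour that the question describes: the tunnel is
         dropped as soon as the user who established it logs off.
         <RetainVpnOnLogoff>false</RetainVpnOnLogoff> -->

    <!-- The accepted answer. 'true' keeps the tunnel up across logoff;
         UserEnforcement=AnyUser lets a different account (helpdesk) use
         it afterwards. SameUserOnly would instead drop the tunnel when
         anyone other than the original user logs on. -->
    <RetainVpnOnLogoff>true
      <UserEnforcement>AnyUser</UserEnforcement>
    </RetainVpnOnLogoff>

  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- placeholder values, not from the thread -->
      <HostName>Campus VPN</HostName>
      <HostAddress>vpn.example.edu</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

One thing to keep in mind with this setting: the tunnel was authenticated with the remote user's two-factor credentials, and with RetainVpnOnLogoff set to true and AnyUser it now outlives that user's session and is usable by whoever logs on to the PC next. On a managed campus PC that is exactly the helpdesk case you want, but it does mean the authenticated session is no longer tied to the person who authenticated, so it is worth bounding it with the group policy's vpn-session-timeout and vpn-idle-timeout on the ASA rather than leaving those at their defaults.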

3 Replies

Marvin Rhoads
Hall of Fame

AnyConnect will always run in the local user's identity space.

Helpdesk could run any commands they need by using the "Run as" option and providing their admin credentials for that command / application only.

tomvolpe1
Level 1

I took your advice, bravotom99, and it worked as needed. Thank you very much.