08-16-2021 02:01 PM
Hello,
I'm trying to find an updated document that explains the procedure/steps in order to configure Anyconnect Before Logon on Win 10. The document below seems outdated as it references some configuration parameters within the .xml file that no longer exist in Anyconnect Mobility version 4.10.x.
Can someone point me in the right direction?
Best, ~zK
08-19-2021 10:45 AM
@Rob Ingram.. @stsargen .. @Milos_Jovanovic ,... I was able to fix the issue. Everything is working as expected.
Here is what I had to do:
- Removed the commands I applied under the group-policy\webvpn
- Re-applied the same commands I applied under the group-policy\webvpn
    anyconnect mtu 1300
    anyconnect modules value vpngina
    anyconnect profiles value Main_Profile type user
- Removed the .xml file under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
- Disconnected current Anyconnect vpn session
- Added the .xml file under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
- Re-connected to Anyconnect vpn
- Rebooted
That resolved the issue.
I appreciate all of your assistance and time.
Best, ~zK
08-16-2021 02:07 PM
08-17-2021 11:20 AM
Thanks for the reply.
I tried to apply those configuration commands under webvpn but they are not available.
See below..
ASA version 9.16(1)
==== Command
group-policy GP-1 attributes
 webvpn
  anyconnect profiles value RASProfile type user <----- command not available
 exit
!
!
group-policy GP-1 attributes
 webvpn
  anyconnect modules value vpngina <----- command not available
 exit
!
!
08-17-2021 11:39 AM
Hi @zekebash,
Please follow the guide @Rob Ingram posted.
You need to define profile first, before you can use it:
webvpn
 anyconnect profiles RASProfile disk0:/RAS.xml
 exit
Also, it is assumed that you enabled AnyConnect and did basic configuration.
BR,
Milos
08-17-2021 12:25 PM
We have an active profile which we are currently using for testing.
The parameters listed in Rob's post are not available when I try to use them.
Rob's instruction suggested to use this command:
webvpn
 anyconnect modules
----
However, this modules parameter is not available on the version of ASA we are using. See below
WEBVPN3(config-webvpn)# anyconnect ?
webvpn mode commands/options:
  enable    Enable the AnyConnect Client
  image     Configure the AnyConnect client package file path
  profiles  Configure the AnyConnect client profiles package filepath
WEBVPN3(config-webvpn)# anyconnect
Best, ~zK
08-17-2021 01:02 PM
This is because the 'webvpn' command exists in global configuration mode (your output), and also under group-policy (the one that @Rob Ingram mentioned). You need to be in group-policy mode, and then use the 'webvpn' command, and you'll have the mentioned commands.
BR,
Milos
08-18-2021 08:47 AM
@Milos_Jovanovic thanks for the clarification. I was able to apply the suggested configuration changes in ASDM and CLI and made sure the changes were applied to the .xml profile on the laptop. I rebooted my laptop but the option to allow SBL is not showing. I get the same logon window as if the changes are not taking effect.
Any thoughts?
Best, ~zK
08-18-2021 09:12 AM
Do you have the SBL module installed on the client PC? Does it show in add remove programs? The only two things you need to have the PLAP option show up are an anyconnect profile with SBL enabled and the msi installed for Start Before Logon. For the connection to succeed you need the same VPN profile on ASA and the rest of the configuration mentioned before.
08-18-2021 09:44 AM
It doesn't appear that the SBL client got installed as it is not showing in add remove/programs. I only have Cisco Anyconnect Secure Mobility Client version 4.10.01075 installed. Here is the config I applied on the ASA:
group-policy gp_anyconnect_Main internal
group-policy gp_anyconnect_Main attributes
 wins-server none
 dns-server value 10.160.140.60 10.160.140.70
 vpn-filter value acl_Main_vpn_filter
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_Main_split_tunnel
 default-domain value mycompany.ad
 webvpn
  anyconnect mtu 1300
  anyconnect modules value vpngina
  anyconnect profiles value Main_Profile type user
====
What are the options to get the SBL module installed on the client device?
I followed this doc but it appears to be outdated: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107598-sbl.html
Thanks in advance.
Best, ~zK
08-18-2021 09:48 AM
Did you login to the VPN for the SBL agent to be automatically installed?
08-18-2021 09:54 AM
- I logged in to the VPN (ASA where I made the changes)
- Checked the xml to make sure the SML parameters got changed. See below
- And rebooted my laptop a couple of times
Any other ideas?
08-18-2021 10:01 AM
@zekebash so if you successfully authenticated to the VPN and the SBL agent was not installed, are you bypassing the downloader (configured in the AnyConnectLocalPolicy.xml file)? This would prevent client downloads from the ASA.
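The client-side conditions raised in the replies above (SBL enabled in the profile, the Start Before Logon module present in Add/Remove Programs, and the downloader not bypassed in AnyConnectLocalPolicy.xml) can be checked in one pass with PowerShell. This is an added example, not part of the original thread; the element names `UseStartBeforeLogon` and `BypassDownloader` come from the AnyConnect profile and local policy files rather than from the posts, and the display-name pattern used to find the module is an assumption to adjust for your client version.

```powershell
# Added example: read-only check of the SBL prerequisites on a Windows client.
$acRoot = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client'

function Get-XmlElementText {
    param([string]$Path, [string]$ElementName)
    # local-name() sidesteps the default namespace declared in the AnyConnect XML files.
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($Path)
        $node = $doc.SelectSingleNode("//*[local-name()='$ElementName']")
        if ($node) { $node.InnerText.Trim() } else { 'element not present' }
    } catch {
        "unreadable: $($_.Exception.Message)"
    }
}

# 1. Is SBL enabled in every profile the client has under Profile\ ?
$profileDir = Join-Path $acRoot 'Profile'
$profileReport = Get-ChildItem -Path $profileDir -Filter *.xml -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Profile             = $_.Name
            LastWritten         = $_.LastWriteTime
            UseStartBeforeLogon = Get-XmlElementText -Path $_.FullName -ElementName 'UseStartBeforeLogon'
        }
    }

# 2. Is the SBL module installed (the same data Add/Remove Programs shows)?
#    The display-name pattern is an assumption; adjust it if your build names it differently.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$sblModule = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*AnyConnect*Start Before Log*' } |
    Select-Object DisplayName, DisplayVersion

# 3. Is the downloader bypassed? If so, the ASA cannot push the module or profile.
$policyFile = Join-Path $acRoot 'AnyConnectLocalPolicy.xml'
$bypass = if (Test-Path $policyFile) {
    Get-XmlElementText -Path $policyFile -ElementName 'BypassDownloader'
} else { 'policy file not found' }

$profileReport | Format-Table -AutoSize
[pscustomobject]@{
    SblModuleInstalled = [bool]$sblModule
    SblModuleVersion   = ($sblModule.DisplayVersion -join ', ')
    BypassDownloader   = $bypass
} | Format-List
```

A profile whose `LastWritten` time predates the change on the ASA indicates the client is still using a stale copy, which is the situation the remove-and-reconnect steps in the accepted solution address.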
08-18-2021 10:11 AM
You should also specify it in the group policy to install the vpngina module.
group-policy <policy name>
 webvpn
  anyconnect modules value vpngina
  exit
 exit
08-18-2021 10:13 AM
@stsargen.. it is already defined. See below:
group-policy gp_anyconnect_Main internal
group-policy gp_anyconnect_Main attributes
 wins-server none
 dns-server value 10.160.140.60 10.160.140.70
 vpn-filter value acl_Main_vpn_filter
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_Main_split_tunnel
 default-domain value mycompany.ad
 webvpn
  anyconnect mtu 1300
  anyconnect modules value vpngina
  anyconnect profiles value Main_Profile type user
08-18-2021 10:21 AM
Do you have the same version of AnyConnect loaded on your ASA? You could post a DART here and we could take a look.