AnyConnect Start Before Logon 4.10.01075

zekebash
Level 1

Hello,

I'm trying to find an updated document that explains the procedure/steps in order to configure Anyconnect Before Logon on Win 10. The document below seems outdated, as it references some configuration parameters within the .xml file that no longer exist in Anyconnect Mobility version 4.10.x.

Can someone point me in the right direction?

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107598-sbl.html (AnyConnect Start Before Logon)

Best, ~zK

2 Accepted Solutions

@stsargen, it is already defined. See below:

group-policy gp_anyconnect_Main internal
group-policy gp_anyconnect_Main attributes
 wins-server none
 dns-server value 10.160.140.60 10.160.140.70
 vpn-filter value acl_Main_vpn_filter
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_Main_split_tunnel
 default-domain value mycompany.ad
 webvpn
  anyconnect mtu 1300
  anyconnect modules value vpngina
  anyconnect profiles value Main_Profile type user


@Rob Ingram, @stsargen, @Milos_Jovanovic, I was able to fix the issue. Everything is working as expected.

Here is what I had to do:

- Removed the commands I applied under the group-policy\webvpn
- Re-applied the same commands I applied under the group-policy\webvpn:
    anyconnect mtu 1300
    anyconnect modules value vpngina
    anyconnect profiles value Main_Profile type user
- Removed the .xml file under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
- Disconnected the current AnyConnect VPN session
- Added the .xml file under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
- Re-connected to the AnyConnect VPN
- Rebooted

That resolved the issue.

I appreciate all of your assistance and time.

Best, ~zK


17 Replies

@zekebash 

Try using this guide, as it's more recent than the old guide you referenced.

Thanks for the reply.

I tried to apply those configuration commands under webvpn but they are not available.

See below:

ASA version 9.16(1)

==== Command
group-policy GP-1 attributes
webvpn
anyconnect profiles value RASProfile type user   <----- command not available
exit
!
!
group-policy GP-1 attributes
webvpn
anyconnect modules value vpngina   <----- command not available
exit
!
!

Hi @zekebash,

Please follow the guide @Rob Ingram posted.

You need to define the profile first, before you can use it:

webvpn
 anyconnect profiles RASProfile disk0:/RAS.xml
exit

Also, it is assumed that you enabled AnyConnect and did basic configuration.

BR,

Milos

@Milos_Jovanovic 

We have an active profile which we are currently using for testing.

The parameters listed in Rob's post are not available when I try to use them.

Rob's instruction suggested using this command:

webvpn
 anyconnect modules

----

However, this modules parameter is not available on the version of ASA we are using. See below:

WEBVPN3(config-webvpn)# anyconnect ?

webvpn mode commands/options:
  enable    Enable the AnyConnect Client
  image     Configure the AnyConnect client package file path
  profiles  Configure the AnyConnect client profiles package filepath

WEBVPN3(config-webvpn)# anyconnect

Best, ~zK

This is because the command 'webvpn' exists in global configuration mode (your output), and also under group-policy (the one @Rob Ingram mentioned). You need to be in group-policy mode, and then use the 'webvpn' command, and you'll have the mentioned commands.

BR,

Milos

@Milos_Jovanovic thanks for the clarification. I was able to apply the suggested configuration changes in ASDM and CLI and made sure the changes were applied to the .xml profile on the laptop. I rebooted my laptop but the option to allow SBL is not showing. I get the same logon window as if the changes are not taking effect.

Any thoughts?

Best, ~zK

Do you have the SBL module installed on the client PC?  Does it show in Add/Remove Programs?  The only two things you need to have the PLAP option show up are an AnyConnect profile with SBL enabled and the MSI installed for Start Before Logon.  For the connection to succeed you need the same VPN profile on the ASA and the rest of the configuration mentioned before.
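The two requirements in this post (a user profile with SBL enabled, plus the vpngina module pushed from the group-policy) and the point from @Milos_Jovanovic's earlier reply (the profile must be defined under the global webvpn before a group-policy can reference it, and the group-policy webvpn is a different mode from the global one) can be checked mechanically before anyone reboots a laptop. The script below is an added example written for this thread; it is not Cisco tooling and not code from any of the posters. It parses a constructed running-config excerpt and a constructed profile fragment modelled on the ones quoted here. The group-policy name, profile name and module name are taken from the thread; the disk0:/ path and a namespace-free XML root are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed running-config excerpt modelled on the one quoted in the thread.
# gp_anyconnect_Main, Main_Profile and vpngina come from the posts; the
# disk0:/ path is an assumption.
ASA_CONFIG_OK = """\
webvpn
 anyconnect profiles Main_Profile disk0:/Main_Profile.xml
 anyconnect enable
group-policy gp_anyconnect_Main internal
group-policy gp_anyconnect_Main attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect mtu 1300
  anyconnect modules value vpngina
  anyconnect profiles value Main_Profile type user
"""

# Constructed client-profile fragment around the element quoted in the thread.
CLIENT_PROFILE_XML = """\
<AnyConnectProfile>
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
  </ClientInitialization>
</AnyConnectProfile>
"""

# Global-config keywords that end whatever sub-mode the parser is in.
TOP_LEVEL = ("tunnel-group", "access-list", "interface", "username", "route ", "object")


def parse_asa_config(text):
    """Walk the config tracking the current mode. 'webvpn' is both a global command
    and a group-policy sub-command, so the state machine keeps them apart without
    relying on indentation (pasting into a forum usually strips it)."""
    mode, gp = "global", None
    global_profiles, gp_modules, gp_profiles = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("group-policy "):
            parts = line.split()
            if parts[-1] == "attributes":      # enters group-policy sub-mode
                mode, gp = "gp", parts[1]
                gp_modules.setdefault(gp, set())
                gp_profiles.setdefault(gp, [])
            else:                              # e.g. "group-policy X internal"
                mode, gp = "global", None
        elif line.startswith(TOP_LEVEL):
            mode, gp = "global", None
        elif line == "webvpn":
            mode = "gp-webvpn" if mode in ("gp", "gp-webvpn") else "global-webvpn"
        elif line == "exit":                   # appears in pasted CLI sessions only
            mode = "gp" if mode == "gp-webvpn" else "global"
        elif mode == "global-webvpn":
            m = re.fullmatch(r"anyconnect profiles (\S+) (\S+)", line)
            if m:
                global_profiles[m.group(1)] = m.group(2)
        elif mode == "gp-webvpn":
            m = re.fullmatch(r"anyconnect modules value (\S+)", line)
            if m:
                gp_modules[gp].update(m.group(1).split(","))
            m = re.fullmatch(r"anyconnect profiles value (\S+) type (\S+)", line)
            if m:
                gp_profiles[gp].append((m.group(1), m.group(2)))
    return {"global_profiles": global_profiles, "gp_modules": gp_modules,
            "gp_profiles": gp_profiles}


def check_sbl_asa(parsed, gp_name):
    """Findings for the ASA side of SBL; an empty list means nothing is missing."""
    if gp_name not in parsed["gp_modules"]:
        return [f"group-policy {gp_name} has no 'attributes' section"]
    findings = []
    if "vpngina" not in parsed["gp_modules"][gp_name]:
        findings.append(f"{gp_name}: missing 'anyconnect modules value vpngina' under webvpn")
    user_profiles = [n for n, t in parsed["gp_profiles"][gp_name] if t == "user"]
    if not user_profiles:
        findings.append(f"{gp_name}: no 'anyconnect profiles value <name> type user' under webvpn")
    for name in user_profiles:
        if name not in parsed["global_profiles"]:
            findings.append(f"profile {name} is referenced but not defined under global webvpn "
                            f"('anyconnect profiles {name} disk0:/<file>.xml')")
    return findings


def profile_enables_sbl(xml_text):
    """True if the client profile turns Start Before Logon on (any XML namespace ignored)."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "UseStartBeforeLogon":
            return (el.text or "").strip().lower() == "true"
    return False


if __name__ == "__main__":
    print("ASA findings:", check_sbl_asa(parse_asa_config(ASA_CONFIG_OK), "gp_anyconnect_Main"))
    print("client profile enables SBL:", profile_enables_sbl(CLIENT_PROFILE_XML))
```

Run it as-is to see the constructed sample pass, or feed the output of `show running-config` to parse_asa_config and the profile from the client's Profile directory to profile_enables_sbl. A `modules value vpngina` line placed under the global webvpn (the mode the OP was in) is deliberately ignored, so the finding points at the group-policy. The script cannot tell whether the client actually downloaded the module; that still needs a logged-in session and a look at Add/Remove Programs as described above.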
It doesn't appear that the SBL client got installed as it is not showing in Add/Remove Programs. I only have Cisco AnyConnect Secure Mobility Client version 4.10.01075 installed. Here is the config I applied on the ASA:

group-policy gp_anyconnect_Main internal
group-policy gp_anyconnect_Main attributes
 wins-server none
 dns-server value 10.160.140.60 10.160.140.70
 vpn-filter value acl_Main_vpn_filter
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_Main_split_tunnel
 default-domain value mycompany.ad
 webvpn
  anyconnect mtu 1300
  anyconnect modules value vpngina
  anyconnect profiles value Main_Profile type user

====

What are the options to get the SBL module installed on the client device?

I followed this doc but it appears to be outdated: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107598-sbl.html

Thanks in advance.

Best, ~zK

@zekebash 

Did you login to the VPN for the SBL agent to be automatically installed?

- I logged in to the VPN (ASA where I made the changes)

- Checked the xml to make sure the SBL parameters got changed. See below:

- And rebooted my laptop couple of times

Any other ideas?

<ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>

@zekebash so if you successfully authenticated to the VPN and the SBL agent was not installed, are you bypassing the downloader (configured in the AnyConnectLocalPolicy.xml file)? This would prevent client downloads from the ASA.

You should also specify it in the group policy to install the vpngina module.  

group-policy <policy name> attributes
 webvpn
  anyconnect modules value vpngina
 exit
exit

@stsargen, it is already defined. See below:

group-policy gp_anyconnect_Main internal
group-policy gp_anyconnect_Main attributes
 wins-server none
 dns-server value 10.160.140.60 10.160.140.70
 vpn-filter value acl_Main_vpn_filter
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_Main_split_tunnel
 default-domain value mycompany.ad
 webvpn
  anyconnect mtu 1300
  anyconnect modules value vpngina
  anyconnect profiles value Main_Profile type user

Do you have the same version of AnyConnect loaded on your ASA?  You could post a DART here and we could take a look.