Automate Anyconnect

josephreid
Beginner

I need to automate an Anyconnect connection. If the user is not connecting to an office (trusted) LAN, the following is needed:

1. The device (laptop) should start an Anyconnect session

2. The user should not need to interact with this process.

3. The authentication method should be a 'machine certificate'

4. The user cannot disconnect Anyconnect from the session.

I can manually start the session, but need to initiate the session and confirm the certificate. I can also have the session start automatically, but it still needs user interaction to complete. 

I have looked at the profile settings, but cannot seem to find what the settings should be for automation of this process. Does it need to be scripted?

Thanks in advance

6 REPLIES

mickyq
Beginner

Have you configured Start Before Login:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107598-sbl.html

I don't know about the machine cert. I use AD for authentication.

Hi Michael,

I have. I've finally got it to 'not ask' for certificate confirmation.

Rahul Govindan
Advocate

You should use the Trusted Network Detection feature and Always-On, along with certificate authentication, to achieve what you are looking for. Trusted Network Detection automates the connection when you are in an untrusted network (based on domain name and DNS) and does not allow the user to disconnect unless in a trusted network. Look for the "Automatic VPN Policy" under Preferences (Part 2) in the client profile.

More info here:

https://supportforums.cisco.com/document/59201/anyconnect-trusted-network-detection-tnd-and-always-troubleshooting-faqs

I have configured all of this, before asking the question. The user can still disconnect the AnyConnect service.

I've configured that, but I still have to use a manual start on PC services. An auto start gives the 'certificate validation failure' error message. The same certificate is used. It identifies as the ASA rejecting the certificate, but it accepts it for a manual service start.

I see your 2 responses as notifications, but they do not show up on the thread.

To disable the ability to disconnect, uncheck the allow VPN Disconnect setting on the profile.

For the cert issue, TND and Always-On do a strict cert check, so if you have any certificate errors during manual connection (without Always-On), this won't work.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/configure-vpn.html#ID-1428-000001d7
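The profile settings discussed in this thread (Start Before Logon, machine certificate store, Trusted Network Detection, Always-On with VPN disconnect disabled), collected into one AnyConnect client profile as a constructed example; this is not a profile from the thread or from Cisco's documentation. The hostname, trusted DNS domain and DNS server are placeholders, and the `CertificateStore`/`CertificateStoreOverride` pair is there because a session started before user logon has no user store to read a certificate from.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Bring the tunnel up before Windows logon, so no user interaction is needed -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <!-- Select the client certificate from the machine store (user store is
         not available pre-logon); Override lets a non-admin session use it -->
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <CertificateStore>Machine</CertificateStore>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>
    <!-- Trusted Network Detection: values below are constructed placeholders -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.internal</TrustedDNSDomains>
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>
      <!-- On the office LAN: tear the tunnel down; elsewhere: connect -->
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <!-- Removes the Disconnect control from the client UI -->
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
        <!-- Closed: block network access if the headend is unreachable,
             but allow a short window to clear a hotel/airport captive portal -->
        <ConnectFailurePolicy>Closed
          <AllowCaptivePortalRemediation>true</AllowCaptivePortalRemediation>
          <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>
        </ConnectFailurePolicy>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <!-- Placeholder headend; Always-On requires a server list entry -->
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Build or validate the profile with the AnyConnect Profile Editor, which enforces the schema and element order, rather than hand-editing it on the ASA. `AllowVPNDisconnect` only governs the client UI; a user with local administrator rights can still stop the AnyConnect service, so the "cannot disconnect" requirement also depends on users not being local admins.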
