Cisco Anyconnect Start before logon. Cisco 1941

Hi,

I'm trying to set up Start before logon on a Cisco 1941. The closest instructions I can find for this are:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml

Unfortunately this is for an ASA, so the below does not apply on the Cisco 1941 as the CLI is different:

  • On the security appliance, add the profile as an available profile to the WebVPN global section, as long as everything else is set up correctly for AnyConnect connections:

    hostname(config-group-policy)# webvpn
    hostname(config-group-webvpn)# svc profiles ReallyNewProfile disk0:/AnyConnectProfile.xml

  • Edit the group policy that you use, and add the svc modules and svc profile commands:

    hostname(config)# group-policy GroupPolicy internal
    hostname(config)# group-policy GroupPolicy attributes
    hostname(config-group-policy)# webvpn
    hostname(config-group-webvpn)# svc modules value vpngina
    hostname(config-group-webvpn)# svc profiles value ReallyNewProfile

Can anyone advise on what I would need to do via the CLI to get Start before logon working? Below is my VPN configuration so far for the Cisco AnyConnect:

    webvpn gateway gateway_1
    ip address xx.xx.xx.xx port 443
    http-redirect port 80
    ssl trustpoint TP-self-signed-2717103300
    inservice
    !
    webvpn install svc flash0:/webvpn/sslclient-win-1.1.4.176.pkg sequence 1
    !
    webvpn install svc flash0:/webvpn/anyconnect-win-3.0.10055-k9.pkg sequence 2
    !
    webvpn context testingconfig
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    !
    !
    policy group policy_1
       functions svc-enabled
       svc address-pool "new" netmask 255.255.255.248
       svc split dns "10.0.0.253"
       svc split include 10.10.10.0 255.255.255.248
       svc split include 10.0.0.0 255.255.255.0
       svc wins-server primary 10.0.0.253
    default-group-policy policy_1
    aaa authentication list ssl_vpn_xauth_ml_1
    gateway gateway_1
    max-users 6
    inservice

    Thanks for any help.

    Andrew

    7 Replies

    Jennifer Halim
    Cisco Employee

    Thanks Jennifer

    That's perfect

    Andrew

    Hi,

    Can this feature be enabled for an IPSec Anyconnect client (FlexVPN)? It is quite clear it will work for SSL but I can find no equivalent documentation for IPSec.

    There's a good TAC document here: link.

    The example has the xml file as not using SBL, i.e.:

    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>

    But if you just modify that as referenced in the earlier link above, it should work.

    i.e. you should use:

    <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    </ClientInitialization>
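As an added example (not code from this thread, from Cisco, or from the AnyConnect package), a small Python helper that reads an AnyConnect client profile, reports whether UseStartBeforeLogon is on and whether the user can change it, and rewrites the profile into the corrected form shown above. The sample profile, its root namespace and the default for a missing UserControllable attribute are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from this thread or from Cisco). The helpers
# match on local element names, so profiles with or without a namespace work.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
  </ClientInitialization>
</AnyConnectProfile>
"""

def _local(tag):
    """'{namespace}Name' -> 'Name'; plain tags pass through unchanged."""
    return tag.rsplit("}", 1)[-1]

def _find(node, name):
    """First element under node (node included) whose local name matches."""
    return next((el for el in node.iter() if _local(el.tag) == name), None)

def sbl_status(profile_xml):
    """Return (sbl_enabled, user_controllable) for a profile string.
    A missing element counts as SBL off; a missing UserControllable attribute
    is read as 'true' (an assumption here, not taken from Cisco's documentation).
    """
    el = _find(ET.fromstring(profile_xml), "UseStartBeforeLogon")
    if el is None:
        return (False, True)
    enabled = (el.text or "").strip().lower() == "true"
    controllable = el.get("UserControllable", "true").strip().lower() == "true"
    return (enabled, controllable)

def enable_sbl(profile_xml, user_controllable=False):
    """Return the profile with UseStartBeforeLogon forced to true inside
    <ClientInitialization>, creating either element if absent and keeping the
    root's default namespace on output.
    """
    root = ET.fromstring(profile_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns[1:-1])  # emit xmlns= rather than ns0: prefixes
    init = _find(root, "ClientInitialization")
    if init is None:
        init = ET.SubElement(root, ns + "ClientInitialization")
    el = _find(init, "UseStartBeforeLogon")
    if el is None:
        el = ET.SubElement(init, ns + "UseStartBeforeLogon")
    el.text = "true"
    el.set("UserControllable", "true" if user_controllable else "false")
    return ET.tostring(root, encoding="unicode")
```

Running sbl_status over the profiles you push to clients is a quick way to confirm that SBL is actually on and locked (UserControllable="false") before expecting the GINA/PLAP prompt at the next logon.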

    Thanks a lot Marvin. I did look at that document... several times. In addition to some other links that mention the need to enable the VPNGINA (earlier than Windows Vista) or PLAP (Windows Vista and later). But I don't see a syntax to enable this feature for the IPSec AnyConnect clients, although it is well documented for SSL AnyConnect. So apart from changing the XML file config, how does one obtain and integrate the .dll to enable User Start Before Logon?

    The dll files are included with the AnyConnect package (pkg file) that one generally downloads from the ASA. They are also in the ISO distribution if you are doing a manual or 3rd party deployment.

    Once you have activated a profile (via download from the ASA or pre-deployment), the VPNGINA or PLAP component of Windows will prompt the user for VPN authentication during subsequent logins as described in the AnyConnect Admin Guide.

    The transport (SSL vs. IPSEC) is independent of that setting and controlled by the transport protocol section of the profile.

    Ah, so that's where it is. I'll look into that. I would not have figured this out, the docs don't seem to give attention to this. Thanks again Marvin.