07-11-2017 04:43 AM - edited 02-21-2020 09:21 PM
Is there any way to get AnyConnect to run a program at the same time as it starts? I would like to use Start Before Logon with an RSA soft token, but so far have not been able to get it to work.
07-11-2017 05:00 AM
I should add that I was trying to get it to work by just entering the PIN. I am running Windows 10.
07-12-2017 05:34 AM
You can integrate the RSA with your ASA as a 2-factor authentication scheme. You could make one factor the user certificate if you have certificates. Or you could even make the RSA authentication the sole method. I have one customer who's doing that (though not with SBL) and it works fine.
07-12-2017 09:49 AM
I did a project for a customer a while back where they use SBL and authenticate internal users with RSA token. It works for them.
HTH
Rick
07-13-2017 01:27 AM
Could you possibly let me have the procedures you used, and does it work on Windows 10?
07-13-2017 12:40 PM
That project was a while back and probably predates Windows 10 so I have no experience to offer in answering the question about whether it works on Windows 10. But I would guess that it should work on Windows 10.
The configuration of SBL is fairly simple. In the configuration under webvpn you enable the SBL module:
anyconnect modules value vpngina
and in the XML profile you enable SBL and optionally make this function user controllable:
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
You may find additional details in this link, which may be helpful:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107598-sbl.html
In the implementation that I did for this customer they were using a RADIUS server to authenticate the AnyConnect sessions, and the RADIUS server communicated with RSA to process the token and do the authentication processing. This is what they used when they went to production. They were interested in changing and having the ASA communicate directly with RSA using the SDI protocol. I have done this for customers and it does work. I discussed what they would need to change to accomplish this. But that change was outside the scope of our project, so I was not involved in that change (and am not sure whether they actually made those changes). Whether it uses RADIUS for communication with the server or SDI for communication with the server, the ASA configuration of authentication for AnyConnect sessions is fairly straightforward and quite similar.
HTH
Rick
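As an added illustration of the two pieces Rick describes (the vpngina module and the SBL profile setting, and the RADIUS-versus-SDI choice for RSA token authentication), the following ASA configuration fragment is an example written for this thread, not configuration from Rick's project or from the Cisco document linked above. The object names (SBL-GP, SBL-TG, RSA-RADIUS, RSA-SDI, sbl-profile), the addresses, the package filename and the shared-secret placeholder are all assumed; the profile file referenced on disk0: would contain the UseStartBeforeLogon element shown earlier, set to true, inside the profile's ClientInitialization section.

```cisco
! Added example configuration (assumed names and addresses throughout).
! Authentication servers: the ASA only needs ONE of these two definitions.
! Option A: RADIUS server that proxies the token check to RSA.
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
! Option B: ASA talks to RSA Authentication Manager directly via SDI.
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.11
!
! Global AnyConnect settings: client image plus the profile that carries
! <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect profiles sbl-profile disk0:/sbl-profile.xml
 anyconnect enable
!
! Group policy: load the SBL (vpngina) module and push the profile to the user.
group-policy SBL-GP internal
group-policy SBL-GP attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect modules value vpngina
  anyconnect profiles value sbl-profile type user
!
! Tunnel group: pick the server group that matches the option chosen above.
! Swap RSA-RADIUS for RSA-SDI here if the ASA queries RSA directly.
tunnel-group SBL-TG type remote-access
tunnel-group SBL-TG general-attributes
 authentication-server-group RSA-RADIUS
 default-group-policy SBL-GP
```

Two practical checks follow from this layout: SBL only becomes available on the Windows machine after the client has completed at least one normal logged-in connection and received the profile and the vpngina module, so a first-time test must be done from a logged-in session; and because the authentication-server-group line is the only place that differs between RADIUS and SDI, switching from one to the other later is a small change, which matches Rick's point that the two setups are quite similar on the ASA side.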