Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
436
Views
0
Helpful
1
Replies

Customer wants the abilty for user not to disconnect Cisco AnyConnect running SBL.

feisalb
Level 1
Level 1

‎04-29-2021 08:43 AM

Hello All

I have 2 question that someone has come across before and hopefully can guide me.

We have a customer running a Cisco AnyConnect with SBL poc. They would like it so that the user do not have

the ability to disconnect the VPN. How do I achieve this, (trusted networks), (Always-on)?

Is Always-on even compatible with SBL? as it states:

Limitations of Always-On VPN

  • If Always-On is enabled, but the user does not log on, AnyConnect does not establish the VPN connection. AnyConnect starts the VPN connection only post-login

But SBL starts connection before user windows log on.

 

2. Is there any way around the following for SBL? 

Enable SBL in the AnyConnect Profile

Before you begin

  • SBL requires a network connection to be present at the time it is invoked. In some cases, this might not be possible, because a wireless connection might depend on credentials of the user to connect to the wireless infrastructure. Since SBL mode precedes the credential phase of a logon, a connection would not be available in this scenario. In this case, the wireless connection needs to be configured to cache the credentials across logon, or another wireless authentication needs to be configured, for SBL to work.

Will it be possible to have certain important users to have  local machine login credential for the device so the user can connect to the public wifi and then start the vpn connection. Basically circumvent the SBL for certain user machine (CEO etc)?

 

Thanks

 

Feisal

Labels:
0 Helpful
1 Reply 1

rschlayer
Level 4
Level 4

‎05-03-2021 07:22 AM

Hey @feisalb ,

when you configure always on and trusted network detection you are basically forcing the user to connect to vpn or else the laptop/anyconnect denies any network activity.

SBL allows the user to connect to the VPN before login so mapped shares, gpo updates etc. work from the start but this does not mean the user has to use SBL at all.

Only when logging in the user is forced to connect to the VPN.

I have deployed SBL with always on works just fine.

 

In case of public WIFIs, in the AnyConnect profile you can configure a captive portal detection which disables always on for a set amount of seconds so the user can connect to the captive portal/public wifi. I believe by default the timer is 60 seconds.

 

BR
Rick

0 Helpful
Customers Also Viewed These Support Documents