04-29-2021 08:43 AM
Hello All
I have 2 questions that someone may have come across before and can hopefully guide me on.
1. We have a customer running a Cisco AnyConnect with SBL POC. They would like it so that the user does not have the ability to disconnect the VPN. How do I achieve this (trusted networks? Always-On?)?
Is Always-On even compatible with SBL? As it states:
If Always-On is enabled, but the user does not log on, AnyConnect does not establish the VPN connection. AnyConnect starts the VPN connection only post-login
But SBL starts the connection before the user logs on to Windows.
2. Is there any way around the following for SBL?
SBL requires a network connection to be present at the time it is invoked. In some cases, this might not be possible, because a wireless connection might depend on credentials of the user to connect to the wireless infrastructure. Since SBL mode precedes the credential phase of a logon, a connection would not be available in this scenario. In this case, the wireless connection needs to be configured to cache the credentials across logon, or another wireless authentication needs to be configured, for SBL to work.
Would it be possible for certain important users to have local machine login credentials for the device, so the user can connect to the public Wi-Fi and then start the VPN connection? Basically, circumvent SBL for certain user machines (CEO etc.)?
Thanks
Feisal
05-03-2021 07:22 AM
Hey @feisalb ,
When you configure Always-On and Trusted Network Detection, you are basically forcing the user to connect to the VPN, or else the laptop/AnyConnect denies any network activity.
SBL allows the user to connect to the VPN before login so mapped shares, GPO updates etc. work from the start, but this does not mean the user has to use SBL at all.
Only when logging in is the user forced to connect to the VPN.
I have deployed SBL with Always-On; it works just fine.
In the case of public Wi-Fi, in the AnyConnect profile you can configure captive portal detection, which disables Always-On for a set amount of seconds so the user can connect to the captive portal/public Wi-Fi. I believe by default the timer is 60 seconds.
BR
Rick
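As an added illustration of the settings Rick refers to (Always-On, Trusted Network Detection, SBL and the captive portal remediation window), here is a small Python audit script that reads an AnyConnect client profile XML and flags the settings that would still let a user drop or bypass the VPN. It is example code written for this thread, not a Cisco tool. The element names (UseStartBeforeLogon, AutomaticVPNPolicy, AlwaysOn, ConnectFailurePolicy, AllowCaptivePortalRemediation, CaptivePortalRemediationTimeout) are taken from the AnyConnect profile schema as I know it, and the remediation timeout is assumed to be expressed in minutes with a default of 5; verify both against the output of your own profile editor. The sample profile is constructed, not a customer file.

```python
"""Audit an AnyConnect client profile for settings that weaken Always-On / SBL enforcement.

Example code for this thread, not Cisco's. Element names follow the AnyConnect
profile schema as recalled; the remediation timeout unit (minutes, default 5)
is an assumption. Check both against your profile editor's output.
"""
import xml.etree.ElementTree as ET

# Constructed sample profile with several weak choices that the audit should flag.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <AlwaysOn>true
        <ConnectFailurePolicy>Open</ConnectFailurePolicy>
        <AllowCaptivePortalRemediation>true</AllowCaptivePortalRemediation>
        <CaptivePortalRemediationTimeout>30</CaptivePortalRemediationTimeout>
      </AlwaysOn>
    </AutomaticVPNPolicy>
  </ClientInitialization>
</AnyConnectProfile>
"""

# Hardened variant of the same constructed profile: SBL not user-controllable,
# fail-closed, and a short captive portal window.
HARDENED_PROFILE = (
    SAMPLE_PROFILE.replace('UserControllable="true"', 'UserControllable="false"')
    .replace("<ConnectFailurePolicy>Open<", "<ConnectFailurePolicy>Closed<")
    .replace(">30<", ">5<")
)

MAX_REMEDIATION_MINUTES = 5  # assumed profile default; policy choice for this audit


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _find(parent, name):
    """Return the first descendant (or parent itself) whose local name matches."""
    for elem in parent.iter():
        if _local(elem.tag) == name:
            return elem
    return None


def _text(elem):
    """Mixed-content elements such as <AlwaysOn>true<Child/>... keep 'true' in .text."""
    return (elem.text or "").strip() if elem is not None else ""


def _is_true(elem):
    return _text(elem).lower() == "true"


def audit_profile(xml_text):
    """Return a list of findings; an empty list means nothing weakened Always-On."""
    root = ET.fromstring(xml_text)
    findings = []

    sbl = _find(root, "UseStartBeforeLogon")
    if sbl is not None and _is_true(sbl) and sbl.get("UserControllable", "false").lower() == "true":
        findings.append("SBL is user-controllable: the user can disable it in the client UI")

    auto = _find(root, "AutomaticVPNPolicy")
    if auto is None or not _is_true(auto):
        findings.append("Trusted Network Detection (AutomaticVPNPolicy) is off: Always-On cannot be enforced")
        return findings

    if _text(_find(auto, "UntrustedNetworkPolicy")) != "Connect":
        findings.append("UntrustedNetworkPolicy is not Connect: no automatic VPN on untrusted networks")

    always = _find(auto, "AlwaysOn")
    if always is None or not _is_true(always):
        findings.append("Always-On is off: the user can disconnect the VPN at will")
        return findings

    if _text(_find(always, "ConnectFailurePolicy")) != "Closed":
        findings.append("ConnectFailurePolicy is not Closed: network stays usable when the VPN cannot connect")

    if _is_true(_find(always, "AllowCaptivePortalRemediation")):
        timeout = _find(always, "CaptivePortalRemediationTimeout")
        minutes = int(_text(timeout)) if timeout is not None else MAX_REMEDIATION_MINUTES
        if minutes > MAX_REMEDIATION_MINUTES:
            findings.append(f"Captive portal remediation window is {minutes} minutes: keep it short")

    return findings


if __name__ == "__main__":
    for label, profile in (("sample", SAMPLE_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{label}: {audit_profile(profile) or ['no findings']}")
```

Run it against an exported profile to see which of the three knobs (user-controllable SBL, fail-open policy, long remediation window) is what actually lets a user end up off-VPN; the hardened variant shows the combination that closes all three.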