Solved: Re: FTD and AnyConnect PreConnect message

sjones52 · ‎10-15-2018

Wondering where to put the pre-login messages with AnyConnect and FTD. Using FMC to manage - I can create a profile with the standalone editor and attach to the group policy, but that doesn't give me the ability that the ASDM did with Anyconnect customization / localization. Either the pre-connect message or the "copyright text" I think it was called. Just someplace I can put the silly 'Unauthorized attempted access is prohibited' before they auth.

Marvin Rhoads · ‎10-15-2018

The message Rahul referred to is the banner - it pops up post-authentication during the process of logging in.

If you want to change the text in AnyConnect's initial logon window, you cannot currently do that with FTD.

AnyConnect Customization and Localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

View solution in original post

Rahul Govindan · ‎10-15-2018

Should be under the Group-Policy edit section. Picture below:

Marvin Rhoads · ‎10-15-2018

The message Rahul referred to is the banner - it pops up post-authentication during the process of logging in.

If you want to change the text in AnyConnect's initial logon window, you cannot currently do that with FTD.

AnyConnect Customization and Localization support. The FTD device does not configure or deploy the files necessary to configure AnyConnect for these capabilities.

Reference:

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/firepower_threat_defense_remote_access_vpns.html#reference_xby_dml_wy

sjones52 · ‎10-16-2018

I have the post-auth banner configured, but yes, I was hoping for a pre-auth warning or modify the login box.

Thanks for pointing that line out Marvin. I must have missed it when I skimmed that doc before looking for the limitations. Anyone know if this is on the roadmap? We have some odd requirements from outside agencies, one of which is to have that warning verbiage before logon.

Marvin Rhoads · ‎10-16-2018

Cisco seldom announces roadmap specifics publicly. I know some enhancements are expected in 6.3 but can't say whether or not that will be among them.

I for one have given them repeated feedback the that lack of feature parity between SSL VPN on FTD vs. ASA is a barrier to adoption and source of frustration for many customers.

rajivkumar01092021 · ‎10-23-2023

Earlier we had ASA 5525 and I configured pre-connect message there (which was same as banner which Rahul mentioned). Now we have migrated this configuration on FTD 3130 but our users still see same pre-connect message. So, seems somehow it has been migrated from ASA to FTD and FTD has it somewhere in its configuration. But not sure where is this.

Marvin Rhoads · ‎10-23-2023

@rajivkumar01092021 can you explain more specifically what pre-connect banner you see? There is a banner that you see during login but it comes after the user credentials are entered and accepted.

rajivkumar01092021 · ‎11-06-2023

Hi Marvin, sorry for late reply, We actually see two banners. 2nd is that one which you mentioned "There is a banner that you see during login but it comes after the user credentials are entered and accepted."

But there is another one which pops up when user select URL from drop down and click on connect, then this banner is show. (It was configured on ASA by me before migration to FTD and it is same content as of second banner shown).

It is shown only on first connection after a windows laptop reboot or if AnyConnect is completely exited and restarted then when user connects, then it will be shown. On subsequent connection it is not shown.

Marvin Rhoads · ‎11-06-2023

Ah yes - I have seen that first pre-connect message myself. It started showing up with Secure Client 5 if I recall correctly.

I believe it is the message the Admin guide refers to here: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/Cisco-Secure-Client-5/admin/guide/b-cisco-secure-client-admin-guide-5-0/anyconnect-profile-editor.html?bookSearch=true#ID-1430-0000006c

I believe it shows up mistakenly on clients even though that box isn't selected, but I have not done an in-depth look to prove that.

rajivkumar01092021 · ‎11-08-2023

Hi Marvin, It was coming in AnyConnect 4.10 (with FTD headend). Now I upgraded to Cisco Secure client 5.0.04050 and it is still present.

Marvin Rhoads · ‎02-08-2024

@rajivkumar01092021 this has been bugging me and I got a chance to inquire directly to Aaron Woland at Cisco Live EMEA this week.

He explained that the startup of Secure Client / AnyConnect looks across ALL your profiles (not just the one you might be actively using) and if any of them have the pre-connect option selected for an SBL VPN profile that it will appear on your client. I researched mine and sure enough found one that I seldom use had the option selected.