How to allow SSLVPN client to control SBL?

oldcreek12
Level 1

Hi, I enabled SBL on ASA 8.4; the AnyConnect client runs on Win-XP. Everything worked as expected, but some users do not want to see the SBL logon screen before Windows logon, because oftentimes they will need to log in before they can get a network connection. So I modified the following line in profile.xml from

<UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>

to

<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>

The new profile is downloaded to the client machine's AnyConnect VPN profile folder fine, yet users still see the VPN logon screen before Windows logon. "Connect on startup" is unchecked in the AnyConnect VPN client, the client machines have been rebooted multiple times, and the AnyConnect VPN client was removed and re-downloaded from scratch, with no change ... What else do I have to do? I certainly can create a new group-policy/tunnel-group for those users without SBL, but that is far from an elegant solution.

7 Replies

andamani
Cisco Employee

Hi,

Could you please ensure that you have configured the SBL as in the document below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml

Please use the profile editor to edit the user profile.

Hope this helps.

Regards,

Anisha

P.S: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Thanks a lot for your time trying to answer my question. I am running 8.4 with AnyConnect 2.5 and ASDM 6.4, so what you suggested really does not apply here; the 8.4 CLI changed slightly from previous releases in terms of SBL configuration. Also, the XML file is just a regular text file, so using the profile editor is not absolutely necessary when your profile is just bare bones, let alone that ASDM 6.4/AnyConnect 2.5 comes with a nice GUI profile editor. So all in all, I would focus somewhere else for the solution.

Hi,

I am aware of ASA 8.4 and its functionalities. I shared the link so that we can check the configuration.

Also, I recommended the use of the profile editor in order to avoid making mistakes in the profile configuration.

Please let me know the exact symptoms that you see.

Also, please confirm once again that you have enabled the GINA module on the group-policy associated with the AnyConnect connection profile.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi, once again thank you for your time. As I stated, SBL worked PERFECTLY ... all I need to achieve is that for some users who do not wish to use SBL, they can have the option not to start SBL -- without configuring a new tunnel-group for them --- that is why I changed "User Controllable" to "true" in profile.xml (the change was actually done by checking the "user controllable" box in the profile editor, so the XML syntax is guaranteed to be correct). This change was pushed to the client correctly, yet SBL is still active even when the user chose not to start it. I don't know what else I can add about this problem.

I had a similar problem with Auto Connect on Start. I have found that different User Controllable settings for different tunnel groups on the same headend cause problems.

1. Make sure ALL of your profiles on the ASA have the same User Controllable settings, or have only one installed for testing.

2. Delete all XML files on the host in the profile folder (both locations), including preferences.xml. Reconnect and verify that what's on the ASA is pushed to the client.

Hope this helps.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/ac01intro.html#wp1064854

Thanks, the document says that after a profile change the "system" must be restarted; I am not sure whether this "system" refers to the ASA or the client. I will reboot the ASA in the next maintenance window to see whether it makes a difference or not.

reboot???  To make the changes I suggested does not require a reboot on the ASA.  I provided the URI only to easily show the file paths to the hidden files you need to delete since I do not know which Win OS you are using.  A reboot is required on the host PC each time SBL is enabled/disabled in preferences, as the login prompt aka GINA (XP) or PLAP (Vista/Win 7) has to be enable/disable in the OS.  If you follow my recommendations, I think you will be good to go.  I also recommend using the profile editor in ADSM 6.4.  I too preferred plain text editing but the profile editor is a lot better now.  If you do use the profile editor create your new.xml from scratch do not use your old.xml as the source.  I recommend always using the same filename.xml which is counter to Cisco's recommendation but avoids your current issue of multiple xml files for the same ASA on the host PC.  The ADSM 6.4 profile editor appears to have fixed the caching issue in flash on the ASA when updating an existing profile.  good luck.