cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3097
Views
5
Helpful
15
Replies

Looking for batch file script for Anyconnect users for them to be automatically connect to AnyConnect or at least force to login Anyconnect

Hi Cisco VPN/Anyconnect Community,

 

I hope you could help me on what I am trying to achieve. My goal is to force users to login/use Anyconnect so that their laptops will be patched/updated by our GPO. Below are the things we have tried but seems not workable on our current setup.

 

1. SBL - my colleagues mentioned to me that they tried this but cannot work because we have MFA

2. Always-On VPN - I tried this but it appears it is deleting/removing our SAML cert (this cause connection issue from Anyconnect users to the vpn server (e.g vpn.domain.com)

 

Now, what I am thinking is a batch file script that can be used so that I can apply it on our Anyconnect Client Profile and then once a user logs in to the vpn server (vpn.domain.com) this batch file will be deployed on the user machine and will take care of the future automatic login of the users to the Anyconnect.

 

Is there such thing like this? Or is there anything that you could suggest that could fit my goal?

 

Thank you,

John

1 Accepted Solution

Accepted Solutions

Ok so TND is working correclty.

 

You need the password to identify the user and it wouldn't be Multi Factor Authentication if you skipped the password.

 

Youc could setup a new connection profile that doesn't require a password, you'd still need to enter a username otherwise how would you know the MFA passcode is correct?

View solution in original post

15 Replies 15

Hi @JohnClover-Of-Cisco 

If you just want to patch/update the computers you could deploy the management VPN tunnel. This will establish a VPN tunnel without the user explicitly authenticating. This relies on a computer certificate (no MFA) to authenticate and would be transparent to the user.

 

More information on management tunnel:

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

Hi Rob,

 

Thank you so much for your response to my question! I will check the link you provided and will revert to you for other questions I may encounter.

 

Hi Rob,

 

I've gone through the link guide and looks like this is a good approach to achieve our goal, however, yes, it is only relying on certificate only (no MFA). I just doubt this will pass our security setup since we are using SAML for authentication.

 

Is there's any other you can suggest or advice?

 

Thank you!

Hi @JohnClover-Of-Cisco 

Ok, then you could use trusted network detection (TND). This will have anyconnect establish a VPN tunnel automatically (it will open the login prompt for the users to login using MFA) when it detects the user is outside of the corporate network. When the user is connected to the local corporate network, the VPN will disconnect.

 

Reference

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect41/administration/guide/b_AnyConnect_Administrator_Guide_4-1/configure-vpn.html

Hi Rob, thank you thank you so much for your responses!

I've gone through the guide for the Use TND and I am honestly confused as to what to put in the following sections highlighted in my attachment. On the "Trusted DNS Servers" I think I will just need to put the two DNS servers that I am seeing on my ipconfig/all result. But the other two, I don't know what should I put and what are they doing. 

 

Sorry, I am really still a newb and hope you won't get tired to give an advice.

 

Thank you!

You don't need to fill in all those sections. You should at least define your internal corporate DNS name space and internal DNS servers, this is how AnyConnect determines when it is connected to a trusted network.

 

So in your scenario if you connect to your home network, it won't receive your corporate DNS servers/DNS name space, so anyconnect will determine it's on an untrusted network and attempt to establish a VPN.

Thank you, Rob! I will try this out. I remember I configured this Automatic VPN also together with the Always-On but I was not able to make it working. 

This time I will just try the TND only and let you know.

 

Once I have configured this and I applied it to the Profile, then I connected to that Profile, this TND should automatically apply on my client profile in my laptop, correct? Then if I restarted my laptop and login again to my laptop from my home wifi, I should be expecting that the Anyconnect will prompt me to login with MFA right? (Automatic means the Anyconnect login Page will just appear on my screen suddenly after login on my laptop).

Hi @Rob Ingram ,

 

I was able to configure the Automatic VPN and the TNDs. I restarted my laptop the the AnyConnect automatically prompted me, however, it still requires me to login my username and password, then the MFA.

 

Is there a way that it bypass the username and password and just go directly to MFA?

 

Thank you!

Ok so TND is working correclty.

 

You need the password to identify the user and it wouldn't be Multi Factor Authentication if you skipped the password.

 

Youc could setup a new connection profile that doesn't require a password, you'd still need to enter a username otherwise how would you know the MFA passcode is correct?

Rob! Thank you for your explanation! That really make sense to me now!

Thank you so much!!!

Hi @Rob Ingram ,


I just learned from my Teammate that this is not 100% working. My teammate went to our office and connected his laptop to the domain network. He still got prompted to login to the Anyconnect app automatically where it should not be as I understand because he is already inside the domain network/trusted network.

Is there anything that I am missing? Thank you and I hope you could still give some advice.

@JohnClover-Of-Cisco 

What DNS/domain name did he receive on that network? Is it correct as per the configuration you've applied in the policy?

Does it work correctly on other networks?

Hi @Rob Ingram ,

 

Thank you for your response.

 

My teammate got the domain name that I have also put in the Anyconnect. He connected via our Wireless LAN, and I am sure that he cannot be wrong as he is my Senior and also been long managing the company's Network. He just informed my last night that it looks like it is not working as expected when inside the domain network.

 

Please see attached on how I configured it. Not sure if the comma and spacing has anything to do.

 

Thank you!

CarloSalvador
Level 1
Level 1

Hi @Rob Ingram, how can I prevent the AnyConnect VPN to prompt the user to login when they are inside the office Network?

Thank you!