SSO with AnyConnect and Start Before Logon

Hello,

Is it possible to configure my ASA 5512 and AnyConnect client for SSO with SBL, so that I only have to log in to AnyConnect and Windows gets the credentials from AnyConnect?

AnyConnect Version: 4.0.00061

ASA Firmware: 9.4(1)

7 Replies

patoberli
VIP Alumni

I tested that with 3.1.x and ASA 9.1(x) and Windows 7 around 1.5 years ago. At that time SSO was not possible or not working. In any case, the user had to login twice. You could change that with certificate based login in AnyConnect probably, but I've never done that.

If I use certificate-based login, it is not really SSO :)

For the user it is (I mean it's the user's view that counts, typically), so AnyConnect connects automatically and then the user only enters his credentials once, into the Windows login ;)

I know you have not configured it yet, but does certificate login work with Start Before Logon?

I sadly don't know that.

Based upon the manual (for 3.1) I couldn't see any restriction (besides the Wireless Connection one, which is VERY important if you want to use it with Windows 7):

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html#pgfId-1524170

This wireless issue was one of the main points why we killed the project, besides the double authentication (we didn't want to do anything with certificates). Also your Windows login can take ages if you are on a slow connection.


Thank you for your information. I hope someone from Cisco can answer my question if a normal SSO is possible :)

Single Sign On with AnyConnect VPN is not possible. 

Certificate login with SBL is possible. The certificate will need to be in the local machine store and the VPN profile needs to be properly configured. The user still needs to manually launch the VPN UI via the Windows PLAP. This is covered here, starting at Figure 3-3.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/ac03vpn.html#pgfId-152417

As for connecting to wireless networks pre-logon, this can be done if you install the Network Access Manager (NAM) module in conjunction with SBL. The AnyConnect UI will be launched along with the NAM tile, which can be used to connect to shared and open networks. The only caveat is that you cannot remediate a captive portal.
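The answer above says the VPN profile "needs to be properly configured" for certificate login with SBL without showing what that means. The fragment below is an added illustration, not Cisco's code and not something posted in this thread: it shows the AnyConnect client profile settings that steer the client to the machine certificate store and enable Start Before Logon. The element names (`UseStartBeforeLogon`, `CertificateStore`, `CertificateStoreOverride`, `AutomaticCertSelection`, `AutoConnectOnStart`) come from the AnyConnect profile schema as I know it; check them against the 3.1/4.x administrator guide linked above before deploying. The host name, address and profile name are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example profile (placeholder values). Deploy via the ASA so the
     client receives it on first connect; it is not a profile from this thread. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Show the AnyConnect tile on the Windows logon screen (PLAP).
         UserControllable="false" stops the user from switching it off. -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>

    <!-- Pre-logon there is no user profile loaded, so the client must
         look in the local machine store, not the user store. -->
    <CertificateStore>Machine</CertificateStore>

    <!-- Lets the client read the machine store even when the session
         has no administrator rights (the SBL session does not). -->
    <CertificateStoreOverride>true</CertificateStoreOverride>

    <!-- Pick the matching client-auth certificate without a prompt;
         a prompt at the logon screen would defeat the purpose. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>

    <!-- SBL requires the user to launch the VPN UI from the PLAP tile,
         as the answer above states; auto-connect does not change that. -->
    <AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <!-- Placeholder values: replace with your ASA's FQDN and group. -->
      <HostName>vpn.example.test</HostName>
      <HostAddress>vpn.example.test</HostAddress>
      <UserGroup>sbl-cert-group</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Because the certificate lives in the machine store and is usable before any user has authenticated, it identifies the computer, not the person; the Windows logon that follows is what still ties the session to a user. Issue the machine certificate with a non-exportable private key and a tunnel-group that only grants the access a pre-logon machine should have, and review ASA logs for certificate-only sessions that never progress to a domain logon.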