Trusted Network Detection

Russell Meyer
Level 1

I have been working on Trusted Network Detection and Always On... works pretty well... but I was playing with VPNCLI on boot to help 100% remote folks get authenticated properly for GPOs, passwords etc. (I know, use SBL/PLAP), trying for a seamless integration similar to DirectAccess... If VPNCLI kicks off and connects (via machine certs), it gets the trusted DNS servers and is now flagged as on a trusted network... The problem is, when the session transfers to the user (the tunnel dies after login, as expected), it thinks it's on the trusted network when it's actually on an untrusted one...

Is there a time period after which TND re-detects trusted networks? The only thing I have seen that resets it is a restart of the Cisco AnyConnect service... Thoughts? Or am I trying to make myself go crazy?

Accepted Solution

Shakti Kumar
Cisco Employee

Hi Russell Meyer,

What I understand is that you are using TND/Always On along with Start Before Logon. The problem with such an implementation is that the machine cannot determine whether it is in a trusted or untrusted network until a user logs on to his profile. The reason for that is that AnyConnect probes the trusted DNS servers to detect whether or not they are reachable, and that probe cannot be sent until the user has actually logged on to his machine.

So Always On along with SBL should not work as expected.

Hope that helps

Thanks

Shakti



7 Replies




Does Cisco plan an offering similar to GlobalProtect by Palo Alto or DirectAccess by MS? A true always-on?

That is what I am trying to achieve with the vpncli command at boot with Always On.

Shakti Kumar
Cisco Employee

Hi Russell Meyer,

I checked and found that SBL should work with Always On. So if I understand correctly, you are achieving this by checking SBL and Always On under the XML profile, right?

Thanks

Shakti

The SBL is enabled; however, I am having the system itself log in via vpncli prior to user login with machine certs... This will allow the box to automatically phone home and validate the user... Granted, upon login the tunnel is torn down...

Hi Russell Meyer,

Does that mean that Always On is not triggering, or is it triggering but the VPN client somehow fails to connect?

Thanks

Shakti

It doesn't initiate... but if I restart the Cisco service and relaunch, it works... My theory is that because the connection starts and connects before the user is logged in, it grabs the proper DNS servers; then when the user logs in, they are still in its memory somehow and the flag is set to trusted network.
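A quick diagnostic for the behaviour discussed in this thread (added example, not part of the original posts or of Cisco's software): it repeats the trusted-DNS check in the user session, using placeholder server addresses and an assumed internal probe name, so you can see whether the network would qualify as trusted right now and compare that with the state the client shows.

```powershell
# Added diagnostic, written for this thread; it is not Cisco/AnyConnect code.
# It emulates the trusted-network test described above: is one of the
# profile's trusted DNS servers configured on an active interface, and does
# it actually answer an internal query right now? Run it in the user
# session after logon and compare with the state the client shows.
# All server addresses and names below are assumptions (placeholders).

$TrustedDnsServers = @('10.0.0.10', '10.0.0.11')   # assumed: TrustedDNSServers from the XML profile
$ProbeName         = 'probe.corp.example'          # assumed: a name only the internal resolvers answer

function Get-ConfiguredDnsServers {
    # Every IPv4 DNS server currently configured on any interface.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

function Test-TrustedDnsProbe {
    param([string]$Server)
    # A trusted resolver must answer the internal name directly (no cache).
    try {
        $null = Resolve-DnsName -Name $ProbeName -Server $Server -DnsOnly -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-TndVerdict {
    $configured = @(Get-ConfiguredDnsServers)
    $matched    = @($TrustedDnsServers | Where-Object { $configured -contains $_ })
    $reachable  = @($matched | Where-Object { Test-TrustedDnsProbe -Server $_ })

    # Trusted only if a trusted server is both configured and answering.
    # Anything else is untrusted, so a stale "trusted" flag left over from a
    # pre-logon tunnel (the symptom in this thread) shows up as a mismatch.
    $verdict = if ($reachable.Count -gt 0) { 'Trusted' } else { 'Untrusted' }

    [pscustomobject]@{
        ConfiguredDnsServers = $configured -join ', '
        MatchedTrusted       = $matched    -join ', '
        ReachableTrusted     = $reachable  -join ', '
        Verdict              = $verdict
    }
}

Get-TndVerdict | Format-List
```

If this reports Untrusted while the client still shows a trusted network, the client is holding state from the pre-logon tunnel rather than re-probing, which is the condition a restart of the AnyConnect service clears.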

Russell Meyer
Level 1

So I abandoned the vpncli startup task... Thanks for your help.