Anyconnect SBL (Start Before Logon)

Published by John Finnegan on

AnyConnect SBL is to allow users to connect to the VPN before signing into their Laptop/Desktop. This is useful for companies that want all of their Laptops to use Active Directory to sign into the laptop but need a secure way to reach the AD Server.

AnyConnect SBL Requirements

  • Must be using the AnyConnect client and the user must be using a Windows 7 or XP machine. This does not work with 8+ from what I have tested.

Instructions

  1. Create the default configuration for the AnyConnect VPN.
    Note: If you plan on using a Self Signed Certificate the FQDN must be the IP of the firewall or the customer must setup a DNS entry for the FQDN.
  2. Upload the SBL.xml page to the firewall.
    The key thing to change is the value between the <UseStartBeforeLogon> to true. If you are currently using a xml profile, you can also edit this line, or add, for this configuration to work.

    SBL XML file:
    SignOn.xml 
    <?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>false</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>
<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
<AuthenticationTimeout>12</AuthenticationTimeout>
<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
<LocalLanAccess UserControllable="true">false</LocalLanAccess>
<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
<IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
<AutoReconnect UserControllable="false">true
<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
</AutoReconnect>
<AutoUpdate UserControllable="false">true</AutoUpdate>
<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
<PPPExclusion UserControllable="false">Automatic
<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
</PPPExclusion>
<EnableScripting UserControllable="false">false</EnableScripting>
<EnableAutomaticServerSelection UserControllable="true">false
<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
</EnableAutomaticServerSelection>
<RetainVpnOnLogoff>false
</RetainVpnOnLogoff>
</ClientInitialization>
</AnyConnectProfile>
  3. Add the SBL.xml file to the webvpn settings.

    ASA 8.x Code
    webvpn
    svc profiles SBL disk0:/SBL.xml

    ASA 9.x Code
    webvpn
    anyconnect profiles SignOn disk0:/SBL.xml
  4. Add this profile along with the vpngina module to that group-policy that you applied to your AnyConnect VPN tunnel-group.
    ASA 8.x Code
    group-policy <groupname> attributes
    webvpn
    svc modules value vpngina
    svc profiles value SignOn
    ASA 9.x Code
    group-policy <groupname> attributes
    webvpn
    anyconnect modules value vpngina
    anyconnect profiles value SBL
  5. Connect to the VPN as a new session to make sure that your new profile gets pushed from the Firewall.
  6. If you used an Authorized Certificate – proceed to step 8, otherwise, follow step 9 for Self Signed Certificates

  7. Self Signed Certificate steps

    1. Go to https://<Firewall IP>
    2. Click on the Lock icon in the URL. Click more information then click view certificate.
    3. Go to the details tab and click export. Save it as a X.509 certificate with chain (PEM) (*.crt,*.pem).
    4. Run Microsoft Management Console, by entering “mmc” in the run or search box (requires administrator permissions).
    5. In the MMC utility go to file and click on add/remove snap-in.
    6. You will want to add the certificates snap, and set it to computer then local computer.
    7. Open trusted root certificates and right click on certificates and click import.
    8. Locate the file you saved earlier, then import that file.
    9. Save the configuration. The name doesn’t matter.
  8. Reboot the machine. Once rebooted you can click on switch users and see the following icon:

  9. Use this button to login to the VPN before logging into the OS.

 

Categories: ASAFirewalls
Tags:

0 Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

Route VPN
ASA

ASA Route Based VPN (Using BGP)

ASA Route Based VPN (BGP) In the previous ASA Route Based VPN article, we only covered the basics of using a VTI and getting a tunnel to pass traffic using static routes. A lot of clients will Read more…

Route VPN
ASA

ISAKMP (IKE Phase 1) Status Messages MM_WAIT_MSG

ISAKMP (IKE Phase 1) Status Messages MM_WAIT_MSG To establish Phase 1 of a IKE VPN, 6 messages need to be sent between the 2 peers before it can complete. Sometimes when you try to establish Read more…

ASA

VPN Troubleshoot (IKEv1 Site to Site)

VPN Troubleshoot (IKEv1 Site to Site) When troubleshooting VPNs, the easiest way to figure out what is wrong with the VPN is to have the other side send traffic. This will allow you to narrow Read more…

Close Bitnami banner
Bitnami
Close Bitnami banner
Bitnami