How to enable AnyConnect Start Before Logon
This is useful if your workstation is not in the secure zone but you
still want to join it to the domain.
Start Before Logon (SBL) lets the AnyConnect client bring up the VPN tunnel before the Windows logon process runs.
This way the workstation can reach the secure network for domain authentication and similar tasks.
1. SBL only works with a trusted host, so if your VPN host does
not have a certificate issued by a trusted CA, create a self-signed
certificate and import it on the client machine.
- First, create a self-signed certificate for the interface that AnyConnect
connects to and assign it to that interface. The modulus below is the one
from the original walkthrough; a 2048-bit (or larger) RSA key is the current
minimum recommendation.
crypto key generate rsa label sslvpnkeypair modulus 1024
crypto ca trustpoint self
 enrollment self
 fqdn myasa.cisco.com
 subject-name CN=myasa.cisco.com
 keypair sslvpnkeypair
crypto ca enroll self noconfirm
ssl trust-point self outside
(reference: https://supportforums.cisco.com/docs/DOC-11433)
- Download the certificate to the local machine (either directly from
the ASA, or by using your web browser to export it after trusting it),
then add it to the computer's trusted root certificate store. Use the
Local Computer store rather than the current user's store, because SBL
runs before any user has logged on.
(reference: http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx)
2. If you do not want this option enabled for all SSL VPN users, create
a separate AnyConnect VPN profile.
Under Remote Access VPN -> Network Client Access -> AnyConnect Client Profile
On the profile make sure this is ticked:
o Use Start Before Logon
On the server list, enter the FQDN of the VPN server in both the
"Hostname" and "Host Address" fields; it must match the name on the
certificate from step 1, otherwise the client will not treat the host as trusted.
Either create a new group policy under Remote Access VPN -> Network
Client Access -> Group Policy
or assign the profile to an existing one.
Lastly, create an AnyConnect connection profile and give it an alias
so that users can choose the right one when connecting.
(reference http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml#dfgh)
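The profile requirements from step 2 can be checked before the profile is pushed to clients. The script below is an added example, not part of the original post or a Cisco tool: it parses an AnyConnect client profile XML (the sample profile is constructed here, reusing the myasa.cisco.com name from the step 1 CLI) and reports whether Use Start Before Logon is enabled and whether every server list entry carries an FQDN rather than a bare IP in both Hostname and Host Address.

```python
"""Validate an AnyConnect client profile for Start Before Logon (SBL).

Added example, not from the original post. The profile text below is
constructed for this example; the ASA FQDN is the one used in the post.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>myasa.cisco.com</HostName>
      <HostAddress>myasa.cisco.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _is_fqdn(value):
    """True for a DNS name; a bare IP gives the certificate nothing to match."""
    try:
        ipaddress.ip_address(value)
        return False
    except ValueError:
        return bool(FQDN_RE.match(value or ""))


def check_sbl_profile(xml_text):
    """Return a list of problems; an empty list means the profile is SBL-ready."""
    root = ET.fromstring(xml_text)
    problems = []
    sbl = root.find("ac:ClientInitialization/ac:UseStartBeforeLogon", NS)
    if sbl is None or (sbl.text or "").strip().lower() != "true":
        problems.append("UseStartBeforeLogon is not enabled")
    entries = root.findall("ac:ServerList/ac:HostEntry", NS)
    if not entries:
        problems.append("ServerList has no HostEntry")
    for entry in entries:
        for tag in ("HostName", "HostAddress"):
            node = entry.find("ac:" + tag, NS)
            value = (node.text or "").strip() if node is not None else ""
            if not _is_fqdn(value):
                problems.append(f"{tag} must be an FQDN, got {value!r}")
    return problems
```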
3. Join the computer to the domain. You might have to reinstall the
VPN client for SBL to take effect for domain accounts.