Cisco Anyconnect Connect Before Logon Windows 10



Start Before Logon (SBL) on Windows 10 not working in AnyConnect Mobile client. My office is using Cisco AnyConnect Mobility Client 3.x on Windows 10 and 8.1. When I select the SBL option and/or reconnect option in settings AnyConnect, the VPN does not kick in before logon to Windows. Nor is there a network option available at logon.



Introduction

With Start Before Logon (SBL) enabled, the user sees the AnyConnect GUI logon dialog before the Windows® logon dialog box appears. This establishes the VPN connection first. Available only for Windows platforms, Start Before Logon lets the administrator control the use of login scripts, password caching, mapping network drives to local drives, and more. You can use the SBL feature to activate the VPN as part of the logon sequence. SBL is disabled by default.

For more information on configuring AnyConnect VPN Client features, refer to the section Configuring AnyConnect Client Features.

Note: Within the AnyConnect client, the only configuration you do for SBL is to enable the feature. Network administrators handle the processing that goes on before logon based upon the requirements of their situation. Logon scripts can be assigned to a domain or to individual users. Generally, the administrators of the domain have batch files or the like defined with users or groups in Active Directory. As soon as the user logs on, the login script is executed.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA 5500 Series Adaptive Security Appliances that run software version 8.x

  • Cisco AnyConnect VPN version 2.0

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

The point of SBL is that it connects a remote computer to the company infrastructure prior to logon to the PC. For example, a user can be outside the physical corporate network, unable to access corporate resources until his or her PC has joined the corporate network. With SBL enabled, the AnyConnect client connects before the user sees the Microsoft login window. The user must also log in, as usual, to Windows when the Microsoft login window appears.

These are several reasons to use SBL:

  • The PC of the user is joined to an Active Directory infrastructure.

  • The user cannot have cached credentials on the PC, that is, if the group policy disallows cached credentials.

  • The user must run login scripts that execute from a network resource or that require access to a network resource.

  • A user has network-mapped drives that require authentication with the Active Directory infrastructure.

  • Networking components, such as MS NAP/CS NAC, can require connection to the infrastructure.

SBL creates a network that is equivalent to inclusion on the local corporate LAN. With SBL enabled, since the user has access to the local infrastructure, the logon scripts that normally run for a user in the office are also available to the remote user.

For information about how to create logon scripts, refer to this Microsoft TechNet article.

For information about how to use local logon scripts in Windows XP, refer to this Microsoft article.

In another example, a system can be configured to disallow cached credentials for logon to the PC. In this scenario, users must be able to communicate with a domain controller on the corporate network for their credentials to be validated prior to access to the PC. SBL requires a network connection to be present at the time it is invoked. In some cases, this is not possible because a wireless connection can depend on user credentials to connect to the wireless infrastructure. Since SBL mode precedes the credential phase of a login, a connection is not available in this scenario. In this case, the wireless connection needs to be configured to cache the credentials across login, or another wireless authentication needs to be configured for SBL to work.

Install Start Before Logon Components (Windows Only)

The Start Before Logon components must be installed after the core client has been installed. Additionally, the AnyConnect 2.2 Start Before Logon components require that version 2.2, or later, of the core AnyConnect client software be installed. If you pre-deploy the AnyConnect client and the Start Before Logon components with the MSI files (for example, at a large company that has its own software deployment system such as Altiris, Active Directory, or SMS), you must get the installation order right. The order of the installation is handled automatically when the administrator loads AnyConnect if it is web deployed and/or web updated. For complete installation information, refer to Release Notes for Cisco AnyConnect VPN Client, Release 2.2.

Differences Between Windows Vista/Windows 7 and Pre-Vista Start Before Logon

The procedures to enable SBL differ slightly on Windows Vista and Windows 7 systems. Pre-Vista systems use a component called virtual private network graphical identification and authentication (VPNGINA) to implement SBL. Vista and Windows 7 systems use a component called PLAP to implement SBL.


In the AnyConnect client, the Windows Vista Start Before Logon feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets network administrators perform specific tasks, such as the collection of credentials or connection to network resources, prior to login. PLAP provides Start Before Logon functions on Windows Vista, Windows 7 and Windows Server 2008. PLAP supports the 32-bit (x86) and 64-bit (x64) versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively.

Note: In this section, VPNGINA refers to the Start Before Logon feature for pre-Vista platforms, and PLAP refers to the Start Before Logon feature for Windows Vista and Windows 7 systems.

In pre-Vista systems, Start Before Logon uses a component known as the VPN Graphical Identification and Authentication Dynamic Link Library (vpngina.dll) to provide Start Before Logon capabilities. The Windows PLAP component, which is part of Windows Vista, replaces the Windows GINA component.

A GINA is activated when a user presses the Ctrl+Alt+Del key combination. With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or activate any Network Connections (PLAP components) with the Network Connect button in the lower-right corner of the window.

The sections that immediately follow describe the settings and procedures for both VPNGINA and PLAP SBL. For a complete description of enablement and use of the SBL feature (PLAP) on a Windows Vista platform, refer to Configuring Start Before Logon (PLAP) on Windows Vista Systems.

XML Settings to Enable SBL

The element value for UseStartBeforeLogon allows this feature to be turned on (true) or off (false). If you set this value to true in the profile, additional processing occurs as part of the logon sequence. See the Start Before Logon description for additional details. Set the <UseStartBeforeLogon> value in the CiscoAnyConnect.xml file to true to enable SBL:

In order to disable SBL, set the same value to false.


In order to enable the UserControllable feature, use this statement when you enable SBL:

Any user setting associated with this attribute is stored elsewhere.
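Because the security appliance validates an uploaded profile against its schema (a profile that fails validation is described under Troubleshoot SBL below), it is worth checking the UseStartBeforeLogon setting before upload. The following Python script is an added example, not Cisco's code or anything taken from the page. It assumes the profile root is <AnyConnectProfile>, that <UseStartBeforeLogon> sits under <ClientInitialization>, and that UserControllable is an attribute on that element; the sample profile and the hostname vpn.example.com are constructed placeholders.

```python
"""Pre-upload sanity check of an AnyConnect client profile's SBL setting.

Added example, not Cisco's code. Assumptions: the profile root is
<AnyConnectProfile>, <UseStartBeforeLogon> lives under <ClientInitialization>,
and UserControllable is an attribute on that element. The sample profile is
constructed here; vpn.example.com is a placeholder.
"""
import xml.etree.ElementTree as ET

# Constructed sample profile: SBL enabled, user allowed to change the setting.
SAMPLE_PROFILE = """\
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""

BOOLEANS = ("true", "false")


def _local(tag):
    """Drop the namespace prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def check_sbl(profile_xml):
    """Report the SBL setting in a profile and any problems that would make
    the security appliance or the client reject it.

    Returns {"enabled": bool, "user_controllable": bool, "problems": [str]}.
    An empty problems list means the profile is consistent for SBL.
    """
    result = {"enabled": False, "user_controllable": False, "problems": []}
    try:
        root = ET.fromstring(profile_xml)
    except ET.ParseError as exc:
        result["problems"].append(f"not well-formed XML: {exc}")
        return result
    if _local(root.tag) != "AnyConnectProfile":
        result["problems"].append(f"unexpected root element <{_local(root.tag)}>")

    everywhere = [e for e in root.iter() if _local(e.tag) == "UseStartBeforeLogon"]
    inits = [e for e in root.iter() if _local(e.tag) == "ClientInitialization"]
    nodes = [c for ci in inits for c in ci if _local(c.tag) == "UseStartBeforeLogon"]
    if not everywhere:
        # SBL is off by default, so a missing element is not a schema error,
        # but it is worth reporting when the intent was to enable SBL.
        result["problems"].append("no <UseStartBeforeLogon> element; SBL stays disabled (default)")
        return result
    if not nodes:
        result["problems"].append("<UseStartBeforeLogon> is outside <ClientInitialization>")
        nodes = everywhere
    if len(nodes) > 1:
        result["problems"].append("<UseStartBeforeLogon> appears more than once")
    node = nodes[0]

    # The element text must be exactly true or false; anything else fails
    # schema validation on the appliance.
    value = (node.text or "").strip().lower()
    if value not in BOOLEANS:
        result["problems"].append(f"invalid value {value!r}; must be true or false")
    result["enabled"] = value == "true"

    # UserControllable defaults to false when the attribute is absent.
    uc = node.get("UserControllable", "false").strip().lower()
    if uc not in BOOLEANS:
        result["problems"].append(f"invalid UserControllable value {uc!r}")
    result["user_controllable"] = uc == "true"
    return result


def check_sbl_file(path):
    """Convenience wrapper for a profile stored on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_sbl(fh.read())


if __name__ == "__main__":
    print(check_sbl(SAMPLE_PROFILE))
    broken = SAMPLE_PROFILE.replace(">true</UseStartBeforeLogon>", ">yes</UseStartBeforeLogon>")
    print(check_sbl(broken))
```

Run it against the profile you intend to upload (check_sbl_file("AnyConnectProfile.xml")); a non-empty problems list points at the kind of syntax mistake that produces the schema validation error on upload.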

Enable SBL

In order to minimize download time, the AnyConnect client requests downloads (from the security appliance) only of core modules that it needs for each feature that it supports. In order to enable new features, such as SBL, you must specify the module name with the svc modules command from group policy WebVPN or username WebVPN configuration mode:

The string value for SBL is vpngina.

In this example, the network administrator enters group-policy attributes mode for the group policy telecommuters; enters WebVPN configuration mode for the group policy; and specifies the string VPNGINA to enable SBL:


In addition, the administrator must ensure that the AnyConnect <profile.xml> file, where <profile.xml> is the name that the network administrator has assigned to the XML file, has the <UseStartBeforeLogon> statement set to true, for example:

The system must be rebooted before Start Before Logon takes effect. You must also specify on the security appliance that you want to allow SBL, or any other modules for additional features. Refer to the description in the Enabling Modules for Additional AnyConnect Features, page 2-5 (ASDM) section or Enabling Modules for Additional AnyConnect Features, page 3-4 (CLI) for more information.

Start Before Logon Configuration with CLI

This scenario shows you how to set up the XML file with CLI:

  1. Create a profile to be pushed down to the client PCs that looks similar to this:

  2. Copy the file to the Flash on the security appliance:

  3. On the security appliance, add the profile as an available profile to the WebVPN global section, as long as everything else is set up correctly for AnyConnect connections:

  4. Edit the group policy that you use, and add the svc modules and svc profile commands:
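Steps 3 and 4 depend on each other: the profile name referenced in the group policy must match a profile registered in the global WebVPN section, and the vpngina module must be listed or VPNGINA is never downloaded. The following Python check is an added example, not part of Cisco's documentation; it parses a constructed configuration fragment and verifies both conditions for a given group policy. It assumes the ASA 8.x command forms svc profiles <name> <path> under webvpn and svc modules value vpngina / svc profiles value <name> under the group policy's webvpn attributes; the package filename, policy names and profile path are placeholders.

```python
"""Check an ASA configuration for a complete SBL setup in one group policy.

Added example, not Cisco's code. Assumed syntax (ASA 8.x, AnyConnect 2.x):
the profile is registered globally with 'svc profiles <name> <path>' under
'webvpn', and the group policy references it with 'svc profiles value <name>'
next to 'svc modules value vpngina'. The fragment below is constructed, and
the package filename is a placeholder.
"""
import re

SAMPLE_CONFIG = """\
webvpn
 enable outside
 svc image disk0:/anyconnect-win-VERSION-k9.pkg 1
 svc profiles sbl disk0:/AnyConnectProfile.xml
 svc enable
group-policy telecommuters internal
group-policy telecommuters attributes
 vpn-tunnel-protocol svc
 webvpn
  svc modules value vpngina
  svc profiles value sbl
group-policy nosbl internal
group-policy nosbl attributes
 webvpn
  svc profiles value missing
"""


def _blocks(config_text):
    """Yield (header, [indented lines]) for each top-level command block.

    ASA configs mark nesting with leading spaces; nested depth is flattened
    here because only the command text matters for this check.
    """
    header, body = None, []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        elif header is not None:
            body.append(raw.strip())
    if header is not None:
        yield header, body


def check_sbl_policy(config_text, policy):
    """Return the modules and profile the policy pushes, plus problems found."""
    result = {"modules": [], "profile": None, "global_profiles": {}, "problems": []}
    gp_header = f"group-policy {policy} attributes"
    found = False
    for header, body in _blocks(config_text):
        if header == "webvpn":
            for line in body:
                m = re.match(r"svc profiles (\S+) (\S+)$", line)
                if m and m.group(1) != "value":
                    result["global_profiles"][m.group(1)] = m.group(2)
        elif header == gp_header:
            found = True
            for line in body:
                m = re.match(r"svc modules value (\S+)$", line)
                if m:
                    # Assumed: multiple modules are comma-separated.
                    result["modules"] = m.group(1).split(",")
                m = re.match(r"svc profiles value (\S+)$", line)
                if m:
                    result["profile"] = m.group(1)
    if not found:
        result["problems"].append(f"no '{gp_header}' block in the configuration")
        return result
    if "vpngina" not in result["modules"]:
        result["problems"].append("svc modules value vpngina missing: VPNGINA will not be installed")
    if result["profile"] is None:
        result["problems"].append("no svc profiles value: the client will not receive an XML profile")
    elif result["profile"] not in result["global_profiles"]:
        result["problems"].append(
            f"profile '{result['profile']}' is not registered under webvpn with 'svc profiles <name> <path>'"
        )
    return result


if __name__ == "__main__":
    for name in ("telecommuters", "nosbl", "absent"):
        print(name, check_sbl_policy(SAMPLE_CONFIG, name))
```

Feed it the output of show running-config (saved to a file) and the name of the policy your AnyConnect users land in; an empty problems list means the profile and module settings line up the way steps 3 and 4 require.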

Start Before Logon Configuration with ASDM

Complete these steps to configure the SBL with ASDM:

  1. Create a profile to be pushed down to the client PCs that looks similar to this:

  2. Save the profile as AnyConnectProfile.xml in the local computer.

  3. Launch the ASDM, and go to the Home page.

  4. Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add, and click the Internal Group Policy.

  5. Enter the name of the group policy, for example, SBL.

  6. Go to Advanced > SSL VPN Client. Remove the Inherit check mark in the Optional Client Module to Download, and choose vpngina from the drop-down box.

  7. In order to transfer the profile AnyConnectProfile.xml from the local computer to Flash, go to Tools, and click File Management.

  8. Click the File Transfer button.

  9. In order to transfer the profile from the local computer to ASA Flash memory, choose the Source File, path of the XML file (local computer), and the Destination File path as per your requirement.

  10. After the transfer, click the Refresh button to verify whether the profile file is in the Flash memory.

  11. Assign the profile to the internal group policy (SBL).

    Follow this path, Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Edit SBL (Internal Group Policy) > Advanced > SSL VPN Client > Client Profile to Download, and click the New button.

    In the Add SSL VPN Client Profiles dialog, click the Browse button to choose the location of the profile (AnyConnectProfile.xml) stored in the ASA Flash memory. Assign the Name for the profile, for example, SBL. Click OK to complete.

  12. Remove the Inherit check box and choose SBL in the Client Profile to Download field. Click OK.

  13. Click Apply to complete.

Use the Manifest File

The AnyConnect package that is uploaded on the security appliance contains a file called VPNManifest.xml. This example shows a sample content of this file:

The security appliance has stored on it configured profiles, as explained in Step 1, and it also stores one or multiple AnyConnect packages that contain the AnyConnect client itself, downloader utility, manifest file, and any other optional modules or support files.

When a remote user connects to the security appliance with WebLaunch or a current standalone client, the downloader is downloaded first and run. It uses the manifest file to ascertain whether there is a current client on the remote user PC that needs to be upgraded, or a fresh installation is required. The manifest file also contains information about whether there are any optional modules that must be downloaded and installed, in this case, the VPNGINA. The client profile also is pushed down from the security appliance. The installation of VPNGINA is activated by the command svc modules value vpngina configured under the group-policy (webvpn) command mode as explained in Step 4. The AnyConnect client and VPNGINA are installed, and the user sees the AnyConnect Client at the next reboot, prior to Windows Domain logon.

When the user connects, the client and profile are passed down to the user PC; the client and VPNGINA are installed; and the user sees the AnyConnect client at the next reboot, prior to logon.

A sample profile is provided on the client PC when AnyConnect is installed: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.

Troubleshoot SBL

Use this procedure if you encounter a problem with SBL:

  1. Ensure that the profile is pushed.

  2. Delete prior profiles; search for them on the hard drive to find the location: *.xml.

  3. When you go to the Add/Remove programs, do you have both an AnyConnect installation and AnyConnect VPNGINA installation?

  4. Uninstall the AnyConnect client.

  5. Clear the AnyConnect log of the user in the Event Viewer and retest.

  6. Web browse back to the security appliance to reinstall the client.

  7. Make sure that the profile also appears.

  8. Reboot once. On the next reboot, you are prompted with the Start Before Logon prompt.

  9. Send the AnyConnect event log to Cisco in .evt format.

  10. If you see this error, delete the user profile and use the default profile:

Problem 1

This error message is seen while trying to upload the AnyConnect profile: Error in validating the XML file against the latest schema. How is this error resolved?

Solution 1

This error message mostly occurs due to the syntax or configuration issues in the AnyConnect profile. In order to resolve this issue, make sure that the AnyConnect profile configured is similar to the Sample AnyConnect Profile present in the Sample AnyConnect Profile and XML Schema section of the Cisco AnyConnect VPN Client Administrator Guide.


When you are off campus, some of Illinois State University’s electronic services are unavailable to you unless you establish a VPN connection.

Cisco AnyConnect is an application that the University makes available to students, faculty, and staff for free which may be used to establish a VPN connection with the University from off campus.

NOTE: If you need to request and install the application on your computer, please skip to the section further below entitled Download and Install Cisco AnyConnect. If you already have the application installed and would like to know how to connect to it, please read the section immediately below entitled Connect to the Cisco AnyConnect VPN Client Once Downloaded. The instructions below are listed for both Windows and Mac machines, respectively.

Connect to the Cisco AnyConnect VPN Client Once Downloaded

Windows:

  1. Open the Cisco AnyConnect VPN client.
  • Windows 8: On the Start screen, click Cisco AnyConnect Secure Mobility Client.
  • Windows 10: Start > All Apps > Cisco > Cisco AnyConnect Secure Mobility Client.
  • Alternatively, you can click Start and begin typing Cisco AnyConnect Secure Mobility Client and the application will show up. Click on the icon to start the application.
  2. Verify that the server address in the field underneath “Ready to connect.” is VPN01.ILSTU.EDU.
  • If the server address does not automatically appear, click the arrow to the right of the field and select VPN01.ILSTU.EDU from the drop-down menu, or enter it manually.
  3. Click Connect.

Figure 1:

  4. When prompted, select the appropriate Group (Figure 1):
  • To access most ISU resources, you will select –ISU-.
  • Important: To access ISU Oracle or SQL database resources directly (via software such as Microsoft Access, Oracle SQL Developer, Microsoft SQL Management Studio, etc.), select DB-User_Access.

Note: When you attempt to connect, you may receive a prompt that tells you that Cisco AnyConnect is updating. Do not attempt to cancel this update, as this update will allow your VPN software to work.

Figure 2:

  5. Enter your ULID and password in the appropriate fields, then click OK.
  6. After a moment, an informational banner window will appear that typically says “Welcome to Illinois State University,” but could display a different, informational message.
  7. Click Accept.

You are now connected with the Cisco AnyConnect VPN client. A Cisco AnyConnect icon with a yellow, locked padlock will be visible in your system tray (in the lower-right corner of your desktop, next to the clock). This indicates that you are connected. If the icon appears without a padlock, this indicates you are no longer connected through VPN.

Mac OS X:

  1. Open the Cisco AnyConnect VPN client. Click Finder > Applications> Cisco > Cisco AnyConnect Secure Mobility Client.

Figure 3:

  • Alternatively, you can search for the application in your “Dashboard” by simply clicking the rocket icon on your bottom toolbar. After that, start typing Cisco AnyConnect Secure Mobility Client and you will see the application. Click on the application to start the set-up process, or to access it once you’ve configured the settings properly.

Figure 4:

  2. Verify that the server address in the field underneath “Ready to connect.” reads VPN01.ILSTU.EDU. If the field is empty, enter the address manually, exactly as it is shown in this article.

Figure 5:

  3. Click Connect.
  4. When prompted, select the appropriate Group (Figure 6):
  • For most ISU resources, you will select –ISU-.
  • Important: To access ISU Oracle or SQL database resources directly (via software such as Microsoft Access, Oracle SQL Developer, Microsoft SQL Management Studio, etc.), select DB-User_Access.

Figure 6:

  5. Enter your ULID and password when prompted to do so and click Connect.
  6. After a moment, an informational banner window will appear that typically says “Welcome to Illinois State University,” but could display a different, informational message.
  7. Click Accept.

You are now connected with the Cisco AnyConnect VPN client. A Cisco AnyConnect icon with a yellow, locked padlock is now in your system tray (in the lower-right corner of your desktop). This indicates that you are connected. If the icon appears without a padlock, this indicates you are no longer connected through VPN.

Disconnect from the VPN

Windows:

To disconnect from the VPN on a Windows machine:

  1. Locate the Cisco AnyConnect VPN client icon and click on it. It is usually on your toolbar, but if it is not, here are some additional ways to find the application:
  • Windows 8: On the Start screen, click Cisco AnyConnect Secure Mobility Client.
  • Windows 10: Start > All Apps > Cisco > Cisco AnyConnect.
    • Alternatively, you can click [Start] and begin typing Cisco AnyConnect Secure Mobility Client and the application will show up. Click on the icon to start the application so you can disconnect from the VPN.
  2. In the Cisco AnyConnect Secure Mobility Client pane, click Disconnect.

Figure 7:

  3. Close Cisco AnyConnect Secure Mobility Client.

You are now disconnected from VPN.


Mac OSX:

To disconnect from a VPN connection in Cisco AnyConnect on a Mac running Mac OS X:

  1. Click on the Cisco AnyConnect icon in your Dock.
  2. Click Disconnect.
  3. Close Cisco AnyConnect Secure Mobility Client.

Figure 8:

You are now disconnected from VPN.

Download and Install Cisco AnyConnect for Windows or Mac OS X

Students, faculty, and staff may download the Cisco AnyConnect VPN Client for Windows or Mac OS X from the University IT Help portal by following the directions below:


Windows:

  1. Navigate to the IT Help portal (at ITHelp.IllinoisState.edu).
  2. Click Downloads in the middle of the screen.
  3. Under Cisco AnyConnect, select the version you would like to download. You will need to select the version that is compatible with your machine. You can choose either Windows or Mac.
  4. Click on Windows or Mac and log in with your ULID and password if prompted to do so. You will be directed to a form to request the download file be sent to you. You will need to fill out the required fields in the submission form. Once submitted, your request will be handled in the order it was received. Once approved, you will receive an email. You will then click Download Files and you may be navigated to a Central Login page where you will need to enter your ULID and password. Once you log in, click the file next to Attached Files.

NOTE: If you have never accessed Liquid Files (SendTo) before, you may see a login page for Liquid Files itself. Instead, click the SSO Sign In button to be navigated to a Central Login page, where you will enter your ULID and password. Upon logging in, you will need to accept some terms and conditions. Once you have done that, you will never be prompted again for an SSO sign in.

  • Upon successfully downloading the installer, you will need to open the installer and follow the prompts.

Figure 9:

  • Agree to the Terms and Conditions and proceed with the installation by clicking Accept. You may need to enter your computer’s profile credentials in order to accept the installation.

Figure 10:

  • Once the software has finished downloading, click Finish to close out of the installation process. You can now access the VPN software.

Mac OS X:

  1. Navigate to the IT Help portal (at ITHelp.IllinoisState.edu).
  2. Click Downloads in the middle of the screen.
  3. Under Cisco AnyConnect, select the version you would like to download. You will need to select the version that is compatible with your machine. You can choose either Windows or Mac.
  4. Click on Windows or Mac and log in with your ULID and password if prompted to do so. You will be directed to a form to request the download file be sent to you. You will need to fill out the required fields in the submission form. Once submitted, your request will be handled in the order it was received. Once approved, you will receive an email. You will then click Download Files and you may be navigated to a Central Login page where you will need to enter your ULID and password. Once you log in, click the file next to Attached Files.

NOTE: If you have never accessed Liquid Files (SendTo) before, you may see a login page for Liquid Files itself. Instead, click the SSO Sign In button to be navigated to a Central Login page, where you will enter your ULID and password. Upon logging in, you will need to accept some terms and conditions. Once you have done that, you will never be prompted again for an SSO sign in.

  • Upon successfully downloading the installer, you will need to open the installer and follow the prompts. When you get to the Installation Type screen, ensure that only the VPN checkbox is selected, then click Continue to proceed with the installation.

Figure 11:

  • Click Continue to finish the installation. Once finished, open the Cisco AnyConnect Secure Mobility Client. You can find it in the Cisco folder in your Applications folder, or search for it manually in Launchpad, as instructed above.

Figure 12:

  • Type VPN01.ILSTU.EDU in the empty text field, then press Connect.

Figure 13:

  • Enter your ULID in the Username field and your current password in the Password field. Click OK.

Figure 14:

  • You will see a welcome window. Click Accept to be connected to the VPN.

Figure 15:

  • Now that you are connected, you will be able to access university-restricted applications such as iPeople.
  • When you are ready to disconnect from the VPN, go back to the application and click Disconnect and close out of the application.

Figure 16:

How to Get Help

For technical assistance, you may contact the Technology Support Center at 309-438-4357 or by email at SupportCenter@IllinoisState.edu.
