Enabling Start Before Logon (SBL) for the AnyConnect Client; XML Settings for Enabling SBL; CLI Settings for Enabling SBL - Cisco 5505 - ASA Firewall Edition Bundle Administrator's Manual

Chapter 7
Configuring and Using AnyConnect Client Operating Modes and User Profiles
The following sections describe how to modify the profiles template to configure the profile attributes.

Enabling Start Before Logon (SBL) for the AnyConnect Client

With SBL enabled, the user sees the AnyConnect GUI logon dialog before the Windows logon dialog
box appears. This establishes the VPN connection first. Available only for Windows platforms, Start
Before Logon lets the administrator control the use of login scripts, password caching, mapping network
drives to local drives, and more. You can use the SBL feature to activate the VPN as part of the logon
sequence. SBL is disabled by default.

XML Settings for Enabling SBL

The element value for UseStartBeforeLogon turns this feature on (true) or off (false). If
you set this value to true in the profile, additional processing occurs as part of the logon sequence.
See the Start Before Logon description for additional details.
You enable SBL by setting the <UseStartBeforeLogon> value in the CiscoAnyConnect.xml file to true:
<?xml version="1.0" encoding="UTF-8" ?>
<Configuration>
    <ClientInitialization>
        <UseStartBeforeLogon>true</UseStartBeforeLogon>
    </ClientInitialization>
</Configuration>
To disable SBL, set the same value to false.
To enable the UserControllable feature, use the following statement when enabling SBL:
<UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
Any user setting associated with this attribute is stored elsewhere.

CLI Settings for Enabling SBL

To minimize download time, the AnyConnect client requests downloads (from the security appliance)
only of core modules that it needs for each feature that it supports. To enable new features, such as Start
Before Logon (SBL), you must specify the module name using the svc modules command from group
policy webvpn or username webvpn configuration mode:
[no] svc modules {none | value string}
The string for SBL is vpngina.
In the following example, the user enters group-policy attributes mode for the group policy
telecommuters, enters webvpn configuration mode for the group policy, and specifies the string vpngina
to enable SBL:
hostname(config)# group-policy telecommuters attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc modules value vpngina
In addition, the administrator must ensure that the AnyConnect profile.xml file has the
<UseStartBeforeLogon> statement set to true. For example:
<UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
The system must be rebooted before Start Before Logon takes effect.

Cisco AnyConnect VPN Client Administrator Guide
OL-12950-012
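SBL as described above depends on two settings agreeing: the vpngina module requested with svc modules on the security appliance, and UseStartBeforeLogon set to true in the profile. The following Python check is an added example, not part of the Cisco guide; the sample profile and configuration excerpt are constructed, the contractors policy is hypothetical, and treating the module string as a comma-separated list and an absent UserControllable attribute as false are assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs; "contractors" is a hypothetical second policy.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8" ?>
<Configuration><ClientInitialization>
<UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
</ClientInitialization></Configuration>"""
SAMPLE_ASA = """group-policy telecommuters attributes
 webvpn
  svc modules value vpngina
group-policy contractors attributes
 webvpn
  svc modules none
"""

def profile_sbl(xml_text):
    """Return (enabled, user_controllable); SBL is disabled by default."""
    el = ET.fromstring(xml_text.encode("utf-8")).find(".//UseStartBeforeLogon")
    if el is None:
        return False, False
    enabled = (el.text or "").strip().lower() == "true"
    # Assumption: an absent attribute means not user controllable.
    return enabled, el.get("UserControllable", "false").strip().lower() == "true"

def asa_sbl_scopes(config_text):
    """Map 'group-policy NAME' / 'username NAME' -> True if vpngina is requested."""
    scopes, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"(group-policy|username) (\S+) attributes\s*$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            scopes.setdefault(current, False)
        elif current and line.split()[:3] == ["svc", "modules", "value"]:
            # Assumption: the module string may be a comma-separated list.
            scopes[current] = "vpngina" in "".join(line.split()[3:4]).split(",")
        elif line and not line[0].isspace():
            current = None  # a top-level line ends the attributes block
    return scopes

def audit(profile_xml, asa_config):
    """Report where the profile and the appliance configuration disagree on SBL."""
    enabled, uc = profile_sbl(profile_xml)
    findings = ["profile: SBL setting is user controllable"] if enabled and uc else []
    for scope, has_module in sorted(asa_sbl_scopes(asa_config).items()):
        if enabled and not has_module:
            findings.append(f"{scope}: profile enables SBL but vpngina is not requested")
        elif has_module and not enabled:
            findings.append(f"{scope}: vpngina requested but profile leaves SBL off")
    return findings
```

Calling audit(SAMPLE_PROFILE, SAMPLE_ASA) returns one finding, for the contractors policy, because the profile turns SBL on while that policy does not request the vpngina module.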
