30-04-2021



Introduction

This document describes how to configure AnyConnect modules for a Remote Access VPN (RA VPN) configuration that already exists on a Firepower Threat Defense (FTD) managed either by a Firepower Management Center (FMC) or by Firepower Device Manager (FDM).

Prerequisites

  1. To enable the SBL option on the Windows 7 logon screen, you first need to enable the feature from the ASA. Every connecting client is then provisioned with an .xml configuration that enables SBL. The provisioned configuration is created under C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\prelogin.xml, and the magic line is.
  2. AnyConnect SBL requirements: you must be using the AnyConnect client, and the user must be on a Windows 7 or XP machine. This does not work with 8+ from what I have tested. Create the default configuration for the AnyConnect VPN.
  3. When using Start Before Logon (SBL) and HostScan, you must install the AnyConnect/HostScan posture predeploy module on the endpoints to achieve full HostScan functionality, since SBL is pre-login. In HostScan 4.4 and later, endpoint data (endpoint attributes) for antivirus, antispyware, and firewall have changed.

Requirements

Feb 05, 2020: Make sure the AnyConnect installation directory (C:\Program Files (x86)\Cisco for Windows or /opt/cisco for macOS) is trusted and/or in the allowed/exclusion/trusted lists for endpoint antivirus, antimalware, antispyware, data loss prevention, privilege manager, or group policy objects.

Cisco recommends that you have knowledge of these topics:

  • Basic understanding of RA VPN working.
  • Understanding of navigation through the FMC/FDM.
  • Basic knowledge of REST API and FDM Rest API Explorer.

Components Used

The information in this document is based on these software versions:

  • Cisco Firepower Management Center (FMC) version 6.7.0
  • Cisco Firepower Threat Defense (FTD) version 6.7.0
  • Cisco Firepower Device Manager (FDM) version 6.7.0
  • Cisco AnyConnect Secure Mobility Client running 4.9.0086
  • Postman or any other API development tool

Note: FMC/FDM do not have an inbuilt Profile Editor and the AnyConnect Profile Editor for Windows has to be used to create a profile.


Note: The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any configuration change.

Background Information

The Cisco AnyConnect Secure Mobility Client is not limited to its role as a VPN client; it has a number of other functions that can be integrated as modules. The following modules are supported for AnyConnect:

  • Start Before Login (SBL): This module allows the user to establish a VPN connection into the enterprise before logging into Windows.
  • Diagnostic and Reporting Tool (DART): This module is used to perform both diagnostics and reporting about the AnyConnect installation and connection. DART works by assembling the logs, status, and diagnostic information for analysis.
  • Advanced Malware Protection (AMP): This module provides a cloud-delivered next-generation solution to detect, prevent, and respond to various threats.
  • ISE Posture: Cisco Identity Services Engine (ISE) provides a next-generation identity and access control policy. This module provides the ability to identify the Operating System (OS), the AntiVirus, the AntiSpyware, etc. that are currently installed on a host. This information is then used along with a policy to determine whether the host will be able to connect to the network.
  • Network Visibility Module: The Network Visibility Module monitors endpoint application usage to uncover potential behavior anomalies and to make more informed network design decisions.
  • Umbrella: Cisco Umbrella Roaming is a cloud-delivered security service that protects devices when they are off the corporate network.
  • Web Security: Cisco Web Security Appliance (WSA), powered by Cisco Talos, protects the endpoint by automatically blocking risky sites and testing unknown sites.
  • Network Access Manager: Network Access Manager provides a secure Layer 2 network in accordance with its policies. It detects and selects the optimal Layer 2 access network and performs device authentication for access to both wired and wireless networks.
  • Feedback: This module collects the information and periodically sends it to the server. It helps the product team to improve the quality, reliability, performance, and user experience of AnyConnect.

Firepower 6.7 adds support in the FMC UI and in the FTD Device REST API for seamless deployment of all the AnyConnect modules mentioned above.

This table lists the profile extensions and the associated Module Type names needed to successfully deploy the endpoint functionality.

Profile Extension      Module Type
.fsp                   FEEDBACK
.asp or .xml           AMP_ENABLER, ISE_POSTURE
.nvmsp or .xml         NETWORK_VISIBILITY, NETWORK_ACCESS_MANAGER
.json or .xml          UMBRELLA, WEB_SECURITY

Note: DART and SBL modules do not require any Profile.

Note: No additional licensing is required for the use of this feature.

Configuration

Configuration on Firepower Management Center (FMC)

Step 1. Navigate to Device > VPN > Remote Access and click on Edit for the RA VPN configuration.

Step 2. Navigate to Advanced > Group Policies and click on Edit for the concerned Group Policy, as shown in this image.

Step 3. Navigate to AnyConnect > Client Modules and click on + to add the modules, as shown in this image.

For the purpose of demonstration, deployment of the AMP, DART, and SBL modules is shown.

Step 4. Select the DART module and click on Add, as shown in this image.

Step 5. Click on + to add another module and select Start Before Login module, as shown in this image.

Note: This step allows you to download the SBL module. SBL also has to be enabled in the AnyConnect client profile, which is uploaded by navigating to AnyConnect > Profile under the Group Policy.

Step 6. Click on + to add another module and select AMP Enabler. Click on + to Add a Client Profile, as shown in this image.


Provide the Name of the Profile and upload the AMP Profile. Click on Save, as shown in this image.

Choose the profile created in the previous step and check the Enable module download checkbox, as shown in this image.

Step 7. Click on Save once all the desired modules are added.


Step 8. Navigate to Deploy > Deployment and deploy the configuration to the FTD.

Configuration on Firepower Device Manager (FDM)

Step 1. Launch the API Explorer of the FTD on a Browser Window.

Navigate to https://<FTD Management IP>/api-explorer

This page contains the entire list of APIs available on the FTD. It is divided by main feature, and each feature offers the GET/POST/PUT/DELETE requests supported by the FDM.

RaVpnGroupPolicy is the API used.

Step 2. Add a Postman collection for AnyConnect Modules. Provide a Name for the collection. Click on Create.

Step 3. Add a new request Auth to create a login POST request to the FTD in order to get the token to authorize any POST/GET/PUT requests. Click on Save.

The Body of the POST request must contain these:

Type          raw - JSON (application/json)
grant_type    password
username      Admin username used to log in to the FTD
password      The password associated with the admin user account

POST Request: https://<FTD Management IP>/api/fdm/latest/fdm/token

The Body of the Response contains the access token which is used in order to send any PUT/GET/POST requests to/from the FTD.

Step 4. Create a Get Group Policy request to get the details of the existing Group Policies. Click on Save, as shown in this image.

The Authorization tab must contain this for all subsequent GET/POST requests:

Type     Bearer Token
Token    The access token received by running the Auth POST request

GET REQUEST: https://<FTD Management IP>/api/fdm/latest/object/ravpngrouppolicies

The Body of the response shows all the Group Policies configured on the device. The ID of the Group Policy is used to update that specific Group Policy.

For the purpose of demonstration, deployment of the AMP, DART, and SBL modules is shown.

Step 5. Create a request to upload a profile. This step is needed only for the modules that require a profile. Upload the profile in the filetoUpload section. Click on Save.

POST REQUEST: https://<FTD Management IP>/api/fdm/latest/action/uploaddiskfile

The Body of the request must contain the profile file, added in the Body in form-data format. The profile needs to be created with the AnyConnect Profile Editor for Windows.

The key type should be File for filetoUpload.

The body of the response gives an id/filename which is used to refer to the profile with the concerned module.

Step 6. Create a request to update the AnyConnect profile. This step is needed only for the modules that require a profile. Click on Save, as shown in this image.

POST REQUEST: https://<FDM IP>/api/fdm/latest/object/anyconnectclientprofiles

The body of the request contains this information:

name                   Logical name that you would give the file
diskFileName           Needs to match the fileName received in the Upload Profile POST response
anyConnectModuleType   Needs to match the appropriate module shown in the Module Type table
type                   anyconnectclientprofile

The Body of the response shows the Profile ready to be pushed to the device. Name, version, id, and type received in response are used in the next step to bind the profile to Group Policy.

Step 6. Create a PUT request to add the Client Profile and Module to the existing Group Policy. Click on Save, as shown in this image.

PUT REQUEST: https://<FDM IP>/api/fdm/latest/object/ravpngrouppolicies/{objId}

objId is the id obtained in Step 4. Copy the contents of the concerned Group Policy obtained in Step 4 to the body of the request and add this:

Client Profile

Name, version, id, and type of Profile received in the previous Step.

Client Modules

The name of the module that needs to be enabled must match exactly the name given in the Module Type table.

The Body of the response shows the Profile and Module successfully bound to Group-Policy.

Note: This step allows the download of the SBL module. SBL also has to be enabled in the AnyConnect client profile, which can be uploaded by navigating to Devices > Remote Access VPN > Group Policies > Edit Group Policy > General > AnyConnect Client Profile.

Step 7. Deploy the configuration to the device through FDM. Pending changes show client profile and modules to be pushed.
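The full FDM API sequence from Steps 3 through 6 (token, list group policies, upload the profile, create the client profile object, bind profile and modules to the group policy), as an added Python example that is not part of the original document and is not Cisco's code. It uses the endpoints, token body keys and anyconnectclientprofile fields given above. The group policy field names anyConnectClientProfiles and anyConnectModules, and the form key spelled fileToUpload (the page writes filetoUpload), are assumptions to confirm against the RaVpnGroupPolicy and uploaddiskfile models in the API Explorer. The host, credentials and the responses of the DryRunApi stand-in are constructed.

```python
"""Drive the FDM REST API sequence for binding an AnyConnect profile and
modules to an existing RA VPN group policy.  Added example, not Cisco code.
ASSUMED (check in API Explorer): anyConnectClientProfiles, anyConnectModules,
and the form key fileToUpload.  Host and sample data are placeholders."""
from typing import Any, Dict, List, Sequence

BASE = "https://FTD-MANAGEMENT-IP/api/fdm/latest"  # placeholder, not a real host

# Module Type names exactly as in the page's table.  DART and SBL need no
# profile and their API names are not on the page, so they are not listed.
PROFILE_MODULE_TYPES = {
    "FEEDBACK", "AMP_ENABLER", "ISE_POSTURE", "NETWORK_VISIBILITY",
    "NETWORK_ACCESS_MANAGER", "UMBRELLA", "WEB_SECURITY",
}


def token_body(username: str, password: str) -> Dict[str, str]:
    """Raw JSON body of the Auth POST to /fdm/token."""
    return {"grant_type": "password", "username": username, "password": password}


def bearer_headers(access_token: str) -> Dict[str, str]:
    """Authorization tab contents for every later GET/POST/PUT."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def client_profile_body(name: str, disk_file_name: str, module_type: str) -> Dict[str, str]:
    """Body of the POST to /object/anyconnectclientprofiles."""
    if module_type not in PROFILE_MODULE_TYPES:
        raise ValueError(f"{module_type!r} is not a Module Type from the table")
    return {"name": name, "diskFileName": disk_file_name,
            "anyConnectModuleType": module_type, "type": "anyconnectclientprofile"}


def bind_to_group_policy(group_policy: Dict[str, Any], profile: Dict[str, Any],
                         modules: Sequence[str]) -> Dict[str, Any]:
    """PUT body: a copy of the existing group policy with the profile reference
    (name, version, id, type only) and the module names added, without
    duplicating entries that are already bound."""
    body = dict(group_policy)
    ref = {k: profile[k] for k in ("name", "version", "id", "type")}
    kept = [p for p in body.get("anyConnectClientProfiles") or [] if p.get("id") != ref["id"]]
    body["anyConnectClientProfiles"] = kept + [ref]  # assumed field name
    current = list(body.get("anyConnectModules") or [])
    body["anyConnectModules"] = current + [m for m in modules if m not in current]  # assumed
    return body


def deploy_profile(api: Any, username: str, password: str, group_policy_name: str,
                   profile_name: str, profile_xml: bytes, module_type: str,
                   extra_modules: Sequence[str] = ()) -> Dict[str, Any]:
    """Run the whole sequence.  `api` is any object whose get/post/put(url, **kw)
    return parsed JSON, e.g. a thin wrapper over requests.Session; keep TLS
    verification on and trust the FTD's certificate rather than disabling it."""
    token = api.post(f"{BASE}/fdm/token", json=token_body(username, password))["access_token"]
    hdr = bearer_headers(token)
    policies = api.get(f"{BASE}/object/ravpngrouppolicies", headers=hdr)["items"]
    gp = next(p for p in policies if p["name"] == group_policy_name)
    upload = api.post(f"{BASE}/action/uploaddiskfile", headers=hdr,
                      files={"fileToUpload": (f"{profile_name}.xml", profile_xml)})
    profile = api.post(f"{BASE}/object/anyconnectclientprofiles", headers=hdr,
                       json=client_profile_body(profile_name, upload["fileName"], module_type))
    body = bind_to_group_policy(gp, profile, [module_type, *extra_modules])
    return api.put(f"{BASE}/object/ravpngrouppolicies/{gp['id']}", headers=hdr, json=body)


class DryRunApi:
    """Constructed stand-in for the FTD: records every call and answers with
    responses shaped as the page describes, so the sequence can be checked
    before the script is pointed at a real device."""

    def __init__(self, group_policies: List[Dict[str, Any]]):
        self.calls: List[tuple] = []
        self._gps = group_policies

    def _record(self, method: str, url: str) -> None:
        self.calls.append((method, url[len(BASE):]))

    def post(self, url: str, **kw: Any) -> Dict[str, Any]:
        self._record("POST", url)
        if url.endswith("/fdm/token"):
            return {"access_token": "CONSTRUCTED-TOKEN"}
        if url.endswith("/action/uploaddiskfile"):
            return {"id": "file-1", "fileName": "file-1-AMP.xml"}
        if url.endswith("/object/anyconnectclientprofiles"):
            return {**kw["json"], "id": "prof-1", "version": "v1"}
        raise ValueError(f"unexpected POST {url}")

    def get(self, url: str, **kw: Any) -> Dict[str, Any]:
        self._record("GET", url)
        return {"items": self._gps}

    def put(self, url: str, **kw: Any) -> Dict[str, Any]:
        self._record("PUT", url)
        return kw["json"]


if __name__ == "__main__":
    api = DryRunApi([{"id": "gp-1", "name": "RA-GP", "type": "ravpngrouppolicy"}])
    out = deploy_profile(api, "admin", "PLACEHOLDER", "RA-GP", "AMP",
                         b"<AnyConnectProfile/>", "AMP_ENABLER")
    print(api.calls)
    print(out["anyConnectClientProfiles"], out["anyConnectModules"])
```

The dry run prints the ordered call list and the PUT body, which is the same information you would otherwise assemble by hand in Postman; once the assumed field names are confirmed, replace DryRunApi with a wrapper around a real HTTP session. The PUT must carry the whole group policy object, not only the new fields, which is why bind_to_group_policy starts from the GET result.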

Configuration pushed to the FTD CLI after successful deployment:

Verify

Establish a successful connection to the FTD.

Navigate to Settings>VPN>Message History to see the details about modules that were downloaded.

Troubleshoot

Collect DART for troubleshooting issues with the installation of client modules.


Introduction

With Start Before Logon (SBL) enabled, the user sees the AnyConnect GUI logon dialog before the Windows® logon dialog box appears. This establishes the VPN connection first. Available only for Windows platforms, Start Before Logon lets the administrator control the use of login scripts, password caching, mapping network drives to local drives, and more. You can use the SBL feature to activate the VPN as part of the logon sequence. SBL is disabled by default.

For more information on configuring AnyConnect VPN Client features, refer to the section Configuring AnyConnect Client Features.

Note: Within the AnyConnect client, the only configuration you do for SBL is to enable the feature. Network administrators handle the processing that goes on before logon based upon the requirements of their situation. Logon scripts can be assigned to a domain or to individual users. Generally, the administrators of the domain have batch files or the like defined with users or groups in Active Directory. As soon as the user logs on, the login script is executed.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA 5500 Series Adaptive Security Appliances that run software version 8.x

  • Cisco AnyConnect VPN version 2.0

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Conventions


Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

The point of SBL is that it connects a remote computer to the company infrastructure prior to logon to the PC. For example, a user can be outside the physical corporate network, unable to access corporate resources until his or her PC has joined the corporate network. With SBL enabled, the AnyConnect client connects before the user sees the Microsoft login window. The user must also log in, as usual, to Windows when the Microsoft login window appears.

There are several reasons to use SBL:

  • The PC of the user is joined to an Active Directory infrastructure.

  • The user cannot have cached credentials on the PC, that is, if the group policy disallows cached credentials.

  • The user must run login scripts that execute from a network resource or that require access to a network resource.

  • A user has network-mapped drives that require authentication with the Active Directory infrastructure.

  • Networking components, such as MS NAP/CS NAC, can require connection to the infrastructure.

SBL creates a network that is equivalent to inclusion on the local corporate LAN. With SBL enabled, since the user has access to the local infrastructure, the logon scripts that normally run for a user in the office are also available to the remote user.

For information about how to create logon scripts, refer to this Microsoft TechNet article.

For information about how to use local logon scripts in Windows XP, refer to this Microsoft article.

In another example, a system can be configured to disallow cached credentials for logon to the PC. In this scenario, users must be able to communicate with a domain controller on the corporate network for their credentials to be validated prior to access to the PC. SBL requires a network connection to be present at the time it is invoked. In some cases, this is not possible because a wireless connection can depend on user credentials to connect to the wireless infrastructure. Since SBL mode precedes the credential phase of a login, a connection is not available in this scenario. In this case, the wireless connection needs to be configured to cache the credentials across login, or another wireless authentication needs to be configured for SBL to work.

Install Start Before Logon Components (Windows Only)

The Start Before Logon components must be installed after the core client has been installed. Additionally, the AnyConnect 2.2 Start Before Logon components require that version 2.2, or later, of the core AnyConnect client software be installed. If you pre-deploy the AnyConnect client and the Start Before Logon components with the MSI files (for example, you are at a big company that has its own software deployment tooling, such as Altiris, Active Directory, or SMS), you must get the order right. The order of the installation is handled automatically when the administrator loads AnyConnect if it is web deployed and/or web updated. For complete installation information, refer to Release Notes for Cisco AnyConnect VPN Client, Release 2.2.

Differences Between Windows Vista/Windows 7 and Pre-Vista Start Before Logon

The procedures to enable SBL differ slightly on Windows Vista and Windows 7 systems. Pre-Vista systems use a component called virtual private network graphical identification and authentication (VPNGINA) to implement SBL. Vista and Windows 7 systems use a component called PLAP to implement SBL.

In the AnyConnect client, the Windows Vista Start Before Logon feature is known as the Pre-Login Access Provider (PLAP), which is a connectable credential provider. This feature lets network administrators perform specific tasks, such as the collection of credentials or connection to network resources, prior to login. PLAP provides Start Before Logon functions on Windows Vista, Windows 7 and the Windows 2008 server. PLAP supports 32-bit and 64-bit versions of the operating system with vpnplap.dll and vpnplap64.dll, respectively. The PLAP function supports Windows Vista x86 and x64 versions.

Note: In this section, VPNGINA refers to the Start Before Logon feature for pre-Vista platforms, and PLAP refers to the Start Before Logon feature for Windows Vista and Windows 7 systems.

In pre-Vista systems, Start Before Logon uses a component known as the VPN Graphical Identification and Authentication Dynamic Link Library (vpngina.dll) to provide Start Before Logon capabilities. The Windows PLAP component, which is part of Windows Vista, replaces the Windows GINA component.

A GINA is activated when a user presses the Ctrl+Alt+Del key combination. With PLAP, the Ctrl+Alt+Del key combination opens a window where the user can choose either to log in to the system or activate any Network Connections (PLAP components) with the Network Connect button in the lower-right corner of the window.

The sections that immediately follow describe the settings and procedures for both VPNGINA and PLAP SBL. For a complete description of enablement and use of the SBL feature (PLAP) on a Windows Vista platform, refer to Configuring Start Before Logon (PLAP) on Windows Vista Systems.

XML Settings to Enable SBL

The element value for UseStartBeforeLogon allows this feature to be turned on (true) or off (false). If you set this value to true in the profile, additional processing occurs as part of the logon sequence. See the Start Before Logon description for additional details. Set the <UseStartBeforeLogon> value in the CiscoAnyConnect.xml file to true to enable SBL:

In order to disable SBL, set the same value to false.

In order to enable the UserControllable feature, use this statement when you enable SBL:

Any user setting associated with this attribute is stored elsewhere.

Enable SBL

In order to minimize download time, the AnyConnect client requests downloads (from the security appliance) only of core modules that it needs for each feature that it supports. In order to enable new features, such as SBL, you must specify the module name with the svc modules command from group policy WebVPN or username WebVPN configuration mode:

The string value for SBL is vpngina.

In this example, the network administrator enters group-policy attributes mode for the group policy telecommuters; enters WebVPN configuration mode for the group policy; and specifies the string VPNGINA to enable SBL:

In addition, the administrator must ensure that the AnyConnect <profile.xml> file, where <profile.xml> is the name that the network administrator has assigned to the XML file, has the <UseStartBeforeLogon> statement set to true, for example:

The system must be rebooted before Start Before Logon takes effect. You must also specify on the security appliance that you want to allow SBL, or any other modules for additional features. Refer to the description in the Enabling Modules for Additional AnyConnect Features, page 2-5 (ASDM) section or Enabling Modules for Additional AnyConnect Features, page 3-4 (CLI) for more information.

Start Before Logon Configuration with CLI

This scenario shows you how to set up the XML file with CLI:

  1. Create a profile to be pushed down to the client PCs that looks similar to this:

  2. Copy the file to the Flash on the security appliance:

  3. On the security appliance, add the profile as an available profile to the WebVPN global section, as long as everything else is set up correctly for AnyConnect connections:

  4. Edit the group policy that you use, and add the svc modules and svc profile commands:
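As an added example (not from this document and not Cisco's code), a small Python helper that reads an AnyConnect client profile, reports whether <UseStartBeforeLogon> is true, and sets it together with its UserControllable attribute. It covers the setting described under XML Settings to Enable SBL and the profile created in step 1 of both the CLI and the ASDM procedures. The element nesting AnyConnectProfile/ClientInitialization/UseStartBeforeLogon and the default namespace are taken from Profile Editor output rather than from this page, so confirm them against a profile exported from your own Profile Editor. The sample profile embedded below is constructed.

```python
"""Inspect and set Start Before Logon in an AnyConnect client profile.
Added example, not Cisco code.  Element path and namespace are as emitted
by the AnyConnect Profile Editor (assumption: verify against your profile)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

NS = "http://schemas.xmlsoap.org/encoding/"  # default namespace of Profile Editor output
ET.register_namespace("", NS)                 # serialize without an ns0: prefix
SBL_PATH = f"{{{NS}}}ClientInitialization/{{{NS}}}UseStartBeforeLogon"

# Constructed sample: SBL off, not user controllable.
SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.test</HostName>
      <HostAddress>vpn.example.test</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _parse(profile_xml: Union[str, bytes]) -> ET.Element:
    # Feed bytes so an encoding declaration in the prolog is honoured.
    data = profile_xml.encode("utf-8") if isinstance(profile_xml, str) else profile_xml
    return ET.fromstring(data)


def _sbl_element(root: ET.Element) -> ET.Element:
    el = root.find(SBL_PATH)
    if el is None:
        raise ValueError("profile has no ClientInitialization/UseStartBeforeLogon element")
    return el


def sbl_state(profile_xml: Union[str, bytes]) -> Dict[str, bool]:
    """Report whether SBL is enabled and whether the user may override it."""
    el = _sbl_element(_parse(profile_xml))
    return {"enabled": (el.text or "").strip().lower() == "true",
            "user_controllable": el.get("UserControllable", "false").lower() == "true"}


def set_sbl(profile_xml: Union[str, bytes], enabled: bool,
            user_controllable: bool = False) -> str:
    """Return the profile with <UseStartBeforeLogon> set as requested; the
    UserControllable attribute is written explicitly either way."""
    root = _parse(profile_xml)
    el = _sbl_element(root)
    el.text = "true" if enabled else "false"
    el.set("UserControllable", "true" if user_controllable else "false")
    return ET.tostring(root, encoding="unicode")


def sbl_problems(profile_xml: Union[str, bytes]) -> List[str]:
    """Checks to run before pushing the profile: well-formedness (the usual
    cause of the schema validation error), presence of the element, and value."""
    try:
        state = sbl_state(profile_xml)
    except ET.ParseError as exc:
        return [f"profile is not well-formed XML: {exc}"]
    except ValueError as exc:
        return [str(exc)]
    return [] if state["enabled"] else ["UseStartBeforeLogon is false; SBL is disabled"]


if __name__ == "__main__":
    print(sbl_problems(SAMPLE_PROFILE))
    enabled_profile = set_sbl(SAMPLE_PROFILE, enabled=True)
    print(sbl_state(enabled_profile), sbl_problems(enabled_profile))
```

Run sbl_problems over the file you are about to copy to flash or upload through ASDM; an empty list means the profile is well-formed, has the element in the expected place and has SBL turned on. Profiles produced by other tools may nest or namespace the element differently, which is why the path is kept in one constant.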

Start Before Logon Configuration with ASDM


Complete these steps to configure the SBL with ASDM:

  1. Create a profile to be pushed down to the client PCs that looks similar to this:

  2. Save the profile as AnyConnectProfile.xml in the local computer.

  3. Launch the ASDM, and go to the Home page.

  4. Go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add , and click the Internal Group Policy.

  5. Enter the name of the group policy, for example, SBL.

  6. Go to Advanced > SSL VPN Client. Remove the Inherit check mark in the Optional Client Module to Download, and choose vpngina from the drop-down box.

  7. In order to transfer the profile AnyConnectProfile.xml from the local computer to Flash, go to Tools, and click File Management.

  8. Click the File Transfer button.

  9. In order to transfer the profile from the local computer to ASA Flash memory, choose the Source File, path of the XML file (local computer), and the Destination File path as per your requirement.

  10. After the transfer, click the Refresh button to verify whether the profile file is in the Flash memory.

  11. Assign the profile to the internal group policy (SBL).

    Follow this path, Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Edit SBL ( Internal Group Policy ) > Advanced > SSL VPN Client > Client Profile to Download, and click the New button.

    In the Add SSL VPN Client Profiles, click the Browse button to choose the location of the profile(AnyConnectProfile.xml) stored in the ASA Flash memory. Assign the Name for the profile, for example, SBL. Click OK to complete.

  12. Remove the Inherit check box and choose SBL in the Client Profile to Download field. Click OK.

  13. Click Apply to complete.

Use the Manifest File

The AnyConnect package that is uploaded on the security appliance contains a file called VPNManifest.xml. This example shows a sample content of this file:

The security appliance has stored on it configured profiles, as explained in Step 1, and it also stores one or multiple AnyConnect packages that contain the AnyConnect client itself, downloader utility, manifest file, and any other optional modules or support files.

When a remote user connects to the security appliance with WebLaunch or a current standalone client, the downloader is downloaded first and run. It uses the manifest file to ascertain whether there is a current client on the remote user PC that needs to be upgraded, or a fresh installation is required. The manifest file also contains information about whether there are any optional modules that must be downloaded and installed, in this case, the VPNGINA. The client profile also is pushed down from the security appliance. The installation of VPNGINA is activated by the command svc modules value vpngina configured under the group-policy (webvpn) command mode as explained in Step 4. The AnyConnect client and VPNGINA are installed, and the user sees the AnyConnect Client at the next reboot, prior to Windows Domain logon.

When the user connects, the client and profile are passed down to the user PC; the client and VPNGINA are installed; and the user sees the AnyConnect client at the next reboot, prior to logon.

A sample profile is provided on the client PC when AnyConnect is installed: C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile\AnyConnectProfile.

Troubleshoot SBL

Use this procedure if you encounter a problem with SBL:

  1. Ensure that the profile is pushed.

  2. Delete prior profiles; search for them on the hard drive to find the location: *.xml.

  3. When you go to the Add/Remove programs, do you have both an AnyConnect installation and AnyConnect VPNGINA installation?

  4. Uninstall the AnyConnect client.

  5. Clear the AnyConnect log of the user in the Event Viewer and retest.

  6. Web browse back to the security appliance to reinstall the client.

  7. Make sure that the profile also appears.

  8. Reboot once. On the next reboot, you are prompted with the Start Before Logon prompt.

  9. Send the AnyConnect event log to Cisco in .evt format.

  10. If you see this error, delete the user profile and use the default profile:

Problem 1

This error message is seen while trying to upload the AnyConnect profile: Error in validating the XML file against the latest schema. How is this error resolved?

Solution 1

This error message mostly occurs due to the syntax or configuration issues in the AnyConnect profile. In order to resolve this issue, make sure that the AnyConnect profile configured is similar to the Sample AnyConnect Profile present in the Sample AnyConnect Profile and XML Schema section of the Cisco AnyConnect VPN Client Administrator Guide.


Related Information