AnyConnect-Always-On - is this a real thing?

I know Microsoft has its Always On VPN on Win10. I don't mean Microsoft's DirectAccess VPN implementation, which is a Microsoft-only network technology. I mean Microsoft's Always On VPN, which is vendor agnostic. See here if you don't believe me… Always On VPN - Config & Compatibility

Anyway, sorry about trying to slay dragons before I get to the question.

We are a Cisco shop, with AnyConnect clients connecting through to our ASA/Firepower appliances. We currently only do this after the user has logged on [user profile]. However, we have a use case for a solution where a user is remote and receives a device they haven't logged on to before (so no cached Windows user profile). Now I know that Win10 Always On VPN will do this using SSLVPN/SSTP [machine profile], and it might even play nice with the Cisco ASA/Firepower appliances, but as we are a Cisco shop, and the AnyConnect 4.8 client is already out there, I wanted to know if I can do the same with Cisco AC 4.8.

If an AnyConnect machine profile is possible, that starts the VPN as the machine boots, and uses a machine certificate to authenticate the device so the device is on the network before user logon, how do you do this?

Is it documented?

If it isn't possible with the AnyConnect 4.8 client, how do I configure Windows 10 Always On VPN to play nicely with the Cisco ASA/Firepower appliance?
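For the Windows side of the question above, here is an added example (not code from the thread, Cisco or Microsoft) of a Windows 10 Always On VPN device tunnel profile: it comes up at boot, authenticates with the machine certificate, and is installed through the VPNv2 CSP so it lives under the machine, not a user profile. Assumptions that are not in the thread: the gateway name vpn.example.com, the profile name, and the 10.10.0.0/16 management subnet are placeholders; the gateway must terminate IKEv2 with certificate authentication for the Windows built-in client (device tunnels only support IKEv2 and machine-certificate authentication); a client-authentication certificate must already sit in the machine store; and the script has to run as SYSTEM (for example via psexec -s powershell.exe) on Windows 10 1709 or later Enterprise.

```powershell
# Added example: install a Windows 10 Always On VPN device tunnel via the VPNv2 CSP.
# Placeholders (assumptions, not from the thread): profile name, gateway FQDN, internal subnet.
# Must run in the SYSTEM context; device tunnels belong to the machine, not a user.

$ProfileName = 'Corp Device Tunnel'     # assumption: any profile name
$VpnServer   = 'vpn.example.com'        # assumption: placeholder IKEv2 gateway

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$VpnServer</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <!-- assumption: only the management/AD subnet is reachable pre-logon -->
  <Route>
    <Address>10.10.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
"@

# The CSP stores the XML as a string, so angle brackets and quotes must be escaped.
$EscapedXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$Namespace = 'root\cimv2\mdm\dmmap'
$Class     = 'MDM_VPNv2_01'
$ParentID  = './Vendor/MSFT/VPNv2'
$Instance  = $ProfileName -replace ' ', '%20'   # InstanceID is URL-encoded

$Session = New-CimSession

# Delete a stale copy first so the script can be re-run safely.
$Existing = Get-CimInstance -Namespace $Namespace -ClassName $Class -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceID -eq $Instance }
if ($Existing) { $Session.DeleteInstance($Namespace, $Existing) | Out-Null }

$New = New-Object Microsoft.Management.Infrastructure.CimInstance $Class, $Namespace
foreach ($p in @(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   $ParentID,   'String', 'Key'),
    [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $Instance,   'String', 'Key'),
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $EscapedXML, 'String', 'Property')
)) {
    $New.CimInstanceProperties.Add($p)
}
$Session.CreateInstance($Namespace, $New) | Out-Null

# Check: the profile is now present under the CSP node.
Get-CimInstance -Namespace $Namespace -ClassName $Class |
    Where-Object { $_.InstanceID -eq $Instance } |
    Select-Object InstanceID, ParentID
```

Two things worth checking before piloting: the route list decides what the machine can reach before anyone logs on, so it needs to cover domain controllers, the management servers and anything the logon process touches (a tunnel that only reaches AD makes first logon painfully slow); and the gateway must present a certificate the machine trusts and accept the machine certificate's EKU, otherwise the tunnel silently never comes up at boot.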

Look at SBL (Start Before Logon).

I have been using a feature called Management VPN Tunnel that was added in AC 4.7. It keeps a tunnel active until a user logs into AC (before or after Windows login).

Yes, you can use it. You will use device based certificate authentication. I’d recommend you just stick with what Cisco has though.

We are using it for field engineers. They are connecting to either 4G or untrusted Wi-Fi and always build a tunnel.
It's been in use since AC 3.1, with SBL in combination with machine certs.

No real issues with normal operations; only sizing and availability are much more important if you want to use the "fail close" feature.

Hey u/laddyulike did you ever get this implemented? I really want a ‘true’ AO-VPN solution that establishes the VPN connection BEFORE Windows logon, and WITHOUT user intervention. It needs to happen automatically, so that our management software can control the device as long as it is powered on (and has internet). From what I can tell in the Cisco docs, AC Always-On feature only auto-connects VPN AFTER the user has logged into Windows…

If Always-On is enabled, but the user does not log on, AnyConnect does not establish the VPN connection. AnyConnect starts the VPN connection only post-login.

No, I didn't go down the MS route. Instead I followed up on the suggestion in this thread from u/routeallthings to use the Cisco AnyConnect Management VPN Tunnel.

Just finishing it off ready for pilot now. During the journey we discovered that if your DMZ firewall rules are too locked down, users can be impacted by the management tunnel VPN at login; we observed a login time of 30 minutes in test. This was because the login process could see AD and little else. Having refined the firewall rules, user login is now down to several seconds, and device management works very well.

How does Always-On work with captive portals? We've got quite a few road warriors that run into captive portals in hotels, conference spaces, etc.

I did, but I couldn't work out if it needed a pre-existing Windows user profile to allow the user to authenticate the start of the AC VPN prior to Windows logon.

To be honest, because SBL "enhances" the Windows GINA, we always avoid that, because GINA replacement tools caused us a world of pain in NT4/XP.

However, this is a needs-must situation, and if SBL doesn't need a pre-existing/cached Windows user profile to work then it's a goer. So does SBL need a cached Windows user profile to work?

Thank you, I'll go see if we are covered for licences for this feature. An excellent reply btw.

Sorry, I don't know. We block captive portals because they represent a potential man-in-the-middle attack vector. However, if I remember correctly, AnyConnect does have settings for captive portals. Can anyone else provide some guidance on this one?
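To make the captive-portal question concrete, here is an added example (not from the thread or from Cisco) of the probe a VPN client runs before it tries to bring the tunnel up: fetch a well-known plain-HTTP URL with redirects disabled and compare the answer with what the real origin is known to return. A portal either redirects the request to its login page or answers with its own page in place of the expected body; both are distinguishable from a working path and from no connectivity at all. The Microsoft NCSI probe URL and its fixed response body are used here as an assumption; any probe with a fixed, known response works the same way.

```powershell
# Added example: detect a captive portal the way a VPN client does, before connecting.
# Assumption: the NCSI probe URL and expected body below; swap in any fixed-response probe.

Add-Type -AssemblyName System.Net.Http   # needed on Windows PowerShell 5.1, harmless on 7+

function Test-CaptivePortal {
    param(
        [string]$ProbeUrl     = 'http://www.msftconnecttest.com/connecttest.txt',
        [string]$ExpectedBody = 'Microsoft Connect Test',
        [int]   $TimeoutSeconds = 5
    )

    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false      # a 3xx to a login page is exactly the signal we want
    $client  = [System.Net.Http.HttpClient]::new($handler)
    $client.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)

    try {
        $resp     = $client.GetAsync($ProbeUrl).GetAwaiter().GetResult()
        $status   = [int]$resp.StatusCode
        $body     = $resp.Content.ReadAsStringAsync().GetAwaiter().GetResult().Trim()
        $location = if ($resp.Headers.Location) { $resp.Headers.Location.ToString() } else { $null }
    }
    catch {
        # DNS failure, TCP refused, or timeout: there is no usable path at all.
        return [pscustomobject]@{
            Verdict = 'NoConnectivity'; Status = $null; Location = $null; Detail = $_.Exception.Message
        }
    }
    finally {
        $client.Dispose()
    }

    if ($status -ge 300 -and $status -lt 400) {
        $verdict = 'CaptivePortal'       # redirected to the portal's login page
    }
    elseif ($status -eq 200 -and $body -eq $ExpectedBody) {
        $verdict = 'Open'                # the genuine origin answered; safe to start the VPN
    }
    else {
        $verdict = 'Intercepted'         # 200 with foreign content, or an error page in the middle
    }

    [pscustomobject]@{
        Verdict  = $verdict
        Status   = $status
        Location = $location
        Detail   = $body.Substring(0, [Math]::Min(80, $body.Length))
    }
}

Test-CaptivePortal
```

The probe is deliberately plain HTTP: a portal can only intercept HTTPS by presenting its own certificate, which is the man-in-the-middle concern raised above, so a client that sees an unexpected certificate on an HTTPS probe should treat it as interception rather than "trust and continue". A tunnel-first client would run this check, surface the portal login to the user only when the verdict is CaptivePortal, and refuse to pass ordinary traffic in the meantime.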

To be honest, because SBL "enhances" the Windows GINA, we always avoid that, because GINA replacement tools caused us a world of pain in NT4/XP.

I might re-evaluate a 20+ year-old stance.

Check out this video; it explains everything step by step.

It does not need an existing user profile.

I set a few notebooks up this weekend using it for the first time. Works great. I did VPN under the local account, added it to the domain, rebooted, started the VPN from the login screen and then signed in with my domain user. Worked just like you would expect it should.

I’ve been deploying GINA/SBL for years now.

There is no better way to rig a computer and give it to a new user for VPN access.

Sadly, many companies make decisions that way.

I have never seen that site before. It would’ve helped me innumerable times in the past. You fucking rock. Thank you.

I know that all too well working for a multi-national. The thought process and the things that stick with people are… impressive. It’s a big uphill battle to change how they think.

Yeah, Metha the instructor is awesome and has been doing tutorials forever. Glad I could share it with you!