11/30/2021, Tuesday

Cisco Anyconnect Start Before Logon


Cisco AnyConnect VPN Start before Logon

Note: if your device is already configured for Start Before Logon, skip to step 8.

  1. Launch the "Cisco AnyConnect Secure Mobility Client".
  2. Connect to vpn.njit.edu.
  3. Type in your UCID and password.
  4.

VPN - Cisco AnyConnect Start Before Login Module
Article ID: 1026
Last Updated: Wed, Apr 1, 2020 at 11:29 AM

This article outlines the process of connecting to the VPN prior to login.

  1. Cisco Anyconnect Start Before Logon Download
  2. Cisco Anyconnect At Logon Screen

Cisco Anyconnect Start Before Logon Download

This article refers to the Cisco AnyConnect VPN. If you're looking for information on the Prisma Access VPN Beta that uses the GobalConnect app, see: Prisma Access VPN Beta Landing Page.
If you're not sure which service you're using, see: How do I know if I'm using the Cisco AnyConnect VPN or the Prisma Access VPN Beta?

Context


Cisco offers a Start Before Logon (SBL) VPN component that provides a mechanism for joining MIT's network through the VPN before the usual Windows logon. This ensures that a computer can contact the domain controller for authentication and receive Group Policy. It also provides network connectivity at logon for mapped drives and printers, and for other MIT services that are normally available only while connected to MIT's network. Overall, this gives a computing experience that more closely replicates being on campus.

Deploying the Start Before Logon Module via MECM

The End User Computing team has provided a Cisco AnyConnect Start Before Logon package in MECM for you to deploy to your computers. This package is listed under MIT Applications and is labeled as 'EPM - Cisco AnyConnect VPN Client VersionNumber with Start Before Login Module'. This application will install both the Start Before Logon component as well as the main Cisco AnyConnect VPN client.

Cisco Anyconnect At Logon Screen

This package includes a component that provides an additional logon field at the Windows logon screen. This is located in the lower right corner of the logon screen as illustrated in the screenshot below.

Not Seeing the VPN Button at the Windows logon screen?
You may need to log on with a local account and/or reboot the computer before the Start Before Logon field is active.

Once you've started the VPN logon process, simply proceed to authenticate to the VPN as usual.

Additionally, the Cisco AnyConnect VPN Client with Start Before Login Module has been made available in the Software Center for most computers already. Unless you've opted out your computer collection from receiving the standard set of software deployments, you should see this application in the Software Center on your client computers.

Installing the Cisco AnyConnect with SBL using the Software Center:

  1. Connect to an MIT VPN connection.
  2. Click the Windows key and type 'Software Center'.
  3. Search for 'Cisco AnyConnect VPN Client (with Start Before Login Module)'.
  4. Click 'Install'.
  5. Upon installation your computer will need to restart.

If you get the error 'The software change returned error code 0x87d00607', MECM may need to check in and retrieve your computer's policy, which can take up to 15 minutes. To trigger this manually:

  1. Click the Windows key and type 'Control Panel'.
  2. In the search bar in the top right type 'Configuration Manager'.
  3. Click the Actions tab.
  4. Select 'User Policy Retrieval & Evaluation Cycle'.
  5. Click Run Now.

AnyConnect SBL allows users to connect to the VPN before signing into their laptop/desktop. This is useful for companies that want all of their laptops to use Active Directory for sign-in but need a secure way to reach the AD server.

  • Must be using the AnyConnect client, and the user must be using a Windows 7 or XP machine. This does not work with 8+ from what I have tested.
  1. Create the default configuration for the AnyConnect VPN.
    Note: If you plan on using a self-signed certificate, the FQDN must be the IP of the firewall, or the customer must set up a DNS entry for the FQDN.
  2. Upload the SBL.xml page to the firewall.
    The key thing to change is the value inside the <UseStartBeforeLogon> element, which must be true. If you are already using an XML profile, you can edit this line in it (or add the element if it is missing) for this configuration to work.
  3. Add the SBL.xml file to the webvpn settings. The profile name you assign here (SBL below) is the name the group-policy refers to in the next step, so the two must match.

    ASA 8.x Code
    webvpn
     svc profiles SBL disk0:/SBL.xml

    ASA 9.x Code
    webvpn
     anyconnect profiles SBL disk0:/SBL.xml

  4. Add this profile along with the vpngina module to the group-policy that you applied to your AnyConnect VPN tunnel-group (replace <YourGroupPolicy> with your policy name; the profile name must match the one defined in step 3).

    ASA 8.x Code
    group-policy <YourGroupPolicy> attributes
     webvpn
      svc profiles value SBL
      svc modules value vpngina

    ASA 9.x Code
    group-policy <YourGroupPolicy> attributes
     webvpn
      anyconnect profiles value SBL
      anyconnect modules value vpngina
  5. Connect to the VPN as a new session to make sure that your new profile gets pushed from the Firewall.
  6. If you used a CA-issued (authorized) certificate, proceed to step 8; otherwise, follow the self-signed certificate steps in step 7.
  7. Self-signed certificate steps

    1. Go to https://<Firewall IP>
    2. Click the lock icon in the URL bar, click "More information", then click "View certificate".
    3. Go to the Details tab and click Export. Save it as an X.509 certificate with chain (PEM) (*.crt, *.pem).
    4. Run the Microsoft Management Console by entering "mmc" in the Run or search box (requires administrator permissions).
    5. In the MMC utility, go to File and click "Add/Remove Snap-in".
    6. Add the Certificates snap-in, and set it to "Computer account", then "Local computer".
    7. Open Trusted Root Certification Authorities, right-click Certificates, and click Import.
    8. Locate the file you saved earlier and import it.
    9. Save the console configuration. The name doesn't matter.
  8. Reboot the machine. Once rebooted you can click on switch users and see the following icon:
  9. Use this button to login to the VPN before logging into the OS.
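As an added example (not from the original article, and not Cisco's own tooling), the following Python script performs the step 2 profile edit programmatically: it sets the value of <UseStartBeforeLogon> to true, adding the element when the profile does not have one, and then verifies the result before the file is uploaded to the firewall. The sample profile, host name and the UserControllable handling are constructed for illustration; the element names and the ClientInitialization/UseStartBeforeLogon path follow the AnyConnect client profile layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample modeled on an AnyConnect client profile (assumption: the
# default namespace below is the one the profile editor writes; the host name
# is a placeholder, not a real VPN headend).
NS = "http://schemas.xmlsoap.org/encoding/"
SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
    <AutoReconnect UserControllable="false">true</AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.invalid</HostName>
      <HostAddress>vpn.example.invalid</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def enable_sbl(profile_xml: str, user_controllable: bool = False) -> str:
    """Return the profile with ClientInitialization/UseStartBeforeLogon set to true.

    Creates ClientInitialization and/or UseStartBeforeLogon when they are absent,
    so the same function works for a fresh profile and for an existing one.
    """
    ET.register_namespace("", NS)  # keep the default namespace on output
    root = ET.fromstring(profile_xml)

    ci = root.find(f"{{{NS}}}ClientInitialization")
    if ci is None:
        ci = ET.SubElement(root, f"{{{NS}}}ClientInitialization")
        # ClientInitialization precedes ServerList in the profile, so move it first.
        root.remove(ci)
        root.insert(0, ci)

    sbl = ci.find(f"{{{NS}}}UseStartBeforeLogon")
    if sbl is None:
        sbl = ET.SubElement(ci, f"{{{NS}}}UseStartBeforeLogon")
    sbl.text = "true"
    # UserControllable="false" keeps the end user from switching SBL off in the client.
    sbl.set("UserControllable", "true" if user_controllable else "false")
    return ET.tostring(root, encoding="unicode")


def sbl_enabled(profile_xml: str) -> bool:
    """Check a profile the way a reviewer would before uploading it: is SBL on?"""
    root = ET.fromstring(profile_xml)
    sbl = root.find(f"{{{NS}}}ClientInitialization/{{{NS}}}UseStartBeforeLogon")
    return sbl is not None and (sbl.text or "").strip().lower() == "true"


if __name__ == "__main__":
    updated = enable_sbl(SAMPLE_PROFILE)
    print(updated)
    print("SBL enabled:", sbl_enabled(updated))
```

Run the checker against the file you intend to upload as SBL.xml; a profile that parses but still reports false is the most common reason the logon-screen VPN button never appears. Leaving UserControllable at false is a deliberate choice here so that a user cannot disable SBL locally and then fail to reach the domain controller at logon.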