User starts Anyconnect VPN via SBL (authenticated via a machine certificate).
User can now login to Windows as AD user.
User has now logged in to his AD Windows account.
Now I need the SBL VPN session to disconnect automatically and re-authenticate automatically with the AD user's personal certificate, without user intervention.
I can use AnyConnect's ability to push and execute scripts on VPN clients to automate this process.
AnyConnect also has a CLI-based client I can use:
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpncli.exe
and the GUI client:
C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
vpncli.exe can perform the following tasks:
connect
disconnect
hosts
stats
state
block
Disconnect can be used whenever needed.
Connect can be used only if vpnui.exe is not running.
Otherwise you get a message:
>> error: Connect not available. Another AnyConnect application is running or this functionality was not requested by this application.
I can write a script that is launched by the AnyConnect GUI client (vpnui.exe).
The AnyConnect GUI client (vpnui.exe) runs with administrative rights, meaning launched scripts also run with administrative rights.
The script performs the following actions:
1) Disconnects the current SBL VPN session.
2) Kills the vpnui.exe process (needs admin rights).
3) Starts vpncli.exe (with standard user rights) and starts the VPN connection with the user's personal certificate.
4) Starts the vpnui.exe process.
If all 4 steps are automated via script(s), the user must enter a login name and password only when logging in to the Windows AD account.
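The four steps above as one PowerShell script, an added example that is not from the original post. It assumes the default AnyConnect install path listed above, a placeholder headend hostname, that vpnui.exe launches it with administrative rights as stated, that certificate authentication needs no interactive prompts, and that `runas /trustlevel:0x20000` is acceptable as the way to drop to a standard-user token.

```powershell
# Added example, not the original post's script. Assumptions: default
# AnyConnect path, placeholder headend name, launched elevated by vpnui.exe.
$AnyConnectDir = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client'
$VpnCli  = Join-Path $AnyConnectDir 'vpncli.exe'
$VpnUi   = Join-Path $AnyConnectDir 'vpnui.exe'
$VpnHost = 'vpn.example.invalid'   # placeholder for the ASA / headend hostname

# Step 1: drop the SBL session that was authenticated with the machine certificate.
& $VpnCli disconnect | Out-Null

# Step 2: stop the GUI; otherwise 'connect' is refused with the error quoted above.
Get-Process -Name 'vpnui' -ErrorAction SilentlyContinue | Stop-Process -Force
$deadline = (Get-Date).AddSeconds(10)
while ((Get-Process -Name 'vpnui' -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 200   # wait until the process has really exited
}

# Step 3: reconnect as a standard user so the user's personal certificate store is used.
# runas /trustlevel:0x20000 starts the program with a restricted (non-admin) token
# of the current user; the inner quotes keep the path with spaces intact.
$connectCmd = '"\"' + $VpnCli + '\" connect ' + $VpnHost + '"'
Start-Process -FilePath 'runas.exe' -ArgumentList "/trustlevel:0x20000 $connectCmd" -WindowStyle Hidden

# Poll the tunnel state instead of trusting the launcher's exit; 'state' is read-only.
$deadline = (Get-Date).AddSeconds(60)
$connected = $false
while (-not $connected -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 2
    $state = & $VpnCli state
    $connected = ($state -match 'state: Connected').Count -gt 0
}
if (-not $connected) {
    Write-Warning "AnyConnect did not reach Connected state within 60 s; last output:`n$($state -join "`n")"
}

# Step 4: bring the GUI back for the user regardless, so they can see the tunnel status.
Start-Process -FilePath $VpnUi
```

Run it from the same session vpnui.exe launches it in; if the headend requires a group selection or banner acknowledgement, vpncli.exe will wait for input and the 60-second poll will time out with the warning.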
to be continued...