Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Anyconnect Windows profile settings mandate a single local user - Way to disable?

Is their a way to disable this restriction:

"profile settings mandate a single local user"

We do alot of remote domain joins where we login as the local user, fireup the VPN, join to the domain, reboot, login as the local user, fireup the vpn, switch users to the domain user and let it sync gpo',shares,printers etc..

Works fine with the old IPpsec clients but the anyconnect dumps this error when you try and login as the domain user with the local user.

Thanks,

4 REPLIES
Hall of Fame Super Silver

Anyconnect Windows profile settings mandate a single local user

I believe this behavior is goverened by the Anyconnect Cleitn Profile preferences under the Windows Logon Enforcement section. In there, you can choose "Single Logon" over the default "Single Local Logon". Reference

New Member

Anyconnect Windows profile settings mandate a single local user

The terminator is a Cisco 881, not asa.

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html#wp908545

I don't see a setting that allows 2 local users to be logged in and have an established VPN connection

Hall of Fame Super Silver

Anyconnect Windows profile settings mandate a single local user

Sorry, I'm not as familiar with using the IOS-based headend.

The setting in ASA-based VPN allows a user (one at a time) to be logged into VPN whether they are local users (default) or domain user (second, non-default choice). I'm not aware of any setting allowing two users (local or otherwise) to be logged into the remote access VPN simultaneously from one machine.

New Member

I know this thread is old but

I know this thread is old but I found it relevant to my question and hopefully Marvin or someone else can elaborate Windows Logon Enforcement behavior.

I find the Cisco's explanations confusing to me. At a first glance, "Single Local Logon" appears more restrictive compared to "Single Logon" because it is a default setting and because mentions a local user only - both opposed to "Single Logon". Yet, moving through "Single Logon" characteristics, I get a feeling that more restrictions apply here.

I was unsure what the author meant by "local user". Marvin's interpretation is more clear to me but in my test I could establish a Remote Access VPN regardless of whether I was logged on to RDP via a local account or via domain authentication.

So I also checked if there was any difference if I connect to Windows machine via RDP or via a VMWare console (however I realize the latter does not fulfill the purpose of a VPN session established from a RDP session). Again, no difference.

I hope someone can rephrase the feature description, especially by exposing the difference between its two settings. Thank you.

******************************************************************************************************************************************************************

Source: AnyConnect Profile Editor, Preferences (Part 1)

Windows Logon EnforcementAllows a VPN session to be established from a Remote Desktop Protocol (RDP) session. Split tunneling must be configured in the group policy. AnyConnect disconnects the VPN connection when the user who established the VPN connection logs off. If the connection is established by a remote user, and that remote user logs off, the VPN connection terminates.

  • Single Local Logon (Default)—Allows only one local user to be logged on during the entire VPN connection. Also, a local user can establish a VPN connection while one or more remote users are logged on to the client PC. This setting has no effect on remote user logons from the enterprise network over the VPN connection.
  • Single Logon—Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on, either locally or remotely, when the VPN connection is being established, the connection is not allowed. If a second user logs on, either locally or remotely, during the VPN connection, the VPN connection terminates. No additional logons are allowed during the VPN connection, so a remote logon over the VPN connection is not possible.

4678
Views
0
Helpful
4
Replies
CreatePlease login to create content