I work for County Government and we are attempting to switch from the Cisco VPN Client to the AnyConnect Client. It seems to work great when you have a single user assigned to a pc, however, it is a different story when you have multiple users assigned to one machine. Basically we do not know who will be logging into a machine during a certain day so we could have 5-6 users needing one pc and all of them being able to use the AnyConnect when they log in with their own Windows credentials. I understand there is an .XML file out there with some information that is needed but is there a way to modify it and place in each user's profile so that it will work for all of them? Any help would be greatly appreciated. Thank you!
A copy of the XML profile is placed in their directory when an individual successfully establishes a Remote Access VPN session using AnyConnect and is successfully authenticated. I do not believe that there is any individual user information stored in the XML profile so I do not believe that the profile is part of your problem and do not see how it would solve your problem.
Can you provide some details about what problems you are having when multiple users are using the same PC? As long as each user does have appropriate credentials in whatever you are using to authenticate VPN users then I am not sure what the problem would be with different users coming from the same PC.
Thank you for your fast response Rick! The issue we are having is when we go to log in as a second user we get a message stating "Please enter a secure gateway to connect to". This is after we set up the main user of a pc on the ASA and configure them on the pc. When you enter in the URL in the AnyConnect it comes up with a second box "Certificate Validation Failure" and prompts the user for a username and password.
Let me further explain this by saying we set up a user in the ASA (let's call him "Bob"), get Bob set up on his pc with installing the certificate and then we have a second user (let's call her "Susie") log in the same pc and we get the above issues.
By default, a locally logged-in user can establish a VPN connection only when no other local user is logged in. The VPN connection is terminated when the user logs out, and additional local logons during a VPN connection result in the connection being torn down. Remote logons and logoffs during a VPN connection are unrestricted.
With this feature, AnyConnect disconnects the VPN connection when the user who established the VPN connection logs off. If the connection is established by a remote user, and that remote user logs off, the VPN connection is terminated.
You can use the following settings for Windows Logon Enforcement:
• Single Local Logon—Allows only one local user to be logged on during the entire VPN connection. With this setting, a local user can establish a VPN connection while one or more remote users are logged on to the client PC, but if the VPN connection is configured for all-or-nothing tunneling, then the remote logon is disconnected because of the resulting modifications of the client PC routing table for the VPN connection. If the VPN connection is configured for split-tunneling, the remote logon might or might not be disconnected, depending on the routing configuration for the VPN connection. The SingleLocalLogin setting has no effect on remote user logons from the enterprise network over the VPN connection.
• SingleLogon—Allows only one user to be logged on during the entire VPN connection. If more than one user is logged on, either locally or remotely, when the VPN connection is being established, the connection is not allowed. If a second user logs on, either locally or remotely, during the VPN connection, the VPN connection is terminated.
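The two Windows Logon Enforcement settings quoted above, modelled as an added example (not code from this thread or from Cisco). It assumes the setting is carried in the profile's `WindowsLogonEnforcement` element with the values `SingleLocalLogon` and `SingleLogon`, and that an absent element means the default behaviour; the sample profile and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile fragment (not taken from the thread).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
  </ClientInitialization>
</AnyConnectProfile>"""

# Assumption: an absent element behaves like the default described above.
DEFAULT = "SingleLocalLogon"


def logon_enforcement(profile_xml):
    """Return the WindowsLogonEnforcement value, ignoring XML namespaces."""
    root = ET.fromstring(profile_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "WindowsLogonEnforcement":
            return (el.text or "").strip() or DEFAULT
    return DEFAULT


def may_establish(setting, local_users, remote_users):
    """Can a VPN session be established with these Windows logons present?"""
    if setting == "SingleLogon":
        # Exactly one logged-on user in total, local or remote.
        return local_users + remote_users == 1
    if setting == "SingleLocalLogon":
        # Exactly one local user; remote logons do not block establishment.
        return local_users == 1
    raise ValueError(f"unknown WindowsLogonEnforcement value: {setting!r}")


def survives_new_logon(setting, new_logon_is_local):
    """Does an established VPN session survive an additional Windows logon?"""
    if setting == "SingleLogon":
        return False  # any second logon, local or remote, terminates the VPN
    if setting == "SingleLocalLogon":
        return not new_logon_is_local  # only a second local logon tears it down
    raise ValueError(f"unknown WindowsLogonEnforcement value: {setting!r}")


if __name__ == "__main__":
    setting = logon_enforcement(SAMPLE_PROFILE)
    # One user at the console and nobody else logged on: allowed by either setting.
    print(setting, may_establish(setting, local_users=1, remote_users=0))
```

With a single user logged on at a time, `may_establish` is true under both settings, so logon enforcement only comes into play once a second Windows session exists on the PC.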
Thanks for your response Naresh. The scenario you presented sounds like when more than one person is logged in at the same time. The scenario we are looking at is when only one person is logged in, yet the login credentials do not seem to follow to the second user (the user that was not originally set up in our ASA). So let's say "Bob" was set up but "Susie" needs to use his computer on a day when he is out. She logs in with her Windows domain credentials but the AnyConnect is asking for a username/password. I attempted to copy and paste the XML file that was created under "Bob's" profile and move it to "Susie's" but it still asks for a username/password.