Meraki

Community

Anyconnect VPN Pre-logon message

CaptainBeRad
Here to help
‎Oct 20 2021 1:01 PM
‎Oct 20 2021 1:01 PM

Anyconnect VPN Pre-logon message

Hi Everyone, hoping somebody has had experience with this. I am working on a VPN deployment with MX250 and Anyconnect. Everything is working great, I even got MFA to work with AzureAD via NPS. The problem I have is that users are not realizing they are supposed to look at their phone for the Microsoft Authenticator push. Meraki with Anyconnect doesn't support an interactive prompt for 2FA, but I can do a push via MFA extension on the RADIUS server. The push works and everything works when I test it but I want to pop a message for the user at some point during the process. 

 

I explored a prompt for MFA but it isn't supported, so I am researching the "showprelogon message" attribute of the anyconnect profile. I'm having trouble finding useful documentation. In the anyconnect XML you can see this section

 

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>true</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreLinux>All</CertificateStoreLinux>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>

 

 

I want to make that part "True" and populate a message (basically telling the user to enter creds then expect a microsoft authenticator push), but I'm not sure where to put the message or the XML syntax required to define the message string. Anyone have any examples, or am I barking up the wrong tree here? I was thinking maybe this might be an ASA only thing where the message is defined on an ASA group policy but I'm not sure.

 

-Brad

Labels:
0 Kudos
5 Replies 5
Brash
Kind of a big deal
Kind of a big deal
‎Oct 20 2021 2:12 PM
‎Oct 20 2021 2:12 PM

Probably not of much help here as my Anyconnect knowledge is very limited but it's definitely possible.

My previous company had something similar.

 

Looking at the XML schema, I don't see anywhere to insert a message via XML directly.

However, the description indicates it should be editable in the message catalog.

 

+        <!--
+            This control enables an administrator to have a one time message
+            displayed prior to a users first connection attempt.  As an example,
+            the message could be used to remind a user to insert their smart
+            card into it's reader. 
+
+            The message to be used with this control is localizable and can be
+            found in the AnyConnect message catalog.
+            (default: "This is a pre-connect reminder message.")
+          -->
+        <ShowPreConnectMessage>false</ShowPreConnectMessage>

Source: [PATCH] Provide profile.xml for AnyConnect (infradead.org)

 

 

Looks like the message string is under localization settings

Solved: SSL VPN (AnyConnect) and Customize Preconnect Message - Cisco Community

 

 

In response to Brash
CaptainBeRad
Here to help
‎Oct 21 2021 6:23 AM
‎Oct 21 2021 6:23 AM

I found this too, but I think that this method is only valid on ASA's. There doesn't appear to be a way in Meraki to edit these message ID's or the catalog on the Meraki MX platform.

0 Kudos
In response to CaptainBeRad
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 21 2021 12:30 PM
‎Oct 21 2021 12:30 PM

That method would be painful.  You would have to create an AnyConnect transform for the installer (an additional MSI).  You'll pretty much need to be a developer to have the right tools to be able to do this.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/gui...

 

I bet it won't be too long and your users will get used to checking their phones'.

In response to CaptainBeRad
Brash
Kind of a big deal
Kind of a big deal
‎Oct 21 2021 2:32 PM
‎Oct 21 2021 2:32 PM

Sorry, when writing up the reply, i forgot that this would be specific to Meraki (*facepalm*).

Yes, the information I provided was for an ASA.

0 Kudos
In response to Brash
Seirui
Just browsing
‎Aug 7 2023 4:21 PM
‎Aug 7 2023 4:21 PM

Still not available on the MX Anyconnect. I was looking for a way to modify the MFA prompt window, which looks identical to the regular prompt window, except it says "Login error." instead of "Login failed.". Unfortunately, this would require a transform file or something.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_on_ASA_vs._...

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.