Anyconnect VPN Pre-logon message

CaptainBeRad
Here to help

Anyconnect VPN Pre-logon message

Hi Everyone, hoping somebody has had experience with this. I am working on a VPN deployment with MX250 and Anyconnect. Everything is working great, I even got MFA to work with AzureAD via NPS. The problem I have is that users are not realizing they are supposed to look at their phone for the Microsoft Authenticator push. Meraki with Anyconnect doesn't support an interactive prompt for 2FA, but I can do a push via MFA extension on the RADIUS server. The push works and everything works when I test it but I want to pop a message for the user at some point during the process. 

 

I explored a prompt for MFA but it isn't supported, so I am researching the "showprelogon message" attribute of the anyconnect profile. I'm having trouble finding useful documentation. In the anyconnect XML you can see this section

 

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
<ShowPreConnectMessage>true</ShowPreConnectMessage>
<CertificateStore>All</CertificateStore>
<CertificateStoreMac>All</CertificateStoreMac>
<CertificateStoreLinux>All</CertificateStoreLinux>
<CertificateStoreOverride>false</CertificateStoreOverride>
<ProxySettings>Native</ProxySettings>

 

 

I want to make that part "True" and populate a message (basically telling the user to enter creds then expect a microsoft authenticator push), but I'm not sure where to put the message or the XML syntax required to define the message string. Anyone have any examples, or am I barking up the wrong tree here? I was thinking maybe this might be an ASA only thing where the message is defined on an ASA group policy but I'm not sure.

 

-Brad

5 REPLIES 5
Brash
Kind of a big deal
Kind of a big deal

Probably not of much help here as my Anyconnect knowledge is very limited but it's definitely possible.

My previous company had something similar.

 

Looking at the XML schema, I don't see anywhere to insert a message via XML directly.

However, the description indicates it should be editable in the message catalog.

 

+        <!--
+            This control enables an administrator to have a one time message
+            displayed prior to a users first connection attempt.  As an example,
+            the message could be used to remind a user to insert their smart
+            card into it's reader. 
+
+            The message to be used with this control is localizable and can be
+            found in the AnyConnect message catalog.
+            (default: "This is a pre-connect reminder message.")
+          -->
+        <ShowPreConnectMessage>false</ShowPreConnectMessage>

Source: [PATCH] Provide profile.xml for AnyConnect (infradead.org)

 

 

Looks like the message string is under localization settings

Solved: SSL VPN (AnyConnect) and Customize Preconnect Message - Cisco Community

 

 

I found this too, but I think that this method is only valid on ASA's. There doesn't appear to be a way in Meraki to edit these message ID's or the catalog on the Meraki MX platform.

That method would be painful.  You would have to create an AnyConnect transform for the installer (an additional MSI).  You'll pretty much need to be a developer to have the right tools to be able to do this.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/gui...

 

I bet it won't be too long and your users will get used to checking their phones'.

Brash
Kind of a big deal
Kind of a big deal

Sorry, when writing up the reply, i forgot that this would be specific to Meraki (*facepalm*).

Yes, the information I provided was for an ASA.

Still not available on the MX Anyconnect. I was looking for a way to modify the MFA prompt window, which looks identical to the regular prompt window, except it says "Login error." instead of "Login failed.". Unfortunately, this would require a transform file or something.

 

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_on_ASA_vs._...

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels