2

I use Cisco AnyConnect (4.2.05015) on Win10 Enterprise to handle my WiFi connections and VPN connections. Currently, whenever AnyConnect connects to WiFi it automatically attempts to connect to one of my VPN access points. I would like to disable this behavior. AnyConnect should only connect to VPN when I press the appropriate "Connect" button, but it should not attempt to connect to VPN automatically. How can I accomplish this?

Update C:/ProgramData/Cisco/Cisco AnyConnect Secure Mobility Client/Profile/

    <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="true">true
        <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="true">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>true
        <TrustedDNSDomains>...</TrustedDNSDomains>
        <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
        <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
        <AlwaysOn>false
        </AlwaysOn>
    </AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
        <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <CertificateMatch>
        <KeyUsage>
            <MatchKey>Key_Encipherment</MatchKey>
            <MatchKey>Digital_Signature</MatchKey>
        </KeyUsage>
        <ExtendedKeyUsage>
            <ExtendedMatchKey>ClientAuth</ExtendedMatchKey>
        </ExtendedKeyUsage>
        <DistinguishedName>
            <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Enabled">
                <Name>ISSUER-CN</Name>
                <Pattern>Seamless Access CA</Pattern>
            </DistinguishedNameDefinition>
        </DistinguishedName>
    </CertificateMatch>
    <EnableAutomaticServerSelection UserControllable="true">false
        <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
        <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
</ClientInitialization>

(TrustedDNSDomains has been removed for privacy reasons).

ChaimKut
  • 543
  • Is Trusted Network Detection enabled in the VPN profile ? – Mahesh May 29 '17 at 13:30
  • @Mahesh you are probably correct. I am using a laptop with my company's OS image and it looks like it does not include AnyConnect Profile Editor or Adaptive Security Device Manager. Any ideas how I can modify my VPN profiles? Perhaps via the Windows Registry? – ChaimKut May 30 '17 at 05:43
  • Modifying profile is not a good idea as the profile gets updated whenever you make a connection to a VPN access point. However, if the admin has made TND feature user controllable, you can achieve what you are looking for. If you click on VPN (it is actually a clickable link) on UI, it will bring up user preferences. And if the admin has made TND feature user controllable, you can disable the feature in preferences window. This will help not to initiate an automation connection on changing WiFi networks. – Mahesh May 30 '17 at 19:54
  • @Mahesh Unfortunately it looks like this is disabled by my administrator. In any event, if you copy/paste your solution into an "Answer" below, I will be glad to accept it as the official answer. – ChaimKut May 31 '17 at 20:24
  • Before we conclude TND is the culprit in your case for automatic connection, can you please edit the question with <ClientInitialization> information present in the VPN profile. VPN profile is a XML file present at C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile. – Mahesh Jun 01 '17 at 13:25
  • @Mahesh I've updated the question accordingly. – ChaimKut Jun 05 '17 at 06:15

2 Answers2

2

Trusted Network Detection(TND) is not a user controllable security feature. It is enforced by your VPN Access Point administrator through VPN profile.

When the client's DNS domain does not fall under the listed domains in the VPN profile, AnyConnect considers client is under untrusted domain and takes course of action based on the TND policy in the VPN profile. In your case, untrusted network policy is to establish VPN connection (which should be course of action for untrusted networks anyway). And yes, it is highly likely that AnyConnect is automatically initiating VPN connection when you are switching Wi-Fi networks because of TND feature.

Had if your admin configured AlwaysOn too for the AutomaticVPNPolicy, you will be locked from internet access unless VPN connection is established.

PS: User control is not relevant for TND feature and sorry for my misleading comments earlier.

Mahesh
  • 348
  • 1
  • 7
1
  1. Open file C:\Users\%USER%\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client\preferences.xml
  2. Put line between tags <AnyConnectPreferences>...</AnyConnectPreferences> <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
  3. Save file and restart cisco AnyConnect (or restart computer if needed)
hwak
  • 111