Cisco AnyConnect VPN Client

Anyconnect Start Before Logon and RSA SDI Token Configuration Example

Document ID: 116017

Updated: Apr 15, 2013

Contributed by Atri Basu, Cisco TAC Engineer.



RSA SecurID software authenticators reduce the number of items a user must manage for safe and secure access to corporate assets. RSA SecurID software tokens that reside on a remote device generate a random, one-time-use passcode that changes every 60 seconds. This one-time password generation technology uses hardware and software token and is known as SDI (Security Dynamics, Inc.) technology.

This document describes how to configure the RSA SecurID software to work in Start Before Logon (SBL) mode.



Cisco recommends that you have knowledge of how to configure the ASA and the Anyconnect for SDI token inegration; for more information, refer to SDI Token (SoftID) Integration.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to Cisco Technical Tips Conventions for information on document conventions.

Background Information

The first time that a user runs the SecurID desktop application, a token storage database is created on the user?s computer. This database is a container for the tokens imported to the local hard drive. When a user performs a SecurID authentication, the application retrieves the tokencode from the token in the database. The default token storage database is a per-user database, meaning that it contains only those tokens that belong to a specific user of the computer. The per-user database is intended to be used by VPN client applications that are running in the user context.


  1. Install in single database mode.

    When using SecurID app with the SBL feature in Anyconnect, the user logs on to the VPN client before logging on to Windows. Therefore, the user context is not known, and the SecurID desktop application cannot locate the user?s token. In this scenario, the user must configure the installation to create a single database that contains all tokens stored on the hard drive. In order to create a single database, you must install the desktop application from the msiexec command line, using the SETSINGLEDATABASE property. This property creates a single database in the All Users directory. When the user starts pre-logon to the VPN client, for example, the VPN client retrieves a token from All Users.

  2. Set the VpnMode policy.

    If you use Windows XP, you must ensure that the VpnMode policy is set. This policy ensures that the Cisco VPN Client can funtion properly on Windows XP machines when users log on to the VPN client application with tokens stored on a Trusted Platform Module (TPM) or a biometric device.

Here are some points to keep in mind when you use RSA SecurID in single database mode:

  • Due to the user context issues, the RSA SecurID Software Token for Windows supports pre-logon VPN authentication and running the VPN client as a service for only one user who has been issued only one software token. However, the application supports a single user with multiple tokens if the VPN client application provides the option of selecting a token from a list.
  • The SETSINGLEDATABASE property should be used only on single-user machines. Do not use this property if multiple users share a computer; if you do, all users can access all tokens stored in the single database.
  • The single database mode is supported as of RSA SecurID Software Token v4.1. None of the previous versions will work with SBL. 


There is currently no verification procedure available for this configuration.


There is currently no specific troubleshooting information available for this configuration.

Related Information

These links redirect you to third-party websites that are not affiliated with Cisco:

Updated: Apr 15, 2013
Document ID: 116017