Cisco Anyconnect Rdp

Solved: Hi, when users are trying to connect to VPN from remote machines, they are getting the error below. Could someone help me fix this issue by command line? "VPN Establishment capability from a Remote Desktop is disabled."

If you get the following error when connecting to a Cisco AnyConnect VPN from Windows, it's because the VPN establishment capability in the client profile doesn't allow connections from a remote desktop session: "VPN establishment capability for a remote user is disabled. A VPN connection will not be established."

Duo Authentication for Windows Logon defaults to auto push.

After entering your Microsoft Windows username and password, an authentication request will automatically be pushed to the Duo Mobile app on your phone.

If auto-push is disabled or if you click the Cancel button on the Duo Prompt, you can select a different device from the drop-down at the top (if you've enrolled more than one) or select any available factor to verify your identity to Duo:

  • Duo Push: Send a request to your smartphone. You can use Duo Push if you've installed and activated Duo Mobile on your iOS, Android, or Windows Phone device.
  • Call Me: Perform phone callback authentication.
  • Passcode: Log in using a passcode generated with Duo Mobile, received via SMS, generated by your hardware token, or provided by an administrator.
    To have a new batch of SMS passcodes sent to you click the Send me new codes button. You can then authenticate with one of the newly-delivered passcodes.

Note that Duo Authentication for Windows Logon does not support U2F security keys for online authentication.

The optional User Elevation configuration adds Duo two-factor authentication to password-protected Windows User Account Control (UAC) elevation attempts. When enabled, you'll see the Duo authentication prompt after you enter your password for a credentialed elevation request. The application you were trying to launch runs after you approve the Duo two-factor request.

Offline access for Duo Windows Logon helps you log on to Windows systems securely even when unable to contact Duo’s cloud service. You can activate one method for offline access, either Duo Mobile on iOS or Android or a U2F security key.

If your organization allows you to use this feature, you'll see the offline activation prompt after successful Duo two-factor authentication when you log in to, unlock the workstation, or approve a user elevation request while the system is online and able to contact Duo's service. Check with your organization's Duo administrators or Help Desk to verify availability of Offline Access on your workstation.

Activating Offline Access with Duo Mobile

To activate Duo Mobile for offline access:

  1. Select Duo Mobile Passcode and click Activate Now to begin setting up offline access (or click Enroll later (May prevent offline login) to set it up another time).
  2. Scan the activation QR code using the Duo Mobile app installed on your iOS or Android device. Tap the + in the app to begin adding the account.
  3. Duo Mobile saves the new account information and prompts you to verify the name for this computer. Tap SAVE COMPUTER NAME to continue.
  4. Once Duo Mobile completes activation you’ll need to enter a code from the app into the prompt on your Windows system to complete offline activation. Tap TAKE ME TO MY OFFLINE CODE.
  5. Tap the WINDOWS OFFLINE account in the Duo Mobile account list to generate a six digit passcode.
  6. Enter the passcode from Duo Mobile (without a space) into the offline activation screen on your computer and then click the Activate Offline Login button to finish setting up offline access.

Activating Offline Access with a Security Key

Duo's offline access works with these security keys:

  • Yubico brand keys supporting U2F/FIDO2
  • Google Titan
  • Feitian ePass FIDO
  • Thetis FIDO

HyperFIDO tokens are not supported for offline access activation, nor are simple OTP passcode tokens or Duo D-100 hardware tokens. If you're not sure whether your security key will work, ask your organization's Duo administrator or your IT Help Desk.

To activate your security key for offline access:

  1. Select Security Key (Yubikey) and click Activate Now to begin setting up offline access (or click Enroll later (May prevent offline login) to set it up another time).
  2. Duo for Windows Logon attempts to contact your security key. If you don't have it plugged in, go ahead and insert it. You should see the security key begin flashing, and the Duo screen say Security key found - Tap to enroll. Touch your blinking security key to register it.
  3. Tap the security key again to verify.
  4. If successful, the Duo offline activation window says Security key verified - enrollment complete. Click the Activate Offline Login button to finish setting up offline access.

Authenticating with Offline Access

Once you’ve activated offline access for your account, when your computer isn’t able to contact Duo’s cloud service you’ll automatically be offered the option to login with an offline code or security key (depending on which type of device you activated earlier) after successfully submitting your Windows username and password during system logon or after entering your password in a UAC elevation prompt (if User Elevation is enabled).

If you activated Duo Mobile, tap the entry for your Windows computer in Duo Mobile to generate a passcode, enter it into the Duo prompt, and click Log In.

If you activated a security key, you should see it start blinking. Tap your security key to log in.

The offline two-factor authentication prompt shows you how many remaining offline logins you have left, or the last day you’ll be allowed to authenticate using offline access (depending on which option your organization's administrator chose when enabling offline access in the Duo Admin Panel).

Once you reach the offline access limit, the Duo prompt informs you that you must complete online authentication to Duo before you can log in again with an offline passcode. Offline access refreshes when you perform an online Duo authentication.

If Duo Authentication for Windows Logon was installed with the fail mode set to “fail closed”, then a user who does not activate offline access on that computer may not log in while disconnected from the internet. Make sure to complete offline activation the next time the computer has internet access.

Reactivating Offline Access

If you need to add the Windows Offline account to Duo Mobile on a different phone than you originally used for activation, you can do this from the online Duo MFA prompt.

  1. With the Windows computer connected to the internet, log in with your username and password.
  2. Click the Replace/Reconnect an offline device link on the left side of the Duo prompt to begin. If your Duo for Windows Logon application is configured to automatically send a push request to your phone, you can cancel the authentication in progress and click the link on the left (don't approve the request on your phone).
  3. Next, you’ll need to complete Duo authentication. Click on an available method and approve the login request.
  4. Continue the activation process by scanning the QR code with Duo Mobile on the replacement phone and entering the verification code when prompted, just like the first time you activated an offline access device.
IMPORTANT: Only one phone may be activated for offline access at a time. Activating offline access on another phone invalidates the previously activated phone.

Script types: portrule
Categories: brute, intrusive
Download: https://svn.nmap.org/nmap/scripts/telnet-brute.nse

User Summary

Performs brute-force password auditing against telnet servers.

Script Arguments

telnet-brute.autosize

Whether to automatically reduce the thread count based on the behavior of the target (default: 'true')

telnet-brute.timeout

Connection time-out timespec (default: '5s')

passdb, unpwdb.passlimit, unpwdb.timelimit, unpwdb.userlimit, userdb

See the documentation for the unpwdb library.

creds.[service], creds.global

See the documentation for the creds library.

brute.credfile, brute.delay, brute.emptypass, brute.firstonly, brute.guesses, brute.mode, brute.passonly, brute.retries, brute.start, brute.threads, brute.unique, brute.useraspass

See the documentation for the brute library.

Example Usage

Script Output

Requires

Author:

License: Same as Nmap--See https://nmap.org/book/man-legal.html