AnyConnect & Symantec PKI

SQR
New Contributor

We're in a predominantly Windows environment with a ton of various vendor services. With a small Mac population peeking its head out wanting to be able to be seen/heard and vice versa, they want the Macs to have equivalent services and abilities. Most of the users will be remote. Mind you we don't have Casper... yet...

I've handled AnyConnect before, but it seemed to be a lot more seamless than this.

So the process is to go to an internal PKI site that leads to pki.symauth.com, where the user enters their AD credentials to get a cert.
Ultimately it installs PKI Client.app and has the certificate generated by Symantec.

Next the user installs AnyConnect; it makes the connection with the cert and you have to enter in the company's VPN URL.
Sometimes it bugs the user to enter in a Symantec Keychain password. Turns out it's not the local account/AD account password but the PIN created by the Symantec PKI cert creator.

Ideally I'd like to find a way where it doesn't require the user to enter in the URL for the VPN connection, and that it doesn't request the PIN for the certificate.
I'm new to the environment so maybe it's the way things are, but something tells me this can be cleaned up quite a bit more,

where I can deploy a PKI app + AnyConnect and let it do its thing from there.

Any thoughts?

3 REPLIES

bvrooman
Valued Contributor

I can't help you on the certificate since I've not used that product, but you can create a file at /opt/cisco/anyconnect/profile/new.xml to pre-populate the address field in AnyConnect. It should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ServerList>
        <!-- One HostEntry per VPN headend; HostName is the label the client shows,
             HostAddress is the gateway it actually connects to -->
        <HostEntry>
            <HostName>Human-Readable Name</HostName>
            <HostAddress>vpnserver.example.com</HostAddress>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
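One way to script that step, for example from a PKG postinstall script, added here as an example and not code from the thread: it writes the profile described above with the label and address XML-escaped, then leaves the file root-owned and not user-writable, since a profile a local user can edit is a profile whose gateway can be changed. The file path, label and host below are constructed values, and the audit helper only reads back the first HostAddress.

```shell
#!/bin/sh
# Added example (not from the thread). Writes an AnyConnect client profile
# so the address field is pre-populated, then locks the file down.
# Assumed inputs: destination path, a display label, and the headend host.
set -eu

# Escape the five XML special characters so a label such as "R&D VPN"
# cannot break or alter the document structure.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_anyconnect_profile PATH LABEL HOST
# PATH would be /opt/cisco/anyconnect/profile/<name>.xml on a real client.
write_anyconnect_profile() {
    path=$1; label=$(xml_escape "$2"); host=$(xml_escape "$3")
    mkdir -p "$(dirname "$path")"
    cat > "$path" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
    <ServerList>
        <HostEntry>
            <HostName>$label</HostName>
            <HostAddress>$host</HostAddress>
        </HostEntry>
    </ServerList>
</AnyConnectProfile>
EOF
    # A PKG postinstall runs as root; give the file to uid 0 / gid 0
    # (root:wheel on macOS) and make it read-only for everyone else.
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$path"
    fi
    chmod 0644 "$path"
}

# profile_host_address FILE
# Prints the configured HostAddress, so a periodic check can confirm the
# deployed profile still points at the expected gateway.
profile_host_address() {
    sed -n 's/.*<HostAddress>\(.*\)<\/HostAddress>.*/\1/p' "$1"
}
```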

SQR
New Contributor

And when I do that, can I repackage the AnyConnect app into a DMG? Or PKG? And deploy it that way?

Thank you for the advice

Gonzalez
New Contributor III

If you have Enterprise Connect, it would be fairly easy to have Symantec's MPKI use AutoEnrollment. That would also give you the option to use post-processing scripts with the PKI Client to create the .anyconnect file with the certificate preference. In order to not have a PIN on the certificate you need to create a new profile with a lower private key security setting. You would not need Casper but would need to have a config profile and a way to distribute software.