Help

Cisco Anyconnect - anyone solved to get rid of those popups ?

Captainamerica
Contributor II

Posted on ‎01-25-2019 01:17 AM

The Cisco anyconnect VPN software it seems to be a nightmare and try to make it more user friendly.
When connecting it constantly prompts for keychain prompts for a system private key- think 4-5 times the user needs to enter their user and password to finally to be able to connect

If I in Keychain go to system store and add the cisco anyconnect vpn client to the private key it works. But each user have a different private key, so don´t know if that is possible to solve somehow in a script ? - or something can be made in the package direct

Do any have some input on this?

0 Kudos
2 REPLIES 2

JustCallMeAJ
New Contributor III

Posted on ‎01-25-2019 01:22 AM

We do it the same way as you by adding the program to the keychain manually as we build the Macs. We're all in one building so we build all the Macs for the users, so its not a major problem for us, just a pain. We had a go, but couldn't work it out.
But if anyone out there has worked out how to do it then we will be eternally grateful :)

0 Kudos

hansjoerg_watzl
Contributor II

Posted on ‎01-25-2019 05:56 AM

This was also a nightmare for us!
There are several workarounds on the internet, but nothing worked in our environment. (It's related to certificate based authentication only I guess)

But we found the reason and could solve it with a small change in our vpn profile (have to be done on the Cisco server!).

Here's an extract of the important part:

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd"> <ClientInitialization> <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon> <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection> <ShowPreConnectMessage>false</ShowPreConnectMessage> <CertificateStore>User</CertificateStore> <CertificateStoreMac>Login</CertificateStoreMac> <CertificateStoreOverride>false</CertificateStoreOverride>

The bold line was missing in our old profile. Windows clients will recognize the "CertificateStore=User", but the Mac computer does not know, where to look for the certificate and will then try to browse through your system keychain.

Cisco later implemented this special "CertificateStoreMac=Login" item. And if its embedded in the profile xml, all Mac computers will first look in the user (login) keychain for a user certificate.

After we changed this, everything worked correctly again.

btw. it worked without this special configuration key until Cisco AnyConnect version 4.3