Posted on 01-25-2019 01:17 AM
The Cisco AnyConnect VPN software seems to be a nightmare, and I'm trying to make it more user friendly.
When connecting, it constantly prompts for keychain access to a system private key; think 4-5 times the user needs to enter their username and password to finally be able to connect.
If I go to the system store in Keychain and add the Cisco AnyConnect VPN client to the private key, it works. But each user has a different private key, so I don't know if that can be solved somehow in a script, or if something can be done in the package directly.
Does anyone have some input on this?
Posted on 01-25-2019 01:22 AM
We do it the same way as you, by adding the program to the keychain manually as we build the Macs. We're all in one building, so we build all the Macs for the users, so it's not a major problem for us, just a pain. We had a go, but couldn't work it out.
But if anyone out there has worked out how to do it then we will be eternally grateful :)
Posted on 01-25-2019 05:56 AM
This was also a nightmare for us!
There are several workarounds on the internet, but nothing worked in our environment. (It's related to certificate-based authentication only, I guess.)
But we found the reason and could solve it with a small change in our VPN profile (this has to be done on the Cisco server!).
Here's an extract of the important part:
    <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
      <ClientInitialization>
        <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon>
        <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
        <ShowPreConnectMessage>false</ShowPreConnectMessage>
        <CertificateStore>User</CertificateStore>
        <CertificateStoreMac>Login</CertificateStoreMac>   <!-- this is the line that was missing in our old profile -->
        <CertificateStoreOverride>false</CertificateStoreOverride>
        <!-- rest of the profile omitted from this extract -->
      </ClientInitialization>
    </AnyConnectProfile>
The CertificateStoreMac line (bold in the original post) was missing in our old profile. Windows clients will recognize "CertificateStore=User", but the Mac computer does not know where to look for the certificate and will then try to browse through your system keychain.
Cisco later implemented this special "CertificateStoreMac=Login" item, and if it's embedded in the profile XML, all Mac computers will first look in the user (login) keychain for a user certificate.
After we changed this, everything worked correctly again.
By the way, it worked without this special configuration key until Cisco AnyConnect version 4.3.
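To check a profile for this before uploading it to the headend, here is an added example (not from the thread or from Cisco) that parses the profile XML, reports the certificate-store settings, and inserts the missing CertificateStoreMac=Login element. The sample profile is constructed to mirror the "old" profile described above; the namespace is the one on the AnyConnectProfile root in the extract.

```python
import xml.etree.ElementTree as ET

# Namespace of the AnyConnectProfile root element (see the extract above).
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample of the "old" profile from the thread: CertificateStore is set,
# CertificateStoreMac is missing. Not a real deployed profile.
OLD_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
  </ClientInitialization>
</AnyConnectProfile>"""


def _setting(init, tag):
    """Text of a ClientInitialization child element, or None if it is absent."""
    el = init.find(f"ac:{tag}", NS)
    return None if el is None or el.text is None else el.text.strip()


def audit_cert_store(profile_xml):
    """Report the certificate-store settings and whether Macs get the login-keychain hint."""
    root = ET.fromstring(profile_xml)
    init = root.find("ac:ClientInitialization", NS)
    if init is None:
        raise ValueError("profile has no ClientInitialization element")
    store_mac = _setting(init, "CertificateStoreMac")
    return {
        "CertificateStore": _setting(init, "CertificateStore"),
        "CertificateStoreMac": store_mac,
        # Without CertificateStoreMac=Login the Mac client searches the system keychain
        # and the user is prompted for the private key repeatedly.
        "mac_uses_login_keychain": store_mac == "Login",
    }


def fix_profile(profile_xml):
    """Return the profile XML with <CertificateStoreMac>Login</CertificateStoreMac> added if missing."""
    root = ET.fromstring(profile_xml)
    init = root.find("ac:ClientInitialization", NS)
    if init is not None and init.find("ac:CertificateStoreMac", NS) is None:
        el = ET.Element(f"{{{NS['ac']}}}CertificateStoreMac")
        el.text = "Login"
        # Insert directly after CertificateStore, mirroring the profile in the thread.
        store = init.find("ac:CertificateStore", NS)
        init.insert(list(init).index(store) + 1 if store is not None else len(init), el)
    ET.register_namespace("", NS["ac"])  # serialize with the default namespace, no ns0: prefix
    return ET.tostring(root, encoding="unicode")
```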