Posted on 06-14-2017 09:43 AM
We currently deploy Cisco AnyConnect with a user certificate stored in the login keychain. Because the login keychain is often recreated by our admin users as part of password troubleshooting, we are looking at authenticating against a device certificate in the System keychain instead. Does anyone have experience doing this? Thanks.
Posted on 06-14-2017 11:26 AM
Check out https://www.jamf.com/jamf-nation/discussions/10042/cisco-anyconnect-3-1-04072-10-9-and-admin-credentials
We ended up putting the certs outside the keychain, and using a custom xml to point to them. Works well.
Posted on 06-15-2017 09:23 AM
@tep Thanks for the response. Because of the way our certificates expire/renew, we need to deploy them via Configuration Profile, so I'm looking to see if there is a way to do that via the System keychain specifically.
I take it that you don't deploy your certificates via Configuration Profile if you are putting them outside of the keychain?
Posted on 06-15-2017 09:41 AM
@mapurcel For this specific use, I package up the .pem and .key certs and place them in /opt/.cisco/certificates/client/ and /opt/.cisco/certificates/client/private, respectively.
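As an added example (not code from this thread or from Cisco), a POSIX shell helper that stages a client certificate and key into the directories tep names, validating the PEM files and, when openssl is present, that the key belongs to the certificate before anything is written. The permissions chosen, the CLIENT_ROOT prefix and the `--install` entry point are assumptions of this example.

```shell
#!/bin/sh
# Added example: stage an AnyConnect client certificate and private key
# outside the keychain, under /opt/.cisco/certificates/client/. Permissions
# (0700 on private/, 0600 on the key) and the CLIENT_ROOT prefix are
# assumptions; run as root on a real Mac so the files end up root-owned.
set -eu

# Return 0 if $1 holds exactly one PEM block whose type ends in $2
# ("CERTIFICATE" or "PRIVATE KEY"; the latter also matches RSA PRIVATE KEY).
pem_has_block() {
    [ "$(grep -c -- "-----BEGIN .*$2-----" "$1")" -eq 1 ] &&
        grep -q -- "-----END .*$2-----" "$1"
}

# With openssl available, confirm the key matches the certificate by comparing
# the public key each yields; without openssl the check is skipped.
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# install_client_cert CERT.pem KEY.pem
# CLIENT_ROOT (default empty, i.e. the real filesystem) prefixes the path.
install_client_cert() {
    cert_dir="${CLIENT_ROOT:-}/opt/.cisco/certificates/client"
    key_dir="$cert_dir/private"

    pem_has_block "$1" "CERTIFICATE" ||
        { echo "not a single PEM certificate: $1" >&2; return 1; }
    pem_has_block "$2" "PRIVATE KEY" ||
        { echo "not a single PEM private key: $2" >&2; return 1; }
    cert_matches_key "$1" "$2" ||
        { echo "private key does not match certificate" >&2; return 1; }

    mkdir -p "$key_dir"
    chmod 755 "$cert_dir"
    chmod 700 "$key_dir"      # only root reads the key directory
    cp "$1" "$cert_dir/$(basename "$1")"
    chmod 644 "$cert_dir/$(basename "$1")"
    cp "$2" "$key_dir/$(basename "$2")"
    chmod 600 "$key_dir/$(basename "$2")"
}

# Usage: sh install_anyconnect_cert.sh --install client.pem client.key
if [ "${1:-}" = "--install" ]; then
    install_client_cert "$2" "$3"
fi
```

Deploy the resulting layout with whatever packaging you already use; the script only prepares and checks the files.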
Posted on 11-07-2019 11:11 AM
@tep I wrote you on Twitter, but I actually need help with this very thing if you're willing to explain it to me. I'm in a situation right now where I also would like to store the user cert VPN wants outside of the keychain, and am also having issues with Cisco VPN prompting for admin to access the System keychain (non-admin users) when they try to connect.
Posted on 11-07-2019 11:28 AM
@Stubakka I just replied to your Twitter msg. :-)
Posted on 02-25-2020 09:24 AM
@Stubakka @tep Would either of you be willing to do a quick write up of the steps involved in this? Our Cisco admins are trying to implement user certs for AnyConnect and we're having a difficult time getting it off the ground for testing and deployment. How do we generate the certs to begin with? Thanks!