Posted on 03-01-2016 12:44 PM
So, I'm using Composer to watch for the install and set the vpn server for Cisco AnyConnect and create a package. I can then also deploy this out to clients and it installs ok. But whenever it goes to connect, AnyConnect wants admin credentials like three times. Has anyone been able to get around this? I do use client certificates to authenticate. I've read that others who have had a similar problem can at least click deny a few times and then AnyConnect will connect. Not the case for me though. Thanks.
Posted on 03-01-2016 02:21 PM
Are you just trying to set the server for AnyConnect?
I do this with an xml file, I'll have to check tomorrow what exactly I do and where if that's the case.
Then you can deploy the AnyConnect app with the xml
Posted on 03-01-2016 05:05 PM
I can get the server set. It's just when AnyConnect tries to connect to it, it wants system access and so asks for admin creds. I'm not sure if I'm doing it wrong or what. I launch Composer, install AnyConnect, and then finish in Composer.
Thanks.
Posted on 03-02-2016 12:07 AM
Hi,
the issue in our environment is related to Cisco endpoint checking for certificates to determine VPN access.
We have AD-issued machine certificates in the system keychain where users don't have access rights. This causes the admin prompt at connection. If you skip the prompt AnyConnect will work anyway.
Our first workaround was to allow access to the machine certificate for all applications manually. This was very annoying and had to be done on every Mac because we deploy the certificate with an AD certificate configuration profile, so we are unable to allow access at import.
We now deploy a ~/.anyconnect with FUT and FEU containing a <ServerCertificateThumbprint> element with our Sub-CA thumbprint; that works for us:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
    <DefaultUser></DefaultUser>
    <DefaultSecondUser></DefaultSecondUser>
    <ClientCertificateThumbprint></ClientCertificateThumbprint>
    <ServerCertificateThumbprint>THUMBPRINT_FROM_KEYCHAIN</ServerCertificateThumbprint>
    <DefaultHostName>endpoint.domain.com</DefaultHostName>
    <DefaultHostAddress></DefaultHostAddress>
    <DefaultGroup></DefaultGroup>
    <ProxyHost></ProxyHost>
    <ProxyPort></ProxyPort>
    <SDITokenType>none</SDITokenType>
    <ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>
Posted on 03-02-2016 06:52 AM
We have the issue as well, but took a different approach. When deploying our AD cert and other certs via configuration profile, we checked "Allow access to all applications" in the AD certificate section. In theory you could limit this down to specific applications if you wanted to, but not within Casper as far as I know. This has worked for us.
I haven't tried @mroiger's method, but it also looks viable.
Posted on 03-02-2016 08:19 AM
@jbkiggins The AnyConnect installer should be good as is. Snapshotting should not be needed.
Posted on 03-02-2016 11:25 AM
@mroiger I believe that is our issue as well. I'm using Centrify to issue machine certs to the client. So it is just an xml file that you created, with your CA thumbprint, that stops it from asking for admin creds? Where are you putting that, if so? Thanks.
Posted on 03-02-2016 11:29 AM
I agree with @bpavlov. Snapshotting should not be needed. I just extracted the VPN package from the mpkg using Pacifist and installed that.
Posted on 03-02-2016 03:34 PM
@bpavlov You just put the installer into Admin and push it?
Posted on 03-02-2016 04:06 PM
Sorry @ooshnoo not sure why, but it took a few hours for my last post to post. Unfortunately, I talked to my IA team today and they gave a no-go on using Pacifist.
Posted on 03-02-2016 11:52 PM
@jbkiggins the .anyconnect needs to be placed in the home folder of every user.
We use a policy with FUT and FEU and /Users/anyusers/.anyconnect as a DMG payload to accomplish this.
@roiegat I'll check if your method works for clients with a fresh install. We migrated from Centrify and therefore had two machine certificates on most of our clients. AnyConnect tries "any" certificate that it finds first in the keychain, so we needed a different solution, but I would love an easier solution like the one you use.
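Added example (not from the thread or from Cisco): a script that builds the ~/.anyconnect file shown above and writes it into every home folder plus the User Template, which is what the FUT/FEU policy accomplishes. It assumes VPN_HOST is your headend name, CA_THUMB is the Sub-CA SHA-1 fingerprint copied from Keychain Access, and the User Template path matches your macOS version.

```shell
# Assumed inputs: override via environment; defaults are the thread's placeholders.
set -eu
VPN_HOST="${VPN_HOST:-endpoint.domain.com}"
CA_THUMB="${CA_THUMB:-THUMBPRINT_FROM_KEYCHAIN}"
# Keychain Access shows "AB CD .." or "AB:CD:.."; the preference wants 40 bare hex chars.
normalize_thumbprint() {
  t=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
  printf '%s' "$t" | grep -Eq '^[0-9A-F]{40}$' || {
    echo "not a SHA-1 thumbprint: $1" >&2
    return 1
  }
  printf '%s' "$t"
}
# Emit the preferences XML: $1 = headend host name, $2 = normalized thumbprint.
render_prefs() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint>$2</ServerCertificateThumbprint>
<DefaultHostName>$1</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>
EOF
}
# Write the file for existing users and for future accounts (template path is an
# assumption; it differs across macOS versions). Run as root, e.g. from a Jamf policy.
install_prefs() {
  thumb=$(normalize_thumbprint "$CA_THUMB")
  for home in /Users/*/ "/System/Library/User Template/English.lproj/"; do
    [ -d "$home" ] || continue
    render_prefs "$VPN_HOST" "$thumb" > "$home/.anyconnect"
    chown "$(stat -f '%u:%g' "$home")" "$home/.anyconnect"   # macOS stat syntax
    chmod 644 "$home/.anyconnect"                             # readable only, not writable
  done
}
if [ "${1:-}" = "--install" ]; then install_prefs; fi
```

Invoke with `--install` from the policy; a thumbprint that is not 40 hex characters aborts the run before anything is written.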
Posted on 10-04-2016 02:12 PM
@mroiger I can't figure out how to add the .anyconnect file to the install DMG (so that FUT/FEU are an option). Any chance you can explain how you did that? I can't even seem to find an option to build a separate User Template DMG in Composer.
-Matt
Posted on 10-04-2016 03:27 PM
If you use cert-based auth with AnyConnect and your users constantly get prompted to enter an admin username and password to (usually) access the system keychain, it's because AnyConnect is searching all keychains for certs. It hits a cert in there and wants to read it to see if it is valid, and the system keychain requires an admin authentication to access it (usually the JAMF Identity cert that gets installed during enrollment). To get it to stop doing this you can:
It will prompt you for admin credentials a few times but you shouldn't get bugged again.
Posted on 10-04-2016 09:08 PM
@chriscollins Thanks for your reply. I'm aware I can do this, but manually doing that across ~150 machines and growing is not really a task I'm able to undertake ... not to mention running it again when the certificate expires and the machine pulls a new one.
My preference here is to use the .anyconnect file, as @mroiger referenced; I just can't figure out how to get the file into the DMG so I can deploy it.
-Matt
Posted on 10-04-2016 09:23 PM
Make the Finder show invisible items (items with dot as first character in their name) so you can see the file:
defaults write com.apple.finder AppleShowAllFiles 1
killall Finder
Drag .anyconnect file into Composer sidebar to create a new package source.
Pro-tip: after it adds .anyconnect under the Sources section, immediately rename the package source name to something else without the dot in the front. Or else the next time you launch composer it will be hidden because composer won't find package sources that have a period in front of their name either.
Little visual just in case you have never made a package that way before: https://dl.dropboxusercontent.com/u/519077/ComposerAnyConnect.mp4
Posted on 10-05-2016 04:30 AM
This works for us:
Extracted VPN.pkg from the installer using Pacifist
Install that along with .xml with server address.
AD certs are installed per machine via profile.
Posted on 10-05-2016 11:12 AM
@chriscollins Got it working. Thanks for your help.
-Matt
Posted on 03-19-2019 06:00 AM
Old thread but issue fixed for me with:
<DistinguishedName>
    <DistinguishedNameDefinition Wildcard="Enabled" MatchCase="Disabled">
        <Name>ISSUER-CN</Name>
        <Pattern>YourCNIssuerNameHere</Pattern>
    </DistinguishedNameDefinition>
</DistinguishedName>
This was added to the XML we are provided by our VPN team just before
</CertificateMatch>
Just replace YourCNIssuerNameHere with the Common Name of the cert; you can get this in the Keychain. Note it's wildcarded as well.
Posted on 08-14-2020 10:52 AM
I have extracted the vpn.pkg, I have the Profile.xml off the ASA, how and where do I put the XML file to install it when I install the software? Thanks