So, I'm using Composer to watch for the install, set the VPN server for Cisco AnyConnect and create a package. I can then also deploy this out to clients and it installs OK. But whenever it goes to connect, AnyConnect wants admin credentials like three times. Has anyone been able to get around this? I do use client certificates to authenticate. I've read that others who have had a similar problem can at least click deny a few times and then AnyConnect will connect. Not the case for me though. Thanks.
The issue in our environment is related to the Cisco endpoint checking for certificates to determine VPN access.
We have AD issued machine certificates in system keychain where users don't have access rights. This causes the admin prompt at connection. If you skip the prompt AnyConnect will work anyway.
Our first workaround was to allow access to the machine certificate for all applications manually. This was very annoying and had to be done on every Mac, because we deploy the certificate with an AD certificate configuration profile and so were unable to allow access at import.
We now deploy a ~/.anyconnect with FUT and FEU, with a <ServerCertificateThumbprint> containing our Sub-CA thumbprint; that works for us:

    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectPreferences>
      <DefaultUser></DefaultUser>
      <DefaultSecondUser></DefaultSecondUser>
      <ClientCertificateThumbprint></ClientCertificateThumbprint>
      <ServerCertificateThumbprint>THUMBPRINT_FROM_KEYCHAIN</ServerCertificateThumbprint>
      <DefaultHostName>endpoint.domain.com</DefaultHostName>
      <DefaultHostAddress></DefaultHostAddress>
      <DefaultGroup></DefaultGroup>
      <ProxyHost></ProxyHost>
      <ProxyPort></ProxyPort>
      <SDITokenType>none</SDITokenType>
      <ControllablePreferences></ControllablePreferences>
    </AnyConnectPreferences>
We have the issue as well, but took a different approach. When deploying our AD cert and other Cert via configuration profile, we checked the "Allow access to all applications" in the AD certificate section. In theory you could limit this down just to specific applications if you wanted to, but not within Casper as far as I know. This has worked for us.
I haven't tried @mroiger's method, but it also looks viable.
@jbkiggins the .anyconnect needs to be placed in the home folder of every user.
We use a policy with FUT and FEU and the /Users/anyusers/.anyconnect as a DMG payload to accomplish this.
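The two posts above describe pinning the Sub-CA thumbprint in ~/.anyconnect and dropping that file into every user's home folder. The script below is an added example, not code from the thread or from Cisco or Jamf: it looks the Sub-CA fingerprint up in the System keychain, renders the same XML, and refuses to write the file if the thumbprint is not a valid 40-hex SHA-1 value (an empty pin would silently disable the check). The Sub-CA common name is an assumed placeholder; the hostname is the one used in the thread.

```shell
#!/bin/bash
# Added example, not from the thread: build and deploy ~/.anyconnect with a
# pinned Sub-CA thumbprint. SUBCA_CN is an assumed placeholder.
SUBCA_CN="${SUBCA_CN:-Example Sub-CA}"        # assumed CN, replace with yours
VPN_HOST="${VPN_HOST:-endpoint.domain.com}"   # hostname used in the thread
# A usable pin is exactly 40 hex chars (SHA-1). Refuse anything else: an empty
# <ServerCertificateThumbprint> from a failed lookup silently disables the pin.
valid_thumbprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}
# Read the Sub-CA's SHA-1 fingerprint from the System keychain (macOS only).
subca_thumbprint() {
  security find-certificate -c "$1" -Z /Library/Keychains/System.keychain 2>/dev/null \
    | awk '/SHA-1 hash:/ { print $3; exit }'
}
# Render the AnyConnectPreferences XML from the post with pin and host filled in.
render_anyconnect_prefs() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultUser></DefaultUser>
  <DefaultSecondUser></DefaultSecondUser>
  <ClientCertificateThumbprint></ClientCertificateThumbprint>
  <ServerCertificateThumbprint>$1</ServerCertificateThumbprint>
  <DefaultHostName>$2</DefaultHostName>
  <DefaultHostAddress></DefaultHostAddress>
  <DefaultGroup></DefaultGroup>
  <ProxyHost></ProxyHost>
  <ProxyPort></ProxyPort>
  <SDITokenType>none</SDITokenType>
  <ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>
EOF
}
# Write <home>/.anyconnect (owner-only), failing on a malformed thumbprint.
write_prefs_file() {
  valid_thumbprint "$2" || { echo "bad thumbprint, not writing $1/.anyconnect" >&2; return 1; }
  render_anyconnect_prefs "$2" "$3" > "$1/.anyconnect" && chmod 600 "$1/.anyconnect"
}
# Deploy to every real home folder; run as root, e.g. from a Jamf policy.
install_for_all_users() {
  thumb="$(subca_thumbprint "$SUBCA_CN")"
  for home in /Users/*; do
    user="$(basename "$home")"
    [ "$user" = Shared ] && continue
    write_prefs_file "$home" "$thumb" "$VPN_HOST" && chown "$user" "$home/.anyconnect"
  done
}
if [ "${1:-}" = "--install" ]; then install_for_all_users; fi
```

Run with `--install` as root to deploy; without arguments it only defines the functions, so it can be sourced and tested on a machine without the certificate.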
@roiegat I'll check if your method works for clients with a fresh install. We migrated from Centrify and therefore had two machine certificates on most of our clients. AnyConnect tries "any" certificate that it finds first in the keychain, so we needed a different solution, but I would love an easier solution, like the one you use.
If you use cert-based auth with AnyConnect and your users constantly get prompted to enter an admin username and password to (usually) access the System keychain, it's because AnyConnect searches all keychains for certs. It hits a cert in there (usually the JAMF Identity cert that gets installed during enrollment) and wants to read it to see if it is valid, and the System keychain requires admin authentication to access it. To get it to stop doing this you can:
It will prompt you for admin credentials a few times but you shouldn't get bugged again.
@chriscollins Thanks for your reply. I'm aware I can do this, but manually doing that across ~150 machines and growing is not really a task I'm able to undertake ... not to mention running it again when the certificate expires and the machine pulls a new one.
My preference here is to use the .anyconnect file, as @mroiger referenced; I just can't figure out how to get the file into the DMG so I can deploy it.
Make the Finder show invisible items (items with a dot as the first character in their name) so you can see the file:

    defaults write com.apple.finder AppleShowAllFiles 1
    killall Finder
Drag .anyconnect file into Composer sidebar to create a new package source.
Pro-tip: after it adds .anyconnect under the Sources section, immediately rename the package source name to something else without the dot in front. Otherwise the next time you launch Composer it will be hidden, because Composer won't find package sources that have a period in front of their name either.
Little visual just in case you have never made a package that way before: https://dl.dropboxusercontent.com/u/519077/ComposerAnyConnect.mp4
Old thread but issue fixed for me with:
    <DistinguishedName>
      <DistinguishedNameDefinition Wildcard="Enabled" MatchCase="Disabled">
        <Name>ISSUER-CN</Name>
        <Pattern>YourCNIssuerNameHere</Pattern>
      </DistinguishedNameDefinition>
    </DistinguishedName>
This was added to the XML we are provided by our VPN team just before
Just replace YourCNIssuerNameHere with the Common Name of the cert; you can get this in the Keychain. Note it's wildcarded as well.