Running AnyConnect

jbkiggins
New Contributor

So, I'm using Composer to watch for the install and set the vpn server for Cisco AnyConnect and create a package. I can then also deploy this out to clients and it installs ok. But whenever it goes to connect, AnyConnect wants admin credentials like three times. Has anyone been able to get around this? I do use client certificates to authenticate. I've read that others who have had a similar problem can at least click deny a few times and then AnyConnect will connect. Not the case for me though. Thanks.

18 REPLIES 18

jonnydford
Contributor II

Are you just trying to set the server for AnyConnect?

I do this with an xml file, I'll have to check tomorrow what exactly I do and where if that's the case.

Then you can deploy the AnyConnect app with the xml

jbkiggins
New Contributor

I can get the server set. It's just when AnyConnect tries to connect to it, it wants system access and so asks for admin creds. I'm not sure if I'm doing it wrong or what. I launch Composer, install AnyConnect, and then finish in Composer.

Thanks.

mroiger
New Contributor III

Hi,

the issue in our environment is related to Cisco endpoint checking for certificates to determine VPN access.
We have AD issued machine certificates in system keychain where users don't have access rights. This causes the admin prompt at connection. If you skip the prompt AnyConnect will work anyway.

Our first workaround was to allow access to the machine certificate for all applications manually. This was very annoying and had to be done on every Mac because we deploy the certificate with an AD certificate configuration profile, thus unable to allow access at import.

We now deploy a ~/.anyconnect with FUT and FEU containing a <ServerCertificateThumbprint> containing our Sub-CA thumbprint, that works for us:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint></ClientCertificateThumbprint>
<ServerCertificateThumbprint>THUMBPRINT_FROM_KEYCHAIN</ServerCertificateThumbprint>
<DefaultHostName>endpoint.domain.com</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>

roiegat
Contributor II

We have the issue as well, but took a different approach. When deploying our AD cert and other Cert via configuration profile, we checked the "Allow access to all applications" in the AD certificate section. In theory you could limit this down just to specific applications if you wanted to, but not within Casper as far as I know. This has worked for us.

I haven't tried @mroiger method, but it also look viable.

bpavlov
Honored Contributor

@jbkiggins The AnyConnect installer should be good as is. Snapshotting should not be needed.

jbkiggins
New Contributor

@mroiger I believe that is our issue as well. I'm using Centrify to issue machine certs to the client. So that is just like an xml file that you created, with your ca thumbprint that is letting it not have to ask for admin creds? Where are you putting that if so? Thanks.

ooshnoo
Valued Contributor

I agree with @bpavlov Snapshotting is should not be needed. I just extracted the VPN package from the mpkg using Pacifist and installed that.

jbkiggins
New Contributor

@bpavlov You just put the installer into Admin and push it?

jbkiggins
New Contributor

Sorry @ooshnoo not sure why, but it took a few hours for my last post to post. Unfortunately, I talked to my IA team today and they gave a no-go on using Pacifist.

mroiger
New Contributor III

@jbkiggins the .anyconnect needs to be placed in the home folder of every user.
We use a policy with FUT and FEU and the /Users/anyusers/.anyconnect as a DMG payload to accomplish this.

@roiegat I'll check if your method works for clients with a fresh install. We migrated from Centrify and therefore had two machine certificates on most of our clients. AnyConnect tries "any" certificate that it finds first in keychain so we needed a different solution but I would love an easier solution, like the on you use.

brennanma
New Contributor

@mroiger I can't figure out how to add the .anyconnect file to the install DMG (so that FUT / FEU) are an option. Any chance you can explain how you did that? I can't even seem to find an option to build a separate User Template DMG in Composer.

-Matt

chriscollins
Valued Contributor

If you use cert based auth with anyconnect and your users constantly get prompted to enter in an admin username and password to (usually) access the system keychain, its because anyconnect is searching all keychains for certs and it hits a cert in there and wants to read it to see if it is valid and the system keychain requires an admin authentication to access it (usually the JAMF Identity cert that gets installed during enrollment). To get it to stop doing this you can:

  1. go into Keychain Access select your system keychain
  2. filter the category by My Certificates
  3. select the private key in the certificate pair
  4. right click it and do a get info on it
  5. in the Access Control tab, manually add the Cisco AnyConnect app to the always allow access box. cdf8eb3e5b4642f583741f85863e1e29

It will prompt you for admin credentials a few times but you shouldn't get bugged again.

brennanma
New Contributor

@chriscollins Thanks for your reply. I'm aware I can do this, but manually doing that across ~150 machines and growing is not really a task I'm able to undertake ... not to mention running it again when the certificate expires and the machine pulls a new one.

My preference here is to use the .anyconnect file, as @mroiger referenced; I just can't figure out how to get the file into the DMG so I can deploy it.

-Matt

chriscollins
Valued Contributor

@brennanma

Make the Finder show invisible items (items with dot as first character in their name) so you can see the file:

defaults write com.apple.finder AppleShowAllFiles 1
killall Finder

Drag .anyconnect file into Composer sidebar to create a new package source.

Pro-tip: after it adds .anyconnect under the Sources section, immediately rename the package source name to something else without the dot in the front. Or else the next time you launch composer it will be hidden because composer won't find package sources that have a period in front of their name either.

Little visual just incase you have never made a package that way before: https://dl.dropboxusercontent.com/u/519077/ComposerAnyConnect.mp4

al_platt
Contributor II

This works for us,

Extracted VPN.pkg from the installer using Pacifist

Install that along with .xml with server address.

AD certs are installed per machine via profile.

brennanma
New Contributor

@chriscollins Got it working. Thanks for your help.

-Matt

MatG
Contributor III

Old thread but issue fixed for me with:

        <DistinguishedName>
        <DistinguishedNameDefinition Wildcard="Enabled" MatchCase="Disabled">
        <Name>ISSUER-CN</Name>
        <Pattern>YourCNIssuerNameHere</Pattern>
        </DistinguishedNameDefinition>
        </DistinguishedName>

This was added to the XML we are provided by our VPN team just before

    </CertificateMatch>

Just replace YourCNIssuerNameHere with the Common Name of the cert, you can get this in the Keychain. Note its wild carded as well.

RNCNetops
New Contributor

I have extacted the vpn.pkg, I have the Profile.xml off the ASA, how and where do I put the XML file to install it when I install the Software? Thanks