Using a user certificate as a form of MFA for VPN

Warren
New Contributor II

Hey, Hi. Hello. Wondering if you guys could provide some assistance with a task I have. In short, I want to remove all connections (manual, accidentally downloaded, etc.) and replace them with the new/current/correct connection settings for use with a user certificate as the second form of MFA. What should happen is that Cisco AnyConnect will look for a certificate, which should be in the keychain, find the UPN, insert the UPN into the username field and lock it (you can't type your own in). The user would then just type their AD password and voila, they are in.

Here is the script to pull this off.

rm -rf /opt/cisco/anyconnect/profile/*.xml
cp ./microsoftmfa-withusercerts.xml /opt/cisco/anyconnect/profile/

What I found out is that the rm -rf script doesn't work. Instead I used the following, which pretty much removes the Cisco AnyConnect agent.

sudo /opt/cisco/vpn/bin/vpn_uninstall.sh

Here is the XML with the new/current/correct settings.

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <!-- Client picks the matching certificate itself; the user cannot override this. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <!-- Look in the user (login) keychain, not the system store. -->
    <CertificateStore>User</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>120</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">false</MinimizeOnConnect>
    <LocalLanAccess UserControllable="false">true</LocalLanAccess>
    <ClearSmartcardPin UserControllable="false">false</ClearSmartcardPin>
    <IPProtocolSupport>IPv4</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">false</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <!-- Only a certificate with these key usages and EKUs is offered to the headend. -->
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Key_Encipherment</MatchKey>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <!-- 1.3.6.1.5.5.7.3.2 = TLS client authentication -->
        <CustomExtendedMatchKey>1.3.6.1.5.5.7.3.2</CustomExtendedMatchKey>
        <!-- 1.3.6.1.5.5.7.3.4 = email protection -->
        <CustomExtendedMatchKey>1.3.6.1.5.5.7.3.4</CustomExtendedMatchKey>
        <!-- 1.3.6.1.4.1.311.10.3.4 = Microsoft Encrypting File System -->
        <CustomExtendedMatchKey>1.3.6.1.4.1.311.10.3.4</CustomExtendedMatchKey>
      </ExtendedKeyUsage>
    </CertificateMatch>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>1. Auto Connect</HostName>
      <HostAddress>https://vpn01.mrcooper.com</HostAddress>
      <UserGroup>certs</UserGroup>
      <BackupServerList>
        <HostAddress>https://vpn02.mrcooper.com</HostAddress>
      </BackupServerList>
    </HostEntry>
    <HostEntry>
      <HostName>2. Carrollton, TX</HostName>
      <HostAddress>https://vpn01.mrcooper.com</HostAddress>
      <UserGroup>certs</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>3. Chandler, AZ</HostName>
      <HostAddress>https://vpn02.mrcooper.com</HostAddress>
      <UserGroup>certs</UserGroup>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

My question is how do I package this together to remove the current Cisco AnyConnect settings/agent and then look to the XML to copy the new/current/correct settings. I need help with a Step 1, Step 2, Step 3 format.

Thanks everyone for your help.
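The three-step deployment the post asks for, as an added example that is not part of the original post or of Cisco's or Jamf's tooling. It validates the new profile before anything is deleted, removes only the *.xml files in the profile directory rather than the whole agent, copies the vetted profile in, and then checks that exactly one profile remains. The function names, the RUN_DEPLOY guard and the use of Jamf's $4 script parameter for the source path are assumptions; the default profile directory and the profile filename come from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the RUN_DEPLOY
# guard and the $4 convention are assumptions; the default paths are the post's.
set -eu

# Refuse to touch the profile directory unless the replacement is well-formed XML
# and carries the elements a usable AnyConnect profile must have. Uses xmllint
# when it is on the box (macOS ships it) and falls back to a plain tag check.
validate_profile_xml() {
    src="$1"
    [ -f "$src" ] || { echo "profile not found: $src" >&2; return 1; }
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$src" || return 1
    fi
    grep -q '</AnyConnectProfile>' "$src" || return 1
    grep -q '<ServerList' "$src" || return 1
    return 0
}

# Number of *.xml profiles directly inside a profile directory.
profile_count() {
    find "$1" -maxdepth 1 -name '*.xml' -type f | wc -l | tr -d ' '
}

# Step 1: delete only the existing *.xml profiles (the agent stays installed).
# Step 2: copy the vetted profile in, world-readable so the client can load it.
# Step 3: verify exactly one profile remains and it matches the source byte for byte.
install_anyconnect_profile() {
    src="$1"
    profile_dir="${2:-/opt/cisco/anyconnect/profile}"
    validate_profile_xml "$src" || return 1
    [ -d "$profile_dir" ] || { echo "profile dir missing: $profile_dir" >&2; return 1; }

    # Step 1
    find "$profile_dir" -maxdepth 1 -name '*.xml' -type f -exec rm -f {} +

    # Step 2
    dest="$profile_dir/$(basename "$src")"
    cp "$src" "$dest"
    chmod 644 "$dest"

    # Step 3
    count=$(profile_count "$profile_dir")
    [ "$count" -eq 1 ] || { echo "expected 1 profile, found $count" >&2; return 1; }
    cmp -s "$src" "$dest" || { echo "installed profile differs from source" >&2; return 1; }
    return 0
}

# Jamf policy scripts run as root and receive their parameters starting at $4;
# here $4 is the path of the new profile packaged alongside the script.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
    install_anyconnect_profile "${4:-./microsoftmfa-withusercerts.xml}"
fi
```

Run it as root with RUN_DEPLOY=1 (or call install_anyconnect_profile directly) after the profile XML has been copied to the Mac; because validation happens first, a malformed or truncated profile leaves the existing profiles untouched instead of wiping them and leaving users with no connection entries.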
