[c-nsp] AnyConnect 3.x certificate auth prompts

Mick O'Rourke mkorourke at gmail.com
Thu Feb 23 23:31:45 EST 2012


If you're talking Windows 32 and 64bit, I've had the same issues over the
years, albeit it was by far the minority of machines that would have
problems:
- The easiest work-around in the end has been to use AnyConnect 2.3; 2.4
onwards to 3.x have all had the same result.
- Different result re: clicking cancel: no further prompt, only denied
access.
- Have been able to reproduce the problem with IOS 12.4, 15.x and ASA 8.x
as the back-end.
- YMMV, but I haven't been able to reproduce on the 3.x Mac clients or
Linux, be it the OpenConnect or AnyConnect clients.

Keen to know if you've found an answer to this.

Mick

For what it's worth my AnyConnect XML config:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">true</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <AutoReconnect UserControllable="true">true
      <AutoReconnectBehavior UserControllable="true">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="true">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="true">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="true">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false</RetainVpnOnLogoff>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>8.8.8.8</HostName>
      <HostAddress>8.8.8.8</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>

On Fri, Feb 24, 2012 at 8:14 AM, James Michael Keller <
jmkeller at houseofzen.org> wrote:

> All,
>
> Is there a way to prevent users with local identity certificates
> (including CAC ones) from being prompted by AnyConnect when we only
> have AAA selected for auth on the profile?
>
> With the default automatic certificate selection, if they have one cert
> installed it tries to use that automatically and fails without prompting
> for username/passcode (rsa tokens).
>
> With automatic selection installed they get prompted but can cancel from
> that window and get the login/passcode prompt as expected.
>
> --
>
> -James
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
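As an added example for this thread (not code from either post, and not Cisco's), a small Python reader/editor for the profile format Mick posted. It parses the profile namespace-aware, which is the usual stumbling block because the profile declares http://schemas.xmlsoap.org/encoding/ as its default namespace and unqualified ElementTree lookups find nothing; it reports each ClientInitialization setting with its UserControllable flag, and it can flip AutomaticCertSelection so the two client behaviours James describes (silent cert selection that never reaches the username/passcode prompt versus a cert prompt the user can cancel) can be compared profile-side. Mick reports that Cancel denies access on his machines instead, so the profile setting is only half the picture. The embedded profile and the host vpn.example.net are constructed for the example.

```python
"""Read and edit the certificate-selection settings of an AnyConnect client
profile (the XML format posted above).

Added example for this thread; not code from the post or from Cisco.
The embedded profile and the host vpn.example.net are constructed.
"""
import xml.etree.ElementTree as ET

# The posted profile declares this as its default namespace, so every
# ElementTree lookup has to be namespace-qualified or it finds nothing.
AC_NS = "http://schemas.xmlsoap.org/encoding/"
NS = {"ac": AC_NS}

# Constructed sample: same layout as the posted profile, trimmed to the
# elements relevant to the cert prompt, plus one mixed-content element
# (AutoReconnect) to show its value is still read correctly.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <AutoReconnect UserControllable="true">true
      <AutoReconnectBehavior UserControllable="true">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.net</HostName>
      <HostAddress>vpn.example.net</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"""


def _as_bool(text):
    return (text or "").strip().lower() == "true"


def read_profile(xml_text):
    """Return ({setting: {"value", "user_controllable"}}, [(HostName, HostAddress)])."""
    root = ET.fromstring(xml_text)
    init = root.find("ac:ClientInitialization", NS)
    if init is None:
        raise ValueError("profile has no ClientInitialization section")
    settings = {}
    for child in init:
        name = child.tag.split("}", 1)[-1]  # drop the "{namespace}" prefix
        settings[name] = {
            # For mixed content (AutoReconnect) this is the text before the
            # first child element, which is where the profile keeps the value.
            "value": (child.text or "").strip(),
            "user_controllable": _as_bool(child.get("UserControllable")),
        }
    hosts = [
        (entry.findtext("ac:HostName", default="", namespaces=NS),
         entry.findtext("ac:HostAddress", default="", namespaces=NS))
        for entry in root.iterfind("ac:ServerList/ac:HostEntry", NS)
    ]
    return settings, hosts


def set_automatic_cert_selection(xml_text, enabled):
    """Return the profile with AutomaticCertSelection set to true or false.

    Per James's post: with automatic selection the client picks the single
    installed identity cert on its own and never reaches the username/passcode
    prompt; without it the user gets a cert prompt and can cancel through to
    the AAA prompt. This switches a profile between the two without hand-editing.
    """
    ET.register_namespace("", AC_NS)  # serialise with the default namespace intact
    root = ET.fromstring(xml_text)
    el = root.find("ac:ClientInitialization/ac:AutomaticCertSelection", NS)
    if el is None:
        raise ValueError("profile has no AutomaticCertSelection element")
    el.text = "true" if enabled else "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    settings, hosts = read_profile(SAMPLE_PROFILE)
    for name, s in settings.items():
        who = "user may change" if s["user_controllable"] else "locked"
        print(f"{name:28} {s['value']:<22} ({who})")
    print("servers:", hosts)
    print(set_automatic_cert_selection(SAMPLE_PROFILE, True))
```

Point read_profile at the real profile (the XML Mick posted parses unchanged) to confirm what the client will actually do before arguing with the headend configuration.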

