Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
353
Views
0
Helpful
2
Replies

Anyconnect For New Imaged Machine With Users And Machine Certificate

AhmedALJAWAD44875
Level 1
Level 1

‎03-03-2023 08:40 AM

Hi All, 

 We have an issue with the new imaged machine. Here is a brief 

- We have a users and management tunnel with user certificates for the users and machine certificates for the Mgmt tunnel 

- User tunnel auto connect when the user logs in, and of course, mgmt tunnel connects automatically when users are not logged in the window. 

- Our IT support Imaging a new laptop with a preconfigured image. The new image it automatically domain joined and has the machine certificate included by default. 

- Management tunnel connect, The user is able to log in to the machine with AD credentials. There is a connection to AD from Mgmt tunnel

- THE ISSUE IS: when the first time user login to the machine " help desk doesn't want to access the user account on corp network" , the user account don't have a user certificate. it will try to download it from AD, BUT the mgmt tunnel is disconnecting cause the user is logged in to the window now. so there will be no connection to the certificate enrollment server to pull the user certificate

I guess what will solve my issue is if there is a way we can keep mgmt tunnel connected until the user account can connect the certificate enrolment server to pull the user certificate. 

Thank you in Advance 

 

 

 

0 Helpful
2 Replies 2

Rob Ingram
VIP
VIP

‎03-03-2023 09:12 AM

Hi @AhmedALJAWAD44875 when the user logs into the VPN this will disconnect the mgmt tunnel. Perhaps just use the machine certificate instead of the user certificate. You can specify which certificate store to use in the XML profile, use the AnyConnect Profile Editor to select this.

0 Helpful

AhmedALJAWAD44875
Level 1
Level 1
In response to Rob Ingram

‎03-03-2023 09:14 AM

Yes , I was thinking the same. hopfully our security department will like the idea.. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card