Possible bug in Anyconnect using SmartCard on linux

Hi,

I have got AnyConnect smartcard authentication running from Linux clients using NetId.

My problem is that this only works the very first time an AnyConnect client is started.

I can do connect/reconnect as many times as I want, but if I quit the AnyConnect client and start it again, smartcard authentication will not work any more.

I sort of nailed the problem down to being associated with the user profile for AnyConnect being created (which seems to be read on client startup).

~/.anyconnect

Even further, the problem seems to be specific to the element

<ClientCertificateThumbprint>

If I either remove this specific element from the profile or entirely remove the profile, then start the client again, smartcard authentication will work.

The AnyConnect logs do not seem to shed any light on the problem.

The Thumbprint written in the profile is always the same.

Hope this is understandable and that someone could give an explanation for this.

Do not hesitate to ask if anything is unclear or you need further information.

Best regards

/Mattias

4 Replies

Craig Lorentzen (Cisco Employee)

Hello Mattias,

It would be helpful to indicate the exact version of AnyConnect you are seeing this issue with.  Also, if the issue is seen/not seen with other versions of the AnyConnect client.

As a workaround, since you have found it to be related to the cached Thumbprint, can you test disabling this caching?

The Local Policy can be created in /opt/cisco/anyconnect/ as AnyConnectLocalPolicy.xml

Create a new XML file and add the following to it (the XML was garbled in the page as captured; the root element and the RestrictPreferenceCaching element are reconstructed from the AnyConnect local policy schema, the attributes and the Thumbprints value are as posted):

-----

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="3.9.9999">
    <RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>

----- please find this file attached

Then we should delete the preferences (~/.anyconnect)

and re-test to see if we can still reproduce the issue.  

More information on these Restriction options

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac13vpnxmlref.html#wp1059543

This may be related to a new bug filed against 3.0.4235

CSCtt26527    AnyConnect 3.0.4235 password authentication fails w/ CAC Certs cached

Regards,

Craig
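A small diagnostic for the workaround described in the reply above, added here as an example and not part of the thread or of any Cisco tooling: it parses a copy of the per-user preferences file (~/.anyconnect) and of AnyConnectLocalPolicy.xml, reports whether a ClientCertificateThumbprint is cached and whether the local policy already restricts thumbprint caching, and lists which of the two steps is still outstanding. The sample XML is constructed (the thumbprint value is made up); the RestrictPreferenceCaching element and its values are taken from the AnyConnect local policy schema, and the preferences root element name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the per-user preferences file (~/.anyconnect); the
# <ClientCertificateThumbprint> element is the one named in the thread, the
# hex value is made up and the root element name is an assumption.
SAMPLE_PREFERENCES = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultHostName>vpn.example.com</DefaultHostName>
  <ClientCertificateThumbprint>0123456789ABCDEF0123456789ABCDEF01234567</ClientCertificateThumbprint>
</AnyConnectPreferences>
"""

# Constructed AnyConnectLocalPolicy.xml with the thumbprint-caching restriction
# from the reply applied (element name and value per the local policy schema).
SAMPLE_LOCAL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" acversion="3.9.9999">
  <RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>
"""

# RestrictPreferenceCaching values that stop the thumbprint from being written.
RESTRICTS_THUMBPRINTS = {"Thumbprints", "CredentialsAndThumbprints", "All"}


def find_text(xml_text, local_name):
    """Text of the first element with this local name (namespace ignored, since
    the local policy declares one); None if absent, empty or unparseable."""
    if not xml_text:
        return None
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None


def diagnose(prefs_xml, policy_xml):
    """Is the stale thumbprint present, and does the local policy already stop
    it from being cached again? Returns the state plus the steps still needed."""
    thumbprint = find_text(prefs_xml, "ClientCertificateThumbprint")
    restricted = find_text(policy_xml, "RestrictPreferenceCaching") in RESTRICTS_THUMBPRINTS
    actions = []
    if thumbprint:
        actions.append("delete ~/.anyconnect")  # clear the cached thumbprint once
    if not restricted:
        actions.append("add <RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>")
    return {"cached_thumbprint": thumbprint, "restricted": restricted, "actions": actions}
```

On a real client, read the two files from the paths named in the reply and pass their contents to diagnose(); a missing local policy file is passed as None and counts as unrestricted.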

Hi Craig,

You are right, the version tested was 3.0.4235.

I have also tested 3.0.1047 with the same result.

Version 2.5.3054 tested okay.

Your workaround to the problem with

AnyConnectLocalPolicy.xml with Thumbprints

works as well.

Best regards

/Mattias

I have had a look at

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt26527

and the description does not seem to be the same.

I can mention that I have done the same tests on both Windows and Linux. The problem does not exist on the Windows client version 3.0.4235 but only on Linux.

Best regards.

/Mattias

Mattias,

Please understand that these issues are all new to us.  We had not seen these prior to two cases that I know of opened in the same week as yours.  If you wish to pursue a fix for this further, beyond the successful workaround, please open a TAC case so that we can collect the details and file another bug if needed.  Please ensure that you include the workaround in your case opening notes so that the TAC engineer who gets it can note that.

-Craig
