Anyconnect 3.0 & Disable Automatic Certificate selection
05-30-2012 07:59 AM - edited 02-21-2020 06:06 PM
Hi,
I want to disable automatic certificate selection in AnyConnect 3.0 in order to connect from a single host (laptop) to two different groups on the ASA. These are the steps that I have followed.
1. Create two groups in ASA
2. Create maps for certificates in "Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps"
3. Connect successfully to the two groups, but the problem is that when I have both certificates installed on the laptop I can't select the group I want to log in to.
4. Create the following XML with the VPN Local Policy Editor
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>false</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">false</LocalLanAccess>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Automatic
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <EnableAutomaticServerSelection UserControllable="true">false
      <AutoServerSelectionImprovement></AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime></AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
  </ClientInitialization>
</AnyConnectProfile>
I uploaded it to the ASA and added it to both groups.
Then I connect again, and in the preferences I can see that automatic certificate selection is unchecked.
But when I disconnect and try to connect again this option disappears and I cannot select the group I want to connect to.
So I think that this option is not saved locally somewhere on the laptop.
Can anyone help me?
Is something wrong in the configuration?
Labels: AnyConnect
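Before pushing a profile to the ASA or dropping it into the client's Profile folder, it is worth reading back what the XML actually says. The following is an added example, not code from the thread or from Cisco: it parses an AnyConnectProfile document in the same namespace as the one posted above and reports the effective AutomaticCertSelection setting. The trimmed sample profile embedded in it is constructed from the question's ClientInitialization block; run against it, the check reports that the element is set to true, meaning the client selects the certificate itself rather than prompting.

```python
"""Audit an AnyConnect client profile for the certificate-selection setting."""
import xml.etree.ElementTree as ET

# Default namespace used by the profile posted in the thread.
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}

# Constructed sample: the question's ClientInitialization block, trimmed to
# the elements that govern certificate selection.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>
  </ClientInitialization>
</AnyConnectProfile>"""


def cert_selection_settings(profile_xml: str) -> dict:
    """Return the certificate-selection settings a profile actually carries.

    'automatic' is True when the client picks a certificate by itself,
    False when it prompts the user, and None when the element is absent
    (so 'not set' can be told apart from 'set to false').
    """
    root = ET.fromstring(profile_xml)
    init = root.find("ac:ClientInitialization", NS)
    if init is None:
        raise ValueError("profile has no ClientInitialization block")

    auto = init.find("ac:AutomaticCertSelection", NS)
    automatic = None if auto is None else (auto.text or "").strip().lower() == "true"
    store = init.findtext("ac:CertificateStore", default="", namespaces=NS).strip()
    return {
        "automatic": automatic,
        # Whether the user may flip the checkbox in the client preferences.
        "user_controllable": auto is not None and auto.get("UserControllable") == "true",
        "store": store,
    }


def audit(profile_xml: str) -> list:
    """Findings for an admin who expects the client to prompt; [] means OK."""
    s = cert_selection_settings(profile_xml)
    findings = []
    if s["automatic"] is None:
        findings.append("AutomaticCertSelection missing; client default applies")
    elif s["automatic"]:
        findings.append("AutomaticCertSelection is true: client picks the cert, no prompt")
    return findings


if __name__ == "__main__":
    print(cert_selection_settings(SAMPLE_PROFILE))
    print(audit(SAMPLE_PROFILE) or ["OK: client will prompt for a certificate"])
```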
05-30-2012 03:34 PM
Hi,
That option is in the XML profile, which as you know should be in the profiles folder of the AnyConnect client. Once it is there, if you have more than one certificate in the user store the AC client will ask you to choose.
Is this what you have?
Thanks.
Sent from Cisco Technical Support Android App
05-31-2012 01:24 AM
Hi Javier,
What do you mean by "should be in the profiles folder of the AnyConnect client"? Is this a folder on the laptop, like "C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client", or somewhere on the ASA?
Thank you
06-01-2012 01:36 AM
I am still quite confused about where to save the XML file in order to disable automatic certificate selection for the AnyConnect client on the laptop. I have searched the Cisco site but it is not clear what to do. Can anyone describe the procedure to me step by step? I think that I am missing something quite simple.
Thank you
06-01-2012 05:21 AM
Hi,
The file is in here:
%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile
Please keep me posted.
Thanks.
06-01-2012 05:27 AM
Hi, I already have the file there but it still does not work. Its file name is 1.xml.
this is the xml file
Could you please check it?
thank you
06-01-2012 05:29 AM
Here is the full path:
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile
and there is also a file "AnyConnectProfile.xsd".
thank you
06-06-2012 06:31 AM
Can anyone give me the correct path on Win7 and WinXP, because I still haven't found any solution.
Thank you
04-27-2013 11:50 PM
Hi man,
Did you get any solution? Because I am facing exactly the same problem.
1. On the website I am able to get the certificate selection dialog box.
2. But the AnyConnect software does not prompt; it automatically selects certificates.
I have done most of the things advised on the Cisco forum but can't find any solution. Please share if you found one.
Thanks.
04-29-2013 05:39 AM
Hi John,
It should work without any issues as long as the AnyConnect client has rights to access the certificate store.
Are you running the latest 3.1.x AnyConnect client or still on 3.0.x?
Are you testing with an admin account?
Thanks for your time.
05-01-2013 11:18 AM
Thanks Javier,
I have admin rights on Windows and AnyConnect can access the certificate store. I am using AnyConnect client 3.1.
I tried so much but couldn't do it on the client, whereas on the web I get to select the certificate manually. The AnyConnect client is able to access the certificate store: I can see in the debug on ASA 4.8 that there are 4 certificates available in the certificate store and AnyConnect tries them all and matches the one which is valid. So this means that it can access the certificate store.
If you need any specific debugs I can provide those too.
Thanks for replying to my issue.
