09-24-2017 04:38 AM - edited 03-12-2019 04:34 AM
Hi,
I have an installation whereby I cannot connect using AnyConnect 4.5.01044 (on Windows 10) when a Yubico Yubikey is present. This is because the certificate required is on the machine, not the Yubikey (which is presenting a Smart Card certificate store). Is there any way (through policy or AC profiles) to force AnyConnect to ignore the (empty) certificate store on the Yubikey?
Cheers,
Matt
10-02-2017 07:36 PM - edited 10-02-2017 07:46 PM
Hi Matt,
This was determined to be an issue with Yubikey, not a Cisco problem.
In order to fix it, please do the following:
We can disable the "Smartcard Removal Feature" using the smartcard-removal-disconnect command:
group-policy name attributes
smartcard-removal-disconnect disable
Rate if it helps.
Regards,
Josue Brenes
TAC - VPN Engineer.
01-15-2018 08:07 AM
This is not an issue with Yubikey removal. The certificate required for VPN access is on the machine; this together with a second factor username/password provides access. When the Yubikey is inserted, it presents an (empty) certificate store to the host, and AnyConnect cannot then find the user certificate for authentication. Is there a way to select the certificate store, or ignore the empty store on the Yubikey (or indeed any other smart card)?
02-13-2019 11:45 AM
Fix for us was to use the Yubikey Manager app to disable the CCID/smartcard interface on the key - this way no empty store is presented and the local machine/local user is used as expected.
03-30-2020 01:20 AM
Hi there.
Reaching out to you guys in hope of some help.
Company has decided to go down the Yubikey route for higher login security. We have AD and work with user/pass verification at login.
Our ASA/AnyConnect setup is working based on the AD being set as the validating identity for the user/pass combo given at AnyConnect connection attempt.
The Yubikey will be a passwordless system I am told ... So I am wondering what changes to make in the ASA to make this work?
I read some articles about setting Yubikey as the 2nd factor - but in our case I think it will be 1st and only factor. Any guidance will be highly appreciated.