
AnyConnect 4.5 and Yubikey

mmelbourne
Level 5

Hi,

I have an installation whereby I cannot connect using AnyConnect 4.5.01044 (on Windows 10) when a Yubico Yubikey is present. This is because the certificate required is on the machine, not the Yubikey (which is presenting a Smart Card certificate store). Is there any way (through policy or AC profiles) to force AnyConnect to ignore the (empty) certificate store on the Yubikey?

 

Cheers,
Matt

4 Replies

Josue Brenes
Cisco Employee

Hi Matt,

This was determined to be an issue with yubikey, not a Cisco problem.

In order to fix it, please, do the following:

We can disable the "Smartcard Removal Feature" using the smartcard-removal-disconnect command:

 

group-policy name attributes
 smartcard-removal-disconnect disable

 

Rate if it helps.

 

Regards,

Josue Brenes

TAC - VPN Engineer.

This is not an issue with Yubikey removal. The certificate required for VPN access is on the machine; this together with a second factor username/password provides access. When the Yubikey is inserted, it presents an (empty) certificate store to the host, and AnyConnect cannot then find the user certificate for authentication. Is there a way to select the certificate store, or ignore the empty store on the Yubikey (or indeed any other smart card)?

Fix for us was to use the yubikey manager app to disable the CCID/smartcard interface on the key - this way no empty store is presented and the local machine/local user is used as expected.

Hi there.

 

Reaching out to you guys in hope of some help.

Company has decided to go down the Yubikey route for higher login security. We have AD and work with user/pass verification at login.

Our ASA/Anyconnect setup is working based on the AD being set as the validating identity for the user/pass combo given at Anyconnect connection attempt.

The yubikey will be a passwordless system I am told ... So I am wondering what changes to make in the ASA to make this work?

I read some articles about setting Yubikey as the 2nd factor - but in our case I think it will be 1st and only factor. Any guidance will be highly appreciated.