02-16-2017 06:59 AM - edited 02-21-2020 09:09 PM
I have implemented Cisco AnyConnect on my ASA 5525, to use both login and certificate. It is working perfectly except that every time a user connects they get prompted to select the certificate. Only the one certificate is listed and if you click OK, you get prompted for the password, then you connect. Is it possible to not have to select the certificate every time? I tried setting up certificate matching but users still get prompted.
02-16-2017 07:04 AM
Uncheck the "Disable Automatic Certificate Selection" under the AnyConnect client XML Profile Preferences section.
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/anyconnect-profile-editor.html
This is enabled by default when a profile is used.
02-16-2017 07:25 AM
Thanks for the quick response, I did try that but I still get prompted every time. Here is a copy of my settings.
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <ShowPreConnectMessage>false</ShowPreConnectMessage>
    <CertificateStore>Machine</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
    <ProxySettings>Native</ProxySettings>
    <AllowLocalProxyConnections>true</AllowLocalProxyConnections>
    <AuthenticationTimeout>12</AuthenticationTimeout>
    <AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>
    <MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>
    <LocalLanAccess UserControllable="true">true</LocalLanAccess>
    <DisableCaptivePortalDetection UserControllable="true">false</DisableCaptivePortalDetection>
    <ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>
    <IPProtocolSupport>IPv4,IPv6</IPProtocolSupport>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>
    </AutoReconnect>
    <AutoUpdate UserControllable="false">true</AutoUpdate>
    <RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
    <WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
    <WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
    <AutomaticVPNPolicy>false</AutomaticVPNPolicy>
    <PPPExclusion UserControllable="false">Disable
      <PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
    </PPPExclusion>
    <EnableScripting UserControllable="false">false</EnableScripting>
    <CertificateMatch>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">
          <Name>DC</Name>
          <Pattern>encore</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
    <EnableAutomaticServerSelection UserControllable="false">false
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
    <RetainVpnOnLogoff>false
    </RetainVpnOnLogoff>
    <AllowManualHostInput>true</AllowManualHostInput>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.company.com</HostName>
      <HostAddress>vpn.company.com</HostAddress>
      <UserGroup>AnyConnect-EU-Mobile</UserGroup>
    </HostEntry>
    <HostEntry>
      <HostName>EU-C5525x-SP-01</HostName>
      <HostAddress>123.12.12.12</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
02-16-2017 01:09 PM
Did you make the change on the ASA or the local file? If the ASA, wait for the second attempt as the first attempt is used to update the profile. If made local to the client only, this will be updated back to the old setting after a connection.
Also, try removing the cert matching rules. Do you have more than 1 client certificate in your user store that matches the rules?
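An added example, not from the thread or from Cisco: a small Python checker that parses a profile like the one posted above, reads AutomaticCertSelection and the DistinguishedName rules, and applies them to a constructed set of certificate subjects to count how many would match (the situation the reply above asks about). The matching semantics used here (Wildcard=Enabled as substring match, MatchCase=Disabled as case folding, Operator NotEqual as negation) are an assumption about the client's documented behaviour; the certificates and labels are made up.

```python
import xml.etree.ElementTree as ET
NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}  # namespace used by the posted profile

# Constructed sample: only the elements of the thread's profile relevant to cert selection.
PROFILE_XML = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"><ClientInitialization>
<AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
<CertificateMatch><DistinguishedName>
<DistinguishedNameDefinition Operator="Equal" Wildcard="Enabled" MatchCase="Disabled">
<Name>DC</Name><Pattern>encore</Pattern></DistinguishedNameDefinition>
</DistinguishedName></CertificateMatch></ClientInitialization></AnyConnectProfile>"""

# Constructed certificate store contents (hypothetical); subject DN given as {attribute: [values]}.
CERTS = [
    {"label": "corp-user", "dn": {"CN": ["jdoe"], "DC": ["encore", "local"]}},
    {"label": "lab-user", "dn": {"CN": ["jdoe"], "DC": ["example", "com"]}},
]

def parse_profile(xml_text):
    # Pull out AutomaticCertSelection and every DistinguishedNameDefinition rule.
    init = ET.fromstring(xml_text).find("ac:ClientInitialization", NS)
    auto = init.findtext("ac:AutomaticCertSelection", default="true", namespaces=NS)
    rules = [{
        "name": d.findtext("ac:Name", namespaces=NS),
        "pattern": d.findtext("ac:Pattern", namespaces=NS),
        "equal": d.get("Operator", "Equal") == "Equal",
        "wildcard": d.get("Wildcard", "Disabled") == "Enabled",   # assumed: substring match
        "match_case": d.get("MatchCase", "Enabled") == "Enabled",  # assumed: else case-folded
    } for d in init.iterfind(".//ac:DistinguishedNameDefinition", NS)]
    return {"auto_select": auto.strip().lower() == "true", "rules": rules}

def rule_matches(rule, dn):
    """Assumed semantics: pattern anywhere in the value when Wildcard is Enabled, exact otherwise."""
    fold = (lambda s: s) if rule["match_case"] else str.lower
    pat = fold(rule["pattern"])
    hit = any(pat in fold(v) if rule["wildcard"] else pat == fold(v) for v in dn.get(rule["name"], []))
    return hit if rule["equal"] else not hit

def matching_certs(profile, certs):
    return [c["label"] for c in certs if all(rule_matches(r, c["dn"]) for r in profile["rules"])]

def diagnose(profile, certs):
    # Reasons the client would still show a certificate picker, following the replies in the thread.
    reasons = []
    if not profile["auto_select"]:
        reasons.append("AutomaticCertSelection is false: 'Disable Automatic Certificate Selection' is checked")
    hits = matching_certs(profile, certs)
    if len(hits) > 1:
        reasons.append(f"{len(hits)} certificates match the CertificateMatch rules: {hits}")
    elif not hits:
        reasons.append("no certificate matches the CertificateMatch rules")
    return reasons
```

Run `diagnose(parse_profile(open(path).read()), certs)` against the subjects exported from the Machine store the profile points at; an empty list means the profile itself gives no reason for the prompt.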
02-16-2017 01:46 PM
Change was made on the ASA and I did try logging out and back in a few times. I removed the matching rules and it made no difference. Only one cert is matching but users still have to hit OK to accept it every time. I've read through the setup guide a few times and read several posts on the subject. Everything looks correct as far as I can tell.
02-16-2017 02:25 PM
Strange. So the client XML is updated from the ASA. Everything looks correct to me too. Do you have other profiles also in the same profile folder? The settings merge for the same host entry if multiple profiles exist. Also, are you choosing the entry from the dropdown or manually typing in the VPN FQDN?
02-17-2017 12:05 PM
No other policies in the folder. I am picking the entry from the drop down.
02-18-2017 11:42 AM
This looks weird. I would collect the DART bundle after a connection attempt and read the "Anyconnect.txt" file to see if the profile is being used for the connection or not. If you can, attach it here so that I can take a look.