10709 Views, 0 Helpful, 4 Replies

Anyconnect client auto connect

terry.johnson2
Level 1

Hello

I'm trying to get the Cisco AnyConnect 4.4 client to connect at login when away from the company. I have it starting and logging in as expected, except before it finishes connecting I have to click OK (see attachment). Is there a way to make it accept the certificate without having to click OK?

Thanks for any help


4 Replies

Hi,

If you use the Always On option with the Trusted Network Detection option, this should allow the client to automatically connect when on an untrusted network (as in, not the corp network). You would need to use the AnyConnect Profile Editor to configure these preferences.

Link here.

HTH

Try configuring a certificate map to pin the client certificate to the tunnel-group. In this case, it won't ask you to select the client certificate.

This is happening because you have multiple certificates in your store with EKU as client authentication.

Otherwise, you can delete all other client certificates if you don't need them.

For certificate maps, you can match attributes from the certificate such as CA, Domain, etc. and point it to the TG. This is done from the AnyConnect Profile Editor.

Thanks, I did this and my problem was solved.

Try configuring a certificate map to pin the client certificate to the tunnel-group. In this case, it won't ask you to select the client certificate.

stsargen
Cisco Employee

Hi,

The dialog in the screenshot is for tunnel group selection, not certificate selection. In your case you have multiple tunnel groups configured on the headend, so AnyConnect needs to prompt you to select one. If you have auto-cert selection enabled and you click the "OK" button, AnyConnect will send all certificates in the store (machine/user, depending on profile configuration) until one works or you run out of certs.

If you want to avoid the tunnel group selection, you could use a group URL in the profile to bypass this dialog and be sent directly to the tunnel group specified. If you want to specify a single certificate to send, you can add a cert match rule to your profile.

As for forcing a connection when off the corporate network, you could use Trusted Network Detection, with or without Always On functionality, as mentioned by Mohammad.

Steve S.
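A client profile that puts the three suggestions in this thread together (Trusted Network Detection with Always On from Mohammad's reply, a certificate match rule pinning the client certificate, and a group URL so the tunnel-group dialog never appears, both from Steve's reply), added here for illustration; it is not a profile posted in the thread or shipped by Cisco. The host name vpn.example.com, the DNS domain corp.example.com, the DNS server 10.0.0.53, the CA name "Example Corp Issuing CA" and the group name "remote-users" are placeholders. Element names follow the XML the AnyConnect Profile Editor writes; in practice the file is produced with the editor rather than by hand.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example profile. Host name, DNS domain, DNS server, CA name and
     group name are placeholders, not values from the thread. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ClientInitialization>
    <!-- Start the client at logon so the tunnel comes up without user action
         (Start Before Logon needs the SBL module installed on the client). -->
    <UseStartBeforeLogon UserControllable="false">true</UseStartBeforeLogon>
    <AutoConnectOnStart UserControllable="false">true</AutoConnectOnStart>

    <!-- Let the client pick the certificate automatically, but only from the
         issuer pinned in CertificateMatch below, instead of trying every
         client-auth certificate in the store one after another. -->
    <AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>false</CertificateStoreOverride>

    <!-- Trusted Network Detection: connect only when the client is off the
         corporate network, disconnect when it comes back on-net. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>  <!-- placeholder -->
      <TrustedDNSServers>10.0.0.53</TrustedDNSServers>          <!-- placeholder -->
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>
      <!-- Always On: the user cannot stay off-net without the VPN.
           Closed blocks non-VPN traffic if the headend is unreachable;
           Open lets the user keep working without the tunnel. -->
      <AlwaysOn>true
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>
        <AllowVPNDisconnect>false</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>

    <!-- Certificate match rule: the client only offers a certificate that has
         the digital-signature key usage, the client-auth EKU and was issued by
         the internal CA. Other client-auth certificates in the store are ignored. -->
    <CertificateMatch>
      <KeyUsage>
        <MatchKey>Digital_Signature</MatchKey>
      </KeyUsage>
      <ExtendedKeyUsage>
        <ExtKeyUsage>ClientAuth</ExtKeyUsage>
      </ExtendedKeyUsage>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Enabled">
          <Name>ISSUER-CN</Name>
          <Pattern>Example Corp Issuing CA</Pattern>            <!-- placeholder -->
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>

  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>                <!-- placeholder -->
      <!-- UserGroup makes the client connect to
           https://vpn.example.com/remote-users, which the headend maps to one
           tunnel group, so the tunnel-group selection dialog is never shown. -->
      <UserGroup>remote-users</UserGroup>                        <!-- placeholder -->
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Three things to check before pushing a profile like this: the UserGroup value only bypasses the dialog if the headend has a matching group-url configured on that tunnel group; a ConnectFailurePolicy of Closed means a user who cannot reach the headend also has no network access, so use Open where that is unacceptable; and it is the issuer pin in CertificateMatch, not AutomaticCertSelection alone, that stops the client from offering every client-auth certificate in the store.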