cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11577
Views
0
Helpful
4
Replies

Anyconnect client auto connect

terry.johnson2
Level 1
Level 1

Hello

  I trying to get cisco anyconnect 4.4 client to connect at login. when away from the company.  I have starting and logging in as expected except before it finishes connecting I have to click on ok.  see attachment.  Is there a way to make it except the certificate with having to click ok.

 

Thanks for any help

1 Accepted Solution

Accepted Solutions

Try to configure certificate map to pin client certificate to tunnel-group.
In this case, it won't ask you to select the client certificate.

This is happening because you have multiple certificates in your store with
EKU as client authentication.

Otherwise, you can delete all other client certificates if you don't need
them.

For certificate maps, you can match attributes from the certificate such
as CA, Domain, etc and point it to TG. this is done from AnyConnect Profile
Editor

View solution in original post

4 Replies 4

Hi,

If you use the Always On option with Trusted Network detection option, this should allow the client to automatically connected when on an untrusted network (as in not the corp network). You would need to use the AnyConnect Profile Editor to configure these preferences.

 

Link here.

 

HTH

Try to configure certificate map to pin client certificate to tunnel-group.
In this case, it won't ask you to select the client certificate.

This is happening because you have multiple certificates in your store with
EKU as client authentication.

Otherwise, you can delete all other client certificates if you don't need
them.

For certificate maps, you can match attributes from the certificate such
as CA, Domain, etc and point it to TG. this is done from AnyConnect Profile
Editor

Thanks I did this and my problem was solved.

 

Try to configure certificate map to pin client certificate to tunnel-group.
In this case, it won't ask you to select the client certificate.  

stsargen
Cisco Employee
Cisco Employee

Hi,

 

The dialog in the screenshot is for tunnel group selection, and not certificate selection. In your case you have multiple tunnel groups configured on the headend so AnyConnect needs to prompt you to select one.  If you have auto-cert selection enabled and you click on the "OK" button, AnyConnect will send all certificates in the store (machine/user) depending on profile configuration until one works, or you run out of certs.

 

If you want to avoid the tunnel group selection you could us a group URL in the profile to bypass this dialog and be sent directly to the tunnel group specified.  If you want to specify a single certificate to send you can add a cert match rule to your profile.  

 

As for forcing a connection when off of the corporate network, you could use Trusted Network Detection with, or without Always On functionality as mentioned by   Mohammad

 

Steve S.