02-06-2014 04:25 AM - edited 02-21-2020 07:29 PM
Hi. Can anyone explain to me what exactly is the "Disable Automatic Certificate Selection" supposed to achieve?
My theory is that upon connecting to a VPN gateway (ASA) I am given an option to select the certificate I would like to use for authenticating myself.
However this option seems to have no effect at all.
Anyconnect always selects the certificate on its own and tries authenticating with it automatically.
Let's say one user account has several user certificates installed. The user can't select the desired certificate for authentication; some certificate is chosen randomly. Or maybe that user actually just wants to authenticate via the computer certificate.
I have disabled preference caching in AnyConnectLocalPolicy.xml (<RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>)
so none of the certificate thumbprints are cached in preferences.xml
The client profile pushed to AnyConnect clients does have automatic cert selection disabled:
<AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>
Any suggestions? thanks!
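As an added illustration (not code from the original post), the following script audits the two settings the post relies on: it parses a pushed client profile and an AnyConnectLocalPolicy.xml and reports anything that would still let the client pick a certificate on its own. The sample XML is constructed; the profile namespace and the RestrictPreferenceCaching values other than "Thumbprints" are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pushed client profile (element names as in the post;
# the namespace is assumed to be the one AnyConnect profiles normally carry).
PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutomaticCertSelection UserControllable="false">false</AutomaticCertSelection>
  </ClientInitialization>
</AnyConnectProfile>"""

# Constructed sample AnyConnectLocalPolicy.xml with thumbprint caching restricted.
LOCAL_POLICY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>"""

# Values assumed to cover thumbprints; only "Thumbprints" appears in the post.
THUMBPRINT_RESTRICTIONS = ("Thumbprints", "CredentialsAndThumbprints", "All")


def _find(root, tag):
    # Match an element by local name regardless of namespace.
    for el in root.iter():
        if el.tag.split("}")[-1] == tag:
            return el
    return None


def audit_cert_selection(profile_xml, policy_xml):
    """Return a list of findings; an empty list means manual cert selection is expected."""
    findings = []
    acs = _find(ET.fromstring(profile_xml), "AutomaticCertSelection")
    if acs is None:
        findings.append("profile: AutomaticCertSelection missing (client default is automatic)")
    else:
        if (acs.text or "").strip().lower() != "false":
            findings.append("profile: AutomaticCertSelection is not false")
        if acs.get("UserControllable", "false").lower() == "true":
            findings.append("profile: UserControllable=true lets a cached user preference override it")
    rpc = _find(ET.fromstring(policy_xml), "RestrictPreferenceCaching")
    value = (rpc.text or "").strip() if rpc is not None else ""
    if value not in THUMBPRINT_RESTRICTIONS:
        findings.append("local policy: certificate thumbprints may still be cached in preferences.xml")
    return findings


if __name__ == "__main__":
    print(audit_cert_selection(PROFILE_XML, LOCAL_POLICY_XML) or "no findings")
```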
02-06-2014 06:01 AM
Hi,
I already had this problem and the option you described helped me. So it depends on where your profile is stored and what system you are using.
On my Win7 default profile path is:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\AnyConnectProfile.xml
And the option which enables certificate selection is:
Please restart the AnyConnect services after profile modification or restart your system.
Also try to run the AnyConnect client with "Run as administrator".
Best regards,
Jan
02-06-2014 07:29 AM
That's funny because that is exactly how I'm running this.
Can you also choose between connection profiles when prompted to choose certificate?
What I really need is to choose between certificates AND an option to authenticate with plain AAA only.
Because I can choose AAA authentication (or any other connection profile) only when certificate-based validation fails.
02-06-2014 07:44 AM
Hi,
If I understand you well, you want two selection options during logging in to VPN.
It is possible and it depends on how you configure VPN on the ASA side. If you have more VPN profiles, one with certificate selection and another with simple LOCAL AAA authentication, then the client will offer you these two options in the combo box.
So have you solved your problem with cert. selection?
Best regards,
Jan
02-06-2014 11:35 PM
No, the issue is not resolved. I fixed the connection profile selection issue; I forgot I had previously done a certificate to connection profile mapping.
But still, not prompted for certificate selection. If I find a solution I will update.
thanks for the help so far!
02-07-2014 01:20 AM
Hi,
What I would try is to uninstall the AnyConnect client, then back up your profile folder, remove this profile folder and install the AnyConnect client again from scratch.
With a clean profile I would modify just the AutomaticCertSelection option and then restart the computer.
I also have experience with computers which are in a domain. Sometimes AnyConnect does not have sufficient privileges to look inside the cert store of the Windows system. When I installed a new system and used the same configuration from a computer with domain policy, it worked with no problem.
Also check the AnyConnect logs in Event Viewer.
Jan