Beginner

Is there a way to prevent AnyConnect from caching the username of the last person who connected to the VPN?

1 ACCEPTED SOLUTION

Hall of Fame Guru

This can be done via specifying the "RestrictPreferenceCaching" parameter as described in the AnyConnect Admin Guide here:

By design, AnyConnect does not cache sensitive information to disk. Enabling this parameter extends this policy to any type of user information stored in the AnyConnect preferences.

Credentials—The user name and second user name are not cached.

Thumbprints—The client and server certificate thumbprints are not cached.

CredentialsAndThumbprints—Certificate thumbprints and user names are not cached.

All—No automatic preferences are cached.

false—All preferences are written to disk (default—behavior consistent with AnyConnect 2.3 and earlier).

6 REPLIES
Thank you very much

I just tested this in my lab setup and it actually worked; below is what I did:

1- I retrieved a copy of the AnyConnect Local Policy file (AnyConnectLocalPolicy.xml) from a client installation. In my XP, the file is in C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client

2- I changed the value below from false to Credentials

<RestrictPreferenceCaching>Credentials</RestrictPreferenceCaching>

3- I then saved the XML file

4- I quit AnyConnect and launched it again; I connected, then disconnected, and my JBound no longer appears.

Below is my current AnyConnectLocalPolicy.xml:

<RestrictPreferenceCaching>Credentials</RestrictPreferenceCaching>
false
false
false

Excellent. Thanks for the feedback and rating.

Note that in a production setting you'll want to change the profile.xml file on the ASA so that it is deployed properly to all clients.

Marvin, 

I tried your fix listed here. Unfortunately, it just doesn't work. Is there something I'm missing or something that is taking precedence over this? I've made this change to the AnyConnectLocalPolicy.xml file and rebooted the computer. The setting is still in the file, but my username continues to show up in the login box. You also mentioned that this setting can be pushed from the ASA in profile.xml file. How does this work? I haven't seen anything on this. Any help is appreciated.

Andrew

I just double checked and it didn't work upon my initial launch of the AnyConnect VPN client. However, once I logged in and then out, when I went to log back in again the username credential field was blank as intended. (By the way, you can just kill the vpnui.exe process and relaunch it from your installation directory in lieu of a complete reboot in order to force the client to reparse the preferences file.)

From inspection of my profile directory it looks like there is a related file (ConfigParam.bin) that was updated in the process to make the change "stick".

The line I put in my AnyConnectLocalPolicy.xml is as follows:

<RestrictPreferenceCaching>Credentials</RestrictPreferenceCaching>

I misspoke last year when saying that file could be pushed out from the ASA. You'd have to use software distribution or a customized installer to modify that one. It's only the connection profile-related xml file that is pushed out / updated upon connection to a given ASA connection profile.
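As an added example (not from this thread, and not Cisco's code), the check and edit described in the numbered steps above, written as a script that a software distribution tool of the kind Marvin mentions could run on each client: it reads the policy XML, reports whether the last user name would still be written to disk, and sets RestrictPreferenceCaching to one of the values listed in the Admin Guide excerpt. The root element name, the xmlns and the constructed sample file are assumptions; only the element name and its documented values come from the thread.

```python
"""Audit or set RestrictPreferenceCaching in an AnyConnectLocalPolicy.xml."""
import xml.etree.ElementTree as ET

# Documented values, taken from the Admin Guide excerpt in the accepted answer.
ALLOWED = {"Credentials", "Thumbprints", "CredentialsAndThumbprints", "All", "false"}
# Values under which the user name is not cached.
HIDES_USERNAME = {"Credentials", "CredentialsAndThumbprints", "All"}
ELEMENT = "RestrictPreferenceCaching"

def _local(tag):
    """Strip a '{namespace}' prefix so matching works with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]

def _find(root):
    return next((e for e in root.iter() if _local(e.tag) == ELEMENT), None)

def current_value(xml_text):
    """Effective value; a missing element means the documented default, 'false'."""
    el = _find(ET.fromstring(xml_text))
    return (el.text or "").strip() if el is not None else "false"

def username_cached(xml_text):
    """True when the last user name would still be written to the preferences."""
    return current_value(xml_text) not in HIDES_USERNAME

def set_value(xml_text, value="Credentials"):
    """Return the policy with RestrictPreferenceCaching set to value (added if absent)."""
    if value not in ALLOWED:
        raise ValueError(f"{value!r} is not a documented RestrictPreferenceCaching value")
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    el = _find(root)
    if el is None:
        el = ET.SubElement(root, f"{{{ns}}}{ELEMENT}" if ns else ELEMENT)
    el.text = value
    if ns:
        ET.register_namespace("", ns)  # keep the default xmlns instead of an ns0: prefix
    return ET.tostring(root, encoding="unicode")

# Constructed sample: root name and xmlns are assumptions; only the
# RestrictPreferenceCaching element and its values come from the thread.
SAMPLE = """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
<RestrictPreferenceCaching>false</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>"""

if __name__ == "__main__":
    print("before:", current_value(SAMPLE), "user name cached:", username_cached(SAMPLE))
    fixed = set_value(SAMPLE, "Credentials")
    print("after:", current_value(fixed), "user name cached:", username_cached(fixed))
```

The returned text is what the distribution job writes back to the policy file on the client; as the thread notes, the client must be restarted (or vpnui.exe relaunched) before it reparses the file.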

Thanks Marvin. I'll keep working with it. If I get it to work, I'll post back what I was doing wrong. Thanks again for looking at this again a year later!

Andrew