11-30-2012 08:36 AM - edited 02-21-2020 06:31 PM
Is there a way to prevent AnyConnect from caching the username of the last person who connected to the VPN?
Accepted Solutions
11-30-2012 09:08 AM
This can be done by specifying the "RestrictPreferenceCaching" parameter as described in the AnyConnect Admin Guide here:
By design, AnyConnect does not cache sensitive information to disk. Enabling this parameter extends this policy to any type of user information stored in the AnyConnect preferences.
- Credentials—The user name and second user name are not cached.
- Thumbprints—The client and server certificate thumbprints are not cached.
- CredentialsAndThumbprints—Certificate thumbprints and user names are not cached.
- All—No automatic preferences are cached.
- false—All preferences are written to disk (default—behavior consistent with AnyConnect 2.3 and earlier).
11-30-2012 10:00 AM
Thank you very much.
I just tested this in my lab setup and it actually worked; below is what I did:
1- I retrieved a copy of the AnyConnect Local Policy file (AnyConnectLocalPolicy.xml) from a client installation. In my XP, the file is in C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client
2- I changed the value below from false to Credentials
3- I then saved the XML file
Below is my current AnyConnectLocalPolicy.xml:
11-30-2012 10:02 AM
Excellent. Thanks for the feedback and rating.
Note that in a production setting you'll want to change the profile.xml file on the ASA so that it is deployed properly to all clients.
03-27-2014 02:01 PM
Marvin,
I tried your fix listed here. Unfortunately, it just doesn't work. Is there something I'm missing or something that is taking precedence over this? I've made this change to the AnyConnectLocalPolicy.xml file and rebooted the computer. The setting is still in the file, but my username continues to show up in the login box. You also mentioned that this setting can be pushed from the ASA in the profile.xml file. How does this work? I haven't seen anything on this. Any help is appreciated.
Andrew
03-27-2014 03:33 PM
I just double checked and it didn't work upon my initial launch of the AnyConnect VPN client. However, once I logged in and then out, when I went to log back in again the username credential field was blank as intended. (By the way, you can just kill the vpnui.exe process and relaunch it from your installation directory in lieu of a complete reboot in order to force the client to reparse the preferences file.)
From inspection of my profile directory it looks like there is a related file (ConfigParam.bin) that was updated in the process to make the change "stick".
The line I put in my AnyConnectLocalPolicy.xml is as follows:
<RestrictPreferenceCaching>Credentials</RestrictPreferenceCaching>
I misspoke last year when saying that file could be pushed out from the ASA. You'd have to use software distribution or a customized installer to modify that one. It's only the connection profile-related xml file that is pushed out / updated upon connection to a given ASA connection profile.
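Since this file cannot be pushed from the ASA and has to be distributed to each client by other means, it is worth being able to audit the copies that end up on endpoints. The script below is an added example (not from this thread, not Cisco's code): it reads an AnyConnectLocalPolicy.xml, reports whether the RestrictPreferenceCaching value still allows the last user name to be written to disk, and can emit a hardened copy with the element set to Credentials (the line quoted above). The policy document embedded in it is constructed for the demo, and its namespace URI is a placeholder; the only structural assumption is that the file is XML with a RestrictPreferenceCaching element somewhere under the root, which the script locates regardless of namespace.

```python
"""Audit / harden the RestrictPreferenceCaching setting in an AnyConnect local policy file.

Added example, not from the thread or from Cisco. Assumes only that the policy is an
XML document containing a <RestrictPreferenceCaching> element (any namespace).
"""
import sys
import xml.etree.ElementTree as ET

# Values that stop the user name from being cached, per the admin guide excerpt
# quoted in the accepted answer; "Thumbprints" and "false" leave it cached.
USERNAME_PROTECTING = {"Credentials", "CredentialsAndThumbprints", "All"}
VALID_VALUES = USERNAME_PROTECTING | {"Thumbprints", "false"}

# Constructed sample policy (namespace URI is a placeholder, not Cisco's schema).
SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="urn:example:anyconnect-local-policy" acversion="3.1">
  <FipsMode>false</FipsMode>
  <BypassDownloader>false</BypassDownloader>
  <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>
"""


def _local_name(tag):
    """Strip an ElementTree '{uri}name' namespace prefix, leaving 'name'."""
    return tag.rsplit("}", 1)[-1]


def _find_setting(root):
    for el in root.iter():
        if _local_name(el.tag) == "RestrictPreferenceCaching":
            return el
    return None


def get_caching_setting(xml_text):
    """Return the RestrictPreferenceCaching value, or None if the element is absent."""
    el = _find_setting(ET.fromstring(xml_text))
    return None if el is None else (el.text or "").strip()


def username_cached(xml_text):
    """True if this policy lets AnyConnect write the last user name to disk."""
    value = get_caching_setting(xml_text)
    if value is None:
        return True  # absent element behaves like the default "false": everything cached
    if value not in VALID_VALUES:
        raise ValueError(f"unknown RestrictPreferenceCaching value: {value!r}")
    return value not in USERNAME_PROTECTING


def harden(xml_text, value="Credentials"):
    """Return a copy of the policy with RestrictPreferenceCaching set to `value`.

    The element is added under the root (in the root's namespace) if it is missing.
    """
    if value not in VALID_VALUES:
        raise ValueError(f"refusing to write unknown value {value!r}")
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    el = _find_setting(root)
    if el is None:
        tag = f"{{{ns}}}RestrictPreferenceCaching" if ns else "RestrictPreferenceCaching"
        el = ET.SubElement(root, tag)
    el.text = value
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace unprefixed on output
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python audit_policy.py [path/to/AnyConnectLocalPolicy.xml]
    # With no argument the constructed sample is audited and hardened in memory.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    print("RestrictPreferenceCaching =", get_caching_setting(text))
    print("user name cached to disk:", username_cached(text))
    if username_cached(text):
        print("hardened copy:\n" + harden(text))
```

Run it against a copy of the file pulled from an endpoint to confirm the value actually present on disk; as Andrew's report above shows, the element being present is not proof the client has picked it up, so pair the audit with the relaunch-and-reconnect check Marvin describes.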
03-28-2014 05:06 AM
Thanks Marvin. I'll keep working with it. If I get it to work, I'll post back what I was doing wrong. Thanks again for looking at this again a year later!
Andrew
