10-21-2011 08:31 AM - edited 02-21-2020 05:40 PM
Hi,
I have got Anyconnect smartcard authentication running from Linux-clients using NetId.
My problem is that this only works the very first time an anyconnect client is started.
I can do connect/reconnect as many times as I want, but if I quit the anyconnect client and start it again smartcard authentication will not work any more.
I sort of nailed the problem down to being associated with the user profile for anyconnect being created (which seems to be read on client startup).
~/.anyconnect
Even further, the problem seems to be specific to the element
<ClientCertificateThumbprint>
If I either remove this specific element from the profile or entirely remove the profile, then start the client again, smartcard authentication will work.
The anyconnect logs do not seem to shed any light on the problem.
The Thumbprint written in the profile is always the same.
Hope this is understandable and that someone could give an explanation to this.
Do not hesitate to ask if anything is unclear or you need further information.
Best regards
/Mattias
10-21-2011 09:26 AM
Hello Mattias,
It would be helpful to indicate the exact version of AnyConnect you are seeing this issue with. Also, if the issue is seen/not seen with other versions of the AnyConnect client.
As a workaround, since you have found it to be related to the cached Thumbprint, can you test disabling this caching?
The Local Profile can be created in /opt/cisco/anyconnect/ as AnyConnectLocalPolicy.xml
Create a new xml file and add the following to it
-----
----- please find this file attached
Then we should delete the preferences (~/.anyconnect)
and re-test to see if we can still reproduce the issue.
More information on these Restriction options
This may be related to a new bug filed against 3.0.4235
CSCtt26527 AnyConnect 3.0.4235 password authentication fails w/ CAC Certs cached
Regards,
Craig
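To check a Linux host for the situation described in this thread (a thumbprint persisted in ~/.anyconnect with no local policy stopping the client from reusing it), here is an added Python example; it is not part of this thread or of Cisco's software. The element name RestrictPreferenceCaching and its values are assumed from the AnyConnect local policy schema, and the sample files and thumbprint are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Optional

# Constructed sample inputs (not real captures). The thumbprint is a placeholder.
PREFS_WITH_THUMBPRINT = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
  <DefaultUser>mattias</DefaultUser>
  <ClientCertificateThumbprint>0123456789ABCDEF0123456789ABCDEF01234567</ClientCertificateThumbprint>
</AnyConnectPreferences>"""
POLICY_DEFAULT = '<AnyConnectLocalPolicy xmlns="urn:constructed:example"></AnyConnectLocalPolicy>'
POLICY_RESTRICTED = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="urn:constructed:example">
  <RestrictPreferenceCaching>Thumbprints</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>"""

def _find_text(xml_text: str, name: str) -> Optional[str]:
    """Text of the first element whose local name matches, ignoring namespaces."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            return (el.text or "").strip()
    return None

def cached_thumbprint(prefs_xml: str) -> Optional[str]:
    """Thumbprint the client persisted in ~/.anyconnect, or None if absent."""
    return _find_text(prefs_xml, "ClientCertificateThumbprint")

def caching_restricted(policy_xml: str) -> bool:
    """True when the local policy stops the client from caching thumbprints.
    Element name and values (None, Credentials, Thumbprints,
    CredentialsAndThumbprints, All) are assumed from the local policy schema."""
    value = _find_text(policy_xml, "RestrictPreferenceCaching")
    return value in {"Thumbprints", "CredentialsAndThumbprints", "All"}

def diagnose(prefs_xml: str, policy_xml: str) -> str:
    """Classify the host: will a stale cached thumbprint be reused on next start?"""
    has_thumbprint = cached_thumbprint(prefs_xml) is not None
    if has_thumbprint and not caching_restricted(policy_xml):
        return "stale"        # thumbprint cached and nothing stops the client reusing it
    if has_thumbprint:
        return "restricted"   # policy stops caching, but the old entry must be deleted once
    return "clean"

if __name__ == "__main__":
    prefs = Path.home() / ".anyconnect"
    policy = Path("/opt/cisco/anyconnect/AnyConnectLocalPolicy.xml")
    prefs_xml = prefs.read_text() if prefs.is_file() else PREFS_WITH_THUMBPRINT
    policy_xml = policy.read_text() if policy.is_file() else POLICY_DEFAULT
    print(diagnose(prefs_xml, policy_xml))
```

When run on a real host it reads the two files named in the thread and falls back to the constructed samples if they are absent.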
10-25-2011 01:55 AM
Hi Craig,
You are right, the version tested was 3.0.4235.
I have also tested 3.0.1047 with the same result.
Version 2.5.3054 was tested okay.
Your work-around to the problem with
AnyConnectLocalPolicy.xml with
works as well.
Best regards
/Mattias
10-25-2011 06:43 AM
I have had a look at
and the description does not seem to be the same.
I can mention that I have done the same tests on both windows and linux. The problem does not exist on the windows client version 3.0.4235 but only in linux.
Best regards.
/Mattias
10-25-2011 07:40 AM
Mattias,
Please understand that these issues are all new to us. We had not seen these prior to two cases that I know of opened in the same week as yours. If you wish to pursue a fix, beyond the successful workaround, for this further please open a TAC case so that we can collect the details and file another bug if needed. Please ensure that you include the workaround in your case opening notes so that the TAC engineer who gets it can note that.
-Craig