
Prevent caching of credentials on Cisco AnyConnect VPN

nfinter
Level 1

I am trying to configure the Cisco AnyConnect VPN client to not cache user credentials after logging in.

 

I am making this change on macOS 10.13.3 (High Sierra). The version of the client is 3.1.06078.

 

I have followed the steps in the Cisco AnyConnect Administrator Guide to edit the AnyConnectLocalPolicy file. I have set the parameter for RestrictPreferenceCaching to "Credentials" per the guide. 

AnyConnect Administrator Guide

I have found the local policy file is in .XMD format not .XML per the guide. I checked the file on a Windows PC and found it has both .XML and .XMD files. However, even after editing the RestrictPreferenceCaching parameter on both of those files the credentials are still cached.

 

Does anyone have any ideas why the change to the local policy file does not prevent the caching of credentials?

8 Replies

Francesco Molino
VIP Alumni

Hi

 

Did you look anyconnect or reboot the machine? 

Sometimes you need to login and logout once after modifying the file and at the 2nd login it works.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the response Francesco.

I have tried rebooting the machine after editing the file and have logged in/out multiple times to no avail.

 

I tried uninstalling AnyConnect, completely removed the /opt/cisco/anyconnect folder and restarted the computer. Then re-installed the client and my credentials are still cached.

Are you familiar with where the credentials get stored? 

I don't remember; I need to find out.

I've tested the solution I gave you by connecting at least once and then disconnecting, and on the next connection you are going to find the username field empty.

 

Attached my xml config


Thanks
Francesco

Interestingly, the contents of your LocalPolicy file are very different from mine. I have attached mine for comparison.

 

Regardless, I tried replacing my LocalPolicy file with the one you attached (replaced the RestrictPreferenceCaching parameter "False" with "Credentials") but I am still seeing my credentials cached.

I have tried connecting, disconnecting and then reconnecting. I have also tried connecting, disconnecting, restarting the Mac and then reconnecting but still see my credentials cached.

 

Hi

What you shared is your xsd file, not the xml. This has to be kept as is, and you must have another xml like the one I shared with you.

Thanks
Francesco

Oddly enough I only had the .xmd file present, I did not have an .xml file by default. Is that typical on macOS? I have both .xml and .xmd files on my Windows PC.

 

I copied the .xml file you provided (after changing the RestrictPreferenceCaching parameter to "credentials") and kept the .xmd file but it hasn't changed the behaviour unfortunately. 

 

I was able to get it working, but have no idea why. 

I opened "/opt/cisco/anyconnect/profile/custom1.xml" and manually removed the server address under <ServerList>. When I connect again the server address is still present but the username has been forgotten. 

 

Bizarre but I've got it in the state that I wanted it. Thanks for your suggestions Francesco.  

Glad it's working

 

You're welcome


Thanks
Francesco
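The thread turns on two questions: whether the file being edited is the local policy XML or its XSD schema, and what RestrictPreferenceCaching is actually set to. The Python check below answers both for a given file; it is an added example, not part of the thread or of Cisco's tooling. The sample documents are constructed, and the values other than "Credentials" that it treats as restricting credential caching are an assumption taken from the AnyConnect local policy documentation.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: besides "Credentials" (the value used in the thread), these
# documented values also stop the user name from being cached.
CREDENTIAL_RESTRICTING = {"credentials", "credentialsandthumbprints", "all"}


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def check_local_policy(xml_data):
    """Classify a local policy file. Returns a (status, detail) tuple."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        return ("invalid-xml", str(exc))
    name = local_name(root.tag)
    if name == "schema":
        # The XSD only describes the format; edits to it change nothing.
        return ("schema-file", "XSD schema, not the policy itself")
    if name != "AnyConnectLocalPolicy":
        return ("not-a-policy", name)
    for elem in root.iter():
        if local_name(elem.tag) == "RestrictPreferenceCaching":
            value = (elem.text or "").strip()
            if value.lower() in CREDENTIAL_RESTRICTING:
                return ("restricted", value)
            return ("caching-allowed", value)
    return ("setting-missing", "RestrictPreferenceCaching not present")


# Constructed sample inputs (not the files attached in the thread).
SAMPLE_POLICY = """<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/">
  <RestrictPreferenceCaching>Credentials</RestrictPreferenceCaching>
</AnyConnectLocalPolicy>"""
SAMPLE_SCHEMA = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="AnyConnectLocalPolicy"/>
</xs:schema>"""

if __name__ == "__main__":
    # Usage: python check_policy.py <path to the local policy file>
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_local_policy(fh.read()))
```

A "schema-file" result means the edit went into the schema rather than the policy, which matches the situation described in the replies above.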