Cisco AnyConnect, Certificate Auth, and Admin Prompts


Requiring certificate auth to your ASA for VPN? Then this prompt in AnyConnect probably looks familiar, and it results in too many calls to the help desk.

[image: anyconnectprompt.png]


Unless AnyConnect knows which certificate it needs, it is going to go gangbusters through your keychain looking for one, and it will prompt for local administrative rights at every usable certificate whose private key it tries to read.

There are two ways to handle this:

1) Preferred - Push out an AnyConnect profile from the ASA that includes a certificate match. AnyConnect documentation here, but the idea is that AnyConnect will look for a unique attribute in your VPN certificate and only try the certificates that match.

You can match on any of the following criteria:

  • CN—Subject Common Name 
  • C—Subject Country 
  • DC—Domain Component 
  • DNQ—Subject Dn Qualifier 
  • EA—Subject Email Address 
  • GENQ—Subject Gen Qualifier 
  • GN—Subject Given Name 
  • I—Subject Initials 
  • L—Subject City 
  • N—Subject Unstruct Name 
  • O—Subject Company 
  • OU—Subject Department 
  • SN—Subject Sur Name 
  • SP—Subject State 
  • ST—Subject State 
  • T—Subject Title 
  • ISSUER-CN—Issuer Common Name 
  • ISSUER-DC—Issuer Component 
  • ISSUER-SN—Issuer Sur Name 
  • ISSUER-GN—Issuer Given Name 
  • ISSUER-N—Issuer Unstruct Name 
  • ISSUER-I—Issuer Initials 
  • ISSUER-GENQ—Issuer Gen Qualifier 
  • ISSUER-DNQ—Issuer Dn Qualifier 
  • ISSUER-C—Issuer Country 
  • ISSUER-L—Issuer City 
  • ISSUER-SP—Issuer State 
  • ISSUER-ST—Issuer State 
  • ISSUER-O—Issuer Company 
  • ISSUER-OU—Issuer Department 
  • ISSUER-T—Issuer Title 
  • ISSUER-EA—Issuer Email Address


2) Stage a ~/.anyconnect file. You might want to stage this anyway to autofill the server address, but here you can also tell AnyConnect which certificate to use by its SHA-1 thumbprint. I'm assuming that the VPN certificate is installed in the user's login keychain.

Import your certificate and private key, granting the AnyConnect application access to the key (the -T flag) so that it can use the key without a keychain prompt. In addition, on macOS Sierra you need to modify the key's partition ID list to hide the "Allow/Deny" prompt (I'll expand on this in another blog post).

#Get macOS version as major and minor; the partition-list step only applies to 10.12 (Sierra) or newer
OS_VERS=$(sw_vers -productVersion)
OS_MAJ_VERS=$(printf '%s' "$OS_VERS" | cut -d "." -f1)
OS_MIN_VERS=$(printf '%s' "$OS_VERS" | cut -d "." -f2)

#Import certificate and key into the default (login) keychain; -T lets AnyConnect use the key without prompting
security import /PATH/TO/VPN_CERTIFICATE -P "$VPN_CERTIFICATE_PASSWORD" -T "/Applications/Cisco/Cisco AnyConnect Secure Mobility Client.app"

#Set key partition list for AnyConnect if OS 10.12 or newer.
#The cdhash is the code directory hash of the installed AnyConnect app (codesign -dvv prints it; it changes with the AnyConnect version),
#and -k takes the login keychain password, not a certificate hash.
if [ "$OS_MAJ_VERS" -gt 10 ] || { [ "$OS_MAJ_VERS" -eq 10 ] && [ "$OS_MIN_VERS" -ge 12 ]; }; then
security set-key-partition-list -S apple-tool:,apple:,cdhash:5f29a0a1780a52e5a9e83bac2962d49b3f23eb0a -l "$VPN_CERTIFICATE_NAME" -k "$KEYCHAIN_PASSWORD"
fi


Grab the SHA-1 hash of your certificate:

security find-certificate -c "$VPN_CERTIFICATE_NAME" -Z | grep 'SHA-1' | awk '{print $3}'

Take that value (newer macOS versions also print a SHA-256 line, which is why the grep is for SHA-1 specifically) and create an XML file located at ~/.anyconnect:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectPreferences>
<DefaultUser></DefaultUser>
<DefaultSecondUser></DefaultSecondUser>
<ClientCertificateThumbprint>$VPN_CERTIFICATE_SHA1_HASH</ClientCertificateThumbprint>
<ServerCertificateThumbprint></ServerCertificateThumbprint>
<DefaultHostName>$VPN_SERVER_HOSTNAME</DefaultHostName>
<DefaultHostAddress></DefaultHostAddress>
<DefaultGroup></DefaultGroup>
<ProxyHost></ProxyHost>
<ProxyPort></ProxyPort>
<SDITokenType>none</SDITokenType>
<ControllablePreferences></ControllablePreferences>
</AnyConnectPreferences>
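The thumbprint lookup and the preferences file above are the two halves of one staging step, so here is the whole thing as a single POSIX shell script. This is an added example, not code from the original post: it looks the certificate up by label, refuses to write the file unless the lookup yields a well-formed 40-hex-digit SHA-1 thumbprint (an empty thumbprint would silently put AnyConnect back into the prompt-per-certificate behaviour), validates the hostname so nothing unescaped lands in the XML, and writes ~/.anyconnect with owner-only permissions. The function names, the argument order and the certificate label are assumptions; the security command itself only exists on macOS.

```shell
#!/bin/sh
# Added example: stage ~/.anyconnect so AnyConnect uses one specific client
# certificate. Function and argument names are this example's own, not AnyConnect's.
set -eu

# Look up the SHA-1 thumbprint of a certificate by label in the user's default keychain.
# Matches only the SHA-1 line, since newer macOS versions also print a SHA-256 line.
cert_sha1() {
    security find-certificate -c "$1" -Z | awk '/^SHA-1 hash:/ {print $3}'
}

# Normalize a thumbprint to 40 uppercase hex digits (strips spaces and colons).
# Returns 1 for anything else, including the empty string a failed lookup yields.
normalize_sha1() {
    t=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ' :')
    case "$t" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ ${#t} -eq 40 ] || return 1
    printf '%s' "$t"
}

# Render the AnyConnectPreferences document with the same element set as the post's example.
# The hostname is restricted to characters that need no XML escaping.
render_anyconnect_prefs() {
    thumb=$1
    host=$2
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "render_anyconnect_prefs: bad hostname '$host'" >&2; return 1 ;;
    esac
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<AnyConnectPreferences>' \
        '<DefaultUser></DefaultUser>' \
        '<DefaultSecondUser></DefaultSecondUser>' \
        "<ClientCertificateThumbprint>$thumb</ClientCertificateThumbprint>" \
        '<ServerCertificateThumbprint></ServerCertificateThumbprint>' \
        "<DefaultHostName>$host</DefaultHostName>" \
        '<DefaultHostAddress></DefaultHostAddress>' \
        '<DefaultGroup></DefaultGroup>' \
        '<ProxyHost></ProxyHost>' \
        '<ProxyPort></ProxyPort>' \
        '<SDITokenType>none</SDITokenType>' \
        '<ControllablePreferences></ControllablePreferences>' \
        '</AnyConnectPreferences>'
}

# Look the certificate up, validate, and write the preferences file (default ~/.anyconnect).
write_anyconnect_prefs() {
    label=$1
    host=$2
    dest=${3:-$HOME/.anyconnect}
    raw=$(cert_sha1 "$label")
    thumb=$(normalize_sha1 "$raw") || {
        echo "write_anyconnect_prefs: no SHA-1 thumbprint found for certificate '$label'" >&2
        return 1
    }
    render_anyconnect_prefs "$thumb" "$host" > "$dest"
    chmod 600 "$dest"
}

# Usage: sh stage_anyconnect.sh "<certificate label>" vpn.example.com [/path/to/.anyconnect]
# (only runs when arguments are given, so the functions can also be sourced)
if [ $# -ge 2 ]; then
    write_anyconnect_prefs "$1" "$2" "${3:-$HOME/.anyconnect}"
fi
```

Run it as the user whose keychain holds the certificate, after the import and partition-list steps above; if the label matches more than one certificate, security prints several SHA-1 lines, normalize_sha1 rejects the concatenated result, and the script fails rather than picking one at random, which is the point at which you want to tighten the label.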