AnyConnect password saved?

Unanswered Question
Mar 23rd, 2010

Just wondering if there is any way to configure AnyConnect to store the user's password instead of asking for it every time I try to connect to the session.

I looked on the ASA AnyConnect GP but couldn't find anything.

Let me know if it is possible.

Thanks

ksirupa Tue, 03/23/2010 - 13:59

We don't have an option for AnyConnect to remember passwords. Some alternatives:

1. Use certificate authentication and issue user certificates (either with an external CA server or using the Local CA on the ASA). Then, the user will never have to enter passwords.

2. Alternatively, enable "Auto Reconnect after Resume" in the AnyConnect profile so that AnyConnect can resume the VPN during a short loss of network connectivity or when the user roams from one wi-fi to another wi-fi, or from wi-fi to wired or 3G etc. This will remove user frustration. But they will still have to enter the username/password the first time. I use my AnyConnect in this form and typically I don't have to disconnect the VPN for 4 days.

Read the below for profile editor:

http://www.networkworld.com/community/node/43773

Thanks,

kiran

Zeek Ferraros Tue, 03/23/2010 - 15:07

Thanks for the information.

I would like to enable the "auto reconnect after resume"; how do you add this to the profile?

I've downloaded the AnyConnect profile editor but I am not sure how to do this.

Do I need to edit a profile and upload it to the ASA?

ksirupa Tue, 03/23/2010 - 22:41

Yes, all the instructions were in that network world article, including screenshots.

In short:

1. Download the profile editor from CCO

2. Select your options (including Reconnect Behavior, Server List, Local Lan Access, Remote login policy, Start Before Login etc).

3. Save the XML and upload it to the disk on ASA.

4. Create an AnyConnect profile which uses the uploaded XML file.

5. Associate the AnyConnect profile with the Group policy. Network Client Access->Group Policy-->Advanced-->SSL VPN Client->Client Profile.

After this, whenever a user establishes AnyConnect for that Group Policy, they will download the new profile.

It is very powerful once you get the hang of it. Many future features will depend on this profile, so it's worth the investment to understand this procedure in detail.

Thanks,

Kiran
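
As an added example (not part of the original posts and not Cisco code), this Python check reads a saved profile XML and reports the reconnect settings discussed above, so the file can be verified before it is uploaded to the ASA. The sample profiles are constructed; the element names `AutoReconnect` and `AutoReconnectBehavior` and the values `ReconnectAfterResume` / `DisconnectOnSuspend` are assumed from the AnyConnect profile schema, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (assumption: element names follow the
# AnyConnect profile schema; this is not a file from the thread).
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>
  </ClientInitialization>
</AnyConnectProfile>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _find(root, name):
    """Return the first descendant with the given local name, or None."""
    for el in root.iter():
        if _local(el.tag) == name:
            return el
    return None


def reconnect_settings(profile_xml):
    """Extract the reconnect-related settings from a profile document."""
    root = ET.fromstring(profile_xml)
    ar = _find(root, "AutoReconnect")
    if ar is None:
        # Not set in this profile; the client's own default applies.
        return {"auto_reconnect": None, "behavior": None, "user_controllable": None}
    behavior = _find(ar, "AutoReconnectBehavior")
    return {
        # The element's own text precedes the nested child, hence strip().
        "auto_reconnect": (ar.text or "").strip().lower() == "true",
        "behavior": (behavior.text or "").strip() if behavior is not None else None,
        "user_controllable": ar.get("UserControllable", "").lower() == "true",
    }


def resumes_after_suspend(profile_xml):
    """True only if the profile explicitly enables reconnect after resume."""
    s = reconnect_settings(profile_xml)
    return s["auto_reconnect"] is True and s["behavior"] == "ReconnectAfterResume"


if __name__ == "__main__":
    print(reconnect_settings(SAMPLE_PROFILE))
    print("reconnect after resume:", resumes_after_suspend(SAMPLE_PROFILE))
```

The check only confirms what the profile requests; the first connection still prompts for credentials, as described above.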

1. Use certificate authentication and issue user certificates (Either with external CA server or using Local CA on ASA). Then, user will never have to enter passwords.

For those Cisco customers that must follow the PCI DSS (https://www.pcisecuritystandards.org), Section 8.3 states:
8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

Thus using certificates alone would allow users to connect without prompting but does not meet the PCI requirement to use two-factor authentication. Thus we still need some way for the password to be saved to fully automate connections.

2. Alternatively, Enable "Auto Reconnect after Resume" in the AnyConnect profile so that AnyConnect can resume VPN during short network connectivity loss or when user roams from one wi-fi to other wi-fi, or from wi-fi to wired or 3G etc. This will remove user frustration. But, they will have to still enter username/password for the first time. I use my AnyConnect in this form and typically I don't have to disconnect the VPN for 4 days.


The "auto reconnection after resume" feature does not seem to work after a reboot. Thus when users must reboot for whatever reason (applying security patches for instance) the client does not automatically reconnect and thus anything depending on the VPN connection fails until a human intercedes and re-enters the password.

The bottom line is that the Cisco IPSEC client has this feature so why doesn't AnyConnect?

Thanks

Brad
