Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Anyconnect 3.0 & Disable Automatic Certificate selection

HI,

I want to disable automatic certificate selection in Anyconnect 3.0 in order to connect from a single host (laptop) to two different groups in ASA. These are the steps that I have followed.

1. Create two groups in ASA

2. Create maps for certificates in "Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps"

3. Connect successfully to two groups, but the problem is that when i have both certificates installed in Laptop i can't select the group i want to log in.

4. Create the following xml from VPN Local Policy Editor

<?xml version="1.0" encoding="UTF-8"?>

<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

<ClientInitialization>

<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>

<AutomaticCertSelection UserControllable="true">true</AutomaticCertSelection>

<ShowPreConnectMessage>false</ShowPreConnectMessage>

<CertificateStore>All</CertificateStore>

<CertificateStoreOverride>false</CertificateStoreOverride>

<ProxySettings>Native</ProxySettings>

<AllowLocalProxyConnections>false</AllowLocalProxyConnections>

<AuthenticationTimeout>12</AuthenticationTimeout>

<AutoConnectOnStart UserControllable="true">false</AutoConnectOnStart>

<MinimizeOnConnect UserControllable="true">true</MinimizeOnConnect>

<LocalLanAccess UserControllable="true">false</LocalLanAccess>

<ClearSmartcardPin UserControllable="true">true</ClearSmartcardPin>

<AutoReconnect UserControllable="false">true

<AutoReconnectBehavior UserControllable="false">DisconnectOnSuspend</AutoReconnectBehavior>

</AutoReconnect>

<AutoUpdate UserControllable="false">true</AutoUpdate>

<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>

<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>

<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>

<AutomaticVPNPolicy>false</AutomaticVPNPolicy>

<PPPExclusion UserControllable="false">Automatic

<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>

</PPPExclusion>

<EnableScripting UserControllable="false">false</EnableScripting>

<EnableAutomaticServerSelection UserControllable="true">false

<AutoServerSelectionImprovement></AutoServerSelectionImprovement>

<AutoServerSelectionSuspendTime></AutoServerSelectionSuspendTime>

</EnableAutomaticServerSelection>

<RetainVpnOnLogoff>false

</RetainVpnOnLogoff>

</ClientInitialization>

</AnyConnectProfile>

uploaded in ASA and added in both groups.

then connect again and in the preferences i can see that the automatic certificate selection in unchecked.

But when i disconnect and try to connect again this options dissapears and i cannot select the group i want to connect.

So i think that this option is not saved local somewhere in the Laptop,

Can anyone help me?

Is something wrong in the configuration?

Everyone's tags (3)
10 REPLIES

Re:Anyconnect 3.0 & Disable Automatic Certificate selection

Hi,

That option is in the XML profile which you know should in the profiles folder of the AnyConnect client. Once in there, if you have more than one certificate in the user store the AC client will ask you to choose.

Is this what you have?

Thanks.

Sent from Cisco Technical Support Android App

New Member

Re:Anyconnect 3.0 & Disable Automatic Certificate selection

Hi Javier,

What do you mean by "should in the profiles folder of the AnyConnect client."? Is this a folder in the Laptop? Like "

C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client" or somewhere in ASA?

Thank you

New Member

Anyconnect 3.0 & Disable Automatic Certificate selection

I am still quite confusing where to save the xml file in order to disable automatic certificate selection for Anyconnect client in Laptop. I have searched in the Cisco site but it is not clear what to do. Can anyone describes to me step by step the procdure? I think that i miss something quite simple.

Thank you

Re: Anyconnect 3.0 & Disable Automatic Certificate selection

Hi,

The file is in here:

<>\%ALLUSERSPROFILE%\Application Data\Cisco\Cisco AnyConnect VPN Client\Profile

Please keep me posted.

Thanks.

New Member

Anyconnect 3.0 & Disable Automatic Certificate selection

Hi i have allready the file there but still it does not working. it's file name is 1.xml

this is the xml file

http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">

false

false

false

All

false

Native

false

12

false

true

false

true

true

DisconnectOnSuspend

true

Automatic

SingleLocalLogon

LocalUsersOnly

false

Automatic

false

false

false

Could you please check it?

thank you

New Member

Anyconnect 3.0 & Disable Automatic Certificate selection

Here is all the path

C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Profile

and ther is a file also "AnyConnectProfile.xsd"

thank you

New Member

Anyconnect 3.0 & Disable Automatic Certificate selection

Can anyone give me the  correct path in Win7 & WinXP because i still haven't find any sollution.

Thank you

New Member

Anyconnect 3.0 & Disable Automatic Certificate selection

hi man,

did you get any solution ? because i am facing exactly the same problem.

1- on website i am able to get certification selection dialog box.

2- but on anyconnect software it does not prompt, automatically selects certificates.

i have done most of the things advised on cisco forum but can't find any solution. please share if you found any solution.

thanks.

Anyconnect 3.0 & Disable Automatic Certificate selection

Hi John,

It should work without any issues as long as the AnyConnect client has rights to access the certificate store.

Are you running the latest 3.1.x AnyConnect client or still on 3.0.x?

Are you testing with an admin account?

Thanks for your time.

New Member

Re: Anyconnect 3.0 & Disable Automatic Certificate selection

thanks javier,

i have admin rights on windows and anyconnect can access certificate store. i am using anyconnect client 3.1.

i tried so much but couldnt do it on client but on web i am getting certificate seletion manually. however on anyconnect client is able to access the certificate store i can see on debug on asa 4.8 that there are 4 certificates available on certificate store and anyconnect tries all and matches the one which is valid. so this means that it can access the certificate store.

if you need any specific debugs i can provide you that too.

thanks for replying to my issue.      

11920
Views
0
Helpful
10
Replies
CreatePlease to create content