New Member

ASA 9.1, Anyconnect 3.1, Profile for IPSEC with Smartcard (CAC)

At the end of my rope here, may as well try one more time--


I have an ASA running 9.1.x and am able to configure a remote VPN profile that works with the old Cisco VPN client (pre-anyconnect) to require use of a Smartcard to authorize the user, then use local login to authenticate, and encrypt the tunnel. On removal of Smartcard from client system, tunnel terminates.

Have not been able to get this to work with Anyconnect client 3.1.05160, tried all kinds of things, no luck. Need it as IPSEC only (no SSL at all), and require the smartcard be inserted for the connection to work. Any clue on profiles? Have got parts of it working minus the smartcard, so not completely lost. The Smartcard subsystem worked perfectly with all apps that require it, and also with old Cisco VPN client.


Thanks in advance---

Hall of Fame Super Silver

The CAC (Common Access Card) is (among other things) a place to store the user's identity certificate.

There is a TAC document for configuring AnyConnect over IKEv2 with AAA and Certificate Authentication.

Have a look at it and it should give you most everything you need in pretty good detail. If you still have questions after that, let us know. 

New Member

Marvin, Thanks for the info,



Thanks for the info, with that profile I am able to get to the username/login prompt, which I have managed to do before, BUT without any Smartcard interaction at all.

I suppose I should add that I cannot use ssl port 443 at all for this connection. I am limited to those inbound ports the old Cisco VPN client uses, namely ISAKMP (500 & 4500). The profile referenced in the link utilizes webvpn urls and client services. I cannot use a web connection at all, due to the ports being specifically blocked by an outside provider.

So I suppose the question is, how can I use client services without using webvpn, and/or is there a way to have the CAC certificate and PIN entry window come up without using client services?

Hall of Fame Super Silver

Another poster was asking not too long ago about using IKEv2 without client services. We determined it could be done if you predeploy or manually create the profiles.

The downside is you won't be able to push profile updates from the ASA as that depends on client services. (You can tell client services to run over a non-standard port but if the organizational policy is not to use https then you would still be violating that even if you did a technical hack to circumvent it.)

If you set up a certificate to connection profile map (as described in the older IPsec CAC document) I believe that would make sure your users are prompted to unlock their certificate with their PIN.

New Member

Yeah, that was me, and still have not solved the issue. Have opened a TAC case, but have still not figured out how to make it work functionally like the old Cisco VPN client. That thing works fine all day long, so as far as I can tell, the certificate reader, PIN popup and all that works for both non-VPN apps and the old Cisco client. There does not appear to be a way that I have found, to have Anyconnect work the way I need it to. Perhaps the client must have SSL access for client services, always. If that's the case, I would hope the TAC would know.