Cisco Support Community

Smart card authentication with 3000 Series VPN Concentrator


I have a group of end users using certificate-based authentication stored on smart cards to access internal resources from remote locations. The smart cards are also used to authenticate and lock users' workstations/laptops. The problem is when an end user has an IPSec tunnel established and locks his environment, the only way to log back on is to remove and reinsert the smart card to get to the PIN prompt. This effectively breaks the VPN IPSec tunnel.

VPN client documentation states, "When a smart card is removed from the system, the tunnel is now automatically torn down. This enhancement causes the tunnel to immediately drop upon removal of the smart card from the system. This is an "always on" feature."

I understand the idea here is to break the secure tunnel when credentials are removed. But in the situation I just described, are there suggestions for getting around this? Local authentication using a user/pass pair is not an option; strictly the PIN supplied on the smart card.

Perhaps the vpnclient.ini file can be modified with a string to prevent the tunnel from breaking when the smart card is removed?

Thanks for any input you may have.

