Cisco Anyconnect Keychain



This is to cover cases where the AnyConnect client attempts to collect user certificates from the keychain despite not needing to per the ASA setup.

How to enable Certificate Matching:

  1. Log in to your Cisco Adaptive Security Device Manager (ASDM).
  2. Click the Configuration tab.
  3. In the left menu, click Remote Access VPN.

Cisco AnyConnect is the recommended VPN client for Mac. The built-in VPN client for Mac is another option but is more likely to suffer from disconnects.

Overview

Stanford's VPN allows you to connect to Stanford's network as if you were on campus, making access to restricted services possible.


AnyConnect for Android supports managed configurations, which can be provisioned by MDM/EMM apps. The schema is embedded within AnyConnect's APK (in res/restrictions.xml) and can be retrieved via Google's EMM API. The schema includes detailed documentation on each field and defines a form that can be rendered by the EMM admin portal.

To provision only a single VPN configuration entry, admins may use the vpn_connection_* fields. To provision multiple VPN configurations, admins may use the vpn_configuration_list field, which is a BundleArray that may contain one or more vpn_configuration entries.

Some of the managed configuration keys are associated with dynamic tokenized values that should be populated by the EMM software.

Provisioning Client Certificates


AnyConnect supports the standard process for EMM provisioning of client certificates. vpn_keychain_cert_alias should contain the Android KeyChain alias of the certificate. When this value is present, AnyConnect will call KeyChain.choosePrivateKeyAlias to start the import (if the alias has not already been imported). Normally, this results in an OS prompt for the user to approve the request. For a more seamless user experience, the EMM app may implement onChoosePrivateKeyAlias so the user is not prompted.

Most EMM portals allow the admin to input a special tokenized value for the vpn_keychain_cert_alias field. Once the EMM app has imported the certificate into Android KeyChain, it will use the actual certificate alias in place of the special token.

Note: the value of vpn_keychain_cert_alias must match the actual KeyChain alias of the certificate. Otherwise, the user may be prompted repeatedly because AnyConnect thinks the certificate has not been imported.

To recap the process of EMM provisioning of a client certificate:

  1. EMM app obtains the certificate (e.g. via SCEP) and imports it into Android KeyChain.
  2. (Recommended) EMM app implements DeviceAdminReceiver.onChoosePrivateKeyAlias() so AnyConnect will be auto-approved to use the certificate.
  3. EMM app sets the KeyChain alias of the imported certificate into the vpn_keychain_cert_alias field of AnyConnect's managed configuration.

Provisioning Device Identifier

AnyConnect supports EMM provisioning of a device identifier that can be used for network access control or reporting, using the special tokenized value field vpn_connection_device_id. For more information about the device ID, please see this Tech Zone note.
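The three recap steps and the device identifier field, as an added example of the EMM-side code (not Cisco's code and not from any EMM vendor). It assumes the EMM app is the device or profile owner, that the SCEP enrollment has already produced the key pair and certificate, that the AnyConnect package name below is a placeholder to be verified against the installed APK, and that CERT_ALIAS and deviceId are values the admin chooses.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import java.security.PrivateKey;
import java.security.cert.Certificate;

public class VpnCertAdminReceiver extends DeviceAdminReceiver {
    // Placeholder package name: check the APK you actually deploy.
    static final String ANYCONNECT_PKG = "com.cisco.anyconnect.vpn.android.avf";
    // Alias chosen by the admin; must be identical in KeyChain and in the managed config.
    static final String CERT_ALIAS = "corp-vpn-user";

    // Step 1 (import) and step 3 (publish the alias), plus the device identifier.
    // Returns false if the key pair could not be installed, in which case nothing is
    // pushed to AnyConnect: publishing an alias that is not really in KeyChain is what
    // causes the repeated user prompts mentioned in the note above.
    static boolean provision(Context ctx, ComponentName admin, PrivateKey key,
                             Certificate cert, String deviceId) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (!dpm.installKeyPair(admin, key, cert, CERT_ALIAS)) {
            return false;
        }
        Bundle restrictions = new Bundle();
        restrictions.putString("vpn_keychain_cert_alias", CERT_ALIAS);
        restrictions.putString("vpn_connection_device_id", deviceId);
        dpm.setApplicationRestrictions(admin, ANYCONNECT_PKG, restrictions);
        return true;
    }

    // Step 2: silently approve AnyConnect's KeyChain.choosePrivateKeyAlias request.
    // Any other requesting app gets null, which leaves the normal OS prompt in place,
    // so the silent grant is scoped to the one package that should hold the VPN identity.
    @Override
    public String onChoosePrivateKeyAlias(Context ctx, Intent intent, int uid,
                                          Uri uri, String alias) {
        String[] pkgs = ctx.getPackageManager().getPackagesForUid(uid);
        if (pkgs != null) {
            for (String p : pkgs) {
                if (ANYCONNECT_PKG.equals(p)) return CERT_ALIAS;
            }
        }
        return null;
    }
}
```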


10.6: Save Cisco IPSec password in the Keychain (reader comments)

I can't find a IPSec XAuth Password entry in my keychain for my Cisco VPN in Snow Leopard. I only find the IPSec Shared Secret in my keychain.
When I connect it does not save my user password, it always says 'server will prompt for password' and it does not create a keychain item for my user password (only the shared secret). Any idea how to get it to save my password?

I believe this is defined by policy on the VPN server, and is a deliberate restriction put in by your network administrator. I have the same problem.
One way around this is to install vpnc as an alternative (see this hint), but I haven't tested if this works with Snow Leopard yet.

I've been using Shimo for some time now as an alternative front end to the awful Cisco VPN GUI and it always remembers my password. Maybe I'll just keep using it now that it has been updated for Snow Leopard. I was kind of hoping to avoid installing any 3rd party VPN software and stick with Apple's built in VPN support though. I've noticed that the Leopard Cisco VPN implementation keeps asking me for my password every few hours which is a bit of a pain. Anyways, thanks for the reply.

This isn't Apple's fault. The Cisco VPN Concentrator, PIX, or ASA to which you are connecting is probably configured to disable password saving. If the client software is designed to Cisco specs, nothing you do will enable it to save your password if the VPN server prohibits it.
The Cisco IPSec client in iPhone OS 2 was broken in such a way that it would save the password. This was fixed in iPhone OS 3, and the same fix seems to be incorporated in the Mac OS 10.6 IPSec client.
Sorry to disappoint, but after all the whole point of VPN is private network security.
---
Chip Old
BCPL.NET Internet Services

Just to let you know, Shimo will apparently ignore the server's request to always prompt the user for a password and use the password stored in the keychain. I guess this is technically a 'bug' although I'm sure most Shimo users want to keep it that way.

The hint above doesn't explain very well how to find the IPSec XAuth Password entry.

By default, Keychain Access only shows you your own keychain. If you click the expand button (triangle inside a square) at the bottom left corner of the Keychain Access window, you can show other keychains, including the System keychain. Once you're looking at the System keychain, the item you want has a Name matching your VPN, and its Kind is 'IPSec XAuth Password'. You can find it by sorting by Kind.

An easier alternative (from here) is simply to type 'xauth' in the search box at the top right corner of the Keychain Access window. (This works even if you don't have the Keychain list expanded and aren't looking at the System keychain.)

Then you can follow the rest of the instructions above to allow configd to access the password.

Has anyone found a way to import the cisco PCF file which stores the shared secret? Having our IT support group type in the shared secret manually doesn't seem like a sustainable option.

I couldn't find a way to import the .pcf file, but you can decrypt the shared secret that's in the PCF file with this site, or you can download the source code for the decryption program from the same page, compile it (on a linux box, in my case) and run the decryption locally.

So far, it doesn't support import of .pcf files. There is a way to save OS X network configs to text files similar to a .pcf. I don't know if there is any ability to encrypt the password.
Even better though is that you can use a cert. If your organization has a cert your admin can put that on their machine in a secure way then use the above option to add an appropriate vpn config that uses the cert.

I found my problem. Apple once again half-assed a 'feature': it doesn't seem to support IPSec over UDP, only IPSec over TCP.
Now I've had TWO jobs over nine years....both use the same thing and Apple has had countless updates where VPN was mentioned, yet somehow this one stinkin' connection method just doesn't make it out of their hallowed halls. Bit disappointed.
Oh and I had to go out and find the 'latest' cisco client to install just because the install broke my old one.


Others I know have simply reinstalled the version they had and didn't need the latest version. They were all on some variant of 4.9.

I opened the file in textedit and manually entered the data into the fields.


What file did you open? I'm having the same problem as the first commenter. I don't see IPSec XAuth Password in my Keychain Access under system. Thus, I am not able to modify anything.

Wow. What nitwit thought that my VPN would be more secure if they made me type my password every time? I really thought I was screwed by the 'no UDP' support thing, but it was really just that 'TQrV9yo8varLjI' was too difficult for me to type with _no_ visual feedback. What bonehead thought that you should not be allowed to see while you are typing your password? It's not like it will be left around in my teletype printout... And why, oh why, would they think that disabling paste would make things more secure? I wrote my password down anyways in the keychain -- so disabling paste didn't stop me from writing it down.
The upshot is, I've changed my password to the shortest, simplest phrase that will be accepted as a password, surely totally defeating the purpose of having a VPN in the first place.

Seems to me that the mentioned setting in Keychain is lost when you log out. Can anyone confirm this?


This does not work with 10.6.1. I set the password in keychain to allow all applications to access it, but it was still deleted upon connection, and restoring a copy of it did not make the client refer to it later. If this did work in 10.6.0, then maybe I can revert the client.
This is stupid, because Cisco's own client saves my password. The idea that you can enforce client behavior from the server is ludicrous. If your security depends on that, you're in trouble.
I'll get a saved password solution, but I'd rather use the integrated client.


I agree...This tip does not work on 10.6.1.

works for me in 10.6.2

I think Shimo 1.0.7 (the free version) works well enough for Cisco VPN:
http://code.google.com/p/shimogpl/
but I went with vpnc, which can now be successfully installed on Snow Leopard from Macports. Either way, no retyping required.
One more annoyance worked around.

I confirm it works with SL 10.6.4.

Nice! Thank you. This corrected the problem on 10.6.6.

Thanks! Works on my 10.6.7.

This trick doesn't work with Lion anymore.
The XAuth password doesn't show in Keychain anymore, but somehow I managed to get it appear for a little while (irreproducible unfortunately) but even then this trick won't work.
Anyone who knows a solution for Lion?