28

OS X asks me -- twice -- to enter my admin username and password before it will let me connect to Cisco AnyConnect VPN. This is annoying and unnecessary.

Text of the prompt:

OS X wants to make changes. Type an administrator's name and password to allow this.

OS X wants to use the "System" keychain.


How can I configure the keychain to allow Cisco VPN access without prompting unnecessarily?

Jake Toronto
  • How do I block this request that I get (3 times) before it gets to the correct cert on the smartcard? – MattPark Nov 01 '19 at 15:12

2 Answers

39

Found the answer on a Google Groups forum:

• Launch /Applications/Utilities/Keychain Access

• Select "System" from the Keychains menu in the upper left

• Select "Certificates" from the Category menu in the lower left

• Find the entry that correlates to your computer's name in the list on the right, and click on the disclosure triangle.

• Secondary click on the "Private Key" entry that appears and select "Get Info" from the contextual menu that appears.

• Select the Access Control tab.

• You can then either add AnyConnect to the list at the bottom of the screen (more secure, but you will need to repeat this process anytime the version of AnyConnect changes), or toggle the radio button to "Allow all applications to access this item".

A similar answer shows a picture but provides fewer instructions.

Jake Toronto
  • 1
    I've been looking for this answer for ages! Thanks – raed Jul 13 '18 at 08:39
  • 5
    This was very useful in pointing me to the right spot; however, for others who may be getting here, the "entry that correlates to your computer's name" was not what worked for me: in my case, adding AnyConnect to the `localhost` entry did not fix the issue; what did, was adding it to a seeming "random hex" entry. – Marco Massenzio Dec 01 '18 at 07:22
  • For me, on two computers, the causative item was under "login" (instead of "System"). Removing the item solved the problem. In both cases it appeared that AnyConnect was trying to access a private key it didn't need. Anyways, thanks for the instructions! – mathandy Nov 02 '19 at 22:12
  • 1
    I was able to give permission to the app but even after saving, the access control list got reset. "Allow all applications to access this item" also didn't work...any suggestions? – rramakrishnaa Mar 31 '20 at 20:08
  • Thank you! My first thought was to transfer from System to login keychains but this makes more sense. – SaundersB Apr 21 '20 at 13:29
  • Thanks a lot, it worked out – Amarjit Dhillon Apr 28 '21 at 07:20
  • @rramakrishnaa Getting the same thing here. Did you ever sort it out? – Travis Jan 18 '22 at 17:50
  • Yes @Travis it got fixed by upgrading to the latest version of MacOS – rramakrishnaa May 10 '22 at 11:43
1

I've had this problem for some time and none of the suggestions worked. What did work for me was changing the VPN profile (your sys admin will need to do this for you, as it's a server-side profile that gets downloaded when you connect).

The setting that made the difference was `CertificateStoreMac`. The default seems to be `All`, which causes AnyConnect to try to look in the system keychain. If you change this to `Login` it'll stop doing that and stop these login prompts. Your certificates for the server should be installed in the login keychain, as that's what happens with current AnyConnect versions when you go through VPN enrolment and download the certs and use the OTP creds.

James MV
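To see which value a downloaded profile actually carries, the check below reads `CertificateStoreMac` from a profile file. It is an added example, not part of the answer above or Cisco's own tooling: the sample profile is constructed, its element layout is an assumption, the function names are hypothetical, and treating every value other than `Login` as reaching the System keychain is an assumption based on the answer.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the page); the element layout is assumed.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreMac>Login</CertificateStoreMac>
  </ClientInitialization>
</AnyConnectProfile>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def certificate_store_mac(profile_xml):
    """Return (value, explicit) for the profile's CertificateStoreMac setting.

    When the element is missing or empty, fall back to 'All', which the
    answer above reports as the apparent default, and set explicit=False.
    """
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        if local_name(elem.tag) == "CertificateStoreMac":
            value = (elem.text or "").strip()
            if value:
                return value, True
    return "All", False


def touches_system_keychain(profile_xml):
    """True unless the profile restricts certificate lookup to the login keychain."""
    value, _ = certificate_store_mac(profile_xml)
    return value.lower() != "login"


if __name__ == "__main__":
    # Usage: python3 check_profile.py <profile.xml> [...]; no arguments runs the sample.
    docs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {"<sample>": SAMPLE_PROFILE}
    for name, doc in docs.items():
        value, explicit = certificate_store_mac(doc)
        origin = "set in profile" if explicit else "not set, assumed default"
        verdict = "may prompt for System keychain" if touches_system_keychain(doc) else "login keychain only"
        print(f"{name}: CertificateStoreMac={value} ({origin}) -> {verdict}")
```
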