Anyconnect Macos



Many people have discussed configuring the OS X built-in VPN client to connect to Cisco VPNs in place of the AnyConnect client. However, all discussion focuses on copying critical config information (shared secret or certificate, in particular) from a PCF or Profile.xml file included in a site-specific AnyConnect installer.

The AnyConnect installer where I am now (version 4.2.01035) seems not to deploy any profile information. /opt/cisco/anyconnect/profile contains only AnyConnectProfile.xsd (a standard schema definition, not anything specific to this configuration). There’s no sign of any profile XML or PCF files that I can find in /opt/cisco, /Library, or $HOME/Library.


Overview

CU Boulder's VPN service provides a secure connection to the campus network from any location, as long as the device has an internet connection. The VPN can be used to access campus resources (e.g. Library resources, file servers) or to securely browse the Internet. The Cisco AnyConnect Secure Mobility Client provides users with a secure, private connection to the DevNet Sandbox Labs.

This matches the UI experience: there don’t seem to be any preconfigured profiles. Instead, on first launch I just get a blank VPN field in which I simply enter a hostname by hand (in this case, ucbvpn.berkeley.edu) and hit connect. This gives a login prompt including a group selection dropdown, and username and password fields. Simply entering a username and password initiates the connection in the mode specified by the given “group,” and everything works fine.

I cannot, however, figure out how this configuration can be fully transferred to the OS X native VPN client. Transferring a chosen group name from the list seemingly auto-discovered by the AnyConnect client is possible, but the OS X VPN configuration seems to also require explicitly entering either a shared secret or a certificate.


My best guess is that the Cisco client is operating in a perhaps new mode where it can negotiate directly with the server to auto-discover any necessary configuration information, and that it’s not stored on disk anywhere. Does anyone have any experience with a setup like this, or have any suggestions of what else to try?