
OS X asks me -- twice -- to enter my admin username and password before it will let me connect to Cisco AnyConnect VPN. This is annoying and unnecessary.

Text of the prompt:

OS X wants to make changes. Type an administrator's name and password to allow this.

OS X wants to use the "System" keychain.


How can I configure the keychain to allow Cisco VPN access without prompting unnecessarily?

2 Answers

Found the answer on a Google Groups forum:

• Launch /Applications/Utilities/Keychain Access

• Select "System" from the Keychains menu in the upper left

• Select "Certificates" from the Category menu in the lower left

• Find the entry that correlates to your computer's name in the list on the right, and click on the disclosure triangle.

• Secondary click on the "Private Key" entry that appears and select "Get Info" from the contextual menu that appears.

• Select the Access Control tab.

• You can then either add AnyConnect to the list at the bottom of the screen (more secure, but you will need to repeat this process anytime the version of AnyConnect changes), or toggle the radio button to "Allow all applications to access this item".

A similar answer shows a picture but provides fewer instructions


I've had this problem for some time and none of the suggestions worked. What did work for me was changing the VPN profile (your sys admin will need to do this for you, as it's a server-side profile that gets downloaded when you connect).

The setting that made the difference was CertificateStoreMac; the default seems to be All, which causes AnyConnect to try to look in the system keychain. If you change this to Login, it'll stop doing that and stop these login prompts. Your certificates for the server should be installed in the login keychain, as that's what happens with current AnyConnect versions when you go through VPN enrolment and download the certs and use the OTP creds.

James MV
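Added example (not part of either answer and not Cisco's code): a short Python check of which keychain store a downloaded AnyConnect profile selects on macOS, so you can confirm whether the CertificateStoreMac change described above has reached the client. The sample profile is constructed; the element's placement under ClientInitialization, the XML namespace and the "System" value are assumptions about the profile format rather than details from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the page); only the relevant elements are shown.
SAMPLE_PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreMac>{store}</CertificateStoreMac>
  </ClientInitialization>
</AnyConnectProfile>
"""

# Per the second answer, a profile that does not set the value behaves like "All".
DEFAULT_STORE = "All"
# Stores that make the client read the System keychain, which is what raises
# the administrator prompt. "System" is an assumed value; "All" is from the page.
SYSTEM_STORES = {"all", "system"}


def local_name(tag):
    """Strip the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def mac_cert_store(profile_xml):
    """Return the effective CertificateStoreMac value of a profile."""
    root = ET.fromstring(profile_xml)
    for elem in root.iter():
        if local_name(elem.tag) == "CertificateStoreMac":
            value = (elem.text or "").strip()
            return value or DEFAULT_STORE  # empty element falls back to default
    return DEFAULT_STORE  # element missing entirely


def uses_system_keychain(profile_xml):
    """True if the profile directs the client to the System keychain."""
    return mac_cert_store(profile_xml).lower() in SYSTEM_STORES


if __name__ == "__main__":
    for store in ("All", "Login"):
        profile = SAMPLE_PROFILE.format(store=store)
        print(store, "-> system keychain consulted:", uses_system_keychain(profile))
```
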