
Mac: Connect to the Stanford VPN with a Cardinal Key

Non-Stanford devices that are managed by BigFix and compliant can use a Cardinal Key.

You can connect to the Stanford VPN using a Cardinal Key on your device to authenticate. This eliminates the need to enter your SUNet ID, password, and authentication method for two-step authentication.

You'll need to use the Cisco AnyConnect VPN client to connect to the Stanford VPN with a Cardinal Key.

Two types of Cardinal Key VPN connections are available:

  • CardinalKey-VPN (split-tunnel) allows access to anything at stanford.edu via the VPN connection, but non-Stanford traffic flows normally on an unencrypted internet connection.
  • CardinalKey-FullTraffic (non-split-tunnel) encrypts all internet traffic from your computer but may inadvertently block you from using resources on your local network, such as a networked printer at home. This also allows access to library journals as if you were on campus.

Before you begin

Make sure you have the following installed on your device:

Connect to the Stanford VPN using a Cardinal Key for Mac

  1. Launch the Cisco AnyConnect Secure Mobility Client.app.
    Open your Applications folder and navigate to Cisco > Cisco AnyConnect Secure Mobility Client.app.
     
  2. Select su-vpn.stanford.edu and then click Connect.

  3. When prompted for the keychain password, enter your computer administrator password and then click Always Allow. You may see this prompt more than once.

  4. In the Group list, select CardinalKey-VPN or CardinalKey-FullTraffic and click OK.

  5. For macOS High Sierra (v. 10.13) and later users: You may see a System Extension Blocked message. Click OK to open the Security Preferences or navigate to System Preferences > Security & Privacy. Next to the message saying that system software from Cisco was blocked from loading, click Allow.

  6. A dialog box displays showing that the CardinalKey-VPN will be used for authentication. Click OK.
    Note: This step downloads the Cardinal Key profile for subsequent connections; it doesn't use the Cardinal Key for authentication on this connection.

  7. A notice briefly appears in the menu bar to show that you are connected to the su-vpn.stanford.edu VPN.

  8. Click Disconnect to disconnect from su-vpn.stanford.edu.

  9. From the Cisco AnyConnect client, select CardinalKey-VPN or CardinalKey-FullTraffic.
    Once you have successfully connected to the Stanford VPN using a Cardinal Key, this becomes your default setting for subsequent connections to the VPN.
     


  10. A notice briefly appears in the menu bar to show that you are connected to the VPN with a Cardinal Key.


Connect to the Stanford VPN without a client certificate

If you decide that you do not want to use a Cardinal Key for authentication, you can connect to the VPN using your SUNet ID and password, followed by two-step authentication. On the VPN website, see Connect to the Stanford VPN for instructions.

 

Last modified February 14, 2019