Skip to content Skip to site navigation

Mac: Connect to the Stanford VPN with a Cardinal Key

Non-Stanford Devices that are managed by BigFix/VLRE and are compliant can use Cardinal Key to sign into VPN without multifactor authentication. 

Note: If your device is not compliant, you will be unable to use Cardinal Key to connect to the Cisco Secure Client VPN.

You can connect to the Stanford VPN using a Cardinal Key on your device to authenticate. This eliminates the need to enter your SUNet ID, password, and authentication method for two-step authentication.

Cardinal Key is only authorized for the Cisco Secure Client VPN client

Two types of Cardinal Key VPN connections are available:

  • CardinalKey-VPN (split-tunnel) allows access to network resources behind the Stanford firewall via the VPN connection but non-Stanford traffic flows normally on an unencrypted internet connection.
  • CardinalKey-FullTraffic (non-split-tunnel) encrypts all internet traffic from your computer but may inadvertently block you from using resources on your local network, such as a networked printer at home. However, this also allows access to library journals as if you were on campus.

Before you begin

Make sure you have the following installed on your device:

Connect to the Stanford VPN using a Cardinal Key for Mac

  1. Launch the Cisco Secure
    Open your Applications folder and navigate to Cisco > Cisco Secure
  2. Select and then click Connect.
  3. When prompted for the keychain password, enter your computer administrator password and then click Always Allow. You may see this prompt more than once.
  4. In the Group list, select Cardinal Key-VPN or CardinalKey-FullTraffic and click OK.

  5. For macOS Big Sur (v. 10.11) and later users: You may see a System Extension Blocked message. Click OK to open the Security Preferences or navigate to System Preferences > Security & Privacy. Next to the message saying that system software from Cisco was blocked from loading, click Allow.
  6. A dialog box displays showing that the CardinalKey-VPN will be used for authentication. Click OK.
    Note: This step downloads the Cardinal Key profile for subsequent connections; it doesn't use the Cardinal Key for authentication on this connection.

  7. A notice briefly appears in the menu bar to show that you are connected to the VPN.
  8. Click Disconnect to disconnect from
  9. From the Cisco AnyConnect client, select CardinalKey-VPN or CadinalKey-FullTraffic.
    Once you have successfully connected to the Stanford VPN using a Cardinal Key, this becomes your default setting for subsequent connections to the VPN.

Connect to the Stanford VPN without a client certificate

If you decide that you do not want to use a Cardinal Key for authentication, you can connect to the VPN using your SUNet ID and password, followed by two-step authentication. On the VPN website, see Connect to the Stanford VPN for instructions.


Last modified March 15, 2024