
Mac: Connect to the Stanford VPN with a Cardinal Key

Two-factor authentication will be required for Cardinal Key VPN starting March 6. Learn more about the change.

Note

  • If your device is not compliant, you will be unable to use Cardinal Key to connect to the Cisco AnyConnect VPN.
  • Security Key devices do not work in the Cisco Secure Client VPN login process. You'll need to use Duo Push or other configured methods.
  • For clients accessing restricted library resources remotely, please use either the "Stanford" or "Stanford-Full" profile when connecting to the Stanford VPN.

You can connect to the Stanford VPN using a Cardinal Key on your device to authenticate. This eliminates the need to enter your SUNet ID and password, although two-step authentication is still required.

Cardinal Key is only authorized for the Cisco Secure Client VPN client.

Two types of Cardinal Key VPN connections are available:

  • CardinalKey (split-tunnel) allows access to network resources behind the Stanford firewall via the VPN connection, but non-Stanford traffic flows normally on an unencrypted internet connection.
  • CardinalKey-Full (non-split-tunnel) encrypts all internet traffic from your computer but may inadvertently block you from using resources on your local network, such as a networked printer at home. However, this also allows access to library journals as if you were on campus.

Before you begin

Make sure you have the following installed on your device:

Connect to the Stanford VPN using a Cardinal Key for Mac

  1. Launch the Cisco Secure Client.app.
    Open your Applications folder and navigate to Cisco > Cisco Secure Client.app.
     
  2. Select su-vpn.stanford.edu and then click Connect.
  3. When prompted for the keychain password, enter your computer administrator password and then click Always Allow. You may see this prompt more than once.
  4. Next, the prompt for two-step authentication displays. Depending on your screen resolution and window placement, the Duo pop-up window may cover the profile selection window. If you do not see the profile selection window, move the Duo pop-up window out of the way (do not close it). You should then see the profile selection window. 
  5. In the Group list, select CardinalKey or CardinalKey-Full and click OK.
     

  6. For macOS Ventura (v. 13) and later users: You may see a System Extension Blocked message. Click OK to open the Security Preferences or navigate to System Preferences > Security & Privacy. Next to the message saying that system software from Cisco was blocked from loading, click Allow.
     
  7. A dialog box displays showing that the CardinalKey-VPN will be used for authentication. Click OK.
    Note: This step downloads the Cardinal Key profile for subsequent connections; it doesn't use the Cardinal Key for authentication on this connection. 


     
  8. A notice briefly appears in the menu bar to show that you are connected to the su-vpn.stanford.edu VPN.
  9. Click Disconnect to disconnect from su-vpn.stanford.edu.
  10. Launch the Cisco Secure Client app. When prompted for VPN, enter su-vpn.stanford.edu and then click Connect.
  11. From the Cisco AnyConnect client, select CardinalKey or CardinalKey-Full. Once you have successfully connected to the Stanford VPN using Cardinal Key, this becomes your default setting for subsequent connections to the VPN.

Connect to the Stanford VPN without a client certificate

If you decide that you do not want to use a Cardinal Key for authentication, you can connect to the VPN using your SUNet ID and password, followed by two-step authentication. On the VPN website, see Connect to the Stanford VPN for instructions.

 
