topic Re: I try to use AnyConnect as in Network Access Control

Anyconnect NAM vs windows native client

wkw.domain1 — Mon, 11 Mar 2019 06:20:36 GMT

Hi all,

I would like to get your expert opinion on anyconnect NAM vs windows native client

We are planning to deploy CISCO ISE with anyconnect NAM as the supplicant. Proposed method of authentication is EAP-FAST with both machine and user authentication. A custom ACL will be applied to each port after successful authentication.

However there is another option which seems to be much simpler than the above, which is to use the windows native supplicant. I understand that windows client does not have same features as anyconnect but following is what I am planning to configure.

• Use the windows client to authenticate only the machine using EAP-TLS
(Each windows machine has a certificate issued by internal CA)
• Offload the user authentication to the next generation firewall that we already have

Offloading user access control to firewall is much more secure as the switch is not a proper security device. Also, I notice that its much more easier to get the native client working than the anyconnect.
It may be due to native client and the OS understand each other well.

However one of my concerns is that CISCO strongly recommends to use the anyconnect client due its rich feature set and convenience in troubleshooting. But in our network, we dont really need the features like EAP-chaining, MACsec.

What are your thoughts on this?
I am interested to know about the native client behavior in production networks ?

I have done many ISE

nspasov — Wed, 23 Dec 2015 22:31:47 GMT

I have done many ISE deployments and designs and only a handful of them used the AnyConnect NAM over the native supplicant. Here are the issues with it:

1. It is one more piece of software that you need push and keep updated to your workforce machines

2. Bugs. I have seen a fair share of bugs related to the supplicant causing issues

3. Cost. With AnyConnect 4 the cost of the client is no longer free

4. The client is not available for OSX (Not-Cisco's fault but still something to keep in mind)

With that being said, if you do want to use EAP-TEAP aka EAP-Chaining then the only option that you have is to use the AnyConnect supplicant.

I hope this helps!

Thank you for rating helpful posts!

I try to use AnyConnect as

Marvin Rhoads — Thu, 24 Dec 2015 16:45:36 GMT

I try to use AnyConnect as the supplicant more often than not with my ISE deployments.

Besides the supplicant functionality (Network Access Module) that allows for EAP chaining, it also enforces that a client must be exclusively connected to a single network. It requires a client use one of the configured networks if it is available. Overall it lets you lock down things a bit more. Yes there are other ways to do all of that; but you're more on your own if you want to roll that way.

Enforcing policy on your firewall is fine for as far as it goes but what about policy within your network? Having the user identity of the current session enables a lot more granularity and dynamic authorization. It also opens the door for you to be able to do things like Trustsec Security Group Tags (SGTs).

And then there's the ISE Posture Module... (and the brand new Network Visibility Module)

Hi Neno and Marvin,

wkw.domain1 — Wed, 30 Dec 2015 00:31:35 GMT

Hi Neno and Marvin,

Thanks both for your informative responses. Really appreciate it.

Few reasons I am inclined towards the windows client are;
• We don’t really need EAP-chaining in our environment
Because we’ve got a Next Gen firewall with User-ID enabled which inspects the traffic within the corporate network as well. So the firewall will restrict access from client to server based on user ID if required.
• Frequent drive mapping errors at logon
We noticed that windows is unable to connect to network drives at the the logon (shows the pop up message “could not connect to all the drives”). This was not observed with with the native client at all. I think the reason is that the native client is tightly integrated with the OS so windows know exactly when to connect network drives. However this could be a timing thing in anyconnect
• Issues with remote desktop access when user authentication is enabled
• Having to spend time on routine version updates

Marvin,
One thing I am not clear is your remark about enforcing the client to be connected to a single network. Can you please clarify this and provide any reference documents ?

Once again thanks for your valuable feedback.

Clarifying as you requested:

Marvin Rhoads — Wed, 30 Dec 2015 00:48:32 GMT

Clarifying as you requested:

"Network Access Manager overrides Windows network management. Therefore, after installing the Network Access Manager, you cannot use the network status icon to connect to networks"

(source)

"The AnyConnect Network Access Manager provides superior connectivity features. Administrators can control which networks or resources that endpoints can connect to."

(source)

Hope that helps.

The Cisco NAM Supplicant /

netwerk — Wed, 09 Mar 2016 19:39:03 GMT

The Cisco NAM Supplicant / Posture module is for machines that do not use any other types of CND suites. We found that ActivClient 6.2 and 7 interferes with the NAM client when using EAP-TLS CAC authentication. No Certificate Error Can be reproduced. Also, NAM client does not like multiple CAC readers with CAC's in the reader. My vote - EAP-Chaining is nice...but use the Windows supplicant when possible if you are running CND suites like McAfee HIPS/VSE and ActivClient.

Just remember to lookout for Windows patches breaking DOT1x.

Re: I try to use AnyConnect as

kaizen — Thu, 09 Apr 2020 11:49:17 GMT

Sorry to reply in an old post but this topic seems relevant today.

Do you think the situation is still the same in 2020 regarding the benefits of Anyconnect NAM vs windows native supplicant?

I am doing a small deployment and probably will use the native supplicant as anyconnect NAM requires licensing from what I read. However I am wondering regarding ISE posture - is the NAM module required for Posture? Also if I want to do 802.1x machine authentication for users connecting via anyconnect is it possible to be done with the windows native supplicant?

Thanks in advance 🙂

Re: I try to use AnyConnect as

Marvin Rhoads — Thu, 09 Apr 2020 15:29:26 GMT

ISE Posture doesn't require NAM.

You can use the native supplicant for machine certificate authentication. Also for user authentication (certificate or username). You just cannot do both at once, AKA EAP-chaining (currently - Microsoft is supposed to be releasing EAP-TEAP support soon). So you have to trust one or the other for a given authentication session.

Re: I try to use AnyConnect as

MohammadQasimMurad56785 — Thu, 21 May 2020 17:15:02 GMT

Hello ,

Regarding your statement "ISE Posture doesn't require NAM." do you happen to have any official link or document to refer to this ?? i actually need to show it to higher management in my company as final decision on either to install NAM or go with windows native client, will be theirs.

also once we install NAM , there is no way to stop it from controlling windows network manager ?? or can this be achieved with tweaking windows registry ??

Your prompt response will be highly appreciated.

Thanks

Re: I try to use AnyConnect as

MALi-786 — Thu, 21 May 2020 17:57:58 GMT

Hi,

I am using anyconnect client 4.7 without NAM and posture is working fine.
you can also install NAM if you want and you can allow/deny network settings in profile. It’s easy.

let me know if you need any help.

Re: I try to use AnyConnect as

MohammadQasimMurad56785 — Thu, 21 May 2020 18:33:34 GMT

Hi, some of our end users will not be using Anyconnect VPN , so will need to push only NAM for them,which is not the ideal case, so it is certain that we can use posture assessment without NAM ?

Re: I try to use AnyConnect as

MALi-786 — Thu, 21 May 2020 20:17:55 GMT

Hi,

you don’t want to use anyconnect nor NAM so I don’t think posture will work anyway.

I think for such cases you can use machine and user authentication only.

Re: I try to use AnyConnect as

MohammadQasimMurad56785 — Thu, 21 May 2020 21:25:29 GMT

without NAM, it will be user OR machine authentication ? right ?
user AND machine authentication will require NAM ??

Re: I try to use AnyConnect as

Damien Miller — Thu, 21 May 2020 23:09:51 GMT

For now, ISE 2.7 introduces the support for EAP-TEAP, and Microsoft will introduce public windows 10 support for EAP-TEAP at the end of this month (expected 2xxx update release). EAP-TEAP supports both user + machine auth in the same way NAM has until now with EAP chaining functionality.

But back to the question you had here, posture without AnyConnect and NAM is possible. But the posture module is the most robust solution we have.
This document outlines the ISE posture types, agent and agentless.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010110.html#Posture_Types

Re: I try to use AnyConnect as

Marvin Rhoads — Fri, 22 May 2020 10:05:32 GMT

As noted in the link that @Damien Miller provided, the temporal agent is available for ISE Posture checking and enforcement without requiring NAM. It's not as full-featured; but it does work fine within the parameters it supports.

Re: Anyconnect NAM vs windows native client

BrianODonnell35525 — Fri, 24 Jul 2020 07:09:40 GMT

IMO AnyConnect is the better option of the two.

Disadvantage of AnyConnect NAM pushing out the software and maintaining the configuration.xml files is a big knowledge curve for the entire IT from SCCM admins to Service Desk. There can be extreme one off in random issues if AnyConnect was installed while Antivirus/malware services are running. However BP says to have AV/AM turned off. I typically have to make 2 registry edits to have RDP behave the same prior to AnyConnect. You cannot use the native windows network which is usually a common issues with users, but there is a 3rd registry edit you can do to hide this.

Disadvantages of win10 native suppliant machine authentication does not provide the security requirements due to the fact it only happens when a user is not logged into the machine. Most users, more so for desktops, do not log off/restart their machines at the end of the day. For laptops when going from Wired to Wireless or vice versa Single Sign on does not work. Microsoft breaks this way more than cisco breaks AnyConnect. Also Microsoft introduces more vulnerabilities requiring patching than Cisco AC NAM which leads to the reason they break this more. No fault to Microsoft because they are dealing with an entire OS while Cisco AC NAM is just an application doing a specific job. There are more one off issues that arise due to certain models coupled with patches. You are limited to what authentication frameworks you can use. It requires you to configure the Wired and Wireless separately.

Benefits of Windows 10 native supplicant are that it's easier to convince a customer to go this route. You do not have to install an application. Lastly users are more familiar with it.

Benefits of AC NAM added security through the use of corporate wireless. You can configured both wired and wireless settings through one configuration.xml file. Eap chaining is the only true user and machine auth out there where machine auth happens every time. Single-sign on works perfectly from wired to wireless. You can control what format the username and hostname comes in as. With DART installed you have all the Shoot files you'll ever need to diagnose a problem. Though the use of configuration.xml files you maintain a change version.

Small AC NAM benefits are you can order all your wireless networks in terms of preference, you can update the settings without having to forget the network or fail a login. It displays your IP address on the NAM window which is great for service desk when working with a user. Lastly NAM has logs in its settings that are great for basic troubleshooting.

Re: I try to use AnyConnect as

kaizen — Mon, 27 Jul 2020 07:03:46 GMT

@kaizen wrote:
...However I am wondering regarding ISE posture - is the NAM module required for Posture? Also if I want to do 802.1x machine authentication for users connecting via anyconnect is it possible to be done with the windows native supplicant?

Here actually what I meant is if it is possible to do machine authentication (by checking membership of the AD domain) with the Posture module when connecting with Anyconnect VPN. Apparently at the moment it is not possible. I found a forum thread for a registry check but it seems not very secure. I suppose if a machine authentication is required Anyconnect vpn with certificate authentication is the right option.

Re: Anyconnect NAM vs windows native client

paul_dmitri — Mon, 26 Sep 2022 03:04:44 GMT

You can automate the config.xml files distribution and anyconnect updates from the ASA. Also integrate windows radius server with the ASA to automate and link everything.

Re: Anyconnect NAM vs windows native client

felipe.bsilva — Thu, 11 Jul 2024 20:51:36 GMT

In this material there is a simple comparison, but it can help to understand the main differences. But recently, with the improvement of OSs, there are few differences.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-2430.pdf

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-2660.pdf