cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1293
Views
2
Helpful
5
Replies

AnyConnect 4.10.x and Single sign on Problems

mehdimoujib
Level 1
Level 1

Hi Community,

I'm facing issues with anyconnect 4.10 in windows 11 computer. (Anyconnect Secure Mobility Client)

I have configured a file profile "configuration.xml" in attached file (rename in.txt) with Network Access Manager profile Editor and push it to the Client Directory cisco/Cisco AnyConnect Secure Mobility Client/Network Access Manager/System.

 

As you can see in attached file "the single sign on is configured for user credentials"

Nevertheless when the user open his session, a connexion popup (login/password) appears on user's computer side.

Have you already heard about this problem. What should i check? how can i fixe the issue?

 

Thanks you very much for your help.

Best regards

1 Accepted Solution

Accepted Solutions

What do you mean by "via SSO"?  Do you mean some just using cached Windows user credentials?  

What exact problems with the native Windows solution?  When was the last time you tested it?  The supplicant has been extremely reliable in my experience on Windows 10 and 11.  Before those versions, not so much.

"to use the same user session authentication data" Why? Why not migrate to certificates using EAP-TLS or TEAP?

Credential Guard is probably your issue.  You must disable credential guard on Windows 11 if you are wanting to use PEAP.  Microsoft (correctly since the encryption used by PEAP is broken) blocked automatically being able to reference Active Directory username/password from both the native and 3rd party supplicants (among other pieces within Windows).  This is one of the other reasons you should consider migrating to a certificate based authentication method.

View solution in original post

5 Replies 5

What is your use-case for the NAM module at all?  Why not use the native Windows supplicant?  Why use username/password at all?  Why not certificate based authentication?  Is credential guard enabled on the Windows device?

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/anyconnect-secure-mobility-client-v4x-eol.html

Hello ahollifield,

What is your use-case for the NAM module at all?
we use NAM to control access to the company network via SSO with the same session authentication data

Why not use the native Windows supplicant?
We encountered problems with the native Windows solution


Why use username/password at all?
to use the same user session authentication data

Is credential guard enabled on the Windows device?
yes it is activated

What do you mean by "via SSO"?  Do you mean some just using cached Windows user credentials?  

What exact problems with the native Windows solution?  When was the last time you tested it?  The supplicant has been extremely reliable in my experience on Windows 10 and 11.  Before those versions, not so much.

"to use the same user session authentication data" Why? Why not migrate to certificates using EAP-TLS or TEAP?

Credential Guard is probably your issue.  You must disable credential guard on Windows 11 if you are wanting to use PEAP.  Microsoft (correctly since the encryption used by PEAP is broken) blocked automatically being able to reference Active Directory username/password from both the native and 3rd party supplicants (among other pieces within Windows).  This is one of the other reasons you should consider migrating to a certificate based authentication method.

mehdimoujib
Level 1
Level 1

hello , 

Yes, indeed, the issue is with Credential Guard, which became enabled by default on Windows 11 starting from version 22H2. Cisco AnyConnect is working correctly now, but Microsoft recommends switching to one of the following authentication methods "certificate-based authentication (such as PEAP-TLS or EAP-TLS). Do you have an article or instructions on how to change the authentication method for Cisco AnyConnect?"