Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
794
Views
2
Helpful
5
Replies

AnyConnect 4.10.x and Single sign on Problems

Go to solution
mehdimoujib
Level 1
Level 1

‎09-13-2023 03:47 AM

Hi Community,

I'm facing issues with anyconnect 4.10 in windows 11 computer. (Anyconnect Secure Mobility Client)

I have configured a file profile "configuration.xml" in attached file (rename in.txt) with Network Access Manager profile Editor and push it to the Client Directory cisco/Cisco AnyConnect Secure Mobility Client/Network Access Manager/System.

 

As you can see in attached file "the single sign on is configured for user credentials"

Nevertheless when the user open his session, a connexion popup (login/password) appears on user's computer side.

Have you already heard about this problem. What should i check? how can i fixe the issue?

 

Thanks you very much for your help.

Best regards

Labels:
DARTBundle_0913_1113.zip
configuration.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ahollifield
VIP
VIP
In response to mehdimoujib

‎09-15-2023 03:57 AM

What do you mean by "via SSO"?  Do you mean some just using cached Windows user credentials?  

What exact problems with the native Windows solution?  When was the last time you tested it?  The supplicant has been extremely reliable in my experience on Windows 10 and 11.  Before those versions, not so much.

"to use the same user session authentication data" Why? Why not migrate to certificates using EAP-TLS or TEAP?

Credential Guard is probably your issue.  You must disable credential guard on Windows 11 if you are wanting to use PEAP.  Microsoft (correctly since the encryption used by PEAP is broken) blocked automatically being able to reference Active Directory username/password from both the native and 3rd party supplicants (among other pieces within Windows).  This is one of the other reasons you should consider migrating to a certificate based authentication method.

View solution in original post

5 Replies 5

Go to solution
ahollifield
VIP
VIP

‎09-14-2023 05:27 AM

What is your use-case for the NAM module at all?  Why not use the native Windows supplicant?  Why use username/password at all?  Why not certificate based authentication?  Is credential guard enabled on the Windows device?

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/anyconnect-secure-mobility-client-v4x-eol.html

0 Helpful

Go to solution
mehdimoujib
Level 1
Level 1
In response to ahollifield

‎09-15-2023 01:40 AM

Hello ahollifield,

What is your use-case for the NAM module at all?
we use NAM to control access to the company network via SSO with the same session authentication data

Why not use the native Windows supplicant?
We encountered problems with the native Windows solution


Why use username/password at all?
to use the same user session authentication data

Is credential guard enabled on the Windows device?
yes it is activated

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to mehdimoujib

‎09-15-2023 03:57 AM

What do you mean by "via SSO"?  Do you mean some just using cached Windows user credentials?  

What exact problems with the native Windows solution?  When was the last time you tested it?  The supplicant has been extremely reliable in my experience on Windows 10 and 11.  Before those versions, not so much.

"to use the same user session authentication data" Why? Why not migrate to certificates using EAP-TLS or TEAP?

Credential Guard is probably your issue.  You must disable credential guard on Windows 11 if you are wanting to use PEAP.  Microsoft (correctly since the encryption used by PEAP is broken) blocked automatically being able to reference Active Directory username/password from both the native and 3rd party supplicants (among other pieces within Windows).  This is one of the other reasons you should consider migrating to a certificate based authentication method.

Go to solution
mehdimoujib
Level 1
Level 1

‎09-21-2023 06:45 AM

hello , 

Yes, indeed, the issue is with Credential Guard, which became enabled by default on Windows 11 starting from version 22H2. Cisco AnyConnect is working correctly now, but Microsoft recommends switching to one of the following authentication methods "certificate-based authentication (such as PEAP-TLS or EAP-TLS). Do you have an article or instructions on how to change the authentication method for Cisco AnyConnect?"

0 Helpful
Customers Also Viewed These Support Documents