20352 Views, 50 Helpful, 17 Replies

Anyconnect NAM vs windows native client

wkw.domain1
Beginner

Hi all,

I would like to get your expert opinion on anyconnect NAM vs windows native client

We are planning to deploy CISCO ISE with anyconnect NAM as the supplicant. Proposed method of authentication is EAP-FAST with both machine and user authentication. A custom ACL will be applied to each port after successful authentication.

However, there is another option which seems to be much simpler than the above, which is to use the Windows native supplicant. I understand that the Windows client does not have the same features as AnyConnect, but the following is what I am planning to configure.

• Use the Windows client to authenticate only the machine using EAP-TLS (each Windows machine has a certificate issued by the internal CA)
• Offload the user authentication to the next-generation firewall that we already have


Offloading user access control to the firewall is much more secure, as the switch is not a proper security device. Also, I notice that it's much easier to get the native client working than AnyConnect.
It may be because the native client and the OS understand each other well.

However, one of my concerns is that Cisco strongly recommends using the AnyConnect client due to its rich feature set and convenience in troubleshooting. But in our network, we don't really need features like EAP chaining or MACsec.

What are your thoughts on this?
I am interested to know about the native client's behavior in production networks.

17 Replies

nspasov
Cisco Employee

I have done many ISE deployments and designs and only a handful of them used the AnyConnect NAM over the native supplicant. Here are the issues with it:

1. It is one more piece of software that you need to push to your workforce machines and keep updated

2. Bugs. I have seen a fair share of bugs related to the supplicant causing issues

3. Cost. With AnyConnect 4 the cost of the client is no longer free

4. The client is not available for OSX (Not-Cisco's fault but still something to keep in mind)

With that being said, if you do want to use EAP-TEAP aka EAP-Chaining, then the only option that you have is to use the AnyConnect supplicant.

I hope this helps!

Thank you for rating helpful posts!

Hi Neno and Marvin,

Thanks both for your informative responses. Really appreciate it.

A few reasons I am inclined towards the Windows client are:
• We don't really need EAP chaining in our environment
Because we've got a next-gen firewall with User-ID enabled which inspects the traffic within the corporate network as well. So the firewall will restrict access from client to server based on user ID if required.
• Frequent drive mapping errors at logon
We noticed that Windows is unable to connect to network drives at logon (shows the pop-up message "could not connect to all the drives"). This was not observed with the native client at all. I think the reason is that the native client is tightly integrated with the OS, so Windows knows exactly when to connect network drives. However, this could be a timing thing in AnyConnect.
• Issues with remote desktop access when user authentication is enabled
• Having to spend time on routine version updates

Marvin,
One thing I am not clear on is your remark about enforcing the client to be connected to a single network. Can you please clarify this and provide any reference documents?

Once again thanks for your valuable feedback.

Clarifying as you requested:

"Network Access Manager overrides Windows network management. Therefore, after installing the Network Access Manager, you cannot use the network status icon to connect to networks"

(source)

"The AnyConnect Network Access Manager provides superior connectivity features. Administrators can control which networks or resources that endpoints can connect to."

(source)

Hope that helps.

The Cisco NAM Supplicant / Posture module is for machines that do not use any other types of CND suites. We found that ActivClient 6.2 and 7 interferes with the NAM client when using EAP-TLS CAC authentication. The "No Certificate" error can be reproduced. Also, the NAM client does not like multiple CAC readers with CACs in the readers. My vote: EAP-Chaining is nice... but use the Windows supplicant when possible if you are running CND suites like McAfee HIPS/VSE and ActivClient.

Just remember to look out for Windows patches breaking DOT1x.

Marvin Rhoads
VIP Community Legend

I try to use AnyConnect as the supplicant more often than not with my ISE deployments.

Besides the supplicant functionality (Network Access Module) that allows for EAP chaining, it also enforces that a client must be exclusively connected to a single network. It requires that a client use one of the configured networks if it is available. Overall, it lets you lock things down a bit more. Yes, there are other ways to do all of that, but you're more on your own if you want to roll that way.

Enforcing policy on your firewall is fine as far as it goes, but what about policy within your network? Having the user identity of the current session enables a lot more granularity and dynamic authorization. It also opens the door for you to be able to do things like TrustSec Security Group Tags (SGTs).

And then there's the ISE Posture Module... (and the brand new Network Visibility Module)