cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
31072
Views
66
Helpful
18
Replies

Anyconnect NAM vs windows native client

wkw.domain1
Level 1
Level 1

Hi all,

I would like to get your expert opinion on anyconnect NAM vs windows native client

We are planning to deploy CISCO ISE with anyconnect NAM as the supplicant. Proposed method of authentication is EAP-FAST with both machine and user authentication. A custom ACL will be applied to each port after successful authentication.

However there is another option which seems to be much simpler than the above, which is to use the windows native supplicant. I understand that windows client does not have same features as anyconnect but following is what I am planning to configure.

• Use the windows client to authenticate only the machine using EAP-TLS
(Each windows machine has a certificate issued by internal CA)
• Offload the user authentication to the next generation firewall that we already have


Offloading user access control to firewall is much more secure as the switch is not a proper security device. Also, I notice that its much more easier to get the native client working than the anyconnect.
It may be due to native client and the OS understand each other well.

However one of my concerns is that CISCO strongly recommends to use the anyconnect client due its rich feature set and convenience in troubleshooting. But in our network, we dont really need the features like EAP-chaining, MACsec.

What are your thoughts on this?
I am interested to know about the native client behavior in production networks ?

18 Replies 18


@kaizen wrote:

...However I am wondering regarding ISE posture -  is the NAM module required for Posture? Also if I want to do 802.1x machine authentication for users connecting via anyconnect is it possible to be done with the windows native supplicant?


Here actually what I meant is if it is possible to do machine authentication (by checking membership of the AD domain) with the Posture module when connecting with Anyconnect VPN. Apparently at the moment it is not possible. I found a forum thread for a registry check but it seems not very secure. I suppose if a machine authentication is required Anyconnect vpn with certificate authentication is the right option.

 

IMO AnyConnect is the better option of the two. 

Disadvantage of AnyConnect NAM pushing out the software and maintaining the configuration.xml files is a big knowledge curve for the entire IT from SCCM admins to Service Desk. There can be extreme one off in random issues if AnyConnect was installed while Antivirus/malware services are running. However BP says to have AV/AM turned off. I typically have to make 2 registry edits to have RDP behave the same prior to AnyConnect. You cannot use the native windows network which is usually a common issues with users, but there is a 3rd registry edit you can do to hide this. 

 

Disadvantages of win10 native suppliant machine authentication does not provide the security requirements due to the fact it only happens when a user is not logged into the machine. Most users, more so for desktops, do not log off/restart their machines at the end of the day. For laptops when going from Wired to Wireless or vice versa Single Sign on does not work. Microsoft breaks this way more than cisco breaks AnyConnect. Also Microsoft introduces more vulnerabilities requiring patching than Cisco AC NAM which leads to the reason they break this more. No fault to Microsoft because they are dealing with an entire OS while Cisco AC NAM is just an application doing a specific job. There are more one off issues that arise due to certain models coupled with patches. You are limited to what authentication frameworks you can use. It requires you to configure the Wired and Wireless separately. 

 

Benefits of Windows 10 native supplicant are that it's easier to convince a customer to go this route. You do not have to install an application. Lastly users are more familiar with it. 

 

Benefits of AC NAM added security through the use of corporate wireless. You can configured both wired and wireless settings through one configuration.xml file. Eap chaining is the only true user and machine auth out there where machine auth happens every time. Single-sign on works perfectly from wired to wireless. You can control what format the username and hostname comes in as. With DART installed you have all the Shoot files you'll ever need to diagnose a problem. Though the use of configuration.xml files you maintain a change version.

 

Small AC NAM benefits are you can order all your wireless networks in terms of preference, you can update the settings without having to forget the network or fail a login. It displays your IP address on the NAM window which is great for service desk when working with a user. Lastly NAM has logs in its settings that are great for basic troubleshooting.  

paul_dmitri
Level 1
Level 1

You can automate the config.xml files distribution and anyconnect updates from the ASA. Also integrate windows radius server with the ASA to automate and link everything. 

felipe.bsilva
Level 1
Level 1

In this material there is a simple comparison, but it can help to understand the main differences. But recently, with the improvement of OSs, there are few differences.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-2430.pdf

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-2660.pdf