cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
31925
Views
66
Helpful
18
Replies

Anyconnect NAM vs windows native client

wkw.domain1
Level 1
Level 1

Hi all,

I would like to get your expert opinion on anyconnect NAM vs windows native client

We are planning to deploy CISCO ISE with anyconnect NAM as the supplicant. Proposed method of authentication is EAP-FAST with both machine and user authentication. A custom ACL will be applied to each port after successful authentication.

However there is another option which seems to be much simpler than the above, which is to use the windows native supplicant. I understand that windows client does not have same features as anyconnect but following is what I am planning to configure.

• Use the windows client to authenticate only the machine using EAP-TLS
(Each windows machine has a certificate issued by internal CA)
• Offload the user authentication to the next generation firewall that we already have


Offloading user access control to firewall is much more secure as the switch is not a proper security device. Also, I notice that its much more easier to get the native client working than the anyconnect.
It may be due to native client and the OS understand each other well.

However one of my concerns is that CISCO strongly recommends to use the anyconnect client due its rich feature set and convenience in troubleshooting. But in our network, we dont really need the features like EAP-chaining, MACsec.

What are your thoughts on this?
I am interested to know about the native client behavior in production networks ?

4 Accepted Solutions

Accepted Solutions

nspasov
Cisco Employee
Cisco Employee

I have done many ISE deployments and designs and only a handful of them used the AnyConnect NAM over the native supplicant. Here are the issues with it:

1. It is one more piece of software that you need push and keep updated to your workforce machines

2. Bugs. I have seen a fair share of bugs related to the supplicant causing issues

3. Cost. With AnyConnect 4 the cost of the client is no longer free

4. The client is not available for OSX (Not-Cisco's fault but still something to keep in mind)

With that being said, if you do want to use EAP-TEAP aka EAP-Chaining then the only option that you have is to use the AnyConnect supplicant. 

I hope this helps!

Thank you for rating helpful posts!

View solution in original post

Clarifying as you requested:

"Network Access Manager overrides Windows network management. Therefore, after installing the Network Access Manager, you cannot use the network status icon to connect to networks"

(source)

"The AnyConnect Network Access Manager provides superior connectivity features. Administrators can control which networks or resources that endpoints can connect to."

(source)

Hope that helps.

View solution in original post

ISE Posture doesn't require NAM.

You can use the native supplicant for machine certificate authentication. Also for user authentication (certificate or username). You just cannot do both at once, AKA EAP-chaining (currently - Microsoft is supposed to be releasing EAP-TEAP support soon). So you have to trust one or the other for a given authentication session.

View solution in original post

paul_dmitri
Level 1
Level 1

You can automate the config.xml files distribution and anyconnect updates from the ASA. Also integrate windows radius server with the ASA to automate and link everything. 

View solution in original post

18 Replies 18

nspasov
Cisco Employee
Cisco Employee

I have done many ISE deployments and designs and only a handful of them used the AnyConnect NAM over the native supplicant. Here are the issues with it:

1. It is one more piece of software that you need push and keep updated to your workforce machines

2. Bugs. I have seen a fair share of bugs related to the supplicant causing issues

3. Cost. With AnyConnect 4 the cost of the client is no longer free

4. The client is not available for OSX (Not-Cisco's fault but still something to keep in mind)

With that being said, if you do want to use EAP-TEAP aka EAP-Chaining then the only option that you have is to use the AnyConnect supplicant. 

I hope this helps!

Thank you for rating helpful posts!

Hi Neno and Marvin,

Thanks both for your informative responses. Really appreciate it.

Few reasons I am inclined towards the windows client are;
• We don’t really need EAP-chaining in our environment
Because we’ve got a Next Gen firewall with User-ID enabled which inspects the traffic within the corporate network as well. So the firewall will restrict access from client to server based on user ID if required.
• Frequent drive mapping errors at logon
We noticed that windows is unable to connect to network drives at the the logon (shows the pop up message “could not connect to all the drives”). This was not observed with with the native client at all. I think the reason is that the native client is tightly integrated with the OS so windows know exactly when to connect network drives. However this could be a timing thing in anyconnect
• Issues with remote desktop access when user authentication is enabled
• Having to spend time on routine version updates

Marvin,
One thing I am not clear is your remark about enforcing the client to be connected to a single network. Can you please clarify this and provide any reference documents ?

Once again thanks for your valuable feedback.

Clarifying as you requested:

"Network Access Manager overrides Windows network management. Therefore, after installing the Network Access Manager, you cannot use the network status icon to connect to networks"

(source)

"The AnyConnect Network Access Manager provides superior connectivity features. Administrators can control which networks or resources that endpoints can connect to."

(source)

Hope that helps.

The Cisco NAM Supplicant / Posture module is for machines that do not use any other types of CND suites. We found that ActivClient 6.2 and 7 interferes with the NAM client when using EAP-TLS CAC authentication. No Certificate Error Can be reproduced. Also, NAM client does not like multiple CAC readers with CAC's in the reader. My vote - EAP-Chaining is nice...but use the Windows supplicant when possible if you are running CND suites like McAfee HIPS/VSE and ActivClient.

Just remember to lookout for Windows patches breaking DOT1x.

Marvin Rhoads
Hall of Fame
Hall of Fame

I try to use AnyConnect as the supplicant more often than not with my ISE deployments.

Besides the supplicant functionality (Network Access Module) that allows for EAP chaining, it also enforces that a client must be exclusively connected to a single network. It requires a client use one of the configured networks if it is available. Overall it lets you lock down things a bit more. Yes there are other ways to do all of that; but you're more on your own if you want to roll that way.

Enforcing policy on your firewall is fine for as far as it goes but what about policy within your network? Having the user identity of the current session enables a lot more granularity and dynamic authorization. It also opens the door for you to be able to do things like Trustsec Security Group Tags (SGTs).

And then there's the ISE Posture Module... (and the brand new Network Visibility Module)

Sorry to reply in an old post but this topic seems relevant today.

 

Do you think the situation is still the same in 2020 regarding the benefits of Anyconnect NAM vs windows native supplicant?

 

I am doing a small deployment and probably will use the native supplicant as anyconnect NAM requires licensing from what I read.  However I am wondering regarding ISE posture -  is the NAM module required for Posture? Also if I want to do 802.1x machine authentication for users connecting via anyconnect is it possible to be done with the windows native supplicant?

 

Thanks in advance :)

ISE Posture doesn't require NAM.

You can use the native supplicant for machine certificate authentication. Also for user authentication (certificate or username). You just cannot do both at once, AKA EAP-chaining (currently - Microsoft is supposed to be releasing EAP-TEAP support soon). So you have to trust one or the other for a given authentication session.

Hello ,

 

Regarding your statement "ISE Posture doesn't require NAM." do you happen to have any official link or document to refer to this ?? i actually need to show it to higher management in my company as final decision on either to install NAM or go with windows native client, will be theirs.

 

also once we install NAM , there is no way to stop it from controlling windows network manager ?? or can this be achieved with tweaking windows registry ?? 

 

Your prompt response will be highly appreciated.

 

Thanks

Hi,

 

I am using anyconnect client 4.7 without NAM and posture is working fine. 
you can also install NAM if you want and you can allow/deny network settings in profile. It’s easy. 

let me know if you need any help.

Hi, some of our end users will not be using Anyconnect VPN , so will need to push only NAM for them,which is not the ideal case, so it is certain that we can use posture assessment without NAM ?

Hi, 

 

you don’t want to use anyconnect nor NAM so I don’t think posture will work anyway.

 

I think for such cases you can use machine and user authentication only.

without NAM, it will be user OR machine authentication ? right ?
user AND machine authentication will require NAM ??

For now, ISE 2.7 introduces the support for EAP-TEAP, and Microsoft will introduce public windows 10 support for EAP-TEAP at the end of this month (expected 2xxx update release). EAP-TEAP supports both user + machine auth in the same way NAM has until now with EAP chaining functionality.

But back to the question you had here, posture without AnyConnect and NAM is possible. But the posture module is the most robust solution we have.
This document outlines the ISE posture types, agent and agentless.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_010110.html#Posture_Types

As noted in the link that @Damien Miller provided, the temporal agent is available for ISE Posture checking and enforcement without requiring NAM. It's not as full-featured; but it does work fine within the parameters it supports.