Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2690
Views
1
Helpful
13
Replies

Secure Client 5.1.1.42 with NAM and tethering to iPhone iOS 17.2.1

PeterLMSD
Level 1
Level 1

‎01-17-2024 12:40 PM - edited ‎01-17-2024 12:42 PM

We have tried upgrading from Cisco AnyConnect 4.10.07073 to Secure Client 5.1.1.42 with NAM connecting to wired and wireless networks.

After the upgrade NAM fails to acquire the IP address from the phone.

PeterLMSD_0-1705523729989.png

Connecting to enterprise EAP SSIDs and other user specified WPA2-PSK wireless networks still work fine, it's just tethering to iPhones that doesn't work. 

Un-installing Secure Client 5.1.1.42 and doing a reboot, then re-installing AnyConnect 4.10.07073 with NAM then everything starts working again. A TAC case has been raised but thought I would ask if anyone else is having the same problem.

2 people had this problem
Labels:
0 Helpful
13 Replies 13

stsargen
Cisco Employee
Cisco Employee

‎01-17-2024 01:31 PM

Try installing 4.10.08052.  It has some fixes for WPA2/WPA3 and PMF that are not yet included in the 5.x release train.  You could also test setting the hotspot to WPA2 only, not WPA2/WPA3.

Also, read the new features section in the release notes for this 4.10.08052.

-- We have implemented a Network Access Manager addition to disable the setting of PMF IGTK until a Windows fix becomes available. Microsoft estimates that fixes for Windows 10 2004 and Windows 11 22H2 will be available in early 2024, which will allow you to set the IGTK from the Network Access Manager. Until then, you can disable the setting of PMF IGTK and allow a connection to a network configured to provide Protection of Management Frames (PMF). If the Windows fix is not yet available, and you can't avoid connecting to a network with PMF enabled, you need to modify the Windows registry editor by adding the following registry key as a DWORD and setting it as described to disable the use of IGTK by the Network Access Manager:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Cisco AnyConnect Network Access Manager\DisableIGTK set to 1

 

0 Helpful

PeterLMSD
Level 1
Level 1
In response to stsargen

‎01-17-2024 01:51 PM

I could try upgrading to AnyConnect .8052, but I don't have a problem with AnyConnect .7073 so there isn't a need to ugprade.

The issue is with Secure Client 5.1.1.42 not working. And we noticed it when upgrading from AnyConnect 7073 so we downgraded again and it started working.

0 Helpful

stsargen
Cisco Employee
Cisco Employee
In response to PeterLMSD

‎01-17-2024 02:07 PM

Understood.  If you are looking to go to 5.x I would suggest you wait until 5.1.2.x is released.  This will have equivalent fixes that went into 4.10.08052 related to WPA2/WPA3 and PMF. 

0 Helpful

Daniel G.
Level 1
Level 1

‎02-08-2024 10:39 AM

We have same problem after upgrading to 4.10.08025 or 5.1.1.42. After upgrade is not possible connect to HotSpot on iPhone iOS.

Also from version 4.10.07061 some number of users report problems with connection to their home WiFi with WPA2-PSK or WPA2/WPA3-PSK hybrid  with our corporate NTBs with Intel AX210/211 WIFI card (driver is actual but it doesn´t matter). 

I dont know if this specific problem of Intel card and Anyconnect or Anyconnect from some version has some unknown problems to operate with various WiFI routers. Do you experience same issue with some users?

BTW Cisco released new version of Secure Client - 5.1.2.42 so i am going to try it and also with the REG key DisableIGTK. I will report back.

0 Helpful

JimmyB22
Level 1
Level 1
In response to Daniel G.

‎04-04-2024 11:37 AM

We have clients on 5.1.2.42 still experiencing this issue. how did the registry workaround work out for you? I'm curious if is it worth a try .   TAC advised MFST will be releasing a patch but has no new ETA other is was supposed to be January 2024

0 Helpful

stsargen
Cisco Employee
Cisco Employee

‎04-05-2024 05:24 AM

I noticed that we have recently updated the release notes that the IGTK workaround would only apply to networks configured for 802.1x, and NOT PSK.  You might be hitting a new issue (CSCwj50019) where when selecting the network from the NAM scanlist you are unable to connect.  Please try adding the same network using WPA3 from the "Add" option in the NAM UI. 

https://bst.cisco.com/quickview/bug/CSCwj50019

0 Helpful

JimmyB22
Level 1
Level 1
In response to stsargen

‎04-05-2024 02:37 PM

Thank you we will give it a try. The issue we were tracking was related CSCwi27062 and the registry key has worked for 50% of the users. 

0 Helpful

JimmyB22
Level 1
Level 1
In response to stsargen

‎04-05-2024 05:47 PM

@stsargen trying to follow work around #1 however I don't have an option for WPA 3 in the GUI. I verified MY XML file has it included. See attached. Any advice?

Preview file
25 KB
Preview file
32 KB
0 Helpful

AbyLauranceCherian0059
Level 1
Level 1
In response to JimmyB22

‎04-14-2024 02:02 AM

we had a similar issue, got it fixed by editing the NAM xml using 5.1.2.42 profile editor. Check mark will not be enabled for WPA3 in Authentication policy.

 

0 Helpful

PeterLMSD
Level 1
Level 1

‎04-07-2024 01:54 PM - edited ‎04-07-2024 02:32 PM

We still have the problem and down / upgraded back to AnyConnect 4.10.07073 and tethering to my iPhone over wireless works again. So we are back working with AnyConnect vs Secure Client. Since AnyConnect (in theory) is EOL now we will see if any further releases of AnyConnect occur.
Edit: Just tested Windows 10 + AnyConnect 4.10.08029 + iPhone 11 running 17.4.1 and it didn't work. I thought it was working but I re-tested and confirmed it isn't.

I am also exploring removing NAM and moving to the native Windows 802.1x client and pushing down Intune 802.1x Wired and Wireless profiles using TEAP with User and Machine certificates as that achieves the same outcome and doesn't have the complexity and annoyance of using NAM. Rolling TEAP out to the whole device fleet will take some careful management so it will take some time.

0 Helpful

TymurPetrenko28532
Level 1
Level 1

‎04-18-2024 11:44 AM

In my case, Secure Client 5.1.2.42 with NAM failed to connect to the PSK SSID on EWC on Catalyst 9105AX (version 17.13.1) and hotspot on Google Pixel 7 Pro (Android 14).

The issue was resolved by disabling IGTK in the registry.

JimmyB22
Level 1
Level 1
In response to TymurPetrenko28532

‎04-18-2024 02:58 PM

Thanks for the reply . We are have some luck with the reg key but its only working about 30% of the time. 

0 Helpful

Daniel G.
Level 1
Level 1

‎05-21-2024 03:18 AM

Try install new Secure client version 5.1.3.62 and apply Windows patch as is described in release note for specific OS:

Win10 22H2 - KB5036979

Win11 22H2/23H2  - KB5036980

  • The Microsoft issue that was preventing the connections to networks with PMF enabled has been corrected and verified. As a result of the Windows update, the implementation to disable the setting of PMF IGTK within Network Access Manager or to modify the Windows registry is no longer necessary in the fixed versions of Windows, listed below. The Microsoft IGTK fix for WPA2/WPA3 Enterprise networks has been addressed for Windows 10 22H2 KB5036979, Windows 11 22H2 KB5036980, and Windows 11 23H2 KB5036980. Microsoft estimates that the fix for Windows 11 21H2 will be available in May 2024.

0 Helpful
Customers Also Viewed These Support Documents