cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2333
Views
1
Helpful
13
Replies

Secure Client 5.1.1.42 with NAM and tethering to iPhone iOS 17.2.1

PeterLMSD
Level 1
Level 1

We have tried upgrading from Cisco AnyConnect 4.10.07073 to Secure Client 5.1.1.42 with NAM connecting to wired and wireless networks.

After the upgrade NAM fails to acquire the IP address from the phone.

PeterLMSD_0-1705523729989.png

Connecting to enterprise EAP SSIDs and other user specified WPA2-PSK wireless networks still work fine, it's just tethering to iPhones that doesn't work. 

Un-installing Secure Client 5.1.1.42 and doing a reboot, then re-installing AnyConnect 4.10.07073 with NAM then everything starts working again. A TAC case has been raised but thought I would ask if anyone else is having the same problem.

13 Replies 13

stsargen
Cisco Employee
Cisco Employee

Try installing 4.10.08052.  It has some fixes for WPA2/WPA3 and PMF that are not yet included in the 5.x release train.  You could also test setting the hotspot to WPA2 only, not WPA2/WPA3.

Also, read the new features section in the release notes for this 4.10.08052.

-- We have implemented a Network Access Manager addition to disable the setting of PMF IGTK until a Windows fix becomes available. Microsoft estimates that fixes for Windows 10 2004 and Windows 11 22H2 will be available in early 2024, which will allow you to set the IGTK from the Network Access Manager. Until then, you can disable the setting of PMF IGTK and allow a connection to a network configured to provide Protection of Management Frames (PMF). If the Windows fix is not yet available, and you can't avoid connecting to a network with PMF enabled, you need to modify the Windows registry editor by adding the following registry key as a DWORD and setting it as described to disable the use of IGTK by the Network Access Manager:

HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\Cisco AnyConnect Network Access Manager\DisableIGTK set to 1

 

I could try upgrading to AnyConnect .8052, but I don't have a problem with AnyConnect .7073 so there isn't a need to ugprade.

The issue is with Secure Client 5.1.1.42 not working. And we noticed it when upgrading from AnyConnect 7073 so we downgraded again and it started working.

Understood.  If you are looking to go to 5.x I would suggest you wait until 5.1.2.x is released.  This will have equivalent fixes that went into 4.10.08052 related to WPA2/WPA3 and PMF. 

Daniel G.
Level 1
Level 1

We have same problem after upgrading to 4.10.08025 or 5.1.1.42. After upgrade is not possible connect to HotSpot on iPhone iOS.

Also from version 4.10.07061 some number of users report problems with connection to their home WiFi with WPA2-PSK or WPA2/WPA3-PSK hybrid  with our corporate NTBs with Intel AX210/211 WIFI card (driver is actual but it doesn´t matter). 

I dont know if this specific problem of Intel card and Anyconnect or Anyconnect from some version has some unknown problems to operate with various WiFI routers. Do you experience same issue with some users?

BTW Cisco released new version of Secure Client - 5.1.2.42 so i am going to try it and also with the REG key DisableIGTK. I will report back.

We have clients on 5.1.2.42 still experiencing this issue. how did the registry workaround work out for you? I'm curious if is it worth a try .   TAC advised MFST will be releasing a patch but has no new ETA other is was supposed to be January 2024

stsargen
Cisco Employee
Cisco Employee

I noticed that we have recently updated the release notes that the IGTK workaround would only apply to networks configured for 802.1x, and NOT PSK.  You might be hitting a new issue (CSCwj50019) where when selecting the network from the NAM scanlist you are unable to connect.  Please try adding the same network using WPA3 from the "Add" option in the NAM UI. 

https://bst.cisco.com/quickview/bug/CSCwj50019

Thank you we will give it a try. The issue we were tracking was related CSCwi27062 and the registry key has worked for 50% of the users. 

@stsargen trying to follow work around #1 however I don't have an option for WPA 3 in the GUI. I verified MY XML file has it included. See attached. Any advice?

we had a similar issue, got it fixed by editing the NAM xml using 5.1.2.42 profile editor. Check mark will not be enabled for WPA3 in Authentication policy.

 

PeterLMSD
Level 1
Level 1

We still have the problem and down / upgraded back to AnyConnect 4.10.07073 and tethering to my iPhone over wireless works again. So we are back working with AnyConnect vs Secure Client. Since AnyConnect (in theory) is EOL now we will see if any further releases of AnyConnect occur.
Edit: Just tested Windows 10 + AnyConnect 4.10.08029 + iPhone 11 running 17.4.1 and it didn't work. I thought it was working but I re-tested and confirmed it isn't.

I am also exploring removing NAM and moving to the native Windows 802.1x client and pushing down Intune 802.1x Wired and Wireless profiles using TEAP with User and Machine certificates as that achieves the same outcome and doesn't have the complexity and annoyance of using NAM. Rolling TEAP out to the whole device fleet will take some careful management so it will take some time.

In my case, Secure Client 5.1.2.42 with NAM failed to connect to the PSK SSID on EWC on Catalyst 9105AX (version 17.13.1) and hotspot on Google Pixel 7 Pro (Android 14).

The issue was resolved by disabling IGTK in the registry.

Thanks for the reply . We are have some luck with the reg key but its only working about 30% of the time. 

Daniel G.
Level 1
Level 1

Try install new Secure client version 5.1.3.62 and apply Windows patch as is described in release note for specific OS:

Win10 22H2 - KB5036979

Win11 22H2/23H2  - KB5036980

  • The Microsoft issue that was preventing the connections to networks with PMF enabled has been corrected and verified. As a result of the Windows update, the implementation to disable the setting of PMF IGTK within Network Access Manager or to modify the Windows registry is no longer necessary in the fixed versions of Windows, listed below. The Microsoft IGTK fix for WPA2/WPA3 Enterprise networks has been addressed for Windows 10 22H2 KB5036979, Windows 11 22H2 KB5036980, and Windows 11 23H2 KB5036980. Microsoft estimates that the fix for Windows 11 21H2 will be available in May 2024.