AnyConnect Secure Mobility Client 3.0: Network Access Manager & Profile Editor on Windows
Use the Cisco AnyConnect Network Access Manager Profile Editor to build custom profiles for the AnyConnect Secure Mobility Client. Applies to version 3.0.x.
The AnyConnect Secure Mobility Client 3.0 has a nice module for managing wireless (and wired) networks in Windows. This module is called the Network Access Manager. For a wireless administrator who wants to have a ubiquitous supplicant and end-user interface experience on a range of Windows client machines (XP, Vista, 7), this little connection management utility fits in nicely.
Installing the AnyConnect client with the Network Access Manager module is relatively painless. What's not as easy (at least it wasn't for me) is figuring out how to create and deploy pre-configured .XML profiles* instead of using the default profile included with a bare-bones AnyConnect NAM install.
The profile determines the degree of control the end-user has over their network configurations, which authentication and encryption types they can use, if there are required (non-removable) networks in the list, the order of preferred networks, if they can add their own networks, etc. The degree of restriction an administrator applies with the configured profile is a matter of organizational policy or administrative preference, but the default is a wide open policy.
The first thing to realize is that profiles are deployed at AnyConnect Client install time. Each time you want to update a profile, you need to essentially re-install the client or redeploy the package through enterprise software distribution methods. This isn't a big deal, and the benefit to this is that it makes it difficult for end-users to tamper with or accidentally remove installed profiles because there is no in-application way to switch profiles. The result is a clean, well-designed and intuitive interface with intentionally and appropriately scoped options, and one that should be easy for most administrators and helpdesk technitians to support.
The default profile wasn't working for me on my lab laptop because I needed to remove the Wired interface so I could access the machine over RDP and still connect to wireless networks for testing and demonstrations. Here's what I did to create my own NAM profile and deploy it onto my lab laptop:
NOTE: Before proceeding, if you already have NAM installed, uninstall it first and follow prompts to reboot your system. After the reboot, delete the following folder from your system to remove the previous configuration files:
C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager
C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager
If you do not manually delete the previous configuration, the custom configuration you create in the following steps will not be applied.
This process needs two separate downloads from CCO. Both are available under the AnyConnect section:
- predeployment .iso (contains the installers for all of the modules): e.g., anyconnect-win-3.0.5080-pre-deploy-k9.iso
- standalone profile editor (used for creating and editing .XML profiles): e.g., anyconnect-profileeditor-win-3.0.5080-k9.exe
1. Unpack the downloaded pre-deployment .ISO file (your first download) to a folder on your Desktop, e.g., unpackedAnyConnectIsoFolder; all of the component module .MSIs (NAM, VPN, Posture, etc.) and the main setup.exe will be there along with a few folders. You can use 7Zip or a similar program to access the .ISO as you would a .zip or .tar file (i.e., you don't need to burn the image to CD).
2. Install and run the standalone profile editor (your second download); you only need the Network Access Manager component
a. Once installed, open the profile editor and configure a new profile, e.g. allow EAP types, disable Wired port management, etc.
b. File / Save as...
c. Name the file configuration.xml. This naming convention is required
d. Save the configuration file to the /<unpackedAnyConnectIsoFolder>/Profiles/nam folder
3. Run the main Secure Mobility Client setup installer (setup.exe) from <unpackedAnyConnectIsoFolder>. This installs the AnyConnect framework and modules. Select the Network Access Manager modules. No other modules are necessary or required for managing wireless networks
4. When the AnyConnect client next launches, you should be able to see your profile configurations integrated into the AnyConnect window.
This is a rough guide, but hopefully it will save others some time figuring out the rather mysterious process of deploying NAM profiles. I didn't find this specific series of steps outlined in any one document online, but if anyone has better information or a clearer set of steps, I'll be happy to link them here.
Here are some additional resources that should help with more granular configuration details:
* The term "profiles" here does not refer to an individual wireless network profile (SSID). In this document, it refers to the collective set of policies and permissions that enable/disable functionality within the AnyConnect NAM module.