AnyConnect Secure Mobility Client 3.0: Network Access Manager & Profile Editor on Windows

Mar 1, 2012 4:46 PM

Introduction

Summary

Use the Cisco AnyConnect Network Access Manager Profile Editor to build custom profiles for the AnyConnect Secure Mobility Client. Applies to version 3.0.x.

Overview

The AnyConnect Secure Mobility Client 3.0 has a nice module for managing wireless (and wired) networks in Windows. This module is called the Network Access Manager. For a wireless administrator who wants to have a ubiquitous supplicant and end-user interface experience on a range of Windows client machines (XP, Vista, 7), this little connection management utility fits in nicely.

Installing the AnyConnect client with the Network Access Manager module is relatively painless. What's not as easy (at least it wasn't for me) is figuring out how to create and deploy pre-configured .XML profiles* instead of using the default profile included with a bare-bones AnyConnect NAM install.

The profile determines the degree of control the end-user has over their network configurations, which authentication and encryption types they can use, if there are required (non-removable) networks in the list, the order of preferred networks, if they can add their own networks, etc. The degree of restriction an administrator applies with the configured profile is a matter of organizational policy or administrative preference, but the default is a wide open policy.

The first thing to realize is that profiles are deployed at AnyConnect Client install time. Each time you want to update a profile, you need to essentially re-install the client or redeploy the package through enterprise software distribution methods. This isn't a big deal, and the benefit is that it makes it difficult for end-users to tamper with or accidentally remove installed profiles, because there is no in-application way to switch profiles. The result is a clean, well-designed and intuitive interface with intentionally and appropriately scoped options, and one that should be easy for most administrators and helpdesk technicians to support.

[Screenshot: anyconnect.PNG]

The default profile wasn't working for me on my lab laptop because I needed to remove the Wired interface so I could access the machine over RDP and still connect to wireless networks for testing and demonstrations. Here's what I did to create my own NAM profile and deploy it onto my lab laptop:

Steps

NOTE: Before proceeding, if you already have NAM installed, uninstall it first and follow prompts to reboot your system. After the reboot, delete the following folder from your system to remove the previous configuration files:

Windows 7:

C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager

Windows XP:

C:\Documents and Settings\All Users\Application Data\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager

If you do not manually delete the previous configuration, the custom configuration you create in the following steps will not be applied.

This process needs two separate downloads from CCO. Both are available under the AnyConnect section:

    • predeployment .iso (contains the installers for all of the modules): e.g., anyconnect-win-3.0.5080-pre-deploy-k9.iso
    • standalone profile editor (used for creating and editing .XML profiles): e.g., anyconnect-profileeditor-win-3.0.5080-k9.exe

1. Unpack the downloaded pre-deployment .ISO file (your first download) to a folder on your Desktop, e.g., unpackedAnyConnectIsoFolder; all of the component module .MSIs (NAM, VPN, Posture, etc.) and the main setup.exe will be there along with a few folders. You can use 7Zip or a similar program to access the .ISO as you would a .zip or .tar file (i.e., you don't need to burn the image to CD).

2. Install and run the standalone profile editor (your second download); you only need the Network Access Manager component.

     a. Once installed, open the profile editor and configure a new profile, e.g. allow EAP types, disable Wired port management, etc.

     b. File / Save as...

     c. Name the file configuration.xml. This naming convention is required.

     d. Save the configuration file to the /<unpackedAnyConnectIsoFolder>/Profiles/nam folder

3. Run the main Secure Mobility Client setup installer (setup.exe) from <unpackedAnyConnectIsoFolder>. This installs the AnyConnect framework and modules. Select the Network Access Manager module. No other modules are necessary or required for managing wireless networks.

4. When the AnyConnect client next launches, you should be able to see your profile configurations integrated into the AnyConnect window.
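The two things that silently break this procedure are a profile that is not named configuration.xml in Profiles\nam, and a leftover Network Access Manager folder under ProgramData from a previous install (the NOTE above). The following PowerShell pre-flight script is an added example, not part of the original article or any Cisco tooling: run it on the unpacked ISO folder before step 3. The folder parameter, the -RemoveStaleConfig switch and the placeholder Desktop path are my assumptions; the file names and the Windows 7 ProgramData path are the ones given in the article (the XP path differs, see the NOTE).

```powershell
<#
  Pre-flight check for a custom NAM profile in an unpacked AnyConnect 3.0 pre-deployment folder.
  Added example (not Cisco's tooling). Assumes the layout from steps 1-2: setup.exe at the
  root of the unpacked ISO and configuration.xml under Profiles\nam.
#>
param(
    # Folder the pre-deployment .ISO was unpacked into (step 1). Placeholder path; adjust as needed.
    [string]$IsoFolder = "$env:USERPROFILE\Desktop\unpackedAnyConnectIsoFolder",
    # Only set this AFTER uninstalling NAM and rebooting, as the NOTE above requires.
    [switch]$RemoveStaleConfig
)

$problems = @()

# Step 3 runs setup.exe from the root of the unpacked ISO.
$setup = Join-Path $IsoFolder 'setup.exe'
if (-not (Test-Path -LiteralPath $setup)) {
    $problems += "setup.exe not found at $setup (is this the unpacked pre-deployment ISO?)"
}

# Steps 2c/2d: the profile must be named exactly configuration.xml and live in Profiles\nam.
$namDir      = Join-Path $IsoFolder 'Profiles\nam'
$profilePath = Join-Path $namDir 'configuration.xml'
if (-not (Test-Path -LiteralPath $profilePath)) {
    $problems += "configuration.xml not found in $namDir"
    # Common mistake: the profile was saved under another name, which the installer ignores.
    if (Test-Path -LiteralPath $namDir) {
        Get-ChildItem -LiteralPath $namDir -Filter '*.xml' | ForEach-Object {
            $problems += "found '$($_.Name)' in Profiles\nam; rename it to configuration.xml"
        }
    }
} else {
    # The installer copies the file as-is, so catch a truncated or hand-edited profile now.
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($profilePath)
        Write-Host "configuration.xml parsed OK (root element: $($doc.DocumentElement.Name))"
    } catch {
        $problems += "configuration.xml is not well-formed XML: $($_.Exception.Message)"
    }
}

# Leftover configuration from a previous NAM install prevents the new profile from being
# applied (see the NOTE above). Windows 7 path from the article; requires Vista or later
# because $env:ProgramData does not exist on XP.
$stale = Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager'
if (Test-Path -LiteralPath $stale) {
    if ($RemoveStaleConfig) {
        Remove-Item -LiteralPath $stale -Recurse -Force
        Write-Host "Removed stale NAM configuration at $stale"
    } else {
        $problems += "previous NAM configuration still present at $stale; uninstall NAM, reboot, then rerun with -RemoveStaleConfig"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Pre-deployment folder looks good; run $setup and select the Network Access Manager module."
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it as `.\Check-NamDeploy.ps1 -IsoFolder C:\path\to\unpackedAnyConnectIsoFolder` from an elevated prompt; a non-zero exit code with warnings means step 3 would install the default profile rather than yours.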

Further Reading

This is a rough guide, but hopefully it will save others some time figuring out the rather mysterious process of deploying NAM profiles. I didn't find this specific series of steps outlined in any one document online, but if anyone has better information or a clearer set of steps, I'll be happy to link them here.

Here are some additional resources that should help with more granular configuration details:

Configuring Network Access Manager

AnyConnect Secure Mobility Client Administrator Guide, Release 3.0

* The term "profiles" here does not refer to an individual wireless network profile (SSID). In this document, it refers to the collective set of policies and permissions that enable/disable functionality within the AnyConnect NAM module.

Justin


Comments

it@wavestreamco... Mon, 05/21/2012 - 19:11

Yes this is EXTREMELY helpful.  I was stuck for a couple days trying to figure out why my NAM deployments weren't working.  This provided the answers.  Thanks!!

Aaron Leonard Wed, 07/25/2012 - 15:56

Thanks for the article, Justin.

If you want to run the Profile Editor after installation, and apply it to an installed NAM supplicant, without rerunning setup.exe, you can do this:

  1. Edit the profile with Profile Editor, as described in Step 2 a through c above.  However, save configuration.xml to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\system instead.
  2. Apply the updated profile to the running NAM supplicant by right-clicking the NAM icon in the taskbar and selecting "Network Repair".
  3. The updated profile settings should appear in the NAM supplicant immediately.

One more trick - if the goal is to use NAM as a wireless supplicant, but have it not control the LAN adapter, then you can just go into the adapter properties and uncheck "Cisco AnyConnect Network Access Manager Filter Driver".

[Screenshot: LANproperties.png]

Cheers,

Aaron

jjonessec1969 Wed, 01/09/2013 - 09:43 (reply to ciscomax)

That's a great write-up. Question is, can you use the connections.xml with the AnyConnect install via VPN portal? Has anyone tried?

JJ

mtrudel337 Wed, 02/20/2013 - 05:07

Hello

I don't know if I am in the correct forum but I will ask anyway.

I am a consultant that needs to connect to multiple customers in VPN. Each of them has a different brand and version of VPN servers (Cisco, Open, CheckPoint, etc ...). I have several of these VPN clients installed on my machine ... and it is enough, I don't want to install new ones.

I am not the network administrator that configured these VPNs (though I used to do that kind of job). I am merely a Power User that has been granted access to these different VPNs by the network administrators of these customers.

That being said, several customers use Cisco VPNs (old versions, Cisco AnyConnect Secure Mobility Client 3.1, and lately a new flavor of the mobility client as a Web page). My question is regarding that latest "WEB" version. When I connect to that customer, I can see in the tray the Cisco AnyConnect Secure Mobility Client connecting and staying connected during the session. When I disconnect, the mobility client DOES NOT retain that customer configuration. When I access the mobility client again after the connection is disconnected I only have the choice of clients for which I received an installer file from these customers.

My question is:

Is there a way to create a Cisco AnyConnect Secure Mobility Client configuration file from that other WEB version so as to avoid going into Internet Explorer and all the delays it implies? If I could simply add the customer configuration into the Cisco AnyConnect Secure Mobility Client "Ready to connect" drop-down box it would allow me to connect directly by accessing the client in the tray instead of going through the web.

Thank you

Anand_Shankar1 Tue, 09/24/2013 - 21:38

I have a strange issue where when I disable NAM, wireless works fine, so Windows wireless is working as designed.

But when we have NAM enabled it doesn't let me authenticate to the wireless network I have.

Any Suggestions ?

Scott.eyles Thu, 10/17/2013 - 22:46

Has anyone else found that by using NAM it dramatically affects Computer Boot Time? My investigations have shown that the NAM service takes ~160 seconds on average to start up!

I wish to use NAM only to control access to Wi-Fi. In the NAM policy I have:

Ensured that Manage Wired Media is NOT checked

Unchecked all the options relating to Wired security under Authentication Policy

Not configured any Wired Networks under the network groups area.

Anyone have any ideas of misconfiguration that I may have?

Thanks
