About Network Access Manager
Network Access Manager is client software that provides a secure Layer 2 network in accordance with its policies. It detects and selects the optimal Layer 2 access network and performs device authentication for access to both wired and wireless networks. Network Access Manager manages user and device identity and the network access protocols required for secure access, and it prevents end users from making connections that violate administrator-defined policies.
The Network Access Manager is designed to be single homed, allowing only one network connection at a time. Wired connections also take priority over wireless: if the host is plugged into the network with a wired connection, the wireless adapter is disabled and holds no IP address.
If your wired or wireless network settings or specific SSIDs are pushed from a group policy, they can conflict with the proper operation of the Network Access Manager. With the Network Access Manager installed, a group policy for wireless settings is not supported.
Note: Network Access Manager is not supported on macOS or Linux.
Note: If you are using ISE posture on a Windows OS, Network Access Manager must be installed prior to starting AnyConnect ISE posture.
The Network Access Manager component of the Cisco AnyConnect Secure Mobility Client supports the following main features:
- Wired (IEEE 802.3) and wireless (IEEE 802.11) network adapters.
- Some Mobile Broadband (3G) network adapters with Windows 7 or later. (Requires a WAN adapter that supports Microsoft Mobile Broadband APIs.)
- Pre-login authentication using Windows machine credentials.
- Single sign-on user authentication using Windows logon credentials.
- Simplified IEEE 802.1X configuration.
- IEEE MACsec wired encryption and enterprise policy control.
- EAP methods:
  - EAP-FAST, PEAP, EAP-TTLS, EAP-TLS, and LEAP (EAP-MD5, EAP-GTC, and EAP-MSCHAPv2 for IEEE 802.3 wired only).
- Inner EAP methods:
  - PEAP: EAP-GTC, EAP-MSCHAPv2, and EAP-TLS.
  - EAP-TTLS: EAP-MD5 and EAP-MSCHAPv2, plus the legacy methods PAP, CHAP, MSCHAP, and MSCHAPv2.
  - EAP-FAST: EAP-GTC, EAP-MSCHAPv2, and EAP-TLS.
- Encryption modes: static WEP (Open or Shared), dynamic WEP, TKIP, and AES.
- Key establishment protocols: WPA and WPA2/802.11i.
- Smartcard-provided credentials in the following environments:
  - Microsoft CAPI 1.0 and CAPI 2.0 (CNG) on Windows.
Note: Windows logon does not support ECDSA certificates; therefore, Network Access Manager Single Sign-On (SSO) does not support ECDSA client certificates.
Suite B and FIPS
The following features are FIPS-certified on Windows 7 or later; any exceptions are listed:
- ACS and ISE do not support Suite B, but FreeRADIUS 2.x with OpenSSL 1.x does. Microsoft NPS 2008 supports Suite B in part (the NPS certificate still has to be RSA).
- 802.1X/EAP supports the transitional Suite B profile only (as defined in RFC 5430). TLS 1.2 is not supported.
- MACsec is FIPS-compliant.
- Elliptic Curve Diffie-Hellman (ECDH) key exchange is supported.
- ECDSA client certificates are supported.
- ECDSA CA certificates in the OS store are supported.
- ECDSA CA certificates in the network profile (PEM encoded) are supported.
- Verification of the server's ECDSA certificate chain is supported.
Single Sign On "Single User" Enforcement
Microsoft Windows allows multiple users to be logged on concurrently, but Cisco AnyConnect Network Access Manager restricts network authentication to a single user. AnyConnect Network Access Manager can be active for one user per desktop or server, regardless of how many users are logged on. Single user login enforcement means that only one user can be logged in to the system at any one time and that administrators cannot force the currently logged-in user to log off.
When the Network Access Manager client module is installed on Windows desktops, the default behavior is to enforce single user logon. When installed on servers, the default behavior is to relax single user login enforcement. In either case, you can add or modify a registry value (EnforceSingleLogon, described under Configure Single Sign-On Single User Enforcement) to change the default behavior.
Restrictions
- Windows administrators cannot force currently logged-on users to log off.
- RDP to a connected workstation is supported for the same user.
- To be considered the same user, credentials must be in the same format. For example, user/example is not the same as user@example.com.
- Smart-card users must also use the same PIN to be considered the same user.
Configure Single Sign-On Single User Enforcement
To change how a Windows workstation or server handles multiple users, change the value of EnforceSingleLogon under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}
To configure single or multiple user logon, add a DWORD named EnforceSingleLogon and set it to 1 or 0.
For Windows:
- 1 restricts logon to a single user.
- 0 allows multiple users to be logged on.
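The registry change above, as an added PowerShell example that is not part of the Cisco documentation or the AnyConnect product. It reads the current EnforceSingleLogon value under the credential-provider key (reporting "not set" when the DWORD is absent, in which case the install-time default from the previous section applies) and sets it to 1 or 0. The key is under HKEY_LOCAL_MACHINE, so the session must be elevated; the function names are assumptions chosen for this example, and the script first checks that the key exists rather than creating it, since the key is created by the Network Access Manager installer.

```powershell
# Added example (not Cisco's code): read and set the NAM EnforceSingleLogon DWORD.
# Run from an elevated PowerShell session; the key lives under HKLM.
# Function names below are assumptions for this example.
$NamCredProvKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'

function Assert-NamCredProvKey {
    # The key is created by the Network Access Manager installer; do not create it here.
    if (-not (Test-Path -LiteralPath $NamCredProvKey)) {
        throw "Credential provider key not found. Is Network Access Manager installed?"
    }
}

function Get-NamSingleLogonEnforcement {
    # Reports the configured value; an absent DWORD means NAM applies its
    # install-time default (enforced on desktops, relaxed on servers).
    Assert-NamCredProvKey
    $props = Get-ItemProperty -LiteralPath $NamCredProvKey -Name 'EnforceSingleLogon' -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return 'not set (NAM default applies)'
    }
    switch ([int]$props.EnforceSingleLogon) {
        1       { return 'single user (1)' }
        0       { return 'multiple users (0)' }
        default { return "unexpected value $($props.EnforceSingleLogon)" }
    }
}

function Set-NamSingleLogonEnforcement {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1)]   # only the two documented values are accepted
        [int]$Value
    )
    Assert-NamCredProvKey
    # -Force creates the DWORD if missing or overwrites an existing value.
    New-ItemProperty -LiteralPath $NamCredProvKey -Name 'EnforceSingleLogon' `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

# Usage: show the current state, restrict logon to a single user, then confirm.
Get-NamSingleLogonEnforcement
Set-NamSingleLogonEnforcement -Value 1
Get-NamSingleLogonEnforcement
```

The value is validated against the two documented settings so a typo cannot write an undefined value; to relax enforcement on a workstation, call Set-NamSingleLogonEnforcement -Value 0.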