Cisco AnyConnect NAM v3.1.05170 and Microsoft Account Troubles

mcsenerd

Active Member
Sounds crazy I know... But my company generally uses the Cisco AnyConnect NAM Supplicant to provide corporate access to our internal EAP-FAST wireless access. Well, I can certainly get this working well with both my SP1 and my SP2, but I've been unable to associate with our APs using the SP3. One of the things I struggled through with the SP1/2 is that I had great struggles with getting the Windows Store to work. In fact, any time I needed to "verify my account" or any other type of MS Account authentication basically just HUNG. It wouldn't produce an error, wouldn't time out, wouldn't do much of anything but just sit there and do absolutely nothing. I never had any issues on a fresh load and my account always checked out with MS Support, so I always chalked it up to something in my software load. Well, after further testing on the SP3 I can most certainly guarantee that it's some sort of interaction with the Cisco AnyConnect NAM. Even though it wasn't actually "working" with our APs on the SP3, I had it installed and was still trying to get it to function. Well, I wanted to purchase an app from the store and lo and behold, once again I was "hanging" at the account verification/authentication portion of the transaction. I then uninstalled the NAM portion of the AnyConnect tool and everything concerning the MS Account just suddenly worked again.

Does anyone else here use the Cisco AnyConnect NAM on their box? Is this something that affects all Windows 8/8.1 installs or is it specific to the Surface Pros? I'd love to hear others' experiences...
 

ZZATU

New Member
We just ran into issues on the Surface Pro 3 and Cisco NAM 3.1.05170.
We are unable to connect to the network.
We also tried by disabling NAM and connecting via the Windows Client and received the following error:
___________________________________
"Network Security Alert"
Windows can't verify the server's identity: "If you expect to find %1 In this location, go ahead and connect. Otherwise, it may be a different network with the same name"
_____________________________________
This is typically a cert error and you need the cert installed (which it is).
We do use a certificate to ensure that we are connecting to a trusted wireless connection, and this certificate root is installed on the machine. The authentication type is PEAP [WPA2][Auth(802.1X)]. Cisco WLC 7.6.120.0.

We don't think it's an issue with WLC as the client connects to an open network on the same WLC.
Wondering if this is an issue:
http://www.winbeta.org/news/surface-pro-3-wifi-connectivity-issues-acknowledged-microsoft-fix-way

On your particular issue, if you disable NAM can you connect? Could it be a corporate firewall preventing you from accessing what you are trying to access?
 


mcsenerd

Active Member
I cannot connect to the protected portion of our corporate wireless at all (as I stated it is EAP-FAST w/WPA2 Ent.), either through the built-in Windows Client or through the NAM. However, we too have an unprotected, hidden SSID guest network that the SP3 does connect to without issue. I want to be clear here, that the exact same software setup worked without issue (save for the very strange Windows Store/Microsoft Account thing) and there was no certificate that was required for connections to proceed on either the SP1 or SP2.

I don't believe it to be a firewall issue as far as I can tell because the SP3 simply won't authenticate to the access point and therefore never completes a connection at all.

I guess it's good to know that I'm not the only one seeing this issue :)
 

mcsenerd

Active Member
Well, not that I expected any actual help anyway, but here's the MS Community forum response:

"Thanks for posting in the Community Forum. I understand that you are unable to connect your Surface Pro 3 to your company's wireless network. I'm here to help you with this.
As this is an issue with your company's wireless network, we recommend that you contact our Support Team for businesses. You should also contact your IT administrator at your company.
Thanks again for posting here. If you have any other questions that we could help you with for your Surface Pro 3, please post here again."

Umm... gee, thanks? What part of: this worked with the SP1 & SP2, but now only works on the non-protected portion with SP3 makes it an issue with my company's wireless network again?
 

ZZATU

New Member
I have talked to Cisco about this. Cisco is working to find a resolution to this, and they have been able to re-create the issue. At this point it looks like an issue with Cisco NAM and the Surface Pro 3. Previous versions of AnyConnect NAM and Surface Pros have had issues and Cisco and Microsoft have had to come out with fixes.
New Bug ID: https://tools.cisco.com/bugsearch/bug/CSCup69555/?reffering_site=dumpcr
Right now we will need to wait until Cisco or Microsoft comes out with a fix to this issue and the Surface Pro 3.

As a work-around for us we were unable to use wireless until we completely uninstalled Cisco NAM and rebooted. We are now using the Windows Wireless Supplicant and able to connect. (simply disabling the client did not resolve the issue)
 

mcsenerd

Active Member
Thanks ZZATU. One way to use the built-in Windows Wireless control without uninstalling is to simply disable the filter driver in the wireless adapter properties. I guess...I'll have to drag the USB Ethernet adapter around everywhere with me for now :)
 

mcsenerd

Active Member
Well... not encouraging is the fact that they have it marked as fixed and the "fix" is... don't use NAM. Gee... thanks Cisco.
 

mcsenerd

Active Member
Update folks... and I haven't tested this yet as I've been out on the road and not in the office to see if it now works or not, but it appears that the most recent update fixes several things that kept me from using the NAM on the Surface Pro 3. Here is the list of items fixed in the latest Cisco release:

Caveats Resolved by AnyConnect 3.1.05182

Identifier   Component     Headline
CSCup97189   posture-asa   Hostscan doesn't detect Trend Micro OfficeScan Client 11
CSCup54966   nam           AnyConnect NAM prevents Microsoft Store Credential request
CSCup69555   nam           NAM: NAM does not work on Surface Pro 3, fails to associate
CSCuq19848   nam           NAM: Unable to use Smart card if the card name contains a "+" sign
CSCuq31511   vpn           DTLS vulnerabilities in OpenSSL
CSCuq12791   vpn           Update 3rd party libraries
CSCuq24666   vpn           SCEP enrollment broken

I've personally suffered through both of the italicized items, so it's very encouraging that they are saying that they are both addressed in the latest update. I'll report back after I upgrade to the new AnyConnect version and give the NAM a go again at the office.
 