Field Notice: FN - 72499 - AnyConnect Network Access Manager 4.9.x and 4.10.x Fails to Authenticate with ISE Release 3.1.x - Software Upgrade Recommended
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
1.2 |
04-Aug-23 |
Updated the Workaround/Solution Section |
1.1 |
13-Feb-23 |
Updated the Workaround/Solution Section |
1.0 |
04-Nov-22 |
Initial Release |
Products Affected
| Affected OS Type | Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|---|
NON-IOS |
AnyConnect VPN Client Software |
4.10 |
4.10.00093, 4.10.01075, 4.10.02086, 4.10.03104, 4.10.04065 |
Only affects devices that use Windows 10 or Windows 11 |
NON-IOS |
AnyConnect VPN Client Software |
4.9 |
4.9.00086, 4.9.01095, 4.9.02028, 4.9.03047, 4.9.04043, 4.9.04053, 4.9.05042, 4.9.06037 |
Only affects devices that use Windows 10 or Windows 11 |
Defect Information
| Defect ID | Headline |
|---|---|
| CSCvz90541 | NAM: AnyConnect NAM 4.9.x/4.10.x fails auth w/ISE 3.1, but is successful with previous ISE versions |
Problem Description
For the affected AnyConnect versions, AnyConnect Network Access Manager (NAM) on devices that use Windows 10 or Windows 11 fails to authenticate with Identity Services Engine (ISE) running Release 3.1.x.
Background
AnyConnect NAM is an 802.1x supplicant that provides secure Layer 2 network access in accordance with its configured policies. It manages device authentication for both wired and wireless networks, user and device identity, in addition to the network access protocols required for secure access.
Problem Symptom
End users that run the affected AnyConnect versions on Windows 10 or Windows 11 might observe an authentication failed error message when connecting to ISE Release 3.1.x.
Workaround/Solution
Solution
In order to resolve this issue, Cisco recommends to upgrade to AnyConnect 4.10.04071 or later.
Workarounds
It is highly recommended to apply the solution in this section. However, if an upgrade to the AnyConnect software is not immediately possible, complete one of these actions:
- For ISE 3.2 Patch 1 or later - set the environment variable to disable RSA-PSS signatures via the CLI with the
application configure isecommand. Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 3.2 for further information. - For ISE 3.1 Patch 6 or later - set the environment variable to disable RSA-PSS signatures via the CLI with the
application configure isecommand. Refer to the Cisco Identity Services Engine CLI Reference Guide, Release 3.1 for further information. - For ISE 3.2 (no patch) and ISE 3.1 Patch 4 or Patch 5 - set the environment variable to disable RSA-PSS signatures via root access (must contact the Cisco Technical Assistance Center (TAC) for root access).
- Use Microsoft Native Supplicant.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)
This Document Applies to These Products
Unleash the Power of TAC's Virtual Assistance