Instructions for External Consultants to use Cisco AnyConnect 4 November, 2021 Version 3.0 Introduction In order to enforce the protection of corporate networks, we are implementing Network Access Control infrastructure (NAC): a security solution which verifies the presence of an updated anti-virus on your PC. On the occasion of this new company tool and to ensure the normal use of network connection, all external consultants owner of a non-Corporate PC must install the Cisco AnyConnect Secure software. To download the software and to read the setup instructions, please visit ICT Self Care portal: a procedure will guide you through the first registration to the network and software installation. This installation requires administrative rights. If the windows user itself is not a local admin user, but the setup is launched with another admin credentials, then the certificate is installed under the certificate store of the local admin user. This is not the correct operating mode for installing certificates from the on-boarding procedure: Cisco suggest elevating your user credential to local admin, before proceeding with the setup of the Network Assistant. The goal of this guide is to support the solving the most common problems during the use of Cisco AnyConnect software on external user laptops. Following these instructions, you will be able to solve some problems on your own. You don’t want install Cisco AnyConnect Secure Agent, is it mandatory? Yes, the use of the permanent agent AnyConnect Secure is mandatory if you want access to both the wired and wireless network. As an alternative, if you don’t want install Cisco AnyConnect, you can use a temporary executable file that runs once during connection and then uninstalls when the compliant processing is completed. It does not require admin privileges to use but guarantees limited access to the Wi-Fi network only (please refer to Temporal Agent: Setup Instructions for External Users). You should execute the temporal agent every day at the first connection to the network. Although the use of temporal agent you can have a limited access to the wireless network, it is strongly suggested to use the Cisco AnyConnect Secure agent. If you need any further assistance, please contact the ICT Customer Service Desk. 2 TABLE OF CONTENTS Introduction........................................................................................................................................... 2 Cisco AnyConnect Mobile Security: Setup Instructions for External Users ................................................ 4 How to get the AnyConnect client packet ..................................................................................................... 5 Cisco AnyConnect Secure installation (Offline Mode)................................................................................... 6 Temporal Agent: Setup Instructions for External Users .......................................................................... 16 Frequently Asked Questions ................................................................................................................. 21 3 Cisco AnyConnect Mobile Security: Setup Instructions for External Consultants 4 How to get the AnyConnect client packet Go to the ICT Self Care portal, enter your credentials and click “Login” : Once logged in, you may find the AnyConnect Secure Mobility packet in the “Utility Kit” section: Select the link “Cisco-AnyConnect-NAC_FOR_EXTERNAL_USERS.zip” and extract the ZIP file into a temporary folder (i.e. Desktop, Downloads folder, etc.): 5 Cisco AnyConnect Secure installation (Offline Mode) IMPORTANT NOTE: Right click on the “AnyConnectCustomSetup.exe” and Run as administrator: NOTE: if you are already using Cisco AnyConnect for your company's VPN service, please use “AnyConnectCustomSetup_v3-with-CISCO-VPN-ONLY.EXE”: Click on “Yes” when the User Account Control window is prompted: A new command prompt window will open and will silently install the necessary packets, it will take about 3 minutes: 6 When the setup process is completed the command prompt window will automatically close and the following popup will be shown. Click on “OK” button, a new window will open, you will be asked to reboot your laptop: After rebooting your PC, you can find the Cisco AnyConnect Secure Mobility Client in the start menu. The program will be available to run in the usual program list as shown below. Click on the shortcut to open application. Once clicked a new window will appear on the bottom-right corner of your screen. 7 Self-registration procedure The following procedure will guide you through the first registration to the network (only where NAC functionalities are enabled). If the windows user itself is not a local admin user, but the setup is launched with another admin credentials, then the certificate is installed under the certificate store of the local admin user. This is not the correct operating mode for installing certificates from the on-boarding procedure: Cisco suggest elevating your user credential to local admin, before proceeding with the setup of the Network Assistant. Turn on Wi-Fi connection. Connect to: • • CNHI-Onboarding if you are in CNH Industrial premises, or Onboarding-WiFi if you are in Iveco Group premises. Open your browser (i.e. Internet Explorer, Chrome) and digit a generic URL page (i.e. 1.1.1.1) on the ADDRESS BAR. You will be automatically redirected on the Cisco Client Provisioning Portal: 8 Insert your credentials (domain\userID and password), accept the agreement terms and conditions, then click “Sign On” button to connect: v Click on “Start” button: Insert the “Device Name” (your name and surname) and in the description field your laptop model (i.e. Dell, HP, ACER, etc.), then click on “Continue”. 9 Accept the file download named: NetworkSetupAssistant.exe and open it (the options that you can see depend on your browser): Click on “Run” button: When the administrative “User Account Control” window appears click on “Yes”: 10 Click on the “Start” button: When the Security Alert message appears, click on “Yes” button: Click on “Yes” button again: 11 Click on “Exit” button: Well done you have completed the self-registration procedure! 12 How can you connect to network? You are able now to connect to the network using Wireless or Wired cable (if NAC is available on wired). Every day, at the first connection, Cisco AnyConnect will perform some security compliance checks, i.e. if your anti-virus and anti-malware is updated. The scan takes about 10 seconds. The following pictures show the typical behaviour of the software that you can see clicking on the icon bar. Wireless connection Turn on Wi-Fi and connect to the: • CNHI-Consultant if you are in CNH Industrial premises, or • Consultant-WiFi if you are in Iveco Group premises. by selecting the certificate that shows your credentials and clicking on “OK” button: When you are connected, AnyConnect begins to scan the system: 13 Clicking on the icon bar, you can see the status of the scanning. Wait until the Cisco AnyConnect Secure Mobility Client completes the system scan (10 seconds). Your PC is compliant and allowed to access the corporate network! Ethernet cable connection (if available) Plug the Ethernet cable in your laptop. If a new window will appear on the left side of Cisco AnyConnect Secure Mobility Client, select your credentials from the drop-down menu, then click “OK” button. AnyConnect begins to scan the system: Clicking on the icon bar, you can see the status of the scanning. Wait until the Cisco AnyConnect Secure Mobility Client completes the system scan (10 seconds). 14 Once your laptop completed the scanning process, you will be able to access to the corporate network. If you get the not compliant message, please check your anti-virus status and make sure it is updated. 15 Temporal Agent: Setup Instructions for External Users 16 You should execute the temporal agent every day during connection to the corporate network. Turn on Wi-Fi, select: • • CNHI-Consultant if you are in CNH Industrial premises, or Consultant-WiFi if you are in Iveco Group premises, and insert your credentials (domain\userID and password), then click “OK” button to connect. Open your browser (i.e. Internet Explorer, Chrome) and open a generic URL page (i.e. 1.1.1.1). You will be automatically redirected on the Cisco Client Provisioning Portal, then click on “Start” to begin the process. Click on the first choice button: 17 Click here to download Cisco Temporal Agent: Run the downloaded application: Click on “Run” when the SmartScreen windows is prompted 18 When the Cisco Temporal Agent windows is prompted click on “Connect Anyway” button: You have now access to the corporate network and successfully completed the Cisco Temporal Agent profiling procedure. 19 If you get the not compliant message, please check your anti-virus status and make sure it is updated. 20 Frequently Asked Questions 21 FAQ Index Wired Connection ................................................................................................................................ 23 How to connect the client ........................................................................................................................... 23 How to choose the certificate ..................................................................................................................... 23 How to solve the “Authentication Failed” issue.......................................................................................... 23 How to setup external network adapter ..................................................................................................... 24 How to setup external “VCI” device ............................................................................................................ 25 How to restart AnyConnect ......................................................................................................................... 25 Wi-Fi Connection.................................................................................................................................. 26 How to connect the client ........................................................................................................................... 26 How to choose the certificate ..................................................................................................................... 26 General Recommendations .................................................................................................................. 28 How to deal with the Change Password...................................................................................................... 28 How to stop AnyConnect notices ................................................................................................................ 28 How to uninstall/reinstall AnyConnect software ........................................................................................ 29 22 Wired Connection How to connect the client Suggestion: wait to plug LAN cable until user login is completed, and shutdown the Wi-Fi connection How to choose the certificate Make sure to check the correct user certificate when connect the cable: The highlighted menu may provide different certificates based on laptop (Skype certificate, MS certificate and so on). The only certificate for AnyConnect is the one provided by Onboarding, and it can be shown in different views: • domain\user • domain\user@ • user@domain How to solve the “Authentication Failed” issue If the AnyConnect shows “Authentication Failed”, the reasons could be different: 1. If both connections (wired and wireless) don’t work, maybe the user account is locked out; wait for 15 minutes and continue to the next point. 2. Disconnect your cable and connect only to Wi-Fi network (“CNHI-Consultant” or “Consultant-WiFi”); if the authentication is successful, try reconnecting to the cable (by disabling Wi-Fi connection). If the problem persists, the issue might be the authentication 802.1x enabled on Ethernet connection. 23 Right click on Ethernet connection and uncheck “Enable 802.1x Authentication” under Authentication tab: In alternative, if you have administrative right you can stop the process “Wired AutoConfig” (ENG) or “Configurazione automatica reti cablate” (ITA) under “services.msc”, and reboot laptop. How to setup external network adapter If you use an external network adapter (connected to laptop via USB), you must be careful about the configuration of the Cisco AnyConnect NAM Driver: 24 How to setup external “VCI” device Connecting an external device with network adapter integrated (for example, VCI, EoL devices), a secondary virtual Ethernet card is created: in these cases Cisco AnyConnect NAM Driver should not be flagged on the virtual Ethernet card property. How to restart AnyConnect In case of any further issues, restart AnyConnect with “Network Repair” (right click on AnyConnect icon): 25 Wi-Fi Connection How to connect the client Suggestion: when you use Wi-Fi connection, be aware to not connect any LAN cable to your laptop. How to choose the certificate At the end of Onboarding procedure (see “Self-registration procedure”), you need to force CNHI-Consultant or Consultant-WiFi connection with your certificate. If for any reason the Wi-Fi connection doesn’t work anymore, please follow these steps: 1. Restart AnyConnect with “Network Repair” (right click on AnyConnect icon): 2. Forget the network from your laptop (right click on SSID network and forget it) 26 3. Shutdown Wi-Fi connection, wait a few seconds and try again to reconnect to CNHI-Consultant or Consultant-WiFi (in this way, you need to force the certificate twice again) 27 General Recommendations How to deal with the Change Password When your password is expired, you need to change it from ICT Self Care. After changing it, follow these steps to avoid the user account locked out: 1. Delete all credentials memorized in your pc: in cmd window digit rundll32.exe keymgr.dll, KRShowKeyMgr 2. Reboot the laptop; 3. Before opening any browser or applications (like Skype, Teams and so on), connect the laptop to the network (wired or Wi-Fi, indifferently); 4. If the AnyConnect Authentication is successful then you can continue normally; if not, you need to solve first the issue with the authentication (i.e. wait for 15 minutes) How to stop AnyConnect notices If the AnyConnect shows many popups during your connection, you can disable “Show Connection Notices” (right click on AnyConnect icon): 28 How to uninstall/reinstall AnyConnect software If you need to uninstall (and reinstall) the AnyConnect software from your laptop, this is the correct procedure: 1. Uninstall “Cisco AnyConnect Secure Mobility Client”: 2. Uninstall “Cisco AnyConnect Diagnostic and Reporting Tool”: 3. Delete the folder “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client” (you need first to enable hidden folders) 4. Delete the folder “C:\Users\xxx\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client” (you need first to enable hidden folders) 5. Reboot the laptop 6. Reinstall the software (see “Handbook - Cisco AnyConnect for external users”). 29
0
advertisement
Related documents
Download
advertisement
Add this document to collection(s)
You can add this document to your study collection(s)
Sign in Available only to authorized usersAdd this document to saved
You can add this document to your saved list
Sign in Available only to authorized users