Instructions for External Consultants to use Cisco AnyConnect

4 November, 2021
Version 3.0

Introduction

To enforce the protection of corporate networks, we are implementing a Network Access Control (NAC) infrastructure: a security solution which verifies the presence of an updated anti-virus on your PC. With the introduction of this new company tool, and to ensure normal use of the network connection, all external consultants who own a non-corporate PC must install the Cisco AnyConnect Secure software.

To download the software and read the setup instructions, please visit the ICT Self Care portal: a procedure will guide you through the first registration to the network and the software installation.

This installation requires administrative rights. If the Windows user is not a local admin user, and the setup is launched with another admin's credentials, the certificate is installed in the certificate store of that local admin user. This is not the correct operating mode for installing certificates from the on-boarding procedure: Cisco suggests elevating your own user credential to local admin before proceeding with the setup of the Network Assistant.

The goal of this guide is to help you solve the most common problems encountered when using the Cisco AnyConnect software on external user laptops. By following these instructions, you will be able to solve some problems on your own.

You don’t want to install Cisco AnyConnect Secure Agent: is it mandatory?

Yes, the use of the permanent agent AnyConnect Secure is mandatory if you want access to both the wired and wireless network.

As an alternative, if you don’t want to install Cisco AnyConnect, you can use a temporary executable file that runs once during connection and then uninstalls itself when the compliance processing is completed. It does not require admin privileges, but it grants limited access to the Wi-Fi network only (please refer to Temporal Agent: Setup Instructions for External Users).
You should execute the temporal agent every day at the first connection to the network. Although the temporal agent gives you limited access to the wireless network, it is strongly suggested to use the Cisco AnyConnect Secure agent.

If you need any further assistance, please contact the ICT Customer Service Desk.

TABLE OF CONTENTS

Introduction
Cisco AnyConnect Mobile Security: Setup Instructions for External Users
    How to get the AnyConnect client packet
    Cisco AnyConnect Secure installation (Offline Mode)
Temporal Agent: Setup Instructions for External Users
Frequently Asked Questions

Cisco AnyConnect Mobile Security: Setup Instructions for External Consultants

How to get the AnyConnect client packet

Go to the ICT Self Care portal, enter your credentials and click “Login”.

Once logged in, you will find the AnyConnect Secure Mobility packet in the “Utility Kit” section.

Select the link “Cisco-AnyConnect-NAC_FOR_EXTERNAL_USERS.zip” and extract the ZIP file into a temporary folder (e.g.
Desktop, Downloads folder, etc.).

Cisco AnyConnect Secure installation (Offline Mode)

IMPORTANT NOTE: Right click on “AnyConnectCustomSetup.exe” and select “Run as administrator”.

NOTE: if you are already using Cisco AnyConnect for your company's VPN service, please use “AnyConnectCustomSetup_v3-with-CISCO-VPN-ONLY.EXE”.

Click on “Yes” when the User Account Control window is prompted.

A new command prompt window will open and will silently install the necessary packages; this takes about 3 minutes.

When the setup process is completed, the command prompt window will automatically close and a popup will be shown. Click on the “OK” button; a new window will open and you will be asked to reboot your laptop.

After rebooting your PC, you can find the Cisco AnyConnect Secure Mobility Client in the Start menu. The program will be available to run in the usual program list. Click on the shortcut to open the application. Once clicked, a new window will appear in the bottom-right corner of your screen.

Self-registration procedure

The following procedure will guide you through the first registration to the network (only where NAC functionalities are enabled).

If the Windows user is not a local admin user, and the setup is launched with another admin's credentials, the certificate is installed in the certificate store of that local admin user. This is not the correct operating mode for installing certificates from the on-boarding procedure: Cisco suggests elevating your own user credential to local admin before proceeding with the setup of the Network Assistant.

Turn on the Wi-Fi connection. Connect to:
• CNHI-Onboarding if you are in CNH Industrial premises, or
• Onboarding-WiFi if you are in Iveco Group premises.

Open your browser (e.g. Internet Explorer, Chrome) and type a generic URL (e.g. 1.1.1.1) in the address bar.
You will be automatically redirected to the Cisco Client Provisioning Portal.

Insert your credentials (domain\userID and password), accept the agreement terms and conditions, then click the “Sign On” button to connect.

Click on the “Start” button.

Insert the “Device Name” (your name and surname) and, in the description field, your laptop model (e.g. Dell, HP, ACER, etc.), then click on “Continue”.

Accept the download of the file named NetworkSetupAssistant.exe and open it (the options that you see depend on your browser).

Click on the “Run” button.

When the administrative “User Account Control” window appears, click on “Yes”.

Click on the “Start” button.

When the Security Alert message appears, click on the “Yes” button.

Click on the “Yes” button again.

Click on the “Exit” button.

Well done, you have completed the self-registration procedure!

How can you connect to the network?

You are now able to connect to the network using wireless or a wired cable (if NAC is available on wired). Every day, at the first connection, Cisco AnyConnect will perform some security compliance checks, e.g. whether your anti-virus and anti-malware are updated. The scan takes about 10 seconds. You can see the typical behaviour of the software by clicking on the icon bar.

Wireless connection

Turn on Wi-Fi and connect to:
• CNHI-Consultant if you are in CNH Industrial premises, or
• Consultant-WiFi if you are in Iveco Group premises,
by selecting the certificate that shows your credentials and clicking on the “OK” button.

When you are connected, AnyConnect begins to scan the system.

By clicking on the icon bar, you can see the status of the scan. Wait until the Cisco AnyConnect Secure Mobility Client completes the system scan (10 seconds). Your PC is compliant and allowed to access the corporate network!

Ethernet cable connection (if available)

Plug the Ethernet cable into your laptop.
If a new window appears on the left side of the Cisco AnyConnect Secure Mobility Client, select your credentials from the drop-down menu, then click the “OK” button. AnyConnect begins to scan the system.

By clicking on the icon bar, you can see the status of the scan. Wait until the Cisco AnyConnect Secure Mobility Client completes the system scan (10 seconds).

Once your laptop has completed the scanning process, you will be able to access the corporate network.

If you get the not compliant message, please check your anti-virus status and make sure it is updated.

Temporal Agent: Setup Instructions for External Users

You should execute the temporal agent every day during connection to the corporate network.

Turn on Wi-Fi, select:
• CNHI-Consultant if you are in CNH Industrial premises, or
• Consultant-WiFi if you are in Iveco Group premises,
and insert your credentials (domain\userID and password), then click the “OK” button to connect.

Open your browser (e.g. Internet Explorer, Chrome) and open a generic URL (e.g. 1.1.1.1). You will be automatically redirected to the Cisco Client Provisioning Portal; click on “Start” to begin the process.

Click on the first choice button.

Click here to download Cisco Temporal Agent.

Run the downloaded application.

Click on “Run” when the SmartScreen window is prompted.

When the Cisco Temporal Agent window is prompted, click on the “Connect Anyway” button.

You now have access to the corporate network and have successfully completed the Cisco Temporal Agent profiling procedure.

If you get the not compliant message, please check your anti-virus status and make sure it is updated.

Frequently Asked Questions

FAQ Index

Wired Connection
    How to connect the client
    How to choose the certificate
    How to solve the “Authentication Failed” issue
    How to setup external network adapter
    How to setup external “VCI” device
    How to restart AnyConnect
Wi-Fi Connection
    How to connect the client
    How to choose the certificate
General Recommendations
    How to deal with the Change Password
    How to stop AnyConnect notices
    How to uninstall/reinstall AnyConnect software

Wired Connection

How to connect the client

Suggestion: wait to plug in the LAN cable until user login is completed, and turn off the Wi-Fi connection.

How to choose the certificate

Make sure to select the correct user certificate when you connect the cable. The menu may offer different certificates depending on the laptop (Skype certificate, MS certificate and so on). The only certificate for AnyConnect is the one provided by Onboarding, and it can be shown in different forms:
• domain\user
• domain\user@
• user@domain

How to solve the “Authentication Failed” issue

If AnyConnect shows “Authentication Failed”, there can be different reasons:
1. If both connections (wired and wireless) don’t work, the user account may be locked out; wait for 15 minutes and continue to the next point.
2. Disconnect your cable and connect only to the Wi-Fi network (“CNHI-Consultant” or “Consultant-WiFi”); if the authentication is successful, try reconnecting the cable (after disabling the Wi-Fi connection). If the problem persists, the issue might be the 802.1x authentication enabled on the Ethernet connection.

Right click on the Ethernet connection and uncheck “Enable 802.1x Authentication” under the Authentication tab.

Alternatively, if you have administrative rights, you can stop the service “Wired AutoConfig” (ENG) or “Configurazione automatica reti cablate” (ITA) under “services.msc”, and reboot the laptop.

How to setup external network adapter

If you use an external network adapter (connected to the laptop via USB), you must be careful about the configuration of the Cisco AnyConnect NAM Driver.

How to setup external “VCI” device

When you connect an external device with an integrated network adapter (for example, VCI, EoL devices), a secondary virtual Ethernet card is created: in these cases the Cisco AnyConnect NAM Driver should not be flagged in the virtual Ethernet card properties.

How to restart AnyConnect

In case of any further issues, restart AnyConnect with “Network Repair” (right click on the AnyConnect icon).

Wi-Fi Connection

How to connect the client

Suggestion: when you use the Wi-Fi connection, make sure no LAN cable is connected to your laptop.

How to choose the certificate

At the end of the Onboarding procedure (see “Self-registration procedure”), you need to force the CNHI-Consultant or Consultant-WiFi connection with your certificate.

If for any reason the Wi-Fi connection doesn’t work anymore, please follow these steps:
1. Restart AnyConnect with “Network Repair” (right click on the AnyConnect icon).
2. Forget the network on your laptop (right click on the network SSID and forget it).
3. Turn off the Wi-Fi connection, wait a few seconds and try again to reconnect to CNHI-Consultant or Consultant-WiFi (in this case, you need to force the certificate twice again).

General Recommendations

How to deal with the Change Password

When your password has expired, you need to change it from ICT Self Care. After changing it, follow these steps to avoid the user account being locked out:
1. Delete all credentials stored on your PC: in a cmd window, type rundll32.exe keymgr.dll, KRShowKeyMgr
2. Reboot the laptop.
3. Before opening any browser or application (like Skype, Teams and so on), connect the laptop to the network (wired or Wi-Fi, either one).
4. If the AnyConnect authentication is successful, you can continue normally; if not, you first need to solve the authentication issue (e.g. wait for 15 minutes).

How to stop AnyConnect notices

If AnyConnect shows many popups during your connection, you can disable “Show Connection Notices” (right click on the AnyConnect icon).

How to uninstall/reinstall AnyConnect software

If you need to uninstall (and reinstall) the AnyConnect software from your laptop, this is the correct procedure:
1. Uninstall “Cisco AnyConnect Secure Mobility Client”.
2.
Uninstall “Cisco AnyConnect Diagnostic and Reporting Tool”.
3. Delete the folder “C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client” (you first need to enable hidden folders).
4. Delete the folder “C:\Users\xxx\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client” (you first need to enable hidden folders).
5. Reboot the laptop.
6. Reinstall the software (see “Handbook - Cisco AnyConnect for external users”).
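
Several of the problems described in this handbook (the certificate landing in another admin's store, the Wired AutoConfig service interfering with 802.1x, folders left behind after an uninstall) can be checked read-only from PowerShell. The script below is an added example, not part of the original handbook or of any Cisco tooling. Its function names are hypothetical, and it assumes 64-bit Windows and that %LOCALAPPDATA% corresponds to the C:\Users\xxx\AppData\Local path above.

```powershell
# Added example, not part of the handbook: read-only checks, run as the everyday Windows user.

function Test-DirectLocalAdmin {
    # True if the logged-in account is a DIRECT member of the built-in Administrators
    # group (well-known SID S-1-5-32-544). Nested domain-group membership is not resolved.
    $me = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue
    [bool]($members | Where-Object { $_.SID.Value -eq $me })
}

function Get-UserCertificateCandidate {
    # Certificates with a private key in the CURRENT user's personal store. If setup ran
    # under another admin account, the onboarding certificate will be missing from this list.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint,
            @{ Name = 'ClientAuth'; Expression = { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid } },
            @{ Name = 'Expired';    Expression = { $_.NotAfter -lt (Get-Date) } }
}

function Get-WiredAutoConfigState {
    # "Wired AutoConfig" (service name dot3svc) is the Windows service the FAQ suggests stopping.
    Get-Service -Name dot3svc -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

function Get-AnyConnectLeftover {
    # Folders the uninstall procedure says to delete; any path returned here still exists.
    $suffix = 'Cisco\Cisco AnyConnect Secure Mobility Client'
    @(
        Join-Path ${env:ProgramFiles(x86)} $suffix
        Join-Path $env:LOCALAPPDATA $suffix      # stands in for C:\Users\xxx\AppData\Local
    ) | Where-Object { Test-Path -LiteralPath $_ }
}

'Direct local admin : {0}' -f (Test-DirectLocalAdmin)
'Certificates in Cert:\CurrentUser\My with a private key:'
Get-UserCertificateCandidate | Format-Table -AutoSize
'Wired AutoConfig service:'
Get-WiredAutoConfigState | Format-List
'Leftover AnyConnect folders:'
Get-AnyConnectLeftover
```

If the certificate list shows no entry whose Subject matches one of the domain\user forms listed in the FAQ, the onboarding certificate was most likely installed under a different account's store.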