Automated AnyConnect NAM Installation with Profile Conversion via Batch File Script

Introduction

This document describes in detail the steps required to install the Cisco Anyconnect NAM agent with the profiles conversion via batch file(.bat). The batch file can then be executed locally on the system or remotely to all the machines through the SCCM server in a large scale deployment. Cisco ISE can provision this software but it requires end user's interaction and installation privileges.

Usage of Batch file script serves several benefits :

• All the wireless Profile conversion.
• VPN Module can be disabled if it is not desired.
• Reduce the manual implementation time and cost by executing the batch file and installing the AnyConnect modules all at once.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Windows Operating System. Network Access Manager is not supported on Mac OS X or Linux. 
• The system should have minimum storage of 50 MB for the AnyConnect packages.
• The WLAN service (WLAN AutoConfig) must be running in the systems.

Note: Conversion is not done if a Network Access Manager XML configuration file already exists (userConfiguration.xml).

Components Used

The information in this document is based on these software and hardware versions:

• Windows 7
• AnyConnect 4.6.0.3.049

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

1. The entire Cisco Anyconnect package should be downloaded from the Cisco site and extracted. The required msi files and configuration.xml file should be present in the location from where the batch file is executed.

      These files have to be copied in the location C:\cisco  :

      anyconnect-win-4.6.03049-core-vpn-predeploy-k9.msi

      anyconnect-win-4.6.03049-nam-predeploy-k9.msi

      configuration.xml

   2. The Network Access Manager module can be configured to convert some existing Windows 7 or later wireless profiles to the Network Access Manager profile format when the module is installed on the client system for the first time. Infrastructure networks that match these criteria that can be converted:

• Open

• Static WEP

• WPA/WPA2 Personal

• Only non-GPO native Wi-Fi user network profiles are converted.
  
  

  Note: For WPA2 Enterprise profiles, a profile with the same name must be created through Network Access Manager Profile Editor in the configuration.xml file

  3.  The system is restarted after the installation and this should be notified to the users already.

Configure

Creation of Batch file

In this document, the assumed location of the Anyconnect msi, configuration.xml files is C:\cisco. These commands or the batch file with these commands must be executed from the same location.

• cd C:\cisco

Installation of the core VPN module is required for the NAM module to be installed. This command installs the core VPN module and hides the VPN module tile.

• msiexec /package anyconnect-win-4.6.04054-core-vpn-predeploy-k9.msi /norestart /passive PRE_DEPLOY_DISABLE_VPN=1  

A timeout is required for the installation of the module to complete. This command induces a timeout of 15 minutes.

• timeout /t 15  

This command installs the NAM module with profile conversion enabled.

• msiexec /i anyconnect-win-4.6.04054-nam-predeploy-k9.msi PROFILE_CONVERSION=1 /norestart /passive

A timeout is required for the installation of the module to complete. This command induces a timeout of 15 minutes.

• timeout /t 15

This command copies the configuration.xml profile which is created with the NAM Profile editor, to the required location.

• xcopy configuration.xml C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigFiles

This command indicates that the required installation and conversion is complete and notifies that a reboot is initiated in 2 minutes.

• echo "Your machine will reboot in 2 minutes. Please save your work" 

This command initiates a restart the Windows Operating System in 2 minutes

• shutdown -r -t 120

Note: All these commands or the batch file with these commands must be executed with administrative privileges and in the same order.

Anyconnect User-End Procedure

1. Once the Anyconnect agent is installed on the machine when the machine restarts, the Anyconnect icon pops up and the user is connected to preferred SSID in the list.

2.  One can connect to other SSIDs from the drop-down menu provided in the AnyConnect NAM Module UI.

3. In order to view the saved networks, click on the list icon provided in the NAM module UI and then click Manage Networks, as shown in the image.

4. Connections to any network provided by the adapters managed by the AnyConnect NAM module must be made from AnyConnect NAM.

Example: In order to connect to a new wifi connection Mnason-mob-new, select the network, a pop-up screen is thrown for the key. Enter the wifi password in the Key field to connect to the new network.

Additional Information

Native Supplicant tray icon may confuse the users to connect to a network as NAM must be used and not the Native Supplicant. These changes can be made to the Windows registry to hide the network connectivity tray icon:

1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
2. Edit the value of the REG_DWORD named HideSCANetwork to 1 (hexadecimal) if present or create one if it is not present.
3. Restart the system.

Note: This change to the registry was tested with Windows 7 and Windows 10.

Verify

Use this section to confirm that your configuration works properly.

After the changes to the registry and the reboot, the network connectivity tray should be hidden.