topic Re: Anyconnect NAM EAPoL logoff messages in Network Access Control

Anyconnect NAM EAPoL logoff messages

tommy182 — Fri, 24 Aug 2018 10:49:41 GMT

Hello Friends!

We implemented dot1x in our test environment with Anyconnect NAM 4.6 as a supplicant.

But I don`t understand why NAM doesn`t send EAPoL logoff messages when the user logging off the system.

NAM just doing nothing. And technically machine staying with previous authorization profile until someone loging in(in this moment NAM initiate new EAP session)

Is there some configuration regard this feature that I need to enble for EAPoL logoff?

Does EAPoL logoff not requred anymore?

Tom.

Re: Anyconnect NAM EAPoL logoff messages

RichardAtkin — Fri, 24 Aug 2018 11:07:30 GMT

Probably one for TAC?..

Re: Anyconnect NAM EAPoL logoff messages

paul — Fri, 24 Aug 2018 11:50:44 GMT

Are you sure you don't have the "Extend User connection beyond log off" option checked under User Auth in your NAM profile? If you do then what you are seeing is the expected behavior.

Re: Anyconnect NAM EAPoL logoff messages

tommy182 — Fri, 24 Aug 2018 13:32:56 GMT

Hi Paul,

Yep, I`ve already uncheked this option in profile..

I tryed to reinstall nam, clear register etc.

For some reason it doesn`t work, anyconnect or PC doesn`t send eap logoff to switch((

But it nessesary for me, I need to refresh User-Role in switch cache..(it refreshes when eap logoff comes up)

My test PC on win7x64, maybe there is some bug..

Thanks,

Tom

Re: Anyconnect NAM EAPoL logoff messages

paul — Fri, 24 Aug 2018 13:40:33 GMT

Do you have a computer based option setup in your NAM profile? For example, I usually would set it up for Computer certificates or User certificates. When the user logs off there should be a fresh authentication with the computer cert.

Re: Anyconnect NAM EAPoL logoff messages

tommy182 — Fri, 24 Aug 2018 14:26:44 GMT

Thanks Paul,

I`m really missed machine auth parameters(no cert or static pass), I just put dummy password for static machine auth.

So it helped in some way) When user is doing logoff anyconnect is starting machine authentication(with dummy password).

But it`s still not sending eapol logoff message at this moment. In switch access-session cache doesn`t refresh((

Maybe eapol logoff it`s some kind of deprecated feature on anyconnect and we need to utilize machine auth only..

Now it works like workaround, I can now send new User-role in authz profile when PC initiate machine authentication after user logoff.

But It would be great if there will be no need to invoke ISE to just refresh cached attributes under acces-session.

Thanks,

Tom

Re: Anyconnect NAM EAPoL logoff messages

tommy182 — Fri, 24 Aug 2018 16:22:58 GMT

So, I was doing some testing.

I found that anyconnect sends EAPoL Logoff when we use only User authentication without Machine in nam-profile.

In fact it use eapol logoff when there is no methods left to authenticate endpoint.

But accordingly to guide Deploying ISE for Wired Network Access switch needs to get eapol-logoff for access-session cache clearing.(or reboot :))

In guide we can see

Role Based Critical Authorization
One of the many advantages of using IBNS 2.0 is that it can handle failure scenarios efficiently. With a few additional tweaks to
the previously configured IBNS 2.0 configuration, endpoints that have been authorized previously by ISE can be given the same
level of network access even when the server is not reachable next time. The idea is to grant role-based access during critical
condition, instead of applying a common critical authorization.

NOTE !!!

The access-session cache is cleared either when switch reloads or the endpoint does EAPOL-Logoff.
EAPOL-Logoff typically happens in most of the operating systems when user logs off the
system.

But I found another problem))

Looks like there is some bug on 16.9.1 version, even if supplicant sends EAPoL-logoff the switch doesn`t refresh access-session cache and RoleBased critical auth can be security vulnerability.

But it for TAC I think))

Thanks,

Tom