https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594889#M517317 <HTML><HEAD></HEAD><BODY><P>I usually don't do EAP chaining, but you should be able to setup a secondary wired profile that just does EAP-TLS Computer authentication.&nbsp; If I am doing certificate authentication, I don't do EAP chaining and setup 3 NAM wired profiles:</P><P></P><P>Priority #1- User or Computer EAP-TLS</P><P>Priority #2- Computer EAP-TLS</P><P>Priority #3- no authentication</P><P></P><P>Priority #2 is there to handle the issue you are seeing, i.e. first time user logon to a machine and the user certificate hasn't autoenrolled yet.</P></BODY></HTML> Fri, 13 Apr 2018 15:55:56 GMT paul 2018-04-13T15:55:56Z https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594888#M517314 <HTML><HEAD></HEAD><BODY><P>Hi Team,</P><P></P><P>I am deploying ISE 2.2 patch 6in production at one my customers and having a query regarding monitor mode and eap chaining.</P><P></P><P>Components used:</P><P>ISE 2.2 P6</P><P>AnyConnect NAM 4.5.x</P><P>Dot1x Authentication - user and machine certificate authentication</P><P>Switch Deployment - Monitor mode</P><P></P><P>EAP Chaining (certificate authentication) is working fine with following scenarios:</P><UL><LI><STRONG style="text-decoration: underline;">user and machine both succeeded</STRONG>: observed the expected behavior as per the policies configured in ISE.</LI><LI><STRONG style="text-decoration: underline;">user succeeded and machine failed</STRONG>: Machine certificate is not present on endpoint, only user certificate is present. However in this scenario the endpoint is getting access as per ISE policies.</LI></UL><P></P><P>But EAP chaining (certificate authentication) is not working with following scenario:</P><UL><LI><SPAN style="text-decoration: underline;"><STRONG>user failed and machine succeeded</STRONG></SPAN>: In this scenario user certificate is not present in this endpoint. AnyConnect NAM is popping up a dialogue for selecting a user certificate, we are not able to select anything as there is no user certificate present on endpoint and hence we are not getting network access, even if switch port is in authentication open mode</LI></UL><P></P><P>Please let me know if this is the expected behavior of AnyConnect NAM.</P><P></P><P>Thanks in advance!</P><P></P><P>regards,</P><P>Sadashiv</P></BODY></HTML> Fri, 13 Apr 2018 10:49:56 GMT https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594888#M517314 sadashivpalde 2018-04-13T10:49:56Z https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594889#M517317 <HTML><HEAD></HEAD><BODY><P>I usually don't do EAP chaining, but you should be able to setup a secondary wired profile that just does EAP-TLS Computer authentication.&nbsp; If I am doing certificate authentication, I don't do EAP chaining and setup 3 NAM wired profiles:</P><P></P><P>Priority #1- User or Computer EAP-TLS</P><P>Priority #2- Computer EAP-TLS</P><P>Priority #3- no authentication</P><P></P><P>Priority #2 is there to handle the issue you are seeing, i.e. first time user logon to a machine and the user certificate hasn't autoenrolled yet.</P></BODY></HTML> Fri, 13 Apr 2018 15:55:56 GMT https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594889#M517317 paul 2018-04-13T15:55:56Z https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594890#M517320 <HTML><HEAD></HEAD><BODY><P>Hi Paul,</P><P></P><P>Thanks for your reply and workaround.</P><P></P><P>However, this workaround would not be feasible in our case. My original query is related to behavior of NAM if user certificate is not present on endpoint and switch is configured in authentication open mode.</P><P>From the test results, it looks like endpoint / user doesn't get network access if user certificate is not present.</P><P></P><P>Is this the expected behavior if we are using NAM??</P></BODY></HTML> Wed, 18 Apr 2018 05:40:55 GMT https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594890#M517320 sadashivpalde 2018-04-18T05:40:55Z https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594891#M517323 <HTML><HEAD></HEAD><BODY><P>Hi Sadashiv,</P><P></P><P>This is expected behavior for NAM.&nbsp; If NAM cannot find a credential, username/password, or certificate we will prompt the user for this credential.&nbsp; When no credential is provide we will not respond to the request from ISE and the connection will timeout.&nbsp; In you case ISE is probably reporting Endpoint abandoned EAP session....&nbsp; </P><P></P><P>You may be able to use the port exception policy in NAM to help get around this.&nbsp;&nbsp; I am not sure in this case if ISE is sending an authentication failure.&nbsp; If it is you could allow access in NM after a failed auth, or you can also allow before any authentication is performed.&nbsp; </P><P></P><P>Hope this helps,</P><P>Steve S.</P></BODY></HTML> Wed, 18 Apr 2018 15:04:36 GMT https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594891#M517323 stsargen 2018-04-18T15:04:36Z https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594892#M517325 <HTML><HEAD></HEAD><BODY><P>Hi Steven,</P><P></P><P>Thanks for your inputs and we also has the same observartion.</P><P></P><P>So one more query comes in my mind is, if user certificate is present and machine certificate is not present i.e, User Succeeded and Machine failed then the endpoint gets the network access in our scenario.</P><P></P><P>Does this mean that NAM checks user credentials before the machine credentials?? </P><P></P><P>Thanks in advance!!</P></BODY></HTML> Thu, 19 Apr 2018 06:05:55 GMT https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594892#M517325 sadashivpalde 2018-04-19T06:05:55Z https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594893#M517326 <HTML><HEAD></HEAD><BODY><P>Hi Sadashiv,</P><P></P><P>NAM will provide credentials in the order that they are requested by ISE.&nbsp; Is ISE actually hitting a user pass machine failed policy, or user only policy.&nbsp; This would explain why you have access.</P><P></P><P></P><P>Thanks,</P><P>Steve S.</P></BODY></HTML> Thu, 19 Apr 2018 13:49:56 GMT https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594893#M517326 stsargen 2018-04-19T13:49:56Z https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594894#M517328 <HTML><HEAD></HEAD><BODY><P>I assume you followed the instructions in <A href="https://community.cisco.com/docs/DOC-68163">How To: Deploy EAP Chaining with AnyConnect NAM and ISE</A> ?</P></BODY></HTML> Thu, 19 Apr 2018 21:04:42 GMT https://community.cisco.com/t5/network-access-control/authentication-open-on-switch-vs-eap-chaining-with-user-and/m-p/3594894#M517328 thomas 2018-04-19T21:04:42Z