topic Re: AnyConnect NAM + RSA + Posture in Network Access Control

AnyConnect NAM + RSA + Posture

sampathss — Fri, 16 Feb 2018 18:54:23 GMT

Hello,

One of my customer is using NAM + RSA(EAP Chaining) + Posture.

We tested and it was working like the following earlier:

1) User connects machine to the network

2) User enters username and passcode(RSA) in NAM

3) Posture starts and at 96%, CoA happens and once done, it prompts for passcode again and do the posture again, completes and compliant. I guess it's doing full auth and not silent re-auth

I believe this is the known behavior.

But recently, the behavior changed and the second time where it asks for passcode after CoA, now it asks for both username and passcode, then it does posture and compliant.

Any idea what might be triggering it to ask for the username again?

Re: AnyConnect NAM + RSA + Posture

kthiruve — Fri, 16 Feb 2018 19:41:47 GMT

Hey Sampath,

What version of Anyconnect are you using and RSA version as well.

I have reached out SME for Anyconnect, Paul Carco to answer this.

Thanks

Krishnan

Re: AnyConnect NAM + RSA + Posture

sampathss — Fri, 16 Feb 2018 19:48:44 GMT

Hey Krishnan,

AnyConnect Version is 4.4.04030. Reached out to the customer to find out about the RSA Version. Will let you know.

Thank you.

Re: AnyConnect NAM + RSA + Posture

sampathss — Fri, 16 Feb 2018 20:33:55 GMT

Hey Krishnan,

RSA version is 7.3.3.103

Thanks

Sampath

Re: AnyConnect NAM + RSA + Posture

hslai — Sun, 18 Feb 2018 02:50:13 GMT

Anything in particular (NAM profile or versions of AnyConnect or RSA or ISE or NAD) changed recently? I would suggest to engage Cisco TAC and submit a copy of the DART file to TAC.

Re: AnyConnect NAM + RSA + Posture

sampathss — Mon, 19 Feb 2018 15:02:01 GMT

Hi Hsing,

Nothing changed recently. I will engage TAC as well.

With respect to the endpoint behavior, the above mentioned steps(Step 1 to Step 3) sounds right?

Thanks

Sampath

Re: AnyConnect NAM + RSA + Posture

hslai — Mon, 19 Feb 2018 17:06:29 GMT

The steps look fine. You are correct it expected because of OTP. ISE 2.3 has a passcode caching option that you might want to try.

Re: AnyConnect NAM + RSA + Posture

sampathss — Mon, 19 Feb 2018 17:11:39 GMT

Hsing,

This is available in ISE 2.2. I already tried this and no help out of it.

I understand it asks for passcode the second time because of OTP, but why ask for the the username again? It was not the case earlier when tested and it use to prompt only for the passcode the second time. Could it be NAM not caching the username?

Thanks

Sampath

Re: AnyConnect NAM + RSA + Posture

sampathss — Wed, 28 Feb 2018 16:19:10 GMT

Any update on this?