<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic EAP-FAST unprotected identity in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598152#M536584</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi community!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was wondering, I'm using EAP-FAST with the unprotected identity as anonymous, but I see that there are many failed authentications with this user in every authentication.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="anonymous.jpg" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/103475_anonymous.jpg" style="height: 168px; width: 620px;" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Reading the documentation, it says that I need to append the domain in the NAM config file, but I don't see the benefit of this. In this config file I'm not validating server identity.&lt;/P&gt;&lt;P&gt;The thing is that I believe it's failing because the PAC expired, but then when the user logs in to Windows the auth succeeds. I do have some cases where this is not working and anonymous always fails.&lt;/P&gt;&lt;P&gt;Is this normal behaviour? Do I have to create an account named anonymous in AD?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 05 Jan 2017 15:50:59 GMT</pubDate>
    <dc:creator>ahurtadove</dc:creator>
    <dc:date>2017-01-05T15:50:59Z</dc:date>
    <item>
      <title>EAP-FAST unprotected identity</title>
      <link>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598152#M536584</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi community!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was wondering, I'm using EAP-FAST with the unprotected identity as anonymous, but I see that there are many failed authentications with this user in every authentication.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="anonymous.jpg" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/103475_anonymous.jpg" style="height: 168px; width: 620px;" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Reading the documentation, it says that I need to append the domain in the NAM config file, but I don't see the benefit of this. In this config file I'm not validating server identity.&lt;/P&gt;&lt;P&gt;The thing is that I believe it's failing because the PAC expired, but then when the user logs in to Windows the auth succeeds. I do have some cases where this is not working and anonymous always fails.&lt;/P&gt;&lt;P&gt;Is this normal behaviour? Do I have to create an account named anonymous in AD?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Jan 2017 15:50:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598152#M536584</guid>
      <dc:creator>ahurtadove</dc:creator>
      <dc:date>2017-01-05T15:50:59Z</dc:date>
    </item>
    <item>
      <title>Re: EAP-FAST unprotected identity</title>
      <link>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598153#M536585</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Antonio,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;EAP-FAST uses anonymous as the outer identity. AFAIK this can be configured via the AnyConnect NAM profile editor.&lt;/P&gt;&lt;P&gt;In the ISE authentication policy, you have conditions that include the NAS-Port-Type: Ethernet and Service-Type: Framed attributes. Usually this is enough for dot1x. Please look at the NAM logs from Windows logging to see what NAM is sending as the outer and inner identity.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Finally, please check in your NAM profile whether service identity is configured. TLS happens within EAP-FAST, as you might know.&lt;/P&gt;&lt;P&gt;Also check that the right inner protocol is selected in the ISE UI under Policy --&amp;gt; Policy Elements --&amp;gt; Results --&amp;gt; Allowed Protocols.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope it helps.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Krishnan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 05 Jan 2017 18:50:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598153#M536585</guid>
      <dc:creator>kthiruve</dc:creator>
      <dc:date>2017-01-05T18:50:23Z</dc:date>
    </item>
    <item>
      <title>Re: EAP-FAST unprotected identity</title>
      <link>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598154#M536586</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you Krishnan, but I believe I did not explain myself clearly.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I do have an outer identity configured and I know where to configure it. The thing that I don't understand is that "anonymous" is always a failed authentication, as I don't have this user configured in any external or internal identity source. The outer identity is sent in clear text and I don't want to replace anonymous with [username], because I believe it will expose the password.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So I wanted to know whether this (anonymous failed auth) was normal behaviour or not. Also, because on many devices I cannot see a domain computer authentication when the user logs off Windows, I wanted to know if this was related in any way.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 06 Jan 2017 12:58:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598154#M536586</guid>
      <dc:creator>ahurtadove</dc:creator>
      <dc:date>2017-01-06T12:58:59Z</dc:date>
    </item>
    <item>
      <title>Re: EAP-FAST unprotected identity</title>
      <link>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598155#M536587</link>
<description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Yes, you are correct. You don't want to expose the credential. To circumvent this, you can configure host/anonymous to be part of the authentication policy condition using RADIUS IETF attributes; that will take care of it.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;-Krishnan&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 06 Jan 2017 17:41:18 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3598155#M536587</guid>
      <dc:creator>kthiruve</dc:creator>
      <dc:date>2017-01-06T17:41:18Z</dc:date>
    </item>
    <item>
      <title>Re: EAP-FAST unprotected identity</title>
      <link>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3682332#M536588</link>
<description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We also have this issue: ISE tried to authenticate the outer identity instead of the inner one.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We also have something weird: when an authentication has failed once, sometimes AnyConnect or the switch keeps the result of this authentication in cache, and when we clear the authentication on the switch, the dot1x authentication fails instantly (the switch doesn't send a RADIUS authentication request).&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Any idea about that?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Mon, 06 Aug 2018 16:40:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/eap-fast-unprotected-identity/m-p/3682332#M536588</guid>
      <dc:creator>Elbrabra</dc:creator>
      <dc:date>2018-08-06T16:40:28Z</dc:date>
    </item>
  </channel>
</rss>