topic Re: AnyConnect in Network Access Control

AnyConnect

guy.zwerdling — Mon, 29 Aug 2016 17:14:48 GMT

Hi guys

I have AnyConnect on some PC in my lab and I setup new wired network named "test" with 802.1x EAP-FAST with using password for authentication,

If I try to connect using "test" network it doesn't asks for the username and password, and it just

Did I missed something? that I need to configure?

The service Wired AutoConfig in disable state.

Re: AnyConnect

howon — Mon, 29 Aug 2016 17:26:50 GMT

Guy, I will need more information about the issue to provide better answer. But for the supplicant like AC NAM to present login window, there needs to be a switch that is enabled with 802.1x on the interface. Have you configured that part already?

Re: AnyConnect

guy.zwerdling — Mon, 29 Aug 2016 18:01:31 GMT

Hi howon

The interface configure as follow:

interface FastEthernet2/0/7

switchport mode access

authentication host-mode multi-auth

authentication open

authentication order mab dot1x

authentication priority dot1x mab

authentication port-control auto

authentication periodic

authentication timer reauthenticate server

mab

dot1x pae authenticator

dot1x timeout tx-period 10

spanning-tree portfast

Re: AnyConnect

howon — Mon, 29 Aug 2016 18:24:36 GMT

OK, interface configuration looks good. Was this working before possibly with native supplicant? Are you seeing any events on the switch regarding the authentication requests?

Re: AnyConnect

guy.zwerdling — Tue, 30 Aug 2016 03:22:07 GMT

With native supplicate it work great!

I restart the PC and the switch and now the AnyConnect prompt me the username and password and I typed the user "bob" but on the switch I see (in debug radius) that the username is "anonymous"...

Re: AnyConnect

howon — Tue, 30 Aug 2016 03:36:20 GMT

OK, so it looks like you are getting prompted now. What you are seeing is expected for tunneled EAP methods such as PEAP, EAP-TTLS, and EAP-FAST. It is typical for supplicant to use anonymous for outer identity and use real username for internal identity. Now that the supplicant and the switch looks to be working, what do you see on the ISE live log?

Re: AnyConnect

guy.zwerdling — Tue, 30 Aug 2016 08:46:26 GMT

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

15049 Evaluating Policy Group

15008 Evaluating Service Selection Policy

15048 Queried PIP

15004 Matched rule

11507 Extracted EAP-Response/Identity

12500 Prepared EAP-Request proposing EAP-TLS with challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12101 Extracted EAP-Response/NAK requesting to use EAP-FAST instead

12100 Prepared EAP-Request proposing EAP-FAST with challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated

12800 Extracted first TLS record; TLS handshake started

12805 Extracted TLS ClientHello message

12806 Prepared TLS ServerHello message

12807 Prepared TLS Certificate message

12810 Prepared TLS ServerDone message

12105 Prepared EAP-Request with another EAP-FAST challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12104 Extracted EAP-Response containing EAP-FAST challenge-response

12105 Prepared EAP-Request with another EAP-FAST challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12104 Extracted EAP-Response containing EAP-FAST challenge-response

12105 Prepared EAP-Request with another EAP-FAST challenge

11006 Returned RADIUS Access-Challenge

11001 Received RADIUS Access-Request

11018 RADIUS is re-using an existing session

12104 Extracted EAP-Response containing EAP-FAST challenge-response

12815 Extracted TLS Alert message

12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate

11504 Prepared EAP-Failure

11003 Returned RADIUS Access-Reject

5434 Endpoint conducted several failed authentications of the same scenario

Re: AnyConnect

howon — Tue, 30 Aug 2016 15:43:06 GMT

According to your log, the client is rejecting the ISE certificate. Have you installed ISE server certificate to the AC NAM? Other option is to trust any Root CA for the purpose of testing. Please see AnyConnect guide for more information:

Configure Trusted Server Validation Rules

When the Validate Server Identity option is configured for the EAP method, the Certificate panel is enabled to allow you to configure validation rules for certificate server or authority. The outcome of the validation determines whether the certificate server or the authority is trusted.

To define certificate server validation rules, follow these steps:

Procedure

Step 1

When the optional settings appear for the Certificate Field and the Match columns, click the drop-down arrows and select the desired settings.

Step 2

Enter a value in the Value field.

Step 3

Under Rule, click Add.

Step 4

In the Certificate Trusted Authority pane, choose one of the following options:

Trust Any Root Certificate Authority (CA) Installed on the OS—If chosen, only the local machine or certificate stores are considered for the server’s certificate chain validation.

Include Root Certificate Authority (CA) Certificates.

Note

If you choose Include Root Certificate Authority (CA) Certificates, you must click Add to import the CA certificate into the configuration. If the certificate being used is being exported from the Windows certificate store, use the "Base 64 encoded X.509 (.cer)" option.

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.2 - Configure Network Access Manager [Cisco AnyC…

Re: AnyConnect

guy.zwerdling — Wed, 31 Aug 2016 15:18:48 GMT

Hi howon,

The AnyConnect doesn't prompt me the "trust certification" message, and I see the access reject on my swicth:

What I need to do to force him to prompt this message?

my live log:

Re: AnyConnect

howon — Wed, 31 Aug 2016 20:27:53 GMT

Guy, since you are manually configuring the access profile for the user, you need to follow the instructions in the previous post to add the certificate or make AC-NAM bypass the certificate verification.

Re: AnyConnect

lissacoffey — Wed, 07 Jun 2017 07:37:42 GMT

yes, it work great with naive supplicates, It is typical for applicant to use anonymous for outer identity and use real username for internal identity.