topic Re: AnyConnect NAM Machine Authentication in Network Access Control

AnyConnect NAM Machine Authentication

wileong — Thu, 11 Aug 2016 11:54:53 GMT

Hi there,

I am testing ISE 2.1 with AC 4.3.1095 for Windows Machine authentication using certificate.

EAP method is EAP-FAST with EAP-TLS as inner method.

Authentication failed with error "5440 Endpoint abandoned EAP session and started new."

I have also tested User auth with the same AC profile as machine and it works. Certificate can be detected by AC and I am seeing hostname is corrected identified with CN.

Any idea?

Thanks

Wing Churn

Re: AnyConnect NAM Machine Authentication

Dustin Anderson — Fri, 12 Aug 2016 15:29:44 GMT

We use 802.1x authentication and I use EAP-Chaining to do the machine/user authentication. Here is a doc, but a little different for ISE 2.1 (I also use ISE 2.1)

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pd…

If this is what you are trying to do, I can try to show some of my settings if it helps.

Re: AnyConnect NAM Machine Authentication

wileong — Fri, 12 Aug 2016 15:36:53 GMT

I was referring to the same document and it works for "password" inner method Machine Auth. What I am trying to achieve here is Certificate as inner method.

Are you using certificate in your lab?

Thanks

Re: AnyConnect NAM Machine Authentication

Dustin Anderson — Fri, 12 Aug 2016 15:43:08 GMT

For inner method we use EAP-MSCHAPv2 since the users log in.

What we do is machine joins and sits on a restricted network, then when the user logs in it re-checks and send them to whatever network they are assigned/have permissions to.

So your users join with a cert?

Re: AnyConnect NAM Machine Authentication

wileong — Fri, 12 Aug 2016 15:48:01 GMT

I am trying certificate for either Machine and User.

User Certificate works too but my customer is looking at Machine auth using certificate.

Re: AnyConnect NAM Machine Authentication

Dustin Anderson — Fri, 12 Aug 2016 16:01:58 GMT

windows 8, 8.1, or 10?

There is an issue that windows will not pass the cert unencrypted to AnyConnect. Usually you will see in the failure bad credentials. This is fixed be adding the below reg key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"LsaAllowReturningUnencryptedSecrets"=dword:00000001

As for Machine/user cert login, I have not done it, so not sure if it's much different from password.

Re: AnyConnect NAM Machine Authentication

hslai — Sat, 13 Aug 2016 02:26:18 GMT

Does it work if EAP-TLS auth by itself but not as an inner method of EAP-FAST? What are the auth protocol settings for the matched authentication policy?

Re: AnyConnect NAM Machine Authentication

wileong — Sat, 13 Aug 2016 02:38:59 GMT

Same error even with EAP-TLS. I only have 1 authentication policy default with certificate profile.

From ISE log AnyConnect is getting the correct certificate where CN is logged for username.

Re: AnyConnect NAM Machine Authentication

hslai — Wed, 17 Aug 2016 15:34:39 GMT

Try using the eventvwr to look at the AnyConnect log entries.

The user certificate might have some problem or even the AC profile because it has different sections for user auth and machine auth. If you need further help on this, try the Cisco internal alias on AnyConnect with a copy of your DART file.

Re: AnyConnect NAM Machine Authentication

wileong — Sat, 20 Aug 2016 06:36:17 GMT

Hi Hsing,

Thanks for the tip. Apparently, the certificate installed without private key even it showed "Certificate has associated private key" while we double clicked the certificate. EAP-TLS for machine works for Windows 7 after importing the same certificate again.

I will try out Windows 8.1 and Windows 10 using latest AC 4.3.02039 next week.

Thanks

Wing Churn