topic Well i guess you would need a in Network Security

ISE - Wireless Anyconnect

Oscar Cardiel — Fri, 21 Feb 2020 13:15:02 GMT

Hello! we have a doutb regarding our ISE installation. We have created a new SSID with EAP Chaninng validation (user + machine validation using Anyconnect client) through ISE, and NAC posture.

The problem is that when a user has never logged in a PC and tries to log for the first time through this wireless, is not working. The facts are like this:

- User introduces user/pass for the first time to computer

- Computer needs to contact AD to download the profile

- Computer associates with the network

- ISE puts the user "on-hold" until it's NAC compliant

- Computer never launches NAC process, so it's never compliant

- ISE doesn't give access to network

- User cannot login to computer.

This only happens the first time a user tries to access the network because it needs to download the profile, if the user has logged in before, this is not a problem. Do you think there is any solution for this problem?

Use EAP Chaining with EAP

Saurav Lodh — Thu, 11 Sep 2014 22:42:32 GMT

Use EAP Chaining with EAP-FAST v2. In the auth attempt, the supplicant provides the authentication server (ISE) both the machine and user credentials for each auth attempt. Supported by the Cisco AnyConnect 3.1 client/supplicant . In ISE to enable its support (Policy->Policy Elements->Results->Authentication->Allowed Protocols->Default Network Access <for example>->Allow EAP-FAST).

Well i guess you would need a

jan.nielsen — Mon, 29 Sep 2014 04:07:11 GMT

Well i guess you would need a wired port with no dot1x for first time logins, or you could give the pc access to the AD servers it needs when the machine is authenticated, but not compliant yet.