Beginner

AnyConnect NAM and Monitor mode

Hello,

We are testing AnyConnect as a 802.1x supplicant and the switchports are in monitor mode. However, if the credentials are not correctly introduced or the NAM module is not configured properly, the PC can't get access to the network. Is there any way to allow access to the network during the initial deployment in monitor mode even if the previous situations occur?

On the other hand, is it possible to remove or disable the pop-up every time the supplicant connects to the network successfully?

Regards.

Participant

Re: AnyConnect NAM and Monitor mode

What does the config look like on the switch ports? If you are configured for monitor mode it should allow network access no matter what the supplicant does.

In order to remove the pop-ups (in Windows) just right click the AnyConnect tray icon in the bottom right corner and disable "Show connection notices."

Beginner

Re: AnyConnect NAM and Monitor mode

Hello Ben,

I've got the "authentication open" command. With the Windows native supplicant network access is granted even when the credentials are not valid.

With regards to the pop-ups I'm looking for a more scalable solution that can be applied at the profile level and then distributed from a centralized tool like SCCM. Sorry, I should have been more precise.

Participant

Re: AnyConnect NAM and Monitor mode

Can you post your full switch port config please? It is helpful in determining where the issue might be.

As for the pop-up messages I looked through all of the configuration and preference files and none of them make reference to the pop-ups, unless it is a hidden attribute in one of the files that can be added manually.

Rising star

Re: AnyConnect NAM and Monitor mode

Using NAM Profile Editor you can configure the profile to allow data traffic even when/if EAP fails:

[Screenshot: NAM_prof.PNG]

EAP fails—When selected, the supplicant attempts authentication. If authentication fails, the supplicant allows data traffic despite the authentication failure.

For more information please see: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-nam.html

Beginner

Re: AnyConnect NAM and Monitor mode

Hi Mike,

That was the first thing I tried, without success. I tested with a different authentication protocol to test the behaviour and I got disconnected from the network. I expected the switchport configuration to preempt the supplicant, but it seems like this is not the case.

Any other ideas?

Rising star

Re: AnyConnect NAM and Monitor mode

Can you show your switchport configs, please?

Beginner

Re: AnyConnect NAM and Monitor mode

Hello Mike,

This is my port configuration:

interface GigabitEthernet4/0/20
switchport access vlan 144
switchport mode access
switchport voice vlan 167
ip access-group NAC-MONITOR-MODE-ACL in
load-interval 30
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 144
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level pps 500
storm-control unicast level pps 20k
storm-control action trap
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input TRAFFIC-CLASSIFICATION
ip dhcp snooping limit rate 5
end

Regards.
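As an added example (not code from any poster in this thread), a small Python checker that parses an IOS interface block like the one posted above and reports whether the commands the thread relies on for monitor mode ("authentication open" plus an active dot1x/MAB authenticator) are present; it also flags the inbound port ACL for review, since a static ACL filters traffic regardless of the authentication outcome. The REQUIRED and REVIEW lists and the sample config subset are this example's own assumptions.

```python
"""Added example, not code from the thread: check an IOS switchport config (like the
one posted above) for the commands that make it a monitor-mode port."""
import re

# With 'authentication open' the port authenticates but never enforces, so a
# failed or misconfigured supplicant still gets access; these must be present.
REQUIRED = {
    "authentication open": "without open mode a failed/missing supplicant is blocked",
    "authentication port-control auto": "authentication is not enabled on the port",
    "dot1x pae authenticator": "dot1x authenticator role is not enabled",
}
# A static inbound ACL applies regardless of authentication outcome and can
# still restrict traffic on an open port, so report it for review.
REVIEW_PREFIXES = ("ip access-group",)
# Constructed sample: a subset of the port configuration posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/0/20
 ip access-group NAC-MONITOR-MODE-ACL in
 authentication open
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""

def parse_interfaces(config_text):
    """Return {interface_name: [commands]} from an IOS-style config dump."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line in ("", "!", "end"):
            current = None  # end of the interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def check_monitor_mode(commands):
    """Return (missing, review): absent REQUIRED commands and lines to review."""
    missing = [f"{c} ({why})" for c, why in REQUIRED.items() if c not in commands]
    review = [c for c in commands if c.startswith(REVIEW_PREFIXES)]
    return missing, review

def audit(config_text):
    """Audit every interface block: {name: (missing, review)}."""
    return {n: check_monitor_mode(c) for n, c in parse_interfaces(config_text).items()}
```

Running `audit(SAMPLE_CONFIG)` reports no missing commands for GigabitEthernet4/0/20 and lists the NAC-MONITOR-MODE-ACL line for review; a port lacking "authentication open" shows up in the missing list.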

Rising star

Re: AnyConnect NAM and Monitor mode

A couple of things so I better understand what exactly you are trying to accomplish:

You mentioned this: I test with a different authentication protocol to test the behaviour and I got disconnected from the network.

What protocol/s have you attempted to use? Are you trying to implement & utilize eap-chaining for machine + user auth? If so, you need to setup the NAM profile to use EAP-FAST.

Can you post your ACL that is applied to the interface please.

Are you using ISE as your AAA server? If so, what are your policies set up like?