AnyConnect NAM and Monitor mode

Antonio Macia
Level 3

Hello,

We are testing AnyConnect as a 802.1x supplicant and the switchports are in monitor mode. However, if the credentials are not correctly introduced or the NAM module is not configured properly, the PC can't get access to the network. Is there any way to allow access to the network during the initial deployment in monitor mode even if the previous situations occur?

On the other hand, is it possible to remove or disable the pop-up every time the supplicant connects to the network successfully?

Regards.

8 Replies

Ben Walters
Level 3

What does the config look like on the switch ports? If you are configured for monitor mode it should allow network access no matter what the supplicant does. 

In order to remove the pop-ups (in Windows) just right click the AnyConnect tray icon in the bottom right corner and disable "Show connection notices."

Hello Ben,

I've got the "authentication open" command. With the Windows native supplicant network access is granted even when the credentials are not valid. 

With regards to the pop-ups I'm looking for a more scalable solution that can be applied at the profile level and then distributed from a centralized tool like SCCM. Sorry I should have been more precise.

Can you post your full switch port config please? It is helpful in determining where the issue might be. 

As for the pop-up messages I looked through all of the configuration and preference files and none of them make reference to the pop-ups, unless it is a hidden attribute in one of the files that can be added manually. 

Mike.Cifelli
VIP Alumni

Using NAM Profile Editor you can configure the profile to allow data traffic even when/if EAP fails:

[Screenshot: NAM_prof.PNG, NAM Profile Editor authentication settings]

EAP fails—When selected, the supplicant attempts authentication. If authentication fails, the supplicant allows data traffic despite the authentication failure.

For more information please see: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-nam.html

Hi Mike,

That was the first thing I tried, without success. I tested with a different authentication protocol to test the behaviour and I got disconnected from the network. I expected the switchport configuration to preempt the supplicant, but it seems like this is not the case.

Any other ideas?

Can you show your switchport configs please.

Hello Mike,

This is my port configuration:

interface GigabitEthernet4/0/20
switchport access vlan 144
switchport mode access
switchport voice vlan 167
ip access-group NAC-MONITOR-MODE-ACL in
load-interval 30
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 144
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level pps 500
storm-control unicast level pps 20k
storm-control action trap
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input TRAFFIC-CLASSIFICATION
ip dhcp snooping limit rate 5
end

Regards.
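As an added check that is not part of this thread: a small lint of the posted interface stanza for the switch-side monitor-mode prerequisites. The required-command list below is my own reading of open mode, and the sample stanza is a trimmed copy of the configuration above; note that this only covers the switch, whereas dropping traffic after an EAP failure is a client-side decision governed by the NAM profile's "EAP fails" setting.

```python
"""Lint a Cisco IOS switchport stanza for 802.1X monitor-mode prerequisites.

Added example, not from the thread. Monitor (open) mode needs 'authentication open'
together with 'authentication port-control auto'; a pre-auth ACL ('ip access-group ... in')
keeps filtering traffic even in open mode, so it is flagged for review rather than failed.
"""
import re

# Constructed sample: a trimmed copy of the stanza posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet4/0/20
 switchport access vlan 144
 switchport mode access
 ip access-group NAC-MONITOR-MODE-ACL in
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
end
"""

REQUIRED = (                         # assumption: my minimal monitor-mode set
    "authentication open",           # port forwards with or without authentication
    "authentication port-control auto",
    "dot1x pae authenticator",
    "mab",                           # fallback for hosts without a supplicant
)

def parse_interfaces(text):
    """Return {interface_name: [config lines]} from a running-config excerpt."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = m.group(1)
            result[current] = []
        elif current and line and line not in ("end", "!"):
            result[current].append(line)
    return result

def lint_monitor_mode(lines):
    """Return findings for one interface; an empty list means monitor-mode ready."""
    findings = [f"missing: {cmd}" for cmd in REQUIRED if cmd not in lines]
    for cmd in lines:
        m = re.match(r"ip access-group (\S+) in$", cmd)
        if m:  # open mode does not bypass a statically applied pre-auth ACL
            findings.append(f"review pre-auth ACL {m.group(1)}: it still filters traffic in open mode")
    return findings
```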

A couple of things so I better understand what exactly you are trying to accomplish:

You mentioned this: I test with a different authentication protocol to test the behaviour and I got disconnected from the network.

What protocol/s have you attempted to use? Are you trying to implement & utilize EAP chaining for machine + user auth? If so, you need to set up the NAM profile to use EAP-FAST.

Can you post your ACL that is applied to the interface please.

Are you using ISE as your AAA server? If so, what are your policies set up like?
