Anyconnect NAM EAPoL logoff messages

tommy182
Level 1

Hello Friends!

 

We implemented dot1x in our test environment with Anyconnect NAM 4.6 as a supplicant.

But I don't understand why NAM doesn't send EAPoL logoff messages when the user logs off the system.

NAM just does nothing. And technically the machine stays with the previous authorization profile until someone logs in (at that moment NAM initiates a new EAP session).

 

Is there some configuration regarding this feature that I need to enable for EAPoL logoff?

Is EAPoL logoff not required anymore?

 

Tom.

Accepted Solution

So, I was doing some testing.

 

I found that AnyConnect sends EAPoL Logoff when we use only User authentication without Machine in the NAM profile.

In fact it uses EAPoL logoff when there are no methods left to authenticate the endpoint.

 

But according to the guide Deploying ISE for Wired Network Access, the switch needs to get EAPoL-logoff for access-session cache clearing (or reboot :))

In the guide we can see:

 

Role Based Critical Authorization
One of the many advantages of using IBNS 2.0 is that it can handle failure scenarios efficiently. With a few additional tweaks to
the previously configured IBNS 2.0 configuration, endpoints that have been authorized previously by ISE can be given the same
level of network access even when the server is not reachable next time. The idea is to grant role-based access during critical
condition, instead of applying a common critical authorization.

 

NOTE !!!

The access-session cache is cleared either when switch reloads or the endpoint does EAPOL-Logoff.
EAPOL-Logoff typically happens in most of the operating systems when user logs off the
system.

ROLE_BASED_CRITICAL_AUTH.JPG

 

 

But I found another problem))

Looks like there is some bug on the 16.9.1 version: even if the supplicant sends EAPoL-logoff the switch doesn't refresh the access-session cache, and role-based critical auth can be a security vulnerability.

But that's for TAC I think))

 

Thanks,

Tom
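Whether the supplicant really emits EAPOL-Logoff at user logoff is the open question in this thread, and the quickest way to settle it is to look at what actually leaves the NIC. The following is an added example, not code from the thread, Cisco or AnyConnect: it decodes raw Ethernet frames (for instance bytes exported from a capture on the switch port) by IEEE 802.1X EAPOL packet type and reports supplicants that started or ran EAP but never sent Logoff. The MAC addresses and frames are constructed sample data, not captured traffic.

```python
"""Classify EAPOL (IEEE 802.1X) frames and find supplicants that never sent Logoff.

Added example for diagnosing the behaviour discussed in the thread; not code
from AnyConnect NAM, Cisco IOS or the original post.
"""
import struct

# IEEE 802.1X constants
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # Port Access Entity group MAC
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
ETH_HDR_LEN = 14
EAPOL_HDR_LEN = 4


def build_eapol_frame(src_mac: bytes, pkt_type: int, body: bytes = b"") -> bytes:
    """Build an Ethernet II frame carrying one EAPOL PDU (used here only to
    construct sample input; a real check would read frames from a capture)."""
    eth_hdr = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    # EAPOL header: protocol version (1 = 802.1X-2001), packet type, body length
    eapol_hdr = struct.pack("!BBH", 1, pkt_type, len(body))
    return eth_hdr + eapol_hdr + body


def parse_eapol(frame: bytes):
    """Return (source MAC as 'aa:bb:..', EAPOL type name) for an EAPOL frame,
    or None when the frame is not EAPOL or is malformed/truncated."""
    if len(frame) < ETH_HDR_LEN + EAPOL_HDR_LEN:
        return None
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, pkt_type, body_len = struct.unpack("!BBH", frame[14:18])
    # Versions 1-3 correspond to 802.1X-2001/2004/2010; anything else is suspect.
    if version not in (1, 2, 3) or len(frame) < ETH_HDR_LEN + EAPOL_HDR_LEN + body_len:
        return None
    return src.hex(":"), EAPOL_TYPES.get(pkt_type, f"unknown({pkt_type})")


def supplicants_without_logoff(frames):
    """Given an iterable of raw frames, return the set of supplicant MACs that
    sent EAPOL-Start or EAP traffic but never an EAPOL-Logoff."""
    seen_auth, seen_logoff = set(), set()
    for frame in frames:
        parsed = parse_eapol(frame)
        if parsed is None:
            continue           # non-EAPOL or malformed: ignore, don't guess
        mac, kind = parsed
        if kind in ("EAPOL-Start", "EAP-Packet"):
            seen_auth.add(mac)
        elif kind == "EAPOL-Logoff":
            seen_logoff.add(mac)
    return seen_auth - seen_logoff


# Constructed sample data (hypothetical MACs, not from any real capture).
MAC_A = bytes.fromhex("001122334455")   # supplicant that does send Logoff
MAC_B = bytes.fromhex("66778899aabb")   # supplicant that never sends Logoff
EAP_RESP_IDENTITY = b"\x02\x01\x00\x05\x01"   # EAP Response/Identity, empty identity
IPV4_FRAME = MAC_B + MAC_A + struct.pack("!H", 0x0800) + b"\x00" * 20   # non-EAPOL noise

SAMPLE_FRAMES = [
    build_eapol_frame(MAC_A, 1),                      # EAPOL-Start from A
    build_eapol_frame(MAC_A, 0, EAP_RESP_IDENTITY),   # EAP exchange from A
    build_eapol_frame(MAC_B, 1),                      # EAPOL-Start from B
    build_eapol_frame(MAC_B, 0, EAP_RESP_IDENTITY),   # EAP exchange from B
    IPV4_FRAME,                                       # ordinary data frame, skipped
    build_eapol_frame(MAC_A, 2),                      # EAPOL-Logoff from A at user logoff
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_eapol(f))
    print("no EAPOL-Logoff seen from:", supplicants_without_logoff(SAMPLE_FRAMES))
```

Run against frames from a span-port or supplicant-side capture, the set this prints is the list of endpoints whose access-session entries the switch will keep (per the guide's note above) until a reload or a later Logoff; an empty set for a host after a user logoff confirms the supplicant did its part, and the cache problem is on the switch side.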

 


6 Replies

RichardAtkin
Level 3
Probably one for TAC?..

paul
Level 10

Are you sure you don't have the "Extend User connection beyond log off" option checked under User Auth in your NAM profile?  If you do then what you are seeing is the expected behavior.

Hi Paul,

 

Yep, I've already unchecked this option in the profile..

I tried to reinstall NAM, clear the registry etc.

 

For some reason it doesn't work, AnyConnect or the PC doesn't send EAP logoff to the switch((

But it's necessary for me, I need to refresh the User-Role in the switch cache.. (it refreshes when EAP logoff comes up)

 

My test PC on win7x64, maybe there is some bug..

 

Thanks,

Tom

Do you have a computer based option setup in your NAM profile? For example, I usually would set it up for Computer certificates or User certificates. When the user logs off there should be a fresh authentication with the computer cert.


Thanks Paul,

 

I really missed the machine auth parameters (no cert or static pass), I just put a dummy password for static machine auth.

So it helped in some way) When the user logs off, AnyConnect starts machine authentication (with the dummy password).

But it's still not sending an EAPoL logoff message at this moment. In the switch the access-session cache doesn't refresh((

Maybe EAPoL logoff is some kind of deprecated feature on AnyConnect and we need to utilize machine auth only..

 

Now it works as a workaround: I can now send a new User-Role in the authz profile when the PC initiates machine authentication after user logoff.

But it would be great if there were no need to invoke ISE just to refresh the cached attributes under the access-session.

 

Thanks,

Tom

 


 
