Anyconnect NAM EAPoL logoff messages

Hello Friends!

 

We implemented dot1x in our test environment with AnyConnect NAM 4.6 as the supplicant.

But I don't understand why NAM doesn't send EAPoL-Logoff messages when the user logs off the system.

NAM just does nothing. Technically the machine stays with the previous authorization profile until someone logs in (at that moment NAM initiates a new EAP session).

 

Is there some configuration for this feature that I need to enable for EAPoL-Logoff?

Is EAPoL-Logoff not required anymore?

 

Tom.

Accepted Solution

Re: Anyconnect NAM EAPoL logoff messages

So, I was doing some testing.

 

I found that AnyConnect sends EAPoL-Logoff when we use only user authentication, without machine authentication, in the NAM profile.

In fact it uses EAPoL-Logoff when there are no methods left to authenticate the endpoint.

 

But according to the guide Deploying ISE for Wired Network Access, the switch needs to get EAPoL-Logoff to clear the access-session cache (or a reboot :))

In the guide we can see:

 

Role Based Critical Authorization
One of the many advantages of using IBNS 2.0 is that it can handle failure scenarios efficiently. With a few additional tweaks to
the previously configured IBNS 2.0 configuration, endpoints that have been authorized previously by ISE can be given the same
level of network access even when the server is not reachable next time. The idea is to grant role-based access during critical
condition, instead of applying a common critical authorization.

 

NOTE !!!

The access-session cache is cleared either when switch reloads or the endpoint does EAPOL-Logoff.
EAPOL-Logoff typically happens in most of the operating systems when user logs off the
system.

[Image: ROLE_BASED_CRITICAL_AUTH.JPG]

 

 

But I found another problem :)

It looks like there is some bug in version 16.9.1: even if the supplicant sends EAPoL-Logoff, the switch doesn't refresh the access-session cache, and role-based critical auth can be a security vulnerability.

But that is one for TAC, I think :)

 

Thanks,

Tom

 

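To verify on the wire whether a supplicant actually emits EAPoL-Logoff (the event the guide note above says clears the access-session cache), here is an added example; it is not code from this thread, from Cisco, or from the guide. It builds IEEE 802.1X EAPOL frames with the standard header (destination 01:80:C2:00:00:03, EtherType 0x888E, then version, type and body length), parses them back, and checks a capture for a Logoff from a given supplicant MAC. The MAC addresses, the identity strings and both captures are constructed sample data; the second capture reproduces the symptom in the thread, a supplicant that authenticates and then goes quiet without a Logoff.

```python
"""Build, parse and check IEEE 802.1X EAPOL frames (constructed sample data)."""
import struct

PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # 802.1X PAE group MAC (authenticator side)
ETHERTYPE_EAPOL = 0x888E
EAPOL_VERSION = 2                                # 802.1X-2004 and later
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
TYPE_EAP_PACKET, TYPE_START, TYPE_LOGOFF = 0, 1, 2


def build_eapol(src_mac: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Ethernet II header + 4-byte EAPOL header (version, type, body length) + body."""
    if len(src_mac) != 6:
        raise ValueError("src_mac must be 6 bytes")
    eth = PAE_GROUP_ADDR + src_mac + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", EAPOL_VERSION, eapol_type, len(body)) + body


def build_eapol_logoff(src_mac: bytes) -> bytes:
    """EAPOL-Logoff carries no body: exactly 18 bytes before Ethernet padding."""
    return build_eapol(src_mac, TYPE_LOGOFF)


def build_eap_response_identity(src_mac: bytes, identity: bytes, eap_id: int = 1) -> bytes:
    """EAP Response (code 2) / Identity (type 1) wrapped in an EAPOL EAP-Packet."""
    eap = struct.pack("!BBH", 2, eap_id, 5 + len(identity)) + b"\x01" + identity
    return build_eapol(src_mac, TYPE_EAP_PACKET, eap)


def parse_eapol(frame: bytes):
    """Return a dict for a well-formed EAPOL frame, or None for anything else."""
    if len(frame) < 18:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        return None  # truncated body: drop it rather than trust a partial frame
    return {
        "dst": dst.hex(":"), "src": src.hex(":"), "version": version,
        "type": ptype, "type_name": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
        "body": body,
    }


def logoff_seen(frames, supplicant_mac: bytes) -> bool:
    """True if the capture holds an EAPOL-Logoff sent by supplicant_mac."""
    want = supplicant_mac.hex(":")
    for frame in frames:
        p = parse_eapol(frame)
        if p and p["src"] == want and p["type"] == TYPE_LOGOFF:
            return True
    return False


# Constructed sample captures (not real traffic). MAC_A logs off cleanly;
# MAC_B authenticates and then goes quiet, which is the behaviour the thread
# describes: the switch never receives the Logoff that would clear its cache.
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
CAPTURE_A = [
    build_eapol(MAC_A, TYPE_START),
    build_eap_response_identity(MAC_A, b"user@example.com"),
    build_eapol_logoff(MAC_A),
]
CAPTURE_B = [
    build_eapol(MAC_B, TYPE_START),
    build_eap_response_identity(MAC_B, b"host/pc.example.com"),
    b"\xff" * 6 + MAC_B + b"\x08\x00" + b"\x45" + b"\x00" * 19,  # plain IPv4 frame, ignored
]

if __name__ == "__main__":
    for name, cap, mac in (("A", CAPTURE_A, MAC_A), ("B", CAPTURE_B, MAC_B)):
        print(f"supplicant {name}: logoff seen = {logoff_seen(cap, mac)}")
        for f in cap:
            p = parse_eapol(f)
            print("   ", p["type_name"] if p else "non-EAPOL frame")
```

To run this against real traffic, capture on a SPAN port or on the endpoint with a filter such as `tcpdump -i <iface> ether proto 0x888e`, read the raw frames with a pcap library of your choice (not included here), and feed them to `logoff_seen` with the supplicant's MAC. The check only looks at the source MAC and EAPOL type, so it also works on captures that contain the authenticator's EAP-Request frames.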
Replies

Re: Anyconnect NAM EAPoL logoff messages

Probably one for TAC?

Re: Anyconnect NAM EAPoL logoff messages

Are you sure you don't have the "Extend User connection beyond log off" option checked under User Auth in your NAM profile?  If you do then what you are seeing is the expected behavior.


Re: Anyconnect NAM EAPoL logoff messages

Hi Paul,

 

Yep, I've already unchecked this option in the profile.

I tried to reinstall NAM, clear the registry, etc.

 

For some reason it doesn't work; AnyConnect or the PC doesn't send EAP logoff to the switch :(

But it is necessary for me, I need to refresh the User-Role in the switch cache (it refreshes when EAP logoff comes in).

 

My test PC is on Win7 x64, maybe there is some bug.

 

Thanks,

Tom


Re: Anyconnect NAM EAPoL logoff messages

Do you have a computer-based option set up in your NAM profile? For example, I usually would set it up for Computer certificates or User certificates. When the user logs off there should be a fresh authentication with the computer cert.



Re: Anyconnect NAM EAPoL logoff messages

Thanks Paul,

 

I really missed the machine auth parameters (no cert or static password); I just put a dummy password for static machine auth.

So it helped in some way :) When the user logs off, AnyConnect starts machine authentication (with the dummy password).

But it's still not sending an EAPoL-Logoff message at this moment. The switch access-session cache doesn't refresh :(

Maybe EAPoL-Logoff is some kind of deprecated feature in AnyConnect and we need to utilize machine auth only.

 

Now it works as a workaround: I can now send a new User-Role in the authz profile when the PC initiates machine authentication after user logoff.

But it would be great if there were no need to invoke ISE just to refresh the cached attributes under the access-session.

 

Thanks,

Tom

 
