
Cisco Employee

AnyConnect NAM Machine Authentication

Hi there,

I am testing ISE 2.1 with AC 4.3.1095 for Windows Machine authentication using certificate.

EAP method is EAP-FAST with EAP-TLS as inner method.

Authentication failed with error "5440 Endpoint abandoned EAP session and started new."

I have also tested User auth with the same AC profile as machine and it works. The certificate can be detected by AC and I am seeing the hostname is correctly identified with the CN.

Any idea?

Thanks

Wing Churn

Contributor

Re: AnyConnect NAM Machine Authentication

We use 802.1x authentication and I use EAP-Chaining to do the machine/user authentication. Here is a doc, but a little different for ISE 2.1 (I also use ISE 2.1)

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pd…

If this is what you are trying to do, I can try to show some of my settings if it helps.

Cisco Employee

Re: AnyConnect NAM Machine Authentication

I was referring to the same document and it works for "password" inner method Machine Auth. What I am trying to achieve here is Certificate as inner method.

Are you using certificate in your lab?

Thanks

Contributor

Re: AnyConnect NAM Machine Authentication

For inner method we use EAP-MSCHAPv2 since the users log in.

What we do is the machine joins and sits on a restricted network, then when the user logs in it re-checks and sends them to whatever network they are assigned/have permissions to.

So your users join with a cert?

Cisco Employee

Re: AnyConnect NAM Machine Authentication

I am trying certificate for either Machine or User.

User Certificate works too but my customer is looking at Machine auth using certificate.

Contributor

Re: AnyConnect NAM Machine Authentication

Windows 8, 8.1, or 10?

There is an issue that Windows will not pass the cert unencrypted to AnyConnect. Usually you will see "bad credentials" in the failure. This is fixed by adding the below reg key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LsaAllowReturningUnencryptedSecrets"=dword:00000001

As for Machine/user cert login, I have not done it, so not sure if it's much different from password.
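An added example (not from the thread or from Cisco) that reads the LSA value named in the reply above and sets it only when it is not already 1. The registry path and value name are the ones quoted in the reply; everything else, including the helper function name, is assumed. Because the value name indicates it relaxes how LSA returns secrets, the script writes a short record line so the exception is easy to audit later.

```powershell
# Added example, not from the original post. Requires an elevated PowerShell session.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LsaAllowReturningUnencryptedSecrets'

# Returns the current DWORD value, or $null when the value has never been created
# (i.e. Windows is using its default behaviour).
function Get-LsaUnencryptedSecretsSetting {
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

$current = Get-LsaUnencryptedSecretsSetting
if ($null -eq $current) {
    Write-Host "$valueName is not set (default behaviour)."
} else {
    Write-Host "$valueName is currently $current."
}

if ($current -ne 1) {
    # Set-ItemProperty creates the DWORD when it does not exist yet.
    Set-ItemProperty -Path $lsaPath -Name $valueName -Value 1 -Type DWord

    # Leave a trace of who changed it and why, so the exception is visible in a review.
    $note = "{0} {1}\{2} set {3}=1 for AnyConnect NAM certificate auth" -f `
        (Get-Date -Format s), $env:USERDOMAIN, $env:USERNAME, $valueName
    Add-Content -Path "$env:ProgramData\nam-lsa-change.log" -Value $note   # assumed log path
    Write-Host "Value set to 1. Re-test the machine authentication after the change."
}
```

Running the script twice is safe: the second run reports the value as already 1 and changes nothing.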

Cisco Employee

Re: AnyConnect NAM Machine Authentication

Does it work if EAP-TLS auth by itself but not as an inner method of EAP-FAST? What are the auth protocol settings for the matched authentication policy?

Cisco Employee

Re: AnyConnect NAM Machine Authentication

Same error even with EAP-TLS. I only have 1 authentication policy default with certificate profile.

From ISE log AnyConnect is getting the correct certificate where CN is logged for username.

Cisco Employee

Re: AnyConnect NAM Machine Authentication

Try using the eventvwr to look at the AnyConnect log entries.

[attached screenshot: eventvwrNAM.PNG]

The user certificate might have some problem or even the AC profile because it has different sections for user auth and machine auth. If you need further help on this, try the Cisco internal alias on AnyConnect with a copy of your DART file.

Cisco Employee

Re: AnyConnect NAM Machine Authentication

Hi Hsing,

Thanks for the tip. Apparently, the certificate was installed without the private key even though it showed "Certificate has associated private key" when we double-clicked the certificate. EAP-TLS for machine works for Windows 7 after importing the same certificate again.

I will try out Windows 8.1 and Windows 10 using latest AC 4.3.02039 next week.

Thanks

Wing Churn
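The root cause found in the last reply was a machine certificate with no usable private key, which the certificate dialog did not make obvious. The following added example (not from the thread or from Cisco) walks the computer's personal store and reports the facts that matter for NAM machine EAP-TLS: whether a private key is present, whether the Client Authentication EKU is allowed, whether the CN matches this host (the earlier replies check the hostname against the CN), and the expiry. The store path and cmdlets are standard Windows PowerShell; the output shape and the use of the short computer name for the CN comparison are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated session so the
# LocalMachine store is readable.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$hostPattern   = 'CN=' + [regex]::Escape($env:COMPUTERNAME)   # short name; FQDN CNs still match as a prefix

function Get-MachineCertReport {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey
            # An empty EKU list means any purpose is allowed, so treat it as acceptable.
            ClientAuthEku = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)
            CnMatchesHost = ($cert.Subject -match $hostPattern)
        }
    }
}

$report = Get-MachineCertReport
$report | Format-Table Subject, HasPrivateKey, ClientAuthEku, CnMatchesHost, Expired, NotAfter -AutoSize

# Candidates NAM could actually present for machine EAP-TLS
$usable = $report | Where-Object { $_.HasPrivateKey -and $_.ClientAuthEku -and -not $_.Expired -and $_.CnMatchesHost }
if (-not $usable) {
    Write-Host "No certificate in LocalMachine\My has a private key, a client-auth EKU and a CN for this host."
    Write-Host "A certificate that shows 'associated private key' in the UI but lists HasPrivateKey=False here needs to be re-imported with its key."
} else {
    Write-Host ("Usable machine certificate(s): " + ($usable.Thumbprint -join ', '))
}
```

HasPrivateKey comes from the certificate store's own key association, which is what the EAP supplicant relies on, so it is a more reliable signal than the certificate properties dialog that misled the poster.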