
AnyConnect NAM Machine Authentication

wileong (Cisco Employee)

Hi there,

I am testing ISE 2.1 with AC 4.3.1095 for Windows Machine authentication using certificate.

EAP method is EAP-FAST with EAP-TLS as inner method.

Authentication failed with error "5440 Endpoint abandoned EAP session and started new."

I have also tested User auth with the same AC profile as machine and it works. Certificate can be detected by AC and I am seeing the hostname is correctly identified with the CN.

Any idea?

Thanks

Wing Churn

9 Replies

We use 802.1x authentication and I use EAP-Chaining to do the machine/user authentication. Here is a doc, but a little different for ISE 2.1 (I also use ISE 2.1)

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pd…

If this is what you are trying to do, I can try to show some of my settings if it helps.

I was referring to the same document and it works for "password" inner method Machine Auth. What I am trying to achieve here is Certificate as inner method.

Are you using certificate in your lab?

Thanks

For inner method we use EAP-MSCHAPv2 since the users log in.

What we do is machine joins and sits on a restricted network, then when the user logs in it re-checks and sends them to whatever network they are assigned/have permissions to.

So your users join with a cert?

I am trying certificate for either Machine or User.

User Certificate works too but my customer is looking at Machine auth using certificate.

Windows 8, 8.1, or 10?

There is an issue that Windows will not pass the cert unencrypted to AnyConnect. Usually you will see "bad credentials" in the failure. This is fixed by adding the below reg key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LsaAllowReturningUnencryptedSecrets"=dword:00000001

As for Machine/user cert login, I have not done it, so not sure if it's much different from password.

hslai (Cisco Employee)

Does it work if EAP-TLS auth by itself but not as an inner method of EAP-FAST? What are the auth protocol settings for the matched authentication policy?

wileong (Cisco Employee)

Same error even with EAP-TLS. I only have 1 authentication policy default with certificate profile.

From ISE log AnyConnect is getting the correct certificate where CN is logged for username.

hslai (Cisco Employee)

Try using the eventvwr to look at the AnyConnect log entries.

[Attachment: eventvwrNAM.PNG]

The user certificate might have some problem or even the AC profile because it has different sections for user auth and machine auth. If you need further help on this, try the Cisco internal alias on AnyConnect with a copy of your DART file.

wileong (Cisco Employee)

Hi Hsing,

Thanks for the tip. Apparently, the certificate was installed without the private key even though it showed "Certificate has associated private key" when we double-clicked the certificate. EAP-TLS for machine works for Windows 7 after importing the same certificate again.

I will try out Windows 8.1 and Windows 10 using latest AC 4.3.02039 next week.

Thanks

Wing Churn
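The two checks this thread converged on, written up as an added PowerShell script that is not part of the thread or of Cisco's AnyConnect/NAM tooling: it reads the LSA registry value from the earlier reply and then audits the LocalMachine\My store for a certificate whose private key can actually be opened (the root cause found above, where the store claimed a key that was not really there), carries a Client Authentication EKU, and has a CN matching the computer name. The -FixRegistry switch, the output labels, and the assumption that the machine certificate's CN equals the hostname or FQDN are this script's own choices.

```powershell
<#
  Added diagnostic, not from the thread or from Cisco. Checks:
    1. the LSA registry value quoted in the thread, and
    2. whether each certificate in LocalMachine\My has a usable private key,
       a Client Authentication EKU, and a CN matching the computer name
       (ISE logs that CN as the username for machine EAP-TLS).
  Run from an elevated PowerShell prompt. Read-only unless -FixRegistry.
#>
[CmdletBinding()]
param(
    [switch]$FixRegistry   # set the LSA value to 1 when it is missing or 0 (assumed name)
)

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsaName = 'LsaAllowReturningUnencryptedSecrets'

# --- 1. Registry value mentioned in the thread -------------------------------
$lsa = Get-ItemProperty -Path $lsaPath -Name $lsaName -ErrorAction SilentlyContinue
if ($lsa -and $lsa.$lsaName -eq 1) {
    Write-Host "[OK]   $lsaName = 1"
} else {
    Write-Host "[WARN] $lsaName is not set to 1 (NAM may report bad credentials on Windows 8/10)"
    if ($FixRegistry) {
        New-ItemProperty -Path $lsaPath -Name $lsaName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "[FIX]  $lsaName set to 1; reboot so LSA picks it up"
    }
}

# --- 2. Machine certificate sanity -------------------------------------------
$clientAuthOid = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now  = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Subject CN, the value NAM presents and ISE logs as the machine identity
    $cn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } |
           Select-Object -First 1) -replace '^CN=', ''

    # EKU OIDs; a certificate with no EKU extension is valid for any purpose
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $clientAuth = (-not $ekuExt) -or ($ekus -contains $clientAuthOid)

    # HasPrivateKey only says the store *claims* a key. Actually open it:
    # this is the failure mode from the thread, where the certificate UI said
    # "has associated private key" but the key material was not there.
    $keyUsable = $false
    if ($cert.HasPrivateKey) {
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            $keyUsable = ($null -ne $key)
            if ($key) { $key.Dispose() }
        } catch { $keyUsable = $false }
    }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        CN            = $cn
        CNMatchesHost = [bool]($cn -and ($cn -ieq $env:COMPUTERNAME -or $cn -ieq $fqdn))
        ClientAuthEKU = $clientAuth
        ClaimsKey     = $cert.HasPrivateKey
        KeyUsable     = $keyUsable
        Expired       = ($cert.NotAfter -lt $now)
        NotAfter      = $cert.NotAfter
    }
}

$report | Format-Table -AutoSize

$good = @($report | Where-Object { $_.CNMatchesHost -and $_.ClientAuthEKU -and $_.KeyUsable -and -not $_.Expired })
if ($good.Count -eq 0) {
    Write-Host "[WARN] no certificate in LocalMachine\My is usable for NAM machine EAP-TLS"
    $report | Where-Object { $_.ClaimsKey -and -not $_.KeyUsable } | ForEach-Object {
        Write-Host "       $($_.Thumbprint): store claims a private key but it cannot be opened; re-import the PFX"
    }
} else {
    Write-Host "[OK]   $($good.Count) candidate certificate(s) look usable for machine authentication"
}
```

Run it before touching the NAM profile: a row with ClaimsKey true and KeyUsable false is exactly the state the original poster hit, and re-importing the PFX (with the private key) is the fix, not a profile change. A CN that does not match the host is a separate problem, since the ISE policy will see a username that is not the machine.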
