08-29-2016 10:14 AM
Hi guys
I have AnyConnect on some PCs in my lab and I set up a new wired network named "test" with 802.1x EAP-FAST, using a password for authentication.
If I try to connect using the "test" network, it doesn't ask for the username and password, and it just
Did I miss something that I need to configure?
The Wired AutoConfig service is in the disabled state.
08-29-2016 10:26 AM
Guy, I will need more information about the issue to provide a better answer. But for a supplicant like AC NAM to present the login window, there needs to be a switch with 802.1x enabled on the interface. Have you configured that part already?
08-29-2016 11:01 AM
Hi howon
The interface is configured as follows:
interface FastEthernet2/0/7
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
08-29-2016 11:24 AM
OK, interface configuration looks good. Was this working before possibly with native supplicant? Are you seeing any events on the switch regarding the authentication requests?
08-29-2016 08:22 PM
With the native supplicant it works great!
I restarted the PC and the switch, and now AnyConnect prompts me for the username and password. I typed the user "bob", but on the switch I see (in debug radius) that the username is "anonymous"...
08-29-2016 08:36 PM
OK, so it looks like you are getting prompted now. What you are seeing is expected for tunneled EAP methods such as PEAP, EAP-TTLS, and EAP-FAST. It is typical for a supplicant to use anonymous for the outer identity and the real username for the inner identity. Now that the supplicant and the switch look to be working, what do you see on the ISE live log?
08-30-2016 01:46 AM
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12101 Extracted EAP-Response/NAK requesting to use EAP-FAST instead
12100 Prepared EAP-Request proposing EAP-FAST with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12815 Extracted TLS Alert message
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
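The live-log steps above tell the whole story if you read them in order: ISE proposes EAP-TLS, the supplicant NAKs and asks for EAP-FAST, the TLS handshake starts, ISE sends its certificate, and the next thing back from the client is a TLS Alert. The following analyzer is an added example (not part of the thread and not an ISE or AnyConnect tool) that parses a pasted "Steps" section into that sequence and states why the session ended. The sample text is an abridged, constructed copy of the log posted above; the step-code messages it keys on are the ones shown in the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Abridged copy of the ISE live-log steps from the post above (constructed
# sample for this example; the real log repeats several challenge/response pairs).
SAMPLE_STEPS = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12101 Extracted EAP-Response/NAK requesting to use EAP-FAST instead
12100 Prepared EAP-Request proposing EAP-FAST with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
12815 Extracted TLS Alert message
12153 EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
"""

# A step line is a 4-5 digit code followed by its message.
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*\S)\s*$")


def parse_steps(text: str) -> List[Tuple[int, str]]:
    """Turn pasted live-log text into (code, message) pairs; other lines are ignored."""
    out: List[Tuple[int, str]] = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def diagnose(r: Dict[str, object]) -> str:
    """Explain the outcome from the flags collected by analyze()."""
    fs = r["failure_step"]
    if r["server_cert_sent"] and r["client_tls_alert"] and fs and "client rejected" in fs[1]:
        return ("supplicant rejected the ISE server certificate: the supplicant does not "
                "trust the issuing CA, or its server-validation rules do not match the cert")
    if r["outcome"] == "reject":
        return "rejected: " + (fs[1] if fs else "no failure step recorded")
    if r["outcome"] == "accept":
        return "authentication succeeded"
    return "exchange incomplete"


def analyze(text: str) -> Dict[str, object]:
    """Walk the steps in order and record method negotiation, TLS progress and outcome."""
    r: Dict[str, object] = {
        "proposed_methods": [],     # every EAP method ISE offered, in order
        "negotiated_method": None,  # the method the supplicant actually accepted
        "server_cert_sent": False,  # ISE prepared its TLS Certificate message
        "client_tls_alert": False,  # supplicant answered with a TLS Alert
        "outcome": "incomplete",    # accept / reject / incomplete
        "failure_step": None,       # (code, message) of the first "... failed ..." step
        "round_trips": 0,           # RADIUS Access-Requests seen
    }
    candidate: Optional[str] = None
    for code, msg in parse_steps(text):
        if "Received RADIUS Access-Request" in msg:
            r["round_trips"] += 1
        m = re.search(r"proposing (EAP-[A-Z]+)", msg)
        if m:
            r["proposed_methods"].append(m.group(1))
            candidate = m.group(1)
        if "EAP-Response/NAK" in msg:
            candidate = None            # supplicant refused the last proposal
        m = re.search(r"accepting (EAP-[A-Z]+) as negotiated", msg)
        if m:
            candidate = m.group(1)
        if "Prepared TLS Certificate message" in msg:
            r["server_cert_sent"] = True
        if "Extracted TLS Alert message" in msg:
            r["client_tls_alert"] = True
        if " failed " in msg and r["failure_step"] is None:
            r["failure_step"] = (code, msg)
        if "Returned RADIUS Access-Accept" in msg:
            r["outcome"] = "accept"
        elif "Returned RADIUS Access-Reject" in msg:
            r["outcome"] = "reject"
    r["negotiated_method"] = candidate
    r["diagnosis"] = diagnose(r)
    return r


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_STEPS).items():
        print(f"{k}: {v}")
```

Paste a different live log into `analyze()` and the same walk distinguishes the three cases that look alike on the switch (all end in Access-Reject): a method the supplicant refuses (NAK with no accepted follow-up), a TLS Alert right after the server certificate (what this thread shows), and a failure later in the tunnel (wrong inner credentials), which only appears after the handshake has completed.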
08-30-2016 08:43 AM
According to your log, the client is rejecting the ISE certificate. Have you installed the ISE server certificate in AC NAM? The other option is to trust any Root CA for testing purposes. Please see the AnyConnect guide for more information:
When the Validate Server Identity option is configured for the EAP method, the Certificate panel is enabled to allow you to configure validation rules for certificate server or authority. The outcome of the validation determines whether the certificate server or the authority is trusted.
To define certificate server validation rules, follow these steps:
Procedure
Step 1: When the optional settings appear for the Certificate Field and the Match columns, click the drop-down arrows and select the desired settings.
Step 2: Enter a value in the Value field.
Step 3: Under Rule, click Add.
Step 4: In the Certificate Trusted Authority pane, choose one of the following options:
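The procedure above builds two things: a set of field/match/value rules and a trusted-authority choice. The rejection in this thread is the supplicant applying exactly that decision and failing it. The model below is an added example (not AnyConnect NAM code, and not the guide's own text) that evaluates such rules against a simplified certificate. The field names follow the guide's Certificate Field column; the match operators ("exact", "ends_with"), the AND semantics across rules, the `ServerCert` structure and all certificate values are assumptions constructed for the illustration. The `trust_any_root_ca` switch stands in for the "trust any Root CA for testing" option mentioned in the reply above.

```python
from dataclasses import dataclass, field
from typing import List, Sequence, Set, Tuple


@dataclass
class ServerCert:
    """Simplified view of the fields a supplicant reads from the RADIUS server's
    EAP certificate (assumed structure; values in this example are constructed)."""
    subject_cn: str
    subject_alt_names: List[str] = field(default_factory=list)
    issuer_cn: str = ""


@dataclass
class Rule:
    """One server-validation rule: Certificate Field, Match operator, Value."""
    cert_field: str   # "Subject CN", "Subject Alternative Name" or "Issuer CN"
    match: str        # "exact" or "ends_with" (operators assumed for this example)
    value: str


def _field_values(cert: ServerCert, cert_field: str) -> List[str]:
    if cert_field == "Subject CN":
        return [cert.subject_cn]
    if cert_field == "Subject Alternative Name":
        return list(cert.subject_alt_names)
    if cert_field == "Issuer CN":
        return [cert.issuer_cn]
    raise ValueError(f"unknown certificate field: {cert_field}")


def rule_matches(cert: ServerCert, rule: Rule) -> bool:
    """A rule passes if any value of the chosen field satisfies the operator
    (case-insensitive comparison, an assumption of this example)."""
    want = rule.value.lower()
    for v in (x.lower() for x in _field_values(cert, rule.cert_field)):
        if rule.match == "exact" and v == want:
            return True
        if rule.match == "ends_with" and v.endswith(want):
            return True
    return False


def validate_server(cert: ServerCert, rules: Sequence[Rule], trusted_cas: Set[str],
                    trust_any_root_ca: bool = False) -> Tuple[bool, str]:
    """Decide whether the supplicant should continue the TLS handshake with this server."""
    # 1. Chain of trust: the issuer must be a CA the supplicant was given, unless the
    #    test-only "trust any Root CA" option is on.
    if not trust_any_root_ca and cert.issuer_cn not in trusted_cas:
        return False, f"issuer '{cert.issuer_cn}' is not in the trusted CA list"
    # 2. Every configured rule must match (AND semantics assumed here).
    for r in rules:
        if not rule_matches(cert, r):
            return False, f"rule {r.cert_field} {r.match} '{r.value}' did not match"
    return True, "server identity validated"


def demo() -> Tuple[bool, bool, bool]:
    """Three configurations against the same (constructed) ISE certificate."""
    ise = ServerCert("ise01.lab.example", ["ise01.lab.example"], issuer_cn="Lab Root CA")
    rules = [Rule("Subject CN", "ends_with", ".lab.example")]
    # No CA installed in the supplicant: the situation in this thread, TLS Alert follows.
    before, _ = validate_server(ise, rules, trusted_cas=set())
    # ISE certificate's issuing CA added to the supplicant: handshake continues.
    after, _ = validate_server(ise, rules, trusted_cas={"Lab Root CA"})
    # Test-only option: any issuer accepted, rules still evaluated.
    test_mode, _ = validate_server(ise, rules, trusted_cas=set(), trust_any_root_ca=True)
    return before, after, test_mode


if __name__ == "__main__":
    print(demo())  # (False, True, True)
```

The order of the two checks is the point: adding a Subject CN rule does not help while the issuer is untrusted, and "trust any Root CA" removes the issuer check only, so a rule that does not match still rejects the server. Keep the test-mode option for the lab and put the real CA in the profile before deployment, since without the issuer check the supplicant will complete the handshake with any server that presents a certificate matching the rules.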
08-31-2016 08:18 AM
Hi howon,
AnyConnect doesn't prompt me with the "trust certificate" message, and I see the access reject on my switch:
What do I need to do to force it to prompt this message?
my live log:
08-31-2016 01:27 PM
Guy, since you are manually configuring the access profile for the user, you need to follow the instructions in the previous post to add the certificate or make AC-NAM bypass the certificate verification.
06-07-2017 12:37 AM
Yes, it works great with native supplicants. It is typical for a supplicant to use anonymous for the outer identity and the real username for the inner identity.