AnyConnect

guy.zwerdling
Level 1

Hi guys

I have AnyConnect on some PCs in my lab and I set up a new wired network named "test" with 802.1x EAP-FAST, using a password for authentication.

If I try to connect using the "test" network it doesn't ask for the username and password, and it just

Did I miss something that I need to configure?

The Wired AutoConfig service is in the disabled state.




10 Replies

howon
Cisco Employee

Guy, I will need more information about the issue to provide a better answer. But for a supplicant like AC NAM to present the login window, there needs to be a switch with 802.1x enabled on the interface. Have you configured that part already?

Hi howon

The interface is configured as follows:

interface FastEthernet2/0/7
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast

OK, the interface configuration looks good. Was this working before, possibly with the native supplicant? Are you seeing any events on the switch regarding the authentication requests?

With the native supplicant it works great!

I restarted the PC and the switch, and now AnyConnect prompts me for the username and password. I typed the user "bob", but on the switch I see (in debug radius) that the username is "anonymous"...

OK, so it looks like you are getting prompted now. What you are seeing is expected for tunneled EAP methods such as PEAP, EAP-TTLS, and EAP-FAST. It is typical for the supplicant to use anonymous for the outer identity and the real username for the inner identity. Now that the supplicant and the switch look to be working, what do you see in the ISE live log?

11001    Received RADIUS Access-Request
11017    RADIUS created a new session
15049    Evaluating Policy Group
15008    Evaluating Service Selection Policy
15048    Queried PIP
15004    Matched rule
11507    Extracted EAP-Response/Identity
12500    Prepared EAP-Request proposing EAP-TLS with challenge
11006    Returned RADIUS Access-Challenge
11001    Received RADIUS Access-Request
11018    RADIUS is re-using an existing session
12101    Extracted EAP-Response/NAK requesting to use EAP-FAST instead
12100    Prepared EAP-Request proposing EAP-FAST with challenge
11006    Returned RADIUS Access-Challenge
11001    Received RADIUS Access-Request
11018    RADIUS is re-using an existing session
12102    Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800    Extracted first TLS record; TLS handshake started
12805    Extracted TLS ClientHello message
12806    Prepared TLS ServerHello message
12807    Prepared TLS Certificate message
12810    Prepared TLS ServerDone message
12105    Prepared EAP-Request with another EAP-FAST challenge
11006    Returned RADIUS Access-Challenge
11001    Received RADIUS Access-Request
11018    RADIUS is re-using an existing session
12104    Extracted EAP-Response containing EAP-FAST challenge-response
12105    Prepared EAP-Request with another EAP-FAST challenge
11006    Returned RADIUS Access-Challenge
11001    Received RADIUS Access-Request
11018    RADIUS is re-using an existing session
12104    Extracted EAP-Response containing EAP-FAST challenge-response
12105    Prepared EAP-Request with another EAP-FAST challenge
11006    Returned RADIUS Access-Challenge
11001    Received RADIUS Access-Request
11018    RADIUS is re-using an existing session
12104    Extracted EAP-Response containing EAP-FAST challenge-response
12815    Extracted TLS Alert message
12153    EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate
11504    Prepared EAP-Failure
11003    Returned RADIUS Access-Reject
5434     Endpoint conducted several failed authentications of the same scenario

According to your log, the client is rejecting the ISE certificate. Have you installed the ISE server certificate in the AC NAM? The other option is to trust any Root CA for the purpose of testing. Please see the AnyConnect guide for more information:

Configure Trusted Server Validation Rules

When the Validate Server Identity option is configured for the EAP method, the Certificate panel is enabled to allow you to configure validation rules for certificate server or authority. The outcome of the validation determines whether the certificate server or the authority is trusted.

To define certificate server validation rules, follow these steps:

Procedure

Step 1  When the optional settings appear for the Certificate Field and the Match columns, click the drop-down arrows and select the desired settings.
Step 2  Enter a value in the Value field.
Step 3  Under Rule, click Add.
Step 4  In the Certificate Trusted Authority pane, choose one of the following options:
  • Trust Any Root Certificate Authority (CA) Installed on the OS: if chosen, only the local machine or certificate stores are considered for the server's certificate chain validation.
  • Include Root Certificate Authority (CA) Certificates.
    Note: If you choose Include Root Certificate Authority (CA) Certificates, you must click Add to import the CA certificate into the configuration. If the certificate being used is being exported from the Windows certificate store, use the "Base 64 encoded X.509 (.cer)" option.

Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 4.2 - Configure Network Access Manager [Cisco AnyC…
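As an added example (not from this thread or from Cisco), a small Python triage of an ISE live-log step list like the one above; it assumes the step codes and step text exactly as ISE prints them and flags the 12815 TLS Alert followed by 12153 as the "client rejected the server certificate" case that howon identifies:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of the ISE live-log "Steps" column, cut down to the lines that
# matter for triage; the step codes are the ones seen in the thread above.
SAMPLE_STEPS = """\
11507  Extracted EAP-Response/Identity
12101  Extracted EAP-Response/NAK requesting to use EAP-FAST instead
12102  Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12807  Prepared TLS Certificate message
12815  Extracted TLS Alert message
12153  EAP-FAST failed SSL/TLS handshake because the client rejected the ISE local-certificate
11003  Returned RADIUS Access-Reject
"""

STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*\S)\s*$")   # "<code>  <message>"
CERT_REJECTED, TLS_ALERT, ACCESS_REJECT = "12153", "12815", "11003"

@dataclass
class Triage:
    method: Optional[str] = None        # tunnelled EAP method the client accepted
    client_alert: bool = False          # the client itself aborted the TLS handshake
    failure_code: Optional[str] = None  # first "... failed ..." step, e.g. 12153
    rejected: bool = False              # ISE returned Access-Reject

def triage_steps(text: str) -> Triage:
    t = Triage()
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue                    # skip headings, blank lines, screenshot names
        code, msg = m.groups()
        nego = re.search(r"accepting (\S+) as negotiated", msg)
        if nego:
            t.method = nego.group(1)
        if code == TLS_ALERT:
            t.client_alert = True
        elif code == ACCESS_REJECT:
            t.rejected = True
        elif " failed " in msg and t.failure_code is None:
            t.failure_code = code
    return t

def diagnosis(t: Triage) -> str:
    if t.failure_code == CERT_REJECTED and t.client_alert:
        return "supplicant does not trust the ISE server certificate: import its CA into the NAM profile"
    if t.rejected:
        return "Access-Reject for another reason: inspect failure step %s" % t.failure_code
    return "no authentication failure recorded"
```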

Hi howon,

AnyConnect doesn't prompt me with the "trust certificate" message, and I see the access reject on my switch:

(screenshot of the switch output not included)

What do I need to do to force it to prompt this message?

My live log:

(screenshot of the ISE live log not included)

Guy, since you are manually configuring the access profile for the user, you need to follow the instructions in the previous post to add the certificate or make AC-NAM bypass the certificate verification.

lissacoffey
Level 1

Yes, it works great with native supplicants. It is typical for the supplicant to use anonymous for the outer identity and the real username for the inner identity.
