Authentication Open on switch Vs EAP chaining with user and machine certificate

sadashivpalde
Level 1

Hi Team,

I am deploying ISE 2.2 patch 6 in production at one of my customers and have a query regarding monitor mode and EAP chaining.

Components used:

ISE 2.2 P6

AnyConnect NAM 4.5.x

Dot1x Authentication - user and machine certificate authentication

Switch Deployment - Monitor mode

EAP Chaining (certificate authentication) is working fine with following scenarios:

  • user and machine both succeeded: observed the expected behavior as per the policies configured in ISE.
  • user succeeded and machine failed: Machine certificate is not present on endpoint, only user certificate is present. However in this scenario the endpoint is getting access as per ISE policies.

But EAP chaining (certificate authentication) is not working with following scenario:

  • user failed and machine succeeded: In this scenario the user certificate is not present on the endpoint. AnyConnect NAM pops up a dialogue for selecting a user certificate; we are not able to select anything as there is no user certificate present on the endpoint, and hence we are not getting network access, even though the switch port is in authentication open mode.

Please let me know if this is the expected behavior of AnyConnect NAM.

Thanks in advance!

regards,

Sadashiv

Accepted Solution

stsargen
Cisco Employee

Hi Sadashiv,

This is expected behavior for NAM.  If NAM cannot find a credential, username/password, or certificate, we will prompt the user for this credential.  When no credential is provided we will not respond to the request from ISE and the connection will time out.  In your case ISE is probably reporting "Endpoint abandoned EAP session"....

You may be able to use the port exception policy in NAM to help get around this.   I am not sure in this case if ISE is sending an authentication failure.  If it is, you could allow access in NAM after a failed auth, or you can also allow access before any authentication is performed.

Hope this helps,

Steve S.


6 Replies

paul
Level 10

I usually don't do EAP chaining, but you should be able to set up a secondary wired profile that just does EAP-TLS Computer authentication.  If I am doing certificate authentication, I don't do EAP chaining and set up 3 NAM wired profiles:

Priority #1- User or Computer EAP-TLS

Priority #2- Computer EAP-TLS

Priority #3- no authentication

Priority #2 is there to handle the issue you are seeing, i.e. first time user logon to a machine and the user certificate hasn't autoenrolled yet.

Hi Paul,

Thanks for your reply and workaround.

However, this workaround would not be feasible in our case. My original query is related to behavior of NAM if user certificate is not present on endpoint and switch is configured in authentication open mode.

From the test results, it looks like endpoint / user doesn't get network access if user certificate is not present.

Is this the expected behavior if we are using NAM??

Hi Steven,

Thanks for your inputs; we also had the same observation.

So one more query that comes to my mind is: if the user certificate is present and the machine certificate is not present, i.e., User Succeeded and Machine Failed, then the endpoint gets network access in our scenario.

Does this mean that NAM checks user credentials before the machine credentials?

Thanks in advance!!

Hi Sadashiv,

NAM will provide credentials in the order that they are requested by ISE.  Is ISE actually hitting a "user pass, machine failed" policy, or a "user only" policy?  This would explain why you have access.

Thanks,

Steve S.

thomas
Cisco Employee
Cisco Employee

I assume you followed the instructions in How To: Deploy EAP Chaining with AnyConnect NAM and ISE?
