802.1x Anyconnect NAM & RDP Issue

KelvinT
Level 1

Hi,

We are deploying EAP-Chaining wired with AnyConnect NAM.  ISE 2.7 patch 2.  We are also using a PIV card for the user.  When we log in locally it is successful.  When we attempt to RDP into the same machine it appears to log in successfully but continuously loops back to the login page.  ISE shows successful user/machine authc.

Any idea what the cause is?  Maybe a setting on Windows 10 like a registry or configuration on AnyConnect to resolve this?

Thanks

Mike.Cifelli
VIP Alumni

A few things to check/consider: When attempting to RDP to a client is the local user completely logged out of the machine?  When installing NAM there is a regkey that enforces single logon.  You can tweak this via:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.

0 allows multiple users to be logged on.

Is it possible there is a local client firewall blocking the attempt? Also, what version of AnyConnect are you testing with? I know older versions had bugs that relate to your issue (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo47467/?rfs=iqvred)

HTH!
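
One way to check and set the EnforceSingleLogon value described in the reply above, as an added PowerShell example that is not part of the original thread. The key path and value name come from that reply; the function names are hypothetical, and writing under HKLM assumes an elevated session.

```powershell
# Added example: audit or set the EnforceSingleLogon DWORD named in the reply above.
# Function names are hypothetical; key path and value name are taken from the thread.
$NamKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'

function Get-NamSingleLogon {
    # Report the current state without changing anything.
    if (-not (Test-Path -LiteralPath $NamKey)) {
        return 'KeyMissing'      # credential provider key is not present on this host
    }
    $prop = Get-ItemProperty -LiteralPath $NamKey -Name EnforceSingleLogon -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        return 'ValueMissing'    # key exists but the DWORD was never created
    }
    switch ($prop.EnforceSingleLogon) {
        1       { 'SingleUser' }        # logon restricted to a single user
        0       { 'MultipleUsers' }     # multiple users may be logged on
        default { "Unexpected($_)" }    # anything else is worth investigating
    }
}

function Set-NamSingleLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]
        [int]$Value
    )
    # Refuse to create the key on a host where it does not already exist.
    if (-not (Test-Path -LiteralPath $NamKey)) {
        throw 'Credential provider key not found; nothing changed.'
    }
    if ($PSCmdlet.ShouldProcess($NamKey, "Set EnforceSingleLogon=$Value")) {
        # -Force creates the DWORD or overwrites an existing one.
        New-ItemProperty -LiteralPath $NamKey -Name EnforceSingleLogon `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
    Get-NamSingleLogon    # return the state after the change
}

# Read-only check, then a dry run of the change (-WhatIf writes nothing).
Get-NamSingleLogon
Set-NamSingleLogon -Value 0 -WhatIf
```

Drop `-WhatIf` to apply the change; the function returns the resulting state so it can be logged per host.
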

Hi Mike and thanks for the quick reply.

AnyConnect 4.8.  Disabling the FW will probably not be an option.  Yes there is no other user logged on.  We attempted right after reboot.

Question.....Is there a fix for this bug?

Cisco Bug: CSCus48622 - Smart Card redirection support

Mike.Cifelli
VIP Alumni

Question.....Is there a fix for this bug?

-Not that I can see in the link provided.  You could work with TAC to determine that answer and/or check release notes.  I would recommend testing with the latest 4.9.x client, and then generate a DART bundle after the issue occurs to share with TAC.  You can also use the bundle yourself to identify possible anomalies.  

Good point.  I will do that.

Thanks Mike

Hi Mike,

From what I am told by TAC support, it is, as you said, not a supported feature yet.  It was sent to enhancement for consideration.

But I'm thinking the better work around is EAP-TEAP since ISE 2.7 supports it.  Hence:  No AnyConnect NAM.

I'll keep you posted if this works or not.