Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


AnyConnect NAM and Monitor mode



We are testing AnyConnect as a 802.1x supplicant and the switchports are in monitor mode. However, if the credentials are not correctly introduced or the NAM module is not configured properly, the PC can't get access to the network. Is there any way to allow access to the network during the initial deployment in monitor mode even if the previous situations occur?


On the other hand, is it possible to remove or disable the pop-up every time the supplicant connects to the network successfully?




What does the config look like on the switch ports? If you are configured for monitor mode it should allow network access no matter what the supplicant does. 


In order to remove the pop-ups (in windows) just right click the AnyConnect tray icon in the bottom right corner and disable  "Show connection notices."


Hello Ben,


I've got the "authentication open" command. With the Windows native supplicant network access is granted even when the credentials are not valid. 


With regards to the pop-ups I'm looking for a more scalable solution that can be applied at the profile level and then distributed from a centralized tool like SCCM. Sorry I should have been more precise.


Can you post your full switch port config please? It is helpful in determining where the issue might be. 


As for the pop-up messages I looked through all of the configuration and preference files and none of them make reference to the pop-ups, unless it is a hidden attribute in one of the files that can be added manually. 

VIP Engager

Using NAM Profile Editor you can configure the profile to allow data traffic even when/if EAP fails:




EAP fails—When selected, the supplicant attempts authentication. If authentication fails, the supplicant allows data traffic despite the authentication failure.


For more information please see:


Hi Mike,


That was the first thing I tried this without success. I test with a different authentication protocol to test the behaviour and I got disconnected from the network. I expected the switchport configuration to preempt the supplicant but seems like this is not the case.


Any other ideas?


Can you show your switchport configs please.

Hello Mike,


This is my port configuration:


interface GigabitEthernet4/0/20
switchport access vlan 144
switchport mode access
switchport voice vlan 167
ip access-group NAC-MONITOR-MODE-ACL in
load-interval 30
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 144
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level pps 500
storm-control unicast level pps 20k
storm-control action trap
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input TRAFFIC-CLASSIFICATION
ip dhcp snooping limit rate 5




A couple of things so I better understand what exactly you are trying to accomplish:


You mentioned this: I test with a different authentication protocol to test the behaviour and I got disconnected from the network.


What protocol/s have you attempted to use? Are you trying to implement & utilize eap-chaining for machine + user auth? If so, you need to setup the NAM profile to use EAP-FAST.  


Can you post your ACL that is applied to the interface please.


Are you using ISE as your AAA server? If so, what are you policies setup like?



Content for Community-Ad