02-05-2019 11:53 PM
Hello,
We are testing AnyConnect as a 802.1x supplicant and the switchports are in monitor mode. However, if the credentials are not correctly introduced or the NAM module is not configured properly, the PC can't get access to the network. Is there any way to allow access to the network during the initial deployment in monitor mode even if the previous situations occur?
On the other hand, is it possible to remove or disable the pop-up every time the supplicant connects to the network successfully?
Regards.
02-06-2019 05:24 AM
What does the config look like on the switch ports? If you are configured for monitor mode it should allow network access no matter what the supplicant does.
In order to remove the pop-ups (in windows) just right click the AnyConnect tray icon in the bottom right corner and disable "Show connection notices."
02-06-2019 08:30 AM
Hello Ben,
I've got the "authentication open" command. With the Windows native supplicant network access is granted even when the credentials are not valid.
With regards to the pop-ups, I'm looking for a more scalable solution that can be applied at the profile level and then distributed from a centralized tool like SCCM. Sorry, I should have been more precise.
02-06-2019 11:03 AM
Can you post your full switch port config please? It is helpful in determining where the issue might be.
As for the pop-up messages I looked through all of the configuration and preference files and none of them make reference to the pop-ups, unless it is a hidden attribute in one of the files that can be added manually.
02-06-2019 07:50 AM
Using NAM Profile Editor you can configure the profile to allow data traffic even when/if EAP fails:
EAP fails—When selected, the supplicant attempts authentication. If authentication fails, the supplicant allows data traffic despite the authentication failure.
For more information please see: https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/administration/guide/b_AnyConnect_Administrator_Guide_4-0/configure-nam.html
02-06-2019 08:33 AM
Hi Mike,
That was the first thing I tried, without success. I tested with a different authentication protocol to test the behaviour and got disconnected from the network. I expected the switchport configuration to preempt the supplicant, but it seems like this is not the case.
Any other ideas?
02-06-2019 08:45 AM
02-06-2019 11:57 PM
Hello Mike,
This is my port configuration:
interface GigabitEthernet4/0/20
switchport access vlan 144
switchport mode access
switchport voice vlan 167
ip access-group NAC-MONITOR-MODE-ACL in
load-interval 30
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 144
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level pps 500
storm-control unicast level pps 20k
storm-control action trap
spanning-tree portfast edge
spanning-tree bpduguard enable
service-policy input TRAFFIC-CLASSIFICATION
ip dhcp snooping limit rate 5
end
Regards.
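An added example (not part of the thread or of any Cisco tool): a small Python audit that parses IOS interface stanzas like the one posted above and reports whether the switch side is actually fail-open, with the sample config constructed from the lines of the post. It covers only the switch; whether the supplicant itself drops traffic locally when EAP fails is the NAM profile setting discussed earlier in the thread.

```python
from typing import Dict, List, Optional

# Constructed sample: the port posted in the thread, trimmed to the
# authentication-relevant lines.
SAMPLE_CONFIG = """interface GigabitEthernet4/0/20
 ip access-group NAC-MONITOR-MODE-ACL in
 authentication host-mode multi-auth
 authentication open
 authentication port-control auto
 authentication violation restrict
 mab
 dot1x pae authenticator
!
"""

# Every one of these must be present for the switch side to be fail-open.
REQUIRED = ("authentication open", "authentication port-control auto",
            "dot1x pae authenticator")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into {interface name: [stripped config lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # end of the interface stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_port(lines: List[str]) -> dict:
    """Report whether a port is fail-open and what on the switch side could block a host."""
    issues = [f"missing '{req}'" for req in REQUIRED if req not in lines]
    if "authentication violation shutdown" in lines:
        issues.append("violation action is shutdown: a security violation err-disables the port")
    # A pre-auth ACL keeps filtering unauthenticated hosts even with 'authentication open',
    # so its contents decide between true monitor mode and low-impact mode.
    acl = next((l.split()[2] for l in lines
                if l.startswith("ip access-group ") and l.endswith(" in")), None)
    return {"fail_open": not issues, "issues": issues, "pre_auth_acl": acl}


def audit_config(config: str) -> Dict[str, dict]:
    return {name: audit_port(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
```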
02-07-2019 05:32 AM
A couple of things so I better understand what exactly you are trying to accomplish:
You mentioned this: I test with a different authentication protocol to test the behaviour and I got disconnected from the network.
What protocol/s have you attempted to use? Are you trying to implement & utilize eap-chaining for machine + user auth? If so, you need to set up the NAM profile to use EAP-FAST.
Can you post your ACL that is applied to the interface, please?
Are you using ISE as your AAA server? If so, what are your policies set up like?