
AnyConnect NAM + RSA + Posture

sampathss
Cisco Employee

Hello,


One of my customers is using NAM + RSA (EAP Chaining) + Posture.


We tested and it was working like the following earlier:


1) User connects machine to the network

2) User enters username and passcode (RSA) in NAM

3) Posture starts and at 96%, CoA happens and once done, it prompts for the passcode again and does the posture again, completes and is compliant. I guess it's doing full auth and not silent re-auth


I believe this is the known behavior.


But recently, the behavior changed, and the second time, where it asks for the passcode after CoA, it now asks for both username and passcode, then it does posture and is compliant.


Any idea what might be triggering it to ask for the username again?

1 Accepted Solution


hslai
Cisco Employee

Anything in particular (NAM profile or versions of AnyConnect or RSA or ISE or NAD) changed recently? I would suggest engaging Cisco TAC and submitting a copy of the DART file to TAC.


kthiruve
Cisco Employee

Hey Sampath,

What version of AnyConnect are you using, and the RSA version as well?

I have reached out to the SME for AnyConnect, Paul Carco, to answer this.

Thanks

Krishnan

Hey Krishnan,

AnyConnect Version is 4.4.04030. Reached out to the customer to find out about the RSA Version. Will let you know.

Thank you.

Hey Krishnan,


RSA version is 7.3.3.103


Thanks


Sampath

hslai
Cisco Employee

Anything in particular (NAM profile or versions of AnyConnect or RSA or ISE or NAD) changed recently? I would suggest engaging Cisco TAC and submitting a copy of the DART file to TAC.

Hi Hsing,

Nothing changed recently. I will engage TAC as well.

With respect to the endpoint behavior, do the above-mentioned steps (Step 1 to Step 3) sound right?

Thanks

Sampath

The steps look fine. You are correct, it is expected because of OTP. ISE 2.3 has a passcode caching option that you might want to try.

Hsing,

This is available in ISE 2.2. I already tried this and got no help out of it.

I understand it asks for the passcode the second time because of OTP, but why ask for the username again? It was not the case earlier when tested, and it used to prompt only for the passcode the second time. Could it be NAM not caching the username?

Thanks

Sampath

Any update on this?