04-13-2018 03:49 AM
Hi Team,
I am deploying ISE 2.2 patch 6 in production at one of my customers and have a query regarding monitor mode and EAP chaining.
Components used:
ISE 2.2 P6
AnyConnect NAM 4.5.x
Dot1x Authentication - user and machine certificate authentication
Switch Deployment - Monitor mode
EAP chaining (certificate authentication) is working fine with the following scenarios:
But EAP chaining (certificate authentication) is not working with the following scenario:
Please let me know if this is the expected behavior of AnyConnect NAM.
Thanks in advance!
regards,
Sadashiv
04-18-2018 08:04 AM
Hi Sadashiv,
This is expected behavior for NAM. If NAM cannot find a credential (username/password or certificate), we will prompt the user for this credential. When no credential is provided, we will not respond to the request from ISE and the connection will time out. In your case ISE is probably reporting "Endpoint abandoned EAP session...".
You may be able to use the port exception policy in NAM to help get around this. I am not sure in this case if ISE is sending an authentication failure. If it is, you could allow access in NAM after a failed auth, or you can also allow access before any authentication is performed.
Hope this helps,
Steve S.
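The symptom Steve describes (NAM never answers ISE, so ISE logs the session as abandoned and, in monitor mode, the endpoint stays on the network without ever authenticating) is easy to miss because nothing is blocked. The following added example, which is not part of this thread or of any Cisco tool, shows how an operator could summarize ISE-style RADIUS logs to find such endpoints. The log lines, the key=value layout, the use of failure code 5440 for "Endpoint abandoned EAP session and started new", and the EapChainingResult strings are all constructed for the example; real ISE exports should be mapped to these fields before using this logic.

```python
import re
from collections import defaultdict

# Constructed sample lines in an ISE-like key=value style (not real ISE output).
# The first endpoint keeps abandoning EAP sessions (no user certificate, NAM
# waits for a prompt); the others complete EAP chaining.
SAMPLE_LOG = """\
2018-04-17T22:40:01 Calling-Station-ID=00-11-22-33-44-55 Protocol=EAP-FAST FailureReason=5440 Endpoint abandoned EAP session and started new
2018-04-17T22:40:31 Calling-Station-ID=00-11-22-33-44-55 Protocol=EAP-FAST FailureReason=5440 Endpoint abandoned EAP session and started new
2018-04-17T22:41:02 Calling-Station-ID=00-11-22-33-44-66 Protocol=EAP-FAST EapChainingResult=User succeeded and machine failed AuthzProfile=PermitAccess
2018-04-17T22:41:15 Calling-Station-ID=00-11-22-33-44-77 Protocol=EAP-FAST EapChainingResult=User and machine both succeeded AuthzProfile=PermitAccess
"""

# Matches key=value pairs whose values may contain spaces: a value runs until
# the next " key=" token or the end of the line.
_KV = re.compile(r"([A-Za-z][\w-]*)=(.*?)(?=\s+[A-Za-z][\w-]*=|$)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return {key: value.strip() for key, value in _KV.findall(line)}


def summarize_eap_sessions(lines):
    """Aggregate per endpoint MAC: abandoned-session count, last EAP chaining
    result and last authorization profile seen."""
    summary = defaultdict(lambda: {"abandoned": 0,
                                   "chaining_result": None,
                                   "authz_profile": None})
    for line in lines:
        fields = parse_line(line)
        mac = fields.get("Calling-Station-ID")
        if not mac:
            continue  # not a RADIUS session record
        entry = summary[mac]
        # Assumed failure code for "Endpoint abandoned EAP session" (constructed).
        if fields.get("FailureReason", "").startswith("5440"):
            entry["abandoned"] += 1
        if "EapChainingResult" in fields:
            entry["chaining_result"] = fields["EapChainingResult"]
        if "AuthzProfile" in fields:
            entry["authz_profile"] = fields["AuthzProfile"]
    return dict(summary)


def unauthenticated_endpoints(summary):
    """MACs that only ever abandoned EAP sessions and never received an
    authorization result: in monitor mode these are on the network but have
    not proven who they are."""
    return sorted(mac for mac, entry in summary.items()
                  if entry["abandoned"] > 0 and entry["authz_profile"] is None)


if __name__ == "__main__":
    summary = summarize_eap_sessions(SAMPLE_LOG.splitlines())
    for mac, entry in summary.items():
        print(mac, entry)
    print("never authenticated:", unauthenticated_endpoints(summary))
```

Run against a daily export, the `unauthenticated_endpoints` list is the set of machines to check for a missing user or machine certificate before the switch ports are moved from monitor mode to closed mode, where the same NAM behavior would become a loss of connectivity.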
04-13-2018 08:55 AM
I usually don't do EAP chaining, but you should be able to setup a secondary wired profile that just does EAP-TLS Computer authentication. If I am doing certificate authentication, I don't do EAP chaining and setup 3 NAM wired profiles:
Priority #1- User or Computer EAP-TLS
Priority #2- Computer EAP-TLS
Priority #3- no authentication
Priority #2 is there to handle the issue you are seeing, i.e. first time user logon to a machine and the user certificate hasn't autoenrolled yet.
04-17-2018 10:40 PM
Hi Paul,
Thanks for your reply and workaround.
However, this workaround would not be feasible in our case. My original query is related to behavior of NAM if user certificate is not present on endpoint and switch is configured in authentication open mode.
From the test results, it looks like endpoint / user doesn't get network access if user certificate is not present.
Is this the expected behavior if we are using NAM?
04-18-2018 11:05 PM
Hi Steven,
Thanks for your inputs; we also have the same observation.
So one more query comes to my mind: if the user certificate is present and the machine certificate is not present, i.e., User Succeeded and Machine Failed, then the endpoint gets network access in our scenario.
Does this mean that NAM checks user credentials before the machine credentials?
Thanks in advance!!
04-19-2018 06:49 AM
Hi Sadashiv,
NAM will provide credentials in the order that they are requested by ISE. Is ISE actually hitting a user-passed, machine-failed policy, or a user-only policy? This would explain why you have access.
Thanks,
Steve S.
04-19-2018 02:04 PM
I assume you followed the instructions in How To: Deploy EAP Chaining with AnyConnect NAM and ISE ?