
Cisco Anyconnect NAM connection before user logon

Hi,

We have installed AnyConnect NAM on our user machines and have started testing the wireless access. One thing the users are complaining about is that when a new user tries to log in to a PC he has never logged on to, he gets a "no domain available" error, which means that he is not connected to the network. In such scenarios do we need to use the Start Before Logon module, or is there some other setting in the NAM profile itself so that it can run even before the user logs in to the PC (using machine authentication)? Kindly help.


Regards

Shabeeb



Colby LeMaire
VIP Alumni

You would need to do machine authentication for the wireless side so that the computer authenticates before the user attempts to log in, assuming your computers are configured to connect to the SSID automatically. Otherwise the user may have to select the wireless connection before attempting to log in. For the wired side, you should do machine authentication as well; however, you could also adjust the default/pre-auth ACL to allow AD connectivity even when 802.1x authentication hasn't happened or has failed.

Hi Colby,


Thanks for the reply. I have configured machine authentication and it works properly. But what happens is that when a PC is restarted and a completely new user is trying to log in (the user profile is not there on the PC), the network is not available and the user gets the error "domain not available". I am using NAM with the custom connection profile. In the NAM profile I found the "connection attempt before user logon" setting (please check the attached screenshot). Currently the setting is to start the connection attempt after the user logon. I will check if "connection attempt before user logon" will resolve my issue.


Thanks

Shabeeb


If you're using EAP-TLS user authentication, you should also be aware that you could run into issues with the order of operations Windows uses for when 802.1x kicks in versus when the user GPO starts to issue a new user certificate.

See this post for more info. The post talks about the native supplicant, but the same order of operations applies to NAM.

From my experience, most of the loading of a new User profile happens in the Computer state. The problem is usually when the User state kicks in and there is no User certificate enrolled.