
Cisco Anyconnect NAM with Same SSID different Authentication

Hi Guys,

I am stuck and need help with a solution.

The scenario is as below:

1. Site 1: Cisco WLC and ClearPass --> SSID-Users --> PEAP authentication User

2. Site 2: Cisco WLC and ISE --> SSID-Users --> EAP Authentication (EAP-FAST) user+machine

Now, if I create 2 SSID profiles in Cisco NAM, will it work and detect which one to connect to, or do I have to manually select which profile to connect to so the user can connect to the profile and log in to the network?

Thanks

2 Replies

Mike.Cifelli
VIP Alumni

So there is a setting in the NAM profile editor that will force NAM to connect to the network if in proximity.  The definition to enable this is below:

 

Corporate Network—Forces a connection to a network configured as Corporate first, if one is in proximity. When a corporate network uses a non-broadcasting (hidden) SSID, and is configured as hidden, the Network Access Manager actively probes for hidden SSIDs and establishes the connection when a corporate SSID is in range.

 

AFAIK, from my experience, if you do not use that setting then NAM will try to use whichever profile is listed first and eventually fail over to the next profile. Note that my experience was in an environment where 2 SSIDs were broadcast and one was used with MAB and the other with EAP-TLS. I would recommend testing the corporate network setting in your unique environment. HTH!

Panos Bouras
Level 1

Hi @saxenanitesh8522 

 

I assume that your SSIDs are using the same name but the authentication policy changes.

While the NAM profile editor doesn't prevent you from creating 2 profiles using the same SSID, that doesn't mean that the user experience will be good. I believe that NAM will get confused about which profile it should use, and you might get different feedback from different users.

My recommendation is to change the SSID in one installation, create the appropriate policies on NAM, and tick the corporate for each profile. My recommendation should work as long as the two SSIDs are broadcast in different physical locations, so that when a client can reach one SSID the other SSID will not be reachable. Follow @Mike.Cifelli's recommendation for building the profiles.

I hope I got your point correctly.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies