domain user login failed because endpoint not authenticated yet

mikeyasg (Level 1)

We have installed the Cisco AnyConnect NAM and posture modules, and endpoints are being authenticated with EAP-FAST using domain credentials (single sign-on). But when a new domain user tries to log into one of these endpoints, the authentication fails because there is no network connection to the domain server. The connection to the domain server will not be established because, in order for the endpoint to get network access, it needs to be authenticated, and endpoint authentication will only start after the user logs in with their credentials. So how can I make this work so that any domain account can log in while still doing endpoint authentication?

Accepted Solution

@mikeyasg not sure exactly what authentication methods you are using, but configure both machine and user authentication. Therefore the machine will have network connectivity when no user is logged on.


If the user has never logged on to the endpoint before, you might be best using EAP-FAST with MSCHAPv2 as the inner method instead of EAP-TLS, as the user will not have the certificate in time to authenticate and would fail.


Refer to this post for more information on AnyConnect NAM and EAP Chaining

https://integratingit.wordpress.com/2018/06/19/eap-chaining-on-cisco-ise/
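The sequence the accepted answer relies on, as an added example that is not part of the thread or of any Cisco tool: a small simulation of a domain logon on an 802.1X port where the NAM profile does (or does not) perform machine authentication, and where the user's inner EAP method is either EAP-MSCHAPv2 or EAP-TLS. The four EapChainingResult strings are the values ISE exposes for that attribute; the authorization names, the Endpoint/user objects and the logon rules are constructed for illustration.

```python
"""
Simulation of EAP chaining (machine + user authentication) on a NAM endpoint.

Added example, not from the thread. The EapChainingResult strings are ISE's
documented attribute values; the authorization names, the Endpoint object and
the user names are constructed for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Inner(Enum):
    MSCHAPV2 = "EAP-MSCHAPv2"   # password based: works for a never-seen user
    TLS = "EAP-TLS"             # certificate based: needs a user cert on the box


@dataclass
class Endpoint:
    machine_joined: bool                       # has a domain machine credential
    machine_auth_enabled: bool                 # NAM profile performs machine auth
    user_certs: set = field(default_factory=set)        # users already holding a user cert
    cached_profiles: set = field(default_factory=set)   # users who logged on before


# Constructed authorization outcomes keyed by ISE's EapChainingResult values.
AUTHZ = {
    "User and machine both succeeded": "PERMIT_FULL_ACCESS",
    "User failed and machine succeeded": "MACHINE_ONLY_ACL",   # DC/AD reachable only
    "User succeeded and machine failed": "USER_ONLY_ACL",
    "User and machine both failed": "DENY",
}


def eap_chaining_result(machine_ok: bool, user_ok: bool) -> str:
    """Map the two chained outcomes onto ISE's EapChainingResult attribute."""
    return {
        (True, True): "User and machine both succeeded",
        (False, True): "User succeeded and machine failed",
        (True, False): "User failed and machine succeeded",
        (False, False): "User and machine both failed",
    }[(machine_ok, user_ok)]


def network_before_logon(ep: Endpoint) -> str:
    """Authorization at the logon screen: only the machine credential can be used."""
    machine_ok = ep.machine_auth_enabled and ep.machine_joined
    return AUTHZ[eap_chaining_result(machine_ok, user_ok=False)]


def domain_logon(ep: Endpoint, user: str, inner: Inner) -> dict:
    """Walk a domain user logon on this endpoint and return the resulting authorization."""
    pre = network_before_logon(ep)
    dc_reachable = pre != "DENY"
    # Windows must reach a domain controller unless it holds a cached logon for this user.
    if not dc_reachable and user not in ep.cached_profiles:
        return {"logon": False, "reason": "no network path to DC before logon", "authz": pre}
    # Logon succeeded; NAM now runs user authentication and chains it with the machine result.
    if inner is Inner.TLS:
        user_ok = user in ep.user_certs     # a first-time user has no user cert yet
    else:
        user_ok = True                      # the domain password is available to EAP-MSCHAPv2
    machine_ok = ep.machine_auth_enabled and ep.machine_joined
    result = eap_chaining_result(machine_ok, user_ok)
    return {"logon": True, "reason": result, "authz": AUTHZ[result]}


if __name__ == "__main__":
    ep = Endpoint(machine_joined=True, machine_auth_enabled=False)
    print("user auth only:      ", domain_logon(ep, "newuser", Inner.MSCHAPV2))
    ep.machine_auth_enabled = True
    print("chained, MSCHAPv2:   ", domain_logon(ep, "newuser", Inner.MSCHAPV2))
    print("chained, EAP-TLS:    ", domain_logon(ep, "newuser", Inner.TLS))
```

The first run reproduces the question: with user authentication alone, the port is unauthorized at the logon screen, a user with no cached profile cannot reach a domain controller, and the logon fails. Enabling machine authentication gives the endpoint a restricted authorization before anyone logs on, and chaining EAP-MSCHAPv2 as the inner method then yields full access for a user who has never logged on; with EAP-TLS that same first-time user still falls back to the machine-only result because no user certificate has been issued yet.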

2 Replies


hslai (Cisco Employee)

Rob Ingram is correct. You need to allow the endpoint to connect to Active Directory before the domain user logs in.