08-03-2016 10:29 AM
Hello,
Would appreciate any feedback with the below
Working with a customer on EAP-Chaining using AD-issued certificates for both machine and user authentication (NAM conf attached). The challenge we are facing is that when a user signs on to a machine for the first time, AnyConnect reports “no valid certificate found”; this is because the user is signing on for the first time and has not requested and registered a certificate. However, since you have no network access, the certificate request process will fail.
We have configured ISE to grant access if the machine passes and the user fails. This does not work, since AnyConnect does not report a user authentication failure but “no valid certificate found”. The Dot1x process times out and restarts with the same outcome.
The interim solution is to use an OOB method (a port with no ISE configuration) to request a user certificate, after which everything works fine.
My question is whether anyone else has encountered this problem and if there is a way around it. One option is to not use certificates for user authentication and use AD credentials with PEAP or MSCHAPv2, but the customer’s preference is to use certificates.
Would appreciate any feedback.
08-04-2016 01:53 PM
I would suggest putting in an enhancement request. Meanwhile, AnyConnect NAM may have multiple profiles, so you could try configuring a lower-priority one to either use machine auth only or machine cert auth + user password auth.
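Before blaming the NAM profile, it helps to confirm on the endpoint whether the state described in the question (machine cert present, user cert not yet enrolled) is really what NAM sees. The following PowerShell check is an added example, not from the thread or from Cisco; it assumes a domain-joined Windows client with AD autoenrollment and is run as the logged-on user (reading machine-store private-key details may need elevation).

```powershell
# Added example (not from the thread): report whether the endpoint holds the
# client-authentication certificates that EAP-chaining needs before NAM runs.
function Get-ClientAuthCert {
    param([Parameter(Mandatory)][string]$StorePath)   # e.g. Cert:\CurrentUser\My
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            # 1.3.6.1.5.5.7.3.2 = Client Authentication EKU (id-kp-clientAuth)
            ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')
        }
}

$machineCerts = @(Get-ClientAuthCert -StorePath 'Cert:\LocalMachine\My')
$userCerts    = @(Get-ClientAuthCert -StorePath 'Cert:\CurrentUser\My')

"Machine client-auth certs with private key: $($machineCerts.Count)"
"User    client-auth certs with private key: $($userCerts.Count)"

if ($userCerts.Count -eq 0) {
    # This is the first-logon state from the question: no user certificate yet,
    # so NAM reports "no valid certificate found" instead of a user auth failure.
    # certutil -pulse asks the autoenrollment client to run now; it can only
    # reach the CA once the machine-only (or OOB) session has network access.
    Write-Warning 'No usable user certificate; requesting autoenrollment now.'
    certutil -pulse | Out-Null
} else {
    $userCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
}
```

If the machine count is also zero, the problem is upstream of NAM (machine autoenrollment or the template's EKU), not the user's first logon.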