Augustine Okojie
Cisco Employee

EAP-Chaining With AnyConnect No Valid Certificate

Hello,

Would appreciate any feedback with the below

Working with a customer on EAP-Chaining using AD-issued certificates for both machine and user authentication (NAM configuration attached). The challenge we are facing is that when a user signs on to a machine for the first time, AnyConnect reports "no valid certificate found". This is because the user is signing on for the first time and has not yet requested and registered a certificate. However, since there is no network access, the certificate request process fails.

We have configured ISE to grant access if the machine passes and the user fails, but this does not work since AnyConnect does not report a user authentication failure but a "no valid certificate found". The Dot1x process times out and restarts with the same outcome.

The interim solution is to use an OOB method (a port with no ISE configuration) to request a user certificate, after which everything works fine.

My question is if anyone else has encountered this problem and if there is a way around it. One option is to not use certificates for user authentication and use AD credentials with PEAP or MSCHAPv2, but the customer's preference is to use certificates.

Would appreciate any feedback.

Accepted Solution
hslai
Cisco Employee

I would suggest putting in an enhancement request. Meanwhile, AnyConnect NAM may have multiple profiles, so you could try configuring a lower priority one to either use machine auth only or machine cert auth + user password auth.


tommy182
Beginner

We have the same challenge now.
Hope we can configure a Windows Server 2016 based CA to auto-enroll a certificate during first-time login to the system.
But I'm not sure if it's actually possible.

Hope there is some good method to solve this caveat.

Regards,
Tom