EAP-Chaining With AnyConnect No Valid Certificate

Augustine Okojie
Cisco Employee

Hello,

Would appreciate any feedback with the below

Working with a customer with EAP-Chaining using AD-issued certificates for both machine and user authentication (NAM conf attached). The challenge we are facing is that when a user signs on to a machine for the first time, AnyConnect reports "no valid certificate found". This is because the user is signing on for the first time and has not requested and registered a certificate. However, since you have no network access, the certificate request process will fail.

We have configured ISE to grant access if the machine passes and the user fails. This does not work, since AnyConnect does not report a user authentication failure but a "no valid certificate found". The dot1x process times out and restarts with the same outcome.

The interim solution is to use an OOB method (a port with no ISE configuration) to request a user certificate, after which everything works fine.

My question is if anyone else has encountered this problem and if there is a way around it. One option is to not use certificates for user authentication and use AD credentials with PEAP or MSCHAPv2; the customer's preference is to use certificates.

Would appreciate any feedback.

2 Replies

hslai
Cisco Employee (Accepted Solution)

I would suggest putting in an enhancement request. Meanwhile, AnyConnect NAM may have multiple profiles, so you could try configuring a lower-priority one to either use machine auth only or machine cert auth + user password auth.

tommy182
Level 1
We have the same challenge now.
Hope we can configure a win2016-based CA to autoenroll a certificate during first-time login to the system, but I'm not sure if it's actually possible.

Hope there is some good method to solve this caveat...

Regards,
Tom
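As an added example (not from this thread, Cisco, or the NAM profile attached to the question), a PowerShell check that applies the selection criteria a user-certificate EAP-TLS supplicant typically uses, so a logon script can tell in advance which users will land in the "no valid certificate found" state described in the original post, and trigger autoenrollment (the question in the last reply) once the CA is reachable, e.g. on a machine-auth-only profile as hslai suggests. The private-key, validity, Client Authentication EKU and chain criteria, and the issuer name EXAMPLE-ISSUING-CA, are assumptions.

```powershell
# Added diagnostic, not from the thread or from Cisco. Criteria below are assumptions
# about what a user-cert EAP-TLS supplicant requires; EXAMPLE-ISSUING-CA is a placeholder.
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth
$ExpectedIssuer = 'CN=EXAMPLE-ISSUING-CA'    # placeholder for the customer's AD CA

function Test-UserEapCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    if ($Cert.NotBefore -gt $now) { $reasons += 'not yet valid' }
    if ($Cert.NotAfter  -lt $now) { $reasons += 'expired' }
    # No EKU extension means "any purpose"; if one is present it must list clientAuth.
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $ClientAuthOid) {
        $reasons += 'no Client Authentication EKU'
    }
    if ($Cert.Issuer -notlike "*$ExpectedIssuer*") { $reasons += "issuer is not $ExpectedIssuer" }
    # Build the chain against the local trust store, as the supplicant would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $reasons += "chain does not build: $status"
    }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Evaluate every certificate in the signed-on user's personal store.
$results = Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-UserEapCertificate $_ }
$results | Format-Table Usable, Subject, Reasons -AutoSize

if (-not ($results | Where-Object { $_.Usable })) {
    Write-Warning 'No usable user certificate: NAM will report "no valid certificate found".'
    # Once the host can reach the CA (e.g. after machine-only authentication),
    # trigger autoenrollment now rather than waiting for the next policy cycle.
    certutil -pulse
}
```

Run it as the affected user after a machine-auth-only session is up; a second run after `certutil -pulse` should show a usable certificate if the user template allows autoenrollment.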