Is it possible to automatically disable 802.1x in a wired network adapter?

Andy Ruiz Inami
Level 1

Hello everyone,

 

I'm facing this issue with one client: I have implemented Wired 802.1x with EAP-TLS, Guest access for guests with sponsor, and profiling.

 

First, the client didn't accept the use of AnyConnect for 802.1x because of the delay it carries while starting Windows, so we moved to the native supplicant of Windows. He has accepted the fact that EAP chaining is not possible with native supplicants, but now he is telling me that it is not acceptable that users (i.e. managers) bring their laptops to their homes and manually disable 802.1x in their Ethernet cards, and that there must be a way for the wired Ethernet adapter to detect that it's on a different network and disable 802.1x.

 

Of course, he didn't use all the technical babble I used in the previous paragraph; he just said "managers should bring their laptops to their homes and continue working without doing nothing at all, they won't disable 802.1x in their ethernet cards manually, that's unacceptable!"

 

I don't know if it's possible on a Windows machine, and I don't know if it's possible with AnyConnect either, without any interaction from the user.

 

I would greatly appreciate any help on this.

Andy Ruiz Inami
Level 1

I've already found the answer for AnyConnect in the Cisco documentation:

"You can configure a single authenticating wired connection to work with both open and authenticating networks by carefully setting the startPeriod and maxStart such that the total time spent trying to initiate authentication is less than the network connection timer (startPeriod x maxStart < Network Connection Timer). Note: In this scenario, you should increase the network connection timer by (startPeriod x maxStart) seconds to give the client enough time to acquire a DHCP address and finish the network connection. Conversely, administrators who want to allow data traffic if and only after authentication succeeds should make sure that the startPeriod and maxStart is such that the total time spent trying to initiate authentication is greater than the network connection timer (startPeriod x maxStart > Network Connection Timer)."

Unfortunately, the customer doesn't want AnyConnect. Is it possible to achieve a similar behavior with the native supplicant of Windows?

Hi Andy,

If a laptop connects to a network that doesn't use 802.1x, it should still work OK when using the native supplicant. You shouldn't need to disable 802.1x.

Even with AnyConnect you can define multiple networks: the first can require 802.1x; if that fails it could, if configured, attempt to connect to an open network. You can use the profile editor to define the networks, the order, etc.

Thanks for the answer. I don't remember what the default configuration for 802.1x is on the Windows wired Ethernet card when you enable the 802.1x service, but I found the solution: I have to enable the following: "fallback to unauthorized network access"

This option was disabled, it solved the issue. 

https://faq.icto.umac.mo/wp-content/uploads/2015/08/Wired-network-on-Windows-10_e9.jpg

The option is self-explanatory in English, but since the OS is in Spanish the option is not so clear:

"Retroceso de acceso de red no autorizado"

It should say "Acceso de red no autorizado como ultimo recurso"

Well, I'll leave this here so it might help others.
