cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

660
Views
5
Helpful
5
Replies
ahmed_saleh
Beginner

ISE version 3 and AnyConnect NAM user and machine authentication Eap-chain with 2 user login to same machine

Hello all

 

i have deployment ISE version 3 and AnyConnect NAM user and machine authentication (Certificate )Eap-chain with 2 user login to same windows Machin 

 

first user able to connect but second user he got no valid certificate how i can solve this issue

5 REPLIES 5
Mohammed al Baqari
VIP Advisor

Hi,

Do you have all required certificates in the trusted store for all users? I
am referring to the certificate used for EAP as per your ISE config. Verify
that it exists for the error user.


***** please remember to rate useful posts

yes first user when he login in MMC personal certificate certificate is there

but second user he can login but no certificate ,then ISE is blocking all traffic 

i use work around ,changed user Auth EAP-FAST ->Authenticate using a password EAP-MSCHAPV2

 

Hi,

Is the certificate imported as machine certificate or user certificate.? It
should be user.

Also, try to reinstall NAM on the user machine as I have seen similar cases
before.

**** please remember to rate useful posts

Assuming what Mike.Cifelli brought up not an issue for you, I would suggest you to check the event logs for certificate auto-enrollment, if that is what you are using, and ensure to provide connectivity for that. Still, I myself ran into some timing issues and ended up manual invoking the certificate enrollment. 

Mike.Cifelli
VIP Advocate

When you install NAM it restricts logon to a single user.  You should be able to tweak a reg key to allow multiple users to be logged on.  See below:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.

0 allows multiple users to be logged on.

 

HTH!

Content for Community-Ad