
NAM and "unprotected identity pattern" not working as expected

Hi,

I'm trying to test the following 802.1x wired environment:

Windows XP SP3 as supplicant

Windows NPS as RADIUS server

2960 as authenticator

latest AnyConnect (3.1.01065) + NAM and standalone profile editor

I have a question:

Could someone explain to me the difference between the protected identity pattern and the unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.), access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine-only and user-only authentication).

I would be grateful for any clues

Best regards

Lukasz

1 Reply

OK, I've solved it... NAM works fine; the problem was with the NPS config. If you want the unprotected identity pattern to work, just configure authentication methods under "connection request policies", not "network policies".
