NAM to WNS migration / EAP-TLS with EAP-Chaining discussion

dropped_packetz
Level 1

I am looking for experiences from others who have done a migration from Cisco NAM to Windows Native Supplicant, especially if you use it for wired devices doing EAP-Chaining with EAP-TLS for both machine and user. I acquired an ISE environment that uses Cisco NAM with EAP-FAST and EAP-TLS to authenticate both machine and user. And as you can guess, it does not work at all for new users who log in to a workstation for the first time, due to the device not having a user cert to authenticate the user, and NAM completely shuts down the network interface. This forces us to remove the authentication port-control auto from the device's switchport config to allow the user network access to receive a user cert from our CA server before we can lock it back down. I have set up a limited-access dACL and Authorization Policy for machine pass/user fail, and a device in that condition will hit the policy, but due to NAM completely shutting down the network interface, what ISE does doesn't matter. I am trying to convince management to let me test moving to WNS with TEAP & EAP-TLS for EAP-Chaining. I am just looking for anyone who has done this before and can confirm that WNS works more gracefully with the workstation than NAM does. I would assume WNS isn't going to go full N*zi and completely shut down the network interface, which would allow my limited-access policy to do its thing and allow them to get their user cert to re-authenticate for full access. Or will I need to set up the limited-access policy with EAP-TLS for machine and EAP-MSCHAPv2 for user? I don't have a lab environment to test this out on my own, so I'm just looking for others' experiences. Any input is appreciated.

5 Replies

Greg Gibbs
Cisco Employee

I'm not sure this is a specific issue with NAM. My guess would be that you're getting an ACCESS-REJECT response due to failed authentication since there is no User certificate to present when Windows transitions to the user state.

You can use the EAP Chaining result of 'User failed and computer succeeded' to provide initial access until the GPO can enroll the User certificate.
See a similar discussion here:
https://community.cisco.com/t5/network-access-control/eap-teap-first-time-user-login-chicken-amp-egg-scenario/td-p/4475351
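As an added illustration (not from this thread or from Cisco documentation), here is the shape of the switchport stanza and the limited-access dACL that the "User failed and computer succeeded" authorization rule would push: 802.1X with MAB fallback stays enabled on the port, and the dACL permits only what a newly logged-in domain user needs to reach the domain controller and the CA so GPO processing and certificate autoenrollment can complete. The interface, ACL name, host addresses and the RPC dynamic port range are placeholders and assumptions; substitute your own.

```cisco
! --- Switchport: keep port-control auto, rely on the ISE policy instead of removing it ---
interface GigabitEthernet1/0/1
 description Example access port (assumed name)
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10

! --- dACL content configured in ISE and returned for the "machine passed, user failed" result ---
! Name (assumed): LIMITED-CERT-ENROLL
! 10.0.0.10 = domain controller / DNS (assumed), 10.0.0.20 = issuing CA (assumed)
permit udp any eq bootpc any eq bootps
permit udp any host 10.0.0.10 eq domain
permit tcp any host 10.0.0.10 eq domain
permit udp any host 10.0.0.10 eq 88
permit tcp any host 10.0.0.10 eq 88
permit tcp any host 10.0.0.10 eq 389
permit tcp any host 10.0.0.10 eq 445
permit tcp any host 10.0.0.10 eq 135
permit tcp any host 10.0.0.10 range 49152 65535
permit tcp any host 10.0.0.20 eq 135
permit tcp any host 10.0.0.20 range 49152 65535
permit tcp any host 10.0.0.20 eq 443
deny ip any any
```

Two practical notes: a dACL only takes effect once the switch has learned the endpoint's IP address, so IP device tracking (or device-tracking policy on newer IOS-XE) must be enabled on the access ports; and once autoenrollment has placed the user certificate in the user store, the supplicant has to re-authenticate (a CoA from ISE or a reauth timer) before the full-access rule is hit, which is exactly the step the original post says NAM never reaches because the interface is already down.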

Hi Greg.  I put in my original post that I do have a test switch setup with limited-access Authorization Policies that only my test switch can hit and they do hit it in this situation and ISE and the policies do what they are supposed to do.  I will make a general reply with more context.

I think that is a NAD action rather than NAM. When ISE gets back to the NAD with an ACCESS-REJECT, the NAD will not allow the user traffic over that port. This behaviour won't change between NAM and the native supplicant. As you and @Greg Gibbs mentioned, setting up a rule with limited access would be the way to go.

Sorry, I am just now getting back to replying. I mentioned in my original post that I do have a limited-access Authorization Policy set up that only my test switch can hit, and said it does hit it. To be more precise, I have one for when the system is sitting at the login screen (machine pass/user fail), and I have one for when NAM isn't installed at all, for the machine to hit a MAB EPP and hit another limited-access policy. Both work perfectly as designed/configured on the ISE side. I will make a general reply with more information.

dropped_packetz
Level 1

To add more context, I am attaching the two errors that pop up from NAM when a new user logs in. They basically just toggle back and forth: you hit OK on one and the next message pops up, hit OK on that one and the next message pops up, and the cycle continues.

Like I said in my original post, I do have limited-access Authorization Policies in place that only my test switch can hit. I set one up for when a system is sitting at the login screen (machine pass/user fail), and I have one set up for when NAM isn't installed or not working at all, so the machine will hit an EPP via MAB and hit the "NoEAP" limited-access policy. Both are working perfectly all the time. Even when a new user logs in and the machine has no network access, the switchport is still hitting the NoEAP policy and applying the dACL, the same dACL I have network access with when the system is sitting at the login screen or doesn't have NAM installed on it at all.

I had a TAC case open for over a month where we were attempting to figure out some way to put a delay in NAM authenticating and give auto-enrollment time to retrieve a cert from our CA server, but they never could figure out a way. They verified from the DART bundles I gathered that NAM was shutting down the network interface. We have had this issue ever since we upgraded to Ver 2.7 and implemented EAP-Chaining, but it was not an issue that received much attention because we also ran the Posture and ISE Compliance modules to check the version of AnyConnect on the system, and while that was scanning, NAM waited until it was done before it would attempt to authenticate. In Secure Client, NAM does not behave the same way: it attempts to authenticate right away, so we have lost that delay we had before.

Attachments: ISEAUTHERROR-1.png, ISEAUTHERROR-2.png