09-17-2013 12:00 PM - edited 03-10-2019 08:54 PM
I installed AnyConnect 3.1.04063 on a win7 box. It's set up with two admin-defined wired network profiles: One for EAP-TLS machine auth and one for unauthenticated access.
The EAP-TLS authenticated just fine when connected to a corporate-owned switch, but when I connect to another network (test beds, home net), it still uses the EAP-TLS profile. How do I get it to fail over to the other profile?
04-22-2014 07:37 PM
Edit: Found it.
Connection timeout for the 802.1X wired network must be less than startPeriod * maxStart if the intended behavior is to fail to another network in the list.
Hooray for RTFM!
07-28-2014 06:54 AM
Hello,
I am in the early stages of pushing out wired NAC to locations. I have the same two profiles, one that is doing EAP-Chaining and one open authentication. I have tested these two profiles for pre-deployment: switches that aren't configured to do 802.1x with ISE will be doing open authentication. Switches that are configured to do 802.1x will do EAP-Chaining, but have you run into situations where the PC is doing EAP-Chaining with machine authentication (no user logged in) at a branch site? The site loses WAN connection back to the ISE node at the hub location, the machine switches profile to open authentication and allows the user to log in based on being logged in before. Once the WAN link is back up, the profile is stuck on open authentication and won't reauthenticate (user+machine) with EAP-Chaining for full network access unless the port is bounced or the machine is restarted. Thanks for the great info and help!
07-29-2014 01:14 AM
What does your switchport config look like?
07-29-2014 06:13 AM
interface FastEthernet0/1
 description Data Port
 switchport access vlan 116
 switchport mode access
 ip access-group ACL-DEFAULT in
 speed 10
 duplex full
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable
07-31-2014 06:45 AM
Is there a setting that I am missing to re-authenticate when the WAN links are up?
07-29-2014 01:17 AM
Good job on figuring out the solution to your problem and for taking the time to share it with everyone here (+5 from me) :)