ISE - Wireless Anyconnect

Oscar Cardiel
Level 1

Hello! We have a doubt regarding our ISE installation. We have created a new SSID with EAP Chaining validation (user + machine validation using the AnyConnect client) through ISE, and NAC posture.

The problem is that when a user has never logged in to a PC and tries to log in for the first time through this wireless, it is not working. The facts are like this:

 

- User introduces user/pass for the first time to computer

- Computer needs to contact AD to download the profile

- Computer associates with the network

- ISE puts the user "on-hold" until it's NAC compliant

- Computer never launches NAC process, so it's never compliant

- ISE doesn't give access to network

- User cannot log in to the computer.

 

This only happens the first time a user tries to access the network, because it needs to download the profile; if the user has logged in before, this is not a problem. Do you think there is any solution for this problem?

1 Accepted Solution

Accepted Solutions

Saurav Lodh
Level 7

Use EAP Chaining with EAP-FAST v2. In the auth attempt, the supplicant provides the authentication server (ISE) both the machine and user credentials for each auth attempt. Supported by the Cisco AnyConnect 3.1 client/supplicant. In ISE, to enable its support, go to Policy->Policy Elements->Results->Authentication->Allowed Protocols->Default Network Access (for example)->Allow EAP-FAST.


2 Replies


jan.nielsen
Level 7

Well, I guess you would need a wired port with no dot1x for first-time logins, or you could give the PC access to the AD servers it needs when the machine is authenticated, but not compliant yet.
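The second suggestion above (a limited authorization result for sessions that are machine-authenticated but not yet posture-compliant) is easiest to reason about as an ordered policy. The following is an added example, not code from the thread or from Cisco ISE: a small Python model of an ISE-style authorization policy and first-match dACL evaluation. The domain controller and PSN addresses, the port list and the profile names are all constructed for the illustration; the DC port list is a minimal subset, not a complete Windows logon requirement.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed lab addresses (not from the thread): two domain controllers and one ISE PSN.
DOMAIN_CONTROLLERS = ["10.0.0.10", "10.0.0.11"]
ISE_PSN = "10.0.1.20"

# One access-control entry: (action, destination host or "any", protocol or "any", port or None).
Ace = Tuple[str, str, str, Optional[int]]


def dc_aces() -> List[Ace]:
    """Illustrative minimum a domain-joined Windows host needs to reach a DC for
    logon and profile download. A real list also needs RPC (135 + dynamic range)
    and possibly LDAPS / Global Catalog; this is a constructed subset."""
    aces: List[Ace] = []
    for dc in DOMAIN_CONTROLLERS:
        aces += [
            ("permit", dc, "udp", 53),    # DNS
            ("permit", dc, "tcp", 88),    # Kerberos
            ("permit", dc, "udp", 88),
            ("permit", dc, "tcp", 389),   # LDAP
            ("permit", dc, "tcp", 445),   # SMB: SYSVOL, GPO, roaming profile
            ("permit", dc, "udp", 123),   # NTP, so Kerberos clock skew stays in bounds
        ]
    return aces


# Authorization profiles, each a dACL evaluated first-match with an implicit deny.
DACLS = {
    "PERMIT_ALL": [("permit", "any", "any", None)],
    # The "machine authenticated, not yet compliant" result: only the DCs (for the
    # logon and profile download) and the ISE PSN (so the posture agent can report
    # in once the user reaches the desktop) are reachable.
    "MACHINE_AD_PREPOSTURE": dc_aces() + [("permit", ISE_PSN, "tcp", 8443)],
    "DENY_ALL": [],
}


@dataclass
class Session:
    machine_auth: bool   # EAP chaining inner machine result
    user_auth: bool      # EAP chaining inner user result
    posture: str         # "Compliant", "NonCompliant" or "Unknown"


# Ordered rules, first match wins, mirroring how an ISE authorization policy is walked.
RULES: List[Tuple[str, Callable[[Session], bool], str]] = [
    ("Chained_Compliant",
     lambda s: s.machine_auth and s.user_auth and s.posture == "Compliant",
     "PERMIT_ALL"),
    ("Machine_PrePosture",
     lambda s: s.machine_auth and (not s.user_auth or s.posture != "Compliant"),
     "MACHINE_AD_PREPOSTURE"),
]
DEFAULT_PROFILE = "DENY_ALL"


def authorize(session: Session) -> str:
    """Return the name of the authorization profile the session lands on."""
    for _name, predicate, profile in RULES:
        if predicate(session):
            return profile
    return DEFAULT_PROFILE


def allows(profile: str, dst: str, proto: str, port: int) -> bool:
    """First-match dACL evaluation with an implicit deny at the end."""
    for action, ace_dst, ace_proto, ace_port in DACLS[profile]:
        if ace_dst not in ("any", dst):
            continue
        if ace_proto not in ("any", proto):
            continue
        if ace_port is not None and ace_port != port:
            continue
        return action == "permit"
    return False


if __name__ == "__main__":
    # The first-login case from the question: machine is authenticated, the user
    # has no cached profile yet, and no posture report has arrived.
    first_login = Session(machine_auth=True, user_auth=False, posture="Unknown")
    profile = authorize(first_login)
    print(profile,
          allows(profile, "10.0.0.10", "tcp", 88),   # Kerberos to a DC: permitted
          allows(profile, "10.0.5.5", "tcp", 443))   # arbitrary internal host: denied
```

The point of the ordering is that the pre-posture rule is keyed on the machine result alone, so it catches both the machine-only session at first logon and a chained session whose posture is still pending, while a user-only session with no machine credential never gets the AD-scoped result.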
