AnyConnect 3.1 NAM machine + user authentication fails when switching between wired and wireless networks

it
Level 1

I'm using Secure ACS 5.3 and a WLC (WLC is running software version 7.3.101.0) to authenticate wireless clients (authenticating via PEAP).

The client machines are running Windows7 and AnyConnect 3.1 NAM.

The authentication is configured for machine and user authentication.  In the user authentication rule I have the "Was Machine Authenticated = True" parameter set.  So the user will not be able to successfully authenticate unless the machine was first authenticated.  This works just fine on the wireless network.

The problem arises when the client (a laptop in this case) is connected to the wired network, but then disconnects from the wired network and switches over to wireless.  The NAM pops up a dialog asking for user credentials.  Upon entering the user credentials, ACS rejects the authentication attempt because the machine hasn't been authenticated.  So I set up wired authentication.  Now the client connects to the wired network and authenticates both machine and user successfully.  But then disconnecting from the wired network and trying to connect via wireless renders the same result: a dialog box asking for credentials.  ACS again rejects the authentication attempt because it says the machine was not authenticated.  I was hoping that since the machine had already successfully authenticated over the wire, ACS would not require another machine authentication on the wireless.  But since the MAC address changes, the authentication that happened over the wire isn't considered valid for wireless connectivity.

I contacted TAC about this issue and they found a feature request which pretty much exactly describes my circumstances:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtq11470

They are not planning to support it in Secure ACS, but said a variation will be supported in ISE.  Ug. 

It appears the only way NAM will attempt re-authenticating the machine is by rebooting.

I tried restarting the AnyConnect services but that only triggered user authentication.

So is there a trick to get NAM to trigger machine re-authentication without having to reboot?
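The behaviour described in the post follows from how the MAR cache is keyed. The following is an added illustration, not Cisco code: a toy model of a Machine Access Restriction cache that records machine authentications by Calling-Station-Id (the client MAC the NAS reports) and ages them out after a configurable number of hours. The MAC addresses, timings and the 5-hour aging value are constructed for the example; the "Was Machine Authenticated = True" condition in the user rule is modelled as a lookup in that cache.

```python
"""Toy model of a MAR (Machine Access Restriction) cache.

Added example, not Cisco code. It shows why a machine authentication
done on one interface does not satisfy MAR for a user authentication
on another interface: the cache is keyed on the Calling-Station-Id
(client MAC), so the wired NIC and the wireless NIC of the same laptop
are two different "machines" to the AAA server.
"""
from dataclasses import dataclass, field

MAR_AGING_HOURS = 5  # assumed aging time; constructed for this example


@dataclass
class MarCache:
    """Maps Calling-Station-Id (MAC) -> time of last successful machine auth."""
    aging_seconds: float = MAR_AGING_HOURS * 3600
    entries: dict = field(default_factory=dict)

    def machine_authenticated(self, calling_station_id: str, now: float) -> None:
        # MAC is normalised so formatting differences between NAS types do not matter
        self.entries[calling_station_id.upper()] = now

    def was_machine_authenticated(self, calling_station_id: str, now: float) -> bool:
        stamp = self.entries.get(calling_station_id.upper())
        if stamp is None:
            return False  # no machine auth ever seen from this MAC
        return (now - stamp) <= self.aging_seconds  # entry still within aging window


def authorize_user(cache: MarCache, calling_station_id: str, now: float,
                   user_creds_ok: bool = True) -> str:
    """User rule: credentials must be good AND 'Was Machine Authenticated = True'."""
    if not user_creds_ok:
        return "REJECT: bad user credentials"
    if not cache.was_machine_authenticated(calling_station_id, now):
        return "REJECT: machine not authenticated"
    return "ACCEPT"


def roaming_scenario() -> tuple:
    """Wired machine+user auth, then unplug and join the SSID (as in the thread)."""
    cache = MarCache()
    wired_mac = "00:11:22:33:44:55"     # constructed
    wireless_mac = "66:77:88:99:aa:bb"  # constructed: a different NIC, so a different key
    t = 0.0
    cache.machine_authenticated(wired_mac, t)            # machine auth at boot, over the wire
    on_wire = authorize_user(cache, wired_mac, t + 60)   # user logon on wired: passes
    on_wifi = authorize_user(cache, wireless_mac, t + 600)  # roam to wireless: no entry for this MAC
    return on_wire, on_wifi


def aging_scenario(hours_later: float) -> str:
    """Same interface, but the user auth arrives hours after the machine auth."""
    cache = MarCache()
    mac = "00:11:22:33:44:55"  # constructed
    cache.machine_authenticated(mac, 0.0)
    return authorize_user(cache, mac, hours_later * 3600)


if __name__ == "__main__":
    print(roaming_scenario())   # wired accepted, wireless rejected
    print(aging_scenario(1))    # inside aging window
    print(aging_scenario(6))    # past aging window
```

The model makes the two practitioner-relevant points explicit: a second interface is a cache miss no matter how recently the machine authenticated elsewhere, and even on the same interface a machine-only cache entry expires after the aging time unless the machine authenticates again.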

3 Replies

nspasov
Cisco Employee

Hello Luke-

I have faced the same issue with MAR (Machine Access Restriction) in the past. It all worked great while we had wireless authentication only, but things went out of control once we started to roll out wired.

I have been working with ISE for a little bit now and I can tell you that the same issue is still present. It would be pretty nice if they could "fix" this, but as of right now you would face the same exact issue. So if you want to do user+machine authentication, you have a couple of options that were recently discussed in this thread:

https://supportforums.cisco.com/message/3775027#3775027

To answer your other question:

So is there a trick to get NAM to trigger machine re-authentication without having to reboot?

Back when I had this issue I was able to "trick" the native Windows client to perform machine authentication again by going to "Start Menu > Shut Down > Switch User." In the new window it is important not to click on the already logged-in user but to select "New/Different User." There you can still type the same credentials for the already logged-in user. This seemed to force the machine to pass its machine credentials again without having to reboot the machine, which is still not ideal and not user friendly at all, but that is all I have. Also, do keep in mind that I have not tested this with the AnyConnect client, so results may vary.

Thank you for rating!

Can you check the XML profile on the NAM supplicant to see if the machine authentication is enabled for the SSID you are authenticating against? I haven't tested the NAM supplicant as deeply as I should, but I was under the impression that if you select machine authentication for the wireless SSID, the machine credentials will be sent when associated to the network.

Also keep in mind that the MAR feature is tied into the MAC address of the interface that is connecting to the network. I would double check the client profile with NAM profile editor and see if it is selected for wireless.

Thanks,

Sent from Cisco Technical Support iPad App

Unfortunately that bug/enhancement was not approved and was recently closed by TAC:

  • The status of this bug is Closed. The bug report is valid, but a conscious decision has been made not to fix it at all or in all releases. Normally a development engineering manager moves a bug report to this state.