1191 Views, 0 Helpful, 3 Replies

Migration from windows native supplicant+NAC agent to Anyconnect agent

dngore
Cisco Employee

Hi,

The customer wants to migrate from the Windows native supplicant (802.1X authentication) + NAC agent (for posture) to the AnyConnect agent (NAM + ISE Posture module).

They want the recommended option (with the least effort and support intervention) for the migration. I can think of the following:

  • Deploy the AnyConnect agent with the NAM and ISE posture modules configured (with the "uninstall NAC agent" option enabled)
  • This will let the NAM module take precedence over the Windows native network adapter settings (802.1X configuration)
  • And it will remove the NAC agent and install the ISE posture module

This way, the user's system will be able to authenticate and get postured using the AnyConnect agent in a one-step migration process.

Let me know if this works, and also any risks.

3 Replies

Mike.Cifelli
VIP Alumni
I recently went through the process of testing out NAM with no posture module to utilize EAP chaining so we could drive network policy based on the user & computer. Some things you may want to consider:

How often will the customer require re-authentication? Without the use of PACs, re-authentication with no user present can cause issues such as 802.1X process termination and fallback to MAB. The fix I used was profiling based on AD-Host-Exists being true. This allows MACs to be stored in an endpoint group that can be authorized as you wish if the dot1x process is terminated.

Will you be using smart cards? Will your customer require the ability to perform a "switch user" on a single workstation? If so, here is the fix:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}

To configure single or multiple user logon, add a DWORD named EnforceSingleLogon (this should already be there), and give it a value of 1 or 0.

1 restricts logon to a single user.

0 allows multiple users to be logged on.

I have noticed that on a system reboot, or a complete user logoff, EAP chaining works beautifully and gives you the ability to drive policy based on the EAP chaining result. If the customer has users who lock their box and you use a short re-auth timer, I strongly recommend a lot of testing.

HTH!
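The EnforceSingleLogon registry setting described in the reply above is easy to get wrong by hand (wrong hive, REG_SZ instead of REG_DWORD), so here is an added PowerShell example, not code from the thread or from Cisco, that audits the current value and sets it explicitly as a DWORD. It assumes the credential provider key at the path quoted in the reply exists once NAM is installed; the function names Get-NamLogonMode and Set-NamLogonMode are my own. Run it from an elevated session.

```powershell
# Added example (not from the thread): audit and optionally set the EnforceSingleLogon
# DWORD that controls whether "switch user" works with the NAM credential provider.
# Key path is the one quoted in the reply; assumed present once NAM is installed.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'
$ValueName = 'EnforceSingleLogon'

function Get-NamLogonMode {
    # Returns 'SingleUser' (1), 'MultipleUsers' (0), 'NotSet' or 'KeyMissing'.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return 'KeyMissing' }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { return 'NotSet' }
    switch ([int]$props.$ValueName) {
        1       { 'SingleUser' }
        0       { 'MultipleUsers' }
        default { "Unexpected value $($props.$ValueName)" }
    }
}

function Set-NamLogonMode {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SingleUser', 'MultipleUsers')]
        [string]$Mode
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Credential provider key not found at $KeyPath; is NAM installed?"
    }
    $value = if ($Mode -eq 'SingleUser') { 1 } else { 0 }
    # -PropertyType DWord guarantees REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $value `
        -PropertyType DWord -Force | Out-Null
}

"Current logon mode: $(Get-NamLogonMode)"
# Set-NamLogonMode -Mode MultipleUsers   # uncomment to allow 'switch user' on the workstation
```

Get-NamLogonMode distinguishes "value absent" from "key absent" so you can tell a missing NAM install apart from a default configuration before pushing the change fleet-wide.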

Thanks for your inputs, Mike.

I just wanted to confirm my migration approach. Installing the AnyConnect agent (NAM + ISE Posture module) on the system will override the native supplicant configuration and remove the NAC agent in one step.

I need not first remove the native supplicant configuration & NAC agent and then deploy the AnyConnect agent. It will be automatically taken care of by deploying the AnyConnect agent. Is that the correct understanding?

Your understanding is correct. When I was testing both, I actually left the native supplicant configs in place for rollback purposes, so if you needed to uninstall NAM/AnyConnect you could still 802.1X authenticate via the native supplicant. Just keep in mind that as soon as you install NAM and reboot, your host will use NAM to manage your adapter(s).