EAP-Chaining With AnyConnect No Valid Certificate

Augustine Okojie
Cisco Employee

Hello,

Would appreciate any feedback with the below

Working with a customer on EAP-Chaining using AD-issued certificates for both machine and user authentication (NAM config attached). The challenge we are facing is that when a user signs on to a machine for the first time, AnyConnect reports "no valid certificate found"; this is because the user is signing on for the first time and has not requested and registered a certificate. However, since there is no network access, the certificate request process fails.

We have configured ISE to grant access if the machine passes and the user fails; this does not work, since AnyConnect does not report a user authentication failure but a "no valid certificate found". The dot1x process times out and restarts with the same outcome.

The interim solution is to use an OOB method (a port with no ISE configuration) to request a user certificate, after which everything works fine.

My question is whether anyone else has encountered this problem and if there is a way around it. One option is to not use certificates for user authentication and to use AD credentials with PEAP or MSCHAPv2, but the customer's preference is to use certificates.

Would appreciate any feedback.
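The following PowerShell script is an added example, not part of the original post and not Cisco, AnyConnect or ISE code. It performs the check a practitioner would want before blaming NAM or ISE: does the logged-on user actually hold a certificate that EAP-TLS can use (Client Authentication EKU, private key present, not expired) in CurrentUser\My? If not, it asks the Windows autoenrollment client to pull one, which only succeeds when the machine has a path to the CA, such as the out-of-band port described above. It assumes the user certificate template is published for autoenrollment and that the PowerShell certificate provider's EnhancedKeyUsageList property is available (Windows 8 / Server 2012 or later).

```powershell
# Added example: check for (and, if missing, autoenroll) a user certificate
# usable for EAP-TLS user authentication in an EAP-Chaining deployment.
# Assumptions: AD CS with a user template set to autoenroll, and network
# reachability to the CA at the time this runs (e.g. via the OOB port).

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EapUserCertificate {
    # Return every cert in the user's personal store that NAM could present
    # as a user credential: private key present, still valid, client-auth EKU.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        }
}

$certs = Get-EapUserCertificate
if ($certs) {
    Write-Host "User certificate(s) usable for EAP-TLS user authentication:"
    $certs | Format-Table Subject, Issuer, NotAfter, Thumbprint -AutoSize
}
else {
    Write-Warning "No Client Authentication certificate in CurrentUser\My; NAM will report 'no valid certificate found' for the user half of the chain."

    # Trigger user-context autoenrollment now instead of waiting for the
    # scheduled autoenrollment task. Requires reachability to the CA.
    certutil -user -pulse

    # Enrollment is asynchronous; give the client a moment, then re-check.
    Start-Sleep -Seconds 15
    $certs = Get-EapUserCertificate
    if ($certs) {
        Write-Host "Enrollment succeeded; re-run the dot1x connection:"
        $certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize
    }
    else {
        Write-Warning "Still no certificate. Check CA reachability from this port, template Autoenroll permission for the user, and the CertificateServicesClient event log."
    }
}
```

Run it in the user's own session (not elevated as a different account), since CurrentUser\My and `certutil -user -pulse` both act on the interactive user's context; on the interim OOB port it confirms the workaround has actually produced the certificate before the machine is moved back to an ISE-controlled port.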
