Cisco Employee

Windows 10 AnyConnect 4.3 NAM Questions

I am testing Windows 10 with AC NAM 4.3. All works well except I am seeing two different issues.

1) When the user logs off the machine, the wireless disconnects. I have the extend connection after user log off enabled in the NAM. The result is I get no logon servers available if I am not using cached credentials.

2) Even though I log in as one user, the NAM actually sends the credentials of another user to ISE. If I log into the machine as user A, the NAM sends the credentials of user B. User B logged on at one time but not recently. The NAM is not set up for single sign on. ISE version is 2.1. Using PEAP as the EAP protocol.

Any ideas on the issues I am seeing?

Accepted Solution
Cisco Employee

Re: Windows 10 AnyConnect 4.3 NAM Questions

On Windows 8 and above, you have to set this registry key in order for NAM to be able to retrieve the Machine password: Fix EAP-Chaining UserPassedMachineFailed Issue With Windows 8 - GlobalConfig.net

Enthusiast

Re: Windows 10 AnyConnect 4.3 NAM Questions

I would suggest using Machine and User Authentication. If a user logs off Windows, the Machine Authentication kicks in and the client is connected to the network.

On the AC 3.0 Guide there is a note:

For Vista or Windows 7, when a user logs in, whether locally or remotely, the Network Access Manager authenticates only the first user session, ignoring subsequent logon sessions while the first session persists.

Cisco Employee

Re: Windows 10 AnyConnect 4.3 NAM Questions

Thanks for the response. I am doing machine and user auth. When logged out, I see the domain computer name on both the ISE and the WLC. Still, when I log in with user A credentials (cached, I'm assuming), the credentials presented to the ISE are from user B. This happens after a reboot as well. Also, I am not switching users, but actually logging off the machine.

Enthusiast

Re: Windows 10 AnyConnect 4.3 NAM Questions

Since I'm normally using the Windows supplicant on my deployments, I've never seen a problem like this.

Did you try switching off the setting "extend user connection beyond logoff"?

Cisco Employee

Re: Windows 10 AnyConnect 4.3 NAM Questions

After removing AnyConnect, the user connectivity worked OK with the Microsoft native supplicant. The single sign on works fine without AnyConnect installed. With AnyConnect installed I see the wireless connection disconnect upon logout. I believe that is the reason why I am seeing the incorrect user with AnyConnect. With the wireless disconnected, I am using cached credentials to get into the machine. Once logged in, the Win10 machine connects to wireless and then forwards the last successful wireless credentials to log in to ISE.

Sam

Cisco Employee

Re: Windows 10 AnyConnect 4.3 NAM Questions

Please either write to AnyConnect team yourself or share a copy of your DART with me offline so I may ask the AnyConnect team to take a look.

I've not tried NAM with wireless recently myself, but it did auth machine and user correctly for me before.

Beginner

Re: Windows 10 AnyConnect 4.3 NAM Questions

Does this workaround open up any vulnerabilities using the LsaAllowReturningUnencryptedSecrets?

Re: Windows 10 AnyConnect 4.3 NAM Questions

Using the registry edit worked for me on Windows 10, same question as Travis though, and is this something due to be fixed in a future AnyConnect release?

Cisco Employee

Re: Windows 10 AnyConnect 4.3 NAM Questions

Please let me know if Viktor's suggestion doesn't work. After digging in a bit further, this sounds like an old bug we had: CSCun61437

Symptom:

User is authenticated with incorrect credentials to the network.

Conditions:

This issue can occur if you are using EAP-FAST and PACs. When the first user logs off of Windows and the second user logs in, the user Authorization PAC that is sent for the first user will be validated by ISE for authentication, when the tunnel PAC for the new user should actually be validated.

Contributor

Re: Windows 10 AnyConnect 4.3 NAM Questions

Well, the issue I am seeing on Windows 10 is that AnyConnect says anonymous for the user instead of the user logged in to the machine, which keeps the machine from getting an IP address. Happens on HP switches, does not happen on Cisco or wireless.

Re: Windows 10 AnyConnect 4.3 NAM Questions

Hi jjonessec1969,

I just had a similar issue but with a Cisco Wireless connection.

The Microsoft NPS RADIUS server was showing host/anonymous in the logs.

I changed the credentials in the profile for Unprotected Identity Pattern to be host/[username].

That was for machine only login, but it worked for me, might help with your issue too.