11613 Views, 3 Helpful, 11 Replies

Windows 10 AnyConnect 4.3 NAM Questions

scamarda
Cisco Employee

I am testing Windows 10 with AC NAM 4.3. All works well except I am seeing two different issues.

1) When the user logs off the machine, the wireless disconnects. I have the extend connection after user log off enabled in the NAM. The result is I get no logon servers available if I am not using cached credentials.

2) Even though I log in as one user, the NAM actually sends the credentials of another user to ISE. If I log into the machine as user A, the NAM sends the credentials of user B. User B logged on at one time but not recently. The NAM is not set up for single sign on. ISE version is 2.1. Using PEAP as the EAP protocol.

Any ideas on the issues I am seeing?


11 Replies

Oliver Laue
Level 4

I would suggest using Machine and User Authentication. If a user logs off Windows, the Machine Authentication kicks in and the client is connected to the network.

In the AC 3.0 Guide there is a note:

For Vista or Windows 7, when a user logs in, whether locally or remotely, the Network Access Manager authenticates only the first user session, ignoring subsequent logon sessions while the first session persists.

Thanks for the response. I am doing machine and user auth. When logged out, I see the domain computer name on both the ISE and the WLC. Still, when I log in with user A credentials (cached, I'm assuming), the credentials presented to the ISE are from user B. This happens after a reboot as well. Also, I am not switching users, but actually logging off the machine.

Since I'm normally using the Windows supplicant on my deployments, I've never seen a problem like this.

Did you try switching off the setting "extend user connection beyond logoff"?

After removing AnyConnect, the user connectivity worked OK with the Microsoft native supplicant. The single sign on works fine without AnyConnect installed. With AnyConnect installed I see the wireless connection disconnect upon logout. I believe that is the reason why I am seeing the incorrect user with AnyConnect. With the wireless disconnected, I am using cached credentials to get into the machine. Once logged in, the Win10 machine connects wireless and then forwards the last successful wireless credentials to log in to ISE.

Sam

Please either write to AnyConnect team yourself or share a copy of your DART with me offline so I may ask the AnyConnect team to take a look.

I've not tried NAM with wireless recently myself, but it did auth machine and user correctly for me before.

vibobrov
Cisco Employee
Accepted Solution

On Windows 8 and above, you have to set this registry key in order for NAM to be able to retrieve the Machine password: Fix EAP-Chaining UserPassedMachineFailed Issue With Windows 8 - GlobalConfig.net -

Does this workaround open up any vulnerabilities using the LsaAllowReturningUnencryptedSecrets?

Using the registry edit worked for me on Windows 10, same question as Travis though, and is this something due to be fixed in a future AnyConnect release?

pcarco
Cisco Employee

Please let me know if Viktor's suggestion doesn't work. After digging in a bit further, this sounds like an old bug we had, CSCun61437.

Symptom

User is authenticated with incorrect credentials to the network.

Conditions:

This issue can occur if you are using EAP-FAST and PACs. When the first user logs off of Windows and the second user logs in, the user Authorization PAC that is sent for the first user will be validated by ISE for authentication, when the tunnel PAC for the new user should actually be validated.

Jeffrey Jones
Level 5

Well, the issue I am seeing on Windows 10 is that AnyConnect says anonymous for the user instead of the user logged in to the machine, which keeps the machine from getting an IP address. Happens on HP switches, does not happen on Cisco or wireless.

Hi jjonessec1969,

I just had a similar issue but with a Cisco Wireless connection.

The Microsoft NPS RADIUS server was showing host/anonymous in the logs.

I changed the credentials in the profile for Unprotected Identity Pattern to be host/[username].

That was for machine-only login, but it worked for me; it might help with your issue too.
