Solved: Re: Anyconnect 802.1x machine certificate

asimk · ‎08-14-2018

Hi guys

I have a problem with the anyconnect NAM module and our 802.1x setup (Windows NPS server doing the auth. PEAP using a machine certificate)

On a windows machine without Anyconnect installed (using the native suplicant) everything works well.

When I install Anyconnect with the NAM module, and create a NAM profile with PEAP and inner methods eap-tls using a cert. I get failed authentications with the error "No credentials are available in the security package"

I'm thinking that this must be something to do with Anyconnect being able to access the machine certificate and not reading it properly?

How can I tell which cert Anyconnect is looking at?

Any ideas would be very helpful.

Thanks

AK

stsargen · ‎08-17-2018

Hi,

Based on your screenshot "Screen Shot 08-15-18 at 12.25 PM 001.PNG" you have the "Enforce Network Access Protection" (NAP) enabled on the policy that NAM is connecting to. If this is enabled for the PEAP authentication policy Windows NPS will propose and EAP type of "33" (MS-Authentication-TLV) to be used with (NAP) instead of "25" (PEAP) see IANA EAP types document. https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml NAM does not support EAP Type 33. Can you try to uncheck the option and retest with PEAP-TLS.

We can also probably see this EAP type being proposed in the NAM logs if you enable extended logging and provide a DART bundle.

Thanks,

Steve S.

View solution in original post

Rob Ingram · ‎08-14-2018

Hi,
Any reason why you do not just use EAP-TLS as the EAP Method, rather than PEAP/EAP-TLS?
Are you doing Machine AND User authentication? Or just machine authentication?

If you upload you xml file, I can have a look

HTH

asimk · ‎08-14-2018

Hi HTS

Thanks for the quick response.

I used PEAP/EAP-TLS as the method as thats how its set up on the NPS server.

i didnt think to use just EAP-TLS, i can give that a test though.

I cant seem to upload XML files here.

AK

asimk · ‎08-14-2018

screenshots attached

asimk · ‎08-14-2018

forgot to add , im using just machine auth

asimk · ‎08-15-2018

Just tried using EAP-TLS only and the NPS server is now giving me the following error:
The client could not be authenticated because the Extensible Auhentication Protocol (EAP) type cannot be processed by the server

Rob Ingram · ‎08-15-2018

Ok, can you provide a screenshot of the NPS configuration in regard to authentication methods and a screenshot of the configure AC profile, I assume you changed this from PEAP?

asimk · ‎08-15-2018

All attached.

Rob Ingram · ‎08-15-2018

Ok, looks like NPS is still using PEAP. In the configuration on NPS you'd need to change the EAP Type from PEAP to (I think) Microsoft: Smart card or other certificate.

asimk · ‎08-15-2018

Hi RJI

Thanks for your time on this so far. On the attached screenshot you can see that we are already using PEAP & smart card or cert.

I dont think this is a config issue on the NPS side as without Anyconnect installed everything works fine using the native Windows supplicant.

Im wondering if my version of anyconnect might be the issue (4.6.00362). Im just having a read of the release notes.

Can anyone confirm that they have got machine auth to work using Anyconnect NAM?

Thanks

Rob Ingram · ‎08-15-2018

In my first response I just made an observation and I was querying as to why you were using PEAP/EAP-TLS rather than just EAP-TLS as the EAP Method. In a later response you said you'd tried using just EAP-TLS and received an error on NPS, my last response was to rectify that issue by changing the EAP Type on the NPS server, which you'd only have to do because you'd change the EAP method being sent by the client.

I agree that changing NPS probably wouldn't be required to fix you original issue, unless you were going to changing the EAP type used by the client.

I have previously succesfully authenticated machines using EAP-TLS or PEAP/MSCHAPv2 using AC NAM 4.5/4.6, using ISE as the RADIUS server however. I could probably lab this at weekend if you haven't resolved the issue by then.

stsargen · ‎08-17-2018

Hi,

Based on your screenshot "Screen Shot 08-15-18 at 12.25 PM 001.PNG" you have the "Enforce Network Access Protection" (NAP) enabled on the policy that NAM is connecting to. If this is enabled for the PEAP authentication policy Windows NPS will propose and EAP type of "33" (MS-Authentication-TLV) to be used with (NAP) instead of "25" (PEAP) see IANA EAP types document. https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml NAM does not support EAP Type 33. Can you try to uncheck the option and retest with PEAP-TLS.

We can also probably see this EAP type being proposed in the NAM logs if you enable extended logging and provide a DART bundle.

Thanks,

Steve S.

asimk · ‎09-06-2018

Steve ,

Many thanks for your response on this.

It was the "Enforce Network Access Protection" setting that was causing my issues.

I turned it off and it all worked ok!

Regards

AK