AnyConnect NAM EAP-FAST user certificate issue

fedor.solovev
Spotlight

Hello, guys.
Did someone face the same issue? Any hints are appreciated.

I am migrating from Windows Native Supplicant using PEAP to NAM using EAP-FAST with machine and user cert authentication.

NAM is installed, configuration.xml is uploaded, machine certificate authentication is successful (can see it in ISE logs)
The issue is:
If/when a new user logs into the PC it fails to download its user certificate and GPO policies
=> which causes a pop up window: No valid certificates available. Please insert a smart card or install a valid certificate.
=> Then NAM blocks network completely.

At that moment no certificate is available for the user in the Personal directory.
gpupdate fails because the PC cannot reach the GPO server.

I tried using a setting in NAM Profile editor under Client Policy -> connection Settings - Before user logon for 60 seconds but it didn't help.

PC still fails to upload a user profile and fails to connect to network.
- ISE 2.6
- NAM 4.8
- Win 10
- Tested for Wired

The current very bad workaround:
To disable NAM on the driver, authenticate using PEAP native supplicant, download a profile and a user cert, enable NAM back and successfully use EAP-FAST

which only proves that a user profile cannot be downloaded because of NAM.

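Added diagnostic for the two symptoms described above (no user cert in the Personal store, and gpupdate unable to reach the domain controller). This is not from the thread or from Cisco; it is a script to run in the affected user's session right after logon. It assumes the logon DC is the one in `$env:LOGONSERVER`, that TCP/389 reachability is a fair proxy for "the PC can reach the GPO server", and that the user cert ISE expects carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2).

```powershell
# Added diagnostic script (not from the thread). Run in the affected user's session
# after logon to see which prerequisite from the post is missing: a usable user
# certificate in Cert:\CurrentUser\My ("Personal"), and reachability of the logon DC
# that Group Policy and certificate autoenrollment need.
# Assumptions: the DC is $env:LOGONSERVER, and TCP/389 (LDAP) reachability is a
# reasonable proxy for "the PC can reach the GPO server".

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, needed for EAP-TLS / EAP-FAST user auth

function Test-ClientAuthCert {
    # True if the cert is time-valid, has a private key, and is allowed for client auth
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) { return $false }
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    if (-not $eku) { return $true }    # no EKU extension means the cert is valid for any purpose
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

function Get-UsableUserCert {
    # Certs in the current user's Personal store that would satisfy the supplicant
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { Test-ClientAuthCert -Cert $_ }
}

function Test-LogonDcReachable {
    # Strips the leading \\ from LOGONSERVER and probes LDAP; $false when no DC is known
    $dc = ($env:LOGONSERVER -replace '^\\\\', '')
    if ([string]::IsNullOrEmpty($dc)) { return $false }
    $probe = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue
    return [bool]$probe.TcpTestSucceeded
}

$certs = @(Get-UsableUserCert)
if ($certs.Count -eq 0) {
    Write-Host "No usable client-auth certificate in Cert:\CurrentUser\My for $env:USERNAME"
} else {
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}

if (Test-LogonDcReachable) {
    Write-Host "Logon DC $env:LOGONSERVER reachable on TCP/389; 'gpupdate /target:user /force' and 'certutil -pulse' can trigger policy and autoenrollment"
} else {
    Write-Host "Logon DC $env:LOGONSERVER not reachable: if NAM is still blocking the port, GPO and autoenrollment cannot run"
}
```

If the first check lists a valid cert but NAM still prompts, compare the listed issuer against the CA that the NAM profile and the ISE certificate authentication profile trust; if the second check fails while the machine session in the ISE logs shows success, the block is happening between machine auth and the user logon, which is the window the "Before user logon" setting is meant to cover.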
4 Replies

edwardonelife
Level 1

Hi

How did you make the machine auth work? In my case the pop-up appears for machine authentication.

If I get it right, you may have more than 1 cert for machine auth, so Windows offers the user a choice of one.
You can configure configuration.xml to use a specific cert for authentication.

Mike.Cifelli
VIP Alumni

Using NAM can be a bit tricky. Here is something you could try to meet your requirement:

-You have the ability to deploy an additional network setup in your configuration.xml file via the NAM profile editor. Perhaps you deploy a secondary network that seeks EAP-TLS machine cert auth only, which you then steer into a restricted network that has limited access to your services and would allow the user to enroll via GPO to pull a user cert. I think this would work, but the catch here is that users would then have to reauthenticate afterwards via the other network profile that uses EAP-FAST for EAP chaining to gain full onboarding to their respective network. So some user education and reauths would be required. The other thing to note here is the proper configuration of network policy to ensure you are steering traffic accordingly.

Something else to note: in this scenario your hosts would never fall back to MAB, so if that is a desire then test/plan to meet your needs. The reason being that upon reauth, if the user cert is not present, your EAP chaining result would become comp pass/user fail. However, dot1x would eventually terminate and NAM would attempt to connect via the other network profile, which would always onboard via 802.1X with the comp cert via EAP-TLS. Definitely some things to consider, but I hope this helps at least shed some possibilities. HTH!

Mike,
looks nice, sounds good. Thank you for sharing this workaround.
But only one thing here: as we know, sometimes it is hard to explain to users what they need to do, when, and especially why.
So this is a workaround for IT staff, but it would have to be carried out by users.

Eventually we had to drop the idea of using cert auth for users because of its limitation:
with NAM configured for both machine and user cert auth,
you have to get a user cert first (obviously) in order to pass user auth. Until then NAM doesn't work properly, blocking all traffic.
Since you cannot predict which user will be using a PC the next day, user cert auth doesn't meet our needs.