Authentication failing after first reboot, works after second on initial ISE module deployment

Good afternoon!  We are deploying Cisco ISE in our environment utilizing SCCM.  In the deployment is AnyConnect 4.6 with NAM, Posture, and compliance modules.  The package installs, then reboots the machine.  We're noticing behavior where when the end user logs in for the first time the NAM states "Authentication Failed" and will eventually bring up a prompt for Username and Password stating "Please enter your username and password for the network."  When a user logs off and logs back in (or simply reboots) everything works as normal.  Any solution to make this work on only one reboot?  We've noticed this behavior on Windows 7 and Windows 8.1 clients.  Thanks!

6 Replies

Jason Kunst
Cisco Employee

Moving to the AnyConnect community as it doesn't seem like an ISE issue.

Thanks for the reply.  Digging into the logs further it almost looks like an issue with EAP authentication, if you have any thoughts from this:

206: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.

207: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: Identity sent

208: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: identity sent: sync=2

209: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 2: state transition: PENDING -> RESPONDED

210: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_STARTED -> AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION

211: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request completed, response sent: sync=2

212: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 2: state transition: RESPONDED -> COMPLETED

213: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP-CB: credential requested: sync=3, session-id=1, handle=026B00A4, type=AC_CRED_EAP_METHODS

214: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP: credential request deferred: sync=3

215: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1716]: EAP-CB: sending EapCredentialRequestEvent...

216: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: ...received EapCredentialRequestEvent.

217: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: processing credential request: sync=3, session-id=1, eap-handle=026B00A4, eap-level=0, auth-level=0, protected=0, type=CRED_REQ_EAP_METHODS

218: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP suggested by server: eapTls

219: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-6-INFO_MSG: %[tid=1688]: EAP: EAP requested by client:  eapTls

220: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: EAP methods sent: sync=3

221: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: EAP: credential request 3: state transition: PENDING -> RESPONDED

222: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED

Versus what looks like one of the failures:

206: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.

207: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: EAP: Identity sent

208: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: identity sent: sync=2

209: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request 2: state transition: PENDING -> RESPONDED

210: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_STARTED -> AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION

211: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request completed, response sent: sync=2

212: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: credential request 2: state transition: RESPONDED -> COMPLETED

213: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE

214: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: sending EapStatusEvent...

215: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_ERR_CLIENT_IDENTITY_REJECTED

216: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: ...received EapStatusEvent: session-id=1, EAP handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE

217: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: sending EapStatusEvent...

218: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1700]: EAP: Eap status AC_EAP_STATUS_EAP_FAILURE.

219: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: EAP: processing EapStatusEvent in the subscriber

220: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1732][mac=1,6,f8:b1:56:12:34:56]: {294B1B0E-21DC-4857-AECC-1234567890}: Port State UNAUTHENTICATED and status EAP_FAILURE

221: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1700]: Auth[ABCCorp Wired:machine-auth]: Unprotected identity rejected, authentication failed.

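The two excerpts above diverge right after the outer identity is sent: the first goes on to an EAP-TLS negotiation and AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED, the second gets AC_EAP_STATUS_ERR_CLIENT_IDENTITY_REJECTED. As an added example (not from the original post), here is a small Python triage helper that parses NAM log lines in the layout shown and classifies each attempt by that outcome; the sample excerpts are constructed, modelled on the fragments quoted in the thread.

```python
import re

# NAM log line layout as it appears in the thread:
#   <seq>: <host>: <timestamp> <tz>: %NAM-<sev>-<mnemonic>: %[tid=<n>][optional tags]: <message>
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<host>\S+): (?P<ts>.+? [+-]\d{4}): "
    r"%NAM-(?P<sev>\d)-(?P<mnemonic>\w+): %\[tid=(?P<tid>\d+)\](?:\[[^\]]*\])*: (?P<msg>.*)$"
)
IDENTITY_RE = re.compile(r"Sending unprotected identity = (?P<identity>.+?)\.?$")

def parse_line(line):
    """Return the named fields of one NAM log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def assess_machine_auth(lines):
    """Classify how the outer (unprotected) identity exchange of one attempt ended.
    Returns (identity, outcome), outcome in {accepted, identity_rejected, eap_failure, unknown}."""
    identity, outcome = None, "unknown"
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        ident = IDENTITY_RE.search(msg)
        if ident:
            identity = ident.group("identity")
        # Most specific signal wins: the server rejected the outer identity itself.
        if "ERR_CLIENT_IDENTITY_REJECTED" in msg or "Unprotected identity rejected" in msg:
            return identity, "identity_rejected"
        if msg.endswith("-> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED"):
            return identity, "accepted"
        if "AC_EAP_STATUS_EAP_FAILURE" in msg:
            outcome = "eap_failure"  # generic failure; keep looking for the reason
    return identity, outcome

# Constructed sample excerpts, modelled on the two fragments quoted in the thread.
GOOD_ATTEMPT = [
    "206: TEST-PC: May 10 2018 14:17:20.321 +0600: %NAM-6-INFO_MSG: %[tid=1688]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.",
    "222: TEST-PC: May 10 2018 14:17:20.331 +0600: %NAM-7-DEBUG_MSG: %[tid=1688]: Auth[ABCCorp Wired:machine-auth]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED",
]
BAD_ATTEMPT = [
    "206: TEST-PC: May 10 2018 13:53:59.988 +0600: %NAM-6-INFO_MSG: %[tid=1700]: Sending unprotected identity = host/TEST-PC.ABCCorp.com.",
    "213: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_EAP_FAILURE",
    "215: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-7-DEBUG_MSG: %[tid=1732]: EAP-CB: EAP status notification: session-id=1, handle=022D9AAC, status=AC_EAP_STATUS_ERR_CLIENT_IDENTITY_REJECTED",
    "220: TEST-PC: May 10 2018 13:53:59.998 +0600: %NAM-6-INFO_MSG: %[tid=1732][mac=1,6,f8:b1:56:12:34:56]: {294B1B0E-21DC-4857-AECC-1234567890}: Port State UNAUTHENTICATED and status EAP_FAILURE",
]
```

Running assess_machine_auth over each first-login attempt pulled from the NAM log makes it quick to confirm whether every failure is the same identity rejection rather than, say, a certificate or timeout problem.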
Perhaps your authorization rules are not set up to allow AD communication when the machine is first connecting?

I'll check this out.  Would this be within ISE, specifically where?  Thanks!

This would be your default port ACL and any ACL used in your authorization profiles.

https://communities.cisco.com/docs/DOC-68171

kvenkata1
Cisco Employee

I would look at the Windows 7/Windows 8 guidelines mentioned in the AnyConnect 4.6 RN & confirm if they are followed/helpful.

Release Notes for Cisco AnyConnect Secure Mobility Client, Release 4.6 - Cisco

Else please open a TAC case to debug further.

- Krish