I am working on implementing user+machine auth via AnyConnect NAM and ISE 2.3. Everything is pretty much working, except I would like to hide the NAM connection dialog that pops up when a user logs in. I think seeing that pop-up will scare some people and also make them think it is slowing down their login (I know it is, but I would rather they not know it).
I have not been able to find an answer to this anywhere, which is surprising, because I would think that everyone would want to get rid of this.
I would also be OK with just doing the connect after logon, but when I set that option, it takes up to 10 minutes before it will connect.
Any help is always appreciated.
Thanks for the reply. It is a bummer that the dialog cannot be hidden, but I guess it is what it is. Is it common to use Before User Logon? I was wanting to enable it so that network storage devices would connect on logon.
As far as the long connect time, I am not sure if it is an issue with my ISE setup or something with AnyConnect. I notice that once I have established a connection, I can disconnect from the network, or join a different one, and then reconnecting back to the original is almost immediate. It's just during login that it takes so long.
I noticed during my last attempt that during "associating", I saw about a dozen failed connection attempts in my RADIUS logs on ISE, with it only passing host/machinename. After three and a half minutes it passed user.name,machinename and succeeded.
Regarding the 10-minute delay: are you allowing access to the AD-related services for machine authentication? If you are already providing access to AD resources and authentication is still taking 10 minutes, then it could be an IP fragmentation issue. Simply add 'permit ip any any fragments' to the machine auth ACL.
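To make the reply above concrete, here is an added example of what a machine-authentication DACL on ISE can look like with the suggested line in place. This is not configuration from the thread or from Cisco; the domain controller address 10.0.0.10 is a placeholder, the port list is the usual set a domain-joined Windows machine needs to reach a DC (DNS, Kerberos, NTP, RPC endpoint mapper, LDAP/LDAPS, SMB, Kerberos password change, global catalog and the dynamic RPC range), and the `remark` lines are IOS ACL comments. The `permit ip any any fragments` entry has to sit before the final deny, or it never gets evaluated.

```ios
remark Example machine-auth DACL (added illustration, not from the original thread)
remark 10.0.0.10 is a placeholder for the domain controller
remark DNS
permit udp any host 10.0.0.10 eq 53
permit tcp any host 10.0.0.10 eq 53
remark Kerberos and Kerberos password change
permit udp any host 10.0.0.10 eq 88
permit tcp any host 10.0.0.10 eq 88
permit tcp any host 10.0.0.10 eq 464
permit udp any host 10.0.0.10 eq 464
remark NTP
permit udp any host 10.0.0.10 eq 123
remark RPC endpoint mapper plus the dynamic RPC range
permit tcp any host 10.0.0.10 eq 135
permit tcp any host 10.0.0.10 range 49152 65535
remark LDAP, LDAPS and global catalog
permit tcp any host 10.0.0.10 eq 389
permit udp any host 10.0.0.10 eq 389
permit tcp any host 10.0.0.10 eq 636
permit tcp any host 10.0.0.10 eq 3268
remark SMB for group policy and SYSVOL
permit tcp any host 10.0.0.10 eq 445
remark Non-initial fragments carry no port header, so the port-based lines above cannot match them.
remark This is the line the reply recommends adding; it must precede the final deny.
permit ip any any fragments
deny ip any any
```

If more than one DC is in play, repeat the host entries for each, or widen the destination to the DC subnet. The fragments line is the only part of this list that is specific to the delay discussed in the thread; everything else is just the minimum a domain-joined machine needs before a user has logged in.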
Good find. My Google-fu did not produce that bug. I have added it to the DACL, but it did not help. I think the rest of this issue is something more ISE-related rather than AnyConnect, so I posted a new topic over in the ISE discussion. The computer seems to only pass the machine credentials on login rather than both user and machine.