Hide NAM at login

nkingsbury
Beginner

Hello,

I am working on implementing user+machine auth via AnyConnect NAM and ISE 2.3. Everything is pretty much working, except I would like to hide the NAM connection that pops up on login when a user logs in. I think seeing that pop up will scare some people, and also, make them think it is slowing down their login (I know it is, but I would rather them not know it).

I have not been able to find an answer to this anywhere, which is surprising because I would think that everyone would want to get rid of this.

I would also be OK with just doing the connect after logon, but when I set that option, it takes up to 10 minutes before it will connect.

Any help is always appreciated.

Accepted Solutions

stsargen
Cisco Employee

Hi Nathan,

Unfortunately this dialog cannot be hidden from the end user.  Anytime you have "Before User Logon" enabled in the Client Policy you will see this.

As for the 10 minute delay, we would need to see logs to see what might be going on. 

Thanks,

Steve S.

10 Replies

howon
Cisco Employee

Moving to AnyConnect space for proper attention.

Hey Steve,

Thanks for the reply. It is a bummer that the dialog cannot be hidden, but I guess it is what it is. Is it common to use Before User Logon? I was wanting to enable it so that network storage devices would connect on logon.

As far as the long connect time, I am not sure if it is an issue with my ISE setup or something with AnyConnect. I notice that once I have established a connection, I can disconnect from the network, or join a different one, and then reconnecting back to the original is almost immediate. It's just during login that it takes so long.

I noticed during my last attempt that during "associating", I saw about a dozen failed connection attempts in my RADIUS logs on ISE with it only passing the host/machinename. After 3 and a half minutes it passed user.name,machinename and succeeded.

howon
Cisco Employee

Regarding the 10 minute delay: are you allowing access to the AD related services for machine authentication? If you are already providing access to AD resources and authentication is taking 10 minutes, then it could be an IP fragmentation issue. Simply add 'permit ip any any fragments' to the machine auth ACL.

I am not entirely sure what you mean. I have both ACLs on the wireless controller and a DACL on ISE. Would I need to add the fragments line on the controller? When I try to add it to the DACL, ISE tells me it's an invalid argument.

Hello Nathan,

From what I read (syntax bug), the message you received is a warning only and you should be able to proceed. Is that not the case?

Best regards,

Paul

AC TME

Hi Paul,

I suppose it does let me continue with a warning that it failed the syntax check. I'll test it out. Attached is a picture of what I am seeing (Capture.PNG).

Looks to be a match. Let us know.

Good find. My Google-fu did not produce that bug. I have it added to the DACL but it did not help. I think the rest of this issue is something more ISE related rather than AnyConnect, so I posted a new topic over in the ISE discussion. The computer seems to only pass the machine credentials on login rather than both user and machine.

OK. Very good, good luck.

Best regards,

Paul
