Re: NAM 4.6 and Windows 10 not changing auth after user login

DIEHARDave · ‎06-05-2019

I have tried just about everything and can not get the NAM client to cause the workstation to reauth using the user credentials after login.

I am configured to use the following methods in the NAM client.

Machine Auth - EAP-FAST with EAP-TLS for the inner.

User Auth - EAP-FAST with EAP-MSCHAPv2 inner.

I know my policies work and the NAM supplicant is able to provide all the correct info. I know this because all i have to do is clear the auth on the switchport after the user is logged in and the policy changes from "Machine Auth" to "User and Machine Auth" which are the correct policy names meaning my configuration in ISE is working when provided with the correct radius response.

What am I missing to get the client to clear and reauth after logging in? It just seems to work in all the videos and guides i have gone through.

Most of the time, but not all of the time. If i log off it will switch back to "Machine Auth" on it's own but then again will not switch back to "Machine and User Auth" once logged in.

Ideas?

stsargen · ‎06-05-2019

Have you tried the latest 4.7 client. We did have some issues like this that we resolved in 4.7. If this doesn't fix it please upload a DART bundle. Please keep in mind that you are using ISE and will need to make sure that you have the patch installed for CSCvm03681 to properly negotiate TLS 1.2 with NAM.

Thanks,

Steve S.

DIEHARDave · ‎06-06-2019

Went to the latest 4.7 and the issue is the same...

After logging in to the laptop. According to ISE it stays at machine auth unless I forcefully cause a reauth by either clearing it on the switch or sending a CoA reauth from within ISE. Also shut/no shut or disconnecting/reconnecting the network cable causes the correct auth to happen as well.

It feels like the NAM client thinks it did a reauth after logging in but didn't as when looking at the Statistics tab for the NAM module it shows eapFast(eapMschapv2) for the EAP Method which would be the inner user auth which it should be using as I am logged in... But from the ISE perspective, it is still only showing EAP-FAST (EAP-TLS) which would be the Machine auth.. If I do a "Network Repair" in NAM it comes back showing N/A for the EAP Method on the Statistics tab. And ISE never saw a reauth attempt and continues to treat it as if nothing happened and it still is just authed as a machine.

Causing the reauth manually via ISE, the switch, or physically.. the NAM Statistics tab shows eapFast(eapMschapv2) however ISE then shows EAP-FAST (EAP-MSCHAPv2,EAP-TLS) as it should and gives the correct policy results.

BTW I am getting these same results in 2 different ISE environments (One v 2.4.0.357 Patch 6, and the other only at Patch 3 so can't use the new AnyConnect with it yet.), two different domains, using 2 different "clean" (no locked down gpo's enforced on them.. so i am told) laptops.. So i am not sure what else is in common!

I am still digging... I am working on a TAC case for this as well but that is a whole other nightmare due to corporate structure and licensing/support listed under the wrong entities and such!

Any other thoughts or ideas?

stsargen · ‎06-07-2019

stsargen · ‎06-07-2019

You will need to post a dart bundle so we can have a look at the logs. If possible enable extended logging in NAM.

How to enable extended logging in NAM.

1. Open the NAM UI

2. Press <alt><shift><L>

3. Right click on the AnyConnect tray icon

4. Select the "Extended Logging" option

5. Reproduce the issue and collect a DART.

DIEHARDave · ‎06-18-2019

So I don't know what changed while I was a Cisco Live last week but when i got back things where working as expected in terms of it changing between Machine auth when no user logged in and Machine + User when they are!

My new issue is I am able to plug into a guest network that does not do authentication and am able to get access! It even shows connected using my corporate profile in the NAM client yet the profile is setup as an Authenticating Network... I even went so far as to deselect Open wired connections in the Authentication Policy in the NAM yet it still seems to have no trouble connecting...

Any ideas? Should I start a new discussion on the issue? These machines must not be able to connect to any network other than the defined networks in the NAM.