Remote Desktop with AnyConnect VPN client to a corporate LAN with ISE

inaiate87
Level 1

Hi folks,

I have a VPN to our corporate LAN, which uses the AnyConnect client. Since we deployed ISE in our LAN, we are not able to use Remote Desktop over our VPN.

Users can connect to the VPN and can even ping the remote hosts, but can't use Remote Desktop.

Searching around the web, it seems like a known issue that is solvable using Cisco NAM (Network Access Manager), but I can't configure it, because it looks like something directed at wireless networks. When I connect to the VPN, I can't select the wired network in Cisco NAM; only wireless networks appear.

Can anyone help me configure the NAM?

Thanks in Advance


Marvin Rhoads
Hall of Fame

You can use NAM with the standalone AnyConnect profile editor. It's available from the AnyConnect download page on cisco.com (AnyConnect license required).

https://software.cisco.com/download/release.html?mdfid=286281283&flowid=72322&softwareid=282364313

Your VPN issue sounds odd though - I'm not convinced it's the root of your issue. We'd need some further information on that.

Hi Marvin,

What additional information do you need?

The problem, as I found while searching the web, is that Remote Desktop uses machine authentication, whereas in our scenario we have both user and machine authentication. So we have two separate VLANs: one that grants access for the machine to authenticate, and the other (user authentication) to filter the permissions for the users.

So Remote Desktop, as I can see on the switch port, tries to authenticate the user with machine authentication instead of using user authentication. It has something to do with the native Windows supplicant.

The problem I'm having is using the NAM. The majority of our users access the VPN through 3G WWAN, but it seems the Cisco NAM can't recognize this connection, as it only finds wireless connections.

I'm having problems configuring the Cisco NAM.

So are you trying to do EAP chaining? That is, first authenticate the machine and then the user?

If so, then yes, that requires AnyConnect NAM.

I haven't used it with them, but NAM should support 3G adapters - what version of NAM are you using?

Yes, I believe the correct term is EAP chaining. But I'm using EAP-TLS, and a document I found states that EAP chaining must be used with EAP-FAST.

AnyConnect version is 4.3.02039

AnyConnect gives me the ability to manage the mobile broadband network in the "Client Policy" field, but in the "Networks" field it does not give the possibility to set up a profile for Mobile Broadband media, only wired and wireless.

Yes - EAP-FAST must be your outer method. You can use EAP-TLS as the inner method.

Lots more details on that in this document (if you haven't already seen it):

https://communities.cisco.com/docs/DOC-68163

The mobile broadband bit is outside my expertise - perhaps another member can chime in.

I will check the document for more info.

Thanks, Marvin, for your help.