09-06-2016 03:34 AM - edited 02-21-2020 08:58 PM
Hi folks,
I have a VPN to our corporate LAN, which uses the AnyConnect client. Since we deployed ISE in our LAN, we are not able to use Remote Desktop over our VPN.
Users can connect to the VPN and can even ping the remote hosts, but can't use Remote Desktop.
Searching around the web, it seems like a known issue that is solvable using Cisco NAM (Network Access Manager), but I can't configure it, because it looks like something directed at wireless networks. When I connect to the VPN, I can't select the wired network in Cisco NAM; only wireless networks appear.
Can anyone help me configure the NAM?
Thanks in advance
09-06-2016 05:25 AM
You can use NAM with the stand-alone AnyConnect profile editor. It's available from the AnyConnect download page on cisco.com (AnyConnect license required).
https://software.cisco.com/download/release.html?mdfid=286281283&flowid=72322&softwareid=282364313
Your VPN issue sounds odd though - I'm not convinced it's the root of your issue. We'd need some further information on that.
09-06-2016 05:39 AM
Hi Marvin,
What information do you need in addition?
The problem, as I found while searching the web, is that Remote Desktop uses machine authentication, whereas in our scenario we have user and machine authentication. So we have two separate VLANs: one that grants access for the machine to authenticate, and the other (user authentication) to filter the permissions for the users.
So Remote Desktop, as I can see on the switch port, tries to authenticate the user with machine authentication instead of using user authentication. It has something to do with the native Windows supplicant.
The problem I'm having is using the NAM. The majority of our users access the VPN through 3G WWAN, but it seems Cisco NAM can't recognize this connection, as it only finds wireless connections.
I'm having problems configuring Cisco NAM.
09-06-2016 05:46 AM
So are you trying to do EAP chaining? That is, first authenticate the machine and then the user?
If so, then yes, that requires AnyConnect NAM.
I haven't used it with them, but NAM should support 3G adapters. What version of NAM are you using?
09-06-2016 06:20 AM
Yes, I believe the correct term is EAP chaining. But I'm using EAP-TLS; a document I found states that EAP chaining must be used with EAP-FAST.
AnyConnect version is 4.3.02039
AnyConnect gives me the ability to manage the mobile broadband network in the "Client Policy" field, but in the "Networks" field it does not give the possibility to set up a profile for Mobile Broadband media, only wired and wireless.
09-06-2016 06:32 AM
Yes - EAP-FAST must be your outer method. You can use EAP-TLS as the inner method.
Lots more details on that in this document (if you haven't already seen it):
https://communities.cisco.com/docs/DOC-68163
The mobile broadband bit is outside my expertise - perhaps another member can chime in.
09-06-2016 06:44 AM
I will check the document for more info.
Thanks, Marvin, for your help.