ISE - Wireless Anyconnect

Answered Question
Jul 29th, 2014
Hello! We have a doubt regarding our ISE installation. We have created a new SSID with EAP Chaining validation (user + machine validation using the AnyConnect client) through ISE, and NAC posture.

The problem is that when a user has never logged in to a PC and tries to log in for the first time through this wireless, it is not working. The facts are like this:

- User enters user/pass for the first time on the computer
- Computer needs to contact AD to download the profile
- Computer associates with the network
- ISE puts the user "on hold" until it is NAC compliant
- Computer never launches the NAC process, so it is never compliant
- ISE doesn't give access to the network
- User cannot log in to the computer.

This only happens the first time a user tries to access the network, because it needs to download the profile; if the user has logged in before, this is not a problem. Do you think there is any solution for this problem?


Correct Answer
Saurav Lodh Thu, 09/11/2014 - 15:42

Use EAP Chaining with EAP-FAST v2. In the auth attempt, the supplicant provides the authentication server (ISE) with both the machine and user credentials for each auth attempt. Supported by the Cisco AnyConnect 3.1 client/supplicant. In ISE, to enable its support: Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols -> Default Network Access (for example) -> Allow EAP-FAST.

jan.nielsen Sun, 09/28/2014 - 21:07

Well, I guess you would need a wired port with no dot1x for first-time logins, or you could give the PC access to the AD servers it needs when the machine is authenticated but not compliant yet.
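The authorization logic both answers point at (machine-only EAP chaining result before the user has logged on, posture still unknown, so grant only what the domain logon and the posture agent need) can be written down as a small policy model. The following is an added example written for this thread, not code from Cisco, ISE or either poster; it does not talk to ISE, it only models the decision and generates the restricted ACL as text. The enum string values are modelled on the ISE attributes NetworkAccess:EapChainingResult and Session:PostureStatus, the profile names and the AD/ISE addresses are constructed placeholders, and the port list is an assumption of what a first-time logon typically needs (DNS, Kerberos, LDAP, SMB, RPC) rather than anything the thread states.

```python
"""Model of an ISE-style authorization policy for EAP chaining + posture.

Illustrative example for this thread, not Cisco ISE code. It encodes the
approach from the answers: a machine-authenticated session whose user has
not logged on yet (or is not yet compliant) gets a restricted ACL that still
reaches AD and the ISE posture service, so the first-time domain logon and
the posture check can both complete; only a compliant user+machine session
gets full access.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class EapChainingResult(Enum):
    # String values modelled on ISE NetworkAccess:EapChainingResult
    NO_CHAINING = "No chaining"
    USER_OK_MACHINE_FAILED = "User succeeded and machine failed"
    USER_FAILED_MACHINE_OK = "User failed and machine succeeded"   # machine-only / pre-logon
    BOTH_OK = "User and machine both succeeded"


class PostureStatus(Enum):
    # String values modelled on ISE Session:PostureStatus
    UNKNOWN = "Unknown"
    NON_COMPLIANT = "NonCompliant"
    COMPLIANT = "Compliant"


# Constructed placeholder addresses: replace with the real AD/DNS servers and ISE PSN.
AD_SERVERS = ["10.0.0.10", "10.0.0.11"]
ISE_PSN = "10.0.0.50"


@dataclass
class Authorization:
    profile: str        # constructed profile name
    acl: List[str]      # ACL lines in Cisco-style syntax


def pre_logon_acl() -> List[str]:
    """ACL for a machine-authenticated, not-yet-compliant session.

    Assumed minimum for a first-time domain logon plus the posture agent;
    everything else is denied until the session is re-authorized.
    """
    lines: List[str] = []
    for srv in AD_SERVERS:
        lines += [
            f"permit udp any host {srv} eq 53",    # DNS
            f"permit udp any host {srv} eq 88",    # Kerberos
            f"permit tcp any host {srv} eq 88",
            f"permit tcp any host {srv} eq 389",   # LDAP
            f"permit tcp any host {srv} eq 445",   # SMB: profile, SYSVOL, GPO
            f"permit tcp any host {srv} eq 135",   # RPC endpoint mapper
        ]
    lines += [
        f"permit tcp any host {ISE_PSN} eq 8443",  # ISE portal / posture redirect
        f"permit tcp any host {ISE_PSN} eq 8905",  # posture agent discovery
        f"permit udp any host {ISE_PSN} eq 8905",
        "deny ip any any",
    ]
    return lines


def authorize(chain: EapChainingResult, posture: PostureStatus) -> Authorization:
    """Decide the authorization profile from the chaining result and posture state."""
    if chain in (EapChainingResult.NO_CHAINING,
                 EapChainingResult.USER_OK_MACHINE_FAILED):
        # Unknown machine: no network access at all.
        return Authorization("DenyAccess", ["deny ip any any"])
    if chain == EapChainingResult.USER_FAILED_MACHINE_OK:
        # Pre-logon: the machine is trusted, no user yet. Open just enough for
        # the logon and profile download (the case the question describes).
        return Authorization("MachineOnly-PreLogon", pre_logon_acl())
    # Both user and machine succeeded: full access only once posture passes.
    if posture == PostureStatus.COMPLIANT:
        return Authorization("PermitAccess", ["permit ip any any"])
    return Authorization("Posture-Pending", pre_logon_acl())


if __name__ == "__main__":
    for chain in EapChainingResult:
        for posture in PostureStatus:
            a = authorize(chain, posture)
            print(f"{chain.value:40} {posture.value:13} -> {a.profile}")
    print("\n".join(pre_logon_acl()))
```

The point of the model is the middle row: the pre-logon machine-only session is neither denied nor given full access, so the PC can reach AD to build the profile, the user can log on, the supplicant then re-authenticates with user plus machine credentials, and posture decides the final profile.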
