Hello! We have a doubt regarding our ISE installation. We have created a new SSID with EAP Chaining validation (user + machine validation using the AnyConnect client) through ISE, and NAC posture.
The problem is that when a user has never logged in to a PC and tries to log in for the first time through this wireless network, it does not work. The facts are like this:
- User enters user/pass on the computer for the first time
- Computer needs to contact AD to download the profile
- Computer associates with the network
- ISE puts the user "on hold" until it is NAC compliant
- Computer never launches the NAC process, so it is never compliant
- ISE does not give access to the network
- User cannot log in to the computer.
This only happens the first time a user tries to access the network, because it needs to download the profile; if the user has logged in before, this is not a problem. Do you think there is any solution for this problem?
Use EAP Chaining with EAP-FAST v2. In the auth attempt, the supplicant provides the authentication server (ISE) both the machine and user credentials for each auth attempt. Supported by the Cisco AnyConnect 3.1 client/supplicant. In ISE, to enable its support: Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols -> Default Network Access (for example) -> Allow EAP-FAST.
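Enabling EAP-FAST only gives ISE the combined machine+user result; the first-logon problem in the question is then decided by the authorization rules that consume that result together with the posture status. The following is an added example (not ISE code and not from either poster) that models ISE's first-match authorization as a small Python rule engine. The attribute values for Network Access:EapChainingResult and Session:PostureStatus are the strings ISE actually reports; the rule names, the authorization profile names, the `allows_ad` flag and the three session snapshots of a first logon are assumptions constructed for this example. It shows why a posture-pending profile whose ACL blocks the domain controllers leaves a first-time user stuck, and that the same rule set works once that profile permits AD traffic.

```python
"""Toy first-match authorization model for EAP Chaining + posture (added example).

EapChainingResult / PostureStatus strings are the ones ISE reports; every
profile name, rule name and session snapshot below is an assumption.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Values ISE reports in Network Access:EapChainingResult
BOTH_OK = "User and machine both succeeded"
MACHINE_ONLY = "User failed and machine succeeded"
USER_ONLY = "User succeeded and machine failed"
NO_CHAIN = "No chaining"

# Authorization profiles (assumed names). allows_ad = the dACL/VLAN reaches DCs/DNS,
# which a roaming-profile download needs; posture_redirect = NAC agent redirect applied.
PROFILES: Dict[str, Dict[str, bool]] = {
    "Full-Access":                {"allows_ad": True,  "posture_redirect": False},
    "Posture-Redirect-AD-Permit": {"allows_ad": True,  "posture_redirect": True},
    "Posture-Redirect-Quarantine": {"allows_ad": False, "posture_redirect": True},
    "PreLogon-AD-Only":           {"allows_ad": True,  "posture_redirect": False},
    "DenyAccess":                 {"allows_ad": False, "posture_redirect": False},
}


@dataclass
class Rule:
    name: str
    match: Callable[[Dict[str, str]], bool]
    profile: str


def build_policy(pending_profile: str) -> List[Rule]:
    """Rule set in ISE evaluation order (first match wins).

    pending_profile is what a fully chained session receives while
    Session:PostureStatus is still Unknown or NonCompliant.
    """
    return [
        Rule("Chained-Compliant",
             lambda a: a["EapChainingResult"] == BOTH_OK
             and a["PostureStatus"] == "Compliant",
             "Full-Access"),
        Rule("Chained-Posture-Pending",
             lambda a: a["EapChainingResult"] == BOTH_OK
             and a["PostureStatus"] != "Compliant",
             pending_profile),
        # Machine leg passed, no user yet: the PC is at the logon screen.
        Rule("Machine-Only-PreLogon",
             lambda a: a["EapChainingResult"] == MACHINE_ONLY,
             "PreLogon-AD-Only"),
        # USER_ONLY / NO_CHAIN (personal device with AD creds) fall through to deny.
    ]


def authorize(policy: List[Rule], attrs: Dict[str, str]) -> str:
    """Return the authorization profile of the first matching rule, else deny."""
    for rule in policy:
        if rule.match(attrs):
            return rule.profile
    return "DenyAccess"


# Constructed snapshots of one first-time logon on a domain PC (assumed timeline).
FIRST_LOGON: List[Dict[str, str]] = [
    {"stage": "logon screen, machine credentials only",
     "EapChainingResult": MACHINE_ONLY, "PostureStatus": "Unknown"},
    {"stage": "user typed credentials, profile download from AD",
     "EapChainingResult": BOTH_OK, "PostureStatus": "Unknown"},
    {"stage": "desktop up, NAC agent reported",
     "EapChainingResult": BOTH_OK, "PostureStatus": "Compliant"},
]


def first_logon_timeline(policy: List[Rule]) -> List[str]:
    """Profile assigned at each stage of the constructed first logon."""
    return [authorize(policy, snap) for snap in FIRST_LOGON]


def first_logon_succeeds(policy: List[Rule]) -> bool:
    """The profile download happens before posture can complete, so every
    pre-Compliant stage must land on a profile that can reach AD."""
    for snap in FIRST_LOGON:
        if snap["PostureStatus"] != "Compliant":
            if not PROFILES[authorize(policy, snap)]["allows_ad"]:
                return False
    return True


if __name__ == "__main__":
    for pending in ("Posture-Redirect-Quarantine", "Posture-Redirect-AD-Permit"):
        policy = build_policy(pending)
        print(pending, first_logon_timeline(policy), first_logon_succeeds(policy))
```

The quarantine variant reproduces the symptom from the question: the chained session is held in a redirect profile that cannot reach the domain controllers, the profile download never finishes, the user never reaches the desktop, and the agent that would move posture to Compliant never runs. Changing only the posture-pending profile so its ACL permits DC/DNS traffic lets the same rule order complete.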