Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Solved: Anyconnect 3.1 NAM and wired 802.1x auth failover

I installed AnyConnect 3.1.04063 on a win7 box. It's set up with two admin-defined wired network profiles: One for EAP-TLS machine auth and one for unauthenticated access.


The EAP-TLS autheticated just fine when connected to a corporate-owned switch, but when I connect to another network (test beds, home net), it still uses the EAP-TLS profile. How do I get it to fail over to the other profile?

Everyone's tags (4)
New Member

Still seeing the same thing

Edit: Found it.


Connection timeout for the 802.1X wired network must be less than startPeriod * maxStart if the intended behavior is to fail to another netowrk in the list.


Hooray for RTFM!

New Member

Hello,I am in the early


I am in the early stages of pushing out wired NAC to locations. I have the same two profiles, one that is doing EAP-Chaining and one open authentication. I have tested these two profiles for pre-deployment, switches aren't configure to do 802.1x with ISE will be doing open authentication. Switches that are configure to do 802.1x will do EAP-Chaining, but have you run into situations where the PC is doing EAP-Chaining with Machine authentication (no user logged in) at a branch site. The site loses WAN connection back to the ISE node at hub location, machine switches profile to open authentication and allows user to login based on being logged in before. Once the WAN link is back up, profile is stuck on open authentication and wont re authentication (user+machine) with EAP-chaining for full network access unless the port bounce or the machine is restarted. Thanks for the great info and help!  

Cisco Employee

What is your switchport

What is your switchport config look like?

Thank you for rating helpful posts!
New Member

interface FastEthernet0/1

interface FastEthernet0/1
 description Data Port
 switchport access vlan 116
 switchport mode access
 ip access-group ACL-DEFAULT in
 speed 10
 duplex full
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity 180
 authentication violation restrict
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 10
 no mdix auto
 spanning-tree portfast
 spanning-tree bpduguard enable


New Member

Is there a setting that I am

Is there a setting that I am missing to re-authenticate when the WAN links are up


Cisco Employee

Good job on figuring out the

Good job on figuring out the solution to your problem and for taking the time to share it everyone here (+5 from me) :)

Thank you for rating helpful posts!