Cisco Support Community

ISE - Wireless Anyconnect

Hello! We have a doubt regarding our ISE installation. We have created a new SSID with EAP Chaining validation (user + machine validation using the AnyConnect client) through ISE, and NAC posture.

The problem is that when a user who has never logged in to a PC tries to log in for the first time over this wireless network, it does not work. The facts are as follows:

 

- User enters user/pass on the computer for the first time

- Computer needs to contact AD to download the profile

- Computer associates with the network

- ISE puts the user "on-hold" until it's NAC compliant

- Computer never launches NAC process, so it's never compliant

- ISE doesn't give access to network

- User cannot login to computer.

 

This only happens the first time a user tries to access the network, because the PC needs to download the profile; if the user has logged in before, this is not a problem. Do you think there is any solution for this problem?

1 ACCEPTED SOLUTION

Use EAP Chaining with EAP

Use EAP Chaining with EAP-FAST v2. In the auth attempt, the supplicant provides the authentication server (ISE) both the machine and user credentials for each auth attempt. Supported by the Cisco AnyConnect 3.1 client/supplicant. To enable its support in ISE: Policy -> Policy Elements -> Results -> Authentication -> Allowed Protocols -> Default Network Access (for example) -> Allow EAP-FAST.

2 REPLIES


Well, I guess you would need a

Well, I guess you would need a wired port with no dot1x for first-time logins, or you could give the PC access to the AD servers it needs when the machine is authenticated but not compliant yet.
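
One way to implement the second suggestion in the reply above (let a machine-authenticated but not-yet-compliant PC reach AD), as an added example that is not from the original thread or from Cisco: a downloadable ACL (dACL) attached to the ISE authorization profile that a "machine and user passed, posture still Unknown" rule returns, roughly a rule matching `Network Access:EapChainingResult EQUALS User and machine both succeeded` and `Session:PostureStatus EQUALS Unknown`. Everything below is an assumption for the example: the domain controllers (which also serve DNS and NTP) live in 10.10.10.8/29 and the ISE Policy Service Node is 10.10.20.5; substitute your own. The `!` comment lines are for the reader and must be dropped when pasting into the ISE dACL content field, which accepts only permit/deny lines.

```text
! Hypothetical dACL PRE-POSTURE-AD-ONLY (example, not from the thread)
! Source is always "any": the enforcement point substitutes the client's own address.
! Assumed: AD domain controllers (also DNS/NTP) in 10.10.10.8/29, ISE PSN at 10.10.20.5
!
! DHCP, then name resolution and time sync; Kerberos fails on clock skew
permit udp any any eq 67
permit udp any 10.10.10.8 0.0.0.7 eq 53
permit tcp any 10.10.10.8 0.0.0.7 eq 53
permit udp any 10.10.10.8 0.0.0.7 eq 123
! Kerberos (88) and Kerberos password change (464)
permit tcp any 10.10.10.8 0.0.0.7 eq 88
permit udp any 10.10.10.8 0.0.0.7 eq 88
permit tcp any 10.10.10.8 0.0.0.7 eq 464
permit udp any 10.10.10.8 0.0.0.7 eq 464
! LDAP, LDAPS and Global Catalog (DC locator, group lookups)
permit tcp any 10.10.10.8 0.0.0.7 eq 389
permit udp any 10.10.10.8 0.0.0.7 eq 389
permit tcp any 10.10.10.8 0.0.0.7 eq 636
permit tcp any 10.10.10.8 0.0.0.7 eq 3268
permit tcp any 10.10.10.8 0.0.0.7 eq 3269
! SMB for SYSVOL/GPO processing and the roaming profile download
permit tcp any 10.10.10.8 0.0.0.7 eq 445
! RPC endpoint mapper plus the Windows dynamic range used by Netlogon/SAM/DFS
permit tcp any 10.10.10.8 0.0.0.7 eq 135
permit tcp any 10.10.10.8 0.0.0.7 range 49152 65535
! ICMP to the DCs so DC locator and slow-link detection behave
permit icmp any 10.10.10.8 0.0.0.7
! AnyConnect posture module to the PSN: portal/discovery and the agent channel
permit tcp any host 10.10.20.5 eq 8443
permit tcp any host 10.10.20.5 eq 8905
permit udp any host 10.10.20.5 eq 8905
! Everything else stays blocked until the posture CoA moves the session to the compliant rule
deny ip any any
```

Two caveats when applying this. First, the dACL is a plain filter; the posture redirect ACL is a separate object on the switch (where `permit` means "redirect this traffic to the portal") and on an AireOS WLC the same filter is entered as a named Airespace ACL on the controller and referenced from the authorization profile with Airespace-ACL-Name rather than pushed as a dACL. Second, any device holding valid machine credentials lands in this rule before posture has run, so keep the destinations pinned to the DCs and the PSN; a `permit ip any any` here would silently turn the first-login window into a posture bypass.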
