AnyConnect NAM 802.1x supplicant question

Hello everyone,
I am using the AnyConnect Network Access Manager as a 802.1x supplicant (with an ACS 5.4 as authentication server). The authentication process works like a charm but there is one issue that the users here do not like. There is a popup window from AnyConnect with a "cancel" button after the users enter their username and password...
Now you would think that this should not be an issue but I have experienced otherwise. The users here seem to like to click cancel buttons, which in this case interrupts the authentication process (so they get placed in the guest VLAN). I have attached a photo of the popup window. Do any of you know a way to hide this popup window completely or at least make the cancel button unclickable?
Thank you in advance,
Ron Aarts

Hi,
Can you check the link below and see if the client policy helps:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html#wp1124492
Check and see if the disable client option is not checked and test.
thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Anyconnect 4 as 802.1x supplicant replacement for Windows - where to put config xml file?

    I want to try out Anyconnect NAM as a 802.1x supplicant replacement in Windows 8.1
    And I have made myself a fine little config xml file that I want to test.
    But where do I put that config file?
    Should I rename it to something special, or should Anyconnect NAM have some extra startup parameters?
    Thank you.

    The file must be called "configuration.xml" and, if you already installed NAM, put the file in \Users\All Users\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigfiles\ and restart the AnyConnect service.
    If instead you are creating an install package for deploying, you can put the configuration in a directory named Profiles/NAM/ together with the msi package; the installation will import the config itself when you run the msi file.

  • Anyconnect NAM, does not disable windows wireless supplicant

    I am having some issues with AnyConnect NAM for wireless. When I install NAM with a profile, my wireless works fine and authenticates as it should, no problem there. I can however not figure out how to get NAM to remove the built-in Windows supplicant in the tray, which shows me a tray icon where a user can browse the list of SSIDs currently broadcast; I only want the NAM supplicant's own list of SSIDs to be shown. Any suggestion on how to accomplish this?

    Jan,
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html
    Windows Network Status Task Tray Icon
    Network Access Manager overrides Windows network management. After installing Network Access Manager, the Windows networking icon in the task bar may confuse users, because the user can no longer use the network status icon to connect to networks.
    You can remove the Windows network icon from the task bar by setting 'Remove the networking icon' in a Windows group policy. This setting only affects the tray icon; the user can still create native wireless networks using the Control Panel.
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed

  • Login scripts not running with AnyConnect NAM and ISE 1.2

    I am using AnyConnect 3.1 NAM as my 802.1x supplicant for ISE 1.2. When users log in with EAP Chaining (User and Machine Auth), the login script seems hit or miss on whether it runs to map their drives. If I uninstall the NAM client, they map drives every time. I would think that running a login script to map drives is a common scenario and I was wondering if anyone else using AnyConnect NAM was having similar issues or how they were dealing with it.

    I had the same issue and solved it by changing these parameters.
    1.- You must change "before user logon" in the configuration profile. I have 5 seconds.
    2.- You must change the "port authentication exception policy" in the configuration profile: enable the checkbox "enable port exceptions" and select "allow data traffic before authentication".
    3.- You must enable the "Wait for link" option on the Intel Ethernet interface of the PC; this option is in the Intel advanced configuration. You must select "on" for this option.
    4.- (this recommendation was from Cisco)
    The Active Directory GPO has a setting "Computer Configuration\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon" that can be enabled to make the logon scripts wait until 802.1x authentication is completed.
    With those changes the logon script runs fine.
    Regards
    David.

  • Anyconnect NAM in VM host

    (X-posting as I mistakenly posted in the wrong forum)
    We are in the middle of an 802.1x deployment with Cisco ISE as the backend. We have been using Anyconnect NAM as supplicant.
    Everything is working famously on physical hosts, but we apparently have a significant number of users that have VMs on their workstations for a variety of reasons (most use Virtualbox, but there is also some Hyper-V in there.) Most of those VMs are actually provided by our Desktop Support department and follow corporate policy, and thus have Anyconnect NAM installed. All of those VMs are also configured in bridge mode so that they receive real IPs and connect to all the services and management that are available for regular physical hosts.
    Problem is, it doesn't look like the bridged adapter is forwarding EAP messages between the supplicant and the switch. That's fine in open mode, but when I go to closed mode all of these hosts won't connect to the network.
    Anybody have seen this issue? Any idea how to fix it?
    So far my only ideas are:
    -Create a custom profile for the Virtualbox MACs (and figure out what Hyper-V uses) and whitelist them.
    -Keep those ports open
    Neither of which really accomplishes the goal of authenticating the host.

    I am using a complete OEM GC environment (OMS, OMR and OMA) in a single VMWare Machine running OEL.
    This is however for training/demo purposes.
    It runs without any problems.
    I would not use this setup for production however.
    Make sure you check MOS Note: *VMWare Certification for Oracle Products [ID 942852.1]*
    I think you will be better off using OracleVM
    Regards
    Rob
    http://oemgc.wordpress.com

  • Alerting or logging from AnyConnect NAM

    We are planning to use Cisco AnyConnect Network Access Manager as a 802.1x supplicant for our wired network as we ran into issues with the Microsoft native supplicant. There are certain advantages in using the inbuilt supplicant on Windows as one can get the desired information from the event log about the dot1x events and use them to alert in case of failures. I however don't see similar logging available in Cisco AnyConnect NAM. We can of course use the DART bundle, but we would like to have detailed dynamic logs from the client to build automation to alert the NOC on any dot1x failure in the network.
    Thanks,
    Vijay

    You should use "live authentication" logs from ISE. You can also configure the switch to send its logs to ISE; that way, when you click the details in ISE "live authentication", you will see both the ISE logs and the switch logs on the same screen.
    If you want alerts, you can go to "Operations > Alarms > Rules" and set alarms. You can configure ISE to send the alarms by email or by using syslog.
    Please rate if this helps
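    The answer above points at the switch and ISE logs as the place to build dot1x failure alerting from, rather than the client. The following is an added example (not code from Cisco, ISE or the thread) of the kind of detection a NOC could run over those switch syslog messages once they are forwarded to a collector: it parses %DOT1X-5-FAIL / %DOT1X-5-SUCCESS lines, keeps a sliding window of failures per switch port, raises one alert per port when the count crosses a threshold, and resets the port when a success follows. The log lines, hostname, interface names, MAC addresses and AuditSessionIDs in SAMPLE_LOG are constructed for the example in the style of Cisco IOS messages, not captured from a real network, and the threshold and window values are assumptions to tune.

```python
"""Added example: threshold alerting on 802.1X failures from switch syslog."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Matches a syslog line relayed from an IOS switch. The '.*?' skips the
# switch's own sequence number and timestamp that precede the mnemonic.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"%DOT1X-5-(?P<result>FAIL|SUCCESS): Authentication (?:failed|successful) "
    r"for client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+)"
)

# Constructed sample lines (assumed format; not from a real switch).
SAMPLE_LOG = [
    "Jun 12 10:15:01 sw-access-01 101: Jun 12 10:15:00.120: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/3 AuditSessionID 0A0000010000001C0A5B2E3E",
    "Jun 12 10:15:31 sw-access-01 102: Jun 12 10:15:30.551: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/3 AuditSessionID 0A0000010000001D0A5B2E5C",
    "Jun 12 10:16:02 sw-access-01 103: Jun 12 10:16:01.003: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/3 AuditSessionID 0A0000010000001E0A5B2E7A",
    "Jun 12 10:16:40 sw-access-01 104: Jun 12 10:16:39.870: %DOT1X-5-FAIL: Authentication failed for client (0066.7788.99aa) on Interface Gi1/0/7 AuditSessionID 0A0000010000001F0A5B2EA0",
    "Jun 12 10:17:05 sw-access-01 105: Jun 12 10:17:04.412: %DOT1X-5-SUCCESS: Authentication successful for client (0066.7788.99aa) on Interface Gi1/0/7 AuditSessionID 0A0000010000001F0A5B2EA0",
    "Jun 12 10:30:00 sw-access-01 106: Jun 12 10:29:59.990: %LINK-3-UPDOWN: Interface Gi1/0/9, changed state to up",
]


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a dot1x result line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; relative ordering is all we need here,
    # so the year defaults to 1900. A production collector should stamp UTC.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_failures(lines: List[str], threshold: int = 3,
                    window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Raise one alert per (switch, port) when >= threshold failures land
    inside the window. A SUCCESS on the port clears its state so a user who
    eventually gets in (or a port that recovers) does not keep alerting."""
    recent = defaultdict(deque)   # (host, intf) -> deque of (ts, mac)
    alerted = set()
    alerts: List[Dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["intf"])
        if ev["result"] == "SUCCESS":
            recent[key].clear()
            alerted.discard(key)
            continue
        q = recent[key]
        q.append((ev["ts"], ev["mac"]))
        while q and ev["ts"] - q[0][0] > window:   # drop failures outside window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"],
                "interface": ev["intf"],
                "count": len(q),
                "clients": sorted({mac for _, mac in q}),
                "last_seen": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_failures(SAMPLE_LOG):
        print(f"ALERT {a['host']} {a['interface']}: {a['count']} dot1x failures "
              f"from {a['clients']} (last {a['last_seen']:%H:%M:%S})")
```

    Feeding this from a real collector is a matter of replacing SAMPLE_LOG with a tail of the syslog file; the same structure works for the %AUTHMGR messages if you widen the regex, and the per-port reset on success is what keeps a single mistyped password from paging anyone.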

  • Auth-Fail Feature and Windows 802.1x Supplicant Compatibility

    As per Cisco IOS design when authentication fails the switch sends a simulated EAP-Success message to the client so that DHCP can be implemented by the client. Taking into consideration the dot1x auth-fail command is configured.
    However we have noticed that when using the built-in Windows XP SP2 802.1x supplicant and authentication fails, the Windows supplicant does not like this Cisco simulated EAP-Success message and drops the packet, therefore never re-initiating the DHCP process.
    I have attached the Microsoft supplicant log indicating the dropped EAP-Success.
    We are using catalyst 3750 with IOS 12.2(25)SEE. We have also tried release 12.2(35)xxx but issue persists.
    Your suggestions would be appreciated.
    Thank You,
    ET

    An EAP-Failure is by design. This occurs on all failures. The session fails rather normally. After the third (default but configurable) successive failure, the port is conditionally enabled (and placed in the auth-fail-vlan) even though 1X is configured and operating.
    At this point, it's up to the supplicant to access the network if it wants to, since the port has been enabled. Without the notion of a controlled port on a supplicant, there's no reason it shouldn't try and access the network ;-).
    Once a workstation is authorized on the network, and then subsequently fails for whatever reason and is put on the auth-fail vlan, then it's also up to the machine to renew its IP if it needs to. Optionally, you can configure the auth-fail-vlan to be the same as your default vlan. I guess it's worth pointing out that you'd have this problem without 802.1X (changing VLANs on the fly for example). Some supplicants can deal with this though.
    If an EAPOL-Logoff does not come from a supplicant (and it doesn't by default with Windows-XP) then there's nothing to get the port out of the Auth-Fail-VLAN either (short of link down). You can configure this through registry though. So the answer to your earlier question was no .. it shouldn't.
    I'm not sure I understand the "IB" and "OOB" references here though.
    Hope this helps,
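    The exchange above turns on which EAPOL and EAP PDUs the supplicant sees on the wire: the EAP-Failure that ends the session, the EAP-Success the switch sends once the auth-fail VLAN is opened, and the EAPOL-Logoff that a supplicant would need to send to take the port out of that VLAN. The following is an added example, not Cisco or Microsoft code, of a minimal EAPOL/EAP decoder that shows those frames and replays the sequence the thread describes. The MAC addresses and the frame sequence in SAMPLE are constructed for the example; the EAPOL header layout (version, type, length), the EAP header (code, id, length) and the code values (1 Request, 2 Response, 3 Success, 4 Failure) follow IEEE 802.1X and RFC 3748.

```python
"""Added example: minimal EAPOL/EAP frame decoder and auth-fail replay."""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAPOL_ETHERTYPE = 0x888E
# 802.1X PAE group address used as destination for EAPOL on a point-to-point link
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class EapolFrame:
    src: bytes
    eapol_type: str
    eap_code: Optional[str] = None   # only present for EAP-Packet
    eap_id: Optional[int] = None
    eap_type: Optional[int] = None   # EAP method type, only in Request/Response


def build_eapol(src: bytes, eapol_type: int, body: bytes = b"") -> bytes:
    """Construct an Ethernet II frame carrying one EAPOL (version 1) PDU."""
    return (PAE_GROUP_ADDR + src + struct.pack("!H", EAPOL_ETHERTYPE)
            + struct.pack("!BBH", 1, eapol_type, len(body)) + body)


def build_eap(src: bytes, code: int, identifier: int, payload: bytes = b"") -> bytes:
    """Construct an EAPOL EAP-Packet frame with the given EAP code and id."""
    eap = struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload
    return build_eapol(src, 0, eap)


def parse_eapol(frame: bytes) -> EapolFrame:
    """Decode one frame; reject anything whose length fields do not add up."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:             # never trust the length field blindly
        raise ValueError("EAPOL body truncated")
    ptype_name = EAPOL_TYPES.get(ptype, f"unknown({ptype})")
    if ptype != 0:                      # Start/Logoff/Key carry no EAP header
        return EapolFrame(src, ptype_name)
    if length < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len > length:
        raise ValueError("EAP length exceeds EAPOL body")
    eap_type = body[4] if code in (1, 2) and eap_len >= 5 else None
    return EapolFrame(src, ptype_name, EAP_CODES.get(code, f"unknown({code})"),
                      ident, eap_type)


def is_malformed(frame: bytes) -> bool:
    try:
        parse_eapol(frame)
        return False
    except ValueError:
        return True


def port_state_trace(frames: List[bytes]) -> List[str]:
    """Replay frames in order and record what each one means for the port.
    A Success directly after a Failure is tagged: that is the EAP-Success the
    thread says IOS emits once the auth-fail VLAN is opened."""
    events, last = [], None
    for f in map(parse_eapol, frames):
        if f.eapol_type == "EAPOL-Logoff":
            events.append("logoff -> port unauthorized")
        elif f.eap_code == "Failure":
            events.append(f"failure id={f.eap_id}")
        elif f.eap_code == "Success":
            tag = " (success after failure: auth-fail VLAN open)" if last == "Failure" else ""
            events.append(f"success id={f.eap_id}{tag}")
        elif f.eap_code is None:
            events.append(f.eapol_type)
        else:
            events.append(f"{f.eap_code.lower()} id={f.eap_id} type={f.eap_type}")
        last = f.eap_code
    return events


SUPPLICANT = bytes.fromhex("001122334455")   # constructed MAC addresses
SWITCH = bytes.fromhex("aabbccddeeff")
SAMPLE = [                                   # constructed sequence from the thread
    build_eapol(SUPPLICANT, 1),              # EAPOL-Start
    build_eap(SWITCH, 1, 1, b"\x01"),        # Request/Identity
    build_eap(SUPPLICANT, 2, 1, b"\x01user"),  # Response/Identity
    build_eap(SWITCH, 4, 2),                 # Failure: credentials rejected
    build_eap(SWITCH, 3, 2),                 # Success sent when auth-fail VLAN opens
    build_eapol(SUPPLICANT, 2),              # EAPOL-Logoff (XP does not send this by default)
]

if __name__ == "__main__":
    for line in port_state_trace(SAMPLE):
        print(line)
```

    Run stand-alone it prints the six decoded steps; the decoder is what you would point at a packet capture from the supplicant side to confirm whether the Success frame actually arrived and was well formed before blaming the supplicant for dropping it.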

  • EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

    Hi Guys,
    Whilst I'm well aware of the limitations of the built-in Windows wireless 802.1x supplicant, is there a way, using the NAM client, to authenticate both a computer and a user simultaneously when used for authentication to wireless networks?
    As has been posted many times before on this forum, this isn’t possible due to windows not authenticating with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication based on the options it gives you with EAP-Fast and 'EAP Chaining'.
    Can anyone validate this is possible? I have the design guide for exactly this for Cisco ISE but i need it to work on ACS (5.x).
    Thanks in advance.
    SteveH

    Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
    So, try rebooting ACS if you haven't already and see if that resolves the error.

  • Specifying Client Auth Cert in Anyconnect NAM

    Hi guys,
    Currently I have set up an SSID which uses EAP-FAST to perform user certificate authentication against an identity store in ISE connected to AD. On the client devices I have installed the AnyConnect NAM to act as the dot1x supplicant and have been in the process of setting up the profile using the AnyConnect Profile Editor.
    The issue that I am having is that users on the network have several certs assigned to them from AD. Ordinarily the NAM just prompts the user to select the correct certificate when they attempt to connect, which is not feasible.
    Can I configure the NAM to use a specific user Cert to authenticate to the SSID (without prompting the user on connection)? And if so how?
    Thanks

    Hello Evan,
    Please check the following Cisco doc for specifying client auth cert in anyconnect. Hope it helps!
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect24/administration/guide/ac02asaconfig.html

  • Windows XP built-in 802.1x supplicant problem

    Hi, we are deploying PEAP for wireless access. We had no problem getting this working with the laptop vendor supplied wireless management software (which includes an 802.1x supplicant), but when I switch to Windows Zero Configuration and let Windows XP manage wireless, the laptop cannot associate with the wireless SSIDs. The back end RADIUS server (MS IAS) log shows that the user (with AD credentials) is successfully authenticated, but the Windows XP supplicant seems not to receive the authentication success response from the RADIUS server, and keeps retrying and finally gives up. Any idea what is going on with the Windows XP dot1x supplicant? The laptop is running XP SP3.

    Not exactly sure what could be the problem. It should be working - it's definitely supported (I'm currently typing this via a XP SP3 machine using PEAP WPA2/AES via WZC). The only things I can think of to check are:
    - Make sure your wireless drivers are up to date *this is a must*
    - Make sure the other supplicant is completely disabled (uninstall it if you really need to rule it out)
    - Try disabling the server certificate check in the WZC profile for this network (do you know for sure that your laptop trusts the IAS server's certificate?)
    - Are you doing machine or user authentication for PEAP - make sure you have the WZC profile properly configured
    - Are you 100% sure that you've configured everything properly for the network (WPA vs WPA2? AES vs. TKIP? etc.)

  • Anyone rolled out 802.1x supplicant in a large Microsoft AD environment?

    Morning all, anyone have any suggestions how I can roll out Microsoft's native 802.1x supplicant to a large number of PCs? I've got ISE and several different versions of Windows (XP, 7) working in a lab, but not being a Microsoft AD guy I'm kind of clueless how to pull this off. Can it be done via a group policy? If so, has anyone got a good document on how to pull this off?

    It is really simple, you can follow the guide here in the technet kb:
    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/7220c686-e033-4903-b40e-bf3b7e581d05
    There are other threads that can show you how to do this on the wireless side as well. Make sure the AD guys set the correct eap types (peap or eap-tls) and you should be good to go.
    Tarik Admani
    *Please rate helpful posts*

  • LAP 802.1x supplicant and H-REAP

    Hallo,
    is it possible to combine the 802.1x supplicant feature of a LAP with an H-REAP scenario with trunked/tagged uplinks to the switching infrastructure?
    Will the switchport opened via successful 802.1x authentication be open for the native VLAN only (management traffic), or will it also be valid for the tagged VLANs on the trunk?
    br
    am

    Did you ever figure out a resolution to this? I'm facing the same problem. 802.1x authentication does not work for the system profile and I have to login and manually click the connect button for 802.1x.

  • Using AnyConnect NAM for wireless and AD password changes

    Hi,
    I am having a problem with AD password changes and wireless profiles in AnyConnect. Once a user changes their password from their PC and then tries to connect to our WPA2 802.1x wireless it fails to authenticate and I cannot find a way to update the password that works. So we currently delete the wireless profile and create a new one. Is there a way that NAM could pull user/password from login or any other fix. We are also using ACS 4.1. AnyConnect version 3 to 3.0.5080.
    Thanks!

    In your anyconnect profile did you set the "use single sign on credentials"? Also did you try the repair option to see if it works after that (I am not suggesting a solution but for troubleshooting). Does logging on and off the machine help resolve the issue? Does this happen on all workstations?
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html#wp1166170
    Even though this is for user authentication this bug seems like a candidate:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx03814&from=summary
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Windows 7 -How to authenticate to WiFi (home or public) with AnyConnect NAM installed

    Hello,
    We are deploying ISE and connecting to the company's WiFi using a "machine" login (active directory laptop) works fine on Windows 7 or 8 - both wired and wireless. But, here is a scenario that I can't seem to find a good answer for. All my searches result in answers for corporate wifi; but not what I need.
    So, an employee checks out a laptop to use on a trip. It has AnyConnect 4.0.x VPN and NAM installed (SBL - GINA needs to be added). Windows 8 allows a user who has never used a Win8 laptop to connect to WiFi and authenticate before attempting to login and get their desktop. If the Win 7 or 8 laptop is connecting to a corporate AP, ISE automatically authenticates the "machine" so when they enter their user credentials, they will be logging into the Windows domain (GPO's, drive mappings, etc.). Once a Windows 7 laptop has been authenticated with ISE, it doesn't matter which user logs in, the device will already have a connection. Essentially, the user does not have to log in while within the corporate network in order to get their profile created (locally cached credentials).
    But, what if the user has no local profile and tries to use a Windows 7 laptop from their home? They need to be able to connect and authenticate to their home WiFi before AnyConnect can automatically bring up the VPN tunnel. The GINA module will do an SBL for a VPN connection but that's not going to work if they don't have a WiFi connection. This scenario is possible in my environment.
    So, can AnyConnect GINA also manage a WiFi login before a user tries to get to a desktop for the first time?
    The perfect scenario would be where we hand out emergency laptops to first time users, they connect to whatever WiFi they have access to (non-corporate), the VPN tunnel comes up and when they login, they login into the Windows domain, not locally.
    Thanks!

    Just so everyone knows...
    Please take note of the specific processor which is included with your HP Pro 3130 MT.
    HP Pro 3130 MT motherboards with specific processors do not have any onboard (integrated) graphics, although they still have the VGA and DVI connectors. This means that although you may remove the PCIe graphics card, you will not be able to use a monitor with the onboard VGA or DVI (because there is no integrated graphics). This also means that you will not be able to change your BIOS to onboard graphics (because there is no integrated graphics).
    "NOTE: HP Pro 3130 with Intel Core i5 750 processor or any Intel i7 processor has no integrated
    graphics."(1)
    (1) Source: http://h18000.www1.hp.com/products/quickspecs/13640_ca/13640_ca.PDF
    If you would like to know why, let me know. Thanks!
    -Dave

  • Table for name - User ID --Simple question !

    Which is the table that gives me the ID associated with the complete name of the user? I tried for example USR02, PA0105 etc. I am getting the names in hex!

    You're looking for USER_ADDR.
    Edit: I'm sure that there are several correct answers to this question.
    Edited by: Martinsh Shaiters on Dec 16, 2008 5:45 PM
