Hi,

I have anyconnect NAM configured for wireless authentication using EAP Chaining, problem is if you try to login with a new user (a user that never logged into the machine before) it gives and error stating that no authentication server can be reached.

Also if the user password expired, he can't set a new one (because the ADs are not reachable) while any logged in user can change his password with no issues.

I think this happens because all communications to the network are blocked until the user logs into windows and anyconnect NAM authenticates him.

Is that the normal behavior of EAP Chaining or am I missing something over here?

Thanks,

Hi MC,

Yes I figured that out yesterday, but the change password is working too. I tried with 2 different users on 2 different PCs and it's working fine. See below the RADIUS Authentication steps....

Thanks,

11001  Received RADIUS Access-Request 
  11017  RADIUS created a new session 
  15049  Evaluating Policy Group 
  15008  Evaluating Service Selection Policy 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15004  Matched rule 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15004  Matched rule 
  11507  Extracted EAP-Response/Identity 
  12500  Prepared EAP-Request proposing EAP-TLS with challenge 
  12625  Valid EAP-Key-Name attribute received 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12101  Extracted EAP-Response/NAK requesting to use EAP-FAST instead 
  12100  Prepared EAP-Request proposing EAP-FAST with challenge 
  12625  Valid EAP-Key-Name attribute received 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12102  Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated 
  12800  Extracted first TLS record; TLS handshake started 
  12805  Extracted TLS ClientHello message 
  12806  Prepared TLS ServerHello message 
  12807  Prepared TLS Certificate message 
  12810  Prepared TLS ServerDone message 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12812  Extracted TLS ClientKeyExchange message 
  12804  Extracted TLS Finished message 
  12801  Prepared TLS ChangeCipherSpec message 
  12802  Prepared TLS Finished message 
  12816  TLS handshake succeeded 
  12149  EAP-FAST built authenticated tunnel for purpose of PAC provisioning 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12209  Starting EAP chaining 
  12218  Selected identity type 'User' 
  12125  EAP-FAST inner method started 
  11521  Prepared EAP-Request/Identity for inner EAP method 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12212  Identity type provided by client is equal to requested 
  11522  Extracted EAP-Response/Identity for inner EAP method 
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated 
  15041  Evaluating Identity Policy 
  15006  Matched Default Rule 
  15013  Selected Identity Source - AD1 
  24430  Authenticating user against Active Directory 
  24402  User authentication against Active Directory succeeded 
  22037  Authentication Passed 
  11824  EAP-MSCHAP authentication attempt passed 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response 
  11814  Inner EAP-MSCHAP authentication succeeded 
  11519  Prepared EAP-Success for inner EAP method 
  12128  EAP-FAST inner method finished successfully 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12126  EAP-FAST cryptobinding verification passed 
  12200  Approved EAP-FAST client Tunnel PAC request 
  12202  Approved EAP-FAST client Authorization PAC request 
  12219  Selected identity type 'Machine' 
  12125  EAP-FAST inner method started 
  11521  Prepared EAP-Request/Identity for inner EAP method 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12212  Identity type provided by client is equal to requested 
  11522  Extracted EAP-Response/Identity for inner EAP method 
  11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated 
  15041  Evaluating Identity Policy 
  15006  Matched Default Rule 
  15013  Selected Identity Source - AD1 
  24431  Authenticating machine against Active Directory 
  24470  Machine authentication against Active Directory is successful 
  22037  Authentication Passed 
  11824  EAP-MSCHAP authentication attempt passed 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response 
  11814  Inner EAP-MSCHAP authentication succeeded 
  11519  Prepared EAP-Success for inner EAP method 
  12128  EAP-FAST inner method finished successfully 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12126  EAP-FAST cryptobinding verification passed 
  12201  Approved EAP-FAST client Machine PAC request 
  15036  Evaluating Authorization Policy 
  11055  User name change detected for the session. Attributes for the session will be removed from the cache 
  24432  Looking up user in Active Directory - test.user1,host/MT13L032 
  24416  User's Groups retrieval from Active Directory succeeded 
  24433  Looking up machine in Active Directory - test.user1,host/MT13L032 
  24435  Machine Groups retrieval from Active Directory succeeded 
  15004  Matched rule 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15048  Queried PIP 
  15016  Selected Authorization Profile - Wireless IT-Admins 
  12169  Successfully finished EAP-FAST tunnel PAC provisioning/update 
  12171  Successfully finished EAP-FAST user authorization PAC provisioning/update 
  12170  Successfully finished EAP-FAST machine PAC provisioning/update 
  12105  Prepared EAP-Request with another EAP-FAST challenge 
  11006  Returned RADIUS Access-Challenge 
  11001  Received RADIUS Access-Request 
  11018  RADIUS is re-using an existing session 
  12104  Extracted EAP-Response containing EAP-FAST challenge-response 
  12651  Accept client on authenticated provisioning 
  12107  EAP-FAST provisioning phase finished successfully 
  11503  Prepared EAP-Success 
  11002  Returned RADIUS Access-Accept

Hi MC,

Sorry for the late replay, Yesterday and the day before were one of those lovely working days for me

So, yes it's for wireless, and I'm using 3850 as WLC with IOS-XE Version 03.03.05SE

For wired I didn't face this issue because I'm doing Low Impact mode and the Pre-Auth ACL is allowing AD traffic

Will do... Thanks a lot

What is the exact issue you are having?