Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

machine authentication.
Explanation: RADIUS server sends an Extensible Authentication Protocol-Transport Layer
Security (EAP-TLS) frame without any content. Its purpose is to negotiate EAP-TLS protocol with
the client.
Explanation: NAM recognizes server's request to use EAP-TLS but the client is configured to use
Protected Extensible Authentication Protocol (PEAP). This is the reason that NAM sends back a
counter-offer for PEAP.
Explanation: RADIUS server accepts the outer/unprotected identity.
Explanation: The protected portion of PEAP (to establish a secure tunnel to exchange inner
credentials) starts after the client receives a confirmation from the RADIUS server to continue the
use of PEAP.
Explanation: NAM sends a client hello encapsulated in an EAP message and waits for the server hello
to come. The server's hello contains the ISE certificate, so it takes some time to finish transferring.
Explanation: NAM extracted the subject name of the ISE server from the server certificate. Since
the server certificate is not installed in the trust store, it is not found there.
Explanation: NAM looks for the inner/protected identity to be sent to the RADIUS server after the
tunnel is established. In this case, the "Automatically use my Windows logon name and password"
option has been enabled on the wired adapter, so NAM uses the Windows logon credentials instead of
asking the user for them.
Explanation: NAM sent the client key and cipher spec to the server and received confirmation. SSL
negotiation is successful and a tunnel is established.
Explanation: Protected identity is sent to the server, which accepts the identity. Now the server
requests the password.
Explanation: NAM receives password request and sends password to server.
Explanation: Server receives the password, verifies it and sends EAP-Success. Authentication is
successful at this point, and the client proceeds to get an IP address from DHCP.
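
The method negotiation described above (an empty EAP-TLS request answered by a counter-offer for PEAP) can be confirmed from the EAP bytes in a packet capture. The following is an added example, not part of the Cisco guide: it decodes constructed sample frames using the code and type numbers from RFC 3748, and the function names are illustrative.

```python
import struct

# EAP codes and method type numbers (RFC 3748; EAP-TLS = 13, PEAP = 25).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

def parse_eap(frame: bytes) -> dict:
    """Decode one EAP packet: code, id, length, then type and type-data."""
    if len(frame) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("bad EAP length field")
    out = {"code": CODES.get(code, str(code)), "id": ident}
    if code in (3, 4) or length == 4:        # Success/Failure carry no type
        return out
    etype, data = frame[4], frame[5:length]
    out["type"] = TYPES.get(etype, str(etype))
    if etype == 3:                            # Nak: list of methods the peer wants
        out["wants"] = [TYPES.get(t, str(t)) for t in data]
    elif etype in (13, 25) and data:          # TLS-based method: first byte is flags
        out["start"] = bool(data[0] & 0x20)   # S bit set: start frame, no TLS data yet
        out["payload_bytes"] = len(data) - 1  # bytes following the flags byte
    elif etype == 1:
        out["identity"] = data.decode("utf-8", "replace")
    return out

def negotiated_method(frames):
    """Return the last TLS-based method the server started, plus any Naks seen."""
    method, naks = None, []
    for f in map(parse_eap, frames):
        if f.get("type") == "Nak":
            naks.append(f["wants"])
        elif f.get("start"):
            method = f["type"]
    return method, naks

# Constructed sample frames (not taken from a real capture).
SAMPLE = [
    bytes([1, 1, 0, 6, 13, 0x20]),  # server: EAP-TLS start, no content
    bytes([2, 1, 0, 6, 3, 25]),     # client: Nak, counter-offers PEAP
    bytes([1, 2, 0, 6, 25, 0x20]),  # server: PEAP start
    bytes([3, 9, 0, 4]),            # server: EAP-Success
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(parse_eap(frame))
    print(negotiated_method(SAMPLE))
```

A Nak in the trace means the server's first offer did not match the client profile; aligning the two avoids the extra round trip.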