SecuirtyTech

[solved] Troubleshooting Cisco ISE Fast User Switching in Cisco AnyConnect NAM Module/no logon server is available

“Problem”

Cisco AnyConnect does not support fast user switching. The Cisco NAM module allows only a single user to be logged in, whereas Microsoft Windows lets you log in as one user, choose Switch user, and log in with another username while the first user is still logged in.

Microsoft Windows allows multiple users to be logged on concurrently, but AnyConnect Network Access Manager restricts network authentication to a single user. AnyConnect Network Access Manager can only be active for one user per desktop/server, regardless of how many users are logged on.
Configuring multiple sign-on requires changing a registry key in Windows.

This is also useful when the user is not able to log in to the laptop using the cached credentials.

The exact error message is “There are no logon servers available to service the logon request”

The article below supports the point that fast user switching was not supported as of 9/24/2015 and that it is a feature request to be added to newer Cisco AnyConnect clients.

https://community.cisco.com/t5/vpn/since-installing-anyconnect-cannot-switch-users-quot-only-one/td-p/2727350

Below is the error message you would get when logon is denied

“Workaround”

There is a workaround: modifying a registry key in Windows. However, it defeats the purpose of having dot1x authentication in the first place. At a high level, with the registry workaround in place, the first user who logs in is authenticated against Cisco ISE. When the second user logs in, the first user's credentials are sent to ISE, which is not ideal and can only be used as a workaround. In other words, a separate dot1x process is not going to happen when the second user logs in at the Windows lock screen; the second user will use the access provided based on the first user's authentication.

Below is the registry key for the fix

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}
Value: EnforceSingleLogon (REG_DWORD) needs to be set to 0
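
Because this setting lets a second user ride on the first user's dot1x session, it helps to be able to audit which machines have it applied. The PowerShell below is an added example, not part of the original post: it reads the key and value named above and can apply the workaround. The function names and state labels are hypothetical.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Key path and value name are the ones given in the post above.
$NamKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'
$NamValue = 'EnforceSingleLogon'

function Get-NamSingleLogonState {
    # Report whether the workaround is in effect on this machine (read-only).
    $state = 'KeyMissing'; $current = $null
    if (Test-Path -LiteralPath $NamKey) {
        $prop = Get-ItemProperty -LiteralPath $NamKey -Name $NamValue -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $state = 'ValueMissing'
        } else {
            $current = [int]$prop.$NamValue
            # 0 is the only setting the post documents: with it, a second user
            # gets the access granted by the first user's dot1x authentication.
            $state = if ($current -eq 0) { 'WorkaroundActive' } else { 'ValueNotZero' }
        }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        State    = $state
        Value    = $current
    }
}

function Enable-NamSingleLogonWorkaround {
    # Writes EnforceSingleLogon = 0. Needs an elevated session (HKLM write).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $before = Get-NamSingleLogonState
    if ($before.State -eq 'KeyMissing') {
        throw "Registry key not found: $NamKey"
    }
    if ($PSCmdlet.ShouldProcess($NamKey, "Set $NamValue to 0 (was: $($before.Value))")) {
        New-ItemProperty -LiteralPath $NamKey -Name $NamValue -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # Return before/after so the previous value can be recorded and restored later.
    [pscustomobject]@{ Before = $before; After = Get-NamSingleLogonState }
}

# Audit only: prints the current state without changing anything.
Get-NamSingleLogonState
```

Run `Enable-NamSingleLogonWorkaround -WhatIf` first to preview the change without writing to the registry.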

Thanks for reading this and I hope it has helped.

 

 

 
