
[solved] Troubleshooting Cisco ISE Fast User Switching in Cisco AnyConnect NAM Module/no logon server is available

“Problem”

Cisco AnyConnect does not support fast user switching, which means the Cisco NAM module allows only a single user to be logged in. With Microsoft Windows alone, by contrast, you can log in as one user, choose Switch user, and log in with another username while the first one is still logged in.

Microsoft Windows allows multiple users to be logged on concurrently, but AnyConnect Network Access Manager restricts network authentication to a single user. AnyConnect Network Access Manager can only be active for one user per desktop/server, regardless of how many users are logged on.
Configuring multiple sign-on requires changing a registry key in Windows.

This is also useful when the user is not able to log in to the laptop using cached credentials.

The exact error message is "There are no logon server available to service the logon request"

Below is the article that supports the claim that fast user switching was not supported as of 9/24/2015; it is a feature request to be added to newer Cisco AnyConnect clients.

https://community.cisco.com/t5/vpn/since-installing-anyconnect-cannot-switch-users-quot-only-one/td-p/2727350

Below is the error message you would get when logon is denied

“Workaround”

There is a workaround that modifies a registry key in Windows, but it defeats the purpose of having dot1x authentication in the first place. At a high level, with the registry workaround in place the first user who logs in is authenticated against Cisco ISE. When the second user logs in, the first user's credentials are sent to ISE. In other words, a separate dot1x process does not happen when the second user logs in at the Windows lock screen; the second user gets the access granted by the first user's authentication. This is not ideal and should only be used as a workaround.

Below is the registry key for the fix

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}
Value: EnforceSingleLogon (REG_DWORD), needs to be set to 0
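
Because the workaround lets a second user ride on the first user's dot1x session, it helps to know which endpoints have it applied. The PowerShell below is an added example, not part of the original post: it reports the state of the value quoted above and can set it from an elevated prompt. The function names are hypothetical, and treating 1 as the enforcing value is an assumption the post does not state.

```powershell
# Added example, not from the original post. The key path and value name are
# the ones quoted in the post; the function names are hypothetical.
$NamKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{B12744B8-5BB7-463a-B85E-BB7627E73002}'
$ValueName = 'EnforceSingleLogon'

function Get-NamSingleLogonState {
    # Report whether the workaround from the post is in place on this machine.
    if (-not (Test-Path -LiteralPath $NamKey)) {
        # The credential provider key is absent (NAM may not be installed).
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; State = 'KeyMissing'; Value = $null }
    }
    $item = Get-ItemProperty -LiteralPath $NamKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # The post does not say what NAM does when the value is absent, so no guess is made.
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; State = 'ValueNotSet'; Value = $null }
    }
    $v = [int]$item.$ValueName
    # 0 is the workaround value from the post; anything else is reported as enforced.
    $state = if ($v -eq 0) { 'WorkaroundApplied' } else { 'SingleLogonEnforced' }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; State = $state; Value = $v }
}

function Set-NamSingleLogon {
    # Writes the DWORD; requires an elevated session. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 0 = workaround from the post; 1 = enforce single logon (assumption).
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value
    )
    if (-not (Test-Path -LiteralPath $NamKey)) {
        throw "Credential provider key not found: $NamKey"
    }
    $before = Get-NamSingleLogonState
    if ($PSCmdlet.ShouldProcess($NamKey, "Set $ValueName to $Value")) {
        Set-ItemProperty -LiteralPath $NamKey -Name $ValueName -Value $Value -Type DWord
    }
    # Return both states so the change can be logged and reverted later.
    [pscustomobject]@{ Before = $before; After = Get-NamSingleLogonState }
}

# Audit only: show the current state without changing anything.
Get-NamSingleLogonState
```

Run `Set-NamSingleLogon -Value 0 -WhatIf` first to preview the change; the returned Before/After pair records what to restore once the workaround is no longer needed.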

Thanks for reading this and I hope it has helped.
