topic Re: NAC agent failing to popup in Network Access Control

NAC agent failing to popup

ZAHI BOU KHALIL — Mon, 11 Mar 2019 02:14:13 GMT

Dears,

I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.

When we are working on the first node everything is fine, if I try to disconnect ISE1 and do my tests on ISE2, the cisco NAC agent doesn't popup, unless I uninstall it and reinstall it again from the ISE2. Then it will work properly.

Note: the NAC agent version is the following: nacagent-4.9.0.37.

Any idea?

Regards

Zahi

NAC agent failing to popup

Tarik Admani — Tue, 26 Jun 2012 02:47:09 GMT

Zahi,

Can you please post the contents of your pre-auth ACL? I wonder how the redirection is set for the swiss packets. Are you redirecting all traffic destined to port 8905,8906?

Also when you are performing the failover scenario are you shutting the port? How are you triggering the reauthentication?

Thanks,

Tarik Admani

NAC agent failing to popup

ZAHI BOU KHALIL — Tue, 26 Jun 2012 06:27:16 GMT

Hi Tarik,

Thanks for your reply.

If you mean the ACL redirection, plz find it below:

ip access-list extended ACL-POSTURE-REDIRECT

deny ip any host 10.10.10.238 >>> IP address of ISE1

deny ip any host 10.10.10.239 >>> IP address of ISE2

deny udp any any

permit tcp any any eq www

permit tcp any any eq 443

permit tcp any any eq 8443

To perform the failover I disconnect the ISE1 from the network, and apply the shut and no shut command on the port of the testing machine or sometimes I unplug and plug again the cable of that workstation.

Regards

Zahi

NAC agent failing to popup

Tarik Admani — Tue, 26 Jun 2012 15:17:22 GMT

Can you also post the contents of your dACL? When you open a web browser do you get redirected to the nac agent download page?

Can you please post the show authentication session interface x/y, when the agent pops up with ISE1 and then again with ISE2.

Also it may be best to take a pcap of the client machine to see if ISE2 is responding.

Thanks,

Tarik Admani

Re: NAC agent failing to popup

ZAHI BOU KHALIL — Wed, 04 Jul 2012 13:15:48 GMT

Hi Tarik,

below are my answers:

1- The content of the dACL:

ip access-list extended POSTURE-REMEDIATION

permit udp any any eq domain

permit ip any host 10.10.10.125 >>>> antivirus server

permit ip any 10.10.240.0 0.0.0.255 >>>> voice subnet

permit ip any 10.10.31.0 0.0.0.255 >>>> quarantine vlan subnet

permit ip any host 10.10.10.238 >>>> ip add of ISE1

permit ip any host 10.10.10.239 >>>> ip add of ISE2

permit ip any host 10.10.10.206 >>>> wsus server

permit ip any host 10.10.10.10 >>>> domain 1

permit ip any host 10.10.10.100 >>>> domain 2

2- When I open a web browser, yes I get redirected to the nac agent download page

3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:

sw#sho authentication sessions int fast 0/12
            Interface: FastEthernet0/12
          MAC Address: b8ac.6fc9.b26f
           IP Address: 10.10.31.2
            User-Name: RJ\15592
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 31
              ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL: ACL-POSTURE-REDIRECT
         URL Redirect: https://RJ-ISE-1.rj.com:8443/guestportal/gateway?session
Id=0A0A0C86000000186ADBBD8B&action=cpp
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A0A0C86000000186ADBBD8B
      Acct Session ID: 0x00000023
               Handle: 0x31000018

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

sw#sho authentication sessions int fast 0/12
            Interface: FastEthernet0/12
          MAC Address: b8ac.6fc9.b26f
           IP Address: 10.10.30.12
            User-Name: RJ\15592
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 30
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A0A0C86000000186ADBBD8B
      Acct Session ID: 0x00000023
               Handle: 0x31000018

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:

sw#sho auth sessions int fast 0/12
            Interface: FastEthernet0/12
          MAC Address: 0025.6458.8409
           IP Address: 10.10.31.8
            User-Name: RJ\15946
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 31
              ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL: ACL-POSTURE-REDIRECT
         URL Redirect: https://RJ-ISE-2.rj.com:8443/guestportal/gateway?session
Id=0A0A0C86000000206AF3FAC1&action=cpp
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A0A0C86000000206AF3FAC1
      Acct Session ID: 0x0000002B
               Handle: 0x2C000020

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

you may find attached also the pcap file of the client machine when it is authenticating with the ISE2.

Thank you in advance

Zahi

Message was edited by: ZAHI BOU KHALIL

Re: NAC agent failing to popup

Tarik Admani — Wed, 04 Jul 2012 19:30:11 GMT

Zahi,

I dont understand your latest response, are you saying the agent is popping up with ISE2 or it is not popping up with ISE2?

Just so I understand this correctly the first client, authenticates on vlan 31, postures, and then is compliant and then set to vlan 30 with the permit ip any acl assigned.

In your ACL you sent me a different ACL which is defined on the switch, the ISE is referencing - "ACL-POSTURE-REDIRECT", please send the contents of this ACL.

I see that you are using two different machines, client 0025.6458.8409 is being redirected to ISE2 agent download page but does it have the client installed? If so, in the pcap the agent doesnt seem to be sending any discovery packets.

Please test with only one client, and reproduce the issue with the show authenticaiton sessions like you did previously.

Thanks,

Tarik admani

NAC agent failing to popup

ZAHI BOU KHALIL — Thu, 05 Jul 2012 13:56:10 GMT

Hi Tarik,

In the second test I meant that this is the output after authenticating with the ISE2 but the agent didn't popup, sorry for any

Inconvenience. It's giving that the authentication is successful but the agent is not popping up.

As per the client machine, I'm doing this test remotely as the client is abroad, you're right it seems that he used different machine.

I will redo the test and unsure using same client machine.

I'll get back to you with the result.

Regards

Zahi

Re: NAC agent failing to popup

ZAHI BOU KHALIL — Tue, 10 Jul 2012 13:22:21 GMT

Hi Tarik,

Kindly find below the outputs of the test:

1- The content of the dACL:

ip access-list extended ACL-POSTURE-REDIRECT

deny ip any host 10.10.10.238

deny ip any host 10.10.10.239

deny udp any any

permit tcp any any eq www

permit tcp any any eq 443

permit tcp any any eq 8443

2- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:

SW#sho auth sess int fast 0/12
            Interface: FastEthernet0/12
          MAC Address: 0021.7070.87be
           IP Address: 10.10.31.4
            User-Name: 15919
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 31
              ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL: ACL-POSTURE-REDIRECT
         URL Redirect: https://RJ-ISE-1.rj.com:8443/guestportal/gateway?sessionId=0A0A0C860000002A89B45A9A&action=cpp
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A0A0C860000002A89B45A9A
      Acct Session ID: 0x00000039
               Handle: 0xC500002A

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

SW#sho auth sess int fast 0/12
            Interface: FastEthernet0/12
          MAC Address: 0021.7070.87be
           IP Address: 10.10.30.3
            User-Name: 15919
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 30
              ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A0A0C860000002A89B45A9A
      Acct Session ID: 0x00000039
               Handle: 0xC500002A

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

3- outputs of the show authentication session interface fast 0/12, when the agent fails to popup with ISE2:

SW#sho auth sess int fast 0/12
            Interface: FastEthernet0/12
          MAC Address: 0021.7070.87be
           IP Address: 10.10.31.4
            User-Name: 15919
               Status: Authz Success
               Domain: DATA
      Security Policy: Should Secure
      Security Status: Unsecure
       Oper host mode: single-host
     Oper control dir: both
        Authorized By: Authentication Server
          Vlan Policy: 31
              ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL: ACL-POSTURE-REDIRECT
         URL Redirect: https://RJ-ISE-2.rj.com:8443/guestportal/gateway?sessionId=0A0A0C860000002C89C063BE&action=cpp
      Session timeout: N/A
         Idle timeout: N/A
    Common Session ID: 0A0A0C860000002C89C063BE
      Acct Session ID: 0x0000003B
               Handle: 0xBD00002C

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

SW#sho ip access-lists int fast 0/12
     permit udp any any eq domain (13 matches)
     permit ip any host 10.10.10.125
     permit ip any 10.10.240.0 0.0.0.255
     permit ip any 10.10.31.0 0.0.0.255 (42 matches)
     permit ip any host 10.10.10.238 (15 matches)
     permit ip any host 10.10.10.239
     permit ip any host 10.10.10.206
     permit ip any host 10.10.10.10 (8 matches)
     permit ip any host 10.10.10.100

You may find attached also to log files ISE2-1 and ISE2-2 retrieved when we were testing the client machine with the ISE2 (scenario repeated 2 times that's why I retrieved 2 log files).

Regards

Zahi

Re: NAC agent failing to popup

Tarik Admani — Tue, 10 Jul 2012 13:45:38 GMT

Can you post show run aaa, and show run interface fa 0/12.

Thanks,

Tarik Admani

Sent from Cisco Technical Support iPad App

Re: NAC agent failing to popup

ZAHI BOU KHALIL — Tue, 10 Jul 2012 14:15:16 GMT

below are the outputs:

SW#sh run | in aaa
aaa new-model
aaa authentication login default local
aaa authentication login TEST group radius local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common

SW#sh run int fas 0/12
Building configuration...

Current configuration : 200 bytes
!
interface FastEthernet0/12
switchport access vlan 22
switchport mode access
switchport voice vlan 110
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end

Regards

Zahi

NAC agent failing to popup

Tarik Admani — Tue, 10 Jul 2012 15:27:05 GMT

Zahi,

Please use the following guide for reference, you need look into using an port based ACL which affects the way traffic is redirected.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html

Thanks,

Tarik Admani

NAC agent failing to popup

bikespace — Fri, 13 Jul 2012 21:52:14 GMT

When your NAC agent DOES pop up, what discovery nodes are listed in the pop up window? Are both of your ISE's in there?

Both ISE's need to be in there otherwise it won't recognise the second one.

Or you can use a wildcard such as *.mydomain.com

I don't have access to a box to steer you to the page that is configured on at the moment, but I'm sure you'll be able to find it if that is the problem.

Gaz

NAC agent failing to popup

Tarik Admani — Fri, 13 Jul 2012 22:42:03 GMT

Gaz,

That is not the proper way to configure the switch port and redirect urls, depending on your configuration and configuring the redirection profiles correctly the switch port should redirect all http, https and discovery agent traffic to the url that the ISE hands to the switchport. Similar to when you go to www.google.com and get redirected to download the nac agent, the same behavior must apply for tcp and udp traffic destined for the discovery ports.

Thanks,

Tarik Admani

NAC agent failing to popup

bikespace — Sat, 14 Jul 2012 21:53:34 GMT

Think you've misunderstood my reply, I haven't suggested a method of configuring redirection. I've stated that if the redirection is working properly and you don't configure both discovery nodes to be authenticated i.e. both discovery nodes needs to be listed, then you won't get pop ups, the NAC client won't recognise the ISE.

NAC agent failing to popup

Tarik Admani — Mon, 16 Jul 2012 22:57:46 GMT

Zahi,

I wanted to know if you were able to get this issue resolved?

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: NAC agent failing to popup

ZAHI BOU KHALIL — Tue, 24 Jul 2012 11:51:29 GMT

Dear Tarik/Bikespace,

I have added in the discovery host the name of the second ISE as per the below picture and it worked properly the agent is now able to pop up. but is there a way to do this for all user without going to the agent on each machine and adding the name of the second ISE2 manually?

Noting that at the beginning the only node listed in the discovery host was the ISE1.

Regards

Zahi

Re: NAC agent failing to popup

bikespace — Sat, 28 Jul 2012 17:32:39 GMT

I don't have access to an ISE at the moment to find it, but try this:

Policy > Policy Elements > Results > Client Provisioning > Resources

edit the profile and there should be a discovery host box.

Apologies, I'm guessing a little without access to the box, but it is definitely configurable, you don't have to add manually.

Re: NAC agent failing to popup

ZAHI BOU KHALIL — Fri, 17 Aug 2012 06:07:25 GMT

Hi Bikespace,

Thank you for your help, I have used this procedure and it is working now .

Much appreciated.

Zahi Boukhalil

Re: NAC agent failing to popup

pemasirid — Tue, 25 Dec 2012 14:06:06 GMT

Hi,

Could you please let us know what host name that you configured when you have two ISE appliance. In my ISE discovery host is configured with FQDN of primary ISE. So in the case of primary ISE down what name should I configured there..? so should we use any common name representing both ISE appliances or should we manually change the discovery host of 2nd ISE when primary is down.?

thanks in advance.

Re: NAC agent failing to popup

pemasirid — Wed, 02 Jan 2013 20:06:23 GMT

Hello Experts,

Can some one please give any resolution to the above.?