topic Hi Mohan,I have done the in Network Access Control

ISE 1.2.0 - Issue with Posture

Prasan Venky — Mon, 11 Mar 2019 04:58:41 GMT

Hi Experts,

I installed ISE 1.2.0.899 Patch 3. While testing, we found the below.

1) Authentication Suceeded

2) Redirection to NAC Agent Page is happening

3) NAC Version 4.9.4.3 (latest) is getting downloaded.

4) Status in ISE is shown as 'Pending' and stays the same.

Even i tried changing the NAC agent version to 4.9.0.42. But stuck in Pending status only.

Is there any solution for this..? do i need to apply patch or version..?

Thanks in advance.

ISE posture dropped via CoA

mohanak — Thu, 28 Aug 2014 08:04:51 GMT

CSCul66272

Description

Symptom:
The NAC Agent gets suck in a posture loop. The sequence of events seen for the agent is:
1) An authentication entry is seen for the host and posture is set to pending.
2) A CoA is sent for the host with the posture status matching the globally set default posture status.
3) An authentication is again seen for the host with the posture status set to pending.

Conditions:
ISE 1.2.0.899
An application is installed on the end host that sends an HTTP or HTTPS packet with an unknown user-agent.
Posture is configured and in use.

Last Modified:

Jun 9,2014

Status:

Fixed

Severity:

3 Moderate

Product:

Cisco Identity Services Engine (ISE) 3300 Series Appliances

Known Affected Releases:

(1)

1.2(0.899)

Known Fixed Releases:

(2)

1.2(0.907)

1.2(1.198)

Thank you so much for the

Prasan Venky — Thu, 28 Aug 2014 09:43:37 GMT

Thank you so much for the response.

Now i am planning to upgrade it to 1.2.1 from 1.2.0.899. Can you please help me how to upgrade and what are the procedure.

Instructions for Upgrading to

mohanak — Thu, 28 Aug 2014 10:43:34 GMT

Instructions for Upgrading to Cisco ISE, Release 1.2.1

You can upgrade to Cisco ISE, Release 1.2.1 directly from any of the following releases:

Cisco ISE, Release 1.1.0.665 with patch 5 or later
Cisco ISE, Release 1.1.1.268 with patch 7 or later
Cisco ISE, Release 1.1.2 with patch 10 or later
Cisco ISE, Release 1.1.3 with patch 11 or later
Cisco ISE, Release 1.1.4 with patch 11 or later
Cisco ISE, Release 1.2.0.899 with patch 8 or later

The process for upgrading to Release 1.2.1 is the same as upgrading to Release 1.2. The system reboots twice when you upgrade from Release 1.1.x to 1.2.1 because it involves a 32-bit to 64-bit system upgrade, but only once when you upgrade from Release 1.2.x to 1.2.1 because Release 1.2 is a 64-bit system.

The application upgrade command is enhanced and includes the cleanup, prepare, and proceed options. You can use:

Cleanup—To clean a previously prepared upgrade bundle on a node locally. You can use this option if:
- The application upgrade prepare command was interrupted for some reason
- The application upgrade prepare command was run with an incorrect upgrade bundle
- The upgrade failed for some reason
Prepare—To download and extract an upgrade bundle locally. You can use this command followed by the application upgrade proceed command.
Proceed—To upgrade Cisco ISE using the upgrade bundle you extracted with the prepare option. You can use this option after preparing an upgrade bundle instead of using the application upgrade ise-upgradebundle-1.2-to-1.2.1.xxx.i386.tar.gz remote-repository command.
- If upgrade is successful, this option removes the upgrade bundle.
- If upgrade fails for any reason, this option retains the upgrade bundle.
- http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/upgrade_guide/b_ise_upgrade_guide/b_ise_upgrade_guide_chapter_01.html#reference_4FF9C8C761A0456E8A94A7B307A603F5

Thanks for the Response. I

Prasan Venky — Mon, 08 Sep 2014 07:29:57 GMT

Thanks for the Response. I upgraded them now.

My doubt is AD should be integrated with Admin or PSN's ..?

if i'm understanding our

MMstre — Mon, 08 Sep 2014 16:41:23 GMT

if i'm understanding our question correctly... The PSNs get their database from the admin node. So AD would integrate with the admin node.

a couple thing...1. on the

MMstre — Mon, 08 Sep 2014 16:44:58 GMT

a couple thing...

1. on the switch where the PC is plugged in while it is pending state, enter the command "clear authentication session interface <x/x>"

Does it then launch the NAC agent?

2. Are your redirect ACLs properly configured?

3. Is DNS and PSN allowed in the preauth and pre-posture ACL?

4. are you doing machine auth or just user?

5. what switch code are you using?

Thank you so much Mr. Michael

Prasan Venky — Tue, 09 Sep 2014 10:53:26 GMT

Thank you so much Mr. Michael.

I have integrated with Primary Admin Node and also PSN. But i was able to retrieve groups only on Admin. As you say, PSN gets DB from Admin, it won't be a problem think 🙂 thank you....

Hi Mohan,I have done the

Prasan Venky — Mon, 06 Oct 2014 10:39:35 GMT

Hi Mohan,

I have done the upgradation of ISE to the 1.2.1 but still i am facing the same error 😞