https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629511#M73908 <P>Hi <SPAN class="fullname" itemprop="author"><A class="username" href="https://supportforums.cisco.com/users/dennisnieuwenhuyzen" title="View user profile.">Dennis</A></SPAN></P><P>I got a similar scenario. Were you able to find a solution?</P><P>&nbsp;</P><P>Thanks</P><P>G</P> Thu, 08 Oct 2015 06:01:13 GMT Gaj Ana 2015-10-08T06:01:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629510#M73907 <P>Hello readers,</P><P>&nbsp;</P><P>Is it possible to set up Cisco ISE with posture <B>without&nbsp;</B>Client Provisioning?</P><P>&nbsp;</P><P>My customer deploys the NAC Agent via MS SCCM. We prefer a access accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.</P><P>&nbsp;</P><P>Regards,</P><P>Dennis</P><P>&nbsp;</P> Mon, 11 Mar 2019 05:34:30 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629510#M73907 dennisnieuwenhuyzen 2019-03-11T05:34:30Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629511#M73908 <P>Hi <SPAN class="fullname" itemprop="author"><A class="username" href="https://supportforums.cisco.com/users/dennisnieuwenhuyzen" title="View user profile.">Dennis</A></SPAN></P><P>I got a similar scenario. Were you able to find a solution?</P><P>&nbsp;</P><P>Thanks</P><P>G</P> Thu, 08 Oct 2015 06:01:13 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629511#M73908 Gaj Ana 2015-10-08T06:01:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629512#M73909 <P>The NAC agent needs to be redirected to find the PSN node that is servicing the session that was created when the switch/wlc tried to authenticate the user/machine, this is why you can't hardcode an ise server into the nac agent. However if you configure a discovery host in your nac client, then that is the only ip address you need to create a redirect for in your acl, everything else can be allowed. So just pick an unused ip address thats routeable, and use that as discovery host, then make sure that you redirect to provisioning when the agent makes it's http request on port 80 to that ip.</P> Thu, 08 Oct 2015 17:00:39 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629512#M73909 jan.nielsen 2015-10-08T17:00:39Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629513#M73910 <P>Hi Jan</P><P>Thanks for the feedback.</P><P>If we don't use the discovery host and in the case of pre-deployed agent just wondering how does the agent will try to discover a PSN . Assuming there can be more than one PSN's in a distributed setup and since the browser method is not used no session is created initially and agent is unaware which PSN to connect to?</P><P>Thanks</P><P>G</P> Thu, 08 Oct 2015 23:28:12 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629513#M73910 Gaj Ana 2015-10-08T23:28:12Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629514#M73911 <P>The Agent will run through different probes to detect the redirect with the session in the url, to find the psn. If there is no redirect, it will never find the psn, this is required to make it work. This is a good guide for technical info on the swiss protocol : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118724-technote-ise-00.html#anc2</P> Thu, 08 Oct 2015 23:36:27 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629514#M73911 jan.nielsen 2015-10-08T23:36:27Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629515#M73912 <P>I indeed solved it without hardcoding the ISE server in the NAC-agent. The problem we had was that when not using GigE0 Cisco ISE returned a IP-adres of the interface instead of a hostname. We resolved this using the ip host command on the PSN cli.</P><P>http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#pgfId-2567879</P> Fri, 09 Oct 2015 05:22:48 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629515#M73912 dennisnieuwenhuyzen 2015-10-09T05:22:48Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629516#M73913 <P>Thanks Dennis</P> Fri, 09 Oct 2015 12:10:36 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629516#M73913 Gaj Ana 2015-10-09T12:10:36Z https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629517#M73915 <P>Thanks Jan</P> Fri, 09 Oct 2015 12:11:34 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-1-3-posture-without-client-provisioning/m-p/2629517#M73915 Gaj Ana 2015-10-09T12:11:34Z