topic Re: Self Provisioning - Supplicant then NAC in Network Access Control

Self Provisioning - Supplicant then NAC

David Boos — Mon, 11 Mar 2019 03:46:16 GMT

I'm trying to setup a scenario such as -

Laptop brought on network - joins open wireless network - through open wireless network it registers with ISE using the supplicant wizard - once the supplicant wizard completes it joins a secure SSID - after navigating to another webpage NAC is delivered and client is postured.

I've gotten all the way to the last part. It runs through the supplicant wizard, successfully registers, and joins the 802.1x network without a problem.

When I go to any other webpage it redirects me to "Unable to verify credentials required to access the network." page. The only way to stop it is to remove it from the clients page on the WLC - once it's removed and rejoins the 802.1x network the NAC agent install comes up, installs, and postures according to the posture policies.

It seems like everything is where it should be but it doesn't install at the proper time without being removed from the network.

Re:Self Provisioning - Supplicant then NAC

Tarik Admani — Wed, 14 Aug 2013 13:17:11 GMT

Is this for wireless? What version of contoller code are you on?

Sent from Cisco Technical Support Android App

Self Provisioning - Supplicant then NAC

David Boos — Wed, 14 Aug 2013 13:36:09 GMT

I have a Cisco 5508 running 7.5.102.0 - I was on 7.4 and had the same issue.

Self Provisioning - Supplicant then NAC

Tarik Admani — Fri, 16 Aug 2013 04:04:15 GMT

I am testing this same scenario also. When the client connects to the SSID after the onboarding provisioning is completed what do you see as far as the client entry? Is it in a RUN state. Also does the state change when you remove the user from the client database?

Sorry i didnt read through your first post, I see now that you are on wireless.

Tarik Admani
*Please rate helpful posts*

Self Provisioning - Supplicant then NAC

David Boos — Fri, 16 Aug 2013 04:34:23 GMT

No problem. I've attached screenshots from the WLC. These are the only differences between when the client is on the controller after the supplicant has been installed and after I have removed the client from the controller and it has authenticated. It seems the only difference is the session ID.

In the authentication logs you can see where the session changes and I've forced the client to reconnect.

1st redirect URL

/guestportal/gateway?sessionId=ac1e104500000c73520da9cc&action=cpp

2nd redirect URL

/guestportal/gateway?sessionId=ac1e104500000c74520daa40&action=cpp

I've attached authentication logs as well.

Before

After

ISE Authentication log screenshot.

Self Provisioning - Supplicant then NAC

David Boos — Sun, 18 Aug 2013 01:20:56 GMT

These are my provisioning policies.

Re: Self Provisioning - Supplicant then NAC

Tarik Admani — Sun, 18 Aug 2013 02:28:01 GMT

David,

I am trying to follow the authorization logs, however in my scenario on version 1.1.4 patch 3 the below is sequence of my use case, it looks like you are on 1.2...

Client authenticates with CWA

Client is redirected to the native supplication provisioning portal

clients connects with 802.1x

Client is redirected to posture

Finally posture status determines fate of connection

In the logs you provided I see the following in your sequence...

Client authenticates with CWA

----I do not see the client redirected to the NSP phase---

Client authenticates with eap-tls

Then after the delay you are hitting it connects and is compliant

Can you delete the endpoint entry, and the wireless network profile and run through the entire process. From what I can tell your policies look fine and you are using the nac agent. Also when you get redirected to the page not available message, can you verify that the sessionid in the url matches the session id in the ise logs?

Are you using the default ip value or are you customizing the hostname that is sent in the authorization profile?

Thanks,

Tarik Admani
*Please rate helpful posts*

Self Provisioning - Supplicant then NAC

David Boos — Sun, 18 Aug 2013 02:43:12 GMT

You are correct, sorry I didn't mention it - I'm on ISE 1.2.

No customization and the supplicant hits right after the login which is how it arrives at the EAP-TLS phase.

The logs I've posted are of a client that has not been registered and has been removed from the WLC before the attempt (it's my test Win7 client). I've tried clients that have never been registered to ISE with the same result just to be sure it's not a problem with the client.

The URLs passed by ISE do match the session ID.

Re: Self Provisioning - Supplicant then NAC

Tarik Admani — Sun, 18 Aug 2013 02:49:27 GMT

David,

What I am trying to see--based on my experience---is the native supplciant provisioning phase. Can you post a screenshot of the Client_unknown authorization policy?

Thanks,

Tarik Admani
*Please rate helpful posts*

Self Provisioning - Supplicant then NAC

David Boos — Sun, 18 Aug 2013 02:53:59 GMT

I've attached screenshots of the policy below.

Self Provisioning - Supplicant then NAC

Tarik Admani — Sun, 18 Aug 2013 03:09:25 GMT

Can you provide the ACL contents of the ACL_Client_Unknown? Are you running multiple PSNs? Also send me the screenshot of the graybox that shows all the attributes for the attributes you sent above?

Thanks,

Tarik Admani
*Please rate helpful posts*

Self Provisioning - Supplicant then NAC

David Boos — Sun, 18 Aug 2013 03:14:21 GMT

I have two ISE nodes, one is primary on all services the other is secondary on all services.

I have two WLC's one with the high availability SKU - it is in hot standby mode during these tests.

ACL for Client Unknown - 172.30.16.70 and .71 are the ISE nodes.

Attribute information -

Self Provisioning - Supplicant then NAC

Tarik Admani — Sun, 18 Aug 2013 06:38:09 GMT

Can you add an entry to deny all traffic to port 80, this will help in failover scenarios if the discovery host is pointing to an ise node that isnt servicing the redirect request. I do not think this will fix your scenario but everything else looks solid.

typically the discovery agent updates at the time the ise is redirected for posturing, so when the nac agent connects it sends a http discovery probe for the discovery host, if ise1 is the discovery host and ise2 is the active psn for the session, then the discovery probe will see the session is redirected to a different psn to prevent this scenario.

I also allowing dhcp traffic in the ACL which I recommend disabling so the client is forced to re-ip during the CWA to 802.1x transition. When you reproduce the issue where the client is unable to view the page, check the ip address and make sure that the client still doesnt have the old ip address, if so then the dhcp entries in the ACL may be the issue.

It would be best to run a packet capture on the test client to see if dns resolution is failing or if ISE sending back the error.

Thanks,

Tarik Admani
*Please rate helpful posts*

Re:Self Provisioning - Supplicant then NAC

David Boos — Fri, 30 Aug 2013 02:16:39 GMT

Disabling fast ssid switching in the wireless lan controller fixed the issue.

Sent from Cisco Technical Support Android App

Self Provisioning - Supplicant then NAC

andikamulya — Tue, 22 Oct 2013 06:23:14 GMT

I had this problem too and as David did, disabling fast ssid solved the issue.

Is there any drawback for this? I read somewhere this setting help Apple IOS to move between SSID.

Self Provisioning - Supplicant then NAC

blenka — Fri, 25 Oct 2013 23:36:33 GMT

Symptoms or Issue

Client machine browser displays a "no policy matched" error message after user authentication and authorization.

Conditions

This issue applies to user sessions during the client provisioning phase of authentication.

Possible Causes

The client provisioning resource policy could be missing required settings.

Resolution

•Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy. (Also ensure whether or not there is any agent profile configured under Policy > Policy Elements > Results > Client Provisioning > Resources > Add > ISE Posture Agent Profile, even a profile with all default values.)

•Try reauthenticating the client machine by bouncing the port on the access switch.

I had the same issue but with

Ramon Thomas — Tue, 13 May 2014 17:56:41 GMT

I had the same issue but with wired 802.1x authentication/PEAP, but the resolution was extremely similar. Simply disabling Fast Reconnect under the PEAP settings fixed my problem.