Cisco Employee

Coexistence of NAC Agent and AnyConnect Posture agent

Team,

I am working with a customer where ISE 1.2 and ISE 1.3 are running in parallel. The customer is using AAA+posture. Gradually everything will be moved to ISE 1.3, but during the deployment phase, a few users will be pointed to ISE 1.2 and a few users to ISE 1.3. The customer is currently running AnyConnect 3.x and NAC agent 4.9.0.1013 and will be upgraded to AnyConnect 4.x with NAM and posture module.

There will be scenarios where an endpoint will have both the NAC agent and the AnyConnect posture agent installed and the RADIUS server will be ISE 1.2. I tested the scenario in my lab and found that the NAC agent pops up but throws an error: "Access to Network is blocked by Administrator, please contact your system administrator". If I try it multiple times, I get success and the NAC agent does complete the posture assessment. I tried a couple of versions of the NAC agent, like 4.9.4.3 and 4.9.5.8, but saw the same behavior. I am still using ISE 1.2 as the RADIUS server.

Is this the expected behavior when the NAC agent and the AnyConnect agent coexist? Do I need to disable posture during the migration phase and enable it when users are completely migrated to ISE 1.3 and upgraded to AnyConnect modules?

Thanks,

Neelesh Marathe

Accepted Solutions
Cisco Employee

Re: Coexistence of NAC Agent and AnyConnect Posture agent

Our ISE posture lead TME recommended NAC agent 4.9.5 because of back-off algorithm support.

I would suggest trying to isolate whether the agent is contacting an incorrect ISE node by blocking TCP-8443, TCP-8905 and UDP-8905 to the ISE 1.3 deployment.

If this is post-sale, please also engage TAC. If you prefer troubleshooting it yourself, you may first enable DEBUG on swiss and posture and then check ISE debug logs after a recreate.
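
One way to run the isolation test suggested in the reply above from a Windows lab endpoint, as an added example that is not part of the original thread or any Cisco tooling. It assumes an elevated PowerShell session; the ISE 1.3 node addresses and the rule group name are placeholders.

```powershell
# Assumptions (not from the thread): Windows endpoint, elevated session,
# placeholder addresses for the ISE 1.3 nodes, hypothetical rule group name.
$Ise13Nodes = @('192.0.2.10', '192.0.2.11')   # placeholders: use the lab ISE 1.3 node IPs
$RuleGroup  = 'ISE13-Posture-Isolation'        # hypothetical name, used for cleanup

function Add-Ise13PostureBlock {
    # Block rules only take effect on profiles where Windows Firewall is enabled.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
    if ($off) { Write-Warning "Firewall not enabled on profile(s): $($off.Name -join ', ')" }

    # Ports named in the reply: TCP 8443, TCP 8905 and UDP 8905.
    New-NetFirewallRule -DisplayName 'Block ISE 1.3 TCP 8443/8905' -Group $RuleGroup `
        -Direction Outbound -Action Block -Protocol TCP `
        -RemoteAddress $Ise13Nodes -RemotePort 8443, 8905 | Out-Null
    New-NetFirewallRule -DisplayName 'Block ISE 1.3 UDP 8905' -Group $RuleGroup `
        -Direction Outbound -Action Block -Protocol UDP `
        -RemoteAddress $Ise13Nodes -RemotePort 8905 | Out-Null
}

function Test-Ise13PostureBlock {
    # Confirms the TCP ports are unreachable; Test-NetConnection cannot probe UDP 8905.
    foreach ($node in $Ise13Nodes) {
        foreach ($port in 8443, 8905) {
            $r = Test-NetConnection -ComputerName $node -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Node = $node; Port = $port; Reachable = $r.TcpTestSucceeded }
        }
    }
}

function Remove-Ise13PostureBlock {
    # Removes both rules created above.
    Remove-NetFirewallRule -Group $RuleGroup
}

Add-Ise13PostureBlock
Test-Ise13PostureBlock | Format-Table
# Retry the posture assessment against ISE 1.2 now, then clean up with:
# Remove-Ise13PostureBlock
```

If the NAC agent completes posture on the first attempt while every row shows `Reachable` as `False`, the earlier failures point to the agent reaching an ISE 1.3 node.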

Cisco Employee

Re: Coexistence of NAC Agent and AnyConnect Posture agent

Hello Hsing,

I apologize for the delay in response.

Thanks for your inputs. Let me troubleshoot it myself, and if required I will involve TAC.

Thanks,

Neelesh Marathe