Coexistence of NAC Agent and AnyConnect Posture agent

Neelesh Marathe
Cisco Employee

Team,

I am working with a customer where ISE 1.2 and ISE 1.3 are running in parallel. The customer is using AAA + posture. Gradually everything will be moved to ISE 1.3, but during the deployment phase a few users will be pointed to ISE 1.2 and a few users to ISE 1.3. The customer is currently running AnyConnect 3.x and NAC agent 4.9.0.1013 and will be upgraded to AnyConnect 4.x with the NAM and posture modules.

There will be scenarios where the endpoint has both the NAC agent and the AnyConnect posture agent installed and the RADIUS server is ISE 1.2. I tested this scenario in my lab and found that the NAC agent pops up but throws the error "Access to Network is blocked by Administrator, please contact your system administrator". If I try it multiple times, I get success and the NAC agent does complete the posture assessment. I tried a couple of NAC agent versions, 4.9.4.3 and 4.9.5.8, with the same behavior. I am still using ISE 1.2 as the RADIUS server.

Is this the expected behavior when the NAC agent and the AnyConnect agent coexist? Do I need to disable posture during the migration phase and enable it once users are completely migrated to ISE 1.3 and upgraded to the AnyConnect modules?

Thanks,

Neelesh Marathe

2 Replies

hslai
Cisco Employee
Accepted Solution

Our ISE posture lead TME recommended NAC agent 4.9.5 because of back-off algorithm support.

I would suggest trying to isolate whether the agent is contacting an incorrect ISE node by blocking TCP 8443, TCP 8905 and UDP 8905 to the ISE 1.3 deployment.

If this is post-sale, please also engage TAC. If you prefer troubleshooting it yourself, you may first enable DEBUG on swiss and posture and then check the ISE debug logs after a recreate.
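The isolation test suggested above, on a Windows endpoint, as an added example that is not part of the original thread or of any Cisco tooling. It uses the built-in NetSecurity cmdlets to block only the ports the reply names (TCP 8443 for the ISE web portals used in client provisioning, TCP and UDP 8905 for the agent discovery and posture channel) toward the ISE 1.3 policy service nodes, so the ISE 1.2 nodes stay reachable and the agent's behavior can be retested with the 1.3 path removed. The node addresses and the rule name prefix are placeholders and must be replaced with the customer's values; nothing here is taken from the poster's environment.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the test endpoint that has both the NAC agent and AnyConnect installed.
# The addresses below are placeholders (assumption); replace them with the
# customer's ISE 1.3 PSN addresses. RFC 5737 documentation range is used here.
$Ise13Nodes = @('192.0.2.10', '192.0.2.11')
$RulePrefix = 'ISE13-Isolation'

# The three ports the reply asks to block toward the ISE 1.3 deployment.
$Blocks = @(
    @{ Protocol = 'TCP'; Port = 8443 },   # ISE web portals (client provisioning)
    @{ Protocol = 'TCP'; Port = 8905 },   # agent discovery / posture
    @{ Protocol = 'UDP'; Port = 8905 }    # agent discovery / posture
)

foreach ($b in $Blocks) {
    $name = "$RulePrefix-$($b.Protocol)-$($b.Port)"
    # Remove any stale copy first so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Outbound block scoped to the ISE 1.3 nodes only; ISE 1.2 remains reachable.
    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol $b.Protocol -RemotePort $b.Port `
        -RemoteAddress $Ise13Nodes | Out-Null
}

# Verify the block before retesting: a TCP connect to 8443 on each ISE 1.3 node
# must now fail (TcpTestSucceeded = False). UDP cannot be probed this way, so
# confirm the UDP rule by listing it.
foreach ($node in $Ise13Nodes) {
    $r = Test-NetConnection -ComputerName $node -Port 8443 -WarningAction SilentlyContinue
    '{0}:8443 TcpTestSucceeded={1}' -f $node, $r.TcpTestSucceeded
}
Get-NetFirewallRule -DisplayName "$RulePrefix-*" |
    Select-Object DisplayName, Enabled, Direction, Action

# Now reproduce the posture attempt with the NAC agent. When finished, remove the rules:
# Get-NetFirewallRule -DisplayName "$RulePrefix-*" | Remove-NetFirewallRule
```

If the "Access to Network is blocked by Administrator" error disappears while these rules are active, the agent was reaching the ISE 1.3 deployment during discovery; if it persists, the problem lies on the ISE 1.2 path and the swiss/posture DEBUG logs on the 1.2 PSN are the next place to look. Remove the rules after the test so the endpoint is not left partially isolated.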

Hello Hsing,

I apologize for the delay in response.

Thanks for your inputs. Let me troubleshoot it myself and, if required, I will involve TAC.

Thanks,

Neelesh Marathe
