Beginner

ISE - Unable to resolve ISE portal page for downloading NAC.

Hi Everyone,

We are testing a Microsoft endpoint which belongs to the customer's domain network to authenticate via ISE. The authentication works fine, but during the posture analysis the endpoint doesn't redirect to the ISE portal for downloading the NAC. (Note: an MS endpoint which is not in the domain, i.e. not part of AD, doesn't have this problem.)

After contacting TAC and running several packet captures we found that the Microsoft direct access is causing the problem. Because of it we are not able to resolve the intranet DNS queries.

Please find the below link for reference:

https://technet.microsoft.com/en-us/library/ee844142(v=ws.10).aspx

The option of disabling the Microsoft direct access is ruled out for now. It would be great if someone could give me a solution.


Accepted Solutions
Beginner

Re: ISE - Unable to resolve ISE portal page for downloading NAC.

This issue was resolved when we added the Microsoft Direct Access server's IP to the permit IP address of DACL.

Since the endpoint was not able to reach the MDA server during the initial phase of posturing, it assumes that it's outside the corporate network and tries to connect to the network when it is actually inside. When we allowed the MDA's IP address in the DACL, everything started to work fine.

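The fix this answer describes, shown as an added illustration that is not from the original post: a posture-pending downloadable ACL (DACL) as entered in ISE, first without and then with the DirectAccess server permitted. The PSN and DirectAccess addresses are constructed placeholders.

```ios
! Posture-pending DACL content (constructed example; addresses are placeholders)
!
! Before the fix: DNS, DHCP and the ISE PSN are reachable, but the
! DirectAccess server is not, so a domain-joined client assumes it is
! outside the corporate network and never follows the ISE redirect.
permit udp any any eq domain
permit udp any any eq bootps
permit ip any host 10.10.10.5
deny ip any any
!
! After the fix: the DirectAccess server IP is also permitted, so the
! client sees it is inside the network and the portal redirect works.
permit udp any any eq domain
permit udp any any eq bootps
permit ip any host 10.10.10.5
permit ip any host 10.20.20.9
deny ip any any
```

The `!` lines are annotations only; paste just the permit/deny lines into the DACL content field, and keep the final deny so that only the listed destinations are reachable before posture completes.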

3 REPLIES
Cisco Employee

Re: ISE - Unable to resolve ISE portal page for downloading NAC.

I'm glad the TAC was able to troubleshoot and find the problem.

ISE cannot control/override the endpoints' DNS behavior if the Microsoft Admin has provisioned it not to resolve certain DNS queries.

Cisco Employee

Re: ISE - Unable to resolve ISE portal page for downloading NAC.

To expand, I would recommend that Microsoft DA is disabled from auto start. Let the client do what it needs to, and then DA can be launched.

Keep in mind anytime the device is required to posture then DA will need to be stopped so it can talk to ISE. Unless allowed through the tunnel?

Or perhaps static DNS entries on the devices for each ISE node

ISE 2.2 with the removal of the need for URL redirection might help as well. Anyconnect posture can talk to

You could push out the agent through a management tool or force them to go to static PSN URL (such as getpostureagent.domain.com)

Anyway, this will need validation in the lab to understand how to approach it.
