03-23-2015 12:09 PM - edited 03-10-2019 10:34 PM
Hello readers,
Is it possible to set up Cisco ISE with posture without Client Provisioning?
My customer deploys the NAC Agent via MS SCCM. We prefer an access accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.
Regards,
Dennis
10-07-2015 11:01 PM
10-08-2015 10:00 AM
The NAC agent needs to be redirected to find the PSN node that is servicing the session that was created when the switch/WLC tried to authenticate the user/machine; this is why you can't hardcode an ISE server into the NAC agent. However, if you configure a discovery host in your NAC client, then that is the only IP address you need to create a redirect for in your ACL; everything else can be allowed. So just pick an unused IP address that's routable and use that as discovery host, then make sure that you redirect to provisioning when the agent makes its HTTP request on port 80 to that IP.
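As an added illustration of the approach described above (not configuration from the original thread or from Cisco), this is what the switch-side redirect ACL looks like on a Cisco IOS access switch, with the broad version that redirects every HTTP flow next to the narrow version that only catches the agent's request to the discovery host. The discovery host address 192.0.2.10 and the ACL names are placeholders; on IOS, a permit entry in the redirect ACL means "redirect this traffic", which is the opposite sense from a WLC redirect ACL.

```cisco
! Broad redirect ACL: every HTTP/HTTPS flow in the pending state is sent to the
! client-provisioning portal, so users with a pre-deployed agent still see the portal.
ip access-list extended ACL-POSTURE-REDIRECT-BROAD
 remark do not redirect DNS or traffic to the PSN itself (PSN address is a placeholder)
 deny   udp any any eq domain
 deny   ip  any host 192.0.2.20
 remark permit = redirect on IOS
 permit tcp any any eq www
 permit tcp any any eq 443

! Narrow redirect ACL: only the agent's discovery probe (HTTP to the discovery host)
! is redirected; all other traffic in the pending state is governed by the DACL.
ip access-list extended ACL-POSTURE-REDIRECT-NARROW
 remark 192.0.2.10 is the unused, routable address configured as the agent's discovery host
 permit tcp any host 192.0.2.10 eq www
 deny   ip  any any

! Redirection is only honoured if the switch runs its HTTP server.
ip http server
ip http secure-server
```

The ISE authorization profile for the posture-pending state then pairs a permissive DACL (for example, permit ip any any) with a web redirection of type Client Provisioning that references ACL-POSTURE-REDIRECT-NARROW by name, so the agent finds the PSN through the single redirected request while the endpoint keeps normal network access.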
10-08-2015 04:28 PM
Hi Jan
Thanks for the feedback.
If we don't use the discovery host, and in the case of a pre-deployed agent, just wondering how the agent will try to discover a PSN. Assuming there can be more than one PSN in a distributed setup, and since the browser method is not used, no session is created initially and the agent is unaware which PSN to connect to?
Thanks
G
10-08-2015 04:36 PM
The Agent will run through different probes to detect the redirect with the session in the URL, to find the PSN. If there is no redirect, it will never find the PSN; this is required to make it work. This is a good guide for technical info on the SWISS protocol: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118724-technote-ise-00.html#anc2
10-09-2015 05:11 AM
Thanks Jan
10-08-2015 10:22 PM
I indeed solved it without hardcoding the ISE server in the NAC agent. The problem we had was that when not using GigE0, Cisco ISE returned an IP address of the interface instead of a hostname. We resolved this using the ip host command on the PSN CLI.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#pgfId-2567879
10-09-2015 05:10 AM
Thanks Dennis