Cisco ISE (1.3) Posture without Client Provisioning

Hello readers,

 

Is it possible to set up Cisco ISE with posture without Client Provisioning?

 

My customer deploys the NAC Agent via MS SCCM. We prefer an access accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.

 

Regards,

Dennis

 

7 Replies

Gaj Ana
Level 1

Hi

I got a similar scenario. Were you able to find a solution?

 

Thanks

G

The NAC agent needs to be redirected to find the PSN node that is servicing the session that was created when the switch/WLC tried to authenticate the user/machine; this is why you can't hardcode an ISE server into the NAC agent. However, if you configure a discovery host in your NAC client, then that is the only IP address you need to create a redirect for in your ACL; everything else can be allowed. So just pick an unused IP address that's routable and use that as the discovery host, then make sure that you redirect to provisioning when the agent makes its HTTP request on port 80 to that IP.
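As an added example, not from the thread and not Cisco's own documentation, this is the shape of an IOS switch configuration that implements the advice above: a URL-redirect ACL that catches only the agent's HTTP probe to the discovery host and leaves everything else to the DACL. The addresses 192.0.2.10 (discovery host) and 192.0.2.20 (PSN) are constructed placeholders and the ACL name is an assumption. Note the redirect-ACL semantics on IOS: `permit` entries are redirected, `deny` entries bypass the redirect.

```cisco
! Added example (not from the thread). Placeholder addresses:
!   192.0.2.10 = unused, routable address used as the NAC agent discovery host
!   192.0.2.20 = ISE PSN
! The switch must run its HTTP server for URL redirection to work.
ip http server
ip http secure-server

! Redirect ACL referenced by the ISE authorization profile for the posture-pending state.
! In an ISE URL-redirect ACL: "permit" = redirect this traffic, "deny" = do not redirect.
ip access-list extended ACL-POSTURE-REDIRECT
 ! Never redirect DNS, DHCP, or traffic to the PSN itself.
 deny   udp any any eq domain
 deny   udp any any eq bootps
 deny   ip  any host 192.0.2.20
 ! Only the agent's HTTP probe to the discovery host is redirected to client provisioning.
 permit tcp any host 192.0.2.10 eq www
 ! Everything else bypasses the redirect; whether it is reachable is decided by the DACL.
 deny   ip  any any
```

The DACL itself is defined on ISE, not on the switch; for the pending state it must at least permit DNS, DHCP, the PSN (192.0.2.20) and TCP/80 to the discovery host (192.0.2.10), plus whatever the customer wants to allow while posture is unknown. The authorization profile for the pending state then references ACL-POSTURE-REDIRECT as the redirect ACL together with client-provisioning (posture) web redirection, so the access accept and DACL the question asks for are returned while only the discovery-host probe triggers the redirect that lets the agent learn its PSN.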

Hi Jan

Thanks for the feedback.

If we don't use the discovery host, and in the case of a pre-deployed agent, just wondering how the agent will try to discover a PSN. Assuming there can be more than one PSN in a distributed setup, and since the browser method is not used, no session is created initially and the agent is unaware which PSN to connect to?

Thanks

G

The Agent will run through different probes to detect the redirect with the session in the URL, to find the PSN. If there is no redirect, it will never find the PSN; this is required to make it work. This is a good guide for technical info on the SWISS protocol: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118724-technote-ise-00.html#anc2

Thanks Jan

I indeed solved it without hardcoding the ISE server in the NAC agent. The problem we had was that when not using GigE0, Cisco ISE returned an IP address of the interface instead of a hostname. We resolved this using the ip host command on the PSN CLI.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#pgfId-2567879

Thanks Dennis
