03-23-2015 12:09 PM - edited 03-10-2019 10:34 PM
Is it possible to set up Cisco ISE with posture without Client Provisioning?
My customer deploys the NAC Agent via MS SCCM. We prefer an access accept + DACL during the pending state instead of redirecting to client provisioning. But the NAC Agent will only communicate when we redirect to client provisioning.
10-07-2015 11:01 PM
10-08-2015 10:00 AM
The NAC agent needs to be redirected to find the PSN node that is servicing the session that was created when the switch/WLC tried to authenticate the user/machine; this is why you can't hardcode an ISE server into the NAC agent. However, if you configure a discovery host in your NAC client, then that is the only IP address you need to create a redirect for in your ACL; everything else can be allowed. So just pick an unused IP address that's routable, and use that as the discovery host, then make sure that you redirect to provisioning when the agent makes its HTTP request on port 80 to that IP.
10-08-2015 04:28 PM
Thanks for the feedback.
If we don't use the discovery host, and in the case of a pre-deployed agent, just wondering how the agent will try to discover a PSN. Assuming there can be more than one PSN in a distributed setup, and since the browser method is not used, no session is created initially and the agent is unaware which PSN to connect to?
10-08-2015 04:36 PM
The agent will run through different probes to detect the redirect with the session in the URL, to find the PSN. If there is no redirect, it will never find the PSN; this is required to make it work. This is a good guide for technical info on the SWISS protocol: http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118724-technote-ise-00.html#anc2
10-09-2015 05:11 AM
10-08-2015 10:22 PM
I indeed solved it without hardcoding the ISE server in the NAC agent. The problem we had was that when not using GigE0, Cisco ISE returned an IP address of the interface instead of a hostname. We resolved this using the ip host command on the PSN CLI.
10-09-2015 05:10 AM