Dynamic Selection of Discovery Host in NAC Agent

We have a deployment with multiple PSN nodes.

When the primary PSN is taken down, the NAC agent doesn't behave as expected.

Both PSN nodes are added in the RADIUS configurations of the SW / WLC.

Redirect ACLs are symmetrical for both PSN nodes.

Any clue on how to get dynamic selection of the discovery host if one PSN is out?

Thanks in advance.

2 Replies

jan.nielsen
Level 7

Just to clarify:

Discovery host is supposed to be set to something that gets redirected to the PSN that authenticated your PC. This means that if a PSN is down, then the switch/WLC will use the other PSN to authenticate, which will result in ISE redirecting to that PSN, so that shouldn't be an issue. You should NOT set discovery host to any of your ISE servers.

Maybe show us some ISE logs from where the redirect rule is hit, and try to point a browser to the discovery host you entered into the NAC agent on port 80, and see what server you are redirected to.
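The port-80 check suggested in the reply above can also be scripted from the client. This is an added example, not part of the original reply and not Cisco tooling; the function names are hypothetical, and the discovery host and PSN names are supplied by whoever runs it.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirect_target(host, port=80, path="/", timeout=5):
    """Send one plain-HTTP GET and report the redirect without following it.

    Returns (status, location, redirect_host); the last two are None
    when the response is not a redirect.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "redirect-check"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if status not in REDIRECT_CODES or not location:
        return status, None, None
    # A relative Location stays on the host that was queried.
    return status, location, urlsplit(location).hostname or host.lower()


def check_redirect(host, expected_psns, port=80, path="/"):
    """Say whether the redirect lands on one of the PSNs the caller expects."""
    status, _, target = redirect_target(host, port, path)
    if target is None:
        return f"HTTP {status}: request was not redirected"
    if target in {p.lower() for p in expected_psns}:
        return f"HTTP {status}: redirected to expected PSN {target}"
    return f"HTTP {status}: redirected to unexpected host {target}"


if __name__ == "__main__":
    # Arguments: the discovery host, then every PSN name that would be acceptable.
    if len(sys.argv) < 3:
        sys.exit("usage: check_redirect.py DISCOVERY_HOST PSN [PSN ...]")
    print(check_redirect(sys.argv[1], sys.argv[2:]))
```

Running it once with both PSNs reachable and once with PSN-1 unreachable shows whether the redirect target follows the PSN that handled the authentication.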

Hi Jan,

Thanks for the response.

As of now we haven't mentioned any discovery host manually in the posture agent profile, and things are working as expected.

But when we make PSN-1 unreachable for that switch, the machine authentication happens, then posture pending status also comes. But after that even though the log shows as compliant, it doesn't show any authorization profile.

What we want to achieve is, the NAC agent properties should show PSN name/IP address dynamically.
