ISE 1.1.0 posture troubleshooting

vrz rrr
Level 1

Hello,

I have an authorization rule which verifies that the AV (McAfee 12.x) is installed (thanks to the NAC agent), time restriction, and so on....

The connection failed with this code: 15039 Rejected per authorization profile

How can I obtain some more details on that?

I mean, I'd like to know which condition is not verified and leads to a failed connection.

Regards.

V.


Tarik Admani
VIP Alumni

Please tell us a little about your setup: is this in production and only affecting a few users, or are you in a lab environment trying to iron out your policies? That error typically means the client didn't meet an authorization condition. If a client fails a posture condition, the client's posture status changes to not compliant.

Thanks

Tarik Admani

Sent from Cisco Technical Support iPad App

Hello Tarik, thanks for answering,

This is a lab environment; I'm going to try to capture traffic to debug a little bit more.

I have the ISE, a switch and an XP workstation with McAfee 12.x (and NAC agent).

The ISE is configured to let the XP workstation come in when McAfee 12.x is installed.

Without posture assessment, the XP gets connected perfectly.

I'd like to see some log saying which condition leads to a reject.

In the meantime I will try: "monitor > report > catalog > posture"

Thank you, Tarik.

V.

Can you provide a screenshot of the authentications portion followed by the authorization rules?

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

I am a little bit upset with Cisco.

Thanks to one of your posts around, I discovered that I need both a redirection URL and an ACL to do the job.

All of this is not clearly depicted in the documentation....

I think I am close to the solution.

No problem, let me know if you are able to resolve your issue and please post what you found before and after. I am sure I and a lot of people have had the same issue you are running into before.

Thanks!

Tarik Admani
*Please rate helpful posts*

Hello Tarik (and others)

OK, my objective is to authorize a user whose workstation has McAfee 12.x installed (NAC Agent installed).

As I said previously, I do need an authorisation profile like this one:

I'm a little bit upset because it is not clearly depicted in the documentation (or hard to find).

Thankfully, you, Tarik, mentioned it on the forum somewhere.

This authorization policy works, but as you can see, the second condition is posture status = unknown.

Once the password is entered, the NAC agent reacts, and grants the user successfully!

Just take a look at the live authentication window: the status is pending first, and after a while, a "red" line is added above saying that the posture is now compliant (confirmed by the NAC agent that has been upgraded in the meantime).

Why do I need to set the posture status to unknown?

Regards.

V.

Do you want compliant devices to get the profile VLAN-10?

In your Authorization Policy it says (Tarik can correct me if I am wrong):

IF

a user from the group Users-1

AND

the device is connected to network device R1

AND

the posture status is Unknown

THEN

add device profile VLAN-10

But according to the authentication log the posture status is Compliant. So I am guessing that you are never hitting that authorization rule since the posture status is Compliant and not Unknown.

What happens if you set the third condition to Compliant instead of Unknown?

Hi Philip,

For the time being, that is the way I get it to work.

It's a bit weird, I know.

The workstation is compliant, but I need to set the condition to unknown for the NAC agent to parse the configuration and say that the AV has the right version (in that case).

The workstation is then compliant, and network access is granted!

I have to work a little more on that, but the Cisco documentation doesn't help that much.

Thank you for answering my friend.

V.

Hi,

The red error is a dynamic authorization error message. Please check the change of authorization settings on your device (if this is a wireless controller, make sure RADIUS NAC is enabled; if this is a wired device, make sure the following command is entered and the shared secret is correct):

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1073129

This boils down to ISE not being able to force the client to re-authenticate for the new compliant policy.

Thanks,

Sent from Cisco Technical Support iPad App

Hello Tarik,

Yes, the command has been in the config since the beginning.

This morning I upgraded to version 1.1.2 and applied the latest patch.

Regards.

Vincent.

Now Tarik, my question is:

What happens when a "non compliant" rule is hit (giving me a VLAN along with an ACL) and the corrective action takes place successfully?

Do I stay in the same VLAN, or does the ISE push me the result from the "compliant" rule?

Am I clear enough?

:-)

This is the live auth window:

Bottom to top:

- posture unknown

- remediation done

- disable/enable of the workstation NIC and posture now compliant.

When remediation is OK, the workstation is still under the VLAN-10 authorization profile.

V.

If you are non compliant, the NAC agent should still appear with "Re-Scan". When the user remediates or remediation is done automatically, the NAC agent should rescan and send the posture report over to ISE. ISE then flips the session over to compliant and then issues the COA to reauthorize the user.

So you should dynamically get placed on the correct VLAN, and the NAC agent should refresh your IP (if you have enabled the VLAN detect feature in the agent profile settings).

Thanks,

Tarik Admani
*Please rate helpful posts*

Hello Tarik,

Yes, it should, but it does not work....

I think that COA is only related to inline posture, isn't it?

V.

Hi,

COA is a feature used by ISE to dynamically change a user's policy within the network. The Inline node is needed in order to bridge this limitation with the ASA. Without this device you will not be able to posture users that connect through an ASA.

Essentially the flow should follow this path:

Client authenticates (authorized with limited connectivity)

Client provides posture report (endpoint changes from pending to compliant)

ISE issues COA to NAD

NAD reauthorizes the user

Client now has full connectivity.

Please check the dynamic authorization settings, you have to enter a key which is the same value as the shared secret.

Tarik Admani
*Please rate helpful posts*
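To illustrate the two-stage flow Tarik lays out above and the rule evaluation Philip walks through earlier, here is an added model written for this thread; it is not code from the thread, from the NAC agent or from Cisco ISE. It treats the policy as first-match rules on group, NAD and posture status: the session starts as Unknown, the agent's report flips it to Compliant or NonCompliant, and a CoA drives the re-authorization; rule and profile names other than Users-1, R1 and VLAN-10 are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed model of an ISE authorization policy: rules match on group, NAD and posture.
@dataclass(frozen=True)
class Rule:
    name: str
    group: str
    nad: str
    posture: str   # "Unknown", "Compliant" or "NonCompliant"
    profile: str   # authorization profile pushed when the rule matches

@dataclass
class Session:
    group: str
    nad: str
    posture: str = "Unknown"   # no posture report yet at first authentication
    profile: Optional[str] = None
    log: List[str] = field(default_factory=list)

def authorize(rules: List[Rule], s: Session) -> Optional[str]:
    """First-match evaluation; no match is the '15039 Rejected' outcome."""
    for r in rules:
        if (r.group, r.nad, r.posture) == (s.group, s.nad, s.posture):
            s.profile = r.profile
            s.log.append(f"matched {r.name} -> {r.profile}")
            return r.profile
    s.profile = None
    s.log.append("15039 Rejected per authorization profile (no rule matched)")
    return None

def run_flow(rules: List[Rule], compliant: bool = True, coa_ok: bool = True) -> Session:
    """Initial auth, posture report from the NAC agent, then CoA-triggered re-auth."""
    s = Session(group="Users-1", nad="R1")
    if authorize(rules, s) is None:
        return s   # rejected outright: the agent never gets to run
    s.posture = "Compliant" if compliant else "NonCompliant"
    s.log.append(f"posture report: {s.posture}")
    if not coa_ok:   # NAD has no dynamic-authorization client for ISE
        s.log.append("CoA failed: session keeps the initial profile")
        return s
    s.log.append("CoA accepted: NAD reauthorizes the session")
    authorize(rules, s)
    return s
# Assumed rule and profile names; only "Users-1", "R1" and "VLAN-10" come from the thread.
POLICY = [
    Rule("Posture-Unknown", "Users-1", "R1", "Unknown", "VLAN-10"),
    Rule("Posture-Compliant", "Users-1", "R1", "Compliant", "Full-Access"),
    Rule("Posture-NonCompliant", "Users-1", "R1", "NonCompliant", "Quarantine"),
]
```

Dropping the Unknown rule reproduces the original reject, and running with coa_ok=False reproduces the symptom of a session stuck on VLAN-10 after successful remediation.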