Stephen McBride
Beginner

ISE 1.1.1 Windows NAC client posture checking loop

Hi all,

Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short, I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host as compliant and granting full network access; however, about 5 seconds later it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again and 5 seconds later scans again. This behaviour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1.

All logs indicate successful compliance and no errors in terms of compliance. Any ideas would be appreciated.

Accepted Solution

Stephen, take a look at this. It looks like it is really a bug and there's nothing we can do... workaround, choose another authentication method, pathetic..

Let's wait for a patch.

CSCua79768 Bug Details

EAP Chaining + Posture lost Compliant Session:PostureStatus in reauth
Symptom:
NAC Agent appears to continually posture endpoint in a continuous loop

Conditions:
EAP-TLS Machine Authentication + Posture

- OR -

EAP-Chaining + Posture

Workaround:
Use different authentication method.


Replies
Tarik Admani
Advocate

Stephen,

Can you check to see if the reassessment might be enabled:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1919629

thanks,

Tarik Admani
*Please rate helpful posts*

I have tried with and without a PRA. Exact same issue. I have also tried the older NAC client, newer NAC client, different posture requirements all with the exact same looping result.

OK, as an update: this problem still exists for me. I have installed the previous 1.1 and run up the identical configuration in terms of authentication, authorisation, profiling, posturing and provisioning. The result is that my configuration works perfectly fine on 1.1, but with the same config on 1.1.1 posturing is severely broken. As described, no matter what I do the NAC process completes, deems the client compliant, then proceeds to check compliance again.

Your best bet is to open a TAC case to see what could be wrong with the policies and why the clients keep being re-postured. Also, if you don't mind, can you post the following debugs on the switch: "debug radius authentication". I am curious to see if there is a "session-timeout" attribute being set which is causing the switch to bounce the connection.

Also please send the running configuration of your port too.

Thanks,

Tarik Admani
*Please rate helpful posts*

Heh, I probably should have mentioned that this is over wireless using EAP-TLS or PEAP. I also have CWA running for guests. Please also note that I have two ISE deployments side by side running the exact same policies: 1.1 works fine, 1.1.1 does not. I am in contact with Cisco at present and am trying to arrange some assistance.

Sounds good. Are you running them through the same controller using different SSIDs, or are you using different controllers? Just out of curiosity, can you send me the client information for a user that just passes posture? Also, are you on the latest code for the WLC? Also, have you had a chance to run a tcpdump from the ISE monitoring tool on both ISE nodes in order to compare the RADIUS traffic between them?

Thanks,

Tarik Admani
*Please rate helpful posts*

What output are you looking for with a user that passes? Just the standard live auth output? Essentially all the users pass posture and authentication but instantly reinitiate posture discovery upon being granted full network access. I am on the latest 7.2.110 code for my 5508. Furthermore, my deployment is standalone, not distributed, due to the demonstration nature of the implementation. I am running a single SSID for EAP-TLS and PEAP, using CoA to shift VLANs and dACLs upon successful posture discovery/remediation.

I wanted to see the RADIUS Access-Accept message that is sent from the running 1.1 vs the message that is sent from 1.1.1. In the Access-Accept packet I am interested to see if there is a change in the Session-Timeout attribute. I am also curious to see if there is a CoA message being sent from the ISE 1.1.1 immediately after posture. There has to be some difference in the RADIUS dialogue for this to occur, and this will help point a finger as to where the bug lies.

Tarik Admani
*Please rate helpful posts*
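As an added example (not code from this thread or from Cisco), here is a small Python decoder for the kind of check described in the reply above: walk the RADIUS datagrams from a capture in order, name each message (Access-Accept, CoA-Request, CoA-ACK, ...), and pull the Session-Timeout value out of every Access-Accept so the 1.1 and 1.1.1 dialogues can be compared side by side. The sample dialogue at the bottom is constructed for illustration; with a real ISE tcpdump file you would read the UDP payloads with a pcap library and feed each one to `parse_radius`. The authenticator field is zeroed in the constructed packets because this example only decodes attributes and does not verify the shared secret.

```python
"""Minimal RADIUS datagram decoder (RFC 2865 / RFC 5176 packet codes) used to
compare the Access-Accept / CoA dialogue between two captures.
Example code only; the sample packets below are constructed, not captured."""
import struct
from typing import List, Optional, Tuple

# RADIUS packet codes (RFC 2865 and the CoA/Disconnect codes from RFC 5176)
CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    11: "Access-Challenge",
    40: "Disconnect-Request",
    41: "Disconnect-ACK",
    42: "Disconnect-NAK",
    43: "CoA-Request",
    44: "CoA-ACK",
    45: "CoA-NAK",
}

# Standard attribute types of interest (RFC 2865)
ATTR_USER_NAME = 1
ATTR_SESSION_TIMEOUT = 27

HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def parse_radius(packet: bytes) -> dict:
    """Decode the fixed header and the attribute list of one RADIUS datagram.
    Raises ValueError on a truncated header or a malformed attribute so that a
    damaged capture is reported instead of silently misread."""
    if len(packet) < HEADER_LEN:
        raise ValueError("RADIUS packet shorter than 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("RADIUS length field inconsistent with datagram")
    attrs: List[Tuple[int, bytes]] = []
    pos = HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, "Unknown(%d)" % code),
            "id": ident, "attrs": attrs}


def session_timeout(parsed: dict) -> Optional[int]:
    """Return the Session-Timeout value (seconds) if the packet carries one."""
    for atype, value in parsed["attrs"]:
        if atype == ATTR_SESSION_TIMEOUT and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


def summarize(packets: List[bytes]) -> List[dict]:
    """Walk datagrams in capture order and return a one-row summary per packet."""
    rows = []
    for pkt in packets:
        p = parse_radius(pkt)
        rows.append({"name": p["name"], "id": p["id"],
                     "session_timeout": session_timeout(p)})
    return rows


def accept_timeouts(summary: List[dict]) -> List[Optional[int]]:
    """Session-Timeout of each Access-Accept, in order. Comparing this list
    between the working and the failing capture is the check of interest."""
    return [r["session_timeout"] for r in summary if r["name"] == "Access-Accept"]


def build(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Build a RADIUS datagram for the constructed sample (authenticator zeroed)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + b"\x00" * 16 + body


# Constructed sample dialogue: initial Access-Accept, CoA after posture, CoA-ACK,
# then the post-CoA re-authentication Access-Accept carrying a much shorter timeout.
SAMPLE = [
    build(2, 7, [(ATTR_USER_NAME, b"demo-host"), (ATTR_SESSION_TIMEOUT, struct.pack("!I", 3600))]),
    build(43, 8, [(ATTR_USER_NAME, b"demo-host")]),
    build(44, 8, []),
    build(2, 9, [(ATTR_USER_NAME, b"demo-host"), (ATTR_SESSION_TIMEOUT, struct.pack("!I", 5))]),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
    print("Access-Accept Session-Timeouts:", accept_timeouts(summarize(SAMPLE)))
```

Run the same summary over the packets from both ISE nodes and diff the two lists: a Session-Timeout that drops to a few seconds in the Access-Accept that follows the CoA, or a CoA that appears only in one capture, is exactly the kind of difference the reply above is asking to look for.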

Sorry, not entirely sure what exact dump to provide and where to retrieve it from; as you know there are a tonne of logs associated with the process.

Sure, no problem. ISE has a built-in tcpdump utility in the GUI. Once you get done reproducing the issue you can stop the capture (using raw .... format), then download it and open it in Wireshark. Please post the results from both boxes after you reproduce the issue on both the working 1.1 and the not-working 1.1.1. Also, you can enter the filter at the bottom as 'ip host x.x.x.x', where x.x.x.x is the IP address the WLC uses to source the RADIUS requests.

http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_mnt.html#wp1240485

Tarik Admani
*Please rate helpful posts*

Please find attached.

The difference I can see is the Access-Accept after the CoA (line 46 for Fail, line 20 for Success). The live authentication log confirms that the host is compliant in both tests, and the NAC client indicates it is refreshing the IP address on CoA. It is almost as if the 1.1.1 ISE does not match on the correct authorization after the CoA. When looking at these logs, bear in mind that the configurations are identical.

Stephen,

I see that also and that is what I wanted to confirm in the packet capture. I wanted to know a few things:

  • on the 1.1.1 unit has it been updated to the perfigo servers? (I assume it has if you are able to deploy the agent and perform the checks but figured I would ask anyways)
  • since the status is set to confirm can you compare the two posture reports (when you click on compliant it should take you to the posture report)
  • The authorization policy that you have configured for compliant machines, can you please remove it and then readd it and see if that fixes the issue?

Here is the reference for the following:

Having the ise node perform the updates - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1093078

Here is where you can pull the posture report from both machines - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1919498

Hope this helps!

Tarik Admani
*Please rate helpful posts*

  • Not sure what the perfigo servers are; however, it was able to download all of the resources required for this configuration. 1.1.1 is currently configured with the following: https://www.cisco.com/web/secure/pmbu/provisioning-update.xml
  • The two posture reports are identical and compliant. My basic check for file and AV installation was successful.
  • I have deleted the policy and re-added it with no change whatsoever.

I will also clarify that my deployments are standalone, but this should not matter. Another observation I can add is that on 1.1.1, when the posture process appears to be successful and the CoA is apparently occurring, the NAC agent displays the text that the window will close in 30 seconds or click this box to close. When I click the box the window will not close. I am using the same NAC client on both deployments with the same profile and compliance modules.

Did you remove the agent from this machine and have the 1.1.1 install the agent? Also, is the compliant rule that you need to match configured properly? How did you set the condition for the redirection? Does the rule specify "NOT compliant" and the permit-all rule specify "compliant"?

If that all checks out and still no luck I would try to reload the unit and see if that will straighten things out.

thanks,

Tarik Admani
*Please rate helpful posts*
