07-18-2012 07:54 PM - edited 03-10-2019 07:19 PM
Hi all,
Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short, I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host as compliant and granting full network access; however, about 5 seconds later it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again and 5 seconds later scans again. This behaviour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1.
All logs indicate successful compliance and no errors in terms of compliance. Any ideas would be appreciated.
08-27-2012 04:45 PM
Stephen, take a look at this. It looks like it is really a bug and there's nothing we can do... workaround, choose another authentication method, pathetic..
Let's wait for a patch.
CSCua79768 Bug Details
EAP Chaining + Posture lost Compliant Session:PostureStatus in reauth
Symptom: NAC Agent appears to continually posture endpoint in a continuous loop
Conditions: EAP-TLS Machine Authentication + Posture - OR - EAP-Chaining + Posture
Workaround: Use different authentication method.
07-18-2012 08:05 PM
Stephen,
Can you check to see if the reassessment might be enabled:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1919629
thanks,
Tarik Admani
*Please rate helpful posts*
07-18-2012 08:55 PM
I have tried with and without a PRA. Exact same issue. I have also tried the older NAC client, newer NAC client, different posture requirements all with the exact same looping result.
07-30-2012 08:48 PM
OK, as an update: this problem still exists for me. I have installed the previous 1.1 and run up the identical configuration in terms of authentication, authorisation, profiling, posturing and provisioning. The results are that my configuration works perfectly fine on 1.1, but with the same config on 1.1.1 posturing is severely broken. As described, no matter what I do the NAC process completes, deems the client compliant, then proceeds to check compliance again.
07-30-2012 08:56 PM
Your best bet is to open a TAC case to see what could be wrong with the policies and why the clients keep being re-postured. Also, if you don't mind, can you post the following debugs from the switch: "debug radius authentication". I am curious to see if there is a "session-timeout" attribute being set which is causing the switch to bounce the connection.
Also please send the running configuration of your port too.
Thanks,
Tarik Admani
*Please rate helpful posts*
07-30-2012 09:57 PM
Heh, I probably should have mentioned that this is over wireless using EAP-TLS or PEAP. I also have CWA running for guests. Please also note that I have two ISE deployments side by side running the exact same policies - 1.1 works fine 1.1.1 does not. I am in contact with Cisco at present and am trying to arrange some assistance.
07-30-2012 10:30 PM
Sounds good. Are you running them through the same controller using different SSIDs, or are you using different controllers? Just out of curiosity, can you send me the client information for a user that just passes posture? Also, are you on the latest code for the WLC? And have you had a chance to run a tcpdump from the ISE monitoring tool on both ISE nodes in order to compare the RADIUS traffic between them?
Thanks,
Tarik Admani
*Please rate helpful posts*
07-30-2012 10:35 PM
What output are you looking for with a user that passes - just the standard live auth output? Essentially all the users pass posture and authentication but instantly reinitiate posture discovery upon being granted full network access. I am on the latest 7.2.110 code for my 5508. Furthermore, my deployment is standalone, not distributed, due to the demonstration nature of the implementation. I am running a single SSID for EAP-TLS and PEAP using CoA to shift VLANs and dACLs upon successful posture discovery/remediation.
07-30-2012 10:39 PM
I wanted to see the RADIUS Access-Accept message that is sent from the running 1.1 vs the message that is sent from 1.1.1. In the Access-Accept packet I am interested to see if there is a change in the session-timeout attribute. I am also curious to see if there is a CoA message being sent from the ISE 1.1.1 immediately after posture. There has to be some difference in the RADIUS dialogue for this to occur, and this will help point a finger as to where the bug lies.
Tarik Admani
*Please rate helpful posts*
07-30-2012 10:55 PM
Sorry, not entirely sure what exact dump to provide and where to retrieve it from - as you know there are a tonne of logs associated with the process.
07-30-2012 10:58 PM
Sure, no problem. ISE has a built-in tcpdump utility in the GUI. Once you get done reproducing the issue you can stop the capture (using raw .... format), then you can download it and open it in Wireshark. Please post the results from both boxes after you reproduce the issue on both the working 1.1 and the not-working 1.1.1. Also, you can enter the filter at the bottom as 'ip host x.x.x.x', where x.x.x.x is the IP address the WLC uses to source the RADIUS requests.
http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_mnt.html#wp1240485
Tarik Admani
*Please rate helpful posts*
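The comparison Tarik is asking for (Access-Accept contents before and after the CoA, in particular whether a Session-Timeout appears) can be scripted once the tcpdump is downloaded. The block below is an added example, not code from this thread or from Cisco: a minimal RADIUS attribute decoder (RFC 2865 header, attribute 27 Session-Timeout, attribute 26 VSA with Cisco vendor id 9 / Cisco-AVPair type 1) run over constructed packets; the AV pair text "posture-status=Compliant" and the 5-second timeout are constructed sample values, not real ISE output.

```python
import struct
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
SESSION_TIMEOUT = 27      # RFC 2865 attribute 27, 4-byte integer (seconds)
VENDOR_SPECIFIC = 26      # attribute 26: vendor id + vendor sub-attribute
CISCO_VENDOR_ID = 9       # Cisco-AVPair is Cisco vendor type 1

def parse_radius(pkt: bytes) -> dict:
    """Decode code, identifier and (type, value) attributes; VSAs become (vendor, vtype, data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20          # skip 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            value = (vendor, value[4], value[6:4 + value[5]])
        attrs.append((atype, value))
        pos += alen
    return {"code": RADIUS_CODES.get(code, str(code)), "id": ident, "attrs": attrs}

def summarize(pkt: bytes) -> dict:
    """Fields worth comparing between captures: code, Session-Timeout, Cisco AV pairs."""
    p = parse_radius(pkt)
    out = {"code": p["code"], "session_timeout": None, "avpairs": []}
    for atype, value in p["attrs"]:
        if atype == SESSION_TIMEOUT:
            out["session_timeout"] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and value[0] == CISCO_VENDOR_ID and value[1] == 1:
            out["avpairs"].append(value[2].decode())
    return out

def compare(working: bytes, failing: bytes) -> dict:
    """Differences between two packets, e.g. the 1.1 vs 1.1.1 Access-Accept after CoA."""
    a, b = summarize(working), summarize(failing)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
def build(code: int, ident: int, attrs) -> bytes:
    # Assemble a packet from (type, value) pairs; authenticator zeroed (constructed sample only)
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body
def cisco_avpair(text: str) -> bytes:
    v = text.encode()
    return struct.pack("!I", CISCO_VENDOR_ID) + bytes([1, 2 + len(v)]) + v
AVP = cisco_avpair("posture-status=Compliant")   # constructed sample AV pair, not a real ISE value
SAMPLE_OK = build(2, 7, [(VENDOR_SPECIFIC, AVP)])              # constructed "working" accept
SAMPLE_LOOP = build(2, 8, [(SESSION_TIMEOUT, struct.pack("!I", 5)), (VENDOR_SPECIFIC, AVP)])  # + 5 s timeout
```

To use it on the real captures, read each RADIUS UDP payload out of the pcap (Wireshark export or any pcap library) and feed the bytes to compare().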
07-31-2012 09:56 PM
Please find attached.
The difference I can see is the Access-Accept after the CoA (line 46 for Fail, line 20 for Success). The live authentication log confirms that the host is compliant in both tests, and the NAC client indicates it is refreshing the IP address on CoA. It is almost as if the 1.1.1 ISE does not match on the correct authorization after the CoA. When looking at these logs, bear in mind that the configurations are identical.
07-31-2012 10:18 PM
Stephen,
I see that also and that is what I wanted to confirm in the packet capture. I wanted to know a few things:
Here is the reference for the following:
Having the ise node perform the updates - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1093078
Here is where you can pull the posture report from both machines - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1919498
Hope this helps!
Tarik Admani
*Please rate helpful posts*
07-31-2012 10:35 PM
I will also clarify that my deployments are standalone, but this should not matter. Another observation I can add is that on 1.1.1, when the posture process appears to be successful and the CoA is apparently occurring, the NAC agent displays the text that the window will close in 30 seconds or click this box to close. When I click the box the window will not close. I am using the same NAC client on both deployments with the same profile and compliance modules.
07-31-2012 10:43 PM
Did you remove the agent from this machine and have the 1.1.1 install the agent? Also, is the compliant rule that you need to match configured properly? How did you set the condition for the redirection? Does the rule specify "NOT compliant" and the permit-all rule specify "compliant"?
If that all checks out and still no luck I would try to reload the unit and see if that will straighten things out.
thanks,
Tarik Admani
*Please rate helpful posts*