07-18-2012 07:54 PM - edited 03-10-2019 07:19 PM
Hi all,
Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short, I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host as compliant and granting full network access; however, about 5 seconds later it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again and 5 seconds later scans again. This behaviour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1.
All logs indicate successful compliance and no errors in terms of compliance. Any ideas would be appreciated.
07-31-2012 11:01 PM
Agent has been removed and installed numerous times. The compliance rules work perfectly on 1.1. My compliant rule is matching a certificate subject and equals compliant. My non-compliant provisioning rule matches the same certificate and equals not compliant. Put simply, I am very confident in my configuration, having spent the past 5-6 weeks straight working on this product, and the fact that the identical config on 1.1 does not present the issue. Unit has been rebooted many times and has also been rebuilt from scratch on a fresh VM.
Thanks for your assistance and suggestions on this task. I would understand completely if you give up on this one until a patch or new build is released. I am utilising 1.1 as it is more stable than 1.1.1 - but only just.
07-31-2012 11:06 PM
Check your private messages.
Sent from Cisco Technical Support iPad App
07-31-2012 11:21 PM
PM received and replied to. I have also tested the compliant policy with the equal compliant removed; the client matches the policy and connects successfully. It is definitely posture/CoA related.
08-17-2012 12:34 PM
Hi, is that problem solved? I have the same problem, but it only happens with EAP-TLS; the same configuration using PEAP works fine. Any suggestions?
08-19-2012 03:39 PM
Last week I tested on a number of machines and had the same issue, yet at the same time other machines would work fine. I have no exact reason for what is wrong with those builds that don't work, but essentially it appears to be incompatibility. I have many issues related to client provisioning and posture with ISE in general, mainly on mobile devices; for me, deploying posture-related services, especially on wireless, is at your own risk.
08-20-2012 12:08 PM
One thing I noticed is that it only happens with EAP-TLS; I changed to PEAP and everything works fine. Can you try to use PEAP on the same machine where NAC loops to see what happens?
08-20-2012 08:21 PM
Eduardo,AP-
I have conducted some tests and so far my results match with yours. I am having the loop issue with EAP-TLS only. The way my policies are structured means that both PEAP and EAP-TLS utilise the same authentication rules but different authorization rules. PEAP works every time, while TLS appears to work, then loops.
08-27-2012 04:45 PM
Stephen, take a look at this; it looks like it is really a bug and there's nothing we can do. Workaround: choose another authentication method. Pathetic..
Let's wait for a patch.
CSCua79768 Bug Details
EAP Chaining + Posture lost Compliant Session:PostureStatus in reauth
Symptom: NAC Agent appears to continually posture endpoint in a continuous loop
Conditions: EAP-TLS Machine Authentication + Posture - OR - EAP-Chaining + Posture
Workaround: Use different authentication method.
08-27-2012 06:07 PM
Where did you find the bug listing, out of interest? I searched and searched but never found it. Either way, it was apparent it was a bug; shame there is no fix for such a critical aspect of this technology. I have a similar looping issue for CWA guest auth on mobile devices that seems totally busted. Same policies work fine for a Windows machine, just not mobiles. Never mind though, thanks a lot for the bug listing.
08-27-2012 06:35 PM
Stephen, you can search the Cisco Bug Toolkit.
One thing I noticed: when you have one authorization policy for those who authenticate machine and user and then get compliant status, if you don't authenticate the machine but authenticate the user and get compliant, the NAC agent loops the same way. I tried to use AnyConnect for 802.1X, but there is a long delay for machine authentication; if the user logs off and then logs on, you probably will not have the time to authenticate the machine. The Windows supplicant is fine..
Remember please to post if you find a solution for the CWA. I'm not using ISE for wireless, but I don't know about the future..
08-27-2012 06:42 PM
08-31-2012 08:41 AM
Hi Steve,
It would appear that I am now experiencing the same issue as yourself...
Security Method: EAP-PEAP(MsChapV2)
Encryption: WPA2
Machine & User Auth (with MAR)
Posture: AV & AS
Agent: 4.9.0.42
ISE 1.1.1
Clients: Windows XP SP3
We found when we set up the appliance and tested using 2 manually configured test laptops all was working fine (machauth > clientauth > preposture > permit access). However, now that the policy has been rolled out through GPO, certain client machines are running infinite posture validations despite coming through on the ISE as compliant.
The clients will connect, machine auth, user auth and then enter posture-remediation. The NAC agent runs, grants full network access and then does this process repeatedly.
Did you have any luck resolving yours or is it still an issue?
Cheers,
Nick
09-03-2012 06:39 PM
It is interesting that your issue is occurring on PEAP. My issue revolved purely around EAP-TLS; further up this post there is a Cisco bug pertaining to EAP-TLS and posture loop. My other issue with BYOD CWA, which is similar but different, is also covered under a bug. Without the benefit of your exact configs I am unable to suggest whether it is a bug or a config issue. As stated, however, my issue is solely with EAP-TLS. One test I used a lot with these things was utilising the web agent instead of the NAC agent. Some of my issues were related to the NAC agent software, not so much the ISE itself.
On another note, it is worth mentioning that I have overall experienced a fair bit of randomness in both performance and actual functionality. My latest issue was to do with the NAC agent updating the signatures/policy. I have also encountered a number of issues that were related to the host devices, where one would work and another wouldn't. For example, I had an issue with CoA VLAN changes where the Windows/Intel native supplicant is unable to release an IP address; I had to use the Cisco agent instead.
09-04-2012 05:21 AM
Cheers for the response, I must have misread above.
I have also noticed some strange issues whereby certain clients react differently to others. For instance, I've seen a client perform posture having only done machine authentication when it should be both, a client stuck in a posture loop where it runs over and over despite being compliant and full access granted, and lastly I've seen a perfect run whereby the machine auths, the user auths, posture runs and is then compliant prior to full network access.
I'm leaning toward a client machine / XP problem at the moment. Not had to deploy BYOD yet, but we're using the central webauth for 2 WLANs and had good results.
09-07-2012 12:08 AM
Hey Stephen
I have exactly the same problem as you. As soon as I upgraded to 1.1.1 the looping started when I was authenticating with EAP-TLS, when I migrated back to PEAP the issue went away.
CISCO: Can we please get an official response from Cisco on this bug? It's kind of a big deal for my current customers running ISE 1.1.0 as they are keen to leverage SCEP for BYOD. Also, my new deployments for 1.1.1 are now in jeopardy as the majority of my client base don't want PEAP if they are installing 802.1X. This needs to be actioned ASAP.
Regards
Dale