cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7854
Views
10
Helpful
33
Replies

ISE 1.1.1 Windows NAC client posture checking loop

Stephen McBride
Level 1
Level 1

Hi all,

Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host as compliant and granting full network access however about 5 seconds later it it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again and 5 seconds later scans again. This behaivour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1.

All logs indicate successful compliance and no errors in terms of compliance. ANy ideas would be appreciated.

33 Replies 33

Agent has been removed and installed numerous times. The compliance rules work perfect on 1.1. My compliant rule is matching a certificate subject and equals compliant. My non compilant provisioning rule matches the same certificate and equals not compliant. Put simply I am very confident in my configuration having spent the past 5-6 weeks straight working on this product and the fact that the identical config on 1.1 does not present the issue. Unit has been rebooted many times and has also been rebuilt from scratch on a fresh vm.

Thanks for your assistance and suggestions on this task. I would understand completely if you give up on this one until a patch or new build is released. I am utilising 1.1 as it is more stable than 1.1.1 - but only just.

Check your private messages.

Sent from Cisco Technical Support iPad App

PM received and replied to. I have also tested the compliant policy with the equal compliant removed - the client matches the policy and connects successfully. It is definately posture/CoA related.

hi , is that problem solved ?, i have the same problem , but it only happens with eap tls , the same configuration , but using peap , works fine , any sugestions?

Last week I tested on a number of machines and had the same issue yet at the same time other machines would work fine. I have no exact reason what is wrong with those builds that don't work but essentially it appears to be incompatibility. I have many issues related to client provisioning and posture with ISE in general mainly on mobile devices - for me deploying posture related services especially on wireless is at your own risk.

one thing i noticed is that only happens with eap tls , i change for peap and everything works fime , ...can you try to use peap in the same machine that nac loops to seee what happens?

Eduardo,AP-

I have conducted some tests and so far my results match with yours. I am having the loop issue with EAP-TLS only. The way my policies are structured means that both PEAP and EAP-TLS utilise the same Authentication rules but different authorization rules. PEAP works every time while TLS appears to work then loops.

Stephen , take a look at this , it looks like is really a bug and there s nothing we can do ...workaround , chose another authen method , pathetic..

lets wait for a patch

CSCua79768            Bug Details

EAP Chaining + Posture lost Compliant Session:PostureStatus in reauth
Symptom:
NAC Agent appears to continually posture endpoint in a continuous loop


Conditions:
EAP-TLS Machine Authentication + Posture

- OR -

EAP-Chaining + Posture

Workaround:
Use different authentication method.

Where did you find the bug listing out of interest, I searched and searched but never found it. Either way it was apparent it was a bug, shame there is no fix for such a critical aspect of this technology. I have a similar looping issue for CWA guest auth on mobile devices that seems totally busted. Same policies work fine for a windows machine just not mobiles. Never mind though thanks a lot for the bug listing.

Stephen , you can search for Cisco bug toolkit ,

one thing i notice , when you have one autho policy for those who authenticates machine and user and then get compliant status , if you dont authenticate machine , but authenticate user and gets the compliant , nac agent loops same way , i tried to use anyconnect for 802.1x but there a long delay for mach authentication  , if the users log off and then log on , you probably will not have the time to authenticate machine. windows supplicant is fine..

remember please to post if you find a solution for the CWA , im not using ISE for wireless , but i dont know about the future ..

n.lavender
Level 1
Level 1

Hi Steve,

It would appear that I am now experiencing the same issue as yourself...

Security Method: EAP-PEAP(MsChapV2)

Encryption: WPA2

Machine & User Auth (with MAR)

Posture: AV & AS

Agent: 4.9.0.42

ISE 1.1.1

Clients: Windows XP SP3

We found when we setup the appliance and tested using 2 manually configured test laptops all was working fine (machauth > clientauth > preposture> permit access). However, now the policy has been rolled out through GPO certain client machines are running infinite posture validations despite coming through on the ISE as compliant.

The clients will connect, machine auth, user auth and then enter posture-remediation. The nac agent runs, grants full network access and then does this process repeatedly.

Did you have any luck resolving yours or is it still an issue?

Cheers,

Nick

It is interesting that your issue is occurring on PEAP. My issue revolved purely around EAP-TLS further up this post there is a Cisco bug pertaing to EAP-TLS and posture loop. My other issue with BYOD CWA, which is similar but different, is also covered under a bug. Without the benefit of your exact configs I am unable to suggest whether it is a bug or a config issue. As stated however my issue is soley with EAP-TLS. One test I used a lot with these things was utilising the webagent instead of the nac agent. Some of my issues were related to the NAC agent software not so much the ISE itself.

On another note it is worth mentioning that I have over all experienced a fair bit of randomness in both performance and actual functionality. My latest issue was to do with the nac agent updating the signatures/policy I have also encountered a number of issues that were related to the host devices where one would work and another wouldn't. FOr example I had an issue with CoA vlan changes where the windows/intel native supplicant is unable to release an IP address- I had to use the Cisco agent instead.

Cheers for the response, I must have misread above.

I have also notived some strange issues whereby certain clients react differently to others. For instance, i've seen a client perform posture having only done machine authentication when it should be both, a client stuck in posture loop where it runs over and over despite being compliant and full access granted and lastly i've seen a perfect run whereby the machine auths, the user auths, posture runs and is then compliant prior to full network access.

I'm leaning toward a client machine / xp problem at the moment. Not had to deploy BYOD yet but we're using the central webauth for 2 wlans and had good results.

Hey Stephen

I have exactly the same problem as you. As soon as I upgraded to 1.1.1 the looping started when I was authenticating with EAP-TLS, when I migrated back to PEAP the issue went away.

CISCO: Can we please get an offical response from Cisco on this bug, its kind of a big deal for my currect customers running ISE 1.1.0 as they are keen leverage SCEP for BYOD. Also my new deployments for 1.1.1 are now in jepody as majority of my client base dont want peap if they are installing 802.1x. This needs to be actioned asap.

Regards

Dale