03-28-2013 12:10 PM - edited 03-10-2019 08:14 PM
Hello all,
I am wondering how a wired dot1x client can get the NAC agent downloaded for its very first connection from ISE ?
Should the Agent be installed before the first connection ?
I have set up ISE 1.1.3 for provisioning (files have been downloaded from the Cisco website) (upgrade mandatory)
I have an AuthZ rule for a correct posture assessment
and
another AuthZ rule for an unknown posture assessment that triggers a posture remediation (file download)
(in that order)
NAC agent is properly configured (FQDN...), the users gets and nothing happens!
no NAC upgrade
no NAC assessment.
Any idea ?
Does it take a while for the new agent to be downloaded ?
Best regards.
V.
03-29-2013 10:20 AM
NAC Agent never pops up, switch is properly configured. Redirect URL and ACL seen in "sh authen sess interface"
posture status is pending and nothing more happens
Any idea ?
V.
04-10-2013 11:08 AM
In order to troubleshoot the NAC agent problem, we need to check a couple of things, like:
1.) Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.)
2.) Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports:
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
3.) If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
4.) Ensure that the default gateway is reachable from the client machine.
As per your confirmation, I am going to close the case for this specific inquiry. We strive to provide you with excellent service. Please feel free to reach out to me or any member of the SAC team if we can be of any further assistance or if you have any other related questions in the future. We value your input and look forward to serving you moving forward.
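Check 2 in the reply above can be tested offline against a copy of the limited-access ACL. The script below is an added example, not part of the original reply or of any Cisco tool; it evaluates the ACL top-down (first match wins, implicit deny at the end) and reports which Swiss protocols on port 8905 would not reach ISE. It assumes entries of the form shown in the reply (`any`, `host A` or `A WILDCARD` addresses, optional destination `eq` port); the function names and the client address are hypothetical.

```python
import ipaddress

# Constructed sample: the ACL quoted in the reply, forum-style notes included.
SAMPLE_ACL = """\
permit tcp any host 80.0.80.2 eq 8905 --> posture (Swiss)
permit udp any host 80.0.80.2 eq 8905 --> posture (Swiss)
deny ip any any
"""

def _take_addr(tok):
    """Consume one address spec from the front of the token list."""
    head = tok.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    # "A WILDCARD" form; only contiguous wildcard masks are supported here.
    return ipaddress.ip_network(f"{head}/{tok.pop(0)}", strict=False)

def parse_acl(text):
    """Return (action, proto, src_net, dst_net, dst_port) tuples in ACL order."""
    rules = []
    for line in text.splitlines():
        tok = line.split("-->")[0].split()      # drop the trailing note
        if not tok or tok[0] not in ("permit", "deny"):
            continue                            # remarks, blank or wrapped lines
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _take_addr(tok), _take_addr(tok)
        port = int(tok[1]) if len(tok) >= 2 and tok[0] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules

def first_match(rules, proto, src_ip, dst_ip, dport):
    """Action of the first entry that matches the packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto in ("ip", proto) and src in r_src and dst in r_dst \
                and r_port in (None, dport):
            return action
    return "deny"                               # implicit deny ends every ACL

def swiss_blocked(acl_text, ise_ip, client_ip="192.0.2.10", port=8905):
    """Protocols (tcp/udp) on the Swiss port that the ACL does not permit to ISE."""
    rules = parse_acl(acl_text)
    return [p for p in ("tcp", "udp")
            if first_match(rules, p, client_ip, ise_ip, port) != "permit"]

if __name__ == "__main__":
    print(swiss_blocked(SAMPLE_ACL, "80.0.80.2") or "Swiss tcp/udp 8905 permitted")
```

An empty list means both TCP and UDP 8905 reach the ISE address; a non-empty list names the protocol that an earlier deny, a wrong host address, or a missing entry is blocking.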