ISE 1.2.0 - Issue with Posture
08-28-2014 12:27 AM - edited 03-10-2019 09:58 PM
Hi Experts,
I installed ISE 1.2.0.899 Patch 3. While testing, we found the below.
1) Authentication Succeeded
2) Redirection to NAC Agent Page is happening
3) NAC Version 4.9.4.3 (latest) is getting downloaded.
4) Status in ISE is shown as 'Pending' and stays the same.
I even tried changing the NAC agent version to 4.9.0.42, but it stays stuck in Pending status.
Is there any solution for this? Do I need to apply a patch or version?
Thanks in advance.
Labels: AAA

08-28-2014 01:04 AM
Symptom:
The NAC Agent gets stuck in a posture loop. The sequence of events seen for the agent is:
1) An authentication entry is seen for the host and posture is set to pending.
2) A CoA is sent for the host with the posture status matching the globally set default posture status.
3) An authentication is again seen for the host with the posture status set to pending.
Conditions:
ISE 1.2.0.899
An application is installed on the end host that sends an HTTP or HTTPS packet with an unknown user-agent.
Posture is configured and in use.
Known Affected Releases: | (1) |
Known Fixed Releases: | (2) |
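
The loop described in the Symptom above can be spotted from authentication and CoA records. The following is an added example, not part of the original post and not Cisco code; the record layout, MAC addresses and the find_posture_loops name are constructed for illustration and are not ISE's actual log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, endpoint MAC, event type, posture status).
# This simplified layout is an assumption, not ISE's real log format.
SAMPLE_EVENTS = [
    ("2014-08-28 00:10:00", "AA:BB:CC:00:00:01", "auth", "Pending"),
    ("2014-08-28 00:10:05", "AA:BB:CC:00:00:01", "coa", "NonCompliant"),
    ("2014-08-28 00:10:09", "AA:BB:CC:00:00:01", "auth", "Pending"),
    ("2014-08-28 00:10:14", "AA:BB:CC:00:00:01", "coa", "NonCompliant"),
    ("2014-08-28 00:10:18", "AA:BB:CC:00:00:01", "auth", "Pending"),
    ("2014-08-28 00:11:00", "AA:BB:CC:00:00:02", "auth", "Pending"),
    ("2014-08-28 00:11:30", "AA:BB:CC:00:00:02", "coa", "Compliant"),
    ("2014-08-28 00:11:34", "AA:BB:CC:00:00:02", "auth", "Compliant"),
]

def find_posture_loops(events, min_cycles=2, window=timedelta(minutes=5)):
    """Return {mac: cycles} for endpoints that repeat
    auth(Pending) -> CoA -> auth(Pending) at least min_cycles times within window."""
    per_host = defaultdict(list)
    for ts, mac, kind, status in events:
        per_host[mac].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, status))
    loops = {}
    for mac, rows in per_host.items():
        rows.sort()
        cycle_times = []   # time of each auth that landed back in Pending after a CoA
        state = "start"    # start -> pending -> coa -> pending again (one cycle)
        for ts, kind, status in rows:
            if kind == "auth" and status == "Pending":
                if state == "coa":
                    cycle_times.append(ts)
                state = "pending"
            elif kind == "coa" and state == "pending":
                state = "coa"
            else:
                state = "start"  # posture resolved or sequence broken
        # Largest number of cycles that fall inside one sliding window.
        best = 0
        for i, t0 in enumerate(cycle_times):
            best = max(best, sum(1 for t in cycle_times[i:] if t - t0 <= window))
        if best >= min_cycles:
            loops[mac] = best
    return loops

if __name__ == "__main__":
    for mac, cycles in find_posture_loops(SAMPLE_EVENTS).items():
        print(f"{mac}: {cycles} pending/CoA/pending cycles, possible posture loop")
```

An endpoint that reaches a non-pending status after the CoA, like the second constructed host, is not reported.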
08-28-2014 02:43 AM
Thank you so much for the response.
Now I am planning to upgrade it to 1.2.1 from 1.2.0.899. Can you please help me with how to upgrade and what the procedure is?

08-28-2014 03:43 AM
Instructions for Upgrading to Cisco ISE, Release 1.2.1
You can upgrade to Cisco ISE, Release 1.2.1 directly from any of the following releases:
- Cisco ISE, Release 1.1.0.665 with patch 5 or later
- Cisco ISE, Release 1.1.1.268 with patch 7 or later
- Cisco ISE, Release 1.1.2 with patch 10 or later
- Cisco ISE, Release 1.1.3 with patch 11 or later
- Cisco ISE, Release 1.1.4 with patch 11 or later
- Cisco ISE, Release 1.2.0.899 with patch 8 or later
The process for upgrading to Release 1.2.1 is the same as upgrading to Release 1.2. The system reboots twice when you upgrade from Release 1.1.x to 1.2.1 because it involves a 32-bit to 64-bit system upgrade, but only once when you upgrade from Release 1.2.x to 1.2.1 because Release 1.2 is a 64-bit system.
The application upgrade command is enhanced and includes the cleanup, prepare, and proceed options. You can use:
- Prepare—To download and extract an upgrade bundle locally. You can use this command followed by the application upgrade proceed command.
- Proceed—To upgrade Cisco ISE using the upgrade bundle you extracted with the prepare option. You can use this option after preparing an upgrade bundle instead of using the application upgrade ise-upgradebundle-1.2-to-1.2.1.xxx.i386.tar.gz remote-repository command.
  - If upgrade is successful, this option removes the upgrade bundle.
  - If upgrade fails for any reason, this option retains the upgrade bundle.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/upgrade_guide/b_ise_upgrade_guide/b_ise_upgrade_guide_chapter_01.html#reference_4FF9C8C761A0456E8A94A7B307A603F5
09-08-2014 12:29 AM
Thanks for the response. I upgraded them now.
My doubt is: should AD be integrated with the Admin node or the PSNs?
09-08-2014 09:41 AM
If I'm understanding your question correctly... The PSNs get their database from the admin node. So AD would integrate with the admin node.
09-09-2014 03:53 AM
Thank you so much Mr. Michael.
I have integrated with the Primary Admin Node and also the PSN. But I was able to retrieve groups only on Admin. As you say, the PSN gets its DB from Admin, so it won't be a problem, I think :) Thank you....
10-06-2014 03:39 AM
Hi Mohan,
I have done the upgrade of ISE to 1.2.1 but I am still facing the same error :(
09-08-2014 09:44 AM
A couple of things...
1. On the switch where the PC is plugged in, while it is in pending state, enter the command "clear authentication session interface <x/x>"
Does it then launch the NAC agent?
2. Are your redirect ACLs properly configured?
3. Are DNS and the PSN allowed in the preauth and pre-posture ACL?
4. Are you doing machine auth or just user?
5. What switch code are you using?
