
ISE 2.0 NAC agent stuck in loop

deyster94
Level 5

I am doing a greenfield install of ISE 2.0 for a client.  Using EAP-TLS for machine and user auth, but the client wants posture assessment as well.  I can get the laptop to install the NAC agent.  I only have the NAC agent installing on the unknown device and not checking for anything.  This was to be sure it would install and then move from unknown to compliant.  However, this isn't working.  The laptop doesn't go back through authorization to the compliant AuthZ policy.  

Any ideas on what would be causing this issue?  Let me know what other information you need.  

I am using NAC agent 4.9.0.52.  I did have the newest one running 4.9.5.10 and was trying other options.

TIA,

-Dan

2 Replies

jj27
Spotlight

I would recommend against using the NAC agent if at all possible and use the AnyConnect ISE Posture module. You do need an AnyConnect Apex license per user, but there is no check on ISE for it, just to be legit with Cisco auditing purposes.

Is this wired or wireless? Is the NAC agent popping at all? 

The client didn't buy the AnyConnect license, so I can't use it for this deployment.  We are going to talk to them about it as they are using MAR, which is a pain point as well.

As for the issue, the NAC agent does pop up and confirms the endpoint passes all the security checks.  It just doesn't allow it to go back through the authorization policies to hit the one for compliant. 

I have a TAC case open and we are doing a webex this morning to hopefully get this resolved.