
ISE 2.3 and NAC Agent issue

omidkatouzian
Level 1

I have Cisco ISE version 2.3 and I installed the NAC Agent on the clients. On the clients I want to deploy a posture scenario. My clients are authenticated by wired dot1x (AD user and computer). When the client provisioning scenario runs with the NAC Agent, it seems ISE cannot find the NAC Agent that is installed on the machine, because it triggers an unknown compliance posture policy set. On the client side, the NAC Agent pops up certificate alarms continuously (more than two times) and it cannot trigger after the posture policy set. Below is my dACL for the client provisioning state, after the user and machine are authenticated by dot1x.

deny tcp any host <ip-telephony-ip-address> eq 23
deny tcp any host <ip-telephony-ip-address> eq 23
deny tcp any host <ip-telephony-ip-address> eq 22
deny tcp any host <ip-telephony-ip-address> eq 22
deny tcp any host <ip-telephony-ip-address> eq www
deny tcp any host <ip-telephony-ip-address> eq www
deny tcp any host <ip-telephony-ip-address> eq 443
deny tcp any host <ip-telephony-ip-address> eq 443
permit tcp any host <DC-DNS-ip-address> eq 88
permit udp any host <DC-DNS-ip-address> eq 88
permit tcp any host <DC-DNS-ip-address> eq 389
permit tcp any host <DC-DNS-ip-address> eq 636
permit ip any host <ip-telephony-ip-address>
permit udp any host <ISE-ip> eq 8905
permit tcp any host <ISE-ip> eq 8905
permit tcp any host <ISE-ip> eq 8909
permit udp any host <ISE-ip> eq 8909
permit tcp any host <ISE-ip> eq 8443 log
deny ip any any

Ports 8905 and 8909 are open. On the switch side, the redirect URL to the CPP portal for installing the NAC Agent appeared. In the client's web browser, the CPP URL redirect happened. Could anybody help me out? Is my dACL wrong?
Thank you in advance.
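
As an added example (not part of the original post and not Cisco code), this sketch runs constructed probe flows against the dACL above using first-match ACL semantics, keeping the post's placeholders as symbolic host names. The probe flows, including DNS on UDP 53 and SIP on UDP 5060, are assumptions chosen for illustration; exact duplicate lines from the post are omitted because they do not change which entry matches first.

```python
# Added example: first-match evaluation of the dACL from the post.
# Placeholders are kept as symbolic hosts; exact duplicate lines are omitted.
DACL = """\
deny tcp any host <ip-telephony-ip-address> eq 23
deny tcp any host <ip-telephony-ip-address> eq 22
deny tcp any host <ip-telephony-ip-address> eq www
deny tcp any host <ip-telephony-ip-address> eq 443
permit tcp any host <DC-DNS-ip-address> eq 88
permit udp any host <DC-DNS-ip-address> eq 88
permit tcp any host <DC-DNS-ip-address> eq 389
permit tcp any host <DC-DNS-ip-address> eq 636
permit ip any host <ip-telephony-ip-address>
permit udp any host <ISE-ip> eq 8905
permit tcp any host <ISE-ip> eq 8905
permit tcp any host <ISE-ip> eq 8909
permit udp any host <ISE-ip> eq 8909
permit tcp any host <ISE-ip> eq 8443 log
deny ip any any
"""
NAMED_PORTS = {"www": 80}  # IOS port keyword used in the post

def parse_ace(line):
    """Parse 'action proto any {any | host X} [eq port] [log]'."""
    tok = line.split()
    action, proto = tok[0], tok[1]
    if tok[2] != "any":
        raise ValueError("unsupported source in: " + line)
    dst, rest = (None, tok[4:]) if tok[3] == "any" else (tok[4], tok[5:])
    port = int(NAMED_PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, dst, port

ACES = [parse_ace(l) for l in DACL.splitlines()]

def first_match(proto, dst, port=None):
    """Return (action, 1-based ACE index) of the first entry matching the flow."""
    for i, (action, p, d, prt) in enumerate(ACES, 1):
        if p in ("ip", proto) and d in (None, dst) and prt in (None, port):
            return action, i
    return "deny", None  # implicit deny that ends every ACL

# Constructed probe flows (assumptions, not taken from the post).
PROBES = [("tcp", "<ISE-ip>", 8443), ("tcp", "<ISE-ip>", 8905),
          ("udp", "<DC-DNS-ip-address>", 53), ("tcp", "<DC-DNS-ip-address>", 389),
          ("tcp", "<ip-telephony-ip-address>", 443), ("udp", "<ip-telephony-ip-address>", 5060)]

if __name__ == "__main__":
    for flow in PROBES:
        print(flow, "->", first_match(*flow))
```

With the entries as posted, the UDP 53 probe to the host labelled DC-DNS matches only the final `deny ip any any`, while the 8443 and 8905 probes to ISE hit their permit entries.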
