ISE Agent download problems

kassabziad · ‎10-12-2012

Dears,

i have Cisco ISE 1.1.1 with patch installed, i am having a problem with downloading the CIsco NAC agent.

when i click on Install Agent, it is giving the attached message. and sometimes activex failed retrying with applet.

The Web agent is running fine, if i install the NAC agent manualy on my laptop, it is working fine, i have tried 3 laptops with different browser with sames problem.

BR,

Tarik Admani · ‎10-12-2012

Hi,

In your client provisioning policy, try selecting another version of the nac agent and see if that fixes your issue, also try to download the offline agent from cisco.com and upload that agent into the ISE resources section and see if that fixes the issue.

Thanks,

Tarik Admani
*Please rate helpful posts*

Christopher Calhoun · ‎10-12-2012

I am also having the same issue. I have modified my dACL to make it work I am just missing something in my Posture remediation ACL.

-CC

kassabziad · ‎10-13-2012

Dears,

Actually i tried many NAC agent version, same problem. The offline agent is used to download it directly on the workstation without downloading it from the ISE right?

Christopher, can you please share your DACL, i used the one from the ISE Posture guide.

BR,

Christopher Calhoun · ‎10-15-2012

I am going to try and work on narrowing down what it is actually accessing. I also used the gold lab material and it does not work with the downloadable ACL provided. I simply did a PERMTI IP ANY ANY at the end of my dACL and it downloaded the client without issues from my Policy server.

Something is missing.

-CC

Christopher Calhoun · ‎10-16-2012

Here is the downloadable ACL for posture I used to get it to work. It needs TCP 8909 to the Posturing nodes.

permit tcp any any eq www

permit tcp any any eq 443

permit tcp any host eq 8443

permit tcp any host eq 8905

permit tcp any host eq 8909

permit tcp any host eq 8443

permit tcp any host eq 8905

permit tcp any host eq 8909

permit udp any any eq domain

permit udp any host eq 8905

permit udp any host eq 8906

permit udp any host eq 8905

permit udp any host eq 8906

permit icmp any any

Original LAB ACL

permit udp any any eq domain

permit icmp any any

permit tcp any host 10.1.100.21 eq 8443

permit tcp any any eq 80

permit tcp any any eq 443

permit tcp any host 10.1.100.21 eq 8905

permit udp any host 10.1.100.21 eq 8905

permit udp any host 10.1.100.21 eq 8906

Venkatesh Attuluri · ‎07-15-2013

Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the

policy identity group, conditions, and type of agent(s) defined in the policy.

(Also ensure whether or not there is any agent profile configured under Policy >

Policy Elements > Results > Client Provisioning > Resources > Add > ISE

Posture Agent Profile, even a profile with all default values.)

• Try reauthenticating the client machine by bouncing the port on the access

switch.

Remember that the client provisioning agent installer download requires the following:

• The user must allow the ActiveX installer in the browser session the first time an agent is installed

on the client machine. (The client provisioning download page prompts for this.)

• The client machine must have Internet access.