02-12-2017 10:33 PM - edited 03-11-2019 12:27 AM
Hi,
I have an ISE 2.2 VM based deployment (4 nodes - PAN/SMN, SAN/PMN, PSN, PSN). Posture redirection works in the browser and the Client Provisioning Portal prompts to download the NAC Agent (in future, it will be pushed through GPO). The NAC Agent is installed and starts running. However, the NAC Agent doesn't seem to be doing anything after installation. Any new browser session will still prompt for NAC Agent installation.
Ping and Telnet to the PSN nodes work fine using both the domain name and the IP address of the host, indicating that port TCP/8905 is open and there is no firewall in the middle blocking access. However, I don't see the PSN FQDN returned on visiting "https://ise-03:8905/auth/discovery". Nothing is returned on visiting this URL. A Wireshark capture on the client shows the TCP session getting established.
Any idea why the "/auth/discovery" page is not bringing back the ISE FQDN? How do I troubleshoot this?
Regards,
Rick.
02-13-2017 04:40 AM
Are you using a Wired or Wireless deployment for this? What does your redirect ACL look like for this?
There are a few things to consider for redirection to work, especially in a Wired environment. This guide has most of the redirect failure scenarios that you could hit in Wired, but some of them apply to Wireless also:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/117278-troubleshoot-ise-00.html
02-13-2017 05:12 AM
Hi Rahul,
This is for the wired deployment. The Posture Redirect ACL, defined locally on the switch, looks like this:
ip access-list extended Posture-Redirect
deny udp any any eq bootps
deny udp any any eq domain
deny tcp any host <ise-psn-node1>
deny tcp any host <ise-psn-node2>
permit ip any any
When the Posture Authz policy is hit in ISE, "show auth session int <intf>" on the switch correctly shows the redirect ACL "Posture-Redirect" and also the redirect URL. The authz policy does not override the VLAN. The client has an IP address throughout and is able to resolve domain names.
Opening up a browser redirects a URL, say "msn.com", to the client provisioning portal. The portal shows up and asks to install the NAC Agent. On successful installation, the portal page says that the NAC Agent is installed and running and that the user should now open the NAC Agent itself to see the compliance status. This is where nothing happens after that. The browser page remains like this (tried IE and Firefox). The NAC Agent doesn't seem to do anything. I typed the discovery host address (PSN node) manually into the NAC Agent; still nothing.
Opening a new browser session redirects to the client provisioning portal again; unable to detect the NAC Agent, it again asks to download and install the NAC Agent.
Regards,
Rick.
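The two checks the thread circles around (does the redirect ACL really leave the PSNs alone, and does a PSN answer on 8905/auth/discovery with its FQDN) can be scripted from the client side. The following is an added example written for this page, not Cisco or ISE code and not posted by anyone in the thread. It parses a copy of the Posture-Redirect ACL from the post (with the <ise-psn-node> placeholders replaced by constructed addresses 10.0.0.11 and 10.0.0.12), evaluates which destinations the switch would redirect, and probes the discovery URL. The host name ise-03.example.com is a placeholder.

```python
"""Client-side checks for ISE posture redirect/discovery troubleshooting.

Added example (not ISE or Cisco code). Models only the simple IOS ACL
syntax used in the thread: 'permit|deny <proto> any [any|host X] [eq P]'.
"""
import http.client
import ssl

# Constructed copy of the ACL from the post; placeholder PSN addresses.
REDIRECT_ACL = """
ip access-list extended Posture-Redirect
 deny udp any any eq bootps
 deny udp any any eq domain
 deny tcp any host 10.0.0.11
 deny tcp any host 10.0.0.12
 permit ip any any
"""

# Minimal IOS port-name table for the names this ACL uses.
PORT_NAMES = {"bootps": 67, "domain": 53, "www": 80}


def parse_acl(text):
    """Return (action, proto, dst_host_or_None, dst_port_or_None) per ACE."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list extended ...' header
        action, proto, rest = parts[0], parts[1], parts[2:]
        # Source: 'any' or 'host X'. Sources are not matched here.
        rest = rest[1:] if rest[0] == "any" else rest[2:]
        dst_host = None
        if rest[0] == "any":
            rest = rest[1:]
        else:  # 'host X'
            dst_host, rest = rest[1], rest[2:]
        dst_port = None
        if rest and rest[0] == "eq":
            dst_port = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        rules.append((action, proto, dst_host, dst_port))
    return rules


def redirected(rules, proto, dst_ip, dst_port):
    """Redirect-ACL semantics: 'permit' = redirected, 'deny' = passes untouched.

    First matching ACE wins; the implicit deny at the end means no redirect.
    """
    for action, rproto, rhost, rport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rhost is not None and rhost != dst_ip:
            continue
        if rport is not None and rport != dst_port:
            continue
        return action == "permit"
    return False


def probe_discovery(host, port=8905, timeout=5):
    """GET https://<host>:<port>/auth/discovery and return (status, body).

    Certificate verification is disabled only because the test box usually
    does not trust the PSN's admin certificate; the question here is whether
    the FQDN comes back at all, which is what the NAC Agent relies on.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/auth/discovery")
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace").strip()
    finally:
        conn.close()


def classify_discovery(status, body):
    """Turn a discovery response into a short verdict string."""
    if status != 200:
        return f"http-{status}"
    if not body:
        return "empty-body"  # the symptom described in the thread
    return "fqdn:" + body


if __name__ == "__main__":
    rules = parse_acl(REDIRECT_ACL)
    for proto, ip, port in [("tcp", "10.0.0.11", 8905), ("tcp", "13.82.28.61", 80)]:
        print(proto, ip, port, "redirected" if redirected(rules, proto, ip, port) else "passes")
    status, body = probe_discovery("ise-03.example.com")  # placeholder PSN
    print(classify_discovery(status, body))
```

If the ACL evaluation says traffic to a PSN on 8905 passes but the probe still returns an empty body, the redirect is not the problem and the PSN side (the 8905 service and the certificate it serves) is where to look next.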
02-14-2017 07:02 PM
Ok, so the redirect happens successfully every time but your posture discovery does not work. What version of the NAC agent are you using? You should be using 4.9.5.3 or later with ISE 2.2:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/compatibility/ise_sdt.html#pgfId-123696
Also, not sure if you have already seen this but this is a good guide to troubleshoot such issues:
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/118724-technote-ise-00.html#anc10