cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1339
Views
10
Helpful
6
Replies
Highlighted
Beginner

NAC Agent and NSP provisioning with ISE 1.1.1

I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.

I am currently using the default guest portal in ISE.

The environment has been setup using a Dual SSID design.

At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.

The problem is the portal never attempts to install the NAC Agent.

The client provisioning policy has a separate policies for wireless/wired as well as OS. Each policy applies both a NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.

Any ideas?

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Advocate

NAC Agent and NSP provisioning with ISE 1.1.1

Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.

With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.

Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.

Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access

Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.

Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal

Hope that helps,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*

View solution in original post

6 REPLIES 6
Highlighted
Advocate

NAC Agent and NSP provisioning with ISE 1.1.1

Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.

With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.

Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.

Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access

Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.

Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal

Hope that helps,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*

View solution in original post

Highlighted
Beginner

NAC Agent and NSP provisioning with ISE 1.1.1

No, I am currently using a single portal.

From your response, it appears that I will need to use two portals and have the user go through the provisioning process twice, once for the NSP and another for the NAC agent.

I was hoping that both NSP and the Agent could be deployed in a single process.

Highlighted
Advocate

NAC Agent and NSP provisioning with ISE 1.1.1

That is correct, and it does make more sense to do it your way but I am sure that the action=nsp and action=cpp in the authorization profile is the key indicator as to how the client is provisioned.

thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*
Highlighted
Beginner

NAC Agent and NSP provisioning with ISE 1.1.1

Thanks.

I've tried implementing it using the two stage setup as you proposed. It works well, the NSP is deployed first, then the user reconnects and gets redirected to install the Agent.

The issue is now with iPADs which don't support the NAC Agent. Because Rule0 doesn't match as the iPAD has an Unknown compliance.

In the ISE "Posture General Settings" section I have set the default posture status to compliant. But this doesn't appear to do anything.

iPADs/mobile devices need to be registered, but don't require the NAC agent.

Thanks.

Highlighted
Advocate

NAC Agent and NSP provisioning with ISE 1.1.1

Add a built in condition which states endpoint:posturecapable not equals NO to your agent based policies. Or above rule 0 place a rule that has the condition that has the condition of endpoint:posturecapable equals no then permit access in addition to the other conditions that confirm a provisioned client

Tarik Admani
*Please rate helpful posts*
Highlighted
Beginner

NAC Agent and NSP provisioning with ISE 1.1.1

All works well.

Combination of your first post and "Posture Applicable" allowed the iDevices to connect without needing to go through Agent provisioning.