Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1971
Views
10
Helpful
6
Replies

NAC Agent and NSP provisioning with ISE 1.1.1

Go to solution
geniesis
Level 1
Level 1

‎09-05-2012 07:23 PM - edited ‎03-10-2019 07:30 PM

I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.

I am currently using the default guest portal in ISE.

The environment has been setup using a Dual SSID design.

At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.

The problem is the portal never attempts to install the NAC Agent.

The client provisioning policy has a separate policies for wireless/wired as well as OS. Each policy applies both a NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.

Any ideas?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎09-05-2012 07:45 PM

Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.

With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.

Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.

Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access

Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.

Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal

Hope that helps,

Tarik Admani
*Please rate helpful posts*

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎09-05-2012 07:45 PM

Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.

With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.

Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.

Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access

Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.

Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal

Hope that helps,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
geniesis
Level 1
Level 1
In response to Tarik Admani

‎09-05-2012 08:46 PM

No, I am currently using a single portal.

From your response, it appears that I will need to use two portals and have the user go through the provisioning process twice, once for the NSP and another for the NAC agent.

I was hoping that both NSP and the Agent could be deployed in a single process.

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to geniesis

‎09-05-2012 10:01 PM

That is correct, and it does make more sense to do it your way but I am sure that the action=nsp and action=cpp in the authorization profile is the key indicator as to how the client is provisioned.

thanks,

Tarik Admani
*Please rate helpful posts*

Go to solution
geniesis
Level 1
Level 1
In response to Tarik Admani

‎09-06-2012 12:17 AM

Thanks.

I've tried implementing it using the two stage setup as you proposed. It works well, the NSP is deployed first, then the user reconnects and gets redirected to install the Agent.

The issue is now with iPADs which don't support the NAC Agent. Because Rule0 doesn't match as the iPAD has an Unknown compliance.

In the ISE "Posture General Settings" section I have set the default posture status to compliant. But this doesn't appear to do anything.

iPADs/mobile devices need to be registered, but don't require the NAC agent.

Thanks.

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎09-06-2012 01:51 AM

Add a built in condition which states endpoint:posturecapable not equals NO to your agent based policies. Or above rule 0 place a rule that has the condition that has the condition of endpoint:posturecapable equals no then permit access in addition to the other conditions that confirm a provisioned client

Go to solution
geniesis
Level 1
Level 1
In response to Tarik Admani

‎09-06-2012 11:56 PM

All works well.

Combination of your first post and "Posture Applicable" allowed the iDevices to connect without needing to go through Agent provisioning.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents