NAC agent failing to popup via the wired network on Windows 10

MeuzKing
Level 1

Hello all,

I have an ISE appliance installed in a STANDALONE deployment; the node has the three personas installed on it (Administration, Monitoring, Policy).

When I try to do my tests via the cable, the Cisco NAC agent doesn't pop up for the verification of the posture to know if the equipment complies with the policy defined in order to be able to access the Internet or not.

I need your help to solve the problem.

Note: the NAC agent version is the following: 4.9.5.8, the Cisco ISE version is 2.0.0.306

 

ACLs defined in Cisco ISE:

permit udp any host x.x.x.z eq domain (AD server)
permit tcp any host x.x.x.y eq 8443 (ISE server)
permit tcp any host x.x.x.y eq 8905
permit udp any host x.x.x.y eq 8905
permit udp any host x.x.x.y eq 8906
permit udp any host x.x.x.y eq 8909
permit tcp any host x.x.x.y eq 8909
deny tcp any host x.x.x.z eq 3389
deny ip any any

 

ACLs defined in Cisco Switch:

deny udp any host x.x.x.z eq domain
deny tcp any host x.x.x.y eq 8443
deny tcp any host x.x.x.y eq 8905
deny udp any host x.x.x.y eq 8905
deny udp any host x.x.x.y eq 8906
deny udp any host x.x.x.y eq 8909
deny tcp any host x.x.x.y eq 8909
deny tcp any host x.x.x.z eq 3389
permit ip any any

 

Regards.

Accepted Solutions

You will need to work through TAC and possibly the account team who sold you the product to straighten it out if you have support

9 Replies

Nidhi
Cisco Employee

Better to work through TAC. NAC agent is EOL now. 

Thanks,

Nidhi

Hello Nidhi,

Thank you for your reply. But I need it to work with the NAC agent that was already installed on all user machines.

Regards.

One thing that I can notice is that there is no DHCP allowed in the dACL. If the PC does not get an IP, the NAC Agent will definitely not pop up. However, this is a candidate for a TAC case as this involves a lot of things including but not limited to a problem in the network, switch configuration/capability to redirect, connectivity to the ISE, client issue etc.
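
The dACL observation in the reply above can be checked mechanically. The following Python sketch is an added example, not part of the original thread and not Cisco code: it applies first-match evaluation to the dACL lines posted in the question and tests a constructed DHCP DISCOVER packet. It handles only the ACE forms that appear in the post, and the extra `bootps` ACE is a hypothetical line used to show the effect of ordering.

```python
# Added example: first-match evaluation of the dACL posted in the question.
# Placeholder hosts are opaque strings; the "(AD server)" notes are dropped.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68}

POSTED_DACL = """\
permit udp any host x.x.x.z eq domain
permit tcp any host x.x.x.y eq 8443
permit tcp any host x.x.x.y eq 8905
permit udp any host x.x.x.y eq 8905
permit udp any host x.x.x.y eq 8906
permit udp any host x.x.x.y eq 8909
permit tcp any host x.x.x.y eq 8909
deny tcp any host x.x.x.z eq 3389
deny ip any any
"""

def parse_ace(line):
    """Parse '<action> <proto> any (any | host <addr>) [eq <port>]'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[2] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, rest = tok[0], tok[1], tok[3:]
    if rest[0] == "host" and len(rest) >= 2:
        dst, rest = rest[1], rest[2:]
    elif rest[0] == "any":
        dst, rest = None, rest[1:]
    else:
        raise ValueError(f"unsupported destination: {line!r}")
    port = None
    if rest:
        if len(rest) != 2 or rest[0] != "eq":
            raise ValueError(f"unsupported port clause: {line!r}")
        port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
    return action, proto, dst, port

def evaluate(acl_text, proto, dst, dport):
    """Return (action, matching line); the first matching ACE wins."""
    for line in filter(None, map(str.strip, acl_text.splitlines())):
        action, a_proto, a_dst, a_port = parse_ace(line)
        if a_proto in ("ip", proto) and a_dst in (None, dst) and a_port in (None, dport):
            return action, line
    return "deny", "(implicit deny)"

if __name__ == "__main__":
    # Constructed packet: DHCP DISCOVER, UDP to 255.255.255.255 port 67.
    dhcp = ("udp", "255.255.255.255", 67)
    print(evaluate(POSTED_DACL, *dhcp))
    # Hypothetical extra ACE placed first, to show the effect of ordering.
    print(evaluate("permit udp any any eq bootps\n" + POSTED_DACL, *dhcp))
```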

Hello Surendra,

Thank you for your reply. When I plug in the cable I get an IP address but the NAC client can't pop up.

When I try to open a case on Cisco TAC I get this error message: "Contract Not Associated".

Regards.

Please call in the TAC front line using the phone numbers @ http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html . They will help you create a case with TAC.

Cheers.

Hello Surendra,

I cannot open a ticket on the Cisco site. I get the error message when I try to open a case on Cisco TAC:

The message is the following: "Contract Not Associated"


Good afternoon all,

After a complete review of the configuration of the ISE and the switch, I think my problem is at the certificate level. I have the following error message at the certificate level in ISE "Certificate trust chain is incomplete".

Who can help me solve the problem?

Regards.