06-25-2012 12:13 PM - edited 03-10-2019 07:14 PM
Dears,
I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.
When we are working on the first node everything is fine, if I try to disconnect ISE1 and do my tests on ISE2, the cisco NAC agent doesn't popup, unless I uninstall it and reinstall it again from the ISE2. Then it will work properly.
Note: the NAC agent version is the following: nacagent-4.9.0.37.
Any idea?
Regards
Zahi
07-28-2012 10:32 AM
I don't have access to an ISE at the moment to find it, but try this:
Policy > Policy Elements > Results > Client Provisioning > Resources
edit the profile and there should be a discovery host box.
Apologies, I'm guessing a little without access to the box, but it is definitely configurable, you don't have to add manually.
06-25-2012 07:47 PM
Zahi,
Can you please post the contents of your pre-auth ACL? I wonder how the redirection is set for the swiss packets. Are you redirecting all traffic destined to port 8905,8906?
Also when you are performing the failover scenario are you shutting the port? How are you triggering the reauthentication?
Thanks,
Tarik Admani
06-25-2012 11:27 PM
Hi Tarik,
Thanks for your reply.
If you mean the ACL redirection, please find it below:
ip access-list extended ACL-POSTURE-REDIRECT
deny ip any host 10.10.10.238 >>> IP address of ISE1
deny ip any host 10.10.10.239 >>> IP address of ISE2
deny udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
To perform the failover I disconnect the ISE1 from the network, and apply the shut and no shut command on the port of the testing machine or sometimes I unplug and plug again the cable of that workstation.
Regards
Zahi
06-26-2012 08:17 AM
Can you also post the contents of your dACL? When you open a web browser do you get redirected to the nac agent download page?
Can you please post the show authentication session interface
Also it may be best to take a pcap of the client machine to see if ISE2 is responding.
Thanks,
Tarik Admani
07-04-2012 06:15 AM
Hi Tarik,
below are my answers:
1- The content of the dACL:
ip access-list extended POSTURE-REMEDIATION
permit udp any any eq domain
permit ip any host 10.10.10.125 >>>> antivirus server
permit ip any 10.10.240.0 0.0.0.255 >>>> voice subnet
permit ip any 10.10.31.0 0.0.0.255 >>>> quarantine vlan subnet
permit ip any host 10.10.10.238 >>>> ip add of ISE1
permit ip any host 10.10.10.239 >>>> ip add of ISE2
permit ip any host 10.10.10.206 >>>> wsus server
permit ip any host 10.10.10.10 >>>> domain 1
permit ip any host 10.10.10.100 >>>> domain 2
2- When I open a web browser, yes I get redirected to the nac agent download page
3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:
sw#sho authentication sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: b8ac.6fc9.b26f
IP Address: 10.10.31.2
User-Name: RJ\15592
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 31
ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://RJ-ISE-1.rj.com:8443/guestportal/gateway?sessionId=0A0A0C86000000186ADBBD8B&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000186ADBBD8B
Acct Session ID: 0x00000023
Handle: 0x31000018
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
sw#sho authentication sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: b8ac.6fc9.b26f
IP Address: 10.10.30.12
User-Name: RJ\15592
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 30
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000186ADBBD8B
Acct Session ID: 0x00000023
Handle: 0x31000018
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:
sw#sho auth sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: 0025.6458.8409
IP Address: 10.10.31.8
User-Name: RJ\15946
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 31
ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://RJ-ISE-2.rj.com:8443/guestportal/gateway?sessionId=0A0A0C86000000206AF3FAC1&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000206AF3FAC1
Acct Session ID: 0x0000002B
Handle: 0x2C000020
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
You may also find attached the pcap file of the client machine when it is authenticating with the ISE2.
Thank you in advance
Zahi
07-04-2012 12:30 PM
Zahi,
I don't understand your latest response, are you saying the agent is popping up with ISE2 or it is not popping up with ISE2?
Just so I understand this correctly the first client, authenticates on vlan 31, postures, and then is compliant and then set to vlan 30 with the permit ip any acl assigned.
In your ACL you sent me a different ACL which is defined on the switch, the ISE is referencing - "ACL-POSTURE-REDIRECT", please send the contents of this ACL.
I see that you are using two different machines, client 0025.6458.8409 is being redirected to ISE2 agent download page but does it have the client installed? If so, in the pcap the agent doesn't seem to be sending any discovery packets.
Please test with only one client, and reproduce the issue with the show authentication sessions like you did previously.
Thanks,
Tarik Admani
07-05-2012 06:56 AM
Hi Tarik,
In the second test I meant that this is the output after authenticating with the ISE2, but the agent didn't pop up, sorry for any inconvenience. It's giving that the authentication is successful but the agent is not popping up.
As per the client machine, I'm doing this test remotely as the client is abroad; you're right, it seems that he used a different machine.
I will redo the test and ensure using the same client machine.
I'll get back to you with the result.
Regards
Zahi
07-10-2012 06:22 AM
Hi Tarik,
Kindly find below the outputs of the test:
1- The content of the dACL:
ip access-list extended ACL-POSTURE-REDIRECT
deny ip any host 10.10.10.238
deny ip any host 10.10.10.239
deny udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
2- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:
SW#sho auth sess int fast 0/12
Interface: FastEthernet0/12
MAC Address: 0021.7070.87be
IP Address: 10.10.31.4
User-Name: 15919
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 31
ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://RJ-ISE-1.rj.com:8443/guestportal/gateway?sessionId=0A0A0C860000002A89B45A9A&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C860000002A89B45A9A
Acct Session ID: 0x00000039
Handle: 0xC500002A
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
SW#sho auth sess int fast 0/12
Interface: FastEthernet0/12
MAC Address: 0021.7070.87be
IP Address: 10.10.30.3
User-Name: 15919
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 30
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C860000002A89B45A9A
Acct Session ID: 0x00000039
Handle: 0xC500002A
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
3- outputs of the show authentication session interface fast 0/12, when the agent fails to popup with ISE2:
SW#sho auth sess int fast 0/12
Interface: FastEthernet0/12
MAC Address: 0021.7070.87be
IP Address: 10.10.31.4
User-Name: 15919
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 31
ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://RJ-ISE-2.rj.com:8443/guestportal/gateway?sessionId=0A0A0C860000002C89C063BE&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C860000002C89C063BE
Acct Session ID: 0x0000003B
Handle: 0xBD00002C
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
SW#sho ip access-lists int fast 0/12
permit udp any any eq domain (13 matches)
permit ip any host 10.10.10.125
permit ip any 10.10.240.0 0.0.0.255
permit ip any 10.10.31.0 0.0.0.255 (42 matches)
permit ip any host 10.10.10.238 (15 matches)
permit ip any host 10.10.10.239
permit ip any host 10.10.10.206
permit ip any host 10.10.10.10 (8 matches)
permit ip any host 10.10.10.100
You may also find attached two log files, ISE2-1 and ISE2-2, retrieved when we were testing the client machine with the ISE2 (the scenario was repeated 2 times, that's why I retrieved 2 log files).
Regards
Zahi
07-10-2012 06:45 AM
Can you post show run aaa, and show run interface fa 0/12.
Thanks,
Tarik Admani
07-10-2012 07:15 AM
Below are the outputs:
SW#sh run | in aaa
aaa new-model
aaa authentication login default local
aaa authentication login TEST group radius local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common
SW#sh run int fas 0/12
Building configuration...
Current configuration : 200 bytes
!
interface FastEthernet0/12
switchport access vlan 22
switchport mode access
switchport voice vlan 110
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end
Regards
Zahi
07-10-2012 08:27 AM
Zahi,
Please use the following guide for reference; you need to look into using a port-based ACL, which affects the way traffic is redirected.
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html
Thanks,
Tarik Admani
11-12-2015 11:06 AM
Hi Tarik,
Currently we are using ISE 1.4 with dot1x (machine & user authentication) and posturing.
We are using Cisco NAC agent 4.9.5.8 for all windows machines.
This all works well with Windows 7: after authentication the NAC agent pops up properly and checks the posture. But on a Windows 10 machine it is stuck at machine authentication only; it is not going forward to the posture check and the NAC agent is not popping up for the same.
Has anyone faced this issue with a Windows 10 machine?
Thanks in advance
07-13-2012 02:52 PM
When your NAC agent DOES pop up, what discovery nodes are listed in the pop up window? Are both of your ISE's in there?
Both ISE's need to be in there otherwise it won't recognise the second one.
Or you can use a wildcard such as *.mydomain.com
I don't have access to a box to steer you to the page that is configured on at the moment, but I'm sure you'll be able to find it if that is the problem.
Gaz
07-13-2012 03:42 PM
Gaz,
That is not the proper way to configure the switch port and redirect urls, depending on your configuration and configuring the redirection profiles correctly the switch port should redirect all http, https and discovery agent traffic to the url that the ISE hands to the switchport. Similar to when you go to www.google.com and get redirected to download the nac agent, the same behavior must apply for tcp and udp traffic destined for the discovery ports.
Thanks,
Tarik Admani
07-14-2012 02:53 PM
I think you've misunderstood my reply, I haven't suggested a method of configuring redirection. I've stated that if the redirection is working properly and you don't configure both discovery nodes to be authenticated, i.e. both discovery nodes need to be listed, then you won't get pop ups, the NAC client won't recognise the ISE.
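As an added example (not from the thread, from Cisco, or from any poster), a Python check that applies the two conditions discussed above to the ACLs posted in this thread: the URL-redirect ACL must permit (that is, redirect) the agent's discovery traffic on tcp/udp 8905 and 8906, the dACL must allow direct traffic to each ISE node, and every node the agent may fail over to must appear in its discovery host list (a wildcard such as *.rj.com is accepted). The gateway address 10.10.31.1, the discovery-host list, the choice of dACL lines in the excerpt and the assumption that discovery aimed at a non-ISE address such as the gateway is what the redirect ACL must catch are constructed for the example.

```python
import re
from fnmatch import fnmatch
DISCOVERY_PORTS = (8905, 8906)          # NAC agent discovery ports named in the thread
PORT_NAMES = {"www": 80, "domain": 53}
ACE_RE = re.compile(r"^(permit|deny) (ip|tcp|udp) any (any|host \S+|\d\S* \d\S*)(?: eq (\S+))?")
# Redirect ACL and a dACL excerpt as posted in the thread; node FQDNs and IPs from its show output.
REDIRECT_ACL = """deny ip any host 10.10.10.238
deny ip any host 10.10.10.239
deny udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443"""
DACL = """permit udp any any eq domain
permit ip any 10.10.31.0 0.0.0.255
permit ip any host 10.10.10.238
permit ip any host 10.10.10.239"""
ISE_NODES = {"RJ-ISE-1.rj.com": "10.10.10.238", "RJ-ISE-2.rj.com": "10.10.10.239"}

def parse_acl(text):
    """IOS extended ACEs with source 'any' -> (action, proto, dst, port); other lines are skipped."""
    acl = []
    for m in filter(None, (ACE_RE.match(ln.strip()) for ln in text.splitlines())):
        action, proto, dst, port = m.groups()
        acl.append((action, proto, dst.replace("host ", ""), int(PORT_NAMES.get(port, port)) if port else None))
    return acl

def dst_matches(adst, ip):
    """'any', a single host, or 'network wildcard' where set wildcard bits are don't-care."""
    net, wild = adst.split() if " " in adst else (adst, "0.0.0.0")
    return adst == "any" or all((int(n) | int(w)) == (int(i) | int(w))
                                for n, i, w in zip(net.split("."), ip.split("."), wild.split(".")))

def first_match(acl, proto, ip, port):
    """IOS first-match walk; None means the implicit deny at the end of the list applied."""
    for action, aproto, adst, aport in acl:
        if aproto in ("ip", proto) and dst_matches(adst, ip) and aport in (None, port):
            return action
    return None

def audit(redirect_acl=REDIRECT_ACL, dacl=DACL, gateway="10.10.31.1", discovery_hosts=("RJ-ISE-1.rj.com",)):
    """In a URL-redirect ACL 'permit' means redirect, in the dACL it means allow; gateway and host list are constructed defaults."""
    findings, r, d = [], parse_acl(redirect_acl), parse_acl(dacl)
    for proto, port in ((p, n) for p in ("tcp", "udp") for n in DISCOVERY_PORTS):
        if first_match(r, proto, gateway, port) != "permit":
            findings.append(f"redirect ACL does not redirect {proto}/{port} discovery to the gateway")
    for name, ip in ISE_NODES.items():
        if first_match(d, "tcp", ip, DISCOVERY_PORTS[0]) != "permit":
            findings.append(f"dACL blocks discovery traffic to {name}")
        if ip not in discovery_hosts and not any(fnmatch(name, h) for h in discovery_hosts):
            findings.append(f"{name} missing from the agent discovery host list")
    return findings
```

Run against the posted ACLs, audit() reports that neither tcp nor udp discovery traffic is redirected and that the second node is absent from the discovery host list; adding permit entries for 8905/8906 and listing both nodes clears every finding.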