04-29-2013 06:54 AM - edited 03-10-2019 08:22 PM
Hi all,
I would like some help trying to understand why a client that has not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28days old.
We have 2 mandatory posture requirements,
1. Symantec Av MUST be installed
2. the AV definitions MUST be LESS THAN 28 days out of date
Currently, the machine I have is showing the AV defs as being 25th March 2013.
When I produce the detailed posture report, it even shows me that the two mandatory requirements as described above were successfully met, meaning the endpoint is posture compliant. Clearly this is not the case though...!
Is there anything else I can check on the ISE to help debug this?
Mario
04-30-2013 06:06 AM
Hi,
You might have two problems:
1. In ISE you have a global setting regarding the unsupported NAC Agent clients (Android, etc.) that specifies what is their default compliance status. If the default setting is "compliant" and you don't have a provisioning rule for that client or you simply don't have client provisioning rules, any machine that doesn't fit in the provisioning rule (i.e. ISE thinks that it is not supported) will get a compliance status of compliant even though NAC Agent is installed and the rules are not satisfied.
2. NAC Agent version problem?
I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.
Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that it is 100% compatible with ISE.
Check
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131
Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE)
Cisco supports different versions of the NAC Agent for integration with NAC Appliance and ISE. Current releases are developed to work in either environment, however, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given NAC Agent version intended for one environment that will necessarily work in the other. If you require support for both NAC Appliance and ISE using a single NAC Agent, be sure to test NAC Agent in your specific environment to verify compatibility.
Unless there is a specific defect or feature required for your NAC Appliance deployment, Cisco recommends deploying the most current agent certified for your ISE deployment. If an issue arises, Cisco recommends restricting the NAC Agent's use to its intended environment and contacting Cisco TAC for assistance. Cisco will be addressing this issue through the standard Cisco TAC support escalation process, but NAC Agent interoperability is not guaranteed.
Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.
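The first point in this answer is worth seeing as logic, because it explains how a posture report can show "compliant" for a machine whose definitions are over a month old. The following is an added illustration, not Cisco ISE code: it models the two mandatory requirements from the question (Symantec installed, definitions less than 28 days old) and the global default status that applies when no client provisioning rule matches the endpoint. The endpoint dictionary keys, the `agent_supported` flag and the `default_unsupported_status` value are assumptions chosen for the example.

```python
from datetime import date

# Limit from the question: definitions must be LESS THAN 28 days old.
MAX_DEF_AGE_DAYS = 28


def av_requirements_met(endpoint, today):
    """Evaluate the two mandatory requirements.

    Returns (compliant, reasons). `endpoint` is a constructed dict with the
    assumed keys 'symantec_installed' (bool) and 'av_defs_date' (date or None).
    """
    reasons = []
    if not endpoint.get("symantec_installed"):
        reasons.append("Symantec AV not installed")
    defs_date = endpoint.get("av_defs_date")
    if defs_date is None:
        reasons.append("no AV definition date reported")
    else:
        age = (today - defs_date).days
        if age >= MAX_DEF_AGE_DAYS:
            reasons.append(f"AV definitions {age} days old (limit {MAX_DEF_AGE_DAYS})")
    return (not reasons, reasons)


def posture_status(endpoint, today, agent_supported, default_unsupported_status):
    """Model of the posture outcome described in the answer.

    If no client provisioning rule matches the endpoint (agent_supported is
    False), the requirements are never evaluated and the global default status
    for unsupported clients is returned instead. Only a matched endpoint gets
    its requirements checked.
    """
    if not agent_supported:
        return default_unsupported_status, [
            "unsupported client: default status applied, requirements not evaluated"
        ]
    ok, reasons = av_requirements_met(endpoint, today)
    return ("compliant" if ok else "non-compliant"), reasons


if __name__ == "__main__":
    # Constructed endpoint matching the thread: defs dated 25 March 2013,
    # assessed on 29 April 2013 (35 days old).
    laptop = {"symantec_installed": True, "av_defs_date": date(2013, 3, 25)}
    today = date(2013, 4, 29)

    # Weak setting: unmatched client + default "compliant" -> full access.
    print(posture_status(laptop, today, agent_supported=False,
                         default_unsupported_status="compliant"))
    # Corrected setting: unmatched client defaults to non-compliant.
    print(posture_status(laptop, today, agent_supported=False,
                         default_unsupported_status="noncompliant"))
    # Agent matched by a provisioning rule: the stale definitions are caught.
    print(posture_status(laptop, today, agent_supported=True,
                         default_unsupported_status="compliant"))
```

The check a practitioner would make after reading this answer: confirm in the posture report whether the requirements were actually evaluated against the endpoint, or whether the endpoint fell through to the unsupported-client default, and set that default to non-compliant so an unmatched agent cannot pass by omission.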
04-29-2013 07:06 AM
04-29-2013 08:05 AM
One thing I have noticed is that this particular laptop is not being profiled correctly. Its endpoint group is "Unknown" whereas the majority of our Windows machines get profiled properly as "WorkStation".
I have compared the RADIUS output on the ISE for a working laptop and this not working laptop and there is no difference in terms of the attributes listed in the output.
I understand that in order to hit the built in profiling rule for windows 7, the User Agent Attribute must contain "Windows NT 6.1".
How can I find out on my Windows machine what is contained in the attribute? Can the NAC agent help provide me with this information? Or the Windows registry perhaps?
thanks
Mario
04-30-2013 03:20 PM
Thanks mate!!
I think the NAC agent version is the issue. I wonder if that is why our NAC agent customisation packages aren't working too!!