Hello,
We're deploying ISE, and I am busy deploying a portal where domain users can install their own NAC client.
However, we are facing issues with that.
When I am using an ISE-configured laptop, they cannot access the ISE server by hostname.
When I am using a non-ISE-configured laptop, I can access the server and download the NAC agent. After installation, the NAC agent gets a timeout and stops.
Also, when the agent is installed, they will try to install it again.
See below for the switch config and the dACL.
DACL:
permit udp any any eq 53
permit tcp any any eq 53
permit udp any eq bootpc any eq bootps
permit tcp any host 10.23.14.12 eq 8443
permit tcp any host 10.23.14.12 eq 8905
permit udp any host 10.23.14.12 eq 8905
permit tcp any host 10.23.14.12 eq 8906
permit udp any host 10.23.14.12 eq 8906
permit tcp any host 10.23.14.12 eq 8909
permit udp any host 10.23.14.12 eq 8909
permit ip any host 10.23.14.12
permit ip any host 10.22.40.1
deny ip any any
SWITCHCONFIG
aaa group server radius ISE
 server name ISE
!
aaa authentication login default group nps-radius local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client 10.23.14.12 server-key
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 319
 ip access-group permitany in
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface Vlan113
 ip address 10.22.2.240 255.255.255.0
ip default-gateway 10.22.2.1
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip access-list extended REDIRECT
 deny udp any any eq domain
 deny tcp any any eq domain
 deny udp any eq bootpc any eq bootps
 deny tcp any host 10.23.14.12 eq 8443
 deny tcp any host 10.23.14.12 eq 8905
 deny udp any host 10.23.14.12 eq 8905
 deny udp any host 10.23.14.12 eq 8906
 deny tcp any host 10.23.14.12 eq 8906
 deny tcp any host 10.23.14.12 eq 8909
 deny udp any host 10.23.14.12 eq 8909
 deny ip any host 10.23.14.12
 permit ip any any
ip access-list extended permitany
 permit ip any any
ip radius source-interface Vlan113
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE
 address ipv4 10.23.14.12 auth-port 1812 acct-port 1813
 key