09-05-2018 07:37 AM
Hello,
We're deploying ISE, and I am busy deploying a portal where domain users can install their own NAC client.
However, we are facing issues with that.
When I am using an ISE-configured laptop, it cannot access the ISE server by hostname.
When I am using a non-ISE-configured laptop, I can access the server and download the NAC agent. After installation the NAC agent gets a timeout and stops.
Also, when the agent is installed, they will try to install it again.
See below for the switch config and the dACL.
DACL:
permit udp any any eq 53
permit tcp any any eq 53
permit udp any eq bootpc any eq bootps
permit tcp any host 10.23.14.12 eq 8443
permit tcp any host 10.23.14.12 eq 8905
permit udp any host 10.23.14.12 eq 8905
permit tcp any host 10.23.14.12 eq 8906
permit udp any host 10.23.14.12 eq 8906
permit tcp any host 10.23.14.12 eq 8909
permit udp any host 10.23.14.12 eq 8909
permit ip any host 10.23.14.12
permit ip any host 10.22.40.1
deny ip any any
SWITCHCONFIG:
aaa group server radius ISE
 server name ISE
!
aaa authentication login default group nps-radius local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
aaa server radius dynamic-author
 client 10.23.14.12 server-key
dot1x system-auth-control
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 319
 ip access-group permitany in
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
interface Vlan113
 ip address 10.22.2.240 255.255.255.0
ip default-gateway 10.22.2.1
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none
ip access-list extended REDIRECT
 deny udp any any eq domain
 deny tcp any any eq domain
 deny udp any eq bootpc any eq bootps
 deny tcp any host 10.23.14.12 eq 8443
 deny tcp any host 10.23.14.12 eq 8905
 deny udp any host 10.23.14.12 eq 8905
 deny udp any host 10.23.14.12 eq 8906
 deny tcp any host 10.23.14.12 eq 8906
 deny tcp any host 10.23.14.12 eq 8909
 deny udp any host 10.23.14.12 eq 8909
 deny ip any host 10.23.14.12
 permit ip any any
ip access-list extended permitany
 permit ip any any
ip radius source-interface Vlan113
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE
 address ipv4 10.23.14.12 auth-port 1812 acct-port 1813
 key
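As an added check (not code from the thread or from Cisco), the script below parses the dACL and the switch REDIRECT ACL posted above and reports every flow the dACL permits for which the redirect ACL carries no covering deny. In an IOS URL-redirect ACL a `deny` entry means "do not redirect" and a `permit` entry means "redirect", so anything the posture flow must reach directly (ISE itself, DNS, DHCP) should be denied there and permitted in the dACL. The ISE address 10.23.14.12 and both ACLs are copied from the post; the port-keyword table and the supported ACE shape (`any` or `host A.B.C.D` on each side, optional `eq` ports, no wildcard masks or ranges) are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# Added example, not from the thread. Parses the question's dACL and
# REDIRECT ACL and reports dACL permits that the redirect ACL does not
# exclude ("deny" in a redirect ACL = do not redirect).

# Port keywords IOS substitutes for numbers. Assumption: only the ones
# appearing in these ACLs are needed.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "www": 80}

# Constructed from the question's dACL.
DACL = """
permit udp any any eq 53
permit tcp any any eq 53
permit udp any eq bootpc any eq bootps
permit tcp any host 10.23.14.12 eq 8443
permit tcp any host 10.23.14.12 eq 8905
permit udp any host 10.23.14.12 eq 8905
permit tcp any host 10.23.14.12 eq 8906
permit udp any host 10.23.14.12 eq 8906
permit tcp any host 10.23.14.12 eq 8909
permit udp any host 10.23.14.12 eq 8909
permit ip any host 10.23.14.12
permit ip any host 10.22.40.1
deny ip any any
"""

# Constructed from the question's "ip access-list extended REDIRECT".
REDIRECT_ACL = """
deny udp any any eq domain
deny tcp any any eq domain
deny udp any eq bootpc any eq bootps
deny tcp any host 10.23.14.12 eq 8443
deny tcp any host 10.23.14.12 eq 8905
deny udp any host 10.23.14.12 eq 8905
deny udp any host 10.23.14.12 eq 8906
deny tcp any host 10.23.14.12 eq 8906
deny tcp any host 10.23.14.12 eq 8909
deny udp any host 10.23.14.12 eq 8909
deny ip any host 10.23.14.12
permit ip any any
"""


class Ace(NamedTuple):
    action: str
    proto: str
    src: str             # "any" or an IPv4 address
    sport: Optional[int]
    dst: str
    dport: Optional[int]


# Supported ACE shape (assumption of this example):
# <permit|deny> <proto> <any|host A.B.C.D> [eq <port>] <any|host A.B.C.D> [eq <port>]
ACE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+(?P<proto>ip|tcp|udp|icmp)\s+"
    r"(?P<src>any|host\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|host\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?\s*$"
)


def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok: str) -> str:
    return "any" if tok == "any" else tok.split()[1]


def parse_acl(text: str) -> list:
    """Parse ACL text into Ace tuples, one per non-empty, non-comment line."""
    aces = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        aces.append(Ace(m["action"], m["proto"], _addr(m["src"]), _port(m["sport"]),
                        _addr(m["dst"]), _port(m["dport"])))
    return aces


def covers(broad: Ace, narrow: Ace) -> bool:
    """True if every packet matched by `narrow` is also matched by `broad`."""
    return (broad.proto in ("ip", narrow.proto)
            and broad.src in ("any", narrow.src)
            and broad.sport in (None, narrow.sport)
            and broad.dst in ("any", narrow.dst)
            and broad.dport in (None, narrow.dport))


def unexcluded_flows(dacl_text: str, redirect_text: str) -> list:
    """dACL permits with no covering deny in the redirect ACL, i.e. traffic the
    port lets through but whose HTTP/HTTPS would still be redirected."""
    permits = [a for a in parse_acl(dacl_text) if a.action == "permit"]
    denies = [a for a in parse_acl(redirect_text) if a.action == "deny"]
    return [p for p in permits if not any(covers(d, p) for d in denies)]


if __name__ == "__main__":
    for ace in unexcluded_flows(DACL, REDIRECT_ACL):
        print("permitted by dACL but not excluded from redirect:", ace)
```

Run against the two ACLs from the post, the check reports a single entry, `permit ip any host 10.22.40.1`, for which the REDIRECT ACL has no matching deny; whether that host must be reachable without redirect during posture is a design question to confirm, not a diagnosis of the agent timeout. The same parser can be pointed at a `show ip access-lists` capture once the `eq` keywords it uses are added to `PORT_NAMES`.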
09-05-2018 09:30 AM
Please follow the posture service guide, specifically the troubleshooting section to isolate/identify your issue.
- Krish
09-05-2018 10:42 AM
Why are you using the client provisioning portal to install the posture module/NAC agent? You should be using SCCM or whatever software management tool you use. Using the client provisioning portal to install is going to cause confusion later and potential issues because of the redirect.
09-05-2018 11:03 PM
Hello Paul.
Thanks for your reply.
We're doing a proof of concept, so we are checking all the features and what works for our company.
For now we want to use the provisioning portal, but for later production use we want to do it via SCCM.
Also, our thin clients are not domain joined.
That is why we want to use the portal.