Solved: Problems with Nac Download and checking

jtimmer1 · ‎09-05-2018

Hello,

We're deploying ISE, and i am busy with deploying a portal that Domain users can install they own NAC client.

however, we are facing issues with that.

When i am using a ise configured laptop, they cannot access the ISE Server by hostname.

When i using a non ise configured laptop, i can access the Server. and download the NAC agent. After installation the NAC agent get's an timeout and stops.

Also when the agent is installed, they will try to install it again.

See below for the switchconfig and the dACL

DACL:

permit udp any any eq 53
permit tcp any any eq 53
permit udp any eq bootpc any eq bootps
permit tcp any host 10.23.14.12 eq 8443
permit tcp any host 10.23.14.12 eq 8905
permit udp any host 10.23.14.12 eq 8905
permit tcp any host 10.23.14.12 eq 8906
permit udp any host 10.23.14.12 eq 8906
permit tcp any host 10.23.14.12 eq 8909
permit udp any host 10.23.14.12 eq 8909
permit ip any host 10.23.14.12
permit ip any host 10.22.40.1
deny ip any any

SWITCHCONFIG

aaa group server radius ISE
server name ISE
!
aaa authentication login default group nps-radius local
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE

aaa server radius dynamic-author
client 10.23.14.12 server-key

dot1x system-auth-control

interface FastEthernet0/1
switchport mode access
switchport voice vlan 319
ip access-group permitany in
authentication host-mode multi-domain
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

interface Vlan113
ip address 10.22.2.240 255.255.255.0

ip default-gateway 10.22.2.1
ip http server
ip http secure-server
ip http secure-active-session-modules none
ip http active-session-modules none

ip access-list extended REDIRECT
deny   udp any any eq domain
deny   tcp any any eq domain
deny   udp any eq bootpc any eq bootps
deny   tcp any host 10.23.14.12 eq 8443
deny   tcp any host 10.23.14.12 eq 8905
deny   udp any host 10.23.14.12 eq 8905
deny   udp any host 10.23.14.12 eq 8906
deny   tcp any host 10.23.14.12 eq 8906
deny   tcp any host 10.23.14.12 eq 8909
deny   udp any host 10.23.14.12 eq 8909
deny   ip any host 10.23.14.12
permit ip any any
ip access-list extended permitany
permit ip any any

ip radius source-interface Vlan113
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server ISE
address ipv4 10.23.14.12 auth-port 1812 acct-port 1813
key

kvenkata1 · ‎09-05-2018

Please follow the posture service guide, specifically the troubleshooting section to isolate/identify your issue.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

- Krish

View solution in original post

kvenkata1 · ‎09-05-2018

Please follow the posture service guide, specifically the troubleshooting section to isolate/identify your issue.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

- Krish

paul · ‎09-05-2018

Why are you using the client provisioning portal to install the posture module/NAC agent? You should be using SCCM or whatever software management tool you use. Using the client provisioning portal to install is going to cause confusion later and potential issues because of the redirect.

jtimmer1 · ‎09-05-2018

Hallo Paul.

Thanks for your reply.

We've doing a Proof of concept. So we checking all the features en what works for our company.

For now we want to do the provisioning portal. But for later production use. W e want to do it by sccm.

Also our thin clients are not domain joined.

That is why we want to use the portal.