cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8937
Views
4
Helpful
41
Replies

Ask the Expert: BYOD with Identity Services Engine

ciscomoderator
Community Manager
Community Manager

Read the biowith Cisco Expert Bernardo Gaspar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Identity Services Engine (ISE) and its various usage scenarios and integrations such as BYOD, Active Directory, profiling, posture and radius authentication with Cisco subject matter expert Bernardo Gaspar.

Bernardo Gaspar is Customer Support Engineer at the Technical Assistance Center at Cisco Europe especialized in wireless and authentication, authorization, and accounting (AAA). He has been troubleshooting wireless networks, wireless management tools, and security products, including Cisco Secure Access Control Server, NAC and Identity Services Engine as part of the escalation TAC team since 2007. He also focuses on filing technical and documentation bugs. Bernardo Gaspar holds a degree from the University of Porto.

Remember to use the rating system to let Bernardo know if you have received an adequate response.

Bernardo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community, AAA, Identity and NAC discussion forum shortly after the event.

This event last through Friday July 12, 2013. Visit the community often to view responses to youe questions of other community members.

41 Replies 41

Octavian Szolga
Level 4
Level 4

Hello Bernardo,

Can you please detail how can one configure posture for remote access users using iPEP and an ASA that is providing RA VPN services, internet connectivity for internal users and resource publishing by using DMZ?

I'm asking this in the context in which the ASA has to send the traffic from RA VPN pool to inside network and only this traffic by the means of iPEP, and ASA does not support Policy Based Routing so that the routing decision to be made using the source IP address.

Any thoughts/ideas? Is there any Cisco tehnical support team /portal for cases like this one?

I've also wrote a fairly long post about this problem, but nobody had the pleasure or willing to answer.

(https://supportforums.cisco.com/thread/2224538)

Hello Octavian,

If I understand correctly, your main challenge is how to separate in ASA the traffic that needs to be sent directly from the traffic that needs to flow through IPEP.

For this, I'd suggest to post your question in an ASA forum. The ASA is out of my area of expertise, I don't know if this is possible to achieve.

Thank you and best regards,

Bernardo

radu.ioncu
Level 1
Level 1

Hello Bernardo,

I am having issues with the Cisco NAC Agent popping up in my current ISE deployment. ISE version is 1.1.3 patch 2, and the deployed NAC agent version is 4.9.0.51.

The Cisco NAC agent has no problem popping - no preconfigured XML file - up with PC's connected via both Wi-Fi (WLC 4400) and wired (CAT4500 15.0.2 - SGA6) on VLANs with DHCP turned on. When I connect the PC - wired - to a VLAN with no DHCP server configured and with a static IP address, the NAC Agent does not pop up, and the PC is stuck in the Posture_Discovery_AuthZ phase.

This happens on the same switch, on the same port with the same configuration - the only difference being the VLAN swap (works with DHCP VLAN, doesn't work with STATIC IP VLAN).

Are there any known caveats for NAC Agent popping up with PC's with Static IP's set?

Thanks!

Hello Radu,

I'm not aware of any caveats for NAC Agent with static IP address.

When the Agent starts, it tries to discover the policy node like like this:

1. HTTP discovery probe on port 80 to discovery host, if one is configured.

2. HTTPS discovery probe on port 8905 to the discovery host, if one is configured.

3. HTTP discovery probe on port 80 to default gateway.

4. HTTPS reconnect probe on 8905 to previously contacted ISE policy node.

5. Repeat from 1.

As you don't have a discovery host configured, the first 2 steps are skipped. Then, the Agent should send the HTTP discovery probe on port 80 to the default gateway. This request should be redirected by the switch, with the redirect URL it receives from ISE.

I suggest checking:

  - client default gateway configuration

  - that the switch interface is getting the redirect URL

  - that the ACL redirects the HTTP traffic towards the ISE

Thank you and best regards,

Bernardo

Hello Bernardo

1) What would you say it's the best practice to configure the "discovery host" in a distributed deployment. Will it be to put the ip addresses of every ISE PSNs in the "discovery host field" ? or leaving this field empty ?

2) Is it possible to trigger the NAC agent immediately after computer authentication ? currently the NAC agent triggers only after user authentication, and for some endpoints it will take up to a minute for the NAC agent to pop-up, that's very annoying for the user.

Best regards

Hello Eduardo,

1) What would you say it's the best practice to configure the "discovery host" in a distributed deployment. Will it be to put the ip addresses of every ISE PSNs in the "discovery host field" ? or leaving this field empty ?

It depends. If you're talking about 802.1x you normally don't need to configure a discovery host. As part of the discovery process, the Agent will send a HTTP packet to its gateway.

If the redirection is properly configured and applied on the port, this request is redirected to the policy server which replies and initiates the posture assessment.

For VPN users with IPEP you need to enter only one discovery host. The recommendation is to NOT use ISE as a discovery host. Rather, it should be an IP/hostname that would trigger a redirection to the active policy node.

2) Is it possible to trigger the NAC agent immediately after computer authentication ? currently the NAC agent triggers only after user authentication, and for some endpoints it will take up to a minute for the NAC agent to pop-up, that's very annoying for the user.

Not that I know of.

Thank you and best regards,

Bernardo

Hi Bernardo,

Thank you for the quick reply. After your answer, we realized that the issue wasn't related to DHCP, it was most likely a PC issue.

During the NAC Agent implementation, I have observed several cases of the NAC Agent not popping up, even though network configuration is OK (I always test with no Discovery Host configuration enabled - or I delete the .xml file). I have not been able to pinpoint the exact cause, though sometimes the NAC Agent does pop up if I restart PC's with the Ethernet cable connected.

We have also seen problems with users going from Wired to Wi-Fi and ending up stuck in Posture_Discovery phase. Do you have any insight into this issue, and why it seems to happen on a random basis? Would a NAC Agent update help with this issue? (currently running 4.9.0.51).

Thank you!

Hi Radu,

This would require analysis of the logs, I'd suggest opening a TAC case if the issue is persisting.

Thank you,

Bernardo

jcarrabine1
Level 1
Level 1

Hi Bernardo

I have two questions regarding my ISE implementaion

1) VLAN's won't move for wired VLAN's. Is ISE capable of doing this? If so what would cause them not to move. Wireless works fine.

2) I have a distributed deployment. The ISE primary admin and policy services node sit in one building on one network, and the secondary admin and policy services nodes sit in another building on a different network. I have a third building that I want to manage via ISE that is on a third network. What do I need to configure on the core in thier building to make their traffic direct to ISE. I already have ip helper-address configured for all VLAN's is there anything else?

Hello jcarrabine

ISE can change VLANs. You have to create the auhorization condition , the authorization profile, and then tie those elements in a single authorization rule.

About distributed deployment, the ip helper-address is useful when sending DHCP information to ISE in order to do profiling. If you want to do only authentication there's no need to redirect the user traffic to ISE. If you want to do posture then you need a redirect access-list in order to use the posture captive portal.

Please rate if this is helpful

Interesting. The method you described for moving the wired VLAN's is how I'm doing it for wired and wireless, but it's only working for the wireless VLAN's. I wonder if there is an IOS issue? Hmmm

Hi,

You could check the ISE compatability matrix to see if you have the required IOS:

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html

Nope. that's not it. Running 12.2(33)SXI11

Hello jcarrabine,

Indeed it's possible to assign vlans with radius attributes. Are clients hitting the correct authorization profile?

Is authorization configured on the switch? It must have 'aaa authorization network' configured, otherwise radius attributes for 802.1x authentications aren't processed.

Does the vlan exist on the switch? What hostmode do you have configured on the interface?

Thank you and best regards,

Bernardo

I think it's the aaa authorization network command. I forgot that I had removed that command because when I put it in the switch it removed aaa authorization TACACS+ local so I wanted to research what kind of impact that would have on the network without the aaa authorization TACACS+ local. We do still use ACS for TACACS.

Thank you,

Jeff

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: