Participant

Re: Ask the Expert: BYOD with Identity Services Engine

Hello Bernardo,

Can you please detail how can one configure posture for remote access users using iPEP and an ASA that is providing RA VPN services, internet connectivity for internal users and resource publishing by using DMZ?

I'm asking this in the context in which the ASA has to send the traffic from RA VPN pool to inside network and only this traffic by the means of iPEP, and ASA does not support Policy Based Routing so that the routing decision to be made using the source IP address.

Any thoughts/ideas? Is there any Cisco technical support team/portal for cases like this one?

I've also written a fairly long post about this problem, but nobody had the pleasure or the willingness to answer.

(https://supportforums.cisco.com/thread/2224538)

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Octavian,

If I understand correctly, your main challenge is how to separate in ASA the traffic that needs to be sent directly from the traffic that needs to flow through IPEP.

For this, I'd suggest posting your question in an ASA forum. The ASA is out of my area of expertise; I don't know if this is possible to achieve.

Thank you and best regards,

Bernardo

Beginner

Ask the Expert: BYOD with Identity Services Engine

Hello Bernardo,

I am having issues with the Cisco NAC Agent popping up in my current ISE deployment. ISE version is 1.1.3 patch 2, and the deployed NAC agent version is 4.9.0.51.

The Cisco NAC agent has no problem popping - no preconfigured XML file - up with PC's connected via both Wi-Fi (WLC 4400) and wired (CAT4500 15.0.2 - SGA6) on VLANs with DHCP turned on. When I connect the PC - wired - to a VLAN with no DHCP server configured and with a static IP address, the NAC Agent does not pop up, and the PC is stuck in the Posture_Discovery_AuthZ phase.

This happens on the same switch, on the same port with the same configuration - the only difference being the VLAN swap (works with DHCP VLAN, doesn't work with STATIC IP VLAN).

Are there any known caveats for NAC Agent popping up with PC's with Static IP's set?

Thanks!

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Radu,

I'm not aware of any caveats for NAC Agent with static IP address.

When the Agent starts, it tries to discover the policy node like this:

1. HTTP discovery probe on port 80 to discovery host, if one is configured.

2. HTTPS discovery probe on port 8905 to the discovery host, if one is configured.

3. HTTP discovery probe on port 80 to default gateway.

4. HTTPS reconnect probe on 8905 to previously contacted ISE policy node.

5. Repeat from 1.

As you don't have a discovery host configured, the first 2 steps are skipped. Then, the Agent should send the HTTP discovery probe on port 80 to the default gateway. This request should be redirected by the switch, with the redirect URL it receives from ISE.

I suggest checking:

  - client default gateway configuration

  - that the switch interface is getting the redirect URL

  - that the ACL redirects the HTTP traffic towards the ISE

Thank you and best regards,

Bernardo

Enthusiast

Ask the Expert: BYOD with Identity Services Engine

Hello Bernardo

1) What would you say is the best practice to configure the "discovery host" in a distributed deployment? Will it be to put the IP addresses of every ISE PSN in the "discovery host" field, or leaving this field empty?

2) Is it possible to trigger the NAC agent immediately after computer authentication? Currently the NAC agent triggers only after user authentication, and for some endpoints it will take up to a minute for the NAC agent to pop up, which is very annoying for the user.

Best regards

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello Eduardo,

1) What would you say is the best practice to configure the "discovery host" in a distributed deployment? Will it be to put the IP addresses of every ISE PSN in the "discovery host" field, or leaving this field empty?

It depends. If you're talking about 802.1x you normally don't need to configure a discovery host. As part of the discovery process, the Agent will send an HTTP packet to its gateway.

If the redirection is properly configured and applied on the port, this request is redirected to the policy server which replies and initiates the posture assessment.

For VPN users with IPEP you need to enter only one discovery host. The recommendation is to NOT use ISE as a discovery host. Rather, it should be an IP/hostname that would trigger a redirection to the active policy node.

2) Is it possible to trigger the NAC agent immediately after computer authentication? Currently the NAC agent triggers only after user authentication, and for some endpoints it will take up to a minute for the NAC agent to pop up, which is very annoying for the user.

Not that I know of.

Thank you and best regards,

Bernardo

Beginner

Ask the Expert: BYOD with Identity Services Engine

Hi Bernardo,

Thank you for the quick reply. After your answer, we realized that the issue wasn't related to DHCP, it was most likely a PC issue.

During the NAC Agent implementation, I have observed several cases of the NAC Agent not popping up, even though network configuration is OK (I always test with no Discovery Host configuration enabled - or I delete the .xml file). I have not been able to pinpoint the exact cause, though sometimes the NAC Agent does pop up if I restart PC's with the Ethernet cable connected.

We have also seen problems with users going from Wired to Wi-Fi and ending up stuck in Posture_Discovery phase. Do you have any insight into this issue, and why it seems to happen on a random basis? Would a NAC Agent update help with this issue? (currently running 4.9.0.51).

Thank you!

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hi Radu,

This would require analysis of the logs, I'd suggest opening a TAC case if the issue is persisting.

Thank you,

Bernardo

Beginner

Ask the Expert: BYOD with Identity Services Engine

Hi Bernardo

I have two questions regarding my ISE implementation.

1) VLANs won't move for wired VLANs. Is ISE capable of doing this? If so, what would cause them not to move? Wireless works fine.

2) I have a distributed deployment. The ISE primary admin and policy services node sit in one building on one network, and the secondary admin and policy services nodes sit in another building on a different network. I have a third building that I want to manage via ISE that is on a third network. What do I need to configure on the core in their building to make their traffic direct to ISE? I already have ip helper-address configured for all VLANs; is there anything else?

Enthusiast

Ask the Expert: BYOD with Identity Services Engine

Hello jcarrabine

ISE can change VLANs. You have to create the authorization condition, the authorization profile, and then tie those elements in a single authorization rule.

About distributed deployment, the ip helper-address is useful when sending DHCP information to ISE in order to do profiling. If you want to do only authentication there's no need to redirect the user traffic to ISE. If you want to do posture then you need a redirect access-list in order to use the posture captive portal.

Please rate if this is helpful

Beginner

Re: Ask the Expert: BYOD with Identity Services Engine

Interesting. The method you described for moving the wired VLANs is how I'm doing it for wired and wireless, but it's only working for the wireless VLANs. I wonder if there is an IOS issue? Hmmm

Beginner

Re: Ask the Expert: BYOD with Identity Services Engine

Hi,

You could check the ISE compatibility matrix to see if you have the required IOS:

http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html

Beginner

Re: Ask the Expert: BYOD with Identity Services Engine

Nope, that's not it. Running 12.2(33)SXI11

Cisco Employee

Ask the Expert: BYOD with Identity Services Engine

Hello jcarrabine,

Indeed it's possible to assign VLANs with RADIUS attributes. Are clients hitting the correct authorization profile?

Is authorization configured on the switch? It must have 'aaa authorization network' configured; otherwise RADIUS attributes for 802.1x authentications aren't processed.

Does the VLAN exist on the switch? What host mode do you have configured on the interface?

Thank you and best regards,

Bernardo

Beginner

Ask the Expert: BYOD with Identity Services Engine

I think it's the aaa authorization network command. I forgot that I had removed that command because when I put it in the switch it removed aaa authorization TACACS+ local so I wanted to research what kind of impact that would have on the network without the aaa authorization TACACS+ local. We do still use ACS for TACACS.

Thank you,

Jeff
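As an added illustration of Bernardo's point about 'aaa authorization network' (this is example configuration, not taken from the thread or from any poster's switch), the following is a minimal IOS access-switch configuration for 802.1X with ISE-assigned VLANs. The RADIUS server address, shared key, VLAN numbers and interface are constructed placeholders, and the separate exec method list for TACACS+ device administration is shown only as an assumption of how the two can coexist.

```text
! Added example, not from the thread. Placeholders: ISE PSN 10.0.0.10, key ISE-RADIUS-KEY
aaa new-model
! 802.1X authentication against RADIUS (ISE)
aaa authentication dot1x default group radius
! Without this line the switch does not apply RADIUS authorization attributes,
! e.g. Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<vlan>
! from the ISE authorization profile, so the port never changes VLAN
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Device-administration (exec) authorization is a separate method list; it can
! remain on TACACS+ (ACS) with local fallback (assumption for this example)
aaa authorization exec default group tacacs+ local
!
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key ISE-RADIUS-KEY
! Required so the switch sends/accepts Cisco VSAs (redirect URL and ACL for posture, dACLs)
radius-server vsa send authentication
!
! Enable 802.1X globally
dot1x system-auth-control
!
! Every VLAN named in an ISE authorization profile must exist on the switch
vlan 100
 name EMPLOYEES
vlan 200
 name QUARANTINE
!
interface GigabitEthernet1/0/1
 switchport mode access
 ! pre-authentication VLAN placeholder; ISE moves the port to 100 or 200
 switchport access vlan 999
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
```

After a client authenticates, 'show authentication sessions interface GigabitEthernet1/0/1' shows the session state and the VLAN the switch actually applied, which is the quickest way to tell whether the attribute was received and processed.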