ISE with NAC agent pop-up and Posture waiting

pemasirid
Level 1

Hi,

I have ISE running version 1.1.1.268. We limited access to certain services before authentication with ACL-DEFAULT (given below), as per the TrustSec design guide.

Now the issue is that when ACL-DEFAULT is on the port, the NAC agent does not pop up and does not start the posture part; it just says "waiting for posture validation". When ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.

However, we do not want users to get access to the network before authorization, and that is the reason we use ACL-DEFAULT.

Can someone please advise me how to achieve both of the above? Why does the NAC agent not pop up and do the posture when ACL-DEFAULT is on the switch port?

Here is what I have configured in ACL-DEFAULT (the ISE addresses are masked; the "ISE-Pri" / "ISE-Sec" notes are moved into remark lines, since IOS does not accept trailing text on a permit entry):

ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 389
 permit tcp any any eq 135
 permit tcp any any eq 445
 permit udp any any eq 445
 permit tcp any any range 135 139
 permit tcp any any eq 389
 permit tcp any any eq 3268
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 remark ISE-Pri
 permit tcp any host 172.xx.xx.xx eq 8443
 remark ISE-Sec
 permit tcp any host 172.xx.xx.xx eq 8443
 remark Drop all the rest
 deny ip any any log

I would appreciate it if someone could give a solid resolution and explanation for this.


Saurav Lodh
Level 7

Please check that the necessary TCP ports, 80 and 8905, are open for web NAC agent installation and update. The document below lists the ports.

http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_app_e-ports.html

Hi Saurav,

We have already allowed those ports with another ACL (ACL-POSTURE-REDIRECT). Our issue is not with the web NAC agent.

The issue is with the NAC agent installed on corporate PCs connecting via a wired port. With ACL-DEFAULT it does not pop up and does not do the posturing; however, once we removed ACL-DEFAULT from the access port, everything worked fine.

Since we do not want any user to access unwanted services before authorization, we add this ACL on the access port, and as per the TrustSec design this has to be there if you want to run ISE in closed mode.

Thanks