ISE 1.1.1 Windows NAC client posture checking loop

Answered Question
Jul 18th, 2012

Hi all,

Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host as compliant and granting full network access, however about 5 seconds later it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again and 5 seconds later scans again. This behaviour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1.

All logs indicate successful compliance and no errors in terms of compliance. Any ideas would be appreciated.

Stephen McBride Wed, 07/18/2012 - 20:55

I have tried with and without a PRA. Exact same issue. I have also tried the older NAC client, newer NAC client, different posture requirements all with the exact same looping result.

Stephen McBride Mon, 07/30/2012 - 20:48

OK, as an update: this problem still exists for me. I have installed the previous 1.1 and run up the identical configuration in terms of authentication, authorisation, profiling, posturing and provisioning. The results are that my configuration works perfectly fine on 1.1, but with the same config on 1.1.1 posturing is severely broken. As described, no matter what I do the NAC process completes, deems the client compliant, then proceeds to check compliance again.

Tarik Admani Mon, 07/30/2012 - 20:56

Your best bet is to open a TAC case to see what could be wrong with the policies and why the clients keep being re-postured. Also, if you don't mind, can you post the following debugs from the switch: "debug radius authentication". I am curious to see if there is a "session-timeout" attribute being set which is causing the switch to bounce the connection.

Also please send the running configuration of your port too.


Thanks,


Tarik Admani
*Please rate helpful posts*

Stephen McBride Mon, 07/30/2012 - 21:57

Heh, I probably should have mentioned that this is over wireless using EAP-TLS or PEAP. I also have CWA running for guests. Please also note that I have two ISE deployments side by side running the exact same policies - 1.1 works fine 1.1.1 does not. I am in contact with Cisco at present and am trying to arrange some assistance.

Tarik Admani Mon, 07/30/2012 - 22:30

Sounds good. Are you running them through the same controller using different SSIDs, or are you using different controllers? Just out of curiosity, can you send me the client information for a user that just passes posture? Also, are you on the latest code for the WLC? And have you had a chance to run a tcpdump from the ISE monitoring tool on both ISE nodes in order to compare the RADIUS traffic between them?


Thanks,


Tarik Admani
*Please rate helpful posts*

Stephen McBride Mon, 07/30/2012 - 22:35

What output are you looking for with a user that passes - just the standard live auth output? Essentially all the users pass posture and authentication but instantly reinitiate posture discovery upon being granted full network access. I am on the latest 7.2.110 code for my 5508. Furthermore my deployment is standalone, not distributed, due to the demonstration nature of the implementation. I am running a single SSID for EAP-TLS and PEAP using CoA to shift VLANs and dACLs upon successful posture discovery/remediation.

Tarik Admani Mon, 07/30/2012 - 22:39

I wanted to see the RADIUS Access-Accept message that is sent from the running 1.1 vs the message that is sent from 1.1.1. In the Access-Accept packet I am interested to see if there is a change in the session-timeout attribute. I am also curious to see if there is a CoA message being sent from the ISE 1.1.1 immediately after posture. There has to be some difference in the RADIUS dialogue for this to occur, and this will help point a finger as to where the bug lies.


Tarik Admani
*Please rate helpful posts*
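A small decoder for the comparison Tarik describes, added here as an example and not code from the thread or from Cisco: it parses a raw RADIUS Access-Accept (as exported from the ISE tcpdump), pulls out Session-Timeout, Termination-Action and the cisco-av-pair VSAs, and flags the two things in that packet that would send a compliant client back into posture. Attribute numbers are from RFC 2865 and Cisco's vendor ID 9; the sample packet and its av-pair value are constructed for the demonstration, not taken from a real capture.

```python
import struct

# RFC 2865 attribute numbers; Cisco's enterprise number is 9 and VSA sub-type 1
# is cisco-av-pair, which carries the dACL and url-redirect values ISE returns.
SESSION_TIMEOUT, TERMINATION_ACTION, VENDOR_SPECIFIC = 27, 29, 26
CISCO_VENDOR_ID, CISCO_AV_PAIR, ACCESS_ACCEPT = 9, 1, 2

def parse_radius(packet):
    """Return (code, identifier, [(type, raw_value), ...]) for one RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20                 # 4-byte header + 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def cisco_av_pairs(attrs):
    """Collect cisco-av-pair strings from Cisco Vendor-Specific (26) attributes."""
    pairs = []
    for atype, val in attrs:
        if atype != VENDOR_SPECIFIC or val[:4] != struct.pack("!I", CISCO_VENDOR_ID):
            continue
        sub = val[4:]                   # sequence of (sub-type, length, value)
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == CISCO_AV_PAIR:
                pairs.append(sub[2:sub[1]].decode("ascii", "replace"))
            sub = sub[sub[1]:]
    return pairs

def loop_indicators(packet):
    """Why the Access-Accept sent after CoA would push the client back into posture."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return ["not an Access-Accept (code %d)" % code]
    ints = {t: struct.unpack("!I", v)[0] for t, v in attrs if len(v) == 4}  # integer attrs
    reasons = []
    if any(p.startswith("url-redirect") for p in cisco_av_pairs(attrs)):
        reasons.append("url-redirect av-pair still present: non-compliant rule matched")
    if ints.get(SESSION_TIMEOUT, 10**9) <= 60 and ints.get(TERMINATION_ACTION) == 1:
        reasons.append("Session-Timeout=%ds with Termination-Action=RADIUS-Request" % ints[SESSION_TIMEOUT])
    return reasons

# Constructed sample, not from the thread's capture: Access-Accept (code 2) with
# Session-Timeout=5, Termination-Action=RADIUS-Request (1) and a posture redirect.
def _attr(t, v): return bytes([t, len(v) + 2]) + v
_body = (_attr(SESSION_TIMEOUT, struct.pack("!I", 5)) + _attr(TERMINATION_ACTION, struct.pack("!I", 1))
         + _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID)
                 + _attr(CISCO_AV_PAIR, b"url-redirect-acl=POSTURE-REDIRECT")))
SAMPLE_ACCEPT = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(_body)) + bytes(16) + _body
```

Run `loop_indicators()` over the Access-Accept that follows the CoA in both captures; an empty list from the working 1.1 node and a non-empty one from 1.1.1 localises the difference to the authorization result rather than the posture verdict.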

Stephen McBride Mon, 07/30/2012 - 22:55

Sorry, not entirely sure what exact dump to provide and where to retrieve it from - as you know there are a tonne of logs associated with the process.

Tarik Admani Mon, 07/30/2012 - 22:58

Sure, no problem. ISE has a built-in tcpdump utility in the GUI; once you get done reproducing the issue you can stop the capture (using raw ....format), then download it and open it in Wireshark. Please post the results from both boxes after you reproduce the issue on both the working 1.1 and the not working 1.1.1. Also you can enter the filter at the bottom as 'ip host x.x.x.x', where x.x.x.x is the IP address the WLC uses to source the RADIUS requests.


http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_mnt.html#wp1240485



Tarik Admani
*Please rate helpful posts*

Stephen McBride Tue, 07/31/2012 - 21:56

Please find attached.

The difference I can see is the Access-Accept after the CoA (line 46 for Fail, line 20 for Success). The live authentication log confirms that the host is compliant in both tests and the NAC client indicates it is refreshing the IP address on CoA. It is almost as if the 1.1.1 ISE does not match on the correct authorization after the CoA. When looking at these logs bear in mind that the configurations are identical.

Tarik Admani Tue, 07/31/2012 - 22:18

Stephen,


I see that also and that is what I wanted to confirm in the packet capture. I wanted to know a few things:


  • On the 1.1.1 unit, has it been updated from the perfigo servers? (I assume it has if you are able to deploy the agent and perform the checks, but figured I would ask anyway.)
  • Since the status is set to compliant, can you compare the two posture reports? (When you click on compliant it should take you to the posture report.)
  • The authorization policy that you have configured for compliant machines: can you please remove it and then re-add it and see if that fixes the issue?


Here is the reference for the following:


Having the ise node perform the updates - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1093078


Here is where you can pull the posture report from both machines - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1919498


Hope this helps!


Tarik Admani
*Please rate helpful posts*

Stephen McBride Tue, 07/31/2012 - 22:35
  • Not sure what the perfigo servers are, however it was able to download all of the resources required for this configuration. 1.1.1 is currently configured with the following: https://www.cisco.com/web/secure/pmbu/provisioning-update.xml
  • The two posture reports are identical and compliant. My basic check for file and AV installation was successful.
  • I have deleted the policy and re-added it with no change whatsoever.

I will also clarify that my deployments are standalone, but this should not matter. Another observation I can add is that on 1.1.1, when the posture process appears to be successful and the CoA is apparently occurring, the NAC agent displays the text that the window will close in 30 seconds or click this box to close. When I click the box the window will not close. I am using the same NAC client on both deployments with the same profile and compliance modules.

Tarik Admani Tue, 07/31/2012 - 22:43

Did you remove the agent from this machine and have the 1.1.1 install the agent? Also, is the compliant rule that you need to match configured properly? How did you set the condition for the redirection? Does the rule specify "NOT compliant" and the permit all rule specify "compliant"?


If that all checks out and still no luck I would try to reload the unit and see if that will straighten things out.


thanks,



Tarik Admani
*Please rate helpful posts*

Stephen McBride Tue, 07/31/2012 - 23:01

Agent has been removed and installed numerous times. The compliance rules work perfectly on 1.1. My compliant rule is matching a certificate subject and equals compliant. My non compliant provisioning rule matches the same certificate and equals not compliant. Put simply, I am very confident in my configuration, having spent the past 5-6 weeks straight working on this product, and the fact that the identical config on 1.1 does not present the issue. Unit has been rebooted many times and has also been rebuilt from scratch on a fresh VM.


Thanks for your assistance and suggestions on this task. I would understand completely if you give up on this one until a patch or new build is released. I am utilising 1.1 as it is more stable than 1.1.1 - but only just.

Tarik Admani Tue, 07/31/2012 - 23:06

Check your private messages.

Stephen McBride Tue, 07/31/2012 - 23:21

PM received and replied to. I have also tested the compliant policy with the equals compliant condition removed - the client matches the policy and connects successfully. It is definitely posture/CoA related.

Eduardo Ferreir... Fri, 08/17/2012 - 12:34

Hi, is that problem solved? I have the same problem, but it only happens with EAP-TLS; the same configuration using PEAP works fine. Any suggestions?

Stephen McBride Sun, 08/19/2012 - 15:39

Last week I tested on a number of machines and had the same issue, yet at the same time other machines would work fine. I have no exact reason for what is wrong with those builds that don't work, but essentially it appears to be an incompatibility. I have many issues related to client provisioning and posture with ISE in general, mainly on mobile devices - for me, deploying posture related services, especially on wireless, is at your own risk.

Eduardo Ferreir... Mon, 08/20/2012 - 12:08

One thing I noticed is that it only happens with EAP-TLS; I changed to PEAP and everything works fine. Can you try to use PEAP on the same machine where NAC loops to see what happens?

Stephen McBride Mon, 08/20/2012 - 20:21

Eduardo,

I have conducted some tests and so far my results match with yours. I am having the loop issue with EAP-TLS only. The way my policies are structured means that both PEAP and EAP-TLS utilise the same Authentication rules but different authorization rules. PEAP works every time while TLS appears to work then loops.

Correct Answer
Eduardo Ferreir... Mon, 08/27/2012 - 16:45

Stephen, take a look at this. It looks like it is really a bug and there's nothing we can do... workaround: choose another authentication method, pathetic..

Let's wait for a patch.

CSCua79768 Bug Details

EAP Chaining + Posture lost Compliant Session:PostureStatus in reauth

Symptom:
NAC Agent appears to continually posture endpoint in a continuous loop

Conditions:
EAP-TLS Machine Authentication + Posture
- OR -
EAP-Chaining + Posture

Workaround:
Use different authentication method.
Stephen McBride Mon, 08/27/2012 - 18:07

Where did you find the bug listing, out of interest? I searched and searched but never found it. Either way it was apparent it was a bug; shame there is no fix for such a critical aspect of this technology. I have a similar looping issue for CWA guest auth on mobile devices that seems totally busted. Same policies work fine for a Windows machine, just not mobiles. Never mind though, thanks a lot for the bug listing.

Eduardo Ferreir... Mon, 08/27/2012 - 18:35

Stephen, you can search the Cisco Bug Toolkit.

One thing I noticed: when you have one authorization policy for those who authenticate machine and user and then get compliant status, if you don't authenticate the machine but authenticate the user and get compliant, the NAC agent loops the same way. I tried to use AnyConnect for 802.1X but there is a long delay for machine authentication; if the user logs off and then logs on, you probably will not have the time to authenticate the machine. Windows supplicant is fine..

Remember please to post if you find a solution for the CWA; I'm not using ISE for wireless, but I don't know about the future..

Hi Steve,

It would appear that I am now experiencing the same issue as yourself...

Security Method: EAP-PEAP(MsChapV2)
Encryption: WPA2
Machine & User Auth (with MAR)
Posture: AV & AS
Agent: 4.9.0.42
ISE 1.1.1
Clients: Windows XP SP3

We found when we set up the appliance and tested using 2 manually configured test laptops all was working fine (machauth > clientauth > preposture > permit access). However, now that the policy has been rolled out through GPO, certain client machines are running infinite posture validations despite coming through on the ISE as compliant.

The clients will connect, machine auth, user auth and then enter posture-remediation. The NAC agent runs, grants full network access and then does this process repeatedly.

Did you have any luck resolving yours or is it still an issue?

Cheers,

Nick

Stephen McBride Mon, 09/03/2012 - 18:39

It is interesting that your issue is occurring on PEAP. My issue revolved purely around EAP-TLS; further up this post there is a Cisco bug pertaining to EAP-TLS and posture loop. My other issue with BYOD CWA, which is similar but different, is also covered under a bug. Without the benefit of your exact configs I am unable to suggest whether it is a bug or a config issue. As stated, however, my issue is solely with EAP-TLS. One test I used a lot with these things was utilising the web agent instead of the NAC agent. Some of my issues were related to the NAC agent software, not so much the ISE itself.

On another note it is worth mentioning that I have overall experienced a fair bit of randomness in both performance and actual functionality. My latest issue was to do with the NAC agent updating the signatures/policy. I have also encountered a number of issues that were related to the host devices, where one would work and another wouldn't. For example I had an issue with CoA VLAN changes where the Windows/Intel native supplicant is unable to release an IP address; I had to use the Cisco agent instead.

Cheers for the response, I must have misread above.

I have also noticed some strange issues whereby certain clients react differently to others. For instance, I've seen a client perform posture having only done machine authentication when it should be both, a client stuck in a posture loop where it runs over and over despite being compliant and full access granted, and lastly I've seen a perfect run whereby the machine auths, the user auths, posture runs and is then compliant prior to full network access.

I'm leaning toward a client machine / XP problem at the moment. Not had to deploy BYOD yet, but we're using the central webauth for 2 WLANs and had good results.

koeppend Fri, 09/07/2012 - 00:08

Hey Stephen

I have exactly the same problem as you. As soon as I upgraded to 1.1.1 the looping started when I was authenticating with EAP-TLS; when I migrated back to PEAP the issue went away.

CISCO: Can we please get an official response from Cisco on this bug? It's kind of a big deal for my current customers running ISE 1.1.0 as they are keen to leverage SCEP for BYOD. Also my new deployments for 1.1.1 are now in jeopardy as the majority of my client base don't want PEAP if they are installing 802.1X. This needs to be actioned ASAP.



Regards

Dale

Tarik Admani Fri, 09/07/2012 - 08:55

Hello,


ISE 1.2 is scheduled to release soon; however, please bring this defect up to your local Cisco account teams and please open TAC cases for these issues. Just like any company, Cisco is metrics driven, so please make sure the case remains open till the defects are resolved. Even though there is a reasonable workaround, I understand that this may frustrate a few of you; just explain to the TAC engineer that this will not work with the current requirements of the ISE deployment for you or your customer's network.


Cisco should be able to release a patch to address this issue.


Thanks,

Tarik Admani
*Please rate helpful posts*

Arafat Bique Tue, 10/16/2012 - 04:18

I really don't understand how Cisco keeps this bug for so long and leaves some clients with no choice.

When will we have a patch for this problem???

Or when will 1.2 come out with a fix?

I really don't understand...

Patrick Ryon Tue, 10/16/2012 - 04:48

I agree.


For what it's worth I did get an update from the agent handling my TAC case telling me that this issue is now supposed to be addressed in version 1.1.2 rather than 1.2. Unfortunately, the 1.1.2 release date is currently the end of November.

jrabinow (Cisco Employee) Tue, 11/06/2012 - 11:52

The 1.1.2 maintenance release is now available and includes a fix for this issue.
