New Member

ISE 1.2.0 - Issue with Posture

Hi Experts,

I installed ISE 1.2.0.899 Patch 3. While testing, we found the below.

1) Authentication Succeeded

2) Redirection to NAC Agent Page is happening

3) NAC Version 4.9.4.3 (latest) is getting downloaded.

4) Status in ISE is shown as 'Pending' and stays the same.

I even tried changing the NAC agent version to 4.9.0.42, but it is stuck in Pending status only.

Is there any solution for this? Do I need to apply a patch or version?

Thanks in advance.

8 REPLIES
Gold

ISE posture dropped via CoA

CSCul66272

Symptom:
The NAC Agent gets stuck in a posture loop. The sequence of events seen for the agent is:
1) An authentication entry is seen for the host and posture is set to pending.
2) A CoA is sent for the host with the posture status matching the globally set default posture status.
3) An authentication is again seen for the host with the posture status set to pending.

Conditions:
ISE 1.2.0.899
An application is installed on the end host that sends an HTTP or HTTPS packet with an unknown user-agent.
Posture is configured and in use.

Last Modified: Jun 9, 2014
Status: Fixed
Severity: 3 Moderate
Product: Cisco Identity Services Engine (ISE) 3300 Series Appliances
Known Affected Releases: 1.2(0.899)
Known Fixed Releases: 1.2(0.907), 1.2(1.198)
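
The sequence in the symptom above (pending authentication, CoA with the default posture status, pending authentication again) can be checked for mechanically per endpoint. The following is an added example, not part of this thread or of Cisco's tooling; the event line format, the function names and the sample data are constructed for illustration and are not real ISE log output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not ISE output):
# timestamp, endpoint MAC, event type, posture status
SAMPLE_EVENTS = """\
2014-06-01T10:00:00 00:11:22:33:44:55 AUTH Pending
2014-06-01T10:00:20 00:11:22:33:44:55 COA NonCompliant
2014-06-01T10:00:25 00:11:22:33:44:55 AUTH Pending
2014-06-01T10:00:45 00:11:22:33:44:55 COA NonCompliant
2014-06-01T10:00:50 00:11:22:33:44:55 AUTH Pending
2014-06-01T10:01:00 66:77:88:99:AA:BB AUTH Pending
2014-06-01T10:01:30 66:77:88:99:AA:BB COA Compliant
2014-06-01T10:01:35 66:77:88:99:AA:BB AUTH Compliant
"""

def parse(text):
    """Yield (timestamp, mac, kind, status) tuples from the assumed line format."""
    for line in text.splitlines():
        if line.strip():
            ts, mac, kind, status = line.split()
            yield datetime.fromisoformat(ts), mac.lower(), kind, status

def find_posture_loops(text, default_status="NonCompliant", min_cycles=2,
                       window=timedelta(minutes=5)):
    """Return {mac: cycles} for endpoints repeating Pending -> CoA -> Pending."""
    state = defaultdict(lambda: "start")  # per-MAC position in the pattern
    cycles = defaultdict(list)            # per-MAC times of completed cycles
    for ts, mac, kind, status in sorted(parse(text)):
        if kind == "AUTH" and status == "Pending":
            if state[mac] == "coa_seen":  # step 3: pending again after the CoA
                cycles[mac].append(ts)
            state[mac] = "pending"        # step 1 (also starts the next cycle)
        elif kind == "COA" and status == default_status and state[mac] == "pending":
            state[mac] = "coa_seen"       # step 2: CoA with the default status
        else:
            state[mac] = "start"          # any other event breaks the pattern
    flagged = {}
    for mac, times in cycles.items():
        # Highest number of completed cycles inside any single time window.
        best = max(sum(1 for t in times if s <= t < s + window) for s in times)
        if best >= min_cycles:
            flagged[mac] = best
    return flagged

if __name__ == "__main__":
    print(find_posture_loops(SAMPLE_EVENTS))
```

An endpoint whose CoA is followed by a non-pending authentication, like the second MAC in the sample, is not flagged.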
New Member

Thank you so much for the response.

Now I am planning to upgrade it to 1.2.1 from 1.2.0.899. Can you please help me with how to upgrade and what the procedure is?

 

Gold

Instructions for Upgrading to Cisco ISE, Release 1.2.1

You can upgrade to Cisco ISE, Release 1.2.1 directly from any of the following releases:

  • Cisco ISE, Release 1.1.0.665 with patch 5 or later
  • Cisco ISE, Release 1.1.1.268 with patch 7 or later
  • Cisco ISE, Release 1.1.2 with patch 10 or later
  • Cisco ISE, Release 1.1.3 with patch 11 or later
  • Cisco ISE, Release 1.1.4 with patch 11 or later
  • Cisco ISE, Release 1.2.0.899 with patch 8 or later

The process for upgrading to Release 1.2.1 is the same as upgrading to Release 1.2. The system reboots twice when you upgrade from Release 1.1.x to 1.2.1 because it involves a 32-bit to 64-bit system upgrade, but only once when you upgrade from Release 1.2.x to 1.2.1 because Release 1.2 is a 64-bit system.

The application upgrade command is enhanced and includes the cleanup, prepare, and proceed options. You can use:

  • Cleanup—To clean a previously prepared upgrade bundle on a node locally. You can use this option if:
    • The application upgrade prepare command was interrupted for some reason
    • The application upgrade prepare command was run with an incorrect upgrade bundle
    • The upgrade failed for some reason
  • Prepare—To download and extract an upgrade bundle locally. You can use this command followed by the application upgrade proceed command.
  • Proceed—To upgrade Cisco ISE using the upgrade bundle you extracted with the prepare option. You can use this option after preparing an upgrade bundle instead of using the application upgrade ise-upgradebundle-1.2-to-1.2.1.xxx.i386.tar.gz remote-repository command.
New Member

Thanks for the response. I upgraded them now.

My doubt is: should AD be integrated with Admin or the PSNs?

New Member

If I'm understanding your question correctly... The PSNs get their database from the admin node. So AD would integrate with the admin node.

New Member

Thank you so much Mr. Michael.

I have integrated with the Primary Admin Node and also the PSN. But I was able to retrieve groups only on Admin. As you say, the PSN gets its DB from Admin, so it won't be a problem, I think :) Thank you....

New Member

Hi Mohan,

I have done the upgrade of ISE to 1.2.1 but I am still facing the same error :(

New Member

A couple of things...

1. On the switch where the PC is plugged in, while it is in pending state, enter the command "clear authentication session interface <x/x>"

Does it then launch the NAC agent?

2. Are your redirect ACLs properly configured?

3. Are DNS and PSN allowed in the preauth and pre-posture ACL?

4. Are you doing machine auth or just user?

5. What switch code are you using?
