08-28-2014 12:27 AM - edited 03-10-2019 09:58 PM
Hi Experts,
I installed ISE 1.2.0.899 Patch 3. While testing, we found the below.
1) Authentication Suceeded
2) Redirection to NAC Agent Page is happening
3) NAC Version 4.9.4.3 (latest) is getting downloaded.
4) Status in ISE is shown as 'Pending' and stays the same.
Even i tried changing the NAC agent version to 4.9.0.42. But stuck in Pending status only.
Is there any solution for this..? do i need to apply patch or version..?
Thanks in advance.
08-28-2014 01:04 AM
Symptom:
The NAC Agent gets suck in a posture loop. The sequence of events seen for the agent is:
1) An authentication entry is seen for the host and posture is set to pending.
2) A CoA is sent for the host with the posture status matching the globally set default posture status.
3) An authentication is again seen for the host with the posture status set to pending.
Conditions:
ISE 1.2.0.899
An application is installed on the end host that sends an HTTP or HTTPS packet with an unknown user-agent.
Posture is configured and in use.
Known Affected Releases: | (1) |
Known Fixed Releases: | (2) |
08-28-2014 02:43 AM
Thank you so much for the response.
Now i am planning to upgrade it to 1.2.1 from 1.2.0.899. Can you please help me how to upgrade and what are the procedure.
08-28-2014 03:43 AM
You can upgrade to Cisco ISE, Release 1.2.1 directly from any of the following releases:
The process for upgrading to Release 1.2.1 is the same as upgrading to Release 1.2. The system reboots twice when you upgrade from Release 1.1.x to 1.2.1 because it involves a 32-bit to 64-bit system upgrade, but only once when you upgrade from Release 1.2.x to 1.2.1 because Release 1.2 is a 64-bit system.
The application upgrade command is enhanced and includes the cleanup, prepare, and proceed options. You can use:
09-08-2014 12:29 AM
Thanks for the Response. I upgraded them now.
My doubt is AD should be integrated with Admin or PSN's ..?
09-08-2014 09:41 AM
if i'm understanding our question correctly... The PSNs get their database from the admin node. So AD would integrate with the admin node.
09-09-2014 03:53 AM
Thank you so much Mr. Michael.
I have integrated with Primary Admin Node and also PSN. But i was able to retrieve groups only on Admin. As you say, PSN gets DB from Admin, it won't be a problem think :) thank you....
10-06-2014 03:39 AM
Hi Mohan,
I have done the upgradation of ISE to the 1.2.1 but still i am facing the same error :(
09-08-2014 09:44 AM
a couple thing...
1. on the switch where the PC is plugged in while it is pending state, enter the command "clear authentication session interface <x/x>"
Does it then launch the NAC agent?
2. Are your redirect ACLs properly configured?
3. Is DNS and PSN allowed in the preauth and pre-posture ACL?
4. are you doing machine auth or just user?
5. what switch code are you using?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: