
ISE 1.2.0 - Issue with Posture

Prasan Venky
Level 3

Hi Experts,

I installed ISE 1.2.0.899 Patch 3. While testing, we found the below.

1) Authentication Succeeded

2) Redirection to NAC Agent Page is happening

3) NAC Version 4.9.4.3 (latest) is getting downloaded.

4) Status in ISE is shown as 'Pending' and stays the same.

I even tried changing the NAC agent version to 4.9.0.42, but it is stuck in Pending status only.

Is there any solution for this? Do I need to apply a patch or version?

Thanks in advance.

8 Replies

mohanak
Cisco Employee
CSCul66272

Symptom:
The NAC Agent gets stuck in a posture loop. The sequence of events seen for the agent is:
1) An authentication entry is seen for the host and posture is set to pending.
2) A CoA is sent for the host with the posture status matching the globally set default posture status.
3) An authentication is again seen for the host with the posture status set to pending.

Conditions:
ISE 1.2.0.899
An application is installed on the end host that sends an HTTP or HTTPS packet with an unknown user-agent.
Posture is configured and in use.

Last Modified: Jun 9, 2014
Status: Fixed
Severity: 3 Moderate
Product: Cisco Identity Services Engine (ISE) 3300 Series Appliances
Known Affected Releases (1): 1.2(0.899)
Known Fixed Releases (2): 1.2(0.907), 1.2(1.198)
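
Added example, not part of the reply above or of Cisco's bug record: a small Python check that flags endpoints repeating the Pending, CoA, Pending sequence described in the symptom. The event tuple layout, the MAC addresses and the status strings are constructed for illustration and are not ISE's own log format.

```python
from collections import defaultdict

# Constructed sample events in a simplified, hypothetical layout (not ISE's
# own log format): (seconds, endpoint MAC, event type, posture status).
SAMPLE_EVENTS = [
    (0,  "00:11:22:33:44:55", "auth", "Pending"),
    (5,  "00:11:22:33:44:55", "coa",  "NonCompliant"),
    (7,  "00:11:22:33:44:55", "auth", "Pending"),
    (12, "00:11:22:33:44:55", "coa",  "NonCompliant"),
    (14, "00:11:22:33:44:55", "auth", "Pending"),
    (3,  "66:77:88:99:aa:bb", "auth", "Pending"),      # healthy endpoint
    (20, "66:77:88:99:aa:bb", "coa",  "Compliant"),
    (22, "66:77:88:99:aa:bb", "auth", "Compliant"),
    (1,  "cc:dd:ee:ff:00:11", "auth", "Pending"),      # single event, no loop
]


def find_posture_loops(events, default_status, min_cycles=2, window=300):
    """Return {mac: cycles} for endpoints that repeat the sequence
    auth(Pending) -> CoA(default posture status) -> auth(Pending)."""
    per_host = defaultdict(list)
    for ts, mac, kind, status in sorted(events):
        per_host[mac.lower()].append((ts, kind, status))

    loops = {}
    for mac, seq in per_host.items():
        cycle_times = []
        # Slide over consecutive triples of events for this endpoint.
        for (_, k0, s0), (_, k1, s1), (t2, k2, s2) in zip(seq, seq[1:], seq[2:]):
            if ((k0, s0) == ("auth", "Pending")
                    and k1 == "coa" and s1 == default_status
                    and (k2, s2) == ("auth", "Pending")):
                cycle_times.append(t2)
        # Keep only cycles within `window` seconds of the most recent one.
        recent = [t for t in cycle_times if cycle_times[-1] - t <= window]
        if len(recent) >= min_cycles:
            loops[mac] = len(recent)
    return loops


if __name__ == "__main__":
    # "NonCompliant" stands in for the globally set default posture status.
    for mac, cycles in find_posture_loops(SAMPLE_EVENTS, "NonCompliant").items():
        print(f"{mac}: {cycles} Pending/CoA/Pending cycles")
```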

 

Thank you so much for the response.

Now I am planning to upgrade it to 1.2.1 from 1.2.0.899. Can you please help me with how to upgrade and what the procedure is?

 

Instructions for Upgrading to Cisco ISE, Release 1.2.1

You can upgrade to Cisco ISE, Release 1.2.1 directly from any of the following releases:

  • Cisco ISE, Release 1.1.0.665 with patch 5 or later
  • Cisco ISE, Release 1.1.1.268 with patch 7 or later
  • Cisco ISE, Release 1.1.2 with patch 10 or later
  • Cisco ISE, Release 1.1.3 with patch 11 or later
  • Cisco ISE, Release 1.1.4 with patch 11 or later
  • Cisco ISE, Release 1.2.0.899 with patch 8 or later

The process for upgrading to Release 1.2.1 is the same as upgrading to Release 1.2. The system reboots twice when you upgrade from Release 1.1.x to 1.2.1 because it involves a 32-bit to 64-bit system upgrade, but only once when you upgrade from Release 1.2.x to 1.2.1 because Release 1.2 is a 64-bit system.

The application upgrade command is enhanced and includes the cleanup, prepare, and proceed options. You can use:

  • Cleanup—To clean a previously prepared upgrade bundle on a node locally. You can use this option if:
    • The application upgrade prepare command was interrupted for some reason
    • The application upgrade prepare command was run with an incorrect upgrade bundle
    • The upgrade failed for some reason
  • Prepare—To download and extract an upgrade bundle locally. You can use this command followed by the application upgrade proceed command.
  • Proceed—To upgrade Cisco ISE using the upgrade bundle you extracted with the prepare option. You can use this option after preparing an upgrade bundle instead of using the application upgrade ise-upgradebundle-1.2-to-1.2.1.xxx.i386.tar.gz remote-repository command.

Thanks for the Response. I upgraded them now.

My doubt is: should AD be integrated with Admin or PSNs?

If I'm understanding your question correctly... The PSNs get their database from the admin node. So AD would integrate with the admin node.

Thank you so much Mr. Michael.

I have integrated with the Primary Admin Node and also the PSN. But I was able to retrieve groups only on Admin. As you say, the PSN gets its DB from Admin, so it won't be a problem, I think :) Thank you.

 

Hi Mohan,

I have done the upgrade of ISE to 1.2.1 but I am still facing the same error :(

MMstre
Level 3

A couple of things...

1. On the switch where the PC is plugged in, while it is in the pending state, enter the command "clear authentication session interface <x/x>"

Does it then launch the NAC agent?

2. Are your redirect ACLs properly configured?

3. Are DNS and the PSN allowed in the preauth and pre-posture ACL?

4. Are you doing machine auth or just user?

5. What switch code are you using?
