07-02-2013 12:09 PM - edited 03-10-2019 08:36 PM
Dear All,
I am facing an issue with automatic discovery of the ISE node by the NAC agent (Discovery Host). Our client was using Cisco NAC 3310 appliances, which have been replaced by ISE, and we have upgraded the NAC agent software as well. What is happening now is that whenever the NAC agent starts on a user PC, it shows the IP address of the old NAC manager in the Discovery Host field of the NAC agent, and due to this, posture assessment doesn't complete and the user gets stuck in the remediation state.
As a workaround, I changed the IP address manually in the Discovery Host option of the NAC agent to point to the new ISE node, and then posture assessment gets completed. So kindly advise how I can make this process automatic so that the NAC agent communicates with ISE automatically.
Regards,
Mujeeb
07-02-2013 06:18 PM
Same problem for me too.
I think we can't do it automatically; we may have to do it manually... (I haven't found any solution yet)
I can give you some advice: change the IP address of ISE to the IP address of the previous NAC 3310. With this there is no need to change the discovery host of every NAC agent.
07-02-2013 08:06 PM
Hello,
Please check the following Cisco doc, "NAC Agent Discovery Process for Identity Services Engine (ISE)".
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bec10c.shtml
07-02-2013 08:47 PM
Hi Yanuar,
Actually this is a 2-node ISE setup, so the NAC agent should communicate with the secondary ISE node once the primary fails. The NAC agent is currently showing the IP address of the old NAC manager (not the NAC appliances), so even if I change the IP address of the first ISE node there will be an issue with failover.
Hi Mantej,
Yes, I have gone through this document and I am getting the proper response from ISE using the https syntax mentioned in this document which reflects that redirection ACL and other configuration works fine from switch configuration point of view.
Regards,
Mujeeb
07-02-2013 10:11 PM
Hello, you could remotely deploy the new "configuration.xml" file to all your workstations. Please notice that you can put any address as the discovery host. It's not mandatory to put the ip address of ISE. For example if you don't put anything in the discovery host field then NAC agent will try to send packets to port 80 of the default gateway, and those packets will be redirected to ISE due to the captive portal.
Please rate if this helps.
07-03-2013 12:40 AM
Hi Eduargoaliaga,
Could you please further explain how 'configuration.xml' can be deployed, and do we need to put the IP addresses of both ISE nodes in it?
Also, I tried to remove the IP address from the Discovery Host field of the NAC agent manually and left it blank, then logged off the PC and tried to initiate traffic from the user PC, but no luck. After logging in again it got the same IP address again as Discovery Host. Then I changed the IP address in the Discovery Host field to the primary ISE node and cleared the authentication on the switch port, and soon after this the NAC agent started the posture process and gave full network access to the PC.
Regards,
Mujeeb
07-03-2013 05:59 AM
The correct name is "NACAgentCFG.xml" (not configuration.xml, sorry for the confusion).
Every time your workstation connects to the ISE (or the NAC Manager), the NAC agent downloads the NACAgentCFG.xml from ISE (or the NAC Manager).
This file could be located here "C:\Program Files (x86)\Cisco\Cisco NAC Agent" or here "C:\Program Files\Cisco\Cisco NAC Agent".
You can edit this file and choose the correct discovery host. After saving it you can mass copy this file to all your workstations by using Windows tools like pstools or xcopy.
Please rate if it helps.
07-03-2013 10:33 AM
Hi ,
What should be the syntax for putting 2 nodes into the NACAgentCFG file, as we have high redundancy? I tried entering the IP addresses of both the primary and secondary nodes directly into the Discovery Host field of the NAC agent window, separated with a semicolon. Failover is also working fine with this manual entry.
Regards,
Mujeeb
07-03-2013 08:23 PM
I don't think you can put two IP addresses in the discovery host field.
Also, it's not mandatory to put the IP address of ISE in the discovery host field. According to ISE user guide:
"If the agent is not able to reach the primary Discovery Host address configured in the associated client provisioning policy (after attempting to connect per the number of retries configured in the agent profile), the agent automatically tries the Discovery Host address received from the access switch via URL redirection to successfully connect to the network"
Let's say you have a distributed deployment with ISE-1 and ISE-2 and you configure ISE-1 as your discovery host. If ISE-1 fails then the NAC agent will have to time out and then will get the ISE-2 IP address from the switch (from the URL redirection).
So I think your distributed deployment could work with an "empty" discovery host field, because the NAC agent will learn dynamically from the switch. If the switch says to redirect to ISE-1 then NAC agent will learn dynamically the ip address of ISE-1. If the switch says to redirect to ISE-2 then NAC agent will learn dynamically the ip address of ISE-2.
Please rate if this helps
07-03-2013 08:37 PM
I've been researching and it seems you're right. According to the following post
https://supportforums.cisco.com/message/3691250#3691250
you can put two IP addresses or two FQDN in the discovery host by using a semi-colon to separate them.
However, you also should be OK with an empty discovery host. Sadly, Cisco documentation is not very clear about the behavior of NAC agent. I will try a lab next week to prove the empty discovery host.
Please rate if this helps.
07-04-2013 11:14 AM
Hi,
It has been resolved without manual entry in NAC agent or NACAgentCFG file. Actually the redirection was not working properly for agent so I changed the redirect ACL as follows,
ip access-list ext ACL-AGENT-REDIRECT
#deny udp any any eq 53
#permit tcp any any eq 80
Kindly refer to the following document for the same.
Now the agent is able to find the primary ISE node and posture is working fine.
Regards,
Mujeeb
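How a switch evaluates the redirect ACL in the post above, as an added example that is not part of the original post and is not Cisco code: in a switch URL-redirect ACL, `permit` selects traffic to be redirected to ISE and `deny` lets it through unredirected. The sample packets and the `ACL_WITHOUT_HTTP` variant are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str    # "permit" or "deny"
    proto: str     # "tcp" or "udp"
    dst_port: int  # destination port ("any any" for source/destination hosts)


# ACL-AGENT-REDIRECT with the two entries shown in the post.
ACL_AGENT_REDIRECT = [
    Ace("deny", "udp", 53),    # DNS is never redirected
    Ace("permit", "tcp", 80),  # HTTP is redirected to ISE
]

# Constructed variant (assumption, not from the thread): no tcp/80 permit.
ACL_WITHOUT_HTTP = [Ace("deny", "udp", 53)]

# Constructed sample traffic from a client that has not completed posture.
SAMPLE_PACKETS = [
    ("agent discovery probe to default gateway", "tcp", 80),
    ("DNS lookup", "udp", 53),
    ("HTTPS to an internal server", "tcp", 443),
]


def redirect_decision(acl, proto, dst_port):
    """First matching entry wins; permit means redirect, deny means bypass.

    Traffic that matches no entry hits the implicit deny at the end of the
    ACL and is therefore not redirected.
    """
    for ace in acl:
        if ace.proto == proto and ace.dst_port == dst_port:
            return "redirect" if ace.action == "permit" else "bypass"
    return "bypass"


def evaluate(acl, packets=SAMPLE_PACKETS):
    """Return {packet label: decision} for each sample packet."""
    return {label: redirect_decision(acl, proto, port)
            for label, proto, port in packets}


if __name__ == "__main__":
    for name, acl in (("ACL-AGENT-REDIRECT", ACL_AGENT_REDIRECT),
                      ("ACL without tcp/80 permit", ACL_WITHOUT_HTTP)):
        print(name)
        for label, decision in evaluate(acl).items():
            print(f"  {label:42s} -> {decision}")
```

With the posted ACL the agent's port 80 probe is the only sample packet handed to ISE, which is how an agent with no reachable discovery host learns the policy node from the switch.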
07-06-2013 05:16 PM
This is a good find. I have seen where allowing HTTP access to the ISE nodes before denying all HTTP traffic can be a problem in a distributed setup.
Sent from Cisco Technical Support Android App