NAC agent failing to popup

ZAHI BOU KHALIL
Level 1

Dears,

I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.

When we are working on the first node everything is fine. If I disconnect ISE1 and do my tests on ISE2, the Cisco NAC agent doesn't pop up, unless I uninstall it and reinstall it again from ISE2. Then it will work properly.

Note: the NAC agent version is the following: nacagent-4.9.0.37.

Any idea?

Regards

Zahi

35 Replies

Zahi,

I wanted to know if you were able to get this issue resolved?

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik/Bikespace,

I have added the name of the second ISE in the discovery host, as per the picture below, and it worked properly; the agent is now able to pop up. But is there a way to do this for all users without going to the agent on each machine and adding the name of ISE2 manually?

Noting that at the beginning the only node listed in the discovery host was the ISE1.

Regards

Zahi

I don't have access to an ISE at the moment to find it, but try this:

Policy > Policy Elements > Results > Client Provisioning > Resources

edit the profile and there should be a discovery host box.

Apologies, I'm guessing a little without access to the box, but it is definitely configurable, you don't have to add manually.

Hi Bikespace,

Thank you for your help, I have used this procedure and it is working now.

Much appreciated.

Zahi Boukhalil

Hi,

Could you please let us know what host name you configured when you have two ISE appliances. In my ISE the discovery host is configured with the FQDN of the primary ISE. So in the case the primary ISE is down, what name should I configure there? Should we use a common name representing both ISE appliances, or should we manually change the discovery host to the 2nd ISE when the primary is down?

thanks in advance.

Hello Experts,

Can someone please give any resolution to the above?

I will let the original thread owner confirm, but I think they used a colon or semicolon to delimit the two ISE hostnames in the discovery field settings, in the agent profile configuration section in ISE.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

Yes, that is correct: we used a semicolon (;) to delimit the two ISE hostnames, and in the Mode column we used override mode, as per the attached pic.

regards

Zahi

Thanks Tarik and Zahi for your replies.

I will do the changes accordingly and will update you.

Hi,

One note on this.

There appears to be a limit to the number of characters that you can enter in the Posture Agent Profile, Discovery Host field. When I attempt to enter the FQDN of both PDPs as:

xyz-hqs-isepdp1.xyzhqs.com; xyz-hqs-isepdp2.xyzhqs.com

it is truncated to:

xyz-hqs-isepdp1.xyzhqs.com;xyz-hqs-isepdp2.xyzhqs.

It appears that the limit is 50 characters.

Cheers,

Greg
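A check for the Discovery Host value before it goes into the Posture Agent Profile, added here as an example and not part of the thread: the 50-character limit is taken from Greg's observation above (assumed as MAX_LEN), the semicolon delimiter from Zahi's reply, and the sample values are the ones Greg posted.

```python
# Added example, not part of the thread: checks a Discovery Host value
# before it is pasted into the Posture Agent Profile. The thread reports
# that the field keeps at most 50 characters (assumed here as MAX_LEN) and
# that the PSN FQDNs are separated by a semicolon, so this shows which
# hosts survive the truncation intact and which are silently cut.
MAX_LEN = 50


def normalize_discovery_hosts(value):
    """Return the FQDNs joined with ';' and no surrounding whitespace."""
    hosts = [h.strip() for h in value.split(";") if h.strip()]
    return ";".join(hosts)


def check_discovery_hosts(value, max_len=MAX_LEN):
    """Return (stored_value, intact_hosts, damaged_hosts) after truncation.

    stored_value is what the field keeps; intact_hosts are the FQDNs that
    fit completely; damaged_hosts are cut off or dropped entirely.
    """
    wanted = normalize_discovery_hosts(value).split(";")
    stored = ";".join(wanted)[:max_len]
    intact, used = [], 0
    for host in wanted:
        # one extra character for the ';' in front of every host but the first
        need = used + len(host) + (1 if intact else 0)
        if need > max_len:
            break
        intact.append(host)
        used = need
    damaged = wanted[len(intact):]
    return stored, intact, damaged
```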

We may need TAC to provide some clarity, because in my deployments I have not used this setting. If you take a packet capture from the client, you can see an HTTP request from the NAC agent go out, and when you see the responding 302 message, this is where the agent learns of the active ISE node that it should forward its requests to. I have also seen this in the decrypted agent logs in a few of my TAC cases. I can open up a TAC case tomorrow to see what the best practices are when using multiple PSNs, since the character limit and having to configure an ISE posture agent profile aren't well documented.

Thanks,

Sent from Cisco Technical Support iPad App

Thanks Tarik, appreciate if you can update us once have a confirmation from TAC.

Hmmm... OK, this may be our answer:

Doesn't work:

ip access-list extended ACL-POSTURE-REDIRECT
deny ip any host 10.10.10.238
deny ip any host 10.10.10.239
deny udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443

Try this:

ip access-list extended ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny udp any host 10.10.10.238 eq 8905 8906
deny tcp any host 10.10.10.239 eq 8443 8905
deny udp any host 10.10.10.238 eq 8905 8906
deny tcp any host 10.10.10.239 eq 8443 8905
permit ip any any

Reasoning:

Since, in the original access list, you are allowing the port 80 discovery packet to reach the ISE servers without redirect, the NAC agent does not learn the actual address of the answering ISE server (ISE2) via the 302 redirect message (it is never triggered) but uses the programmed address of ISE1 instead. This also explains why it does work when you program the address of the second ISE in the NAC agent (still no 302 redirect message, but the agent tries both ISE servers).

In the second access list, you are allowing SWISS traffic (and 8443) to bypass the redirect, but forcing the port 80 traffic to trigger the redirect message.

Cheers
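The difference between the two redirect ACLs, worked through in an added example (not code from the thread or from Cisco): a minimal first-match evaluator that classifies a flow as redirected (a permit match, which is what produces the 302) or bypassed (a deny match), using only the ACE syntax and the 10.10.10.238/.239 addresses posted above.

```python
# Added example, not part of the thread: evaluates a flow against the two
# redirect ACLs posted above. On an ISE redirect ACL a "permit" match means
# the flow is redirected to the PSN (the agent's port-80 probe then gets its
# HTTP 302); a "deny" match lets it pass straight through, with no 302.
# Only the syntax in the thread is parsed: deny/permit, ip/tcp/udp,
# source "any", destination "any" or "host X", optional "eq port [port ...]".
ACL_ORIGINAL = """deny ip any host 10.10.10.238
deny ip any host 10.10.10.239
deny udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443"""

ACL_FIXED = """deny udp any any eq domain
deny udp any host 10.10.10.238 eq 8905 8906
deny tcp any host 10.10.10.239 eq 8443 8905
permit ip any any"""

NAMED_PORTS = {"www": 80, "domain": 53}


def parse_acl(text):
    """Return a list of (action, proto, dst_host_or_None, ports_or_None)."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        action, proto, i = tok[0], tok[1], 3   # tok[2] is the source "any"
        dst = None
        if tok[i] == "host":
            dst, i = tok[i + 1], i + 2
        else:
            i += 1                             # destination "any"
        ports = None
        if i < len(tok) and tok[i] == "eq":
            ports = {NAMED_PORTS.get(p) or int(p) for p in tok[i + 1:]}
        aces.append((action, proto, dst, ports))
    return aces


def redirect_decision(acl_text, proto, dst_ip, dst_port):
    """First matching ACE wins; an unmatched flow hits the implicit deny."""
    for action, ace_proto, dst, ports in parse_acl(acl_text):
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if dst is not None and dst != dst_ip:
            continue
        if ports is not None and dst_port not in ports:
            continue
        return "redirect" if action == "permit" else "bypass"
    return "bypass"
```

The agent's discovery probe (TCP/80 to the ISE address programmed in the agent) is bypassed by the original ACL and redirected by the second one, while the SWISS ports and 8443 stay bypassed in both.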

Team,

**Greg- I completely missed your post which hit it right on the head.**

I found the documentation that states this: basically, when the NAC agent fires up it sends an HTTP (port 80) discovery probe. Once it receives the HTTP 302 (redirect with the location) it resolves the IP address based on the value sent back from the ISE node that authenticated the dot1x session. Then the agent forwards its posture traffic to the correct ISE node. In my original post I recommended not having to do this step; however, I did not mention the case where you leave the posture discovery blank. I have never tested this before, and I will not be able to test it till later this week.

Here is the guide that mentions this. I also have a pcap that follows this behavior; attached are the HTTP probe (pcap1) followed by the HTTP 302 (pcap2).

Here is the guide that states this as well:

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic1

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi Tarik,

What do we have to write under the Discovery Host field if we have more than one policy node? Do we have to keep this field blank or write all the PSN FQDNs in it?

Awaiting your positive response.

Thanks
