NAC agent failing to popup

Dears,

I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.

When we are working on the first node everything is fine. If I try to disconnect ISE1 and do my tests on ISE2, the Cisco NAC agent doesn't pop up unless I uninstall it and reinstall it again from ISE2; then it works properly.

Note: the NAC agent version is the following: nacagent-4.9.0.37.

Any idea?

Regards

Zahi

35 REPLIES

NAC agent failing to popup

Zahi,

Can you please post the contents of your pre-auth ACL? I wonder how the redirection is set for the SWISS packets. Are you redirecting all traffic destined to ports 8905 and 8906?

Also when you are performing the failover scenario are you shutting the port? How are you triggering the reauthentication?

Thanks,

Tarik Admani

Tarik Admani *Please rate helpful posts*

NAC agent failing to popup

Hi Tarik,

Thanks for your reply.

If you mean the redirect ACL, please find it below:

ip access-list extended ACL-POSTURE-REDIRECT
deny   ip any host 10.10.10.238    >>> IP address of ISE1
deny   ip any host 10.10.10.239    >>> IP address of ISE2
deny   udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443

To perform the failover I disconnect ISE1 from the network and apply the shut and no shut commands on the port of the testing machine, or sometimes I unplug and plug the cable of that workstation again.

Regards

Zahi

NAC agent failing to popup

Can you also post the contents of your dACL? When you open a web browser, do you get redirected to the NAC agent download page?

Can you please post the show authentication session interface x/y, when the agent pops up with ISE1 and then again with ISE2.

Also it may be best to take a pcap of the client machine to see if ISE2 is responding.

Thanks,

Tarik Admani


Re: NAC agent failing to popup

Hi Tarik,

below are my answers:

1- The content of the dACL:

ip access-list extended POSTURE-REMEDIATION
permit udp any any eq domain
permit ip any host 10.10.10.125         >>>> antivirus server
permit ip any 10.10.240.0 0.0.0.255   >>>> voice subnet
permit ip any 10.10.31.0 0.0.0.255    >>>> quarantine vlan subnet
permit ip any host 10.10.10.238        >>>> ip add of ISE1
permit ip any host 10.10.10.239        >>>> ip add of ISE2
permit ip any host 10.10.10.206        >>>> wsus server
permit ip any host 10.10.10.10          >>>> domain 1
permit ip any host 10.10.10.100          >>>> domain 2

2- When I open a web browser, yes, I get redirected to the NAC agent download page.

3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:

sw#sho authentication sessions int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  b8ac.6fc9.b26f
           IP Address:  10.10.31.2
            User-Name:  RJ\15592
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  31
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-1.rj.com:8443/guestportal/gateway?sessionId=0A0A0C86000000186ADBBD8B&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C86000000186ADBBD8B
      Acct Session ID:  0x00000023
               Handle:  0x31000018

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

sw#sho authentication sessions int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  b8ac.6fc9.b26f
           IP Address:  10.10.30.12
            User-Name:  RJ\15592
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  30
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C86000000186ADBBD8B
      Acct Session ID:  0x00000023
               Handle:  0x31000018

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:

sw#sho auth sessions int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  0025.6458.8409
           IP Address:  10.10.31.8
            User-Name:  RJ\15946
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  31
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?sessionId=0A0A0C86000000206AF3FAC1&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C86000000206AF3FAC1
      Acct Session ID:  0x0000002B
               Handle:  0x2C000020

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

You may also find attached the pcap file of the client machine when it is authenticating with ISE2.

Thank you in advance

Zahi


Re: NAC agent failing to popup

Zahi,

I don't understand your latest response. Are you saying the agent is popping up with ISE2, or that it is not popping up with ISE2?

Just so I understand this correctly the first client, authenticates on vlan 31, postures, and then is compliant and then set to vlan 30 with the permit ip any acl assigned.

The ACL you sent me is a different ACL defined on the switch; the ISE is referencing "ACL-POSTURE-REDIRECT", so please send the contents of that ACL.

I see that you are using two different machines: client 0025.6458.8409 is being redirected to the ISE2 agent download page, but does it have the client installed? If so, in the pcap the agent doesn't seem to be sending any discovery packets.

Please test with only one client, and reproduce the issue with the show authentication sessions output like you did previously.

Thanks,

Tarik admani


NAC agent failing to popup

Hi Tarik,

In the second test I meant that this is the output after authenticating with ISE2, but the agent didn't pop up; sorry for any inconvenience. It shows that the authentication is successful but the agent is not popping up.

As for the client machine, I'm doing this test remotely as the client is abroad; you're right, it seems that he used a different machine.

I will redo the test and ensure the same client machine is used.

I'll get back to you with the result.

Regards

Zahi


Re: NAC agent failing to popup

Hi Tarik,

Kindly find below the outputs of the test:

1- The content of the dACL:

ip access-list extended ACL-POSTURE-REDIRECT
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
deny   udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443

2- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:

SW#sho auth sess int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  0021.7070.87be
           IP Address:  10.10.31.4
            User-Name:  15919
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  31
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-1.rj.com:8443/guestportal/gateway?sessionId=0A0A0C860000002A89B45A9A&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C860000002A89B45A9A
      Acct Session ID:  0x00000039
               Handle:  0xC500002A

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run


SW#sho auth sess int fast 0/12 
            Interface:  FastEthernet0/12
          MAC Address:  0021.7070.87be
           IP Address:  10.10.30.3
            User-Name:  15919
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  30
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C860000002A89B45A9A
      Acct Session ID:  0x00000039
               Handle:  0xC500002A

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

3- outputs of the show authentication session interface fast 0/12, when the agent fails to popup with ISE2:

SW#sho auth sess int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  0021.7070.87be
           IP Address:  10.10.31.4
            User-Name:  15919
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  31
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?sessionId=0A0A0C860000002C89C063BE&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C860000002C89C063BE
      Acct Session ID:  0x0000003B
               Handle:  0xBD00002C

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

SW#sho ip access-lists int fast 0/12
     permit udp any any eq domain (13 matches)
     permit ip any host 10.10.10.125
     permit ip any 10.10.240.0 0.0.0.255
     permit ip any 10.10.31.0 0.0.0.255 (42 matches)
     permit ip any host 10.10.10.238 (15 matches)
     permit ip any host 10.10.10.239
     permit ip any host 10.10.10.206
     permit ip any host 10.10.10.10 (8 matches)
     permit ip any host 10.10.10.100

You may also find attached two log files, ISE2-1 and ISE2-2, retrieved when we were testing the client machine with ISE2 (the scenario was repeated 2 times, which is why I retrieved 2 log files).

Regards

Zahi

Re: NAC agent failing to popup

Can you post show run aaa, and show run interface fa 0/12.

Thanks,

Tarik Admani

Sent from Cisco Technical Support iPad App


Re: NAC agent failing to popup

below are the outputs:

SW#sh run | in aaa
aaa new-model
aaa authentication login default local
aaa authentication login TEST group radius local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common

SW#sh run int fas 0/12
Building configuration...

Current configuration : 200 bytes
!
interface FastEthernet0/12
switchport access vlan 22
switchport mode access
switchport voice vlan 110
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end

Regards

Zahi

NAC agent failing to popup

Zahi,

Please use the following guide for reference; you need to look into using a port-based ACL, which affects the way traffic is redirected.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html

Thanks,

Tarik Admani


Hi Tarik,

Currently we are using ISE 1.4 with dot1x (machine & user authentication) and posturing.

We are using Cisco NAC agent 4.9.5.8 for all windows machines.

This all works well with Windows 7: after authentication the NAC agent pops up properly and checks the posture. But on a Windows 10 machine it gets stuck at machine authentication only; it's not going forward to the posture check and the NAC agent is not popping up.

Has anyone faced this issue with Windows 10 machines?

Thanks in advance


NAC agent failing to popup

When your NAC agent DOES pop up, what discovery nodes are listed in the pop-up window? Are both of your ISEs in there?

Both ISEs need to be in there, otherwise it won't recognise the second one.

Or you can use a wildcard such as *.mydomain.com

I don't have access to a box to steer you to the page that is configured on at the moment, but I'm sure you'll be able to find it if that is the problem.

Gaz

NAC agent failing to popup

Gaz,

That is not the proper way to configure the switch port and redirect URLs. Depending on your configuration, and with the redirection profiles configured correctly, the switch port should redirect all HTTP, HTTPS and discovery agent traffic to the URL that ISE hands to the switchport. Similar to when you go to www.google.com and get redirected to download the NAC agent, the same behavior must apply for TCP and UDP traffic destined for the discovery ports.

Thanks,

Tarik Admani


NAC agent failing to popup

I think you've misunderstood my reply; I haven't suggested a method of configuring redirection. I've stated that if the redirection is working properly and you don't configure both discovery nodes to be authenticated, i.e. both discovery nodes need to be listed, then you won't get pop-ups: the NAC client won't recognise the ISE.

NAC agent failing to popup

Zahi,

I wanted to know if you were able to get this issue resolved?

Thanks,

Tarik Admani

Re: NAC agent failing to popup

Dear Tarik/Bikespace,

I have added the name of the second ISE in the discovery host as per the picture below, and it worked properly; the agent is now able to pop up. But is there a way to do this for all users without going to the agent on each machine and adding the name of ISE2 manually?

Noting that at the beginning the only node listed in the discovery host was the ISE1.

Regards

Zahi


Re: NAC agent failing to popup

I don't have access to an ISE at the moment to find it, but try this:

Policy > Policy Elements > Results > Client Provisioning > Resources

edit the profile and there should be a discovery host box.

Apologies, I'm guessing a little without access to the box, but it is definitely configurable, you don't have to add manually.


Re: NAC agent failing to popup

Hi Bikespace,

Thank you for your help, I have used this procedure and it is working now.

Much appreciated.

Zahi Boukhalil


Re: NAC agent failing to popup

Hi,

Could you please let us know what host name you configured when you have two ISE appliances? In my ISE the discovery host is configured with the FQDN of the primary ISE. So in case the primary ISE is down, what name should I configure there? Should we use a common name representing both ISE appliances, or should we manually change the discovery host to the 2nd ISE when the primary is down?

thanks in advance.


Re: NAC agent failing to popup

Hello Experts,

Can someone please give any resolution to the above?

NAC agent failing to popup

I will let the original thread owner confirm, but I think they used a colon or semicolon to delimit the two ISE hostnames in the discovery field settings in the agent profile configuration section in ISE.

Thanks,

Tarik Admani

NAC agent failing to popup

Hi Tarik,

Yes, it is correct: we have used a semicolon (;) to delimit the two ISE hostnames, and in the Mode column we have used override mode as per the attached pic.

regards

Zahi


NAC agent failing to popup

Thanks Tarik and Zahi for your replies.

I will do the changes accordingly and will update you.


NAC agent failing to popup

Hi,

One note on this.

There appears to be a limit to the number of characters that you can enter in the Posture Agent Profile's Discovery Host field. When I attempt to enter the FQDNs of both PDPs as:

xyz-hqs-isepdp1.xyzhqs.com; xyz-hqs-isepdp2.xyzhqs.com

it is truncated to:

xyz-hqs-isepdp1.xyzhqs.com;xyz-hqs-isepdp2.xyzhqs.

It appears that the limit is 50 characters.

Cheers,

Greg

Re: NAC agent failing to popup

We may need TAC to provide some clarity, because in my deployments I have not used this setting. If you take a packet capture from the client, you can see an HTTP request from the NAC agent go out, and when you see the responding 302 message, this is where the agent learns of the active ISE node that it should forward its requests to. I have also seen this in the decrypted agent logs in a few of my TAC cases. I can open up a TAC case tomorrow to see what the best practices are when using multiple PSNs, since the character limit and having to configure an ISE posture agent profile aren't well documented.

Thanks,

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*

Re: NAC agent failing to popup

Thanks Tarik, appreciate if you can update us once have a confirmation from TAC.


Re: NAC agent failing to popup

Hmmm... OK, this may be our answer:

Doesn't work:

ip access-list extended ACL-POSTURE-REDIRECT
deny ip any host 10.10.10.238
deny ip any host 10.10.10.239
deny udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443

Try this:

ip access-list extended ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny udp any host 10.10.10.238 eq 8905 8906
deny tcp any host 10.10.10.239 eq 8443 8905
deny udp any host 10.10.10.238 eq 8905 8906
deny tcp any host 10.10.10.239 eq 8443 8905
permit ip any any

Reasoning:

Since, in the original access list, you are allowing the port 80 discovery packet to reach the ISE servers without redirect, the NAC agent does not learn the actual address of the answering ISE server (ISE2) via the 302 redirect message (it is never triggered) but uses the programmed address of ISE1 instead. This also explains why it does work when you program the address of the second ISE in the NAC agent (still no 302 redirect message, but the agent tries both ISE servers).

In the second access list, you are allowing SWISS traffic (and 8443) to bypass the redirect, but forcing the port 80 traffic to trigger the redirect message.

Cheers

Re: NAC agent failing to popup

Team,

**Greg- I completely missed your post which hit it right on the head.**

I found the documentation that states this: basically, when the NAC agent fires up it sends an HTTP (port 80) discovery probe. Once it receives the HTTP 302 (redirect with the location) it then resolves the IP address based on the value sent back from the ISE node that authenticated the dot1x session. Then the agent forwards its posture traffic to the correct ISE node. In my original post I recommended not having to do this step; however, I did not mention what happens if you leave the posture discovery blank, as I have never tested this before, and I will not be able to test it until later this week.

Here is the guide that mentions this. I also have a pcap that follows this behavior; attached are the HTTP probe (pcap1) followed by the HTTP 302 (pcap2).

Here is the guide that states this as well:

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic1

Thanks,

Tarik Admani
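Greg's ACL reasoning and Tarik's description of the HTTP 302 discovery step above can be checked with a small model. The following Python is an added example, not code from this thread or from Cisco: it parses the two redirect ACLs exactly as posted (Zahi's original and Greg's proposal), evaluates them with an IOS-style first-match lookup, and then runs a toy model of the agent's discovery probe in which a permitted (that is, redirected) TCP/80 probe returns a 302 naming the node that authorized the session, while a denied probe reaches only the host the agent was configured with. The discovery model, the function names and the assumption that ISE1 is disconnected during the failover test are constructed for this example; the ACL text is copied from the posts.

```python
import ipaddress

# Named ports IOS accepts in "eq" clauses; only the names used in this thread.
PORT_NAMES = {"www": 80, "domain": 53}

# The redirect ACL from Zahi's switch, as posted in the thread.
ORIGINAL_ACL = """
ip access-list extended ACL-POSTURE-REDIRECT
deny ip any host 10.10.10.238
deny ip any host 10.10.10.239
deny udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
"""

# Greg's proposed replacement, reproduced exactly as he posted it.
PROPOSED_ACL = """
ip access-list extended ACL-POSTURE-REDIRECT
deny udp any any eq domain
deny udp any host 10.10.10.238 eq 8905 8906
deny tcp any host 10.10.10.239 eq 8443 8905
deny udp any host 10.10.10.238 eq 8905 8906
deny tcp any host 10.10.10.239 eq 8443 8905
permit ip any any
"""

ISE1, ISE2 = "10.10.10.238", "10.10.10.239"   # node addresses from the thread


def parse_acl(text):
    """Parse IOS extended ACL entries into (action, proto, dst_network, dst_ports).

    Only the syntax seen in the thread is handled: 'any', 'host A.B.C.D' and
    'network wildcard' destinations, plus an optional 'eq' list of ports.
    """
    rules = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if not parts or parts[0] == "ip":      # skip the 'ip access-list' header line
            continue
        action, proto = parts[0], parts[1]
        i = 3                                   # parts[2] is the source, 'any' throughout
        if parts[i] == "any":
            dst, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif parts[i] == "host":
            dst, i = ipaddress.ip_network(parts[i + 1] + "/32"), i + 2
        else:                                   # IOS wildcard mask: set bits are "don't care"
            wild_bits = bin(int(ipaddress.ip_address(parts[i + 1]))).count("1")
            dst = ipaddress.ip_network(f"{parts[i]}/{32 - wild_bits}", strict=False)
            i += 2
        ports = set()
        if i < len(parts) and parts[i] == "eq":
            ports = {PORT_NAMES.get(p) or int(p) for p in parts[i + 1:]}
        rules.append((action, proto, dst, ports))
    return rules


def acl_action(rules, proto, dst_ip, dst_port):
    """First matching entry wins; the list ends with an implicit deny, as on IOS."""
    ip = ipaddress.ip_address(dst_ip)
    for action, rproto, dst, ports in rules:
        if rproto not in ("ip", proto):
            continue
        if ip not in dst or (ports and dst_port not in ports):
            continue
        return action
    return "deny"


def is_redirected(acl_text, proto, dst_ip, dst_port):
    """In a URL-redirect ACL a 'permit' means the switch intercepts the flow and answers
    with an HTTP 302 to the portal URL; a 'deny' lets the packet through untouched."""
    return acl_action(parse_acl(acl_text), proto, dst_ip, dst_port) == "permit"


def agent_discovery(acl_text, discovery_hosts, active_node):
    """Toy model of NAC agent discovery (constructed for this example, not the real agent).

    The agent probes TCP/80 toward each configured discovery host in turn.  A redirected
    probe yields a 302 whose Location names the node that authorized the dot1x session,
    so the agent learns that node.  An unredirected probe only succeeds if the configured
    host itself answers, which here means it equals active_node (the other node has been
    disconnected for the failover test).
    """
    for host in discovery_hosts:
        if is_redirected(acl_text, "tcp", host, 80):
            return ("learned-via-302", active_node)
        if host == active_node:
            return ("direct", host)
    return ("no-discovery", None)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL)):
        print(f"{name}: agent configured with ISE1 only, ISE1 down ->",
              agent_discovery(acl, [ISE1], active_node=ISE2))
        print(f"{name}: SWISS tcp/8905 to ISE2 redirected? ->",
              is_redirected(acl, "tcp", ISE2, 8905))
```

Running it shows the failover symptom from the thread: with the original ACL the port-80 probe to ISE1 is denied (never redirected), so an agent that only knows ISE1 finds nothing once ISE1 is unplugged, and adding ISE2 to its discovery list makes it reach ISE2 directly; with Greg's ACL the probe is redirected and the agent learns ISE2 from the 302 without any per-machine configuration, while SWISS traffic on 8905/8906 still bypasses the redirect in both.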

NAC agent failing to popup

Hi Tarik,

What do we have to write under the Discovery Host field if we have more than one policy node? Do we have to keep this field blank, or write down all the PSN FQDNs in it?

Awaiting your positive response.

Thanks
