I have ISE 1.2 primary and secondary setup. NAC agent is working fine on the primary but as a test when I take the primary down to check if secondary will take over, NAC agent doesn't pop up at all. I did some troubleshooting:
- HA setup is fine between the servers and replication is done successfully
- I broke the HA setup between the servers and brought it back. Nothing changed
- Collected sniffer traces on the test machine. When using the primary server, I see the SWISS packets exchanged successfully between the client and ISE but that doesn't show up in the sniffer trace taken on the secondary case. I can't see any SWISS packets exchanged there
- Tracked the client behavior on the switch. "show auth session interface" shows the client going through the machine auth fine and then the "CPP" redirection link is pushed fine, then it fails over to the default authorization rule "Deny Access"
- I saw some posts that the discovery host needs to be edited under the default profile for client provisioning so that both servers are added there. Tried that but it didn't work
I opened a TAC case for this issue, and it turned out to be a configuration that needed to be modified:
- In the discovery host option on the agent profile, you need to add an unusable IP address on the same subnet as the primary and secondary servers
- Then redirect HTTP traffic on that IP on the redirect ACL on the switch. Meaning, if I had a primary ISE IP as: 184.108.40.206 and a secondary IP as: 220.127.116.11, then the discovery host IP should be something like 18.104.22.168. Then in the ACL used for redirection which denies ISE IP addresses from redirection you need to make sure to redirect the traffic on the virtual IP
As a best practice, in the redirection ACL, you can use:
deny "IP address of primary"
deny "IP address of secondary"
permit ip any any
This way, the switch will not redirect any traffic destined to both IP addresses of primary and secondary but will redirect anything else. Hence, when NAC agent pops up it will see that it should redirect HTTP traffic on the virtual IP configured on the discovery host and not specifically on one of the two IP addresses of primary and secondary.
Attached is a screenshot of what the redirect ACL should look like. Instead of locking the deny statements to SWISS ports, I just used deny ip any host "IP of ISE"
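A small checker for the design described above, added here as an illustration and not part of the original post or any Cisco tool: it parses a redirect ACL of the shape shown (deny the two ISE nodes, permit everything else), evaluates it the way the switch does (first match, permit means redirect, implicit deny at the end), and reports whether the primary and secondary are excluded from redirection while the discovery host would be redirected and sits on their subnet. The ISE addresses and the /24 prefix length are assumptions.

```python
import ipaddress
import re

# Constructed sample: the ACL shape from the post with placeholder (not the poster's) ISE addresses.
ACL_REDIRECT = """
ip access-list extended ACL-REDIRECT
 deny ip any host 192.0.2.11
 deny ip any host 192.0.2.12
 permit ip any any
"""
PRIMARY_ISE = "192.0.2.11"
SECONDARY_ISE = "192.0.2.12"
DISCOVERY_HOST = "192.0.2.13"  # unused address on the ISE subnet, as the TAC fix requires

ACE_RE = re.compile(r"^\s*(permit|deny)\s+ip\s+any\s+(?:host\s+(\S+)|(any)|(\S+)\s+(\S+))\s*$")

def parse_acl(text):
    """Turn 'permit/deny ip any <dst>' lines into (action, destination network) pairs."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # list header, remarks, and ACE forms this checker does not model
        action, host, anydst, net, wc = m.groups()
        dst = host or ("0.0.0.0/0" if anydst else f"{net}/{wc}")  # IOS wildcard-mask form
        entries.append((action, ipaddress.ip_network(dst, strict=False)))
    return entries

def is_redirected(entries, dst_ip):
    """First match wins: permit = switch redirects, deny = passes through; implicit deny at the end."""
    ip = ipaddress.ip_address(dst_ip)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False

def check_failover_design(acl_text, primary, secondary, discovery, prefixlen=24):
    """List what is wrong with the ACL/discovery-host pairing (prefixlen is an assumption)."""
    entries = parse_acl(acl_text)
    subnet = ipaddress.ip_network(f"{primary}/{prefixlen}", strict=False)
    problems = []
    if is_redirected(entries, primary):
        problems.append("traffic to the primary ISE would be redirected")
    if is_redirected(entries, secondary):
        problems.append("traffic to the secondary ISE would be redirected")
    if not is_redirected(entries, discovery):
        problems.append("agent traffic to the discovery host would not be redirected")
    if any(ipaddress.ip_address(a) not in subnet for a in (secondary, discovery)):
        problems.append("secondary and discovery host must be on the primary's subnet")
    return problems
```

Run it against your own ACL text and addresses; an empty list means the switch will leave both ISE nodes alone and redirect the agent's probe to the discovery host whichever node is active.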
I just saw your discussion, and it looks interesting.
I'm using this redirection ACL:
ip access-list extended ACL-REDIRECT
 deny ip any host ise1
 deny ip any host ise2
 permit ip any any
My problem is that the NAC agent does not pop up when the user logs in. On the client machine, I can resolve the ISE IP, and if I use the redirection ACL directly in the client browser it goes to the ISE CPP portal.
Have you faced the same issue when you use this redirection ACL?