New Member

NAC Agent failure on secondary ISE server

Hi Guys,


I have ISE 1.2 primary and secondary setup. NAC agent is working fine on the primary but as a test when I take the primary down to check if secondary will take over, NAC agent doesn't pop up at all. I did some troubleshooting:

- HA setup is fine between the servers and replication is done successfully

- I broke the HA setup between the servers and brought it back. Nothing changed

- Collected sniffer traces on the test machine. When using the primary server, I see the SWISS packets exchanged successfully between the client and ISE, but that doesn't show up in the sniffer trace taken in the secondary case. I can't see any SWISS packets exchanged there

- Tracked the client behavior on the switch. "show auth session interface" shows the client going through the machine auth fine and then the "CPP" redirection link is pushed fine, then it fails over to the default authorization rule "Deny Access"

- I saw some posts that the discovery host needs to be edited under the default profile for client provisioning so that both servers are added there. Tried that but it didn't work


Any ideas on this one?


Thanks,

Mohammad

3 REPLIES
New Member


Hi Guys,

I opened a TAC case for this issue, and it turned out that the configuration needed to be modified as follows:

- In the discovery host option on the agent profile, you need to add an unusable IP address on the same subnet as the primary and secondary servers

- Then redirect HTTP traffic to that IP in the redirect ACL on the switch. Meaning, if I had a primary ISE IP of 1.1.1.1 and a secondary IP of 1.1.1.2, then the discovery host IP should be something like 1.1.1.3. Then, in the ACL used for redirection, which denies the ISE IP addresses from redirection, you need to make sure the traffic to the virtual IP is redirected

As a best practice, in the redirection ACL, you can use:

deny "IP address of primary"
deny "IP address of secondary"
permit ip any any

This way, the switch will not redirect any traffic destined to both IP addresses of primary and secondary but will redirect anything else. Hence, when NAC agent pops up it will see that it should redirect HTTP traffic on the virtual IP configured on the discovery host and not specifically on one of the two IP addresses of primary and secondary.

Attached is a screenshot of how the redirect ACL should look. Instead of locking the deny statements to the SWISS ports, I just used deny ip any host "IP of ISE"


Good luck :)

- Mohammad
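As an added example (not from the thread or from Cisco), here is a small Python checker for the first-match semantics of the IOS redirect ACL Mohammad describes: a `permit` match sends the flow to ISE, a `deny` match (or the implicit deny at the end) passes it through untouched, so the PSN addresses must be denied and the virtual discovery host must not be. The function names and the 192.0.2.x sample addresses are constructed for this example.

```python
import ipaddress
import re

# Simplified first-match evaluator for the IOS extended-ACL forms used in the
# thread: "deny ip any host X", "deny ip any NET WILDCARD", "permit ip any any".
ACE_RE = re.compile(r"^(permit|deny)\s+ip\s+any\s+(any|host\s+(\S+)|(\S+)\s+(\S+))$")

def parse_acl(text):
    """Return [(action, network)], where network=None means 'any'."""
    aces = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("ip access-list", "remark", "!")):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, kind, host, net, wildcard = m.groups()
        if kind == "any":
            network = None
        elif host:
            network = ipaddress.ip_network(host)
        else:  # IOS wildcard mask, accepted by ipaddress as a hostmask
            network = ipaddress.ip_network((net, wildcard), strict=False)
        aces.append((action, network))
    return aces

def is_redirected(aces, dst_ip):
    """In an IOS URL-redirect ACL, a 'permit' match sends the flow to ISE;
    'deny' (or the implicit deny at the end) lets it through untouched."""
    dst = ipaddress.ip_address(dst_ip)
    for action, network in aces:
        if network is None or dst in network:
            return action == "permit"
    return False

def check_redirect_acl(text, psn_ips, discovery_host):
    """Flag ACLs that redirect a PSN or fail to redirect the discovery host."""
    aces = parse_acl(text)
    problems = [f"PSN {ip} would be redirected" for ip in psn_ips
                if is_redirected(aces, ip)]
    if not is_redirected(aces, discovery_host):
        problems.append(f"discovery host {discovery_host} is not redirected")
    return problems

# Constructed sample in the RFC 5737 documentation range (not the thread's
# placeholder 1.1.1.x addresses): two PSNs denied, everything else redirected.
SAMPLE_ACL = """ip access-list extended ACL-REDIRECT
 deny ip any host 192.0.2.1
 deny ip any host 192.0.2.2
 permit ip any any"""
```

Running `check_redirect_acl(SAMPLE_ACL, ["192.0.2.1", "192.0.2.2"], "192.0.2.3")` returns an empty list; adding a `deny` for the discovery host (the mistake the thread warns against) makes it report that the agent's discovery traffic would never be redirected.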

New Member


Hi Mohammed,

I just saw your discussion, and it looks interesting.

I'm using this redirection ACL:

ip access-list extended ACL-REDIRECT
 deny ip any host ise1
 deny ip any host ise2
 permit ip any any

My problem is that the NAC agent does not pop up when the user logs in. On the client machine, I can resolve the ISE IP, and if I use the redirection ACL directly on the client browser it goes to the ISE CPP portal.

Have you faced the same issue when you use this redirection ACL?


New Member

Hi Mohammad Alsouqi,

Did that solve your issue?

Thanks,

Mohamed
