NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue?

Agent Fails to Initiate Posture Assessment

The NAC agent is properly installed on a Windows 7, IE 9 machine, the certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.

The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.

The redirected URL is working fine (SEE Evidence)

We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.

The operations status remains at posture status pending forever and nothing else happens.

Symptoms or Issue

The agent login dialog box does not appear to the user following client provisioning.

Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.

Cisco advises as possible causes: There are multiple possible causes for this type of issue. See the following Resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidence.

CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS

Resolution

• Ensure that the agent is running on the client machine. ALL TESTED OK

• Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE. - OK

• Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (See evidence)

• Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)

• If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)

• Ensure that the default gateway is reachable from the client machine. (TESTED OK)

zujalal
Cisco Employee

Hi.

Can you paste all the ACLs on your switch, especially the webauth redirect ACL, which should deny traffic towards the PSN?

regards

Zubair