Self Provisioning - Supplicant then NAC

David Boos
Level 1

I'm trying to setup a scenario such as -

Laptop brought on network - joins open wireless network - through open wireless network it registers with ISE using the supplicant wizard - once the supplicant wizard completes it joins a secure SSID - after navigating to another webpage NAC is delivered and client is postured.

I've gotten all the way to the last part.  It runs through the supplicant wizard, successfully registers, and joins the 802.1x network without a problem.

When I go to any other webpage it redirects me to "Unable to verify credentials required to access the network." page.  The only way to stop it is to remove it from the clients page on the WLC - once it's removed and rejoins the 802.1x network the NAC agent install comes up, installs, and postures according to the posture policies.

It seems like everything is where it should be but it doesn't install at the proper time without being removed from the network.


Tarik Admani
VIP Alumni

Is this for wireless? What version of controller code are you on?


Sent from Cisco Technical Support Android App

I have a Cisco 5508 running 7.5.102.0 - I was on 7.4 and had the same issue.

I am testing this same scenario also. When the client connects to the SSID after the onboarding provisioning is completed, what do you see as far as the client entry? Is it in a RUN state? Also, does the state change when you remove the user from the client database?

Sorry, I didn't read through your first post; I see now that you are on wireless.

Tarik Admani
*Please rate helpful posts*

No problem.  I've attached screenshots from the WLC.  These are the only differences between when the client is on the controller after the supplicant has been installed and after I have removed the client from the controller and it has authenticated.  It seems the only difference is the session ID.

In the authentication logs you can see where the session changes and I've forced the client to reconnect.

1st redirect URL

/guestportal/gateway?sessionId=ac1e104500000c73520da9cc&action=cpp

2nd redirect URL

/guestportal/gateway?sessionId=ac1e104500000c74520daa40&action=cpp

I've attached authentication logs as well. 

Before

After

ISE Authentication log screenshot.

These are my provisioning policies.

David,

I am trying to follow the authorization logs; however, in my scenario on version 1.1.4 patch 3 the below is the sequence of my use case. It looks like you are on 1.2...

Client authenticates with CWA

Client is redirected to the native supplicant provisioning portal

Client connects with 802.1x

Client is redirected to posture

Finally posture status determines fate of connection

In the logs you provided I see the following in your sequence...

Client authenticates with CWA

----I do not see the client redirected to the NSP phase---

Client authenticates with eap-tls

Then after the delay you are hitting it connects and is compliant

Can you delete the endpoint entry and the wireless network profile and run through the entire process? From what I can tell your policies look fine and you are using the NAC agent. Also, when you get redirected to the page not available message, can you verify that the session ID in the URL matches the session ID in the ISE logs?

Are you using the default ip value or are you customizing the hostname that is sent in the authorization profile?

Thanks,

Tarik Admani
*Please rate helpful posts*

You are correct, sorry I didn't mention it - I'm on ISE 1.2.

No customization and the supplicant hits right after the login which is how it arrives at the EAP-TLS phase.

The logs I've posted are of a client that has not been registered and has been removed from the WLC before the attempt (it's my test Win7 client). I've tried clients that have never been registered to ISE with the same result just to be sure it's not a problem with the client.

The URLs passed by ISE do match the session ID.
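The check Tarik asks for above (does the sessionId in the redirect URL match what ISE logged?) and the difference David saw between the two redirect URLs can both be done mechanically. The following is an added example, not code from the thread or from Cisco: it pulls the sessionId out of each posted redirect URL, splits it into the three fields of a Cisco audit-session-id (the layout is an assumption based on the AireOS/IOS convention: NAS IP, per-NAS session counter, start time in epoch seconds, 8 hex digits each), and compares the two. The ISE log line it matches against is constructed for the example; the attribute name in it is illustrative.

```python
from datetime import datetime, timezone
from ipaddress import IPv4Address
from urllib.parse import parse_qs, urlparse

# The two redirect URLs posted in the thread (copied from the post).
REDIRECT_URLS = {
    "first": "/guestportal/gateway?sessionId=ac1e104500000c73520da9cc&action=cpp",
    "second": "/guestportal/gateway?sessionId=ac1e104500000c74520daa40&action=cpp",
}

# Constructed ISE live-log line, not a real log excerpt from the thread; the
# attribute name is illustrative. Only the session-id value matters here.
CONSTRUCTED_LOG_LINE = (
    "2013-08-16 ... Authentication succeeded ... "
    "AuditSessionId=ac1e104500000c73520da9cc ... PostureStatus=Unknown"
)


def session_id_from_url(url):
    """Pull the sessionId query parameter out of an ISE redirect URL."""
    params = parse_qs(urlparse(url).query)
    values = params.get("sessionId")
    if not values:
        raise ValueError("redirect URL carries no sessionId parameter")
    return values[0].lower()


def decode_session_id(session_id):
    """Split a Cisco audit-session-id into its three 32-bit fields.

    Assumed layout (AireOS/IOS convention): NAS IP address (8 hex digits),
    per-NAS session counter (8 hex digits), session start time as seconds
    since the Unix epoch (8 hex digits).
    """
    if len(session_id) != 24 or any(c not in "0123456789abcdef" for c in session_id):
        raise ValueError(f"unexpected audit-session-id format: {session_id!r}")
    nas_ip = IPv4Address(int(session_id[0:8], 16))
    counter = int(session_id[8:16], 16)
    started = datetime.fromtimestamp(int(session_id[16:24], 16), tz=timezone.utc)
    return {"nas_ip": str(nas_ip), "counter": counter, "started": started}


def compare_redirects(first_url, second_url):
    """Explain how two redirects differ: same NAS? counter step? time gap?"""
    a = decode_session_id(session_id_from_url(first_url))
    b = decode_session_id(session_id_from_url(second_url))
    return {
        "same_nas": a["nas_ip"] == b["nas_ip"],
        "counter_delta": b["counter"] - a["counter"],
        "seconds_apart": int((b["started"] - a["started"]).total_seconds()),
    }


def url_matches_log(url, log_line):
    """True when the session id in the redirect URL appears in the ISE log line."""
    return session_id_from_url(url) in log_line.lower()


if __name__ == "__main__":
    for name, url in REDIRECT_URLS.items():
        print(name, decode_session_id(session_id_from_url(url)))
    print(compare_redirects(REDIRECT_URLS["first"], REDIRECT_URLS["second"]))
    print("first URL matches constructed log:",
          url_matches_log(REDIRECT_URLS["first"], CONSTRUCTED_LOG_LINE))
```

Run against the two URLs from the thread, the decode shows both session IDs come from the same NAS (172.30.16.69 under the assumed layout, which sits next to the .70/.71 ISE nodes), the counter advanced by exactly one, and the second session started 116 seconds after the first, i.e. a brand-new session on the same controller rather than a continuation of the old one. When the session ID in the browser's redirect URL does not appear in the ISE log for that endpoint, the redirect belongs to a stale session and the "unable to verify credentials" page is the expected result.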

David,

What I am trying to see, based on my experience, is the native supplicant provisioning phase. Can you post a screenshot of the Client_unknown authorization policy?

Thanks,

Tarik Admani
*Please rate helpful posts*

I've attached screenshots of the policy below.

Can you provide the ACL contents of the ACL_Client_Unknown? Are you running multiple PSNs? Also, send me a screenshot of the gray box that shows all the attributes for the attributes you sent above.

Thanks,

Tarik Admani
*Please rate helpful posts*

I have two ISE nodes, one is primary on all services the other is secondary on all services.

I have two WLC's one with the high availability SKU - it is in hot standby mode during these tests.

ACL for Client Unknown - 172.30.16.70 and .71 are the ISE nodes.

Attribute information -

Can you add an entry to deny all traffic to port 80? This will help in failover scenarios if the discovery host is pointing to an ISE node that isn't servicing the redirect request. I do not think this will fix your scenario, but everything else looks solid.

Typically the discovery agent updates at the time of the ISE redirect for posturing, so when the NAC agent connects it sends an HTTP discovery probe to the discovery host. If ISE1 is the discovery host and ISE2 is the active PSN for the session, the discovery probe will see that the session is redirected to a different PSN, which prevents this scenario.

I also see you are allowing DHCP traffic in the ACL, which I recommend disabling so the client is forced to re-IP during the CWA to 802.1x transition. When you reproduce the issue where the client is unable to view the page, check the IP address and make sure that the client doesn't still have the old IP address; if it does, then the DHCP entries in the ACL may be the issue.

It would be best to run a packet capture on the test client to see if DNS resolution is failing or if ISE is sending back the error.

Thanks,

Tarik Admani
*Please rate helpful posts*
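Why the "deny tcp/80 ahead of the ISE permits" advice matters comes down to rule order in the redirect ACL. The following is an added example, not configuration from the thread or from Cisco: it models a WLC redirect ACL as an ordered, first-match list and pushes three constructed client flows through the ACL as the screenshot implies it (everything to the two ISE nodes permitted; the exact lines are an assumption) and through the same ACL with an explicit tcp/80 deny in front. The redirect semantics used (permit = traffic passes untouched, deny or implicit deny = HTTP is redirected to the PSN that owns the session, anything else is dropped) are an assumption about AireOS pre-auth ACL behaviour, stated here rather than taken from the post.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Rule fields: action ("permit"/"deny"), protocol ("tcp"/"udp"/"any"),
# destination network, destination port (None = any port).
Rule = namedtuple("Rule", "action proto dst dport")

ISE_NODES = ("172.30.16.70", "172.30.16.71")   # the two PSNs named in the thread


def first_match(acl, proto, dst, dport):
    """Walk the ACL in index order; return (action, rule_index). Implicit deny at the end."""
    for index, rule in enumerate(acl, start=1):
        proto_ok = rule.proto == "any" or rule.proto == proto
        dst_ok = ip_address(dst) in ip_network(rule.dst)
        port_ok = rule.dport is None or rule.dport == dport
        if proto_ok and dst_ok and port_ok:
            return rule.action, index
    return "deny", None


def disposition(acl, proto, dst, dport):
    """Assumed redirect-ACL behaviour (an assumption, not from the thread):
    permit -> traffic passes untouched; deny / implicit deny -> HTTP (tcp/80)
    is redirected to the session's PSN, everything else is dropped."""
    action, _ = first_match(acl, proto, dst, dport)
    if action == "permit":
        return "pass"
    return "redirect" if (proto == "tcp" and dport == 80) else "drop"


# Roughly what the thread's ACL_Client_Unknown screenshot implies: everything to
# the two ISE nodes is permitted (exact lines are an assumption).
ORIGINAL_ACL = [Rule("permit", "any", f"{node}/32", None) for node in ISE_NODES]

# Tarik's suggestion modelled here: an explicit deny for tcp/80 placed *before*
# the ISE permits, so any HTTP probe, even one aimed at an ISE node, is
# redirected to the PSN that actually owns the session.
HARDENED_ACL = [Rule("deny", "tcp", "0.0.0.0/0", 80)] + ORIGINAL_ACL

# Constructed client flows to push through both ACLs (203.0.113.10 is a
# documentation address standing in for an arbitrary web site).
FLOWS = {
    "agent discovery probe to ISE1 (tcp/80)": ("tcp", "172.30.16.70", 80),
    "portal/posture traffic to ISE2 (tcp/8443)": ("tcp", "172.30.16.71", 8443),
    "ordinary web browsing (tcp/80)": ("tcp", "203.0.113.10", 80),
}


def dispositions(acl):
    """Disposition of every constructed flow under the given ACL."""
    return {name: disposition(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("hardened", HARDENED_ACL)):
        print(label)
        for name, result in dispositions(acl).items():
            print(f"  {name:45s} -> {result}")
```

With the original ordering the agent's HTTP discovery probe to ISE1 matches the blanket permit and passes straight to that node, whether or not ISE1 holds the session; with the tcp/80 deny in front, the probe is redirected like any other HTTP request while the 8443 portal traffic to either node still passes. The same first-match walk is why the DHCP permits Tarik mentions keep the old address usable during the CWA to 802.1x transition: a permit that sits above the implicit deny lets the flow through regardless of what follows it.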

David Boos
Level 1

Disabling fast ssid switching in the wireless lan controller fixed the issue.


Sent from Cisco Technical Support Android App

I had this problem too and as David did, disabling fast ssid solved the issue.

Is there any drawback to this? I read somewhere that this setting helps Apple iOS move between SSIDs.
