
NAC agent failing to popup

ZAHI BOU KHALIL
Level 1

Dears,

I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.

When we are working on the first node everything is fine. If I disconnect ISE1 and do my tests on ISE2, the Cisco NAC agent doesn't pop up unless I uninstall it and reinstall it again from ISE2; then it works properly.

Note: the NAC agent version is the following: nacagent-4.9.0.37.

Any idea?

Regards

Zahi

1 Accepted Solution

Accepted Solutions

I don't have access to an ISE at the moment to find it, but try this:

Policy > Policy Elements > Results > Client Provisioning > Resources

Edit the profile and there should be a discovery host box.

Apologies, I'm guessing a little without access to the box, but it is definitely configurable; you don't have to add it manually.


35 Replies

Tarik Admani
VIP Alumni

Zahi,

Can you please post the contents of your pre-auth ACL? I wonder how the redirection is set for the SWISS packets. Are you redirecting all traffic destined to ports 8905 and 8906?

Also when you are performing the failover scenario are you shutting the port? How are you triggering the reauthentication?

Thanks,

Tarik Admani

Hi Tarik,

Thanks for your reply.

If you mean the ACL redirection, please find it below:

ip access-list extended ACL-POSTURE-REDIRECT
deny   ip any host 10.10.10.238    >>> IP address of ISE1
deny   ip any host 10.10.10.239    >>> IP address of ISE2
deny   udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443

To perform the failover I disconnect the ISE1 from the network, and apply the shut and no shut command on the port of the testing machine or sometimes I unplug and plug again the cable of that workstation.

Regards

Zahi

Can you also post the contents of your dACL? When you open a web browser do you get redirected to the nac agent download page?

Can you please post the show authentication session interface x/y, when the agent pops up with ISE1 and then again with ISE2.

Also it may be best to take a pcap of the client machine to see if ISE2 is responding.

Thanks,

Tarik Admani

Hi Tarik,

Below are my answers:

1- The content of the dACL:

ip access-list extended POSTURE-REMEDIATION
permit udp any any eq domain
permit ip any host 10.10.10.125         >>>> antivirus server
permit ip any 10.10.240.0 0.0.0.255   >>>> voice subnet
permit ip any 10.10.31.0 0.0.0.255    >>>> quarantine vlan subnet
permit ip any host 10.10.10.238        >>>> ip add of ISE1
permit ip any host 10.10.10.239        >>>> ip add of ISE2
permit ip any host 10.10.10.206        >>>> wsus server
permit ip any host 10.10.10.10          >>>> domain 1
permit ip any host 10.10.10.100          >>>> domain 2

2- When I open a web browser, yes, I get redirected to the NAC agent download page.

3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:

sw#sho authentication sessions int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  b8ac.6fc9.b26f
           IP Address:  10.10.31.2
            User-Name:  RJ\15592
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  31
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-1.rj.com:8443/guestportal/gateway?sessionId=0A0A0C86000000186ADBBD8B&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C86000000186ADBBD8B
      Acct Session ID:  0x00000023
               Handle:  0x31000018

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

sw#sho authentication sessions int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  b8ac.6fc9.b26f
           IP Address:  10.10.30.12
            User-Name:  RJ\15592
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  30
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C86000000186ADBBD8B
      Acct Session ID:  0x00000023
               Handle:  0x31000018

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

Outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:

sw#sho auth sessions int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  0025.6458.8409
           IP Address:  10.10.31.8
            User-Name:  RJ\15946
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  31
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?sessionId=0A0A0C86000000206AF3FAC1&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C86000000206AF3FAC1
      Acct Session ID:  0x0000002B
               Handle:  0x2C000020

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

You may also find attached the pcap file of the client machine when it is authenticating with ISE2.

Thank you in advance

Zahi


Zahi,

I don't understand your latest response: are you saying the agent is popping up with ISE2, or that it is not popping up with ISE2?

Just so I understand this correctly the first client, authenticates on vlan 31, postures, and then is compliant and then set to vlan 30 with the permit ip any acl assigned.

In your ACL you sent me a different ACL which is defined on the switch, the ISE is referencing - "ACL-POSTURE-REDIRECT", please send the contents of this ACL.

I see that you are using two different machines. Client 0025.6458.8409 is being redirected to the ISE2 agent download page, but does it have the client installed? If so, in the pcap the agent doesn't seem to be sending any discovery packets.

Please test with only one client, and reproduce the issue with the show authentication sessions output like you did previously.

Thanks,

Tarik Admani

Hi Tarik,

In the second test I meant that this is the output after authenticating with ISE2, but the agent didn't pop up; sorry for any inconvenience. It shows that the authentication is successful but the agent is not popping up.

As for the client machine, I'm doing this test remotely as the client is abroad; you're right, it seems that he used a different machine.

I will redo the test and ensure the same client machine is used.

I'll get back to you with the result.

Regards

Zahi

Hi Tarik,

Kindly find below the outputs of the test:

1- The content of the dACL:

ip access-list extended ACL-POSTURE-REDIRECT
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
deny   udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443

2- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:

SW#sho auth sess int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  0021.7070.87be
           IP Address:  10.10.31.4
            User-Name:  15919
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  31
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-1.rj.com:8443/guestportal/gateway?sessionId=0A0A0C860000002A89B45A9A&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C860000002A89B45A9A
      Acct Session ID:  0x00000039
               Handle:  0xC500002A

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

SW#sho auth sess int fast 0/12 
            Interface:  FastEthernet0/12
          MAC Address:  0021.7070.87be
           IP Address:  10.10.30.3
            User-Name:  15919
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  30
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C860000002A89B45A9A
      Acct Session ID:  0x00000039
               Handle:  0xC500002A

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

3- outputs of the show authentication session interface fast 0/12, when the agent fails to popup with ISE2:

SW#sho auth sess int fast 0/12
            Interface:  FastEthernet0/12
          MAC Address:  0021.7070.87be
           IP Address:  10.10.31.4
            User-Name:  15919
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  31
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?sessionId=0A0A0C860000002C89C063BE&action=cpp
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A0A0C860000002C89C063BE
      Acct Session ID:  0x0000003B
               Handle:  0xBD00002C

Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run

SW#sho ip access-lists int fast 0/12
     permit udp any any eq domain (13 matches)
     permit ip any host 10.10.10.125
     permit ip any 10.10.240.0 0.0.0.255
     permit ip any 10.10.31.0 0.0.0.255 (42 matches)
     permit ip any host 10.10.10.238 (15 matches)
     permit ip any host 10.10.10.239
     permit ip any host 10.10.10.206
     permit ip any host 10.10.10.10 (8 matches)
     permit ip any host 10.10.10.100

You may also find attached two log files, ISE2-1 and ISE2-2, retrieved when we were testing the client machine with ISE2 (the scenario was repeated 2 times, which is why I retrieved 2 log files).

Regards

Zahi

Can you post show run aaa, and show run interface fa 0/12?

Thanks,

Tarik Admani


Below are the outputs:

SW#sh run | in aaa
aaa new-model
aaa authentication login default local
aaa authentication login TEST group radius local
aaa authentication enable default enable
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common

SW#sh run int fas 0/12
Building configuration...

Current configuration : 200 bytes
!
interface FastEthernet0/12
switchport access vlan 22
switchport mode access
switchport voice vlan 110
authentication port-control auto
mab
dot1x pae authenticator
spanning-tree portfast
end

Regards

Zahi

Zahi,

Please use the following guide for reference; you need to look into using a port-based ACL, which affects the way traffic is redirected.

http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_sw_cnfg.html

Thanks,

Tarik Admani

Hi Tarik,

Currently we are using ISE 1.4 with dot1x (machine & user authentication) and posturing.

We are using Cisco NAC agent 4.9.5.8 for all Windows machines.

This all works well with Windows 7: after authentication the NAC agent pops up properly and checks the posture. But on a Windows 10 machine it gets stuck at machine authentication only; it does not go forward to the posture check and the NAC agent does not pop up.

Has anyone faced this issue with a Windows 10 machine?

Thanks in advance

bikespace
Level 1

When your NAC agent DOES pop up, what discovery nodes are listed in the pop-up window? Are both of your ISEs in there?

Both ISEs need to be in there, otherwise it won't recognise the second one.

Or you can use a wildcard such as *.mydomain.com

I don't have access to a box at the moment to steer you to the page this is configured on, but I'm sure you'll be able to find it if that is the problem.

Gaz

Gaz,

That is not the proper way to configure the switch port and redirect URLs. Depending on your configuration, and with the redirection profiles configured correctly, the switch port should redirect all HTTP, HTTPS and discovery agent traffic to the URL that ISE hands to the switch port. Similar to when you go to www.google.com and get redirected to download the NAC agent, the same behavior must apply to TCP and UDP traffic destined for the discovery ports.

Thanks,

Tarik Admani
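
As an added example (not code from this thread or from Cisco), a small Python evaluator that applies the ACL-POSTURE-REDIRECT Zahi posted to the kinds of flows Tarik is describing, using the redirect ACL's first-match semantics where only a permit line redirects. The client address 10.10.31.4 is from the session output above; the gateway address 10.10.31.1 and the exact list of agent discovery flows are assumptions, so check them against the agent's documented behaviour.

```python
import ipaddress

# ACL-POSTURE-REDIRECT as posted in this thread. In a Cisco URL-redirect ACL a matching
# "permit" redirects the flow to the ISE portal; a "deny" (or the implicit deny) does not.
ACL_POSTURE_REDIRECT = """
deny   ip any host 10.10.10.238
deny   ip any host 10.10.10.239
deny   udp any any
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 8443
"""
PORT_NAMES = {"www": 80, "domain": 53}

def _addr(toks, i):
    # Consume 'any' | 'host A' | 'A WILDCARD' (IOS wildcard = hostmask, accepted by ipaddress).
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{toks[i]}/{toks[i + 1]}"), i + 2

def parse_acl(text):
    """Parse IOS extended ACEs into (action, proto, src_net, dst_net, dport-or-None)."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        src, i = _addr(toks, 2)
        dst, i = _addr(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        aces.append((toks[0], toks[1], src, dst, dport))
    return aces

def is_redirected(aces, proto, dst_ip, dport, src_ip="10.10.31.4"):
    """First-match evaluation; True only when the matching ACE is a permit."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, p, src_net, dst_net, port in aces:
        if p in ("ip", proto) and src in src_net and dst in dst_net \
                and (port is None or port == dport):
            return action == "permit"
    return False  # implicit deny: forwarded normally, not redirected

def discovery_report(acl_text, gateway, ise_nodes):
    """Assumed discovery flows: TCP/UDP 8905/8906 (named in the thread) plus HTTP to the gateway, and TCP 8905 to each ISE."""
    aces = parse_acl(acl_text)
    flows = {("tcp", gateway, p) for p in (80, 8905, 8906)} | {("udp", gateway, p) for p in (8905, 8906)}
    flows |= {("tcp", node, 8905) for node in ise_nodes}
    return {f: is_redirected(aces, *f) for f in sorted(flows)}
```

With the posted ACL only the HTTP flow is redirected: UDP is denied outright and TCP 8905/8906 to the gateway falls through to the implicit deny, so neither reaches the portal.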

I think you've misunderstood my reply; I haven't suggested a method of configuring redirection. I've stated that if the redirection is working properly and you don't configure both discovery nodes to be authenticated, i.e. both discovery nodes need to be listed, then you won't get pop-ups; the NAC client won't recognise the ISE.
