NAC Agent and NSP provisioning with ISE 1.1.1

I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
I am currently using the default guest portal in ISE.
The environment has been setup using a Dual SSID design.
At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
The problem is the portal never attempts to install the NAC Agent.
The client provisioning policy has a separate policies for wireless/wired as well as OS. Each policy applies both a NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
Any ideas?

Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.
With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.
Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.
Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal
Hope that helps,
Tarik Admani
*Please rate helpful posts*

Similar Messages

  • Anybody know the Roadmap for combining NAC Agent and Cisco AnyConnect?

    Heard a rumor that Cisco is going to combine the functionality of the NAC Agent and Cisco AnyConnect as far as being an 802.1x supplicant, does anyone have any information about this?  Like is it true and if so, any idea when it will happen?

    Hi ,
    There is no comitted plan for NAC and Anyconnect  integration. But Anyconnect now comes with a module called NAM ( network access module) which can do dot1x as well.
    Here is the link for that :
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
    Thanks
    Waris

  • Cisco NAC Agent and Windows 8 still not working

    Hello. I recently upgraded the Cisco NAC Agent to the latest version (4.9.1.13) on a Windows 8 VM. The release notes state that Windows 8 support has been added, and that a patch must be downloaded. However, the information about the patch is vague. I'm not sure if it's a client or server-side patch, or perhaps if I already have it as a result of upgrading to the latest version.
    I ask this because I plan to upgrade some computers to Windows 8, and have noticed that Cisco NAC Agent can't handshake with the NAC server on Windows 8 (both native and VM), and despite upgrading to the latest version, the handshake is still unsuccessful.
    Thanks,
    -Collin

    Hi Collin,
    The 4.9.1 Patch for Windows 8 Support can be downloaded from the following link :
    http://www.cisco.com/cisco/software/release.html?mdfid=282910502&flowid=34713&softwareid=282573326&release=4.9.1&relind=AVAILABLE&rellifecycle=&reltype=latest
    The patch should be applied to both 4.9.1 CAM and CAS.
    Please go through the README file for patch provided in the download link provided above. It has detailed information.
    Regards,
    Karthik Chandran

  • Different between cisco NAC agent and cisco Clean Access Agent

    Hi all,
    if anyone has idea about different between cisco NAC agent and cisco Clean Access Agent, please share your ideas.
    thank you

    In 4.6, the agent was overhauled and is now called the NAC agent.  Previous versions were referred to as the Clean Access Agent.  So pretty much, the 4.5 agent and 4.1.3.2 agents are Clean Access agents, and the 4.6.x and 4.7.x agents are called NAC agents.
    Some of the changes made were moving a lot of the agent configuration to an XML file, redesigning the GUI, adding a service portion (so that the stub agent is no longer required), and better agent logging.

  • Cisco ISE NAC agent and Microsoft roaming profiles

    Hi there,
    I have installed Identity services engine version 1.1.3 in didstributed mode. The NAC agent is installed on the end user PC joined to the domain. when a user with a roaming profile logs into the PC, the NAC agent fails to run posture assesment, but if a user with non-roaming profile logs in, the NAC agent does posture and full network access is granted.
    Is there something i need to do to enable the NAC agent to perform posture for users with a roaming profile.
    Regards,
    Henry

    Hello,
    I found the following from the cicso doc. Hope it helps!
    The following failure  scenarios might cause the Cisco NAC Agent to appear following successful  user authentication when the client machine roams between CASs in Layer  3 (both In-Band and Out-of-Band) and Layer 2 /Layer 3 Out-of-Band  environments. Erroneous Agent login dialogs could also appear if users  roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC  network:
    –ARP poisoning
    –Temporary loss of network connection between the client machine and the CAS
    –Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
    Cisco offers the following recommendations to prevent this situation:
    –Ensure  all trusted networks (post-authentication) can reach the CAS untrusted  interface IP address through the CAS trusted interface only
    –Block  discovery packets from all non-NAC networks to the CAS untrusted  interface IP address (discovery packets that arrive on the trusted  interface of the CAS are blocked by default)
    For more information please refer to the following link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html

  • ISE redirect to install NAC Agent for Anyconnect users with Split Tunnel?

    Due to management directive I am not able to disable SPLIT TUNNEL for our VPN users. For this reason, I can not figure out how to enforce the REDIRECT to ISE for forcing the VPN users to install the NAC AGENT.
    Is this possible? If so can we get some documentation on how this is done? Screenshots would be great.
    Thanks,
    Dirk

    I couldn't find the answer that I seek in that doc.
    I am trying to see if I can force traffic to the redirect for installing the NAC agent, even on split tunnel traffic....perhaps forcing the first webpage the user opens forces the user to the redirect page if the NAC agent isn't detected.
    Thanks,
    Dirk

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
    The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
    The redirected URL is working fine (SEE Evidence)
    We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
    The operations status remains with postering status pending forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
    authentication session.
    Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
    Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than
    Cisco IOS Release 12.2.(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
    agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
    choose Properties, and check the discovery host.) - OK (See evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE
    and the end client machine. Limited access ACL applied for the session should
    allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue.
    Ensure that the certificate that is used for Swiss communication on the end client
    is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • NAC Server and Manager Failure with out failover

    Hi, I'm working on a NAC L2 OOB wired design with 1 CAM and 1 CAS. I've not included failover to the design for the obvious financial reasons, and want to figure out the affect that the network would have in the case of a failure.
    1.)What would the users experience in the event of a CAS failure? both currently online users and new users
    2.)What would the users experience in the event of a CAM failure? both currently online users and new users
    3.) Are there any ideas on how to minimize the effect on the users in the event of a failure, w/o adding failover bundle ?
    Many thanks for your valuable input in advance.
    Din

    If you are out OOB, then a CAS failure would not affect logged in, remediated users, anyone not logged in would be stuck because when the CAS fails, the connectivity to the CAM would be lost.
    If the CAM fails, you will not be able to log in, do remediation or anything. VLAN settings on switches will be frozen where they are at the moment of CAM faiure. Not that you could easily connect to switches, change vlans to allow users onto the LAN and the CAM would accept that passively when restarted but if you use the Agent it will probably want to log in again, which is not a huge issue if you use AD SSO.
    Dan Sichel
    Dan S.

  • NAC Agent is not responding to ISE

    Hi All,
    Cisco NAC Agent got downloaded to the client during client provisioning. After that also Posture status is showing as 'Not applicable'.
    Also Redirection is only happening if i type any ip address ex.1.1.1.1 on the browser. if i type google.com, its not redirecting.
    ISE is in Cluster mode 1 Admin, 1 Monitor, 1 PSN. Version 1.2.1.198.
    Note: Before the upgrade it was showing 'Posture Pending' status. 

    what is the NAC version?
    could be a bug CSCuq52821

  • Manage agent and  Crs resource with OEM

    Hello,
    through OEM and agent I can monitor the situation of a lot of crs resource:
    Scan, Database, Instance, Listener.
    I don't understand how it's possibile to monitor and control application like
    the agent itself and crs resource that I have create for control filesystem or application.
    There is a way to do this?
    Thanks in advance
    D.
    Configuration
    Rac 11g r2 solaris sparc
    oem 10g solaris sparc.

    You question:
    I don't understand how it's possibile to monitor and control application like
    the agent itself and crs resource that I have create for control filesystem or application.
    There is a way to do this?
    The agent yes, see my previous remark

  • Machine and User authentication with ISE 1.2.1

    Hi ,
    Can any one tell me in machine authentication what access need to be enable DACL for machine logon?
    Can we enable the access on port level ? direct to tcp/udp or ip level what is the best practice.
    Thanks 
    Pranav

    is this what you are looking for EAP Chaining which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • ISE nac agent provisioning question

    I have downloaded the nac agents and compliancy modules to the ISE, and configured the client provisioning rules. The user guide doesn't really explain the next steps very good.
    I guess because User Identity Groups are used in the policy, the provisioning is used with webauth, is that correct?

    Jeppe,
    The client provisioning is done with any authentication method. Either via dot1x or webauth, it is the authorization policy that starts this process. You redirect your clients the client provisioning portal using the authorization policy. Then you determine which agent (web agent, nac agent, or no agent) via the client provisioning policy.
    Hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • ISE 1.0 Posture and Client provisioning

    I've configured 802.1x with dynamic VLAN for users and MAB for phones - it works fine. Now I wanna to implement client provisioning and posture validation for users. After reading ISE user guide there are still several big questions:
    1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
    2. How can I bind existing 802.1x authorization profile and posture policy?
    3. What is a switch configuration for client provisioning to work(redirect, quarantine zone, download NAC agent)?
    4. Do ISE posture and client provisioning have L2 virtual gateway, trusted and untrusted ports, as in NAC?

    With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with Radius, that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
    Still, with ISE you have another option of "inline Posture", in which there's trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, so called "out-of-band" NAC was really always an inline solution, only after the user has authenticated and security policies have been verified then the user goes "out-of-band".

  • NAC AGENT - DISCOVERY HOST IP ADDRESS with AD

    Hi,
    We have deployed a Cisco NAC Agent in our network with GPO update... The deployment model is L3 OOB / Real IP Gateway.
    The issue is that, we need to put the IP address in each host manually to start communicating with Cisco NAC Manager.
    Is there any way to make it automatic?
    Regards,
    Mubasher

    Hi Mubashir,
    I faced the same problem with cisco ISE and Tiago's response actually helped see below.
    " You can also distribute the NACAgentCFG.xml file with that value set.
    Please find here detailed info regarding this file:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
    In that link, read the section: Agent Customization Settings
    From a NAC agent that has successfully been deployed with the IP configured , go to the NAC agent installation folder 
    C:\Program Files (x86)\Cisco\Cisco NAC Agent , and copy the NACAgentCFG.xml , open with wordpad and edit the line
    IP of PDP node or ISE standalone server
    Then place the edited NACAgent.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed , it automatically picks the configs from the .xml file.
    Regards,
    Henry

  • NAC agent don't popup on some computer

    Hi
    I use
    ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
    NAC agent  does not run on some computers and run on other(windows 7).
    What can be these problems?
    Please help
    Regards

    Please look in to this , it might help you
    Agent Login Dialog Not Appearing
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions
    This issue can generally take place during the posture assessment phase of any user authentication session.
    Possible Causes
    There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
    Resolution
    •Ensure that the agent is running on the client machine.
    •Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
    •Ensure  that the discovery host address on the Cisco NAC agent or Mac OS X  agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
    •Ensure  that the access switch allows Swiss communication between Cisco ISE and  the end client machine. Limited access ACL applied for the session  should allow Swiss ports:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
    port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    •If  the agent login dialog still does not appear, it could be a certificate  issue. Ensure that the certificate that is used for Swiss communication  on the end client is in the Cisco ISE certificate trusted list.
    •Ensure that the default gateway is reachable from the client machine.

Maybe you are looking for