This document describes how the Cisco Network Admission Control (NAC) Agent discovers a Cisco Identity Services Engine (ISE) policy node, as well as the configuration required to ensure successful communication between the NAC agent and the ISE.
Cisco recommends that you meet these requirements:
Client machine must be provisioned with NAC agent.
ISE must be configured correctly for client provisioning flow.
AAA client (switch or WLC) must be configured with proper redirect ACL. It is critical that this ACL redirects any communication on port 80 and does not redirect communication on port 8905.
Client machine must be able to resolve the ISE hostname.
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
When the NAC agent starts, it follows this sequence:
HTTP discovery probe on port 80 to discovery host, if one is configured.
HTTPS discovery probe on port 8905 to the discovery host, if one is configured.
HTTP discovery probe on port 80 to default gateway.
HTTPS reconnect probe on 8905 to previously contacted ISE policy node.
Repeat from 1.
Successful posture validation depends on the agent reaching the policy node that authenticated the original 802.1x/MAB session and receiving the session information. This information is available to the switch but not the agent. The agent attempts to connect to any node when it comes up.
In steps 1 and 3, notice that the NAC agent uses HTTP traffic to port 80 specifically to reach the discovery host or the default gateway. This process occurs because the ISE client provisioning flow requires port 80 to be redirected to the ISE policy node that authenticated the session. As long as the control path processor (CPP) flow and URL redirect configuration is correct and working, any NAC agent in the network should experience no problems reaching the correct policy node. One caveat to remember is that the redirect URL contains the hostname of ISE, so the client machine should be able to resolve that to the IP of the policy node.
If URL redirect is not working or is not configured, then steps 2 and 4 are used as failover. These steps are used only if you have configured a discovery host or if the agent has connected to this ISE deployment previously. Even if the agent gets to a Policy Decision Point (PDP) using step 2 or 4, it does not guarantee that the posture validation will succeed because the session information may not be available on that PDP.
In order to work around this issue, node groups can be set up to share session information. However, it is much simpler to configure and get URL redirection working.
In order to verify whether the NAC agent will be able to reach the policy node, open a browser on the client machine and go to this URL: https://<ise-hostname>:8905/auth/discovery
ISE should return a page that includes this text: X-Perfigo-CAS=<FQDN of ISE>