This document describes how the Cisco Network Admission Control (NAC)
Agent discovers a Cisco Identity Services Engine (ISE) policy node, as well as
the configuration required to ensure successful communication between the NAC
agent and the ISE.
Cisco recommends that you meet these requirements:
Client machine must be provisioned with NAC agent.
ISE must be configured correctly for client provisioning.
AAA client (switch or WLC) must be configured with proper redirect ACL. It is critical that this ACL redirects any communication on port 80 and does not redirect communication on port 8905.
Client machine must be able to resolve the ISE
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
When the NAC agent starts, it follows this sequence:
1. HTTP discovery probe on port 80 to discovery host, if one is
2. HTTPS discovery probe on port 8905 to the discovery host, if one is
3. HTTP discovery probe on port 80 to default
4. HTTPS reconnect probe on 8905 to previously contacted ISE policy
5. Repeat from 1.
Successful posture validation depends on the agent reaching the policy
node that authenticated the original 802.1x/MAB session and receiving the
session information. This information is available to the switch but not the
agent. The agent attempts to connect to any node when it comes up.
In steps 1 and 3, notice that the NAC agent uses HTTP traffic to port
80 specifically to reach the discovery host or the default gateway. This
process occurs because the ISE client provisioning flow requires port 80 to be
redirected to the ISE policy node that authenticated the session. As long as
the control path processor (CPP) flow and URL redirect configuration are correct
and working, any NAC agent in the network should experience no problems
reaching the correct policy node. One caveat to remember is that the redirect
URL contains the hostname of ISE, so the client machine should be able to
resolve that to the IP of the policy node.
If URL redirect is not working or is not configured, then steps 2 and 4
are used as failover. These steps are used only if you have configured a
discovery host or if the agent has connected to this ISE deployment previously.
Even if the agent reaches a Policy Decision Point (PDP) using step 2 or 4, this
does not guarantee that posture validation will succeed, because the session
information may not be available on that PDP.
In order to work around this issue, node groups can be set up to share
session information. However, it is much simpler to configure and get URL
In order to verify whether the NAC agent will be able to reach the
policy node, open a browser on the client machine and go to this URL:
ISE should return a page that includes this text:
X-Perfigo-CAS=<FQDN of ISE>
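The redirect-ACL requirement above and the X-Perfigo-CAS check are the two conditions a practitioner can verify mechanically. The following Python is an added example, not part of the Cisco document: it parses a constructed IOS-style redirect ACL (the ACL name and entries are assumptions), applies first-match semantics to confirm that TCP/80 is redirected while TCP/8905 is not, and extracts the ISE FQDN from a constructed discovery page that carries the X-Perfigo-CAS marker.

```python
import re

# Constructed sample of a redirect ACL in the sense this page uses: "permit"
# entries name traffic the switch redirects to ISE, "deny" entries name traffic
# that passes without redirection. The ACL name and entries are assumptions.
SAMPLE_REDIRECT_ACL = """
ip access-list extended ISE-REDIRECT
 deny   udp any any eq domain
 deny   tcp any any eq 8905
 deny   tcp any any eq 8443
 permit tcp any any eq www
"""

# Constructed fragment of the page ISE returns to the verification URL.
SAMPLE_PAGE = "<html><body>X-Perfigo-CAS=ise-pdp1.example.com</body></html>"

PORT_NAMES = {"www": 80, "domain": 53}
ACE_RE = re.compile(r"\s*(permit|deny)\s+(tcp|udp|ip)\s+any\s+"
                    r"(?:any|host\s+\S+)(?:\s+eq\s+(\S+))?")


def parse_acl(text):
    """Return (action, protocol, port) tuples; port is None when unspecified."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            action, proto, port = m.groups()
            if port is not None:
                port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
            entries.append((action, proto, port))
    return entries


def is_redirected(entries, proto, port):
    """First matching entry wins; no match means the implicit deny (no redirect)."""
    for action, eproto, eport in entries:
        if eproto in (proto, "ip") and eport in (None, port):
            return action == "permit"
    return False


def check_redirect_acl(text):
    """The two conditions from the page: port 80 redirected, port 8905 left alone."""
    entries = parse_acl(text)
    return {"port80_redirected": is_redirected(entries, "tcp", 80),
            "port8905_bypassed": not is_redirected(entries, "tcp", 8905)}


def perfigo_fqdn(page_text):
    """Extract the ISE FQDN from the X-Perfigo-CAS marker, or None if absent."""
    m = re.search(r"X-Perfigo-CAS=([A-Za-z0-9.\-]+)", page_text)
    return m.group(1) if m else None
```

An ACL that simply permits all TCP (a common mistake) fails the second condition, because the 8905 reconnect probe would be redirected into the portal as well.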