Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide

If you decide not to redirect HTTP traffic destined to the proxy, your users have direct access to the whole Internet (since all traffic goes through the proxy) without authenticating or posturing. The solution is to modify the clients' browser settings and add an exception for the ISE IP address in the proxy settings. This way, when the client has to reach ISE, it sends the request directly to ISE and not to the proxy. This avoids the infinite loop where the client is constantly redirected but never sees the login page.

Note that the NAC agent is not affected by the proxy settings entered in the system and continues to act normally. This means that if you use a web proxy, you cannot both have NAC agent discovery working (because it uses port 80) and have users self-install the agent once they are redirected to the posture page when they browse (since that uses the proxy port, and typical switches cannot redirect on multiple ports).
Discovery Hosts Are Configured in the NAC Agent
Especially since ISE Version 1.2, it is recommended not to configure any discovery host on the NAC agent unless you have expertise in what it does and does not do. The NAC agent is supposed to discover, through HTTP discovery, the ISE node that authenticated the client device. If you rely on discovery hosts, the NAC agent might contact an ISE node other than the one that authenticated the device, and that does not work. ISE Version 1.2 rejects an agent that discovers the node through the discovery host process, because it wants the NAC agent to obtain the session ID from the redirect URL, so this method is discouraged.

In some cases, you might still want to configure a discovery host. It should then be configured with any IP address (even a non-existent one) that is redirected by the redirect ACL, and it should ideally not be in the same subnet as the client (otherwise the client ARPs indefinitely for it and never sends the HTTP discovery packet).
NAC Agent Does Not Pop Up Sometimes
When the issue is more intermittent and actions such as unplugging and replugging the cable or Wi-Fi connectivity make it work, the problem is more subtle. It could be a problem with the RADIUS session IDs, where the session ID is deleted on the ISE by RADIUS accounting (disable accounting to see if that changes anything).

If you use ISE Version 1.2, another possibility is that the client sends many HTTP packets, none of which come from a browser or the NAC agent. ISE Version 1.2 inspects the User-Agent field of HTTP packets to determine whether they come from the NAC agent or a browser, but many other applications send HTTP traffic with a User-Agent field that does not mention any operating system or other useful information. ISE Version 1.2 then sends a Change of Authorization to disconnect the client. ISE Version 1.3 is not affected by this issue because it works in a different manner. The solution is either to upgrade to Version 1.3 or to allow all detected applications in the redirect ACL so that they are not redirected towards ISE.
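The following script is an added example, not part of the original guide, for triaging this case: it sorts a constructed sample of redirected HTTP requests by User-Agent so that the destinations reached only by background applications (no browser, no NAC agent) can be reviewed for exclusion from the redirect ACL. The User-Agent heuristic and the agent marker are simplified assumptions for the example, not ISE's actual classification logic.

```python
import re
from collections import defaultdict

# Constructed sample of HTTP requests seen on the redirect path before the
# user has authenticated: (client IP, destination host, User-Agent header).
# These are made-up values for illustration, not data from the guide.
SAMPLE_REQUESTS = [
    ("10.1.1.20", "www.example.com", "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/31.0"),
    ("10.1.1.20", "updates.example.net", "ExampleUpdater/2.1"),
    ("10.1.1.20", "telemetry.example.org", "ExampleTelemetry"),
    ("10.1.1.21", "updates.example.net", "ExampleUpdater/2.1"),
    ("10.1.1.21", "ise.example.local", "Cisco NAC Web Agent"),  # hypothetical agent UA
]

# Simplified heuristic standing in for the ISE 1.2 check described above.
# It is an assumption for this example, not ISE's real implementation.
OS_HINTS = ("Windows", "Macintosh", "Mac OS", "Linux", "Android", "iPhone", "iPad")
AGENT_MARKER = re.compile(r"\bNAC\b", re.IGNORECASE)


def classify(user_agent):
    """Return 'nac-agent', 'browser' or 'other' for one User-Agent header."""
    if AGENT_MARKER.search(user_agent):
        return "nac-agent"
    # Browsers announce a platform; most background applications do not.
    if user_agent.startswith("Mozilla/") and any(h in user_agent for h in OS_HINTS):
        return "browser"
    return "other"


def exemption_candidates(requests):
    """Map each destination reached by 'other' traffic to the User-Agents seen.

    These are the destinations an administrator would review for exclusion
    from the redirect ACL, so background traffic never hits the ISE portal.
    """
    by_dest = defaultdict(set)
    for _client, dest, ua in requests:
        if classify(ua) == "other":
            by_dest[dest].add(ua)
    return {dest: sorted(uas) for dest, uas in sorted(by_dest.items())}


if __name__ == "__main__":
    for dest, uas in exemption_candidates(SAMPLE_REQUESTS).items():
        print(f"{dest}: {', '.join(uas)}")
```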
Reverse Problem: Agent Pops Up Repeatedly
The opposite problem can arise: the agent pops up, performs the posture analysis, validates the client, and then pops up again shortly afterwards instead of allowing network connectivity and staying silent. This happens because, even after a successful posture, HTTP traffic is still redirected to the CPP portal on ISE. It is then a good idea to go through the ISE authorization policy and check that you have a rule that sends a permit access (or a similar rule with possible ACLs and VLANs) when it sees a compliant client, and NOT a CPP redirection again.