Description: The agent is unable to communicate with NAC while in isolation.
Solution: The NAC Server/Application Server serves built-in SRV records that agents in isolation use to locate it. Verify that NAC answers the following query (run it from the NAC Server/Application Server CLI; <isolation-domain> is the isolation search domain handed out by DHCP):
dig @isolation SRV _bradfordagent._udp.<isolation-domain>
Example (where the Application Server hostname is acorn.bradfordnetworks.com and the isolation domain is bradfordnetworks-isol.com):
dig @isolation SRV _bradfordagent._udp.bradfordnetworks-isol.com
Expected results (where 192.168.23.2 is the address of the eth1 isolation interface):
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @isolation SRV _bradfordagent._udp.bradfordnetworks-isol.com
; (1 server found)
;; global options: +cmd
;; Got Answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37618
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_bradfordagent._udp.bradfordnetworks-isol.com. IN SRV
;; ANSWER SECTION:
_bradfordagent._udp.bradfordnetworks-isol.com. 15 IN SRV 0 0 4567 acorn.bradfordnetworks.com.
;; AUTHORITY SECTION:
bradfordnetworks-isol.com. 15 IN NS isol.bradfordnetworks-isol.com.
;; ADDITIONAL SECTION:
isol.bradfordnetworks-isol.com. 15 IN A 192.168.23.2
;; Query time: 1 msec
;; SERVER: 192.168.23.2#53(192.168.23.2)
;; WHEN: Tue Jun 13 07:59:52 EDT 2017
;; MSG SIZE rcvd: 155
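To make this check repeatable, here is an added example (not part of the original article or of the product) in Python: it parses dig's output and verifies that the answer is authoritative, that the SRV record points at the expected Application Server and port, and that the isolation name server's glue address is the eth1 address. The expected output above is embedded as a constructed sample so the checker runs offline; run it with --live on the NAC server to query the isolation listener instead. The hostname acorn.bradfordnetworks.com, port 4567 and address 192.168.23.2 are the article's values and are assumptions for any other installation.

```python
"""Check the isolation SRV answer for the NAC agent.

Added example, not part of the original article or the product: parses the
output of `dig @isolation SRV _bradfordagent._udp.<isolation-domain>` and
compares it with the values the article expects.
"""
import re
import subprocess
import sys

# Constructed sample: the expected dig output from the article (trimmed), so the checker runs offline.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> @isolation SRV _bradfordagent._udp.bradfordnetworks-isol.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37618
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;_bradfordagent._udp.bradfordnetworks-isol.com. IN SRV

;; ANSWER SECTION:
_bradfordagent._udp.bradfordnetworks-isol.com. 15 IN SRV 0 0 4567 acorn.bradfordnetworks.com.

;; AUTHORITY SECTION:
bradfordnetworks-isol.com. 15 IN NS isol.bradfordnetworks-isol.com.

;; ADDITIONAL SECTION:
isol.bradfordnetworks-isol.com. 15 IN A 192.168.23.2

;; SERVER: 192.168.23.2#53(192.168.23.2)
"""

# Values from the article; assumptions for any other installation.
QUERY_NAME = "_bradfordagent._udp.bradfordnetworks-isol.com"
EXPECTED = {"target": "acorn.bradfordnetworks.com", "port": 4567, "ip": "192.168.23.2"}

HEADER_RE = re.compile(r";; ->>HEADER<<-.*status: (\w+)")
FLAGS_RE = re.compile(r";; flags: ([^;]*);")
SECTION_RE = re.compile(r";; (\w+) SECTION:")


def parse_dig(text):
    """Return (status, flags, records); a record is (section, owner, ttl, type, rdata tokens)."""
    status, flags, section, records = None, set(), None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):  # header, flags and section markers are ';' lines
            if HEADER_RE.match(line):
                status = HEADER_RE.match(line).group(1)
            elif FLAGS_RE.match(line):
                flags = set(FLAGS_RE.match(line).group(1).split())
            elif SECTION_RE.match(line):
                section = SECTION_RE.match(line).group(1)
            continue
        fields = line.split()  # owner ttl class type rdata...
        if section is None or len(fields) < 5:
            continue
        records.append((section, fields[0].rstrip(".").lower(), int(fields[1]), fields[3], fields[4:]))
    return status, flags, records


def verify_isolation_srv(text, query_name, expected_target, expected_port, expected_ip):
    """Return a list of problems; an empty list means the answer is what the article expects."""
    status, flags, records = parse_dig(text)
    problems = []
    if status != "NOERROR":
        problems.append(f"status is {status}, expected NOERROR")
    if "aa" not in flags:
        problems.append("answer is not authoritative (no 'aa' flag): the isolation zone is not served here")
    want = query_name.rstrip(".").lower()
    srvs = [r for r in records if r[0] == "ANSWER" and r[3] == "SRV" and r[1] == want]
    if not srvs:
        problems.append(f"no SRV record for {want} in the ANSWER section")
    for _, _, _, _, rdata in srvs:  # rdata: priority weight port target
        port, target = int(rdata[2]), rdata[3].rstrip(".").lower()
        if port != expected_port or target != expected_target.rstrip(".").lower():
            problems.append(f"SRV points at {target}:{port}, expected {expected_target}:{expected_port}")
    # Glue for the isolation name server must be the eth1 address, not a production interface.
    for _, owner, _, _, rdata in (r for r in records if r[0] == "ADDITIONAL" and r[3] == "A"):
        if rdata[0] != expected_ip:
            problems.append(f"{owner} resolves to {rdata[0]}, expected the isolation interface {expected_ip}")
    return problems


def run_dig(query_name, server="isolation"):
    """Run dig on the NAC server itself (needs dig and the isolation listener)."""
    return subprocess.run(["dig", "@" + server, "SRV", query_name],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    output = run_dig(QUERY_NAME) if "--live" in sys.argv else SAMPLE_DIG_OUTPUT
    found = verify_isolation_srv(output, QUERY_NAME, EXPECTED["target"], EXPECTED["port"], EXPECTED["ip"])
    print("OK: isolation SRV answer as expected" if not found else "\n".join("PROBLEM: " + p for p in found))
    sys.exit(1 if found else 0)
```

The authoritative-answer check matters: without the aa flag the record is coming from a forwarder or a cache rather than from the isolation zone on this server, which is exactly the misconfiguration the rest of this article walks through.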
Solution: If no answer is returned, verify that the contents of the following files are correct (BIND's own named-checkzone bradfordnetworks-isol.com /var/named/chroot/etc/domain.zone.isol will flag syntax errors in the zone file, but not a wrong hostname, port or address):
/var/named/chroot/etc/domain.zone.isol
Example:
$TTL 15s
bradfordnetworks-isol.com. IN SOA isol.bradfordnetworks-isol.com. root.isol.bradfordnetworks-isol.com. (
        1          ; serial
        10800      ; refresh
        3600       ; retry
        604800     ; expire
        86400      ; minimum
        )
        IN NS  isol.bradfordnetworks-isol.com.
        IN TXT "Isolation Domain"
$ORIGIN bradfordnetworks-isol.com.
b._dns-sd._udp   PTR @
lb._dns-sd._udp  PTR @
_networksentry._tcp  PTR AgentConfig._networksentry._tcp
;Insert agent line here
; Needs to be here for BN_OTHER_HOSTNAME
AgentConfig._networksentry._tcp  SRV 0 0 443 acorn.bradfordnetworks.com.
                                 TXT path=/registration/agent/config
_networksentry._tcp  SRV 0 0 443 acorn.bradfordnetworks.com.
                     TXT path=/registration/agent/config
_bradfordagent._udp  SRV 0 0 4567 acorn.bradfordnetworks.com.
_bradfordagent._tcp  SRV 0 0 4568 acorn.bradfordnetworks.com.
*.bradfordnetworks-isol.com. IN A 192.168.23.2
;*.bradfordnetworks-isol.com. IN AAAA BN_ISOL_6IP
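This zone file is easy to get subtly wrong: a missing trailing dot on an SRV target makes BIND append the origin, so acorn.bradfordnetworks.com becomes acorn.bradfordnetworks.com.bradfordnetworks-isol.com. and the agent never reaches the server. The following is an added example, not part of the original article or of the product: a Python checker that parses domain.zone.isol the way BIND loads it ($TTL, $ORIGIN, parenthesised SOA, owner inheritance for indented records) and confirms that the SRV records the agent needs point at the Application Server with the ports shown above and that the wildcard A record points at the isolation interface. The listing above is embedded as a constructed sample; the zone name, hostname and address are the article's values and are assumptions for any other installation.

```python
"""Sanity-check domain.zone.isol before reloading named (added example, not the
article's or the product's code): parse the zone as BIND loads it and check the
records the isolated agent needs."""
import re

# Constructed sample: the domain.zone.isol listing from the article, with normal zone-file indentation.
SAMPLE_ZONE = """\
$TTL 15s
bradfordnetworks-isol.com. IN SOA isol.bradfordnetworks-isol.com. root.isol.bradfordnetworks-isol.com. (
        1 10800 3600 604800 86400 )
        IN NS  isol.bradfordnetworks-isol.com.
        IN TXT "Isolation Domain"
$ORIGIN bradfordnetworks-isol.com.
_networksentry._tcp PTR AgentConfig._networksentry._tcp
AgentConfig._networksentry._tcp SRV 0 0 443 acorn.bradfordnetworks.com.
                                TXT path=/registration/agent/config
_networksentry._tcp SRV 0 0 443 acorn.bradfordnetworks.com.
                    TXT path=/registration/agent/config
_bradfordagent._udp SRV 0 0 4567 acorn.bradfordnetworks.com.
_bradfordagent._tcp SRV 0 0 4568 acorn.bradfordnetworks.com.
*.bradfordnetworks-isol.com. IN A 192.168.23.2
;*.bradfordnetworks-isol.com. IN AAAA BN_ISOL_6IP
"""

CLASSES = {"IN", "CH", "HS"}
TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# SRV labels the agent looks up, with the port the article's zone assigns to each.
REQUIRED_SRV = (("_bradfordagent._udp", 4567), ("_bradfordagent._tcp", 4568),
                ("_networksentry._tcp", 443), ("AgentConfig._networksentry._tcp", 443))

def is_ttl(tok):
    return re.fullmatch(r"\d+[smhdw]?", tok, re.I) is not None

def parse_ttl(tok):
    return int(tok[:-1]) * TTL_UNITS[tok[-1].lower()] if tok[-1].isalpha() else int(tok)

def absolutize(name, origin):
    # '@' means the origin; a name without a trailing dot gets the origin appended, as BIND does.
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    # Yield (indented, text) per record: ';' comments stripped, parenthesised continuations joined.
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # a ';' inside a quoted TXT string is not handled
        if not line.strip():
            continue
        if not buf:
            indented = line[:1].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.strip())
        if depth <= 0:
            yield indented, " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0

def parse_zone(text, zone_name):
    """Return [(owner, ttl, rtype, rdata_tokens)] with absolute owner names."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    default_ttl, last_owner, records = None, None, []
    for indented, logical in _logical_lines(text):
        tokens = logical.split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        owner = last_owner if indented else absolutize(tokens.pop(0), origin)  # blank owner = previous owner
        ttl = default_ttl
        for _ in range(2):  # optional TTL and class, in either order
            if tokens and is_ttl(tokens[0]):
                ttl = parse_ttl(tokens.pop(0))
            elif tokens and tokens[0].upper() in CLASSES:
                tokens.pop(0)
        records.append((owner, ttl, tokens.pop(0).upper(), tokens))
        last_owner = owner
    return records

def check_isolation_zone(zone_text, zone_name, app_fqdn, isol_ip):
    """Return a list of problems; an empty list means the zone carries what the agent needs."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    app = app_fqdn.rstrip(".").lower() + "."
    recs = parse_zone(zone_text, origin)

    def find(owner, rtype):
        return [r for r in recs if r[0].lower() == owner.lower() and r[2] == rtype]

    problems = [f"missing {t} record for {origin}" for t in ("SOA", "NS") if not find(origin, t)]
    for label, port in REQUIRED_SRV:
        owner = f"{label}.{origin}"
        srvs = find(owner, "SRV")
        if not srvs:
            problems.append(f"missing SRV record {owner}")
        for _, _, _, rdata in srvs:  # priority weight port target
            target = absolutize(rdata[3], origin).lower()  # a forgotten trailing dot shows up here
            if target != app:
                problems.append(f"{owner} SRV target is {target}, expected {app} (missing trailing dot?)")
            if int(rdata[2]) != port:
                problems.append(f"{owner} SRV port is {rdata[2]}, expected {port}")
    wild = find("*." + origin, "A")
    if not wild or wild[0][3][0] != isol_ip:
        problems.append(f"*.{origin} needs an A record for the isolation interface {isol_ip}")
    return problems
```

To check the live file on the NAC server, pass its text in: check_isolation_zone(open("/var/named/chroot/etc/domain.zone.isol").read(), "bradfordnetworks-isol.com", "acorn.bradfordnetworks.com", "192.168.23.2") returns an empty list when the zone is consistent and one line per problem otherwise.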
/var/named/chroot/etc/named.conf
The following entry ensures that the FQDN of the server (the SRV target) is resolved locally, by forwarding queries for it to the listener on 127.0.0.6, even if its domain is also defined in zones.common:
// zone added for DNS SRV lookup
zone "acorn.bradfordnetworks.com" {
type forward;
forwarders { 127.0.0.6; };
};
The following entry defines the master zone for the search domain that DHCP hands out to hosts in isolation:
// ISOL zone added for DNS SRV lookup
zone "bradfordnetworks-isol.com" {
type master;
file "domain.zone.isol";
};