Cisco Clean Access Server eth0 port inactive on install

I am trying to learn how the Cisco NAC appliances work. I have created a small self-contained test network with a Server 2003 domain controller, a fake domain setup and some workstations joined to the domain.
I have two NAC appliances, one is the Server and one is the Manager.
When I follow the instructions from the manual to install the server from the CD everything seems to go fine. I plan to use it as a bridge in the network so I applied the same IP address to both the eth0 and eth1 interface (the eth1 interface is not connected to the network during install as per instructions)
Here is the issue I am having: After configuration is finished and the CCA server re-boots, I cannot ping the server when it is connected by eth0. If I swap the network cable over to eth1, however, I can ping the device.
Is this normal?

I have the same issue. But it gets even stranger; I had the CAM/CAS working in a test LAN environment, got the AD SSO to work by applying VLANs based on AD group membership of the user logging on. Client was pleased.
Moved the two NAC devices to their location and reloaded clean both CAM & CAS from CD, did the same configuration and now eth0 (Trusted) can't see the AD domain controller but can see the CAM. I ran nslookup on the CAS to test the network settings and the result is no server found - the DNS server is the AD domain controller.

Similar Messages

  • Cisco Clean Access Manager is a software or hardware?

    Hi, all
    Is Cisco Clean Access Manager software integrated in the Cisco Clean Access Server, or a single hardware device?
    NAC is new to me. I can't open the NAC flash demo, so can anyone provide me with the NAC appliance and NAC Framework deployed topology? Thank you.
    Respects!
    MinQuant

    Hi,
    This is an appliance ... so it's hardware
    Look here for more information on the subject:
    http://www.cisco.com/en/US/products/ps6128/products_qanda_item0900aecd803be813.shtml
    If you find this post useful
    please don't forget to rate this
    #Iwan Hoogendoorn

  • NAC/Clean Access Server no longer intercepting Clients after upgrade

    We recently upgraded our Cisco Clean Access Manager and Server to version 4.8.2 from 4.8.0.  Everything seemed to be working fine but I had a user log in without having the NAC Agent running and they had full access.  We didn't change anything other than upgrading to the new version.  We have found that the user has access even before the Windows Agent is completed with the assessment of the client.  It worked fine before the upgrade....Again, we made no changes other than upgrading to the new version (no route changes, etc).
    I even tried an explicit deny for the user's workstation's MAC and the NAC Server still let him through....I am a bit perplexed...Thanks for any assistance.

    Hmm, i removed the line but it does not help me ?
    I did run following command in terminal:
    sudo pico /Library/Server/Mail/Config/postfix/main.cf
    Removed the "reject_non_fqdn_helo_hostname" from the line smtpd_helo_restrictions.
    Saved the file and restarted Mail service
    get this in  log when i try to send from a windows client with Outlook2010:
    Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): Authentication server failed to complete the requested operation.
    Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): authentication failed for user=annicalundmark, method=DIGEST-MD5
    Have tried different ports like 25 and 587 with SSL, TLS and "none" in SMTP advanced settings on client.
    I did use the same instructions before in Lion server and there it did work ?!
    Any more ideas ?
    regards
    Jörgen

  • 802.1x (DOT1x) and Cisco Clean Access 3140

    Hi,
    We have about 300 remote sites and would like to implement an authentication mechanism to authenticate end-devices (Windows PCs) before allowing access to the network. We thought we could implement DOT1x on our Cisco 2960, 3750 and 4500 series switches and send the "PC-switch" access requests to our centrally located Cisco Clean Access 3140 NAC servers back at the HQ sites. We understand the NAC servers will be used to authenticate (among other things) the end-users' workstations to ensure each workstation is a company owned PC and all the security parameters are installed and up to date. -RIGHT?
    Can the Cisco Clean Access 3140 server perform the Authentication security checks from the 802.1x (DOT1x) enabled switches?
    Does the Cisco Clean Access 3140 server have to be inline (on the users subnet) and/or be centrally located?
    Is the Cisco Clean Access 3140 still usable?
    Thanks
    Frank

    unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
    What are you using for a RADIUS server?

  • Clean Access Server is unavailable on the network

    I have an issue where randomly (about 4 or 5 users per week out of about 150 concurrent users) people are getting "Clean Access Server is unavailable on the network".  We are using the full client v4.7.0.  Certs and DNS look good, and everything works fine for most people.  I read about the "work offline" bug, do you think that could cause this?  Also, the CAM and CAS clocks are about 4 minutes apart, what kind of issues could this cause?
    Thanks!

    I found it, it was described in TAC Case 614237013 w/ Nate Austin from RTP's AAA TAC.  Bug ID # CSCta39899.  Excerpts from the TAC case are below.
    David Swafford.
    =============================================================
    Subject: SR 614237013 - NAC Agent - CCA Server Unavailable Repeatedly
    Hi David,
    My name is Nate Austin with Cisco TAC and I just accepted ownership of
    your SR regarding NAC Appliance.
    Looking at the logs I can see two way communication with the CAS so we
    know it can reach it IP-wise. All the swiss communication is successful,
    but it appears the HTTPS requests are the ones that are failing.
    I have seen a couple things cause this:
    1) Personal firewall blocking ports from CCA Agent.
    2) More common - We use the same libraries as IE does for making HTTP
    calls - If IE Offline Mode is enabled, this will cause the agent to
    fail. Can you check in IE (especially if Firefox or Chrome are the users
    default browser because they'd never check IE) and see if Offline Mode
    is enabled. If so, disable it and try again?
    Thanks,
    Nate
    =============================================================
    Subject: Re: SR 614237013 - NAC Agent - CCA Server Unavailable Repeatedly
    Sounds good.
    FYI, if this does end up being the problem, there was a bug filed on
    this CSCta39899, and in the 4.8 agent the agent will disable Offline
    mode and re-enable it after it logs in.
    Thanks,
    Nate
    Nathaniel Austin                        Cisco Systems
    Customer Support Engineer               Research Triangle Park, NC

  • Cisco Clean Access OOB with virtual gateway

    I have set the Clean Access OOB virtual gateway mode. I put the managed subnet as one of the unused IPs with the unauthenticated VLAN. Some of the PCs are running with DHCP, so I put IP refresh after successful authentication (this is working fine), but some of them are running with static, so I cannot refresh the IP address.
    After authentication through Clean Access, the Clean Access Manager is changing the unauthenticated VLAN (44) to the authenticated VLAN (4), but I can't access the internet or any other application through the network (even with static IP and DHCP (if I put refresh DHCP IP I can)). In the PC ARP cache I can see the original gateway MAC address; if I clear the ARP cache with the arp -d command, the moment I do it starts working. How can I solve this issue? Please help me, guys.
    thank you

    This document describes how to configure the syslog settings in order to log the events to an external server in the Cisco Network Admission Control (NAC) Appliance, formerly known as Cisco Clean Access (CA).
    http://www.cisco.com/en/US/products/ps6128/products_tech_note09186a008085d6e9.shtml

  • Cisco Clean Access (CCA) Agent and iPod Touch

    Has anyone had any success in connecting an ipod to this type of wireless network?
    In looking at the post, I see there has been a problem with Macs and CCA. Since I know nothing about CCA, is this something that even works with an iPod?
    The college, where my son attends, sent him this reply: Unfortunately, we are not able to get any iPods connected on campus at this time due to limitations of the iPod software. However, we are working on resolving this problem with the company that provided our Cisco Clean Access system and will keep students informed as a solution is reached.
    Thanks for your input.

    The college where my boy goes has a person in the IT department who supports Apple equipment. You need to find the IT person at your school who supports Macs. That will help a bunch.
    I spoke with him about the problem, and in their case, the company that implemented CCA was going to fix the problem. I did send him the file from the link, iPhone Enterprise Deployment Guide, on the page you looked over. Go to that page again, click on "iPhone Enterprise Deployment Guide" then on "iPhone OS - Enterprise Deployment Guide" That should download a PDF which has information on how they can setup for iPhones so it should work for iPhone. A few weeks later it was working again.
    I know nothing about how to do it, but from looking through the doc, if memory serves me, it wouldn't be that hard for the tech person who works with it every day.
    Hope this helps.

  • Clean Access Server could not establish a secure connection

    I have a OOB Real IP GW setup on v4.1.2
    I seem to have a problem with the CAS connecting to the CAM although I have added the CAS to the CAM and can manage the CAS from the CAM.
    I noticed while troubleshooting client authentication that the client was not being redirected to the logon web page and it had full access to the trusted network from the untrusted authentication vlan. I eventually figured out that if I change the CAS Filter Fallback method from Allow to ignore then it tries to authenticate the client. However the fact that the fallback is activated tells you that something is not right.
    I have 2 problems:
    A) The clients web page is redirected for authentication but it only lists the domain name in the URL and not the hostname or host IP. In the lab I do not have a DNS server and it would not help as it does not include the hostname in the URL anyway. How do I fix this or perhaps it's related to the 2nd problem.
    B) When I manually change the URL by replacing the domain name with the IP of the CAS (untrusted OOB Real IP GW) then I get the following error message when logging on:
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    I would guess the culprit is No 2 but surely the system can run on self signed certificates? I have an NTP server so time is in sync. I have even tried regenerating the certificates on the CAM & CAS.
    Any ideas?

    To overcome problem B, I regenerated the SSL Certificates using the host IP address instead of the name for all the CAM & CAS appliances. This seems to have resolved this problem.
    I also SSH'd from each of the CAS's to each of the CAM's from the CLI and it then prompts to permanently store the certificates. I'm not sure if this was necessary though.

  • Run-time error '7': Out of memory - Cisco Clean Access problem

    Hi all,
    I hope this question is in the appropriate place. I'm trying to use my company's vpn service. Here's how the process should work:
    1) Log on with username/password using Cisco AnyConnect VPN Client
    2) Log-in to the portal. During this step the Cisco Clean Access Agent is supposed to automatically log-in. However I get the following error:
    Run-time error '7':
    Out of memory
    My company's network services didn't seem to be much of a help so I was hoping one of you would have a good suggestion(s).
    Please keep in mind that I'm not great with computers. I know how to use them and all that but I'm not familiar with the inner-workings at all (registry editing etc.)
    Thanks in advance!
    -Bill

    I should add that the version of CCA is 4.1.10

  • Confusion on Cisco clean access and Cisco NAC

    Dear Pros,
    I am still confused by the name mismatch as above. Please can anyone give me the correct NAC part number for both server and manager?
    swamy

    Cisco Clean Access and NAC are the same.
    NAC is just the new naming.
    You can have NAC installed in two way, Framework or Appliance mode.
    I think Framework is not available anymore (I may be wrong).
    If you go with the appliance, you'll need a minimum of two. 1 for the CAM (Clean Access Manager) which manages the policies and 1 for the CAS (Clean Access Server) that is the "filter" between your authentication lan and your prod network.
    Dominic

  • Problem with Cisco Secure Access Server 3.0

    Hi All,
    Please what is my problem? I use Cisco Secure Access Server Version 3.0 for Windows 2000/NT Servers to authenticate users on our wireless network. I however wish to assign monthly time limits to each user after which he/she will no longer have access until next month or the timer is reset. I tried this with the "User Usage Quota" under User setup. I set the Server to "Limit user to X hours of online time per Month" and enabled the "Use these settings" and also checked the box by the side of the option. I saved and restarted my server. Unfortunately the settings did not work for all the users whose quotas I set.
    What am I doing wrong? Please assist.
    Chafe

    Do you have your AP's sending accounting data? If not, ACS has no way of knowing how long they've been online?
    You can utilize your ACS logging to see what your accounting looks like to confirm whether you are receiving accounting packets or not?
    HTH
    Jeff

  • Removing Cisco Clean Access Agent 4.5 (CCA)

    I'm more or less having trouble with uninstalling Cisco Clean Access Agent 4.5.0.0, so I can install CCA 4.1...
    I removed CCAAgent 4.5 + the files within "Library/ApplicationSupport/" and in "Library/Receipts"...yet when I try to install 4.1, it tells me there's a newer version of the software on this disk & won't let me install.
    I am on Snow Leopard, too - by the way.
    Any solutions to this?

    Tim:
    Seen this page yet....anything there help?
    http://www.cisco.com/en/US/docs/security/nac/appliance/configurationguide/45/cam/magntd.html#wp1276391
    Do you have a fresh backup if needed? Have you tried repairing permissions and checking for hidden files with a similar name?

  • Cisco Clean Access agent for Ipad

    My university uses Cisco Clean Access agent for wifi.
    I have been able to log in using the allotted password through Safari, however the next step is a prompt to download Clean Access Agent.
    When I try to download the application, Safari prompts that the file can not be downloaded.
    Any suggestions for this problem so that I can use my Ipad at campus.

    The only things you can download are on the App Store. Check there, but I'm mostly sure that there is no Cisco Clean Agent available for iphone.

  • Clean access server and wireless users

    Hi,
    The AP has several vlans (employee, guest). There is a trunk up to the switch and all l3 vlan interfaces are created on the switch.
    I would like to add a clean access server.
    1) Besides the configuration of the clean access server, do I just need to move the l3 vlan interface from the switch to the clean access server untrusted interface?
    2) Is the ip address of the trusted interface on the clean access server a trunk too?
    Thank you,
    Best regards,
    Pascal

    I think yes. The ip address of the trusted interface on the clean access server needs to be configured as a trunk too. This is up to my knowledge.

  • Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager

    Hello everyone
    I am implementing a failover solution of NAC in OOB VG version 4.8, I have 2 CAS and 2 CAM.
    The Error I am getting is when I connect to both IP address and the FQDN of the CAS.
    ===========
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at camsrv3.cadivi.gob.ve.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    ==========
    For the CAMs I use these names: camsrv1 and camsrv2. Then I generate a CSR in the camsrv1 with the name camsrv3.mycompany.com corresponding to the virtual IP and export it to camsrv2, install the CA certificate of the company and everything works perfectly.
    This is the failover configuration
    CAM:
    Primary:     10.1.206.248 camsrv1.mycompany.com
    Secondary: 10.1.206.249 camsrv2.mycompany.com
    Virtual:       10.1.206.250 camsrv3.mycompany.com
    Then I do exactly the same steps for the CAS's and this is the failover configuration:
    Primary:     10.1.216.248 cassrv1.mycompany.com
    Secondary: 10.1.216.249 cassrv2.mycompany.com
    Virtual:       10.1.216.250 cassrv3.mycompany.com
    Then I add the certificate of CAM in the CAS on the tab "Trusted Certificate Authorities"  and vice versa.
    The communication between all the CAMs and CASs is correct (Primary, Secondary and Virtual). I can ping the IP and the FQDN and I can also manage the CAS through the CAM.
    I verify that the time was right in the CAM and the CAS and all good up there.
    Appreciate your help
    Eduardo Navas

    Eduardo,
    Bump up the CAS/CAS communications logging on both the CAS and CAMs, and then look in the log files for clues.
    On CAM they live in /perfigo/control/tomcat/logs and on CAS in /perfigo/access/tomcat/logs
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily
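
The two "could not establish a secure connection" threads above both come down to the certificate checks named in the error text (expired, cannot be trusted), so here is a triage of those checks as an added example; it is not code from the posters or from Cisco. It assumes certificates in the dict layout of Python's `ssl.SSLSocket.getpeercert()`, uses made-up names and addresses, and simplifies trust to an issuer-name lookup instead of signature verification.

```python
import ipaddress
import ssl

# Constructed sample certificates in the dict layout of ssl.SSLSocket.getpeercert().
# Names, addresses and dates are made up for this example.
CERT_BY_NAME = {
    "subject": ((("commonName", "cam.example.test"),),),
    "issuer": ((("commonName", "cam.example.test"),),),  # self-signed
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}
CERT_BY_IP = dict(
    CERT_BY_NAME,
    subject=((("commonName", "192.0.2.10"),),),
    issuer=((("commonName", "192.0.2.10"),),),
)


def common_names(name_field):
    """Collect commonName values from a subject/issuer tuple."""
    return [v for rdn in name_field for k, v in rdn if k == "commonName"]


def presented_names(cert):
    """subjectAltName entries if present, otherwise the legacy commonName."""
    sans = cert.get("subjectAltName", ())
    if sans:
        return [v for kind, v in sans if kind in ("DNS", "IP Address")]
    return common_names(cert.get("subject", ()))


def name_matches(cert, target):
    """True if target (DNS name or IP literal) is named by the certificate.
    Exact match only; wildcards are not handled in this example."""
    try:
        want_ip = ipaddress.ip_address(target)
    except ValueError:
        want_ip = None
    for name in presented_names(cert):
        if want_ip is not None:
            try:
                if ipaddress.ip_address(name) == want_ip:
                    return True
            except ValueError:
                continue  # certificate entry is a DNS name, target is an IP
        elif name.lower() == target.lower():
            return True
    return False


def triage(cert, target, trusted_issuers, now):
    """Return the list of certificate problems seen when connecting to target.
    now is epoch seconds on the checking appliance, so clock skew shows up."""
    findings = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid (check clocks)")
    if not name_matches(cert, target):
        findings.append("name mismatch")
    # Assumption: trust is modelled as issuer CN present in the local trust list.
    if not set(common_names(cert["issuer"])) & set(trusted_issuers):
        findings.append("issuer not trusted")
    return findings
```

A certificate issued for a name fails the name check when the peer is addressed by IP, which is the situation the first thread resolved by regenerating certificates with the host IP.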
