Cisco ISE & NAC Agent in a VMware View VDI Environment

Hi,
Has anyone deployed the Cisco ISE NAC agent in a VMware View virtual desktop (VDI) environment?

There are no known issues regarding VMware View that would cause this.
For AV see -> http://www.novell.com/support/kb/doc.php?id=7007545
I find ProcMon from Sysinternals useful to see if other processes such as
AV are hitting those files unexpectedly. A few times I have seen AV
exclusions not quite working as expected until tweaked.
The ZMD-Messages.log may show if the agent is doing something.
On 9/30/2014 9:36 PM, harrymsg wrote:
>
> We have been running 11.2.4 in our View VDI environment and have overall been
> very successful. We just rolled Win 7 and are seeing approx. 10% of the
> VMs with the zenworkswindowsservice.exe running steadily around 50% for
> hours. Any thoughts? One thing I just set to try was excluding that
> from Microsoft FEP AV. Any other thoughts to resolve? Thanks.
>
>
Going to Brainshare 2014?
http://www.brainshare.com
Use Registration Code "nvlcwilson" for $300 off!
Craig Wilson - MCNE, MCSE, CCNA
Novell Technical Support Engineer
Novell does not officially monitor these forums.
Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.

Similar Messages

  • ZCM 11.2.4 in a VMware View VDI environment

    We have been running 11.2.4 in our View VDI environment and have overall been very successful. We just rolled Win 7 and are seeing approx. 10% of the VMs with the zenworkswindowsservice.exe running steadily around 50% for hours. Any thoughts? One thing I just set to try was excluding that from Microsoft FEP AV. Any other thoughts to resolve? Thanks.


  • Cisco ISE NAC agent and Microsoft roaming profiles

    Hi there,
    I have installed Identity Services Engine version 1.1.3 in distributed mode. The NAC agent is installed on the end-user PC, which is joined to the domain. When a user with a roaming profile logs into the PC, the NAC agent fails to run posture assessment, but if a user with a non-roaming profile logs in, the NAC agent does posture and full network access is granted.
    Is there something I need to do to enable the NAC agent to perform posture for users with a roaming profile?
    Regards,
    Henry

    Hello,
    I found the following in the Cisco docs. Hope it helps!
    The following failure scenarios might cause the Cisco NAC Agent to appear following successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band and Out-of-Band) and Layer 2/Layer 3 Out-of-Band environments. Erroneous Agent login dialogs could also appear if users roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC network:
    – ARP poisoning
    – Temporary loss of network connection between the client machine and the CAS
    – Access to the untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
    Cisco offers the following recommendations to prevent this situation:
    – Ensure all trusted networks (post-authentication) can reach the CAS untrusted interface IP address through the CAS trusted interface only
    – Block discovery packets from all non-NAC networks to the CAS untrusted interface IP address (discovery packets that arrive on the trusted interface of the CAS are blocked by default)
    For more information please refer to the following link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html

  • Cisco ISE NAC Agent RDP session

    Is there a way to get the NAC Agent to run when a user logs on to a Windows machine in an RDP session?

    You have to go and check the dACL that is part of the authorization profile; you will find that it is blocking your RDP access, because when you do a remote desktop your authentication token is host/machine-name.domain. Now, the easiest fix to permit RDP traffic is to modify the dACL, but this won't solve your problem. Why? Because your dACL will now allow you to do a remote desktop, BUT it will block the rest of your communication.
    So either you permit all as soon as your machine is authenticated, or you will continue to face this issue.

  • MAC OS X unable to download Cisco ISE supplicant agent

    Hi,
    I have a problem with Mac OS X clients being unable to download the Cisco ISE supplicant agent using the Safari browser, although they are able to log in on the ISE guest portal. If the same client logs in to the ISE guest portal using Firefox, it has no issues downloading the ISE supplicant and posture agent.
    I have tried updating the Java version on the client to the latest; however, it does not resolve the issue. As I am new to Mac OS clients, I was wondering what may be the cause of the issue?
    I have summarized the issue as follows:
    1. Mac OS X 10.8 with Safari 6 -- unable to download the agent but can log in successfully on the Cisco ISE guest portal
    2. Mac OS X 10.8 with Firefox -- able to log in to the Cisco ISE guest portal and download agents; no issues
    3. Mac OS X 10.7 with Safari and Firefox -- unable to download the agent but can log in successfully on the Cisco ISE guest portal
    4. Windows XP, Windows 7 and iPhone/iPad/Android -- able to log in and download the agent without any issues
    Any suggestions are appreciated.
    Thanks.

    For agent download issues on the client machine:
    • Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the policy identity group, conditions, and type of agent(s) defined in the policy. (Also check whether there is any agent profile configured under Policy > Policy Elements > Results > Client Provisioning > Resources > Add > ISE Posture Agent Profile, even a profile with all default values.)
    • Try reauthenticating the client machine by bouncing the port on the access switch.
    Remember that the client provisioning agent installer download requires the following:
    • The user must allow the ActiveX installer in the browser session the first time an agent is installed on the client machine. (The client provisioning download page prompts for this.)
    • The client machine must have Internet access.
    Client Machine Operating Systems and Agent Support in Cisco ISE
    Check the following link
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449

  • App-V packages not streaming on VMWare View VDI

    Hello All,
    We are currently running SCCM 2012 R2 CU2 on VMware View VDIs.
    We maintain our golden image using SCCM OSD.
    Next to applications installed in the image, we are also using App-V packages.
    Before we can deploy the image, it needs to be stripped (or sysprepped) so as to guarantee that the clones will not report to the Management Point using the same SCCM GUIDs etc.
    Therefore we perform the following:
    # Stop the SCCM client so its identity files can be removed cleanly
    net stop "CcmExec"
    # Remove the client identity (SMS GUID) so clones do not share it
    Remove-Item c:\windows\smscfg.ini
    # Remove the SMS client certificates; each clone will request its own
    Get-ChildItem -Path cert:\LocalMachine\SMS | Remove-Item
    # Reset the hardware inventory action status so the clone sends a full inventory
    Get-WmiObject -Namespace root\ccm\invagt -Class InventoryActionStatus | Where-Object { $_.InventoryActionID -eq "{00000000-0000-0000-0000-000000000001}" } | Remove-WmiObject
    # Clear the event logs and the client logs in the golden image
    Clear-EventLog -LogName Application
    Clear-EventLog -LogName System
    Clear-EventLog -LogName Security
    Get-ChildItem c:\windows\ccm\logs | Remove-Item
    When we deploy the new version of an image, we see that APP-V packages are not being streamed immediately to the clients.
    While troubleshooting, I noticed that whenever I log in and run a Machine Policy Evaluation & Retrieval cycle, a CcmRepair and CcmRestart are executed.
    After the restart, the client immediately starts streaming the App-V packages.
    Can anyone help me pinpoint where the CcmRestart gets triggered from?
    I've already searched a lot of logs (ccmexec, execmgr, policyagent, policyevaluator, ...) for the root cause but am unable to find it.
    Many thanks in advance!
    Filip Theyssens

    Hi,
    I just ran the action "Machine Policy Evaluation & Retrieval cycle" on my client; according to the logs, CcmRepair and CcmRestart were not executed.
    You could trigger the CcmRestart by running "%windir%\CCM\CcmRestart.exe".
    Best Regards,
    Joyce

  • Cisco ISE redundancy: the NAC agent does not appear

    Hello,
    I am currently implementing the Cisco ISE solution with 4 servers: two Admin/Monitor nodes and two Policy nodes. When I disconnect the primary Policy node, the NAC agent no longer appears when a user logs on. I have configured RADIUS server redundancy on my access switches (radius-server retry method reorder). In the NAC Agent's host discovery, both policy nodes are listed, separated by a semicolon (svr-politc-ise01.xxx.ci; svr-polidr-ise01.xxx.ci). Can you help me?

    Hi.
    I too have the same behaviour. After selecting values for the fields presented, except for the Products for Selected Vendor, I click on the "Save" button and I am asked to select a Product, though a product is displayed.
    What have I missed in the exercise?
    I have run a POSTURE update too.

  • ISE nac Agent automatic upgrade possible ?

    Hello all,
    I have this:
    802.1x Windows client with NAC Agent version (let's say) 1 <----> 802.1x-enabled switch (AAA RADIUS OK) <------> ISE and AD on the same LAN
    ISE is configured for client provisioning with material (NAC Agent version 2) downloaded from the Cisco website (as depicted in the documentation).
    I have a basic authentication and authorization scheme that lets me in properly, but I expect the NAC Agent to be upgraded.
    No profiling is configured for the time being.
    Can anybody help?
    Best regards

    Hi Tarik,
    You are right regarding the option "upgrade is mandatory".
    However, in my case you do need to enter the ISE's FQDN on the NAC client and make sure that DNS operates properly.
    Once authenticated, the NAC agent shows an upgrade message.
    It works.
    Thank you all.

  • ISE - NAC agent profile

    Dear all,
    I want to deploy the NAC agent via GPO and I need to create an agent profile. I know how to create it on ISE, but how do I get the file in XML format to be distributed?

    You can try installing on only one PC (either by manual installation or via the captive portal). If you have configured the posture rules in ISE, then the NAC Agent automatically contacts the ISE server and downloads the latest NACAgentcfg.xml available.
    Then you can browse the following directory and find the NACAgentcfg.xml file on your PC:
    C:\Program Files (x86)\Cisco\Cisco NAC Agent
    After that you can mass deploy the NAC agent along with the XML file. Although it is not mandatory to deploy the XML file, because, as I said, every time there's a posture rule the NAC agent will download the latest NACAgentcfg.xml available from the ISE server.
    Please rate if it helps.

  • ISE nac agent provisioning question

    I have downloaded the NAC agents and compliance modules to the ISE, and configured the client provisioning rules. The user guide doesn't really explain the next steps very well.
    I guess that because User Identity Groups are used in the policy, the provisioning is used with webauth, is that correct?

    Jeppe,
    The client provisioning is done with any authentication method, either via dot1x or webauth; it is the authorization policy that starts this process. You redirect your clients to the client provisioning portal using the authorization policy. Then you determine which agent (web agent, NAC agent, or no agent) via the client provisioning policy.
    Hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE on VMware blank Web GUI

    Hi,
    I have just installed Cisco ISE on a VM in VMware Workstation 7.1 so that I can play around with the interface.
    I have tried multiple browsers including Mozilla 3.6, all with the same symptoms.
    From the host I can:
    - Ping the ISE
    - Browse to https://10.0.0.2/admin, where I receive a certificate error (if I check the certificate I can validate it is a self-signed certificate from the ISE). I continue and I get a blank web page with "Identity Services Engine" on the tab at the top.
    From the ISE CLI:
    - I can ping the host 10.0.0.1.
    - I can do a "sh application status ise" and all applications are running and have PIDs.
    VM settings:
    - Memory 4096 MB
    - Hard drive 60 GB
    - 1 processor
    - Host-only network connection

    If I do a view source in Mozilla 3.6 I get the following; the page itself appears blank. I have also verified that Java is installed and up to date.
         (page source as pasted; the markup was lost in extraction, only the referenced resources and script values remain)
         Identity Services Engine
         css/images/favicon.ico
         lib/xwt/themes/kubricklite/kubricklite-base.css
         lib/xwt/themes/kubricklite/kubricklite-xwt.css
         css/errorpage.css
         djConfig = { isDebug: false, debugAtAllCosts: false, parseOnLoad: true }
         lib/dojo/dojo.js
         lib/cpm/widget/ErrorPage.js
         var hrefurl = "http://www.cisco.com";

  • Posture Assessment passed in Error using Cisco ISE

    Hi all,
    I would like some help trying to understand why a client that had not been connected to the network for just over a month was allowed full network access despite the AV definitions being over 28 days old.
    We have 2 mandatory posture requirements:
    1. Symantec AV MUST be installed
    2. The AV definitions MUST be LESS THAN 28 days out of date
    Currently, the machine I have is showing the AV defs as being from 25th March 2013.
    When I produce the detailed posture report, it even shows me that the two mandatory requirements described above were successfully met, meaning the endpoint is posture compliant. Clearly this is not the case though...!
    Is there anything else I can check on the ISE to help debug this?
    Mario              

    Hi,
    You might have two problems:
    1. In ISE you have a global setting regarding unsupported NAC Agent clients (Android, etc.) that specifies their default compliance status. If the default setting is "compliant" and you don't have a provisioning rule for that client, or you simply don't have client provisioning rules, any machine that doesn't fit a provisioning rule (i.e. ISE thinks it is not supported) will get a compliance status of compliant, even though the NAC Agent is installed and the rules are not satisfied.
    2. NAC Agent version problem?
    I've seen in logs that you're using NAC Agent 4.9.1.6 but the latest recommended version of NAC Agent to be used with (the latest) ISE is version 4.9.0.51.
    Version 4.9.1.6 is a NAC Appliance release and Cisco offers no guarantee that is 100% compatible with ISE.
    Check
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp78131
    Cisco NAC Agent Interoperability Between NAC Appliance and Identity Services Engine (ISE)
    Cisco supports different versions of the NAC Agent for integration with NAC Appliance and ISE. Current releases are developed to work in either environment; however, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given NAC Agent version intended for one environment that will necessarily work in the other. If you require support for both NAC Appliance and ISE using a single NAC Agent, be sure to test the NAC Agent in your specific environment to verify compatibility. Unless there is a specific defect or feature required for your NAC Appliance deployment, Cisco recommends deploying the most current agent certified for your ISE deployment. If an issue arises, Cisco recommends restricting the NAC Agent's use to its intended environment and contacting Cisco TAC for assistance. Cisco will be addressing this issue through the standard Cisco TAC support escalation process, but NAC Agent interoperability is not guaranteed. Cisco is working on an approach to address NAC Agent interoperability testing and support in an upcoming release.
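    The first cause in the reply above is a fail-open default. The following is an added example, not from the thread or from Cisco: a small model of that posture decision, using the two requirements from the question (AV installed, definitions less than 28 days old) and the global default status the reply describes, with the weak setting beside the corrected one. Every host record, date and the reference date are constructed; the `provisioned` flag stands in for "a client provisioning policy matched this endpoint".

```python
"""Added example (not from the thread or Cisco): how a fail-open default
posture status for clients ISE treats as unsupported lets an endpoint with
stale AV definitions through. All records and dates are constructed."""
from datetime import date

MAX_DEF_AGE_DAYS = 28
TODAY = date(2013, 4, 26)  # constructed reference date

# provisioned=True: a client provisioning policy matched and a supported agent
# reported posture. provisioned=False: the case in the reply, where no policy
# matches and the requirements are never evaluated.
ENDPOINTS = [
    {"host": "LT-01", "av_installed": True,  "defs_date": date(2013, 4, 22), "provisioned": True},
    {"host": "LT-02", "av_installed": True,  "defs_date": date(2013, 3, 25), "provisioned": True},
    {"host": "LT-03", "av_installed": True,  "defs_date": date(2013, 3, 25), "provisioned": False},
    {"host": "LT-04", "av_installed": False, "defs_date": None,              "provisioned": False},
]


def requirements_met(ep, today=TODAY):
    """Both mandatory requirements: AV present and definitions younger than 28 days."""
    if not ep["av_installed"] or ep["defs_date"] is None:
        return False
    return (today - ep["defs_date"]).days < MAX_DEF_AGE_DAYS


def posture_status(ep, default_for_unsupported, today=TODAY):
    """The global default applies whenever the requirements are never checked."""
    if not ep["provisioned"]:
        return default_for_unsupported
    return "compliant" if requirements_met(ep, today) else "non-compliant"


def evaluate_all(default_for_unsupported, today=TODAY):
    return {ep["host"]: posture_status(ep, default_for_unsupported, today)
            for ep in ENDPOINTS}


def fail_open():    # weak setting: unsupported clients default to compliant
    return evaluate_all("compliant")


def fail_closed():  # corrected setting: unsupported clients default to non-compliant
    return evaluate_all("non-compliant")


if __name__ == "__main__":
    print("default=compliant     :", fail_open())
    print("default=non-compliant :", fail_closed())
```

    With the fail-open default, LT-03 (definitions 32 days old, no matching provisioning policy) and LT-04 (no AV at all) are reported compliant without any requirement being checked, which is the shape of the symptom in the question. With the default set to non-compliant, only LT-01 passes. The second thing to confirm is therefore whether the endpoint in question actually hit a client provisioning policy, not only what the posture report says.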

  • Cisco ISE: How to match an endpoint belong to an identity group ?

    Hello,
    I am running Cisco ISE 1.1.4.218 in a standalone environment.
    I am trying to setup Compound Condition for Authorization.
    I would like the condition to match the MAC address of the calling machine to the internal endpoint MAC address list.
    I created 1 endpoint identity group and 2 children groups
    - GroupParent
         - ChildA
         - ChildB
    I put the MAC address of my machine in the group ChildA.
    In my condition, I tried the following:
    IdentityGroup:Name, Equals, ChildA
    IdentityGroup:Name, Equals, GroupParent:ChildA
    IdentityGroup:Name, Match, .*(ChildA).*
    I even tried to put the MAC address in the GroupParent level and tried to update the condition to be:
    IdentityGroupName, Equals, GroupParent
    IdentityGroupName, Match, .*(GroupParent).*
    But none of these options worked.
    I am almost sure that in Cisco ISE 1.1.1 it was working fine. But I updated today to 1.1.4 and I cannot make it work.
    Can anyone help me ?
    Best regards,
    David

    You could try the following to match only the parent group
    IdentityGroup:Name EQUALS GroupParent
    You could try the following to match only child group A
    IdentityGroup:Name EQUALS GroupParent#ChildA
    You could try the following to match all child groups of GroupParent
    IdentityGroup:Name STARTS_WITH GroupParent
    Please rate if this helps
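    The three condition forms in the reply above differ in what they select, and the STARTS_WITH form has a caveat worth seeing. The following is an added example, not from the thread: it models the operators as plain string comparisons against a constructed set of endpoints, assuming, as the reply states, that a nested endpoint identity group renders as `Parent#Child` in `IdentityGroup:Name`. All MAC addresses and group names are constructed.

```python
"""Added example (not from the thread): how EQUALS and STARTS_WITH select
endpoints by IdentityGroup:Name, and why a bare prefix match over-matches.
Assumes the 'Parent#Child' rendering the reply describes; all data constructed."""

SEP = "#"  # assumed separator between parent and child group names


def equals(group_name, value):
    return group_name == value


def starts_with(group_name, value):
    return group_name.startswith(value)


def in_subtree(group_name, parent):
    """Match the parent itself or any descendant, but only on a '#' boundary,
    so an unrelated group that merely shares the prefix is not pulled in."""
    return group_name == parent or group_name.startswith(parent + SEP)


# Constructed endpoints: (MAC, IdentityGroup:Name). GroupParentLegacy is the
# sibling group that makes a bare STARTS_WITH over-broad.
ENDPOINTS = [
    ("00:11:22:33:44:01", "GroupParent"),
    ("00:11:22:33:44:02", "GroupParent#ChildA"),
    ("00:11:22:33:44:03", "GroupParent#ChildB"),
    ("00:11:22:33:44:04", "GroupParentLegacy"),
    ("00:11:22:33:44:05", "Unknown"),
]


def select(predicate):
    """MACs whose group name satisfies the predicate, in list order."""
    return [mac for mac, name in ENDPOINTS if predicate(name)]


def parent_only():         # IdentityGroup:Name EQUALS GroupParent
    return select(lambda n: equals(n, "GroupParent"))


def child_a_only():        # IdentityGroup:Name EQUALS GroupParent#ChildA
    return select(lambda n: equals(n, "GroupParent#ChildA"))


def subtree_by_prefix():   # IdentityGroup:Name STARTS_WITH GroupParent
    return select(lambda n: starts_with(n, "GroupParent"))


def subtree_bounded():     # EQUALS GroupParent, or STARTS_WITH GroupParent#
    return select(lambda n: in_subtree(n, "GroupParent"))


if __name__ == "__main__":
    for fn in (parent_only, child_a_only, subtree_by_prefix, subtree_bounded):
        print(f"{fn.__name__:18s} -> {fn()}")
```

    The prefix form returns the sibling GroupParentLegacy along with the real subtree, so an authorization rule written that way grants the same access to any group whose name happens to begin with "GroupParent". In ISE terms the bounded form is two conditions ORed together, EQUALS GroupParent and STARTS_WITH "GroupParent#" (assuming the separator the reply shows), or simply group names that do not share a prefix.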

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from the ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
    The Reports / User / Profiling report says the Provisioning Agent has completed the assessment OK.
    The redirected URL is working fine (see evidence).
    We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
    The operations status remains "posture status pending" forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
    Possible causes per Cisco: there are multiple possible causes for this type of issue. See the following resolution descriptions for details of what was already tested by us, and please see the attached files for our switch configuration and evidence.
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE. OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) OK (see evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. The limited access ACL applied for the session should allow the Swiss ports. ALL CONFIGURED AS PER CISCO GUIDELINES, OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK, SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch, especially the webauth redirect ACL, which should deny traffic towards the PSN.
    regards
    Zubair
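    Two of the threads above turn on how the switch evaluates an ACL: the RDP thread ("Cisco ISE NAC Agent RDP session"), where a restrictive dACL for a machine-authenticated session drops the remote desktop, and the reply just above, where the web-auth redirect ACL must deny traffic towards the PSN. The following is an added example, not from either thread or from Cisco: a minimal first-match evaluator for Cisco-style extended ACL lines, run over a constructed dACL and a constructed redirect ACL. The PSN, domain controller and endpoint addresses are made up, and only the subset of ACE syntax used here (permit/deny, ip/tcp/udp, any/host, optional `eq <port>`) is parsed.

```python
"""Added example (not from the threads or Cisco): first-match evaluation of
Cisco-style extended ACL lines. All ACLs and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

NAMED_PORTS = {"domain": 53, "bootps": 67, "www": 80}  # subset of IOS keywords
PSN = "10.10.10.10"       # assumed Policy Service Node address
DC = "10.10.10.20"        # assumed domain controller address
ENDPOINT = "10.20.0.55"   # assumed endpoint address


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # "any" or a host address
    dst: str
    dport: Optional[int]   # from 'eq <port>', else None


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_ace(line: str) -> Ace:
    """Parse '<permit|deny> <proto> <src> <dst> [eq <port>]' where each
    address is 'any' or 'host A.B.C.D'; other IOS syntax is not supported."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2
    addrs = []
    for _ in range(2):
        if tok[i] == "any":
            addrs.append("any")
            i += 1
        elif tok[i] == "host":
            addrs.append(str(ip_address(tok[i + 1])))
            i += 2
        else:
            raise ValueError(f"unsupported address form in: {line!r}")
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, addrs[0], addrs[1], dport)


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == str(ip_address(addr))


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return ((ace.proto == "ip" or ace.proto == flow.proto)
            and _addr_ok(ace.src, flow.src) and _addr_ok(ace.dst, flow.dst)
            and (ace.dport is None or ace.dport == flow.dport))


def evaluate(acl, flow: Flow) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


# Constructed dACL for a machine-authenticated session. A dACL filters the
# traffic the endpoint sends; nothing here covers the host's replies to an
# inbound RDP client, so those hit the implicit deny.
MACHINE_DACL = [
    "permit udp any any eq domain",
    f"permit ip any host {DC}",
    f"permit ip any host {PSN}",
]

# Constructed redirect ACL: 'permit' = redirect to the portal, 'deny' = let the
# traffic through. The PSN must be denied, or traffic to it is redirected too.
REDIRECT_ACL = [
    "deny udp any any eq domain",
    "deny udp any any eq bootps",
    f"deny ip any host {PSN}",
    "permit tcp any any eq www",
    "permit tcp any any eq 443",
]


def machine_dacl_verdicts():
    flows = {"dns": Flow("udp", ENDPOINT, "10.10.10.1", 53),
             "to_dc": Flow("tcp", ENDPOINT, DC, 445),
             "rdp_reply": Flow("tcp", ENDPOINT, "10.30.0.9", 51234)}
    return {name: evaluate(MACHINE_DACL, f) for name, f in flows.items()}


def redirect_acl_verdicts():
    flows = {"dns": Flow("udp", ENDPOINT, "10.10.10.1", 53),
             "to_psn": Flow("tcp", ENDPOINT, PSN, 8443),
             "http": Flow("tcp", ENDPOINT, "203.0.113.5", 80)}
    return {name: ("redirect" if evaluate(REDIRECT_ACL, f) == "permit" else "pass")
            for name, f in flows.items()}


if __name__ == "__main__":
    print("machine dACL :", machine_dacl_verdicts())
    print("redirect ACL :", redirect_acl_verdicts())
```

    In the dACL case the host's replies to the RDP client have no matching permit and fall to the implicit deny, which is the behaviour the RDP thread describes; widening the dACL to fix it widens it for every machine-authenticated session, hence that reply's reluctance. In the redirect case "deny" means "do not redirect", so the deny for the PSN is what lets the agent and the portal reach ISE while HTTP is still sent to the portal.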

  • ISE and NAC Agent

    Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) environments. We are looking at migrating over to ISE for our wireless environment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC environment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this environment; we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version, 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically is NOT listed in the NAC compatibility matrix. So what version of the NAC agent should we run in a mixed environment? I am hoping 4.9.1.5 is supported against ISE and the matrix is simply not updated yet. Thank you in advance for your help.

    Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC appliances, we would still run that agent. Does that agent run against ISE, and if not, what is Cisco's recommendation to bring ISE into the environment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE, as our laptops will be wireless and wired at different times. Which agent would be recommended?
