Cisco NAC Clean access update

Hi,
I am trying to deploy NAC, but for updating the Clean Access AV/AS update I am not able to get the updated signatures and update the NAM.
Is there any way I can force it manually or wget and get the package for the same?
Please help
Thanks,

Please have a look at the following link:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html#wp1078189
On the CAM interface, you can export the current certificate and see its validity:
Administration > Clean Access Manager >> SSL > X509 Certificate >> Select Cert and hit 'Export'
Please rate if you find the input helpful
Regards
Farrukh

Similar Messages

  • Cisco Clean Access Update Website and Firewall Port Required

    Hi,
    I was wondering if anyone may know the website the Clean Access Manager would be using to update, as well as the firewall port required. This is due to a firewall in place. Based on some reading, I am not sure if it uses another website besides the following http://www.perfigo.com/clean_machine_1/version-se.txt on port 80.
    Thanks.

    Hi,
    For CAM checks and rules update, that's the only site required.
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • NAC/Clean Access Server no longer intercepting Clients after upgrade

    We recently upgraded our Cisco Clean Access Manager and Server to version 4.8.2 from 4.8.0. Everything seemed to be working fine, but I had a user log in without having the NAC Agent running and they had full access. We didn't change anything other than upgrading to the new version. We have found that the user has access even before the Windows Agent has completed the assessment of the client. It worked fine before the upgrade... Again, we made no changes other than upgrading to the new version (no route changes, etc).
    I even tried an explicit deny for the user's workstation's MAC and the NAC Server still let him through... I am a bit perplexed. Thanks for any assistance.

    Hmm, I removed the line but it does not help me?
    I did run the following command in the terminal:
    sudo pico /Library/Server/Mail/Config/postfix/main.cf
    Removed the "reject_non_fqdn_helo_hostname" from the line smtpd_helo_restrictions.
    Saved the file and restarted the Mail service.
    I get this in the log when I try to send from a Windows client with Outlook 2010:
    Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): Authentication server failed to complete the requested operation.
    Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): authentication failed for user=annicalundmark, method=DIGEST-MD5
    I have tried different ports like 25 and 587 with SSL, TLS and "none" in the SMTP advanced settings on the client.
    I did use the same instructions before in Lion Server and there it did work?!
    Any more ideas?
    Regards
    Jörgen

  • NAC Clean Access Agent Issue

    Hi,
    Can anyone tell me, if I want my user to download the Clean Access Agent, how can I achieve that? I have uploaded the agent to my CAM, but I'm confused: should my user use the web agent first and then download the agent over the network, or can he download the Clean Agent directly?

    Unlike the Clean Access Agent, the Cisco NAC Web Agent is not a "persistent" entity, thus it only exists on the client machine long enough to accommodate a single user session. Instead of downloading and installing an Agent application, once the user opens a browser window, logs in to the NAC Appliance web login page, and chooses to launch the temporal Cisco NAC Web Agent, an ActiveX control or Java applet (you specify the preferred method using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration page) initiates a self-extracting Agent Stub installer on the client machine to install Agent files in a client's temporary directory, perform posture assessment/scan the system to ensure security compliance, and report compliance status back to the NAC Appliance system. During this period, the user is granted access only to the Temporary Role and if the client machine is not compliant for one or more reasons, the user is informed of the issues preventing network access and may do one of the following as mentioned in the below URL:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_cca.html#wp1130212

  • NAC Clean Access Authentication not doing anything

    Hi!
    I have installed a NAC solution, using OOB with ACLs.
    When I get to the Clean Access Authentication page, using the right user and password, or a wrong one, the page keeps showing up, requesting to authenticate and without any errors.
    Has this happened to anyone?
    TKX
    Miguel

    Hi Miguel,
    The configuration so far looks OK.
    The only test I would suggest would be to keep the clients on a vlan/subnet different from the CAS untrusted IP's subnet.
    I am telling this because usually we have the following:
    1. Clients are being assigned to a trusted vlan/subnet, for which we have an IP address configured in the CAS as a managed subnet and assigned to that vlan.
    2. In this case, clients are getting an IP on the same subnet as the untrusted interface of the CAS, which is not doing any kind of vlan tagging.
    As a further test, you could for example keep the clients on a subnet that is not the same as the one for the CAS untrusted interface and add the corresponding managed subnet for that client vlan.
    Alternatively, you could configure the CAS untrusted interface to tag traffic on the same vlan where clients are getting an IP, but this is usually more tricky.
    This suggestion comes from the fact that what you are experiencing (clients continuously re-prompted for authentication) is often seen when the CAS is not configured for the proper managed subnets.
    One more thing to verify is that the user being authenticated is not falling under the Unauthenticated Role.
    This could happen for example when configuring an Authentication Provider with the default role as Unauthenticated and mapping rules: if mapping rules are not triggered correctly, the default Unauthenticated Role will be assigned and the client will keep getting the authentication prompt.
    If these further points didn't show any improvements, I would recommend to keep following this through a TAC Service Request:
    http://tools.cisco.com/ServiceRequestTool/create/launch.do
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Cisco NAC: AV Definition Update Scenario !!!

    Hi,
    I just want to brainstorm for this scenario to keep checking the AV definition rule & requirement!
    I am using the Cisco NAC (4.8.2.3). NAC updates are working fine and configured.
    My customer is using the Trend Micro OfficeScan AV (Ver = 10.5). I have configured the AV installation rule & requirement & mapped them to the role. I wanted to check for 15-days-older AV definitions. The configuration seems to be working fine.
    But the issue is that the Cisco NAC Agent is showing the "Installed" definition date, which is different for each user. The date shown is the one when they installed the AV on the users. So the users are failing to fulfil the 15-days-older virus definitions requirement. When I change the 15 days to e.g. 150 days to let the users fulfil the requirement, then it works fine.
    The AV console is showing the right date in its software. I also found some registry keys which keep updating & showing the latest date for the AV definition date. I can use them, but then it would need the administration to change it manually after each 15 days. But I want to keep it automatic.
    How can we change the Cisco NAC Agent to check the specified registry key?
    Please advise.
    BR,
    Mubasher Sultan

    Yes, correct... Manual update of the antivirus when the PC is in quarantine state is working, it updates, but still the NAC agent is not triggering the antivirus update.
    OK, thanks Nicolas, I think I have to open a TAC case for this issue.
    One more thing, does it have anything to do with av-posture-pack-win-3.4.16.1.tar.gz?
    Should I update this module?

  • NAC clean access policy requirement

    We have Clean Access Manager Version: 4.1.2.
    The policy is to check that the user has Symantec antivirus on their machine; if not, the NAC will redirect a link to the user to install the antivirus.
    The main problem is that all the PCs are joined to the domain & all the user accounts have limited user privileges to install the antivirus, so is there any means in Windows, like creating a package, or installing under DOS using a patch file, or any other solution?

    If you have a software distribution system you can normally run a local file on the PC that checks for required software, in this case the Symantec antivirus. The file then reports to the software distribution server and any missing applications are pushed down.
    Another thing you can do is create a script that will pull and install the application (with admin rights) from a server.

  • NAC clean access agent (CCA) question

    Hi,
    I am going through an OOB NAC deployment and I have a question about the CCA agent that will be persistent on the client machines: if a client leaves his work with the laptop that has the CCA agent and uses it at home or on any different network, will the agent affect the laptop's access on any different network or not? And why?
    Waiting for your replies.
    MAM

    Faisal,
    Thanks for your reply.
    Please, I have another question: if we integrate the NAC appliance with AD (enabling the AD SSO feature), will we need to do Mapping Rules on the CAM server or not?
    MAM

  • NAC - Clean Access Agent keeps popping up even when it's authenticated

    Hi All,
    I've set up OOB/IB/L3 NAC. After login to CAA, authentication happens and the VLAN is changed on the switch. But CAA pops up again and asks for username and password, even though it's already been authenticated.
    Any suggestion would be appreciated.
    Alex

    Alex,
    How are you forcing the traffic to the NAC? Using ACLs or PBRs?
    What you're describing indicates that you're more than likely using ACL method. If so, ensure that in your access subnet, you are disallowing traffic being sent to the CAS. After your client authenticates and is in the access VLAN, the agent would still continue to send out the discovery packets every 5 seconds, and if that traffic is allowed in the access VLAN, it will pop the agent up again.
    HTH,
    Faisal

  • NAC/Clean Access for VOIP Phones

    Hello - here is a snippet from the CAM manual. "You must create a Global Device filter list of MAC Addresses designed to ignore IP phones through which client machines connect to your network. You can define a list of MAC Addresses by compiling a collection of individual MAC addresses (Cisco recommends this method only for small deployments)"
    Therefore - what does Cisco recommend for large deployments?
    Maintaining a whitelist of Printers/APs is bad enough, now we have to whitelist hundreds of phones? I doubt the wildcard filters would match all of them.

    You can always use Great Bay Beacon. This is what Cisco has recommended in the past.
    http://www.cisco.com/en/US/products/ps6128/products_white_paper0900aecd8056c574.shtml

  • NAC Clean Access as a VM Official Support?

    When will (or is it already?) NAC be officially supported running as a VM?
    4.8.1 installs just fine and appears to run well (I was using an eval license) on vSphere 4.1.
    -Mike

    Hi Mike,
    The next major release NAC 4.9 is expected to release by the end of this year.
    There is no planning for support on VM for NAC. You may contact your accounts team if you need any further information so that they can reach out to the NAC product team.
    Hope this helps
    - Srilatha

  • NAC clean access agent page redirect

    I have a NAM and NAS pair that I have recently upgraded from 4.1 to 4.7 using the proper upgrade path.  These devices also received new IP addressing.
    My issue is that when a user is routed to the NAS the redirect page seems to point to the old IP address of the NAM rather than the new IP address, so naturally this page cannot be displayed.  My discovery host is set to the IP of the NAM currently, have tried both NAM and NAS.
    Thanks,
    Matt

    Matt,
    Look at the certificate installed on your CAS. It is still issued to the old IP/NAME I think. Change that and try.
    HTH,
    Faisal

  • NAC/Clean Access Configuration Documentation

    Have I missed the obvious? I want to record the configuration of my CAM/CAS in a human-readable format. All I can think of is screen shots, but these don't show the full character string in a scrolling text box, and also after 40 screen shots I still haven't captured everything. Is there a better way?

    I ran into the same issue and also resorted to screenshots.
    Luckily I have TechSmith's SNAGIT which will capture scrolling windows.
    Maybe 4.6 will have this as a new feature?

  • Clean Access / NAC Visio Stencils or Templates?

    Anyone know of any stencils or templates for NAC / Clean Access for Visio?
    Working on documentation for deployment and it would be nice to have some rather than just use something generic. I can't seem to find any on Cisco's site.

    Try this link:
    http://www.cisco.com/en/US/products/ps6128/products_data_sheet0900aecd802da1b5.html

  • Cisco Clean Access Agent patch?

    I just upgraded to Snow Leopard today without realizing that my campus uses Cisco's Clean Access Agent to allow access to the network. Every time I try to log in it tells me "Agent user operator system not supported." It is version 4.6.0.3. I realize now that this is not a campus problem, but more likely a program problem. Is there any word on a way around this or a patch in the near future?
    Thanks.

    The same issue occurred on my campus. Cisco claims they will fix the problem between 3 and 90 days.
