Cisco NAC profiler

Hi,
I have a few doubts; if anyone can clear them up, it will be great. I have a NAS OOB real IP gateway deployment in my network.
Assuming all the ports are NAC-controlled, as soon as a client plugs in it will be in the auth VLAN.
Now I have a Cisco NAC Profiler in my network which I am going to configure for IP phones and printers.
For example, the port the IP phone is connected to will be under the auth VLAN also.
Hence, as soon as the IP phone gets connected, the Cisco Profiler will see the profile and change the auth VLAN to its respective VLAN, by mapping the profile to the NAC profile which we have mapped in the Profiler and given the VLAN in the NAC user profile for the IP phone.
Please correct me if I am wrong in my understanding of how this works. I need to profile IP phones; I am not able to bridge the connection.
It would be a great help if you can help me out.
Thanks in advance.

Dear Nitesh,
The IP phones should be configured to work on the Voice VLAN; the NAC Manager on its OOB config can only manage the access VLAN for the switch port.
Given this, the correct config for the filters for the IP Phones is "ignore", as described here:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_addSrv.html#wp1092789
The NAC Profiler can help to add these filters without manual intervention, so you should configure the Profiler with the appropriate NAC event that configures the filter for the IP Phone MAC address to "ignore".
This won't cause the port to change status NAC wise, as the NAC Manager will simply "ignore" the MAC notification for the IP Phone(s).
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Similar Messages

  • NAC Profiler 2.18: Endpoint Profiles Missing

    This is a licensed Nac Profiler which has no canned Endpoint Profiles included.
    I go to Configuration--->Endpoint Profiles---> View/Edit Profile List
    The message I see is "No Profiles Found"
    Please clue me in on what I am missing.
    This is from the install guide:
    "Enabling Existing Endpoint Profiles
    Cisco NAC Profiler ships with a number of predefined Endpoint Profiles that have been created and tested in field deployments. These Profiles can be re-used as-is if desired, or may be modified as the situation dictates. In addition, they serve as templates for creating new profiles as outlined later in this section, and illustrate how different rule types and varying levels of certainty can be used to accurately Profile devices.
    To view the list of Endpoint Profiles that are currently available in the system configuration, navigate to the Configuration tab, and select Endpoint Profiles option from the global navigation menu in the far left hand pane, or select Endpoint Profiles from the leftmost column of the table on the main Configuration page. Select View/Edit Profile List to display the Endpoint Profiles currently saved in the system configuration."
    Thanks.

    To verify that Cisco NAC Profiler is populating entries properly in the Device Filter list of the CAM, log into the CAM as administrator. Select the Filters button under Device Management in the left-hand navigation bar. The following screen displays in the main pane of the browser, enumerating all the endpoints currently on the CAM Device Filter list.
    After configuring the Server module parameters, adding NAC Events, and performing a Synchronization process (full or NAC Event level), the endpoints that are in the Profile(s) matching enabled (and synchronized) NAC events should be populated to the device filter list of the CAM.
    http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/218/p_integration.html#wp1055729

  • NAC Profiler database utility for upgrade

    I am trying to upgrade NAC Profiler Lite by following this Cisco doc:
    http://www.cisco.com/en/US/customer/docs/security/nac/profiler/release_notes/310/310rn.html#wp102045
    In the section "Upgrading 2.1.8 Cisco NAC Profiler Server and Profiler Lite Standalone Systems to 3.1.0",
    I'm trying to run the database migration utility. The utility shows up in the home/beacon directory. When I run the command specified in the doc to untar the utility package (tar xvfz DB-utility_218to31x.tgz) I receive the following errors:
    gzip: stdin: not in gzip format
    tar: Child returned status 1
    tar: Error exit delayed from previous errors
    Any suggestions?

    The file name is DB-utility_219to31x.tgz and the MD5 on the download page is 335b7ca5215394ccc94c7b48ca242a3b.
    I'm not sure if it is changing during the download to my workstation or not. I had our IA Security guy look at it and he said there is no way for him to check the MD5 of the file on my workstation. Once I put it on the profiler, the MD5 is
    d9093b0525e904f94e19825a57589ac1

  • NAC Profiler integration - cant add filter list on CAM

    Hi All,
    I have a problem regarding the Profiler - NAC integration for end point profiling.
    Here is the situation:
    I already created the integration based on the steps in the guide "Configuring Cisco NAC Appliance Integration". I think the configuration is correct because I can do database synchronization between Profiler and CAM. Here is the Profiler server log:
       NAC_SYNC: Task_Queue_Runner starting up
       NAC_SYNC: Profiler / NAC Synchronization END [add 0, upd 0, desc 0, rm 0]
       NAC_SYNC: Profiler / NAC Synchronization START
       INFO: [2010-12-15 11:01:09 (fcapGetHWAddr:49)]  Getting MAC for eth0
    I already created an endpoint profile named "Admin" which is based on IP address. I also created NAC events based on the endpoint profile "Admin".
    The NAC event maps the "Admin" profile to a NAC role. The purpose of this event is to bypass NAC authentication for "Admin", so that "Admin" can connect to the network automatically in one NAC role.
    However, when "Admin" connects to the network, it is still challenged by NAC. I don't see "Admin" on the CAM filter list either.
    This means that the endpoint profiling is still failing.
    Does anyone have any experience with this?
    Thank you for the support and comments.
    Imad

    Hi,
    Ok, so the Profiler will only add devices to the CAM filter list if a device falls into a profile for which a NAC event is configured.
    If there is no device on the profile -> No NAC event -> No device added to the CAM.
    Is there any device that was assigned to that profile?
    Regarding the Active Rule column, it is used to quickly ascertain which Endpoint Profiles on a system (if any) contain an Active Rule that will result in the Profiler system doing active collection if one or more NetInquiry Collector component modules are enabled. Active profiling rules and active profiling are described in detail in the "Configuration of Active Directory Data Rules" section: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/311/p_endpt_part231.html#wpxref59325.
    HTH,
    Tiago

  • Lost root password nac profiler

    Hi all,
    Any idea how to reset the root password for the Network Admission Control (NAC) Profiler? Like some link or else?
    I would really appreciate it if you all could help resolve my problem.

    Hi,
    To recover the root password, you'll want to follow these steps: http://www.cisco.com/en/US/products/ps6128/products_password_recovery09186a008073cab6.shtml#later.
    Even though it is not specific to the profiler software, the appliance is the same so the recovery process is the same.
    If you've lost the admin password, you can reset the password using this procedure: http://www.cisco.com/en/US/docs/security/nac/profiler/configuration_guide/310/p_user_man31.html#wp1066696.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server. The symptoms when the NAC server hangs include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via HTTPS, and the HA pair being detected as down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server recovered after a manual power cycle of the hardware.
    After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried searching the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, since software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone can help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA server. If this still doesn't work, it could also be due to an overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
    My Cisco NAC Agent (version 4.9.1.682) hasn't worked since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released? It's getting really frustrating.

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • How to clear the endpoint directory in NAC Profiler

    Hi All,
    I want to delete all the endpoint discovered and profiled by the NAC Profiler.
    Can anybody guide me on this, such that I can delete all the endpoint discovered and profiled by the Profiler in one go.
    Thanks,
    Abuzar.

    Hi,
    You can either try to reboot, or go to "Configuration", "Apply Changes" and then "Re-model".
    I don't think you can simply delete everything; you just re-profile everything from scratch.
    Nicolas

  • Cisco NAC Web Agent + Windows 8

    Hello,
    I'm implementing Cisco ISE 1.2 and I am having trouble with NAC Web Agent and Windows 8 compatibility.
    Every time I try to install the NAC Web Agent on Windows 8, I get the message "Agent User Operating System is Not Supported".
    Following is some information about my environment:
    ISE 1.2 Patch 3
    OS: Windows 8 Enterprise
    IE: 10 (In Desktop Mode w and w/o Compatibility View)
    NAC Web Agent: 4.9.0.1007
    Could you help me?
    Best Regards,
    Daniel Stefani

    Hi Charles,
    I can download all these files, but I can't import them into ISE Resources.
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.9.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.9.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.9.tar.gz
    Mac Agent Installation Package for MacOSX
    CCAAgentMacOSX-4.9.3.803.tar.gz
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.5.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.5.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.5.tar.gz
    The link that you sent me doesn't have options for the Cisco NAC Web Agent.
    But the following one does...
    http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Best Regards,
    Daniel Stefani

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
    I am re-imaging the Cisco NAC Appliance 3315 and installing Cisco ISE 1.1.4...
    After finishing the installation, when I type "SETUP", it gives me the error below:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise....
    I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in the CLI... see the link below
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    any idea...
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
    Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal
    - Do rate helpful posts -

  • RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE

    Dear Team,
    I have faced an issue with dot1x/MAB authorization between a Cisco 3750 switch and ISE 1.1. I have a Cisco IP phone connected on port gig1/0/1 to be authenticated through MAB with Cisco ISE:
    int gig 1/0/1
    switchport mode access
    switchport access vlan 9
    switchport voice vlan 410
    authentication order mab dot1x
    authentication priority dot1x mab
    spanning-tree portfast
    authentication host-mode multi-domain
    authentication port-control auto
    dot1x pae authenticator
    mab
    dot1x timeout tx-period 3
    dot1x max-reauth-req 2
    authentication periodic
    authentication timer reauthenticate server
    I can get authentication successfully but can't download the authorization profile on the gig1/0/1 port, although I can see that everything seems fine from the ISE side: the phone is authenticated and authorized fine. So I debugged the dot1x & radius flows from the switch side and got this result.
    RADIUS/ENCODE(00000043):Orig. component type = Dot1X
    RADIUS(00000043): Config NAS IP: 1.1.1.2
    RADIUS(00000043): Config NAS IPv6: ::
    RADIUS/ENCODE(00000043): acct_session_id: 57
    RADIUS(00000043): sending
    RADIUS(00000043): Sending a IPv4 Radius Packet
    RADIUS(00000043): Send Access-Request to 1.1.1.1:1812 id 1645/72, len 261
    RADIUS:  authenticator 82 94 D8 85 E9 E0 CF 71 - 03 FE C5 BA 76 EC 76 C4
    RADIUS:  User-Name           [1]   14  "00152bd20c19"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  Service-Type        [6]   6   Call Check                [10]
    RADIUS:  Vendor, Cisco       [26]  31 
    RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
    RADIUS:  Framed-MTU          [12]  6   1500                     
    RADIUS:  Called-Station-Id   [30]  19  "30-F7-0D-CD-5F-01"
    RADIUS:  Calling-Station-Id  [31]  19  "00-15-2B-D2-0C-19"
    RADIUS:  Message-Authenticato[80]  18 
    RADIUS:   90 B9 61 65 CC A6 B2 89 BC C8 3D DC D4 14 03 C5               [ ae=]
    RADIUS:  EAP-Key-Name        [102] 2   *
    RADIUS:  Vendor, Cisco       [26]  49 
    RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8424200000036001B2AAE"
    RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    RADIUS:  NAS-Port            [5]   6   50101                    
    RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/1"
    RADIUS:  Called-Station-Id   [30]  19  "30-F7-0D-CD-5F-01"
    RADIUS:  NAS-IP-Address      [4]   6   1.1.1.2                  
    RADIUS(00000043): Started 5 sec timeout
    RADIUS: Received from id 1645/72 1.1.1.1:1812, Access-Accept, len 297
    RADIUS:  authenticator D5 2C 29 3B AC C8 A7 2F - A4 75 45 F5 51 6D 4F A8
    RADIUS:  User-Name           [1]   19  "00-15-2B-D2-0C-19"
    RADIUS:  State               [24]  40 
    RADIUS:   52 65 61 75 74 68 53 65 73 73 69 6F 6E 3A 43 30  [ReauthSession:C0]
    RADIUS:   41 38 34 32 34 32 30 30 30 30 30 30 33 36 30 30  [A842420000003600]
    RADIUS:   31 42 32 41 41 45            [ 1B2AAE]
    RADIUS:  Class               [25]  50 
    RADIUS:   43 41 43 53 3A 43 30 41 38 34 32 34 32 30 30 30  [CACS:C0A84242000]
    RADIUS:   30 30 30 33 36 30 30 31 42 32 41 41 45 3A 69 73  [00036001B2AAE:is]
    RADIUS:   65 33 2F 31 35 30 33 30 36 35 37 38 2F 33 38 36  [ e3/150306578/386]
    RADIUS:  Termination-Action  [29]  6   1                        
    RADIUS:  Message-Authenticato[80]  18 
    RADIUS:   09 17 84 AB 27 8E B4 E0 F4 A6 93 EE 19 2A A6 34               [ '*4]
    RADIUS:  Vendor, Cisco       [26]  34 
    RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
    RADIUS:  Vendor, Cisco       [26]  75 
    RADIUS:   Cisco AVpair       [1]   69  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-4fe7f797"
    RADIUS:  Vendor, Cisco       [26]  35 
    RADIUS:   Cisco AVpair       [1]   29  "profile-name=Cisco-IP-Phone"i
    RADIUS(00000043): Received from id 1645/72
    RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
    %MAB-5-SUCCESS: Authentication successful for client (0015.2bd2.0c19) on Interface Gi1/0/1 AuditSessionID C0A8424200000036001B2AAE
    %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.2bd2.0c19) on Interface Gi1/0/1 AuditSessionID C0A8424200000036001B2AAE
    %DOT1X_SWITCH-5-ERR_VLAN_RSPAN: Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1. 802.1x is incompatible with RSPAN AuditSessionID C0A8424200000036001B2AAE
    RADIUS/ENCODE(00000000):Orig. component type = Invalid
    So, I notice two things:
    1- "RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE" on the RADIUS attribute, although I believe I configured the RADIUS VSA attribute fine, as shown:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa session-id common
    aaa accounting update periodic 5
    aaa server radius dynamic-author
    client 1.1.1.1 server-key 0 cisco
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key cisco
    radius-server vsa send accounting
    radius-server vsa send authentication
    2- "%DOT1X_SWITCH-5-ERR_VLAN_RSPAN:", since I don't have any configuration related to RSPAN.
    So, does anybody have any idea how to fix this issue?
    Regards
    Basel

    It is not the ACL it is ignoring, it's the profile-name, which it should, because it has nothing to use that for. However, you should look into VLAN 410 to check and see if you have any config relating to that VLAN; the only actual error I see in your logs is the one regarding assigning VLAN 410. Could you please post your entire switch config, so we can see what else you might have configured.
    %DOT1X_SWITCH-5-ERR_VLAN_RSPAN: Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1. 802.1x is incompatible with RSPAN AuditSessionID C0A8424200000036001B2AAE
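    As an added example (not code from the thread or from Cisco), a small Python triage script for this kind of switch debug output: it parses the RADIUS packets and Cisco AV pairs, reports the ignored `profile-name` VSA as informational, and flags the `ERR_VLAN_RSPAN` syslog as the actual failure, which is the conclusion of the reply above. The embedded sample is an abridged copy of the debug output posted in the question; the finding wording and the function names are constructed here.

```python
"""Triage IOS 'debug radius' output like the paste above: split it into RADIUS
packets with Cisco AV pairs unpacked, collect decoder notes and syslog lines, and
tell the harmless IGNORE note apart from the real ERR_VLAN_RSPAN failure."""
import re
from dataclasses import dataclass, field

# Packet boundaries: "RADIUS(id): Send Access-Request to ..." and
# "RADIUS: Received from id ..., Access-Accept, len N".
PACKET_RE = re.compile(
    r"^RADIUS(?:\(\w+\))?: (?:Send|Received from) .*?\b(Access-(?:Request|Accept|Reject|Challenge))\b")
# Attribute lines 'RADIUS:  Name  [type]  len  value'; the name may contain a space
# ("Vendor, Cisco") or be truncated into the bracket ("Message-Authenticato[80]").
ATTR_RE = re.compile(r"^RADIUS:\s+(?P<name>.+?)\s*\[(?P<type>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$")
SYSLOG_RE = re.compile(r"^%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$")
UNKNOWN_VSA_RE = re.compile(r'^RADIUS/DECODE: parse unknown cisco vsa "(?P<vsa>[^"]+)" - IGNORE')
RSPAN_RE = re.compile(r"Attempt to assign RSPAN VLAN (?P<vlan>\d+) to 802\.1x port (?P<port>\S+)\.")

@dataclass
class Packet:
    kind: str                                    # Access-Request, Access-Accept, ...
    attrs: list = field(default_factory=list)    # (name, type, value) in wire order
    avpairs: dict = field(default_factory=dict)  # Cisco AVpair "key=value" unpacked

def parse_debug(text):
    """Return (packets, ignored_vsas, syslog) from raw debug text."""
    packets, ignored, syslog = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := PACKET_RE.match(line):
            packets.append(Packet(kind=m.group(1)))
        elif m := UNKNOWN_VSA_RE.match(line):
            ignored.append(m.group("vsa"))
        elif m := SYSLOG_RE.match(line):
            syslog.append(m.groupdict())
        elif (m := ATTR_RE.match(line)) and packets:   # hex-dump lines never match
            value = " ".join(m.group("value").split()).strip('"')
            pkt = packets[-1]
            pkt.attrs.append((m.group("name"), int(m.group("type")), value))
            if m.group("name") == "Cisco AVpair" and "=" in value:
                key, _, val = value.partition("=")
                pkt.avpairs[key] = val
    return packets, ignored, syslog

def triage(packets, ignored, syslog):
    """Classify what the debug shows; returns a list of (level, message)."""
    accept = next((p for p in packets if p.kind == "Access-Accept"), None)
    if accept is None:
        return [("error", "no Access-Accept seen: authentication itself failed or timed out")]
    findings = []
    for vsa in ignored:
        # The decoder logged the VSA and moved on; every other AV pair in the
        # Accept (ACL, traffic class, ...) is still applied. Informational only.
        findings.append(("info", f'unknown Cisco VSA "{vsa}" ignored (value '
                                 f'"{accept.avpairs.get(vsa, "?")}"); authorization unaffected'))
    if accept.avpairs.get("device-traffic-class") == "voice":
        findings.append(("info", "device-traffic-class=voice: the switch authorizes the "
                                 "session into the port's configured voice VLAN"))
    for ev in syslog:
        m = RSPAN_RE.search(ev["text"])
        if ev["mnemonic"] == "ERR_VLAN_RSPAN" and m:
            findings.append(("error", f"VLAN {m.group('vlan')} on {m.group('port')} is defined "
                                      "as an RSPAN VLAN on this switch; 802.1X/MAB cannot assign "
                                      "it, so authorization of the port fails"))
    return findings

# Constructed sample: an abridged copy of the debug output posted above.
SAMPLE = """\
RADIUS(00000043): Send Access-Request to 1.1.1.1:1812 id 1645/72, len 261
RADIUS:  User-Name           [1]   14  "00152bd20c19"
RADIUS:  Vendor, Cisco       [26]  31
RADIUS:   Cisco AVpair       [1]   25  "service-type=Call Check"
RADIUS:  Message-Authenticato[80]  18
RADIUS:   90 B9 61 65 CC A6 B2 89 BC C8 3D DC D4 14 03 C5               [ ae=]
RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/1"
RADIUS: Received from id 1645/72 1.1.1.1:1812, Access-Accept, len 297
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "device-traffic-class=voice"
RADIUS:  Vendor, Cisco       [26]  35
RADIUS:   Cisco AVpair       [1]   29  "profile-name=Cisco-IP-Phone"
RADIUS/DECODE: parse unknown cisco vsa "profile-name" - IGNORE
%MAB-5-SUCCESS: Authentication successful for client (0015.2bd2.0c19) on Interface Gi1/0/1 AuditSessionID C0A8424200000036001B2AAE
%DOT1X_SWITCH-5-ERR_VLAN_RSPAN: Attempt to assign RSPAN VLAN 410 to 802.1x port GigabitEthernet1/0/1. 802.1x is incompatible with RSPAN AuditSessionID C0A8424200000036001B2AAE
"""

if __name__ == "__main__":
    for level, msg in triage(*parse_debug(SAMPLE)):
        print(f"[{level}] {msg}")
```

    Run it against a full `debug radius` capture to get one line per finding; anything at level "error" is what actually stops the port from being authorized.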

  • Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

    Hi All,
    We have posture assessment working with the Cisco NAC Agent, checking only the Symantec Antivirus definition update and installation. Windows Defender is present on all the user PCs but is turned off and not in use. But the Cisco NAC Agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
    Has anyone encountered this before? Please suggest. I want to get rid of Windows Defender from this list in the NAC Agent.

    Closest enhancement I could check on this is
    CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
    Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
    This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date. Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option, which is very cumbersome to configure.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
    I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64-bit, but I can't start the Active Directory SSO Service, which shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
    2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer - Server was not running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server starting server ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server is now running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - SPN : [ccasso/[email protected]]
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - done building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - KDC(s) :[10.0.240.100]
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - creating login context ...
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
    2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... KDC has no support for encryption type (14)
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Notifying GSSServer status Stopped
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run 2008 Server with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
    For Windows 2008 Server at 2003 Server functional level:
    ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
    PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

    We have this problem with one of our clients:
    "Cisco NAC Agent is having a difficulty with the server. Agent user operation system
    is not supported".
    Anyone encounter this problem ?
    thanks.

    Hi Tarik,
    We have:
    Cisco Clean Access Server   Version 4.9.0
    Cisco Clean Access Lite Manager   Version 4.9.0
    I can see your point now, that I should start by upgrading to 4.9.1.
    Let me do that, and see if it helps.
    Thanks very much, I will keep you posted.

  • NAC Profiler DNS Name Queries

    Hi Guys,
    I'm having an issue with NAC Profiler 3.1.1_18 when trying to profile servers using DNS Name.
    I have one collector configured to do DNS Collection with Zone Transfer enabled.
    If I do a search with the string *.server.*, the system returns just the servers with the word "server" in the DNS name. This is working fine.
    But when I create a profile (named Servers) and add a rule to match DNS server names with the string *.server.*, the Profiler will put in the Servers profile all devices that have any data in the DNS Name field, no matter whether they have the word "server" in the name or not.
    Any idea about what I'm forgetting?
    NetInquiry Configuration
    Module Status:
    Running
    Maximum allowed workers:
      (default = 5)
    Enable DNS Collection:
    Zone Transfer:
    Domain Name:
    Network blocks (one per line):
    10.0.0.0/8

    Hi Luciano,
    You may want to test quickly by using the following string in the DNS Name field: /server/i
    Regards,
    Fede
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
