Cisco NAC Remediation Config Assistance

I'm deploying NAC for a large enterprise. They would like to use the NAC for posture assessments but manual remediation. If the users do not meet the Windows patch and AV requirements they are expected to manually remediate their systems, not using the CCA agent.
Is this possible? I cannot find a specific example of this. Their reason for this design is that they have multiple partners using this service but they cannot remediate systems which they do not manage; we can only enforce the policies.
Thanks for the assistance.

There will be three requirements:
- a custom requirement checking for registry entries and files to determine if the system is a corporate asset or not.
- a Windows patch check
- AV checks
The customer does not require remediation from the NAC at all. They only wish to use the product for posture assessment. I do not want to offer the option of remediation at all. There are two reasons for this decision:
1) They cannot perform remediation to 3rd party systems since they do not manage the asset.
2) They currently have software deployment farmed out to another company which does not use WSUS. They use Tivoli.
Any advice would be appreciated. Thanks!
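As an added example (not from the original thread and not Cisco's agent code), the following PowerShell script runs the same three checks locally in posture-assessment-only mode: it reports which requirements fail and never remediates. The registry key, marker file and KB identifiers are assumed placeholders, and the productState decoding is a common community convention rather than a documented field layout.

```powershell
# Added example, not from the original thread: a posture-assessment-only check
# that mirrors the three requirements (corporate-asset marker, Windows patches,
# AV state). It only reports; it never installs, updates or changes anything.

$CorporateMarkerKey   = 'HKLM:\SOFTWARE\ExampleCorp\Asset'    # assumed placeholder
$CorporateMarkerValue = 'AssetTag'                             # assumed placeholder
$CorporateMarkerFile  = 'C:\ProgramData\ExampleCorp\asset.id'  # assumed placeholder
$RequiredHotfixes     = @('KB0000001', 'KB0000002')            # placeholder KB ids

function Test-CorporateAsset {
    # Both the registry value and the marker file must exist to count as a corporate asset.
    $value  = Get-ItemProperty -Path $CorporateMarkerKey -Name $CorporateMarkerValue -ErrorAction SilentlyContinue
    $regOk  = $null -ne $value
    $fileOk = Test-Path -Path $CorporateMarkerFile -PathType Leaf
    [pscustomobject]@{ Requirement = 'CorporateAsset'; Pass = ($regOk -and $fileOk); Detail = "registry=$regOk file=$fileOk" }
}

function Test-WindowsPatches {
    # Compare the required KB list against what Get-HotFix reports as installed.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $missing   = @($RequiredHotfixes | Where-Object { $_ -notin $installed })
    [pscustomobject]@{ Requirement = 'WindowsPatches'; Pass = ($missing.Count -eq 0); Detail = "missing=$($missing -join ',')" }
}

function Test-AntiVirus {
    # Security Center lists every registered AV product; one enabled and current product is enough.
    # The productState decoding below is a widely used convention, not a documented layout:
    # hex byte 2 of 10/11 = real-time protection on, hex byte 3 of 00 = definitions current.
    $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    $states = foreach ($p in $products) {
        $hex = '{0:X6}' -f $p.productState
        [pscustomobject]@{
            Name     = $p.displayName
            Enabled  = ($hex.Substring(2, 2) -in @('10', '11'))
            UpToDate = ($hex.Substring(4, 2) -eq '00')
        }
    }
    $good   = @($states | Where-Object { $_.Enabled -and $_.UpToDate })
    $detail = ($states | ForEach-Object { "$($_.Name):enabled=$($_.Enabled),current=$($_.UpToDate)" }) -join '; '
    [pscustomobject]@{ Requirement = 'AntiVirus'; Pass = ($good.Count -gt 0); Detail = $detail }
}

# Run all checks, print a report, and signal the overall result via the exit code.
# No remediation is attempted: a failing host is simply reported as non-compliant.
$results = @((Test-CorporateAsset), (Test-WindowsPatches), (Test-AntiVirus))
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Output 'POSTURE: NON-COMPLIANT (manual remediation required)'
    exit 1
}
Write-Output 'POSTURE: COMPLIANT'
exit 0
```

Running it under an account that can read HKLM and the SecurityCenter2 namespace gives a per-requirement pass/fail table; the exit code is what a wrapper or scheduled task would use to record the posture result without touching the host.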

Similar Messages

  • 1800 not connecting to Cisco Config Assistant

    Hello,
I have Cisco Config Assistant running in my server room; I am able to connect to my ESW 520 switch without any issue.
When I go to connect to my 1800 Router, my admin account with priv 15 on it does not work.
If anyone can help me find what is missing in my config I'd be very appreciative.

I run CUVA 2.2.2.0 on Windows 7 x64. It works fine with my 7975 and IP Communicator. Earlier versions didn't have the x64 CDP driver for Win7, which is why it couldn't see the phone.
    You mention that you're running on a UC560 but on a different handset than you previously had while in a working state.
    Have you checked the UC config to ensure "video" is enabled on that "ephone"?  Should see the camera icon at the bottom right of your Phone screen if it's enabled.

  • Question about cisco nac agent

When I deploy Cisco NAC appliance, what is the main difference between using Cisco NAC appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If Cisco NAC appliance is used without the agent, the Cisco NAC server will scan the device and remediate. Is that right?
    Please answer me early. Thank you for your answer.

    Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
3) There are configuration steps for many of the plug-ins.
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
Of course, the agent is only for MSoft (with some Mac options), so if you have Linux systems, the Nessus scanner would be your only option.

  • Cisco NAC Placemant

    Hi,
I am new to NAC and I have an implementation coming up. We have sold them 2 NAC servers, 1 NAC manager and an ACS server.
The customer has VPN users, wireless users and 3 remote branches. I am planning to place the devices in OOB, Virtual IP and L2 mode. Is this a good practice? Will this make any complications?
How can I place the ACS server (appliance) in the network? Do I need to use 802.1x? Is it a good practice to use a NAC solution + 802.1x in a network?
Kindly suggest how to place the ACS.
    Thanks in advance .

    Hi,
    you can use NAC + ACS for VPN and Wireless access.
Basically you can leverage VPN Auth using RADIUS and also Wireless authentication using RADIUS/802.1x.
Then you can enable VPN/Wireless SSO on the CAS, so as to leverage the RADIUS/802.1x authentication also for NAC, and have the clients go through posture assessment.
    Although you cannot do OOB for VPN, you can do this for Wireless with the Cisco WLC.
    If you use VPN and/or Wireless clients that are not L2 adjacent to the CAS, you will have to use L3 mode on the CAS.
A CAS can only be IB *OR* OOB, Virtual-Gateway *OR* Real-IP Gateway at any given time.
    So if you want to combine Wireless OOB with VPN, you will need to use separate CAS for Wireless and VPN.
    Please look at the following documents for more details:
    * CAS config guide:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_vpncon.html
    * Wireless NAC OOB Config example:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080a138cc.shtml
    * VPN In-Band VGW config example:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Cisco NAC profiler

    Hi,
I have a few doubts; if anyone can clear them up it will be great. I have a NAS OOB real IP gateway deployment in my network.
Assuming all the ports are Nac_controlled, as soon as the client plugs in they will be in the auth VLAN.
Now I have a Cisco NAC Profiler in my network which I am going to configure for IP phones and printers.
For example, the port the IP phone is connected to will be under the auth VLAN also.
Hence, as soon as the IP phone gets connected, the Cisco Profiler will see the profile and change the auth VLAN to its respective VLAN by mapping the profile with the NAC profile which we have mapped in the Profiler and given the VLAN in the NAC user profile for the IP phone.
Please correct me if I am wrong in my understanding of the working. I need to profile IP phones. I am not able to bridge the connection.
It would be a great help if you can help me out.
    thanks in advance.

    Dear Nitesh,
    The IP phones should be configured to work on the Voice VLAN; the NAC Manager on its OOB config can only manage the access VLAN for the switch port.
    Given this, the correct config for the filters for the IP Phones is "ignore", as described here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_addSrv.html#wp1092789
    The NAC Profiler can help to add these filters without manual intervention, so you should configure the Profiler with the appropriate NAC event that configures the filter for the IP Phone MAC address to "ignore".
    This won't cause the port to change status NAC wise, as the NAC Manager will simply "ignore" the MAC notification for the IP Phone(s).
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • Database Config Assistant - Oracle 9.2 on Linux

    I installed Oracle 9.2.0.1.0 on Red Hat Linux v8.
When I try to use the Database Config Assistant to create a database, I get an ORA-27123, "unable to attach to shared memory", error.
    This occurs in the 3rd step of database creation,
    Copying database files
    Initializing database
    Creating and starting Oracle Instance
    I can create a database manually - using hand written scripts.
    If I forget to define and export ORACLE_SID, I get
    the same problem when I try to startup a database.
    1. does the DBCA work correctly in Oracle 9.2.0.1.0
    on Linux?
    2. if so, how do I get it to work ok?

    Just a question...
I have got Oracle 9.0.1 installed on Win XP in the C drive and 6i patch 15 installed in the D drive. My Windows XP is on the D drive.
So after installation of Linux, will I be able to install another Oracle 9.2 database? If yes, which drive (C or D) should I install it on? Or is it better to keep only one Oracle database version?
    Thanks

  • Cisco NAC server hang issue

Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
The issue has already happened a few times on the same server, and the symptoms when the NAC server hangs include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via HTTPS, and the HA pair being detected down by its HA neighbor, triggering failover to the secondary CAS.
The CAS server recovered after a manual power cycle of the hardware.
After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue was happening, but unfortunately no suspicious activity was logged before or during the issue.
I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, since software version 4.8.1 has been running in my company for years and only one CAS server has the issue.
It will be great if anyone can help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
If all else fails, then a hardware swap would seem like the next best thing.

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
My Cisco NAC Agent (version 4.9.1.682) hasn't worked since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
Any update on when a new version is going to be released? It's getting really frustrating.

I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • Cisco NAC Web Agent + Windows 8

    Hello,
I'm implementing Cisco ISE 1.2 and I am having trouble with NAC Web Agent and Windows 8 compatibility.
Every time I try to install NAC Web Agent on Windows 8, I get the message "Agent User Operating System is Not Supported".
Following is some information about my environment:
    ISE 1.2 Patch 3
    OS: Windows 8 Enterprise
    IE: 10 (In Desktop Mode w and w/o Compatibility View)
    NAC Web Agent: 4.9.0.1007
    Could you help me ?
    Best Regards,
    Daniel Stefani

    Hi Charles,
I can download all these files, but I can't import them in ISE Resources.
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.9.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.9.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.9.tar.gz
    Mac Agent Installation Package for MacOSX
    CCAAgentMacOSX-4.9.3.803.tar.gz
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.5.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.5.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.5.tar.gz
The link that you sent me doesn't have options for Cisco NAC Web Agent.
But the following one does:
    http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Best Regards,
    Daniel Stefani

  • Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

    Hi,
I am re-imaging the Cisco NAC Appliance 3315 and installing Cisco ISE 1.1.4...
After finishing the installation, when I type "SETUP"... it gives me the below error:
    # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
    # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
    Please advise....
I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in the CLI... see the link below
    (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
    any idea...
    Regards,
    Mubasher Sultan

    Where did you get the recovery media? Did you download from cisco.com?
Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
    Supporting link:
    http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

    Hi All,
We have posture assessment working with the Cisco NAC Agent, checking only the Symantec Antivirus definition update and installation. Windows Defender is present on all the user PCs but turned off and not in use. But the Cisco NAC Agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
Has anyone encountered this before? Please suggest. I want to get rid of Windows Defender from this list in the NAC Agent.

    Closest enhancement I could check on this is
    CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if, say, MSE is up to date but not Windows Defender (since it is disabled).
    This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • DB Config Assistant Problem post install

    I have downloaded Oracle 8i Personal Ed from Oracle Technet. I have gotten almost to the end of installation onto Win2K Professional. It has successfully configured Net8 Config Assistant and OMS NT Service, but the Oracle DB Config Assistant configuration fails. The dbSilentCreate.log file only says the following :
    8i is an invalid command line argument.
    Can you help me out please.
    Thanks In Advance
    Andrew

    can you be a bit more specific about which parameters you need help with?
    defaults are (to my understanding):
    Listener port number: 1521
    Database SID: $ORACLE_SID
    Service name: $ORACLE_SID
    Email address for notification: [email protected], if left null no emails are sent
Email gateway for notification: localhost (if you have sendmail or postfix installed and configured)
    Password for dbsnmp: secret?
    Password for sysman: secret?
    Password for sys: secret?
    This should help you.
    @andreas: giving the advice to run a script that jlopes needs help with, isn't the best advice in the world. Trying to get your postcount up?

  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start the Active Directory SSO Service, which shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer - Server was not running ...
2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server starting server ...
2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server is now running ...
2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - SPN : [ccasso/[email protected]]
2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - done building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - creating login context ...
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Notifying GSSServer status Stopped
2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run 2008 Server with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
    For Windows 2008 Server at 2003 Server functional level:
ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

We have this problem with one of our clients:
    "Cisco NAC Agent is having a difficulty with the server. Agent user operation system
    is not supported".
    Anyone encounter this problem ?
    thanks.

    Hi Tarik,
    We have:
    Cisco Clean Access Server   Version 4.9.0
    Cisco Clean Access Lite Manager   Version 4.9.0
I can see your point now, that I should start by upgrading to 4.9.1.
Let me do that, and see if it helps.
Thanks very much, I will keep you posted.

  • Oracle Net config assistant not opening on windows.

    Hi,
I installed Oracle 9i server on a Windows XP machine on Friday, 2nd December. I configured the listener service and netconfig name, and my application was up and running.
Today I wanted to make some changes in the listener service, but the Net Config Assistant window is not coming up. New processes launch.exe and jrew.exe are starting in the background with each attempt to launch.
I made sure I am logged in as the same user which installed Oracle on the machine (having ORA_DBA privileges), and gave full control privileges to this user. But the Net Config Assistant is still not opening up.
Could anyone help in this regard?
    Thanks
    Puneet

Has anyone of you seen this problem before?
Kindly reply ASAP.
    Thanks
