Cisco NAC web agent Network Security Policy

I have a computer with an installed McAfee Antivirus that us up to date. However, each time try to access one of my client's server via VPN, I successfully connect to VPN using Cisco Anyconnnect but whenever I try to download the web agent and the device security check is being run, I get the feedback "Host is not compliant with network security policy". It also tells me a Remediation description of "please update your antivirus". (see attached screenshot)
Please note that I already have my McAfee antivirus updated and I have done everything to keep my computer in good shape in terms of security.
What is the possible cause for this?

That means the CAM hasn't received an SNMP trap for that MAC address.  Double-check that the WLC is set up to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626
You can see if the CAM's received a trap for a specific MAC by looking under OOB Management > Devices > Discovered Clients.

Similar Messages

  • Cisco NAC Web Agent + Windows 8

    Hello,
    I´m implementing a Cisco ISE 1.2 and I am having troubles with NAC Web Agent and Windows 8 compatibility.
    All time that I try install NAC Web Agent in Windows 8, I get the message "Agent User Operating System is Not Supported".
    Follow are some informations about my Environment:
    ISE 1.2 Patch 3
    OS: Windows 8 Enterprise
    IE: 10 (In Desktop Mode w and w/o Compatibility View)
    NAC Web Agent: 4.9.0.1007
    Could you help me ?
    Best Regards,
    Daniel Stefani

    Hi Charles,
    I can download all this files, but I can’t import it in ISE Resourses.
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.9.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.9.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.9.tar.gz
    Mac Agent Installation Package for MacOSX
    CCAAgentMacOSX-4.9.3.803.tar.gz
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.5.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.5.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.5.tar.gz
    In this link that you sent me doesn’t have options to Cisco NAC Web Agent.
    But in the follow yes…
    http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Best Regards,
    Daniel Stefani

  • Cisco NAC web agent failure

    Is there a list somewhere that shows what the status's mean?  I have a few users getting this error, while others are working fine -
    Failed to download  Cisco NAC Web Agent ( status = -2 ) !
    Thanks!

    For the web agent, there are three error states
    -1 means that it was unable to launch the control at all,
    -2 means it failed to download the agent executable,
    -3 means there was an error running the web agent
    Are you using the Java or ActiveX version of the web agent?  Definitely check the browser settings for both and make sure that it's either allowing or prompting the user for the applets.  If you're using the ActiveX version, you could try forcing the Java version, as most users seem to have more lenient browser settings by default for it.

  • Use NAC Web Agent login with Ipad

    Hello Guys,
    I'm using NAC 4.8, and I'd like to login using NAC Web Agent on Ipad.
    When I'm trying to do that, I'm receiving a message on Ipad that I need to install Java Plug-In, but there is no JavaPlug-in available for Ipad.
    Does anyone know if there is any aditional configuration that I have to do on NAC Manager to be able to access the network using NAC Web Login on Ipad ?
    Best Regards

    Hi Luciano,
    Unfortunately, the NAC Web Agent and the persistant Agent are not supported for the iPad operating system. (It is called iOS). The following table documents this fact under footnote 3:
    http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp125630
    Only normal Web Login with Safari browser is enabled.
    Hope this helps.
    -Shrikant
    P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

  • NAC web agent question

    Hi,
    I need to know when can i use the NAC web agent???  is it used for guests or visitors only????
    If i used NAC web agent for guests , can i perform posture assessment for the guest users ( i mean check windows update , AV/AS or certain services)?? or network scanning will be only applied to the guests who are using NAC web agent???? 
    i read the userguide of 4.7.1 of CAM and CAS but i have some conflicts regarding the above topic , so please i need your help.
    Mohamed

    Mohamed,
    You can use it for any kind of users (guest/regular) and can do posture assessment, but no remediation. Remediation requires the full agent. The other limitation is that the web agent is only valid on Windows machines and cannot run on Mac/Linux etc.
    HTH,
    Faisal

  • Does anyone know if Cisco has a free network security audit tool?

    Does anyone know if Cisco has a free network security audit too

    No there is no free network security audit tool but you can using any of the commercial and open source tools for the same purpose
    **********Do rate helpful posts*************

  • ISE 1.3 NAC Web Agent for Posture

    Hi,
    We have two categories of wireless users (Vendors and Guests) and we need only Vendors to do posture (AV update check).We need to have two different portals to be redirected once each category of user hit as Vendor portal should also do device compliance checked and Guest portal should not do. We made a policy matching SSID (Called-Satation-ID=ssid) however when we tried it does not hits the particular rule. When we use single portal it can either do device complaint or not compliant..?
    Appreciate if any one has tried this out or has better idea how to accompany this requirement.
    Thanks in advance.

    Hello,
    Perhaps re-order the rules so the guests are first and use a rule that calls Guest Flow or Guest Identity and then vendors come next.
    Chris

  • ISE - Can't install Web Agent

    Dear guys,
    I have problem in my lab case like sequence below:
    A guest access into internal network, then will be redirect to Guest Portal.
    A guest log in successfully using credential (was created by sponsor account)
    Then, "Client Provisioning" process starts. Base on Client Provisioning policy with OS: Windows 8, guest session will be apply on Web Agent.
    Then Web Agent install and check status process starts. But, in this phase. I got a error like this:
    In Chrome & FF browser: "You will not be allowed to access the network due to internal error. please contact your administrator"
    In IE browser:
    "You will not be allowed to access the network due to internal error. please contact your administrator"
    "Your login session failed! (status = 36) You will have limited network connectivity. Please try disconnecting and reconnecting to the network to start a new connection (or) contact your system administrator if the problem persists"
    In addition:
    I imported certificated (was signed by AD Root CA) into Local Certificates.
    I imported AD Root certificated into Certificate Store.
    I will be grateful for any help you can provide.
    Have a nice day !

    Web agent should handle cert. revocation dialog box similar to Win agent
    CSCsl40626
    Description
    Symptom:
    Revocation failed dialog box keeps popping up on client machine despite of clicking "Yes" button
    Conditions:
    This issue is seen on the client machine performing login either using Windows agent or NAC web agent. The issue happens when the Clean Access Server (CAS) certificate root CA is not listed in the trusted store on the client machine. The issue is known to be reproducible on all flavors of Win XP & Win Vista using Windows or NAC web agent
    Workaround:
    Try selecting Yes. If this does not work you can turn off the security certificates revocation check by changing the options in Internet Explorer IE.
    Use the following procedure to change the option in IE:
    1. Launch IE
    2. From the tool bar, select Tools then Internet Options
    3. Select the Advanced tab
    4. In the Security section, un-check the option "Check for server certificate revocation"
    5. Click on the Apply button
    6. Click on the OK button
    7. Close IE
    8. Try the web login again
    Product:
    Cisco NAC Appliance (Clean Access)
    Known Affected Releases:
    (1)
    4.1(3.6)

  • NAC appliance(security policy/update-files)

    Does anyone know something concerning to the following issues?
    Please teach me what I can refer to on the WEB,if possible.
    1. Is there any way to apply the policy(checking OS/AV) to the kind of client devices which CAA hadn't been installed such like guest user?
    2. Is it possible that NAC appliance does clients only "port-scanning" (not checking OS/AV)?
    3. If user-company already has their own "Anti-Virus Server" or "Windows-update Server", can CAM refer to their servers(not Cisco's policy-update-server) to get current update files?
    4. How long does it take the update-files become available via Cisco's policy-update-server after each OS/AV-vender had released them?
    Regards

    No, we should install Cisco Trust agent S/W in order to collect the information about the OS versions, AV versions etc to the Policy server. And based on the security policy of the organisation, we can communicate with the AV vendors like symmntac, Mcafee servers directly for the latest patches and updates.

  • ISE Network Access Security Policy Document - High/Low

    Has anybody created the High and Low level designs for the NASP?
    This is my first time and its always easier to have a template to work off of than to reinvent the wheel.  An incomplete example is displayed below but I was hoping someone had a complete one of high and low.
    Employee Authorization Rule
    Table of Contents for Employee Security Policy:
    I. Members pg. xxx
    II. Acceptable Use Policy pg. xxx
    III. Windows 7 Security Requirements pg. xxx
    1. Approved AV Installed & Up-to-date pg. xxx
    a. Security checks pg. xxx
    b. Security rules pg. xxx
    IV. Network Access Permissions pg. xxx
    1. VLAN Segmentation pg. xxx
    a. Noncompliant Posture VLAN pg. xxx
    b. Access VLAN Name/ID pg. xxx
    2. Access Control List pg. xxx
    3. SmartPort Macro pg. xxx
    4. Security Group Tag number pg. xxx
    IV. Network Access Permissions
    1. VLAN Segmentation – Yes
    a. Noncompliant Posture VLAN = quarantine-vlan/100
    b. Access VLAN Name/ID = employees/10
    2. Access Control List – Yes
    a. Compliant ACL = permit All IP
    b. Noncompliant ACL =
    5 Permit TCP from any to “AUP web server” equaling 80
    Description: Allow anyone to access the acceptable use policy link
    64 Cisco ISE for BYOD and Secure Unified Access
    10 Permit TCP from any to “Link based remediation resources” equaling 80 & 443
    Description: Allow web traffic to the appropriate remediation resources
    20 Permit TCP from any to “file based remediation” equaling 80 & 443
    Description: Allow web traffic to the cam for remediation file distribution
    30 Permit UDP from any to “dmz DNS Server” equaling DNS
    Description: Allow DNS only to the dmz dns server
    40 Deny IP from any to any
    Description: Block everything else
    3. SmartPort Macro – no
    4. Security Group Tag number – 10

    You can download Cisco ISE High Level design document template from the following link
    ATP Partner Resource Center
    http://www.ciscosecurityatp.com/login.asp?strReturn=/index.asp

  • Policy web agent configuration failed: NSPR error Configuration Failed!!!!

    I am having troubles to install agent Apache 2.2!!!!!
    The libamapc22.so uses libstdc++.so.5....
    so i have this error:
    root@ped-02 bin# service httpd start
    Starting httpd: httpd: Syntax error on line 995 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /opt/web_agents/apache22_agent/Agent_006/config/dsame.conf: Cannot load n/opt/web_agents/apache22_agent/lib/libamapc22.so into server: libstdc++.so.5: cannot open shared object file: No such file or directory
    In my OS is Installed the libstdc++.so.6
    if I Install the libstdc++.so.5
    I have this error:
    [Wed Aug 20 15:50:35 2008] [notice] Digest: generating secret for digest authentication ...
    [Wed Aug 20 15:50:35 2008] [notice] Digest: done
    [Wed Aug 20 15:50:35 2008] [alert] Policy web agent configuration failed: NSPR error Configuration Failed
    So I have installed NSPR and NSS but this error persists.
    In log /opt/web_agents/apache22_agent/Agent_006/logs/debug/amAgent
    ===========
    2008-08-20 16:16:36.152 Error 18271:b949c3d0 all: Connection::initialize() unable to initialize SSL libraries: NSS_Initialize returned -8128
    2008-08-20 16:16:36.156 Error 18271:b949c3d0 all: initialization error: am_properties_load(com.sun.am.policy.agents.config.stopInInit) failed, error = NSPR error (12): exiting...
    2008-08-20 16:16:36.156 Error 18271:b949c3d0 all: Process initialization failure:NSPR error
    My configuration: ---- AMAgent.properties
    com.sun.am.cookie.name = iPlanetDirectoryPro
    com.sun.am.cookie.secure = false
    com.sun.am.naming.url = http://accessmanager.coreo.network.ctbc:8080/opensso/namingservice
    com.sun.am.policy.am.login.url = http://accessmanager.coreo.network.ctbc:8080/opensso/UI/Login
    com.sun.am.policy.agents.config.local.log.file =/opt/web_agents/apache22_agent/Agent_006/logs/debug/amAgent
    com.sun.am.policy.agents.config.local.log.rotate = false
    com.sun.am.policy.agents.config.remote.log = amAuthLog.accessmanager.coreo.network.ctbc.80
    com.sun.am.log.level =
    com.sun.am.policy.am.username = amadmin
    com.sun.am.policy.am.password = fhfeUCQselvAndSuo17Pww==
    com.sun.am.sslcert.dir =
    com.sun.am.certdb.prefix =
    com.sun.am.trust_server_certs = true
    com.sun.am.notification.enable = false
    com.sun.am.notification.url=http://accessmaager.coreo.network.ctbc:80/UpdateAgentCacheServlet?shortcircuit=false
    com.sun.am.policy.am.url_comparison.case_ignore = true
    com.sun.am.policy.am.polling.interval=3
    com.sun.am.sso.polling.period=3
    com.sun.am.policy.am.userid.param=UserToken
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    com.sun.am.policy.agents.config.session.attribute.map=
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    com.sun.am.policy.agents.config.response.attribute.map=
    com.sun.am.load_balancer.enable = false
    com.sun.am.policy.agents.config.version=2.2
    com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
    com.sun.am.policy.agents.config.agenturi.prefix = http://accessmanager.coreo.network.ctbc:80/amagent
    com.sun.am.policy.agents.config.locale = en_US
    com.sun.am.policy.agents.config.instance.name = unused
    com.sun.am.policy.agents.config.do_sso_only = false
    com.sun.am.policy.agents.config.accessdenied.url =
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    com.sun.am.policy.agents.config.fqdn.default = accessmanager.coreo.network.ctbc
    com.sun.am.policy.agents.config.fqdn.map =
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    com.sun.am.policy.agents.config.cookie.reset.list=
    com.sun.am.policy.agents.config.cookie.domain.list=
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    com.sun.am.policy.agents.config.logout.url=
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    com.sun.am.policy.am.fetch_from_root_resource = true
    com.sun.am.policy.agents.config.get_client_host_name = true
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    com.sun.am.policy.agents.config.ignore_path_info = false
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port =
    com.sun.am.policy.agents.config.override_notification.url =
    com.sun.am.policy.agents.config.connection_timeout =
    com.sun.am.receive_timeout = 0
    com.sun.am.connect_timeout = 0
    com.sun.am.poll_primary_server = 5
    com.sun.am.tcp_nodelay.enable = false
    com.sun.am.policy.agents.config.encode_url_special_chars.enable = false
    com.sun.am.policy.agents.config.iis.filter_priority = HIGH
    com.sun.am.policy.agents.config.cdsso.enable=false
    com.sun.am.policy.agents.config.cdcservlet.url = http://accessmanager.coreo.network.ctbc:8080/opensso/cdcservlet
    Jonathan Costa Muniz.

    Hi joncmuniz,
    Are you managed to resolve this problem? I have the same.
    In logs i have such information:
    2008-10-08 16:48:02.471   Debug 23153:84d5368 all: Connection::initialize() calling NSS_Initialize() with directory = "" and prefix = ""
    2008-10-08 16:48:02.471   Debug 23153:84d5368 all: Connection::initialize() Connection timeout wen receiving data = 0 milliseconds
    2008-10-08 16:48:02.472   Error 23153:84d5368 all: Connection::initialize() unable to initialize SSL libraries: NSS_Initialize returned -8128
    2008-10-08 16:48:02.475   Error 23153:84d5368 all: initialization error: am_properties_load(com.sun.am.policy.agents.config.stopInInit) failed, error = NSPRerror (12): exiting...
    2008-10-08 16:48:02.475   Error 23153:84d5368 all: Process initialization failure:NSPR errorI think the problem is with certificates, but i can't point where.
    Can you help?

  • Cisco NAC policy sync

    I have a failover CAM configured, one is configured as the Master and the other one is receiver.
    when I do manual sync between them this is what happen:
    Successfuly completed pre-sync check with 10.10.80.248
    then I click continue it fails to sync:
    this is the log :
    *************** Master Log ***************
    Starting policy import/export on Policy Sync Master.
    Created dump file for policy: Device Management > Filters > Devices (all Access Types other than ROLE and CHECK)
    Created dump file for policy: User Management > User Roles > List of Roles/Schedule
    Created dump file for policy: Device Management > Clean Access > Clean Access Agent > Role-Requirements
    Created dump file for policy: Device Management > Filters > Devices (Access Type ROLE and CHECK only)
    Created dump file for policy: User Management > Traffic Control > IP
    Created dump file for policy: User Management > Traffic Control > Host
    Created dump file for policy: User Management > Traffic Control > Ethernet
    Dump file creation is complete.
    Created policy import/export dump file.
    No file available for policy sync as large object.
    Created  policy import/export header file.
    Created policy import/export tar file.
    *************** Receiver Log ***************
    Starting policy import on Policy Sync Receiver.
    Hash value is a match.
    Policy Sync Master and Receiver CAM versions match.
    The Policy Sync Reciever is not active, Please retry policy sync later.
    Failed to store all policies on Policy Sync Receiver.
    Receiver failed sync

    Hi,
    Please note that this feature is not meant to be used between 2 CAMs of an HA pair.
    As you can see on the config guide:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html#wp1050935,
    - All CAMs must run release 4.5 or later to enable Policy Sync.
    - On CAM HA-pairs, Policy Sync settings are disabled for the Standby CAM.
    So, this means you can use this feature only in active CAMs or Standalone CAMs.
    In HA pairs, Only the Active CAM will be active for this feature.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Question about cisco nac agent

    When I deploy Cisco NAC appliance, the main different between using cisco nac appliance with or without agent? I see Cisco NAC agent has two function: scan and remediation. If Cisco NAC appliance without agent, Cisco NAC server will scan device and remediation. That is right?
    Please answer me early. Thank you for your answer.

    Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
    3) There are configuration steps for many of the plug-ins
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
    Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

  • Cisco Nac Agent Requirement type Audit

    Hi experts,
    i can configure a requirement type as audit (opposed to mandatory or optional), so the client will still access the network, the user will not be notified, and the information will be sent to the cas.
    It is possibile to generate an email or similar automated process to notify administrators on these audits?
    (version in use 4.7.2)
    Thanks
    Andrea

    Hi Andrea,
    In 4.7.2 there wasn't much you could do within the CAM itself - really you could just export them from the GUI into a spreadsheet and analyze based on that.
    The CAM does have an API however that would allow you to export reports via scripting interfaces and give you all that information which you could then manipulate. You can access the CAM API documentation by browsing to:
    https:///admin/api/cisco_api_doc.jsp
    (The "getreports" function is likely what you would want to look into).
    In version 4.8 and later there was a new "Reporting" section of the GUI that you can see more details about passed and failed requirements:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_report.html#wp1495842
    Thanks,
    Nate

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
    My Cisco NAC Agent  (version 4.9.1.682) doesn't work since I upgraded my Mac OS X  4 months ago, This happens every time with CISCO and MAC when there is a new update and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login in details even though there are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released - Its getting really frustrating?

    I figured out a solution that works you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this :
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

Maybe you are looking for