Clean Access and MSE 2.x

We have lots of users on MSE and a new version was recently released (mid-December)...and since it's a new version Cisco NAC doesn't know anything about it. Have there been any updates released so the server/agent will recognize MSE 2.x? Anyone know how to make it recognize MSE 2.x?
-Mike

Hi Mike,
just to be clear, by MSE you mean Microsoft Security Essentials?
If this is the case, then this AV is not yet recognized by the compliance module:
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/WinAV-AS-vers85.pdf
This enhancement is tracked under bug CSCtl11604:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl11604
For the time being you may create a custom check and rule as described in the bug workaround:
Create a custom check and rule and tie this to the current AV Installation requirement.
The check can be of type File Check for the following file to exist:
SYSTEM_PROGRAMS\Microsoft Security Client\CleanUpPolicy.xml
I hope this helps!
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Similar Messages

  • Confusion on Cisco clean access and Cisco NAC

    Dear Pros,
    I am still confused by the name mismatch as above. Please, can anyone give me the correct NAC part number for both server and manager?
    swamy

    Cisco Clean Access and NAC are the same.
    NAC is just the new naming.
    You can have NAC installed in two ways, Framework or Appliance mode.
    I think Framework is not available anymore (I may be wrong).
    If you go with the appliance, you'll need a minimum of two. 1 for the CAM (Clean Access Manager) which manages the policies and 1 for the CAS (Clean Access Server) that is the "filter" between your authentication lan and your prod network.
    Dominic

  • Clean Access and Windows 2003 Server

    I am trying to install the Clean Access Client on a VM running Windows 2003 Server. When I connect to our customer's network the VPN client appears to connect properly and I see the Clean Access window. Then it all seems to fall over. My customer tells me I should see a blue window with a red OK button on it but I never see it. As a result I never get completely into the network. Is this because I am running this on Windows 2003 Server or should I be looking at something else? Can this run in a Virtual Environment and on 2003 Server?

    I worked it out partially by myself:
    1)
    (excuse me, I meant "kinit and Krb5LoginModule" not "kinit and kinit.exe").
    Krb5LoginModule seems to work now (with TCP). The output is:
    KRBError:sTime is Tue Jun 01 17:13:51 CEST 2004 1086102831000
    suSec is 945761
    error code is 52
    error Message is Response too big for UDP, retry with TCP
    realm is SSOTEST.RTC.CH
    sname is krbtgt/SSOTEST.RTC.CH
    KrbKdcReq send: kdc=rtcnt978.ssotest.rtc.ch TCP:88, timeout=30000, number of retries =3, #bytes=232
    DEBUG: TCPClient reading 1496 bytes
    KrbKdcReq send: #bytes read=1496
    KrbKdcReq send: #bytes read=1496
    EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    KrbAsRep cons in KrbAsReq.getReply sso_testuserCommit Succeeded
    Which is what I want (it tries first with UDP, then the KDC says the TGT is too big for UDP and the client tries again with TCP)
    2)
    I still have the error :-(

  • Clean Access and satellite internet

    We have NAC 4.1.6 enabled for our IPSec VPN client users, and have at least one user coming in from a HughesNet satellite Internet connection. When he connects via HughesNet, the VPN connection works fine but the NAC agent will not run and check his machine. However, when he uses any other type of Internet connection (including a Verizon aircard), NAC works properly.
    Has anyone experienced this, and is there a fix or workaround? He's running the 4.1.6 Windows agent. Thanks.

    Try connecting the console directly to the router which is connected to the internet and check if it works. If it works then you will only have to change the MTU size on the ASA. Another option will be to have the console connect directly to the internet bypassing the CCA.

  • Windows 7 and Clean Access

    Since Microsoft is saying that Windows 7 will be out for the Holiday season, I'm wondering when Cisco will have Clean Access ready to fully support Windows 7.
    We will end up with lots of students coming back to campus with brand new computers running Windows 7 and expecting them to work.
    Has anyone heard anything about Clean Access support for Windows 7?

    Yes, I know it doesn't support it (yet), but I wanted to get the discussion started now.
    I haven't heard anything from Cisco regarding Clean Access and Windows 7 and I really don't want students/users showing up after the holiday season with Windows 7 computers that "don't work because Clean Access doesn't support Windows 7, yet". That's my fear anyway...
    Mike

  • How To Migrate Cisco Clean Access to Cisco ISE

    We have a Cisco Clean Access 3.6.3 (3140 Appliance) which we would love to migrate to Cisco ISE 1.1 (3315 Appliance). Does anyone have an idea on how to do this?
    I was wondering if I need to upgrade to a later version of Cisco Clean Access and then back up the CCA. Back up the CCA and then restore/import the backup to the ISE.
    Any help will be greatly appreciated.
    Thanks.

    Hi Mate,
    Refer to below instructions for hosting licenses on ISRs:
    http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001047
    Rehosting a License
    Prerequisites:
    • Valid Cisco.com account (username/password)
    • Retrieve Product Id and Serial Number with either the IOS "show license udi" command or label tray from both the source and destination devices.
    • Retrieve Source Device Credentials by issuing the following IOS commands in exec mode:
    – license save credential flash0:CredentialFileName
    – more flash0:CredentialFileName
    • The source device has rehostable licenses.
    Rehosting a License with Cisco's Licensing Portal
    This process can be used when the source and the destination device cannot communicate directly with Cisco licensing portal
    Summary Steps:
    1. Obtain UDI and device credentials from the source and destination devices using IOS CLI commands
    2. Contact the Product License Registration page on Cisco.com and enter the source Device Credentials and UDI into the license transfer portal tool.
    3. The portal will display licenses that can be transferred from the source device.
    4. Select the licenses that need to be transferred. A permission ticket is issued. You can use this permission ticket to start the rehost process using Cisco IOS commands.
    5. Apply the permissions ticket to the source device using the license revoke command. The source device will then provide a rehost ticket indicating proof of revocation. A sixty day grace period license is also installed on the device to allow enough time to transfer the licenses to destination device.
    6. Enter the rehost ticket into the license transfer portal tool on Cisco.com along with destination device UDI.
    7. Receive the license key via E-mail
    8. Install the license key on the destination device.
    You can also email [email protected] for any further help.
    -Terry
    Please rate all helpful posts

  • Clean Access AV Version Updates

    I manage Clean Access on a small college network. We allow several different AV products. One of the most popular is AVG because it's small, fast, unobtrusive, and free.
    AVG recently released v8, but Clean Access won't recognize it and there is no option to allow v8 in my AV rule list.
    My general question is for Cisco:
    What kind of communication do you maintain with AV vendors so that the Clean Access list is kept up-to-date with current AV product versions?
    This is especially troublesome with users who have purchased AV products such as Norton 360, McAfee, etc. Upgrades for these products come out, but are not supported by Clean Access and I have to tell users to either go back to the previous version, or uninstall their current product and use a free one like AVG.
    Am I missing something, or is this a problem for other Clean Access admins out there, too?
    -Mike

    I spoke with Cisco support about this last week. 4.1.3.2 will recognize the program, but the definition files are NOT supported (in AVG 8, Free edition).
    According to the tech, AVG 8.0 (both Free and Pay versions) will be fully supported in the big software release at the end of this month (is it out yet?).
    In the meantime, he helped me create a custom rule to check for the application and the definitions.
    Since we did this it has been working fine. With both 4.1.3.1 and 4.1.3.2.
    I'm swamped right now, but if I get some free time I'll try to post what we did (doubt it will be this week).
    Chris

  • Please...help me on the communicating between CLEAN ACCESS MANAGER and Switch 3560E-24Ps by snmp

    Dear All,
    I tried to configure both Clean Access Manager and Switch 3560E-24Ps for the SNMP Version 2 protocol but I can't make them work together (for CAM and Switch 3560G-48Ps I can do that). Please give me any suggestion to solve that problem. All configuration is as below:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

  • Clean access rules and Windows service pack 3

    I am having a small issue with our Clean Access Manager blocking any Windows XP computer that has service pack 3 installed. The main failure it is giving in the reports is this
    Failed Checks:
    pc_Windows-XP-SP2, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2]
    pc_Windows-XP-SP1, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 1]
    The key that is there when sp3 is installed is this:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 3
    I have verified that pc_Windows-XP-SP1 and pc_Windows-XP-SP2 are there as well as created a check for service pack 3 eric_pc_Windows-XP-SP3 and added the check to the rules governing windows updates for XP pro/home and windows media edition. But for some reason they are not taking effect. The CAM is running version 4.1.3.1 and the CAA is version 4.1.3.2. Any assistance would be greatly appreciated.
    Thank you,
    Eric

    Here is the configuration guide for the Clean Access Manager which will help you :
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_instal.html

  • Problem with Clean Access Agent and Windows Updater

    I have a problem with a laptop when using Cisco Clean Access Agent. The agent keeps directing the laptop to get updates from the Windows Update site, but when I have connected the laptop via cable, Windows Update tells me there are no updates, either essential or optional. The laptop is a Sony VAIO VGN-FJ270 running XP Home Edition SP2 and the Clean Access Agent is version 4.0.2.1
    Any help is appreciated!!

    Verify the allowed hosts in CCA agent.
    Try these links:
    http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
    http://www.cisco.com/en/US/products/ps6128/products_qanda_item09186a00803b7a81.shtml

  • 802.1x (DOT1x) and Cisco Clean Access 3140

    Hi,
    We have about 300 remote sites and would like to implement an authentication mechanism to authenticate end-devices (Windows PCs) before allowing access to the network. We thought we could implement DOT1x on our Cisco 2960, 3750 and 4500 series switches and send the "PC-switch" access requests to our centrally located Cisco Clean Access 3140 NAC servers -back at the HQ sites. We understand the NAC servers will be used to authenticate (among other things) the end users' workstations to ensure each workstation is a company owned PC and all the security parameters are installed and up to date. -RIGHT?
    Can the Cisco Clean Access 3140 server perform the Authentication security checks from the 802.1x (DOT1x) enabled switches?
    Does the Cisco Clean Access 3140 server have to be inline (on the users subnet) and/or be centrally located?
    Is the Cisco Clean Access 3140 still usable?
    Thanks
    Frank

    Unfortunately, because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the number of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
    What are you using for a RADIUS server?

  • Clean access agent keep on running again and again

    Added some registry checks in NAC 4.5; after that the Clean Access Agent keeps on running again and again on the client (looping)
    Thanks

    Philip,
    Windows 7 wasn't supported with CCA till 4.7.x and agents also have to be 4.7.x
    Best approach would be to get to a supported version and then if that doesn't work we can work with you to see what might be causing this.
    HTH,
    Faisal

  • Clean access server and wireless users

    Hi,
    The AP has several vlans (employee, guest). There is a trunk up to the switch and all l3 vlan interfaces are created on the switch.
    I would like to add a clean access server.
    1) Besides the configuration of the clean access server, do I just need to move the l3 vlan interface from the switch to the clean access server untrusted interface?
    2) Is the ip address of the trusted interface on the clean access server a trunk too?
    Thank you,
    Best regards,
    Pascal

    I think yes. The ip address of the trusted interface on the clean access server needs to be configured as a trunk too. This is to the best of my knowledge.

  • Trouble with Leopard and Clean Access Agent

    I just got Leopard yesterday. I loaded it to my computer and all went well. Except when I tried to get on the internet (on my college campus that requires Cisco Clean Access) it wouldn't let me. I realize this is a third party software problem, but I was wondering if anyone else is dealing with this and had found a way around it.

    It's the same situation at my school (OSWEGO STATE); after a long heated discussion with the CTS department I still had no answer.
    However, this morning I was notified that Cisco is in no rush to update and may, if we're lucky, update by the end of November.
    I've decided to try and run a cable modem through my TV service; my CTS on campus has just screwed over Mac users for the past few years, and they have no motivation to stop and help us out.

  • Checkpoint SecureRemote and Clean Access solution

    I am trying to implement the Clean Access solution (NAC In-Band Real-IP) with Checkpoint SecureRemote VPN clients and wondering whether it is possible to setup single-sign-on? If yes, can I use VPNSSO or do I need to configure ADSSO?
    Thanks for your time and help.

    Please open a TAC case for a timely response on code versions and matrix compatibility. We did not use clean access in our PCI Solution for Retail so I do not have a reference for you.
