Clean Access License issue

Hello,
I'm implementing a Cisco Clean Access solution (Out-of-band VG). I've entered the license in the CAM after getting it from Cisco by entering the PAK number.
The problem is that I don't see the Switch Management tab in the menu; also, when I want to add a CAS server there is no way to specify the Out-of-band option, there is only Inband and VG.
The problem is resolved temporarily by entering a 30-day license.
Is it a license problem?
How can I resolve this issue?
Thanks.

The switch management will show when you add a CAS license for OOB to your CAM. Without a CAS license the switch management tabs don't get displayed.
You should have a separate PAK that came with the CAS. Use that PAK and the eth0 MAC address of your manager (NOT your server) to get the CAS license, upload that to your CAM and it should work fine.

Similar Messages

  • NAC Clean Access Agent Issue

    Hi,
    Can anyone tell me how I can have my users download the Clean Access Agent? I have uploaded the agent to my CAM, but I'm confused: should my user use the web agent first and then download the agent over the network, or can he download the Clean Access Agent directly?

    Unlike the Clean Access Agent, the Cisco NAC Web Agent is not a "persistent" entity, thus it only exists on the client machine long enough to accommodate a single user session. Instead of downloading and installing an Agent application, once the user opens a browser window, logs in to the NAC Appliance web login page, and chooses to launch the temporal Cisco NAC Web Agent, an ActiveX control or Java applet (you specify the preferred method using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration page) initiates a self-extracting Agent Stub installer on the client machine to install Agent files in a client's temporary directory, perform posture assessment/scan the system to ensure security compliance, and report compliance status back to the NAC Appliance system. During this period, the user is granted access only to the Temporary Role and if the client machine is not compliant for one or more reasons, the user is informed of the issues preventing network access and may do one of the following as mentioned in the below URL:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_cca.html#wp1130212

  • Clean Access Agent Windows XP permission/Rights Issue

    Hi,
    I have a problem with Clean Access Agent.
    When a domain user installs the agent on the computer, only that user is able to login into the network using the CCAgent. Any other user who tries to login in on the same machine gets an error. In short, only the DOMAIN USER who installed the agent authenticates without a problem (or a user with administrative rights)
    The error that the second user gets is the same as the one here;
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddf8b7d
    I am not sure if this problem is related to this one;
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.1ddfc848
    Anybody with ideas?
    Edd

    One quick fix could be to try restarting the HTTPD services. Although there should be no conflict if you install CSA and CCA, you can uninstall CSA and check whether other users are able to log in on the same machine.

  • How To Migrate Cisco Clean Access to Cisco ISE

    We have a Cisco Clean Access 3.6.3 (3140 Appliance) which we would love to migrate to Cisco ISE 1.1 (3315 Appliance). Does anyone have an idea on how to do this?
    I was wondering if I need to upgrade to a later version of Cisco Clean Access and then back up the CCA, and then restore/import the backup to the ISE.
    Any help will be greatly appreciated.
    Thanks.

    Hi Mate,
    Refer to below instructions for hosting licenses on ISRs:
    http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001047
    Rehosting a License
    Prerequisites:
    • Valid Cisco.com account (username/password)
    • Retrieve Product Id and Serial Number with either the IOS "show license udi" command or label tray from both the source and destination devices.
    • Retrieve Source Device Credentials by issuing the following IOS commands in exec mode:
    – license save credential flash0:CredentialFileName
    – more flash0:CredentialFileName
    • The source device has rehostable licenses.
    Rehosting a License with Cisco's Licensing Portal
    This process can be used when the source and the destination device cannot communicate directly with Cisco licensing portal
    Summary Steps:
    1. Obtain UDI and device credentials from the source and destination devices using IOS CLI commands
    2. Contact the Product License Registration page on Cisco.com and enter the source Device Credentials and UDI into the license transfer portal tool.
    3. The portal will display licenses that can be transferred from the source device.
    4. Select the licenses that need to be transferred. A permission ticket is issued. You can use this permission ticket to start the rehost process using Cisco IOS commands.
    5. Apply the permissions ticket to the source device using the license revoke command. The source device will then provide a rehost ticket indicating proof of revocation. A sixty day grace period license is also installed on the device to allow enough time to transfer the licenses to destination device.
    6. Enter the rehost ticket into the license transfer portal tool on Cisco.com along with destination device UDI.
    7. Receive the license key via E-mail
    8. Install the license key on the destination device.
    You can also email [email protected] for any further help.
    -Terry
    Please rate all helpful posts

  • Please clarify the following license issue

    Hello
    Please clarify the following license issue
    Oracle 10g se license requirement while using a power 6 P520 machine with 2-core 4.2 GHz processor card,4 memory DIMM slots. Are we entitled for paying for one oracle 10g SE license?
    many thanks in advance

    When you read through that thread, did you see where I linked to and quoted the licensing definitions?
    Processor: shall be defined as all processors where the Oracle programs are installed and/or running. Programs licensed on a processor basis may be accessed by your internal users (including agents and contractors) and by your third party users. For the purpose of counting the number of processors which require licensing for a Sun UltraSPARC T1 processor with 4, 6 or 8 cores at 1.0 gigahertz or 8 cores at 1.2 gigahertz for only those servers specified on the Sun Server Table which can be accessed at http://oracle.com/contracts , “n” cores shall be determined by multiplying the total number of cores by a factor of .25. For the purposes of counting the number of processors which require licensing for AMD and Intel multicore chips, “n” cores shall be determined by multiplying the total number of cores by a factor of .50. For the purposes of counting the number of processors which require licensing for all hardware platforms not otherwise specified in this section, a multicore chip with "n" cores shall be determined by multiplying "n" cores by a factor of .75. All cores on all multicore chips for each licensed program for each factor listed below are to be aggregated before multiplying by the appropriate factor and all fractions of a number are to be rounded up to the next whole number. When licensing Oracle programs with Standard Edition One or Standard Edition in the product name, a processor is counted equivalent to a socket.
    It appears that you fall under the "not otherwise specified" category because you're not dealing with an UltraSPARC T1 (multiplier 0.25) or an AMD/ Intel chip (multiplier 0.5) so your multiplier would be 0.75.
    0.75 * 2 cores = 1.5 processors which would have to be rounded up to 2 processors. If you had 4 total cores, you would only need a 3 processor license.
    Justin

  • Clean access rules and Windows service pack 3

    I am having a small issue with our Clean Access Manager blocking any Windows XP computer that has service pack 3 installed. The main failure it is giving in the reports is this
    Failed Checks:
    pc_Windows-XP-SP2, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2]
    pc_Windows-XP-SP1, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 1]
    The key that is there when sp3 is installed is this:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 3
    I have verified that pc_Windows-XP-SP1 and pc_Windows-XP-SP2 are there, as well as created a check for service pack 3, eric_pc_Windows-XP-SP3, and added the check to the rules governing Windows updates for XP Pro/Home and Windows Media Edition. But for some reason they are not taking effect. The CAM is running version 4.1.3.1 and the CAA is version 4.1.3.2. Any assistance would be greatly appreciated.
    Thank you,
    Eric

    Here is the configuration guide for the Clean Access Manager which will help you :
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_instal.html

  • Help with Clean Access Architecture

    Hello All,
    I wanted to engage some of the NetPros out there about designing our Clean Access architecture. We purchased 4 3140s (2 x CAMs w/ FO, 2 x CASs w/ FO). The goal is to use Clean Access to validate select areas of our head quarters, along with validate users in a remote location.
    The HQ part of the design I can understand without issue. It's when we begin to deal with the remote office that I become uncertain about the design. The remote office is MPLS connected to HQ (L3 multi-hop). We want users in the remote office to also be L2 authenticated to the Clean Access cluster at HQ. Across MPLS this does not appear to be straightforward. We'd like to do a L2 deployment, but from what I've read this will require using L2TPv3 at the remote office to "tunnel" the VLANs from HQ to remote and vice-versa. My fear is that now the default gateway for the remote clients is the HQ Clean Access cluster. Therefore... all traffic will be "switched" across their WAN link. This becomes an issue as the remote office has local Windows domain controllers for faster file access on another VLAN... and in this scenario it sounds like the workstations would have to travel across the L2TPv3 tunnel to HQ to just have to go back across the tunnel to the remote office for file access. Sounds slow!
    Does anyone have recommendations as to how to design this centralized, L2, OOB architecture? In my mind I would want the clients attempting authentication to the switch... switch forward to the CAS... CAS validates posture and passes down necessary VLAN to switch. All VLAN'ing and switching is kept remote. We operate all 3750 switches... so our infrastructure can work with NAC. Sorry for the long post, just wanted to try to explain the requirements. Thanks for the help.
    -Mike
    http://cs-mars.blogspot.com

    Hi Mike -
    Very good questions. You definitely do not need the L2TPv3 across the WAN to control the ports at the remote site.
    The CASs can be deployed L2 In-Band (IB), L3 In-Band (IB), L2 Out-of-Band (OOB) or L3 Out-of-Band (OOB).
    L3 OOB can be used to control the switches at the remote sites. A 2nd vlan is required for the remote site to serve as the authentication vlan. All ports start off on this Auth Vlan when a user plugs in.
    The user receives an IP Address on this Auth Vlan and the local L3 device is the GWY. The L3 device should have ACLs to protect the rest of the network from this Auth Vlan. The only permit entries in the ACL should let the users get to CAS and the remediation servers. Using a network like 192.168.x.x and varying the 3rd octet on a per-site basis simplifies the ACLs if you are using the 10.x.x.x as your internal addressing. The ACLs should be placed on all the MPLS routers to protect the production network from the Auth network.
    Once the user proves trustworthy, the Clean Access changes the vlan on the switch to the production/normal vlan and the user has complete access as before.
    CASs can be either one of the 4 roles (L2 IB, L3 IB, L2 OOB, L3 OOB) when they are added to the CAM.
    If you plan to use L2 OOB for your HQ and L3 OOB for the remotes, you may need to add 1 more CAS pair to your architecture.
    We have some great diagrams that the Clean Access product team have put together that will illustrate this architecture to you.
    Your local SE / CSE should be able to provide this to you.
    Let us know if you have any follow up questions.
    Hope this helps.
    peter
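
A check for the rule stated in the reply above, that the only permit entries in the Auth VLAN ACL should reach the CAS and the remediation servers, added here as an example and not part of the original thread. The addresses, ACL name and function names are constructed assumptions, and the parser handles only the `any`, `host` and address/wildcard forms of IOS extended ACL entries.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
AUTH_NET = ipaddress.ip_network("192.168.10.0/24")   # remote-site Auth VLAN
ALLOWED_DSTS = [
    ipaddress.ip_network("10.1.1.10/32"),            # CAS
    ipaddress.ip_network("10.1.2.20/32"),            # remediation server
]
# Port operators that may follow the source address, with the token count to skip.
PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}

GOOD_ACL = """\
ip access-list extended AUTH-VLAN-IN
 remark constructed example
 permit ip 192.168.10.0 0.0.0.255 host 10.1.1.10
 permit tcp 192.168.10.0 0.0.0.255 host 10.1.2.20 eq 443
 deny ip any any log
""".splitlines()

BAD_ACL = """\
ip access-list extended AUTH-VLAN-IN
 permit ip 192.168.10.0 0.0.0.255 host 10.1.1.10
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit tcp any host 10.1.2.20 eq 443
""".splitlines()


def _take_addr(tok, i):
    """Parse an IOS address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # "address wildcard": invert the wildcard bits to get the netmask.
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
    return ipaddress.ip_network(f"{tok[i]}/{netmask}", strict=False), i + 2


def audit_acl(lines, auth_net=AUTH_NET, allowed=ALLOWED_DSTS):
    """Return (rule, reason) for every permit entry that is too broad.

    Deny entries, remarks and the ACL header are ignored; IOS ends every
    ACL with an implicit deny, so only the permits widen access.
    """
    findings = []
    for line in lines:
        tok = line.split()
        if not tok or tok[0] != "permit":
            continue
        src, i = _take_addr(tok, 2)          # tok[1] is the protocol
        if i < len(tok) and tok[i] in PORT_OPS:
            i += PORT_OPS[tok[i]]            # skip a source-port match
        dst, _ = _take_addr(tok, i)
        rule = " ".join(tok)
        if not src.subnet_of(auth_net):
            findings.append((rule, "source is wider than the Auth VLAN"))
        if not any(dst.subnet_of(a) for a in allowed):
            findings.append(
                (rule, "destination is not the CAS or a remediation server"))
    return findings


if __name__ == "__main__":
    for name, acl in (("GOOD_ACL", GOOD_ACL), ("BAD_ACL", BAD_ACL)):
        print(name, audit_acl(acl) or "ok")
```

Any other service the Auth VLAN needs to reach has to be added to `ALLOWED_DSTS` deliberately, which keeps the exception list visible in one place.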

  • Licensing issue by using Applications AC and PC

    Hi,
    The SAP GRC 10.0 solution comes as bundled solution for AC, PC and RM. While downloading the SAP GRC 10.0 all the three components are downloaded but in a dormant state.
    With the release of GRC 10.0, Access Control and Process Control are offered as an integrated solution, both at the data layer and at the user interface layer. This new unified platform enables increased harmonization of key master data.
    GRC 10.0 is a harmonized platform. Although maintenance of data within AC and PC is similar in 10.0 as it was in previous releases, there are some key differences. The following master data is shared between AC and PC for the release 10.0 integration scenario.
    • Organizations
    • Business Processes
    • Business Subprocesses
    • Controls
    SAP GRC System Add-ons:
    Access Control, Process Control and Risk Management are contained in one ABAP add-on “GRCFND_A”
    SAP Backend System Plug-ins:
    A. GRCPINW: NW Function Modules hold the AC functions for ERP systems without HR (former non-HR RTA)
    B. GRCPIERP: PC relevant features are contained in the plug-in GRCPIERP, for example, for running automated controls and the HR relevant functions for AC (former HR RTA)
    There are multiple activation points for AC, PC and RM:
    • SAP GRC SPRO -> activate the Application. However
    • When we go for the Plug-ins (GRCPIERP) installation in backend systems with HR function module it also brings in the PC relevant features.
    • Mitigating Control definition based on Organizations
    I had activated the Application AC and PC for some time assuming that PC is required to create the Mitigation Control and Organizations. However I just realized that Mitigating Control and Organization can be created even without Activating PC, which does nothing but removes the additional features of PC.
    My Query:
    • Kindly let me know if I can still use PC to create and assign Mitigating Control as a shared resource for AC and PC or I have violated Licensing issue by using Applications AC and PC when I am supposed to use just Access Control.
    • How is shared resources in SAP GRC 10 dealt in terms of Licensing of Applications in SAP GRC 10.
    Thanking you in advance.

    all the new pc's we've purchased for a time now, don't have a Win7 CoA product key attached, even though they come with Win7 downgrade rights, so your strategy to use the CoA pkeys for the Win7 install on the new machines might be flawed.
    We don't buy HP, and I'm in Australia, so I'm not sure if this will be the same for you.
    Also, the OEM image that you would use to re-deploy/re-image with, may need to be different for varying models (OEMs might include different drivers, or other checks or blockers, in their image and OOBE scripts), and, the embedded OEM "master" product key/certificate could vary (or not align) across model types/generations.
    Ours do have the SLIC table in firmware and the OA markers, and we use VL Win7 Enterprise anyway, so our 40,000 machine fleet means VL and Software Assurance as a part of our EA + Select is an (expensive) no-brainer really.
    The other thought I have for you, is the re-imaging rights that are bestowed when you have a VL agreement (and therefore, are not bestowed if you don't have one). Because we do have a VL agreement, I've never dived into how it might be worked if we didn't have VL.
    http://www.microsoft.com/licensing/about-licensing/briefs/reimaging.aspx
    http://www.microsoft.com/licensing/about-licensing/briefs/downgrade-rights.aspx
    If you do look at a VL agreement, I'm told they start from as few as 5 machines. And, if you purchase new pc's, you have the option to enrol the new pc's into Software Assurance within 90 days of purchase, which I imagine would save you some cost, compared to attaching SA to them at a later time, presumably requiring you to pay full ticket price for that.
    I'd recommend you get some advice from an MS reseller, even if only to work out what the various options/costs might be.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • The number of client access licenses may be reset to five in Windows Small Business Server 2003

    Ran into an issue on the server after the power loss.
    My Client Access Licenses were reset to 5 with Maximum usage of 12. I have about 25 PC's and Server also hosts exchange, which now prevents users from accessing OWA and local profiles. After digging around and reading logs, I eliminated issue to the licensing.
    All the steps described in the  Article ID: 888818 do not work, since the licenses were never backed up in the first place. Resetting, did not help either, since it's looking for a file, we don't have.
    Additionally, the auto-populated solutions, were already tried with no success. 
    Please let me know if there is a way to restore licensing via original license key, provided on the machine, or I have to purchase it.
    Thank you for your time.
    The number of client access licenses may be reset to five in Windows Small Business Server 2003

    Any help here?  (especially the autolicstr.cpa file)
    Small Business Server 2003 - The Dreaded 5 CAL Reset Issue
    http://blog.chrisara.com.au/2006/09/small-business-server-2003-dreaded-5.html
    Merv Porter

  • Windows 2008 R2 RDS Licensing Issue

    I have a Citrix Presentation Server 4.5 farm (with all of the application servers running Windows 2003) and I have just migrated from using a Windows 2003 server for the terminal services licensing to a Windows 2008 R2 RDS server for the licensing. We have a number of thin-clients that connect to the Citrix farm and provide a kiosk for users. We have 85 per device licenses however we are only using 15 of those licenses (plans were made but never implemented to use the rest), so we have 70 available licenses. The licenses are configured per device and as Windows Server 2003 licenses.
    After the migration to 2008 R2, the thin-clients connected to the new licensing server without any trouble at all. As I monitored the licenses on the new server, each thin-client was given a temporary license first and then at the next connection they got a permanent license. All of this I have been able to confirm through the event logs on the server.
    However, what I get in the event logs of the new 2008 R2 licensing server is an event with event ID 21 that says:
    The Remote Desktop license server "ServerName" does not have any remaining permanent Remote Desktop Services client access licenses (RDS CALs) of the type "Windows Server 2003 - TS Per Device CAL". As a result, the Remote Desktop license server cannot issue RDS CALs of the type "Windows Server 2003 - TS Per Device CAL" to the Remote Desktop Session Host server "vvv.xxx.yyy.zzz". To resolve this problem, verify that the Remote Desktop licensing mode configured on the RD Session Host server matches the type of RDS CALs installed on the Remote Desktop license server. If required, purchase and install additional RDS CALs as needed for this Remote Desktop license server.
    (Note I have removed the server name and IP address due to company policy.) I have confirmed that every server in my Citrix farm has its terminal services configuration set for "per device" licensing and I have also specified the name of the 2008 R2 server rather than allow the servers to automatically find the licensing server. I have confirmed that my 2008 R2 server is configured for "per device" licensing.
    The IP addresses I have seen in the event log messages are the IP addresses of a Citrix server rather than one of the thin-clients, and so far every Citrix server we have has appeared in one of these event log messages. I have been able to determine that this event does not occur when a thin-client is connecting up nor does this event occur when I remotely log into the server.
    As I noted above we only have 15 thin-clients using the 85 licenses so we have 70 available licenses for the Citrix servers so why are we out of licenses? What is this message trying to tell me?
    Thanks
    Brent

    Hi Brent,
    According to the Event ID 21, I think you might have license connection issues with RDS CALs. I suggest you analyze some related services and make sure your network is without any misconfiguration.
    Hopefully, there is an article that describes how to troubleshoot this license issue on the terminal server.
    Event ID 21 — Terminal Services Client Access License (TS CAL)
    http://technet.microsoft.com/en-US/library/A98D84AC-B824-4F00-BF58-3CFF23493BF9.aspx
    By the way, the Windows Server 2003 license does not support assigning CALs to allow users to access Windows Server 2008. You should buy a new Windows Server 2008 license to meet the requirement above if necessary.
    Hope this helps.

  • Adobe Error 150:30    Its a licensing issue I guess...how do I fix this?

    I just transferred CS4 onto my new Mac but it's telling me there is an "Error 150:30". It's a licensing issue I guess... how do I fix this so I can use the program on my new Mac? Is it even possible to fix? I don't think I have the physical software anymore, it's been so long since I have had this program!

    Klizb, this often occurs when Adobe Creative applications are copied/transferred/migrated to a different computer. Please make sure to run any available uninstallers followed by the use of the CC Cleaner Tool to attempt to recover from the transfer process. You can find details on how to use the CC Cleaner Tool at Use the CC Cleaner Tool to solve installation problems | CC, CS3-CS6.
    If you need to download a fresh copy of the retail installation files they are available at Download CS4 products.

  • Smartcard authentication for Clean Access SSO

    Is anyone doing smartcard authentication into clean access via SSO? I have an issue where the UPN is not the username and the domain suffix is different from the AD domain so the agent is appending  @domain.com to the $user$ variable and so it is failing to authenticate.

    Did you run KTPASS correctly?
    I had the same problem (a very undocumented 'feature', I would say): the KTPASS command must be run slightly differently when running against a DC, versus running it against an AD Domain.
    For Domain Authentication:
    ktpass.exe -princ cleanaccess/domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
    For AD Server Authentication:
    ktpass.exe -princ cleanaccess/SERVERNAME.domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
    NOTE: SERVERNAME needs to be exactly as indicated under My Computer > Properties (i.e., correct UPPERCASE and lowercase letters in the right places).
    Another thing to look out for is the cleanaccess AD account you have created: make sure that the display name matches the account name, and do not specify anything for the Firstname, Lastname fields. This seems to break things and gets the authentication to fail for some reason.
    Oh, and if you have set up the account at first for DC Server Authentication, delete it and recreate it for the AD Domain Authentication, because that breaks it too, when you run the KTPASS.EXE again.
    Another thing: try using ADSSO without the lookup account configured to see that the machine authenticates first, then add the Lookup Account; maybe the problem lies there.
    Hope this helps.

  • MAC Clean Access Agent - Temp Certificate

    Trying to get a Mac OS X client working with Clean Access. Got the agent loaded, however every time we try to authenticate it prompts with an error about communication issues and says that if we are using a temporary certificate (which we are) we need to add the certificate file to Keychains. We've added the certificates, however we still cannot log on. A Windows client logs in no problem. Any ideas?

    jvr775 - Yeah, that is what we thought the original problem was, so we regenerated all the self-signed certs to use FQDNs based on the DNS records. All devices are pointing to the same DNS server and everything resolves names to IP and IP to names correctly. I've uploaded the error message that we are getting from the Mac client. In addition we've added the new certs to the Mac's X509Anchors Keychains and still no luck.

  • Cisco Clean Access Agent patch?

    I just upgraded to Snow Leopard today without realizing that my campus uses Cisco's Clean Access Agent to allow access to the network. Every time I try to log in it tells me "Agent user operator system not supported." It is version 4.6.0.3. I realize now that this is not a campus problem, but more likely a program problem. Is there any word on a way around this or a patch in the near future?
    Thanks.

    The same issue occurred on my campus. Cisco claims they will fix the problem between 3 and 90 days.

  • CISCO CLEAN ACCESS AGENT ALWAYS POPS-UP EVEN ALREADY AUTHENTICATED

    Hello,
    Just wondering why the Clean Access Agent always pops up even when already authenticated. Please, how can I eliminate those multiple pop-ups?
    thank you and best regards,
    Edwin

    Hi:
    I have the same issue. Would you please tell me what you did exactly?
    I am using OOB VGW mode.
    NAC version is 4.7.2
    Switch configurations:
    snmp-server community RO RO
    snmp-server community RW RW
    snmp-server location LOCATION
    snmp-server contact CONTACT
    snmp-server enable traps snmp linkdown linkup
    snmp-server enable traps mac-notification change move threshold
    snmp-server host CAM_IP version 2c RW  mac-notification snmp
    mac address-table notification change interval 0
    mac address-table notification change
    mac address-table aging-time 3600
