Clean access server and wireless users

Hi,
The AP has several VLANs (employee, guest). There is a trunk up to the switch, and all L3 VLAN interfaces are created on the switch.
I would like to add a Clean Access Server.
1) Besides the configuration of the Clean Access Server, do I just need to move the L3 VLAN interface from the switch to the Clean Access Server's untrusted interface?
2) Is the IP address of the trusted interface on the Clean Access Server a trunk too?
Thank you,
Best regards,
Pascal

I think yes. The IP address of the trusted interface on the Clean Access Server needs to be configured as a trunk too. This is to the best of my knowledge.

Similar Messages

  • Invalid Clean Access Server

    We are seeing these messages in our CAM logs:
    "Unable to add user to Clean Access Server <CAS IP>, [00:00:00:00:AA:13 ## x.x.x.x] username"
    While the clients see:
    "Invalid Clean Access Server"
    We are running 4.1.3.1 software and using In-Band for our wireless. This is best reproduced by logging into CA via the agent and then moving locations (wireless). At the new location the agent says "logged-in", but when you open a web browser you are redirected to the web authentication page. When you log in to the web auth page you fail and receive the "Invalid Clean Access Server" error message below the login form. After this you are in a loop you can't get out of, even after right-clicking the agent and logging off.
    The problem started after our upgrade from 4.1.1 to 4.1.3.1. Our TAC engineer hasn't found a solution yet so I thought I'd post here. Any help would be greatly appreciated.
    Thanks,
    -Dusty

    I'll answer my own question:
    Bug: CSCsl70418

  • NAC/Clean Access Server no longer intercepting Clients after upgrade

    We recently upgraded our Cisco Clean Access Manager and Server to version 4.8.2 from 4.8.0. Everything seemed to be working fine, but I had a user log in without having the NAC Agent running and they had full access. We didn't change anything other than upgrading to the new version. We have found that the user has access even before the Windows Agent has completed the assessment of the client. It worked fine before the upgrade....Again, we made no changes other than upgrading to the new version (no route changes, etc).
    I even tried an explicit deny for the user's workstation's MAC and the NAC Server still let him through....I am a bit perplexed...Thanks for any assistance.

    Hmm, I removed the line but it does not help me?
    I ran the following command in Terminal:
    sudo pico /Library/Server/Mail/Config/postfix/main.cf
    Removed "reject_non_fqdn_helo_hostname" from the smtpd_helo_restrictions line.
    Saved the file and restarted the Mail service.
    I get this in the log when I try to send from a Windows client with Outlook 2010:
    Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): Authentication server failed to complete the requested operation.
    Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): authentication failed for user=annicalundmark, method=DIGEST-MD5
    I have tried different ports like 25 and 587 with SSL, TLS and "none" in the SMTP advanced settings on the client.
    I used the same instructions before on Lion Server and there it did work?!
    Any more ideas?
    regards
    Jörgen

  • Clean Access Server is unavailable on the network

    I have an issue where randomly (about 4 or 5 users per week out of about 150 concurrent users) people are getting "Clean Access Server is unavailable on the network". We are using the full client v4.7.0. Certs and DNS look good, and everything works fine for most people. I read about the "work offline" bug; do you think that could cause this? Also, the CAM and CAS clocks are about 4 minutes apart; what kind of issues could this cause?
    Thanks!

    I found it; it was described in TAC Case 614237013 with Nate Austin from RTP's AAA TAC. Bug ID CSCta39899. Excerpts from the TAC case are below.
    David Swafford.
    =============================================================
    Subject: SR 614237013 - NAC Agent - CCA Server Unavailable Repeatedly
    Hi David,
    My name is Nate Austin with Cisco TAC and I just accepted ownership of your SR regarding NAC Appliance.
    Looking at the logs I can see two-way communication with the CAS, so we know it can reach it IP-wise. All the SWISS communication is successful, but it appears the HTTPS requests are the ones that are failing.
    I have seen a couple things cause this:
    1) Personal firewall blocking ports from CCA Agent.
    2) More common - We use the same libraries as IE does for making HTTP calls. If IE Offline Mode is enabled, this will cause the agent to fail. Can you check in IE (especially if Firefox or Chrome are the users' default browser, because they'd never check IE) and see if Offline Mode is enabled? If so, disable it and try again.
    Thanks,
    Nate
    =============================================================
    Subject: Re: SR 614237013 - NAC Agent - CCA Server Unavailable Repeatedly
    Sounds good.
    FYI, if this does end up being the problem, there was a bug filed on this, CSCta39899, and in the 4.8 agent the agent will disable Offline Mode and re-enable it after it logs in.
    Thanks,
    Nate
    Nathaniel Austin                        Cisco Systems
    Customer Support Engineer               Research Triangle Park, NC

  • Clean Access Server could not establish a secure connection

    I have an OOB Real IP GW setup on v4.1.2.
    I seem to have a problem with the CAS connecting to the CAM, although I have added the CAS to the CAM and can manage the CAS from the CAM.
    I noticed while troubleshooting client authentication that the client was not being redirected to the logon web page and it had full access to the trusted network from the untrusted authentication VLAN. I eventually figured out that if I change the CAS Filter Fallback method from Allow to Ignore then it tries to authenticate the client. However, the fact that the fallback is activated tells you that something is not right.
    I have 2 problems:
    A) The client's web page is redirected for authentication, but it only lists the domain name in the URL and not the hostname or host IP. In the lab I do not have a DNS server, and it would not help as it does not include the hostname in the URL anyway. How do I fix this, or perhaps it's related to the 2nd problem?
    B) When I manually change the URL by replacing the domain name with the IP of the CAS (untrusted OOB Real IP GW), I get the following error message when logging on:
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    I would guess the culprit is No 2, but surely the system can run on self-signed certificates? I have an NTP server so time is in sync. I have even tried regenerating the certificates on the CAM & CAS.
    Any ideas?

    To overcome problem B, I regenerated the SSL certificates using the host IP address instead of the name for all the CAM & CAS appliances. This seems to have resolved the problem.
    I also SSH'd from each of the CASs to each of the CAMs from the CLI, and it then prompts to permanently store the certificates. I'm not sure if this was necessary though.

  • Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager

    Hello everyone
    I am implementing a failover solution of NAC in OOB VG version 4.8; I have 2 CAS and 2 CAM.
    The error I am getting is when I connect to both the IP address and the FQDN of the CAS.
    ===========
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at camsrv3.cadivi.gob.ve.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    ==========
    For the CAMs I use the names camsrv1 and camsrv2, then generate a CSR on camsrv1 with the name camsrv3.mycompany.com corresponding to the virtual IP and export it to camsrv2, install the CA certificate of the company, and everything works perfectly.
    This is the failover configuration
    CAM:
    Primary:   10.1.206.248 camsrv1.mycompany.com
    Secondary: 10.1.206.249 camsrv2.mycompany.com
    Virtual:   10.1.206.250 camsrv3.mycompany.com
    Then I do exactly the same steps for the CASs, and this is the failover configuration:
    Primary:   10.1.216.248 cassrv1.mycompany.com
    Secondary: 10.1.216.249 cassrv2.mycompany.com
    Virtual:   10.1.216.250 cassrv3.mycompany.com
    Then I add the certificate of the CAM in the CAS on the tab "Trusted Certificate Authorities", and vice versa.
    The communication between all the CAMs and CASs is correct (Primary, Secondary and Virtual). I can ping the IP and the FQDN, and I can also manage the CAS through the CAM.
    I verified that the time was right on the CAM and the CAS, and all is good there.
    Appreciate your help
    Eduardo Navas

    Eduardo,
    Bump up the CAM/CAS communications logging on both the CAS and CAMs, and then look in the log files for clues.
    On the CAM they live in /perfigo/control/tomcat/logs and on the CAS in /perfigo/access/tomcat/logs.
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • Cisco NAC Guest Server for Wireless Users integration with IP telephony

    Hi Team
    I have a client who has the following requirement. The client requires a Guest Server in order to serve wireless needs for guests at their office. They want the guest to get their authentication codes via SMS. The client will have a lobby IP Phone where the guest will press the services button configured on the IP Phone. It will then prompt the guest to enter his mobile number. Once the guest enters his mobile number, the guest will receive a text via the SMS gateway with login credentials. They want to offload this from the receptionist, and it is for this reason that they require this functionality.
    Has anyone done this sort of deployment? We have already proposed NAC Guest Server and Wireless Controller, but we do not know whether the XML application for subscribing to the service on the IP Phone is available directly from Cisco or whether it needs to be developed.
    Kindly advise on the same.
    Regards
    Azeem

    Hi Vishal,
    Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS as NGS itself cannot return ACLs in the reply radius attributes.
    Basically the process is as follows:
    1 - Client plugs cable on switch.
    2 - Web auth is triggered on the port.
    3 - A default ACL permitting only DNS and DHCP is applied so that the client PC can obtain an IP address and open a browser.
    4 - Client will be redirected to the NGS hotspot login page.
    5 - Client will enter credentials.
    6 - Client browser will send an HTTP POST packet containing the credentials.
    7 - The switch will intercept the POST packet and retrieve the credentials entered.
    8 - The switch will send a RADIUS Access-Request to the ACS.
    9 - The ACS will use the NGS as an External Identity Source to authenticate the client.
    10 - The NGS will reply with a RADIUS Access-Accept to the ACS, and the ACS will reply to the switch including the ACL in the Access-Accept.
    11 - The switch authorizes the client on the port and applies the ACL it received from the ACS.
    Please follow the document Nicolas posted as it is a good one.
    HTH,
    Thanks
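The eleven-step exchange above, modelled as an added example (not Cisco's code and not from the original post): plain dictionaries stand in for the RADIUS packets, the NGS acts purely as a yes/no external identity source, and the ACL is attached by the ACS authorization step, which is the point the reply makes. The guest account, the ACL name and the port id are constructed for the illustration.

```python
"""Simulated wired web-auth flow: client POST -> switch -> ACS -> NGS -> ACS -> switch.

Constructed example.  Real RADIUS packets obfuscate User-Password with the
shared secret and carry many more attributes; this model keeps only what the
post's flow needs so the division of labour (NGS authenticates, ACS authorizes)
is visible.
"""
from dataclasses import dataclass, field

# Constructed guest accounts as held by the NAC Guest Server (username -> password).
NGS_GUEST_DB = {"guest1234": "Sunny-Day-42"}

# Constructed ACS authorization policy: the ACL name handed back for guests.
ACS_GUEST_ACL = "GUEST-INTERNET-ONLY"

# Step 3: pre-auth ACL on the port, allowing only DHCP and DNS (constructed).
PREAUTH_ACL = (
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "deny ip any any",
)


@dataclass
class RadiusPacket:
    code: str                                   # Access-Request / Access-Accept / Access-Reject
    attributes: dict = field(default_factory=dict)


def ngs_authenticate(username: str, password: str) -> bool:
    """Step 9: NGS as external identity source.  It answers only whether the
    credentials are valid; it has no ACL to return (per the post)."""
    return NGS_GUEST_DB.get(username) == password


def acs_handle(request: RadiusPacket) -> RadiusPacket:
    """Steps 8-10: ACS takes the Access-Request, delegates authentication to
    NGS, then builds the reply and adds the ACL from its own policy."""
    attrs = request.attributes
    if not ngs_authenticate(attrs["User-Name"], attrs["User-Password"]):
        return RadiusPacket("Access-Reject")
    # Step 10: Filter-Id (RFC 2865 attribute 11) names the ACL; it comes from ACS, not NGS.
    return RadiusPacket("Access-Accept", {"Filter-Id": ACS_GUEST_ACL})


def switch_handle_login(post_body: dict, port: str) -> dict:
    """Steps 6-11 from the switch's side.  post_body is the intercepted HTTP
    POST from the client browser.  Returns the resulting port state."""
    state = {"port": port, "acl": PREAUTH_ACL, "authorized": False}
    # Step 7: lift the credentials out of the intercepted POST.
    req = RadiusPacket("Access-Request", {
        "User-Name": post_body["username"],
        "User-Password": post_body["password"],
        "NAS-Port-Id": port,
    })
    reply = acs_handle(req)
    if reply.code == "Access-Accept":
        # Step 11: authorize the port and swap the pre-auth ACL for the received one.
        state["authorized"] = True
        state["acl"] = reply.attributes["Filter-Id"]
    return state


if __name__ == "__main__":
    print(switch_handle_login({"username": "guest1234", "password": "Sunny-Day-42"}, "Gi1/0/5"))
    print(switch_handle_login({"username": "guest1234", "password": "wrong"}, "Gi1/0/5"))
```

A failed NGS lookup leaves the port on the pre-auth ACL, which is the state to look for when a guest can reach DNS and DHCP but nothing else.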

  • Please help me with the communication between Clean Access Manager and Switch 3560E-24PS via SNMP

    Dear All,
    I am trying to configure both the Clean Access Manager and a Switch 3560E-24PS for the SNMP version 2 protocol, but I can't make them work together (for CAM and Switch 3560G-48PS I can do that). Please give me any suggestion to solve that problem. All configuration is as below:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

  • How to move all my data to a server and wirelessly access it from any Mac

    Hi. I have a PB, an MBP, a Mac Mini and a new iMac, which all serve different purposes. I have got to the point at home where I want to have one private account with all my data on a HD and to just log in to it from whichever machine I happen to be using. I currently have an Airport Express as my wireless router and am considering buying an Airport Extreme/Time Capsule. I have about 500GB of data, which is growing pretty quickly since I use an HD camcorder, so I will buy one or two large drives in addition to the various external HDs I already have (that total about 850GB). What is the best way (at relatively low cost) for me to set up my wireless home network in order to achieve the above goal?
    Thanks for your time.
    Matthew Whiting

    Don't go there. At least not for all your data.
    The relatively low throughput and high latency of the wireless connection (at least compared to direct-attached disks) will make accessing large files cumbersome and frustrating. Since you specifically mention HD video you should be aware that what takes a long time now will take a lot longer if the media is accessed over the wireless network.
    So while your goal might be technically feasible, it's unlikely to be workable.
    Instead you should consider focussing your centralized data on content that makes sense (e.g. maybe your iTunes library), and store data locally where it's more appropriate (e.g. consider one machine for video editing).
    Therefore you need to analyze your data - both in terms of content (what you have) and use (how you access it) to determine what makes sense to store centrally. Once you have that it will be easier to form a plan.

  • How to configure Time Capsule etc as a local network server with remote access server and for backups

    I'm trying to set up a new 3TB Time Capsule as a wireless network server (with remote access) and for backups, for use in a small office (of two Macs). We have a late 2011 Intel MBP and a brand new MBA, both running 10.8.3. We have two external 1TB hard drives that until now have been attached to the MBP for storage and for backing up that computer, which up until now was the only machine in use. The MBA is for a new employee, and we need to share and work on the same files, both here in the office and ideally remotely too via Back to My Mac. The MBP needs constant access, the MBA only occasional. The TC has 7.6.3 firmware and we've set it up using AirPort Utility 6.2. It is currently attached to the MBP via Ethernet and it has internet access via a Sagemcom router attached to the TC's WAN port.
    We've managed to set up a wireless network and both have wireless internet access through the TC.
    But there are so many issues I don't know where to begin, so I'll start with a description of what we're trying to achieve:
    I planned to use the TC as the main server drive and place all the key folders and files there so that both of us can access them wirelessly and remotely. The MBP would back up to the TC and to one or two of the external hard drives, one being attached to the Mac via USB and the other being attached to the TC's USB port. We would back up the important data on the TC using SuperDuper and copy it to both external USB drives.
    So, first of all, is that a sensible configuration? Should the 'server' be one of the external hard drives attached to the TC USB port, backed up regularly to the TC using SuperDuper?

    But when you say 'So using USB drive does make sense if you want to use it as a file store', do you mean a USB drive plugged into the TC? I hope that I can attach an external drive to the TC so we can all access and read/write the content wirelessly via the TC network or remotely.
    Yes, USB.. as it prevents the sparsebundle mixing with data files. I guess it does depend on how much data you are talking about.. you can use the TC internal disk if you are careful and setup the sparsebundle with fixed sizes once you create them..
    And to be clear, I wasn't planning on backing up remotely via BTMM - only to access the shared folders on the TC data drive or USB external drive attached to it. I'm assuming that's ok?
    Yes, that is fine. Sorry I got the impression you were going to do backup over internet.
    What is the alternative? Having a Mac Mini that's always on? Do I need OS X Server etc.?
    A mini would be great.. you don't need server edition.. but I would see how the TC goes.. since you have it and it is much lower power consumption device. It is just that its design is not really for file storage.
    One big problem I have is to do with the sharing permissions. For everything on the TC or attached external drive attached to it, it says I have only custom access and every time I try to change permissions it says I don't have the permission to do that. And if I try to change the owner it says my user name is not valid.
    How is the security setup on the TC?
    The security is a bit tricky.. I must admit, since I run Windows computers in the network, that I simply turn on the guest account with read and write access. For a business setup that might not be adequate, but it allows me full access to all the files.
    If you setup the TC with user accounts then you are in trouble. That makes it very difficult to access, especially if one person already has the file open you may find a second user cannot login. I am not sure as I have avoided the security. IMHO it is meaningless.. since anyone with physical access to the TC can press the reset for one second and has full access.. and can add or change passwords.

  • LDAP access levels for wireless users

    How is it possible if I want my Directory Server 5.2 to authenticate only a small number of users for wireless and dial-up access? LDAP should not permit the other users when they try to log in by wireless or dial-up. But everyone should be authenticated when they try to log in through a direct Ethernet connection. Currently all my users are under ou=people.
    Joshua

    Hi,
    Directly-connected APs are supported in 7.4 code, if you are not on that code then
    The PoE Ports are not for the APs
    Ports 3 and 4 are PoE-only ports; do not connect access point devices to these ports. The ports can be used for infra-switch connection using multiple AP-Manager or data interfaces.
    Connect port 1 to a trunk port on the switch.
    configure the native vlan ON THE TRUNKPORT only eg vlan 10
    Let's assume your wireless is on vlan 10 and your WLC2504 is 10.10.10.20 /24 gateway 10.10.10.1
    Enable and Configure DHCP scope for vlan 10
    The APs are then connected to a vlan 10 access port on the switch
    Configure the SSID
    DHCP server tips
    - Enable bridging mode if using the controller as the DHCP server; otherwise disable it.
    - If using another DHCP server and the DHCP server is in the same VLAN as the controller, nothing further is needed.
    - If the DHCP server is on another VLAN, you will need to configure option 43 (vendor-specific info).
    Check with these configurations; it will hopefully fix your issue.

  • NAC differentiate wired and wireless users

    We have NAC installed and are using it to control both wired and wireless ports. We also have the Guest Server that we are in the process of implementing. We would like only users that are created via the Guest Server to use both wired and wireless access, which we are able to do at this point. Our issue is that we have a Guest account that we would like to restrict to only wired users; this account is posted in conference rooms for internet access only. We don't want this account to be able to be used on the wireless network. Is this possible?
    Thanks,
    Joe

    Where are those conference room guests authenticating currently? Through NAC? Through web auth on a switch linked with NGS?
    Nicolas

  • AP or RADIUS Server disconnects Wireless Users constantly

    Hi,
    We are working with an Authentication Server with a Wireless Network; the APs are located on different LANs, but the problem is that some users get disconnected constantly, while other users are working without problems, on the same AP or a different one. You can be working without problems, but sometimes this problem can appear on your PC.
    Do you know what I need to check? Do you have any idea about it?
    Thank you, regards.

    I would strongly advise you to try to find a constant in your troubleshooting, be it a specific WLAN client radio, a specific VLAN, or perhaps a group policy on the RADIUS server. Your approach can aid you greatly in eliminating possible culprits if your approach is effective; otherwise you find yourself covering the same ground and making no headway toward a resolution. This could be something as simple as an "idle-timeout" setting in RADIUS (seems like it would impact all clients, but not all clients are logging in at the same time or staying on continuously)...there is a variable that you've yet to discover that could be a one-stop solution to your problem. Based on the limited info in your post, it would be a mile-long checklist to troubleshoot, but you can do so if you look, as mentioned before, for a constant. Wish I could help more!

  • Cisco Clean Access Server eth0 port inactive on install

    I am trying to learn how the Cisco NAC appliances work. I have created a small self-contained test network with a Server 2003 domain controller, a fake domain setup and some workstations joined to the domain.
    I have two NAC appliances, one is the Server and one is the Manager.
    When I follow the instructions from the manual to install the server from the CD, everything seems to go fine. I plan to use it as a bridge in the network, so I applied the same IP address to both the eth0 and eth1 interfaces (the eth1 interface is not connected to the network during install, as per instructions).
    Here is the issue I am having: after configuration is finished and the CCA server reboots, I cannot ping the server when it is connected by eth0. If I swap the network cable over to eth1, however, I can ping the device.
    Is this normal?

    I have the same issue. But it gets even stranger; I had the CAM/CAS working in a test LAN environment, got the AD SSO to work by applying VLANs based on AD group membership of the user logging on. Client was pleased.
    Moved the two NAC devices to their location and reloaded both CAM & CAS clean from CD, did the same configuration, and now eth0 (Trusted) can't see the AD domain controller but can see the CAM. I ran nslookup on the CAS to test the network settings and the result is no server found; the DNS server is the AD domain controller.

  • Read Only privileges for Access Server and Identity Server - OAM 10g

    Hi,
    I am working on Oracle Access Manager 10g version 10.1.4.
    I use an administrative account that is a member of the 'COREid Administrators' group to log into the access console and identity console of OAM.
    Since this is the administrative account, it has the rights to modify and update all access/identity entities.
    How can I set up an account that has "view only" privileges over all access and identity objects in OAM?
    I need to log into the access and identity consoles of OAM and view all policy domains/policies/access system configuration/user manager config/group manager config etc., but not be able to modify any of them.
    Is there a way to setup such an account in OAM?
    Regards,
    Abhishek.

    Hi Abhishek,
    It is possible to define different levels of administrator, but it is not possible to give an admin read access (to objects in the consoles) without also giving modify access. I do not believe that there is a straightforward way to meet this requirement. For the Access System you could use the Policy Manager API and write your own interface (which does not have the ability to modify), but obviously this would be some development effort.
    Regards,
    Colin
