Clean Access

Similar Messages

• Clean Access Server could not establish a secure connection

  I have a OOB Real IP GW setup on v4.1.2
  I seem to have a problem with the CAS connecting to the CAM although I have added the CAS to the CAM and can manage the CAS from the CAM.
  I noticed while troubleshooting client authentication that the client was not being redirected to the logon web page and it had full access to the trusted network from the untrusted authentication vlan. I eventually figured out that if I change the CAS Filter Fallback method from Allow to ignore then it tries to authenticate the client. However the fact that the fallback is activated tells you that something is not right.
  I have 2 problems:
  A) The clients web page is redirected for authentication but it only lists the domain name in the URL and not the hostname or host IP. In the lab I do not have a DNS server and it would not help as it does not include the hostname in the URL anyway. How do I fix this or perhaps it's related to the 2nd problem.
  B) When I manually change the URL by replacing the domain name with the IP of the CAS (untrusted OOB Real IP GW) then I get the following error message when logging on:
  Network Error:
  Clean Access Server could not establish a secure connection to Clean Access Manager at mydomain.com.
  This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
  Please report this to your network administrator.
  I would guess the culprit is No 2 but surely the system can run on self signed certificates? I have an NTP server so time is in sync. I have even tried regenerating the cetificates on the CAM
  & CAS.
  Any ideas?

  To overcome problem B, I regenerated the SSL Certificates using the host IP address instead of the name for all the CAM & CAS appliances. This seems to have resolved this problem.
  I also SSH'd from each of the CAS's to each of the CAM's from the CLI and it then prompts to permanently store the certificates. I'm not sure it this was necessary though.

• Windows Vista conflicting with Clean Access?

  When I try to log into Clean Access to use the internet, it gives me an error message saying that in order to fulfill all of my requirements and get into the system, I need to download windows defender. But Windows defender comes with Windows Vista, which is what I have...So when I try to download Windows Defender and install it, it gives me a popup saying that I already have it on my comnputer and that I don't need to download it. Any ideas? Anybody? Please? Am I even in the right place for this kind of question?

  If you using Windows Vista,You already have windows defender. Ensure the version of the defender because if Windows Defender informed you that an update is available, you are running an older version.
  Below are Windows Vista Supported Antispyware Product as of the latest release of the Cisco Clean Access software.
  Product version - 1.x
  AS Checks Supported
  (Minimum Agent Version Needed) are:
  Installation - (4.0.5.0)
  Spyware Definition - (4.0.5.0)

• Plse...help me on the communicating between CLEAN ACCESS MANAGER and Switch 3560E-24Ps by snmp

  Dear All,
  I try to configure in both Clean Access Manager and Switch 3560E-24Ps on SNMP Version 2 protocol but I can't make it working together (For CAM and Switch 3560G-48Ps I can do that). Plse give me any suggestion to solve that problem. All configuration is as below:

  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/412_cam_book.html

• Clean access rules and Windows service pack 3

  I am having a small issue with our Clean Access Manager blocking any Windows XP computer that has service pack 3 installed. The main failure it is giving in the reports is this
  Failed Checks:
  pc_Windows-XP-SP2, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2]
  pc_Windows-XP-SP1, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 1]
  The key that is there when sp3 is installed is this:
  \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 3
  I have verified that pc_Windows-XP-SP1 and pc_Windows-XP-SP2 are there as well as created a check for service pack 3 eric_pc_Windows-XP-SP3 and added the check to the rules governing windows updates for XP pro/home and windows media edition. But for some reason they are not taking effect. The CAM is running version 4.1.3.1 and the the CAA is version 4.1.3.2. Any assistance would be greatly appreciated.
  Thank you,
  Eric

  Here is the configuration guide for the Clean Access Manager which will help you :
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_instal.html

• Clean Access and Windows 2003 Server

  I am trying to install the Clean Access Client on a VM running Windows 2003 Server. When I connect to our customer's network the VPN client appears to connect properly and I see the Clean Access window. Then it all seems to fall over. My customer tells me I should see a blue window with a red OK button on it but I never see it. As a result I never get completely into the network. Is this because I am running this on Windows 2003 Server or should I be looking at something else? Can this run in a Virtual Environment and on 2003 Server?

  I work it out partially by myself:
  1)
  (excuse me, I meant "kinit and Krb5LoginModule" not "kinit and kinit.exe").
  Krb5LoginModule seems to work now (with TCP). The output is:
  KRBError:sTime is Tue Jun 01 17:13:51 CEST 2004 1086102831000
  suSec is 945761
  error code is 52
  error Message is Response too big for UDP, retry with TCP
  realm is SSOTEST.RTC.CH
  sname is krbtgt/SSOTEST.RTC.CH
  KrbKdcReq send: kdc=rtcnt978.ssotest.rtc.ch TCP:88, timeout=30000, number of retries =3, #bytes=232
  DEBUG: TCPClient reading 1496 bytes
  KrbKdcReq send: #bytes read=1496
  KrbKdcReq send: #bytes read=1496
  EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
  KrbAsRep cons in KrbAsReq.getReply sso_testuserCommit Succeeded
  Which is what I want (it tries first with UDP, then the KDC says the TGT is too big for UDP and the client tries again with TCP)
  2)
  I still have the error :-(

• Run-time error '7': Out of memory - Cisco Clean Access problem

  Hi all,
  I hope this question is in the appropriate place. I'm trying to use my company's vpn service. Here's how the process should work:
  1) Log on with username/password using Cisco AnyConnect VPN Client
  2) Log-in to the portal. During this step the Cisco Clean Access Agent is supposed to automatically log-in. However I get the following error:
  Run-time error '7':
  Out of memory
  My company's network services didn't seem to be much of a help so I was hoping one of you would have a good suggestion(s).
  Please keep in mind that I'm not great with computers. I know how to use them and all that but I'm not familiar with the inner-workings at all (registry editing etc.)
  Thanks in advance!
  -Bill

  I should add that the version of CCA is 4.1.10

• Help with Clean Access Architecture

  Hello All,
  I wanted to engage some of the NetPros out there about designing our Clean Access architecture. We purchased 4 3140s (2 x CAMs w/ FO, 2 x CASs w/ FO). The goal is to use Clean Access to validate select areas of our head quarters, along with validate users in a remote location.
  The HQ part of the design I can understand without issue. It's when we begin to deal with the remote office that I become uncertain about the design. The remote office is MPLS connected to HQ (L3 multi-hop). We want users in the remote office to also be L2 authenticate to the Clean Access cluster at HQ. Across MPLS this does not appear to be straightforward. We'd like to do a L2 deployment, but from what I've read this will require using L2TPv3 at the remote office to "tunnel" the VLANs from HQ to remote and vice-versa. My fear is that now the default gateway for the remote clients is the HQ Clean Access cluster. Therefore... all traffic will be "switched" across their WAN link. This becomes and issue as the remote office has local Windows domain controllers for faster file access on another VLAN... and in this scenario it sounds like the workstations would have to travel across the L2TPv3 tunnel to HQ to just have to go back across the tunnel to the remote office for file access. Sounds slow!
  Does anyone have recommendations as to how to design this centralized, L2, OOB architecture. In my mind I would want the clients attempting authentication to the switch... switch forward to the CAS... CAS validates posture and passes down necessary VLAN to switch. All VLAN'ing and switching is kept remote. We operate all 3750 switches... so our infrastructure can work with NAC. Sorry for the long post, just wanted to try to explain the requirements. Thanks for the help.
  -Mike
  http://cs-mars.blogspot.com

  Hi Mike -
  Very good questions. You definitely do not need the L2TPv3 across the WAN to control the ports at the remote site.
  The CASs can be deployed L2 In-Band (IB), L3 In-Band (IB), L2 Out-of-Band (OOB) or L3 Out-of-Band (OOB).
  L3 OOB can be used to control the switches at the remote sites. A 2nd vlan is required for the remote site to serve as the authentication vlan. All ports start off on this Auth Vlan when a user plugs in.
  The user receives an IP Address on this Auth Vlan and the local L3 device is the GWY. The L3 device should have ACLs to protect the rest of the network from this Auth Vlan. The only permit entries in the ACL should let the users get to CAS and the remediation servers. Using a network like 192.168.x.x and varying the 3rd octet on a per-site basis simplifies the ACLs if you are using the 10.x.x.x as your internal addressing. The ACLs should be places on all the MPLS routers to protect the production network from the Auth network.
  Once the user proves trustworthy, the Clean Access changes the vlan on the switch to the production/normal vlan and the user has complete access as before.
  CASs can be either one of the 4 roles (L2 IB, L3 IB, L2 OOB, L3 OOB) when they are added to the CAM.
  If you plan to use L2 OOB for your HQ and L3 OOB for the remotes, you may need to add 1 more CAS pair to your architecture.
  We have some great diagrams that the Clean Access product team have put together that will illustrate this architecture to you.
  Your local SE / CSE should be able to provide this to you.
  Let us know if you have any follow up questions.
  Hope this helps.
  peter

• Confusion on Cisco clean access and Cisco NAC

  Dear Pros,
  I still confuse with the name mismatch as above. Please any one give me the correct NAC part number for both server and manager
  swamy

  Cisco Clean Access and NAC are the same.
  NAC is just the new naming.
  You can have NAC installed in two way, Framework or Appliance mode.
  I think Framework is not available anymore (I may be wrong).
  If you go with the appliance, you'll need a minimum of two. 1 for the CAM (Clean Access Manager) which manages the policies and 1 for the CAS (Clean Access Server) that is the "filter" between your authentication lan and your prod network.
  Dominic

• Smartcard authentication for Clean Access SSO

  Is anyone doing smartcard authentication into clean access via SSO? I have an issue where the UPN is not the username and the domain suffix is different from the AD domain so the agent is appending  @domain.com to the $user$ variable and so it is failing to authenticate.

  Did you run KTPASS correctly?
  I had the same problem, (very undocumented 'feature', I would say) the KTPASS command must be run slightly different when running against a DC, versus running it against a AD Domain.
  For Domain Authentication:
  ktpass.exe -princ cleanaccess/domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
  For AD Server Authentication:
  ktpass.exe -princ cleanaccess/SERVERNAME.domain_in_lower_case.co.za@DOMAIN_IN_UPPER_CASE.CO.ZA -mapuser cleanaccess -pass mypassword -out c:\cleanaccess.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly
  NOTE: SERVERNAME need to be exactly as indicated under My Computer > Properties. (ie, correct UPPERCASE and lowercase letters in the right places)
  Another thing to look out for is the cleanaccess AD account you have created, make sure that the display name matches the account name, and do not specify anything for the Firstname, Lastname fields. This seems to break things ans gets the authentication to fail for some reason.
  O, and if you have set up the account at first for DC Server Authentication, delete it and recreate it for the AD Domain Authentication, because that breaks it too, when you run the KTPASS.EXE again.
  Another thing, try using ADSSO without the lookup account configured to see that the machine authenticates first, then ad the Lookup Account, maybe the problem lies there.
  Hope this helps.

• Problem with Clean Access Agent and Windows Updater

  I have a problem with a laptop when using Cisco Clean Access Agent. The agent keeps directing the laptop to get updates from the Windows Update site, but when I have connected the laptop via cable, windows updates tells me there are no updates either essential or optional. The laptop is a Sony VIVO VGN-FJ270 running XP Home Edition SP2 and the Clean Access Agent is version 4.0.2.1
  Any help is appreciated!!

  Verify the allowed hosts in CCA agent.
  Try these link:
  http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
  http://www.cisco.com/en/US/products/ps6128/products_qanda_item09186a00803b7a81.shtml

• NAC/Clean Access Server no longer intercepting Clients after upgrade

  We recently upgraded our CISCO Clean Access Manager and Server to version 4.8.2 from 4.8.0.  Everything seemed to be working fine but I had a user log in without having the NAC Agent running and they had full access.  We didn't change anything other than upgrading to the new version.  We have found that the user has access even before the Windows Agent is completed with the assessement of the client.  It worked fine before the upgrade....Again, we made no changes other than upgrading to the new version (no route changes, etc).
  I even tried an explicit deny for the user's workstation's mac and the NAC SErver still let him through....I am a bit perplexed...Thanks for any assistance.

  Hmm, i removed the line but it does not help me ?
  I did run following command in terminal:
  sudo pico /Library/Server/Mail/Config/postfix/main.cf
  Removed the "reject_non_fqdn_helo_hostname" from the line smtpd_helo_restrictions.
  Saved the file and restarted Mail service
  get this in  log when i try to send from a windows client with Outlook2010:
  Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): Authentication server failed to complete the requested operation.
  Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): authentication failed for user=annicalundmark, method=DIGEST-MD5
  Have tryed different ports like 25 and 587 with SSL, TLS and "none" in SMTP advanced settings on klient.
  I did use the same instructions before in Lion server and there it did work ?!
  Any more ideas ?
  regards
  Jörgen

• Clean Access Agent in Windows 8, 64 bit

  Hey guys,
  I posted this on another Cisco community site, someone there suggested I try here. He also gave me this page as a possible solution but I'm unable to download from the page as I don't have a service contract, I'm just a Dad trying to get his kid's computer online at school.
  http://www.cisco.com/cisco/software/release.html?mdfid=282855549&flowid=34712&softwareid=282573326&release=4.8.3&relind=AVAILABLE&rellifecycle=&reltype
  Kind of at our wit's end here. My daughter is at Mass Art in Boston with a nearly new computer (6 months old at most) with Windows 8 Pro and the Clean Access Agent isn't letting her connect saying she has no updated AV installed. However, we did have BitDefender installed and updated and I've seen BitDefender on a Cisco list on line somewhere, the tech department at the school also said that it should work. Thinking there might be a conflict with BitDefender and Windows Defender we uninstalled BitDefender but to no avail, the agent still won't allow access.
  Now the tech dept. at the school is telling her she has to reformat her hard drive (Ha!!) which is simply and completely unacceptable.
  Does anyone here know if the above link may solve our problem?
  Can someone send me the necessary files?
  Is there someone the school tech people can contact for this?
  Am I asking enough annoying questions?
  Many thanks for your time,
  Ken

  Hello Ajay,
  When I try to download either the "4.8.3 Patch for Windows 8 support" or the "4.8.3 Patch for Windows 8 Official support" it says I need a service contract. Which, of course, I don't have. I'm just a Dad trying to get his kids computer connected to the school's network!
  Do you know what the difference is between the "4.8.3 Patch for Windows 8 support" and the "4.8.3 Patch for Windows 8 Official support" downloads?
  Might you be able to email me what I need to [email protected]?
  I don't know how all of this works between the school and Cisco but if you can't send it to me might it be something the tech support people at the school can download? I would have to guess they do, indeed, have a service contract.
  Thanks again,
  Ken

• Mac OS X Leopard Fails with Clean Access Agent

  Hey All,
  I've had several students in my office saying that Leopard and Clean Access don't work together. I haven't seen a specific error, yet, but was wondering if anyone else is seeing this problem...?
  I'm using the 4.1.2.0 agent for Macs.
  Mike

  I am at Cal Poly SLO and we have this error "Agent user operating system is not supported" Part of our system has been changed back to allowing Mac users to Authenticate using the web browser instead of the agent. That should work until cisco updates the agent

• Windows 7 and Clean Access

  Since Microsoft is saying that Windows 7 will be out for the Holiday season, I'm wondering when Cisco will have Clean Access ready to fully support Windows 7.
  We will end up with lots of students coming back to campus with brand new computers running Windows 7 and expecting them to work.
  Has anyone heard anything about Clean Access support for Windows 7?

  Yes, I know it doesn't support it (yet), but I wanted to get the discussion started now.
  I haven't heard anything from Cisco regarding Clean Access and Windows 7 and I really don't want students/users showing up after the holiday season with Windows 7 computers that "don't work because Clean Access doesn't support Windows 7, yet". That's my fear anyway...
  Mike

• 802.1x (DOT1x) and Cisco Clean Access 3140

  Hi,
  We have about 300 remote sites and would like to implement an authentication mechanism to authenticate end-devices (Windows PCs) before allowing access to the network. We thought we could implement DOT1x on our Cisco 2960, 3750 and 4500 series switches and send the "PC-switch" access requests to our centrally located Cisco Clean Access 3140 NAC servers -back at the HQ sites. We understand the NAC servers will be used to authenticate (among other things) the end-users workstations to ensure each workstation is a company owned PC and all  the security parameters are installed and up today. -RIGHT?
  Can the Cisco Clean Access 3140 server perform the Authentication security checks from the 802.1x (DOT1x) enabled switches?
  Does the Cisco Clean Access 3140 server have to be inline (on the users subnet) and/or be centrally located?
  Is the Cisco Clean Access 3140 still usable?
  Thanks
  Frank

  unfortunately because they are Avaya phones, the easy answer CDP-Bypass fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice-vlans on each phone, but that could get tedious depending on the amount of phones.
  I believe there is a DHCP option you can pass back that indicates the phone should be running on vlan 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
  Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The raduis server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate vlan if configured correctly.
  What are using for a radius server?