Clean Acess Agent don't popup
hello
I use NAC for remote vpn conexion.
I don't have any problem with vpn.
I have the following problem:
when the response time from the client vpn (after that it connected to the vpn server) to CAS clean access server is greater than 600ms, the clean access agent don't popup but when it is lower than that (for exemple 150ms) the clean access agent popup.
are there any option to resolve this problem?
thank you for your help.
hello
I use:
Windows Clean Access Agent
Setup Version: 4.1.3.1
also the Clean Access Server has the same version 4.1.3.1
Similar Messages
-
Clean Access Agent can't popup
Hi, we setup a CAS and CAM in L2 OOB virtuil gateway and the switch is a 3560 using SVI and L3 for routing. We can authenticate using web agent but there is a problem when using a Clean Access agent. I have configured the discovery host using the ip address of the CAM but the login doesn't popup. I changed the discovery host of the ip of the server and tried reinstalling the access agent but login doesn't popup. Do I need to reboot the server when i changed the ip of the discovery host?What do i need to configure on the CAM or CAS?
For L2 or L3 deployments, the Clean Access Agent will pop up on the client if "Popup Login Window" is enabled on the Agent and the Agent detects it is behind the Clean Access Server. If the Agent does not pop up, this indicates it cannot reach the CAS.
To Troubleshoot L2 Deployments:
1. Make sure the client machine can get a correct IP address. Open a command tool (Start > Run > cmd) and type ipfconfig or ipconfig /all to check the client IP address information.
2. If necessary, type ipconfig /release, then ipconfig /renew to reset the DHCP lease for the client.
To Troubleshoot L3 Deployments:
1. Check whether the Discovery Host field is set to the IP address of the CAM itself under Device Management > Clean Access > Clean Access Agent > Installation | Discovery Host. This field must be the address of a device on the trusted side and cannot be the address of the CAS.
2. Uninstall the Clean Access Agent on the client.
3. Change the Discovery Host field to the IP address of the CAM and click Update.
4. Reboot the CAS.
5. Re-download and re-install the Clean Access Agent on the client.
Note The Login option on the Clean Access Agent is correctly disabled (greyed out) in the following cases:
â¢For OOB deployments, the Agent user is already logged in through the CAS and the client port is on the Access VLAN.
â¢For multi-hop L3 deployments, Single Sign-On (SSO) has been enabled and the user has already authenticated through the VPN concentrator (therefore is already automatically logged into Cisco NAC Appliance).
â¢MAC address-based authentication is configured for the machine of this user and therefore no user login is required. -
NAC agent don't popup on some computer
Hi
I use
ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
NAC agent does not run on some computers and run on other(windows 7).
What can be these problems?
Please help
RegardsPlease look in to this , it might help you
Agent Login Dialog Not Appearing
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions
This issue can generally take place during the posture assessment phase of any user authentication session.
Possible Causes
There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
Resolution
•Ensure that the agent is running on the client machine.
•Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
•Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
•Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture
communication between NAC agent and ISE (Swiss ports)
deny ip any any
•If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
•Ensure that the default gateway is reachable from the client machine. -
Clean and get rid of popups and adware in mackbook pro,OSX 10.9.5
clean and get rid of popups andadware in MacBook Pro, OS X 10.9.5
Click here and follow the instructions, or if there’s a type of adware not covered by them on the computer, these ones. If you're willing to use a tool to remove it(you don't need to, but may find it easier), you can instead run Adware Medic; this link is a direct download.
(120361) -
Clean Access Agent in Windows 8, 64 bit
Hey guys,
I posted this on another Cisco community site, someone there suggested I try here. He also gave me this page as a possible solution but I'm unable to download from the page as I don't have a service contract, I'm just a Dad trying to get his kid's computer online at school.
http://www.cisco.com/cisco/software/release.html?mdfid=282855549&flowid=34712&softwareid=282573326&release=4.8.3&relind=AVAILABLE&rellifecycle=&reltype
Kind of at our wit's end here. My daughter is at Mass Art in Boston with a nearly new computer (6 months old at most) with Windows 8 Pro and the Clean Access Agent isn't letting her connect saying she has no updated AV installed. However, we did have BitDefender installed and updated and I've seen BitDefender on a Cisco list on line somewhere, the tech department at the school also said that it should work. Thinking there might be a conflict with BitDefender and Windows Defender we uninstalled BitDefender but to no avail, the agent still won't allow access.
Now the tech dept. at the school is telling her she has to reformat her hard drive (Ha!!) which is simply and completely unacceptable.
Does anyone here know if the above link may solve our problem?
Can someone send me the necessary files?
Is there someone the school tech people can contact for this?
Am I asking enough annoying questions?
Many thanks for your time,
KenHello Ajay,
When I try to download either the "4.8.3 Patch for Windows 8 support" or the "4.8.3 Patch for Windows 8 Official support" it says I need a service contract. Which, of course, I don't have. I'm just a Dad trying to get his kids computer connected to the school's network!
Do you know what the difference is between the "4.8.3 Patch for Windows 8 support" and the "4.8.3 Patch for Windows 8 Official support" downloads?
Might you be able to email me what I need to [email protected]?
I don't know how all of this works between the school and Cisco but if you can't send it to me might it be something the tech support people at the school can download? I would have to guess they do, indeed, have a service contract.
Thanks again,
Ken -
Dear ,
i install nac system and working fine, but when the user loging in , the agent delay about 10 minutes before popup to the user, i don't know why the agent don't appear immedaitly after the pc finish startup.I only use OOB configurations, so I haven't tested IB configurations. However, you may see some issues in both configurations since the agent needs send user/PC information to the CAM.
In our setup, the fact that the agent doesn't load until after the desktop comes up has produced a delay in total login time that can reach 20 minutes (I've timed it), depending on the situation. I haven't yet been able to determine what MSoft is trying talk to that it can't (the delay is waiting for a bunch of things to time out).
Now, if the desktop is loaded and all user programs are running and it still takes 10 minutes for the popup, then the issue is probably with the discovery host (or lack of one) as you have been discussing with Faisal. -
Nac appliance - clean access agent report
Hi,
I have been searching a lot, and I don't find any good explanation about how the clean access agent report works. I experienced that not all agent activity will be reported. Sometimes it showed up report about the "passed" and "failed" agent, but not at another time. Would someone give me explanation about when the agent will show up reports and it will not ? or did it show bugs ?
Thanks in advance.Hi,
does anybody experience this ? or Everything is going fine on your NAC ? I am using NAC 4.1.3.1.
Thanks. -
Clean Access Agent not loading automatically
We have a SSL VPN environment that is directly dependent on our CAS, the Clean Acces Agent does not automatically load at our end users. A need to browse or create traffic must be done for this Agent to load and then scan. Would you know any issue for this to happen?
Hello,
Are you saying that the agent is installed, but it doesn't pop-up when you do VPN? If so, check the discovery host and make sure it has an IP address listed which lives on your trusted network. For most customers the CAM always is on the trusted network, so using the IP of the CAM should work.
HTH,
Faisal -
Hi there
I don't know why, every time I try to log on to Clean Access agent I get this error message. (see attached doc.) It prevents me from logging on. Then I have to remove the program, turn off the pc. Turn on the pc again to reinstall the program for it to works.
can anyone help?
many thanks
paulWhat version are you running of CCA Agent and NAC Appliance Server ?
This is not normal behaviour so can you try to disable AV, Firewall etc and try running the Agent Again.
The Agent will poll every 5 secs to discover the CAS, using the Discovery Host which will either be an IP or hostname. If it is a hostname make sure it is resolvable.
Inti -
Dears,
I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.
When we are working on the first node everything is fine, if I try to disconnect ISE1 and do my tests on ISE2, the cisco NAC agent doesn't popup, unless I uninstall it and reinstall it again from the ISE2. Then it will work properly.
Note: the NAC agent version is the following: nacagent-4.9.0.37.
Any idea?
Regards
ZahiHi Tarik,
below are my answers:
1- The content of the dACL:
ip access-list extended POSTURE-REMEDIATION
permit udp any any eq domain
permit ip any host 10.10.10.125 >>>> antivirus server
permit ip any 10.10.240.0 0.0.0.255 >>>> voice subnet
permit ip any 10.10.31.0 0.0.0.255 >>>> quarantine vlan subnet
permit ip any host 10.10.10.238 >>>> ip add of ISE1
permit ip any host 10.10.10.239 >>>> ip add of ISE2
permit ip any host 10.10.10.206 >>>> wsus server
permit ip any host 10.10.10.10 >>>> domain 1
permit ip any host 10.10.10.100 >>>> domain 2
2- When I open a web browser, yes I get redirected to the nac agent download page
3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:
sw#sho authentication sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: b8ac.6fc9.b26f
IP Address: 10.10.31.2
User-Name: RJ\15592
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 31
ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://RJ-ISE-1.rj.com:8443/guestportal/gateway?session
Id=0A0A0C86000000186ADBBD8B&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000186ADBBD8B
Acct Session ID: 0x00000023
Handle: 0x31000018
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
sw#sho authentication sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: b8ac.6fc9.b26f
IP Address: 10.10.30.12
User-Name: RJ\15592
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 30
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000186ADBBD8B
Acct Session ID: 0x00000023
Handle: 0x31000018
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:
sw#sho auth sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: 0025.6458.8409
IP Address: 10.10.31.8
User-Name: RJ\15946
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 31
ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://RJ-ISE-2.rj.com:8443/guestportal/gateway?session
Id=0A0A0C86000000206AF3FAC1&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000206AF3FAC1
Acct Session ID: 0x0000002B
Handle: 0x2C000020
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
you may find attached also the pcap file of the client machine when it is authenticating with the ISE2.
Thank you in advance
Zahi
Message was edited by: ZAHI BOU KHALIL -
Problem with Clean Access Agent and Windows Updater
I have a problem with a laptop when using Cisco Clean Access Agent. The agent keeps directing the laptop to get updates from the Windows Update site, but when I have connected the laptop via cable, windows updates tells me there are no updates either essential or optional. The laptop is a Sony VIVO VGN-FJ270 running XP Home Edition SP2 and the Clean Access Agent is version 4.0.2.1
Any help is appreciated!!Verify the allowed hosts in CCA agent.
Try these link:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
http://www.cisco.com/en/US/products/ps6128/products_qanda_item09186a00803b7a81.shtml -
Removing Cisco Clean Access Agent 4.5 (CCA)
I'm more or less having trouble with uninstalling Cisco Clean Access Agent 4.5.0.0, so I can install CCA 4.1...
I removed CCAAgent 4.5 + the files within "Library/ApplicationSupport/" and in "Library/Receipts"...yet when I try to install 4.1, it tells me there's a newer version of the software on this disk & won't let me install.
I am on Snow Leopard, too - by the way.
Any solutions to this?Tim:
Seen this page yet....anything there help?
http://www.cisco.com/en/US/docs/security/nac/appliance/configurationguide/45/cam/magntd.html#wp1276391
Do you have a fresh backup if needed? Have you tried repairing permissions and checking for hidden files with a similar name? -
Cisco Clean Access Agent patch?
I just upgraded to Snow Leopard today without realizing that my campus uses Cisco's Clean Access Agent to allow access to the network. Every time I try to log in log in it tells me "Agent user operator system not supported." It is version 4.6.0.3. I realize now that this is not a campus problem, but more likely a program problem. Is there any word on a way around this or a patch in the near future?
Thanks.The same issue occurred on my campus. Cisco claims they will fix the problem between 3 and 90 days.
-
Hi,
Can anyone tell me that If I want my user to download clean access agent so how can I achieve that...I have uploaded agent to my CAM but Im confused that should my user use web agent first then download the agent over network or he can download Clean agent directly ?Unlike the Clean Access Agent, the Cisco NAC Web Agent is not a "persistent" entity, thus it only exists on the client machine long enough to accommodate a single user session. Instead of downloading and installing an Agent application, once the user opens a browser window, logs in to the NAC Appliance web login page, and chooses to launch the temporal Cisco NAC Web Agent, an ActiveX control or Java applet (you specify the preferred method using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration page) initiates a self-extracting Agent Stub installer on the client machine to install Agent files in a client's temporary directory, perform posture assessment/scan the system to ensure security compliance, and report compliance status back to the NAC Appliance system. During this period, the user is granted access only to the Temporary Role and if the client machine is not compliant for one or more reasons, the user is informed of the issues preventing network access and may do one of the following as mentioned in the below URL:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_cca.html#wp1130212 -
Cisco Clean Access agent for Ipad
My university uses Cisco Clean Access agent for wifi.
I have been able to login using the alotted password through Safari, however the next step is a prompt to download Clean Access Agent.
When I try to download the application, Safari prompts that the file can not be downloaded.
Any suggestions for this problem so that I can use my Ipad at campus.The only things you can download are on the App Store. Check there, but I'm mostly sure that there is no Cisco Clean Agent available for iphone.
Maybe you are looking for
-
You keep trying to get me to update but my grandson's program needs the older version. This last time it just started to up date and so I tried to close it to stop it. The next time I opened it it had the Error message of Platform 1.9.1.9 not compati
-
Is i mac OS 10.5.8 compatible with hp office jet pro 8615e printer
can an imac osx 10.5.8 be compatible with an hpofficejet pro 8615 e printer?
-
I am finishing up a project that has taken me almost 3 years to complete. I was trying to reconnect all my media and when I tried to open the project file I got the above mentioned error. I also couldn't display the TIMELINE, CANVAS, AUDIO METERS or
-
Mackbook pro 10.7.2 lion running too slow!!!
mackbook pro 10.7.2 lion running too slow!!! why ?
-
Is a Miles card right for me?
Hi, I've utilized this forum a long time and reading all the posts and helpful responses has been invaluable, so thank you to everyone for that. I have a specific question that I cannot figure out a clear answer for. Here is all the pertinent informa