Error with GPOs on Cisco NAC
I have Cisco NAC deployed in-band; all PCs had the CCA Agent deployed via a GPO before the migration. Now that all the systems are behind NAC in-band, none of the systems will process GPOs, machine or user policies. I have the unauthenticated role allowing all traffic to all the domain controllers, but with no luck. If I move the PC to a VLAN that is not trunked to the CAS, the GPOs process with no problem. Any ideas?
I think the ports list in the CAS Manual is not complete. Try this list of ports from the CAM Manual chapter "User Management: Traffic Control, Bandwidth, Schedule":
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
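As an added example (not from the thread or from Cisco), this Python helper parses policy lines in the format quoted above, reports which of the CAM-manual ports a current role policy lacks, and can test TCP reachability of a domain controller from a client sitting in that role. The "current policy" text is constructed sample input; the DC hostname passed to tcp_reachable is whatever you choose.

```python
import re
import socket

# Policy lines in the "Allow <proto> <src>:<port> <dst>/<mask>: <port>" form
# used on the CAM traffic-control page, as quoted in the reply above.
POLICY_RE = re.compile(
    r"^(Allow|Block)\s+(TCP|UDP)\s+(\S+):(\S+)\s+(\S+)/(\S+):\s*(\d+|\*)$")

# Reference list from the CAM manual chapter, embedded as sample input.
CAM_MANUAL_POLICY = """\
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
"""

# Constructed example of an unauthenticated-role policy that only opened
# Kerberos and LDAP over TCP (the kind of gap that leaves GPOs unprocessed).
CURRENT_POLICY = """\
Allow TCP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
"""

def parse_policy(text):
    """Return the set of (proto, dst_port) pairs that the policy allows."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised policy line: {line!r}")
        action, proto, _src, _sport, _dst, _mask, dport = m.groups()
        if action == "Allow":
            allowed.add((proto, dport))
    return allowed

def missing_rules(current_text, reference_text=CAM_MANUAL_POLICY):
    """Rules the reference list has that the current role policy lacks."""
    missing = parse_policy(reference_text) - parse_policy(current_text)
    return sorted(missing, key=lambda r: (r[0], int(r[1])))

def tcp_reachable(dc_host, ports, timeout=2.0):
    """From a client in the role, check which DC TCP ports actually connect.
    UDP (Kerberos/LDAP) cannot be tested this way; check the CAS policy for it."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((dc_host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results

if __name__ == "__main__":
    for proto, port in missing_rules(CURRENT_POLICY):
        print(f"missing: Allow {proto} *:* Server/255.255.255.255: {port}")
```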
Similar Messages
Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4
Hi
My Cisco NAC Agent (version 4.9.1.682) doesn't work since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
Any update on when a new version is going to be released? It's getting really frustrating.
I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
Select Keychain Access -> Preferences from the menu at the top of the screen
Choose the Certificates tab
Change the OCSP option from Best Effort to Off
Close the Preferences dialog and quit Keychain Access
You should be able to NAC now.
Antivirus scan with nessus plugins on cisco nac
Hello,
We plan to use nessus plugins with cisco nac.
For some users, the computer should have any antivirus installed and updated before it can access network.
For other users, the computer should have mcafee antivirus installed and updated.
We tried to use plugin ID 16193 for the 1st check and 12107 for the 2nd check.
We'd like to know if we need to configure credentials under scan option on each computer to check
if so, how to do if it's a guest's computer and we don't have credentials ?
For test, a credential was configured (under scan option) for the computers.
we chose "vulnerable if hole, warning, info".
We tried to authenticate from a computer that has no antivirus installed, and from another computer that has mcafee installed but outdated.
we always get "no vulnerability detected" but when we launch test, it reports mcafee installed but outdated for the 2nd PC, no information for the 1st PC.
we tried to check if ftp service is running on the computer and it works fine.
We get notification on user's computer for FTP and client is not allowed to access network, but none for Antivirus (either Mcafee or any antivirus).
- how to do if we need that user are notified when there's no antivirus installed on his computer or when it is outdated ?
Any advice is extremely appreciated.
You must download and install the appropriate Nessus for your PC.
After you download the latest plugins from the Nessus site, in the directory (for a Windows install) c:/Program Files/Tenable/Nessus/Plugins you will have a "plugin.tar.gz" file. You must rename or copy this to "plugins.tar.gz".
Next, in the NAC Manager console, under CLEAN ACCESS -> NETWORK SCANNER -> Plugin Updates, browse to the same folder and pick the "plugins.tar.gz" file. It MUST be named exactly as shown - with the S - to work. Perform the UPLOAD. When finished, navigate over to the Scan Setup tab and select All in the Show ___ Plugins dropdown. You should have around 20,000 of them.
HTH.
Jim
CISCO NAC deployment with ASA for internal servers (DMZ)
We deployed a Cisco ASA for our clients' access to DMZ servers a few months ago. Now we want to integrate the Cisco NAC solution without removing the ASA
from the infrastructure. What will be the best deployment mode of Cisco NAC so that clients can also pass through the Cisco ASA access list for filtering before reaching the DMZ servers?
What gateway will clients use? Please help.
Should I use Virtual Gateway or Real Gateway for NAC? Clients should first come to NAC (CAS) and then go through the ASA to reach the DMZ servers.
Hello,
This should work. Please review the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
HTH,
Faisal
Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO
Hi,
I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64-bit, but I can't start the Active Directory SSO Service; it shows the error below. I see this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
FQDN: active.test.com
Domain Name : test.com
User : ccasso
2011-02-05 12:00:30.225 +0700 WARN com.perfigo.wlan.jmx.adsso.GSSServer
- Server was not running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server starting server ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server is now running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/[email protected]]
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - done building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: writing to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - creating login context ...
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- server is exiting .
Hi,
This error means that your DC does not support the encryption method the ACS wants to use.
Usually this happens when you run 2008 Server with 2003 functionality...
You will need to run ktpass.exe according to the DC you are running:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
For Windows 2008 Server at 2003 Server functional level:
ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
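The reply's fix is to regenerate the CAS keytab with ktpass. As an added example (not from the thread or from Cisco), this Python parser reads the keytab file ktpass writes and lists each entry's principal, kvno and encryption type, so you can confirm which enctype the CAS will ask the KDC for before restarting the SSO service. The sample keytab is constructed in the block with dummy key bytes, the SPN from the log and an assumed realm TEST.COM.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757); others are shown by number.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}

def _counted(buf, off):
    """Read a 16-bit-length-prefixed byte string (keytab counted octet string)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n

def parse_keytab(data):
    """Parse a format-0x0502 keytab (the format ktpass -out produces)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:               # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        _key, off = _counted(data, off)
        vno = vno8
        if end - off >= 4:         # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "enctype": etype, "kvno": vno,
            "enctype_name": ENCTYPE_NAMES.get(etype, f"enctype-{etype}"),
        })
        off = end
    return entries

def _cstr(b):
    return struct.pack(">H", len(b)) + b

def build_entry(principal, realm, etype, key, kvno):
    """Serialise one keytab entry; used here only to construct sample input."""
    comps = principal.encode().split(b"/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts 0, vno8
    body += struct.pack(">H", etype) + _cstr(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: SPN from the log, assumed realm, one RC4 key of dummy bytes.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("ccasso/active.test.com", "TEST.COM", 23, b"\x11" * 16, 3)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']}  kvno={e['kvno']}  {e['enctype_name']}")
```

To inspect a real file, pass the bytes of the ktpass output to parse_keytab and compare the listed enctypes with what the DC's functional level supports.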
Cisco NAC agent services not running on Windows XP
Hi,
I have a problem with the Cisco NAC agent services on Windows XP Professional SP3.
After the first installation using the local administrator user, the Cisco NAC agent services on the Windows machine run well, but after logging out and logging in with another user that is registered in Domain Users, the Cisco NAC agent service stops (it goes to Manual startup mode instead of Automatic, and the status is Stopped).
This does not happen on all Windows machines; several machines run well.
Cisco NAC agent version 4.9.0.42
Has anyone seen this type of problem?
Below I attached Windows machine information from ones running well and not running. Thanks
Regards,
Rian
Hi, thanks for your answers. dbconsole is started in services.msc and also the Agent, but it goes on to say that the agent is not running.
In sysman log shows this,
"03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
at
at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
at java.lang.Thread.run (Thread.java: 595)
20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
In event viewer shows this,
"Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
I am using the Administrator account.
Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
The issue has already happened a few times on the same server. The symptoms when the NAC server hung include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via HTTPS, and the HA pair being detected as down from its HA neighbor, which triggered failover to the secondary CAS.
The CAS server recovered after manually power-cycling the hardware.
After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
I have also tried searching the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, since software version 4.8.1 has been running in my company for years and only one CAS server has the issue.
It would be great if anyone can help me out with this.
Thanks,
Eric
Hi Bro
This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
If all else fails, then a hardware swap would seem like the next best thing.
Cisco NAC Web Agent + Windows 8
Hello,
I'm implementing Cisco ISE 1.2 and I am having trouble with NAC Web Agent and Windows 8 compatibility.
Every time I try to install NAC Web Agent on Windows 8, I get the message "Agent User Operating System is Not Supported".
Following is some information about my environment:
ISE 1.2 Patch 3
OS: Windows 8 Enterprise
IE: 10 (In Desktop Mode w and w/o Compatibility View)
NAC Web Agent: 4.9.0.1007
Could you help me?
Best Regards,
Daniel Stefani
Hi Charles,
I can download all these files, but I can't import them in ISE Resources.
NAC Agent MST files
nacagentsetup-mst-4.9.3.9.zip
NAC Agent MSI Installation file
nacagentsetup-win-4.9.3.9.msi
NAC Agent Installation Package
nacagentsetup-win-4.9.3.9.tar.gz
Mac Agent Installation Package for MacOSX
CCAAgentMacOSX-4.9.3.803.tar.gz
NAC Agent MST files
nacagentsetup-mst-4.9.3.5.zip
NAC Agent MSI Installation file
nacagentsetup-win-4.9.3.5.msi
NAC Agent Installation Package
nacagentsetup-win-4.9.3.5.tar.gz
The link that you sent me doesn't have options for Cisco NAC Web Agent.
But the following one does:
http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
Best Regards,
Daniel Stefani
Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315
Hi,
I am re-imaging the Cisco NAC Appliance 3315 and installing Cisco ISE 1.1.4...
After finishing the installation, when I type "SETUP", it gives me the error below:
# ERROR: INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION! #
# PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA. #
Please advise....
I tried to change the Time/Date as per UTC/GMT accordingly... But I didn't find the RAID in the CLI... see the link below
(http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
Any idea...
Regards,
Mubasher Sultan
Where did you get the recovery media? Did you download it from cisco.com?
Please download the image from CCO and ensure the ISE image is valid by checking that the MD5 checksum of the downloaded image matches the CCO image. You will then need to burn this ISO image onto a bootable DVD.
Supporting link:
http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
Jatin Katyal
Do rate helpful posts
Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "
Hi All,
We have posture assessment working with the Cisco NAC agent, checking only Symantec Antivirus definition updates and installation. Windows Defender is present on all the user PCs but turned off and not in use. But the Cisco NAC agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
Has anyone encountered this before? Please suggest. I want to get rid of Windows Defender from this list in the NAC agent.
The closest enhancement I could find on this is
CSCts34764 NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date. Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
~BR
Jatin Katyal
**Do rate helpful posts**
Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683
We have this problem with one of our clients:
"Cisco NAC Agent is having a difficulty with the server. Agent user operation system is not supported".
Has anyone encountered this problem?
Thanks.
Hi Tarik,
We have:
Cisco Clean Access Server Version 4.9.0
Cisco Clean Access Lite Manager Version 4.9.0
I can see your point now, that I should start by upgrading to 4.9.1.
Let me do that, and see if it helps.
Thanks very much, I will keep you posted.
Cisco NAC: AV Definition Update Scenario !!!
Hi,
I just want to brainstorm this scenario to keep checking the AV definition rule & requirement !!!
I am using Cisco NAC (4.8.2.3).... NAC updates are working fine and configured.
My customer is using Trend Micro OfficeScan AV (Ver = 10.5). I have configured the AV installation rule & requirement and mapped them to the role. I wanted to check for AV definitions older than 15 days. The configuration seems to work fine.
But the issue is that the Cisco NAC Agent is showing an "Installed" definition date which is different for each user. The date shown is the one when the AV was installed on the user's machine. So the users are failing to fulfil the "15 days older virus definitions" requirement. When I change the 15 days to e.g. 150 days to let the users fulfil the requirement, then it works fine.
The AV console is showing the right date in its software. I also found some registry keys which keep updating & showing the latest date for the AV definition date. I can use them, but then the administrator would need to change it manually every 15 days. But I want to keep it automatic.
How can we change the Cisco NAC agent to check the specified registry key???
Please advise..
BR,
Mubasher Sultan
Yes, correct... Manual update of the antivirus when the PC is in quarantine state is working... it updates, but still the NAC agent is not triggering the antivirus update.
Ok thanks Nicolas, I think I have to open a TAC case for this issue.
One thing more, does it have anything to do with av-posture-pack-win-3.4.16.1.tar.gz ??
Should I update this module ???
Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus
Hi,
I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
Please, give me some advice.
Thanks in advance,
Mladen
Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
I refer to
"Implementing Network Admission Control Phase One Configuration and Deployment";
"Network Admission Control Software Configuration Guide - Information About Network Admission Control".
Thanks in advance,
Mladen
Hi,
I need help with configuring the CASUser account for NAC AD SSO in a multi-domain environment.
We have two child domains (based on region), say A & B. We have created the casuser account in domain A. If a user from Domain A logs in, everything works fine and they are authenticated.
But the problem starts if someone from domain B tries to log in - they are authenticated by AD (checked through kerbtray and net time \set; can't see a ticket for the casuser account)....the NAC agent keeps on prompting for username & password.
Domain: Windows 20003
Domain functional level: Windows 2000 native
Cisco NAC Agent: Version : 4.8.0.32
Hi Sanjeev,
I implemented Cisco NAC in a multi-domain environment and it worked fine until the customer added a third AD server on Windows 2008.
Did you verify that the created user CASUSER is visible in domain B?
The CASUSER in my opinion must be created in the root domain and will be broadcast to domains A & B.
Did you use LDAP user mapping to roles?
Did you test creating the user in domain B and verifying it in site A? It's the simplest test for what you want to do.
Which version of Cisco NAC have you got?
Kamil
Is there a list somewhere that shows what the statuses mean? I have a few users getting this error, while others are working fine:
Failed to download Cisco NAC Web Agent ( status = -2 ) !
Thanks!
For the web agent, there are three error states:
-1 means that it was unable to launch the control at all,
-2 means it failed to download the agent executable,
-3 means there was an error running the web agent
Are you using the Java or ActiveX version of the web agent? Definitely check the browser settings for both and make sure that it's either allowing or prompting the user for the applets. If you're using the ActiveX version, you could try forcing the Java version, as most users seem to have more lenient browser settings by default for it.