Error with GPOs on Cisco NAC

Similar Messages

• Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

  Hi
  My Cisco NAC Agent  (version 4.9.1.682) doesn't work since I upgraded my Mac OS X  4 months ago, This happens every time with CISCO and MAC when there is a new update and it always seems to take forever to fix.
  The NAC agent just keeps asking for my login in details even though there are correct (I can log in with a PC no problem).
  Any update on when a new version is going to be released - Its getting really frustrating?

  I figured out a solution that works you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this :
      Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
      Select Keychain Access -> Preferences from the menu at the top of the screen
      Choose the Certificates tab
      Change the OCSP option from Best Effort to Off
      Close the Preferences dialog and quit Keychain Access
      You should be able to NAC now

• Antivirus scan with nessus plugins on cisco nac

  Hello,
  We plan to use nessus plugins with cisco nac.
  For some users, the computer should have any antivirus installed and updated before it can access network.
  For other users, the computer should have mcafee antivirus installed and updated.
  we tried to use plugins ID  16193 for the 1st check and 12107 for the 2d check.
  We'd like to know if we need to configure credentials under scan option on each computer to check
  if so, how to do if it's a guest's computer and we don't have credentials ?
  For test, a credential was configured (under scan option) for the computers.
  we chose "vulnerable if  hole, warning, info".
  We tried to authenticate from a computer that has no antivirus installed, and from another computer that has mcafee installed but outdated.
  we always get "no vulnerability detected" but when we launch test, it reports mcafee installed but outdated for the 2nd PC, no information for the 1st PC.
  we tried to check if ftp service is running on the computer and it works fine.
  We get notification on user's computer for FTP and client is not allowed to access network, but none for Antivirus (either Mcafee or any antivirus).
  - how to do if we need that user are notified when there's no antivirus installed on his computer or when it is outdated ?
  Any advice is extremelly appreciated.

  You must download and install the appropriate Nessus for your PC.
  After you download the latest plugins from the Nessus site, in the directory (for a Windows install) c:/Program Files/Tenable/Nessus/Plugins you will have a "plugin.tar.gz" file. You must rename or copy this to "plugins.tar.gz".
  Next, in the NAC Manager console, under CLEAN ACCESS -> NETWORK SCANNER -> Plugin Updates, browse to the same folder and pick the "plugins.tar.gz" file. It MUST be named exactly as shown - with the S - to work. Perform the UPLOAD. When finished navigate over to the Scan Setup tab and select All in the Show ___ Plugins dropdown. You should hae around 20,000 of them.
  HTH.
  Jim

• CISCO NAC deployment with ASA for internal servers (DMZ)

  We have deployed cisco ASA for our clients access to DMZ servers few months ago. Now we want to integrate cisco NAC solution without removing ASA
  from infrastructure. What will be the best deployment mode of cisco NAC so that clients can also pass through cisco ASA access list also for filtering before reaching to dmz servers.
  what gateway clients will use. Plz help.
  Should i use Virtual Gateway or Real Gateway for NAC. Client should first come to NAC(CAS) and then through ASA to reach DMZ servers.

  Hello,
  This should work. Please review the attached PDF for more clarity on this topic: https://supportforums.cisco.com/docs/DOC-9102
  HTH,
  Faisal

• Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

  Hi,
       I try to setup SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start Active Directory SSO Service that show error follow below. I saw this error " KDC has no support for encryption type (14)" . Could anyone help me to troubleshoot this problem?
  FQDN: active.test.com
  Domain Name : test.com
  User : ccasso
  2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - Server was not running ...
  2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - Server starting server ...
  2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - Server is now running ...
  2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - SPN : [ccasso/[email protected]]
  2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - building kdc list for domain active.test.com
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - done building kdc list for domain active.test.com
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - KDC(s) :[10.0.240.100]
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - creating login context ...
  2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - GSSServer - created login context ...javax.security.auth.login.LoginCon                                                                           
  text@5ad7b2
  2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer                                                                                           
  - Unable to start server ... KDC has no support for encryption type (14)
  2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - Notifying GSSServer status Stopped
  2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer                                                                                          
  - server is exiting .

  Hi,
  This error means that your DC does not support the encryption method the ACS wants to use.
  Usually this happens when you run 2008 Server with 2003 functionality...
  You will need to run ktpass.exe according to the DC you are running:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
  For Windows 2008 Server at 2003 Server functional level:
  ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
  PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Cisco NAC agent services not running on Windows XP

  Hi,
  I've problem with Cisco NAC agent services on Windows XP professional SP3.
  After first installation using user local administrator, the services of Cisco NAC agent on windows machine running well, but after logout, and login using another user which is registered in domain users, the services of Cisco NAC agent is going to stopped (going to Manual mode not automatic, and the status is stopped).
  This situation is not happened on all windows machines, several machines running well.
  Cisco NAC agent version 4.9.0.42
  Has anyone seen this type of problem?
  Below i attached windows machine information from ones running well and not running, Thanks
  Regards,
  Rian

  Hi thanks for your answers, dbconsole is started in services.msc and also Agent, but goes on to say that the agent is not running.
  In sysman log shows this,
  "03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
  oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
  at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
  at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
  at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
  at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
  at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
  at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
  at
  at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
  at java.lang.Thread.run (Thread.java: 595)
  20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
  In event viewer shows this,
  "Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
  I am using the Administrator account

• Cisco NAC server hang issue

  Hi All Cisco NAC Experts,  I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
  The issue was already happened for few time on the same server and the symptom when NAC server hung includes no response to ICMP ping, no response to SSH request, no response for access request to CAS management page via https, HA pair was detected down from its HA neighbor and triggered failover to secondary CAS.
  The CAS server was recovered after manually power cycle the hardware. 
  After went through the attachment CAS logs, I found all the services and logging service were stopped when the issue happening but unfortunately there is no any suspicious activity was logged down before or during the issue happening.
  I have also tried to search on Cisco Bug Toolkit but no similar case was found, I believe it was not caused by software bug due to the software version 4.8.1 is running in my company for years and only one CAS server having the issue.
  That will be great if any one can help me out for the same.
  Thanks,
  Eric

  Hi Bro
  This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
  If all else fail, then a hardware swap would seem like the next best thing.

• Cisco NAC Web Agent + Windows 8

  Hello,
  I´m implementing a Cisco ISE 1.2 and I am having troubles with NAC Web Agent and Windows 8 compatibility.
  All time that I try install NAC Web Agent in Windows 8, I get the message "Agent User Operating System is Not Supported".
  Follow are some informations about my Environment:
  ISE 1.2 Patch 3
  OS: Windows 8 Enterprise
  IE: 10 (In Desktop Mode w and w/o Compatibility View)
  NAC Web Agent: 4.9.0.1007
  Could you help me ?
  Best Regards,
  Daniel Stefani

  Hi Charles,
  I can download all this files, but I can’t import it in ISE Resourses.
  NAC Agent MST files
  nacagentsetup-mst-4.9.3.9.zip
  NAC Agent MSI Installation file
  nacagentsetup-win-4.9.3.9.msi
  NAC Agent Installation Package
  nacagentsetup-win-4.9.3.9.tar.gz
  Mac Agent Installation Package for MacOSX
  CCAAgentMacOSX-4.9.3.803.tar.gz
  NAC Agent MST files
  nacagentsetup-mst-4.9.3.5.zip
  NAC Agent MSI Installation file
  nacagentsetup-win-4.9.3.5.msi
  NAC Agent Installation Package
  nacagentsetup-win-4.9.3.5.tar.gz
  In this link that you sent me doesn’t have options to Cisco NAC Web Agent.
  But in the follow yes…
  http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
  Best Regards,
  Daniel Stefani

• Installation of Cisco ISE 1.1.4 on Cisco NAC Appliance 3315

  Hi,
  I am re-imaging the Cisco NAC Appliance 3315 and installing the Cisco ISE 1.1.4...
  After finishing the Installation, when i type "SETUP"... It gives me the below Error;
  # ERROR:  INPUT/OUTPUT ERRORS FOUND DURING THE INSTALLATION!        #
  # PLEASE REIMAGE THE APPLIANCE OR VM FROM THE INSTALLATION MEDIA.   #
  Please advise....
  I tried to change the Time/Date as per UTC/GMT accordingly... But, i didn't find the RAID in CLI... see the link below
  (http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_f-installing_on_NAC-AC.html)
  any idea...
  Regards,
  Mubasher Sultan

  Where did you get the recovery media? Did you download from cisco.com?
  Please download the image from CCO and ensure the ISE image is valid by checking the MD5 checksum of the downloaded image is matching to CCO image.You will then need to burn this ISO image onto bootable DVD.
  Supporting link:
  http://www.cisco.com/en/US/docs/security/ise/1.1/installation_guide/ise_ins.html#wp1134146
  Jatin Katyal
  - Do rate helpful posts -

• Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

  Hi All,
  We have posture assessment working with cisco Nac agent. Checking only symantec Antivirus def update and installation. Since there is windows defender in all the user pcs and turned off not in use. But cisco Nac agent is showing both windows defender and symantec in List of Antivirus & Anti-Spyware Products Detected by the Agent field. We dont want windows defender to show in this list.
  Anyone encountered this list before?? Please suggest.. I want to get rid of windows defender from this list in nac agent.

  Closest enhancement I could check on this is
  CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
  Currently Windows Defender AnitSpyware comes installed on all Windows 7 machines.  Many users disable this and install their own AntiSpyware product.  Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
  This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

  We have this problem with on of our clients:
  "Cisco NAC Agent is having a difficulty with the server. Agent user operation system
  is not supported".
  Anyone encounter this problem ?
  thanks.

  Hi Tarik,
  We have:
  Cisco Clean Access Server   Version 4.9.0
  Cisco Clean Access Lite Manager   Version 4.9.0
  I can see Your point now,  that I should start from upgrading to 4.9.1.
  Let me do  that, and see if it helps.
  thanks  very much, I will keep You posted.

• Cisco NAC: AV Defination Update Scenario !!!

  Hi,
  I just want to brain storm for this scenario to keep check the AV defiantion rule & requirement !!!
  I am using the Cisco NAC (4.8.2.3).... NAC updates are working fine and configured.
  My customer is using the Trend Micro OfficeScan AV (Ver = 10.5). I have configured the AV installation rule & requirement & mapped to the role. I wanted to check the 15 Days older AV Defnations. Configuration seems working fine.
  But, the issue is that, Cisco NAC Agent is showing the "Installed" Defination Date which is different for the each users. The showing date is the one, when they installed the AV on users. So, the users are getting failed to fullfil the 15 days older virus definations. When, i change the 15 days to e.g., 150 days to let th users fulful the requirement, then it works fine.
  The AV console is showing the right date on its software. I also found some registry keys which is keep updating & showing the latest date for AV defiantion date. I can use them but then it would need the administration to change it manually after each 15 days. But, i want to keep it automatic.
  how can we change in cisco nac agent to check the specified registry key???
  Please advise..
  BR,
  Mubasher Sultan

  Yes Correct,... Manuall update of antivirus when the PC is in quarantine state is working...it updates, but same the NAC agent is not triggering the antivirus update,
  Ok thanks Nicolas, i think i have to open TAC case for this issue.
  One thing more, does it has anything to do with av-posture-pack-win-3.4.16.1.tar.gz ??
  should i update this module ???

• Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

  Hi,
  I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
  1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
  2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
  3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
  Please, give me some advice.
  Thanks in advance,
  Mladen

  Thanks for the reply, but still I am a bit confiused (would you please try to answer the questions?):
  1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
  2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
  3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
  I refer to
  "Implementing Network Admission Control Phase One Configuration and Deployment";
  "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
  Thanks in advance,
  Mladen

• Cisco NAC AD SSO

  Hi,
  I need help with configuring CASUser Account for NAC AD SSO in a multidomain enviorment.
  We have two child domain (based on region) say A & B. We have created the casuser account in domain A. If a user from Domain A login, everything works fine and they are authenticated.
  But the problem starts if some one from domian B tries to login - they are authenticated by AD (checked through kerbtray and net time \set (can't see ticket for casuser account)....the NAC agaent keeps on prompting for username & password.
  Domain: Windows 20003
  Domain functional level: Windows 2000 native
  Cisco NAC Agent: Version : 4.8.0.32

  Hi Sanjeev,
  I was implemented the Cisco NAC in a multi domain environment and works fine until the customer add third AD server on Windows 2008.
  Do you verify that the created user CASUSER is visible on domain B?
  The CASUSER in my opinon must be created on root domain and will be broadcasted to domains A&B.
  Do you used LDAP user mapping to roles?
  Do you tested that was created user in domain B and verify in site A? It's the simple test for what you want to do.
  Which version Cisco NAC have you got?
  Kamil

• Cisco NAC web agent failure

  Is there a list somewhere that shows what the status's mean?  I have a few users getting this error, while others are working fine -
  Failed to download  Cisco NAC Web Agent ( status = -2 ) !
  Thanks!

  For the web agent, there are three error states
  -1 means that it was unable to launch the control at all,
  -2 means it failed to download the agent executable,
  -3 means there was an error running the web agent
  Are you using the Java or ActiveX version of the web agent?  Definitely check the browser settings for both and make sure that it's either allowing or prompting the user for the applets.  If you're using the ActiveX version, you could try forcing the Java version, as most users seem to have more lenient browser settings by default for it.