ISE 1.3 and Windows Posture Web Agent

Hello,
I am running ISE 1.3 and have an issue running the Posture Web Agent. The client authenticates and gets redirected to the client provisioning portal but gets the following message:
Detecting if Web Agent is installed and running gets ticked and then it keeps rolling at scanning your device. Open Web Agent to check the current status of the system scan and update your system as instructed.
See attached screen shot

Is this issue specific to particular groups of clients/OS types? If using Windows 8, Internet Explorer 10 has two modes: Desktop and Metro. In Metro mode, the ActiveX plugins are restricted. You cannot download the Cisco NAC Agent in Metro mode. You must switch to Desktop mode, ensure ActiveX controls are enabled, and then launch Internet Explorer to download the Cisco NAC Agent. (If users are still not able to download the Cisco NAC Agent, check and enable “compatibility mode.”)

Similar Messages

  • ISE 802.1x and Windows Logoff

    Hi Guys,
    I have an ISE that works fine using 802.1x, but we have strange behavior when the client just logs off the Windows machine: after the client logs in again, the machine does not authenticate and is stuck with the message "not possible to authenticate". Then I need to take the cable off the machine and put it back again; after this everything works fine.
    This happens only when using Windows logoff.
    Could someone help me with it?
    Thanks a lot

    Hi Rik,
    I am using this configuration.
    interface GigabitEthernet3/33
    switchport access vlan 22
    switchport mode access
    switchport voice vlan 23
    ip access-group ACL-DEFAULT in
    logging event link-status
    authentication event fail action next-method
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication violation restrict
    mab
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    dot1x pae authenticator
    dot1x timeout tx-period 10
    qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
    service-policy output AutoQos-4.0-Output-Policy
    The clients are using the NAC Agent as the way to perform posture.
    If I take off the cable and put it back again, everything works fine, but if the client tries to log off and after a time logs in again, the NIC card cannot be authenticated.
    Thanks a lot

  • SCEP on ISE 1.2 and Windows 2003 Server

    Hi there
    Has anyone ever been able to get SCEP on ISE 1.2 working with Windows 2003 Server? I know Cisco recommends Windows 2008 Server onwards, but sometimes the server infrastructure is not yet there.
    Thanks in advance and best regards
    Dominic

    Hmm, good question that I would also like to know the answer to. All of my deployments have been either 2008 or 2012. I believe a long time ago I got it working in my lab with 2003, but then my 2003 server blew up, so when I re-created it I did it with 2008. However, I cannot confirm 100%, and even if it was true it was not in a full production environment. So it would be nice if someone else can chime in here.
    I did come across this though that would suggest that it is supported with some tweaks:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Borderless_Networks/Unified_Access/BYOD_Design_Guide/BYOD_ISE.html
    Windows Server 2003, Microsoft SCEP (MSCEP) required a Resource Kit add-on to be installed on the same computer as the CA. In Windows Server 2008, MSCEP support has been renamed NDES and is part of the operating system. NDES may be installed on a different computer than the CA (http://technet.microsoft.com/en-us/library/cc753784%28WS.10%29.aspx).
    Thank you for rating helpful posts!

  • WLC with ISE as radius and also external web server

    Hi friends,
    I am building a wireless network with a 5508 WLC and trying to use ISE as the radius server and also to redirect the web-login to it.
    I was trying to understand whether, to achieve the external web-login, I need to use the radius-nac option under advanced on the guest wireless where I am trying this out, and if not, where do I actually use it?
    So far what I have understood is that I do need to have a preauth ACL on the Layer 3 security, but the issue is there is no hit reaching the ISE.
    Any suggestions would be highly appreciated, guys!
    Regards,
    Mohit

    Hi mohit,
    Please make sure of the below steps for guest auth through ISE:
    1) Add the WLC in your ISE as a network device.
    2) In the Guest SSID you need to choose the pre-authentication ACL. That ACL should allow the below traffic:
        a. any to ISE
        b. ISE to any
        c. any to DNS server
        d. DNS to any
    3) The external redirect URL will be
    https://ip address:8443/guestportal/Login.action
    4) The AAA server for that SSID would be your ISE IP with port number 1812.
    5) In the advanced tab please choose the AAA override. No need for radius nac.
    6) Create an appropriate authorization profile in ISE for guest. Example is below,

  • DPM 2012 R2 UR2 and Windows 2003 SP2 Agent Version Issue

    Hi All, I have UR2 installed on my DPM 2012 R2 server and have followed Mike's guide on getting them protected:
    http://blogs.technet.com/b/dpm/archive/2014/06/11/details-on-protecting-windows-server-2003-computers-using-data-protection-manager-2012-r2.aspx
    The agents now show in the DPM console but display as needing an update and showing as agent version 4.1.3313.0 instead of 4.1.3441.0, which is odd.
    Servers have:
    .Net 3.5 Sp1 Full
    Visual C++ 2008 Redistributable - x86 9.0.30729.17
    From the DPM server:
    C:\Program Files\Microsoft System Center 2012 R2\DPM\DPM\agents\RA\4.2.1235.0\i386\1033\DPMAgentInstaller_Win2K3_i386.exe
    Executed:
    setdpmserver.exe -dpmservername DPMserverName
    From the DPM server:
    Attach-ProductionServer.ps1 script on the DPM server and refreshed twice
    What have I missed?

    Hi.
    Reboot your 2003 Server
    Run DPM Setup again on Server 2003
    Run setdpmserver.exe again
    click refresh in DPM Server
    worked for me
    Seidl Michael | http://www.techguy.at |
    twitter.com/techguyat | facebook.com/techguyat

  • Web Agent and Clip Board set up for multi user environment

    Hi
    Our environment is
    Database: Oracle8.1.5 on Sun Solaris
    Currently we are not using OAS but a portal server and Apache
    Intermedia Web Agent and Clip Board are working fine.
    The questions are
    1. If there are multiple users (content managers) who would be adding/modifying content in the database, then how can I go about it with Clip Board?
    2. The requirement is that these people should be able to search documents on the basis of keywords. So how do we integrate Intermedia query capabilities on this Clip Board interface?
    3. For production level how do we go about implementing.
    Should we continue to have the ctxsys user and use that itself.
    Thank you for any solutions

    I have NO idea if these "exact problems" pertain to Macs, since I think most of these discussions are about Windows... but, some reading (not all PPro, but I put all the links I have saved, just for general information)
    -see #3 http://forums.adobe.com/thread/771151
    -you may NOT "map" your My Documents folder to a network drive
    -you MUST give all users administrator accounts to use Premiere
    -and especially Encore dual layer http://forums.adobe.com/thread/969395
    -#5 Server 2008 is UNsupported http://forums.adobe.com/thread/851602
    -a work around, of sorts http://forums.adobe.com/thread/957523
    -and not on a "domain" http://forums.adobe.com/thread/858977
    -also PreEl see #5 http://forums.adobe.com/thread/1017199
    -more PreEl problem http://forums.adobe.com/thread/975117
    The solution... some day... may be at this link
    Adobe Anywhere http://www.adobe.com/products/adobeanywhere.html

  • Web agent installation on oracle8.1.7

    Hi,
    I am running an oracle8.1.7 on NT4.0, and trying to install the web agent on the apache (1.3.12 with JServer) coming with the oracle817.
    I downloaded the web agent zip file, and installed the web agent for apache web server. Then I modified the httpd.conf following the instructions in wscape.html.
    After I restarted the web server, I cannot display http://webserver/intermedia/~about.
    Thanks for any suggestion/help.
    wu

    I got it. The agent should be oracle http....

  • Web Agent in 10g OLAP??

    Hi all,
    I was wondering whether the Web Agent component for 10g OLAP is available. From what I can see on the Oracle sites, there is only an install for 9.2.0.4.
    Can someone please confirm, as I am interested in upgrading to the new version to take a look at the newer features available with the AW; however, I require Web Agent.
    Regards,
    Imran

    Hi Imran,
    If you want to run Oracle OLAP Web Agent with the Oracle 10g database, you should install OLAP Web Agent 9.2.1 base version - patch 3467263 on Metalink, and then install Web Agent 9.2.1 patch 1 - patch 3941853 on Metalink. Patch 1 is required for 10g compatibility.
    I will try and ensure that it gets correctly listed for the 10g database.
    We will soon release 9.2.1 Patch 2 with updated Java certificates.
    Regards,
    Aneel Shenker
    Senior Product Manager
    Oracle Business Intelligence

  • Web Agent - MEDIAPUT ORA-3113

    Hi,
    I'm running an 8.1.6 db and using WebAgent on Redhat 6.1.
    I have a running application to upload files into blob columns that usually works well except that from time to time the following error message appears:
    "Oracle interMedia Web Agent
    An error occurred processing your MEDIAGET or MEDIAPUT request
    Error while trying to retrieve text for error ORA-03113"
    I have no idea why I'm getting this error, if I refresh the page then I get the normal MEDIAPUT succeeded message and the document is loaded.
    This is a little disconcerting for my end-users. Does anyone know what is causing this error or where to start looking?
    Many Thanks.
    Niall.

    Hi Niall,
    Unfortunately, the fact that you're not seeing any trace files or
    anything in the alert log isn't giving us much to go on. I'll answer
    your questions first, then list some ideas at the end.
    The error message you are seeing, "MWM-00608: error executing a SQL
    statement", indicates that the Web Agent really is executing a
    statement - it's pretty specific about what it's doing when it has to
    write an error message. For example, if the error were occurring when
    it was trying to connect to the server or start a new database
    session, then you'd see something like "MWM-00546: OCI error attaching
    to database server using service name '%s'" or "MWM-00548: OCI error
    beginning database session using service name '%s'".
    Are there any delay / timeout parameters that should be examined or
    changed?
    The Web Agent doesn't use any timers. It simply issues calls to OCI and
    waits for the response.
    Does the Web Agent try to keep its connection alive from the previous
    upload?
    Yes it does. For database agents defined with a fixed user name and
    password, the Web Agent keeps both the server connection and database
    session active for use in subsequent requests. For database agents
    that do not specify a password, the Web Agent keeps only the server
    connection active between requests. It does this to avoid the overhead
    of creating a new server connection/database session for every
    request, something which would result in a noticeable delay in servicing
    requests.
    The fact that the MEDIAPUT request works immediately after the error
    (upon page refresh) makes me wonder if the server process is not
    coming up fast enough for the Web Agent?
    A page refresh should result in the browser resending the same request
    to the web server. When the web agent gets the request, it will simply
    create a new server connection/database session with which to execute
    the necessary SQL. That is, assuming the request goes to the same
    process. If it goes to a different process, then there may already be
    an existing connection that can be used, or a new connection may be
    created.
    Here are some thoughts as to what might be causing the problem, plus
    some suggestions where I can make any:
    1. The database is being shutdown and restarted without restarting the
    web agent and/or web server. This will cause the error you are
    seeing, because the Web Agent doesn't know the database has gone
    down and will try to use existing sessions when new requests
    arrive.
    If you're using Apache, then you'll need to restart Apache in order
    to restart the Web Agent. If you're using iPlanet Web Server in
    single-process mode, then you can use the Web Agent's on-line admin
    interface to reload the configuration, which will cause the Web
    Agent to shutdown any existing database sessions and server
    connections, then re-read the configuration file. As new requests
    are received, new connections will be established.
    2. Individual database sessions are being killed by something and/or
    someone. Although some documentation I read says that clients
    should get an ORA-00028 error message, when I tried it, I got
    ORA-03113. I didn't see anything in my alert log when I was trying
    it, but there may be settings you can use to enable the logging of
    such actions.
    3. Individual TCP/IP network connections are being killed by something
    and/or someone. I don't know how your web server and database
    server are configured, or what transport they're using, but this
    sort of thing will result in the error you are seeing.
    4. There's some sort of bug in the 8.1.6 server on Linux which results
    in the server consuming virtual memory or some other resource to the
    point that when the resource runs out, it doesn't have enough resource
    to write a trace dump file.
    If this is happening, then it's going to be a case for the support
    folks to look at. One possible way of proving this would be to
    periodically restart the web server or reload the Web Agent
    configuration, so re-initializing all the connections.
    Some other questions that may or may not have a bearing on the issue.
    - How often does this occur? Once a day, once a week, or multiple
    times per day to different users?
    - Which web server are you using?
    - Does it always happen to the empentblobs.empent_doc procedure or
    do other procedures experience problems?
    - What does the empentblobs.empent_doc procedure do, and can it be
    simplified in any way to narrow down the problem?
    That's all I can think of for now. Please let us know if any of this
    helps, or at least helps to point in the right directory.
    Regards,
    Simon

  • Cisco ISE 1.2.x with Posture Configuration - Windows Patches

    Hi, does anybody have any experience in integrating Cisco ISE Posture with Microsoft SCCM?
    With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Does anybody know what is included in the predefined rules pr_WSUSRule and pr_WSUSCheck? I can't find any information in the ISE Console or Cisco documentation.
    Thanks.

    Once the agent performs the posture checks containing the Windows hotfix checks, if the administrator configured the Launch Program Posture Remediation, the agent will launch the script file, which will initiate the Windows hotfix updates via the SCCM client configuration manager pre-installed/pre-configured on the box.

  • Cisco NAC Web Agent + Windows 8

    Hello,
    I'm implementing a Cisco ISE 1.2 and I am having trouble with NAC Web Agent and Windows 8 compatibility.
    Every time I try to install NAC Web Agent in Windows 8, I get the message "Agent User Operating System is Not Supported".
    Following is some information about my environment:
    ISE 1.2 Patch 3
    OS: Windows 8 Enterprise
    IE: 10 (In Desktop Mode w and w/o Compatibility View)
    NAC Web Agent: 4.9.0.1007
    Could you help me ?
    Best Regards,
    Daniel Stefani

    Hi Charles,
    I can download all these files, but I can’t import them into ISE Resources.
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.9.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.9.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.9.tar.gz
    Mac Agent Installation Package for MacOSX
    CCAAgentMacOSX-4.9.3.803.tar.gz
    NAC Agent MST files
    nacagentsetup-mst-4.9.3.5.zip
    NAC Agent MSI Installation file
    nacagentsetup-win-4.9.3.5.msi
    NAC Agent Installation Package
    nacagentsetup-win-4.9.3.5.tar.gz
    The link that you sent me doesn’t have options for Cisco NAC Web Agent.
    But the following one does…
    http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    Best Regards,
    Daniel Stefani

  • Cisco ise 1.1.3 patch 3 and Windows 8

    Hello,
    Cisco NAC Agent does not display on my Windows 8 computer. I have Cisco ISE 1.1.3 and NAC Agent 9.8.0.52. Can you help me?

    I suspect the below listed defect here:
    CSCue41912    Posture : NAC agent not triggering on WIN8.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • My Intermedia Web agent and Clipboard doesn't work!

    Hi, Simon
    I've just downloaded the Intermedia Web agent and Clipboard plugin from OTN a few days ago. But both of them don't work when I install them. Would you please help me look for the reason?
    My operating system is Windows 2000 Professional, my web server is OAS 4.0.8.1, and my database is 8i.
    When I visit these addresses "http://host:port/intermedia/^about" and "http://host:port/intermedia/admin", the browser returns an error page to me.
    When I connect to host in Clipboard, it returns to me an error message which says "The following error was received from the intermedia web agent,<HTML><HEAD><TITLE>Invalid host specified</TITLE></HEAD><BODY>The request did not specify a valid virtual host</BODY>
    I don't know if this web agent can work with OAS 4.0.8.1 and if OAS 4.0.8.1 can run on Windows 2000 Professional.
    Thanks

    Hi, Simon,
    Thank you for your help! I have sent my application information to your product manager by email!
    But the error still appears. When I typed the whole domain name in the host area of Clipboard, the error message changed to "An application error has occured,please try again!". When I typed the addresses "http://My host:port/intermedia/~about" (I have substituted ^ with ~) and "http://My host:port/intermedia/admin", it still returns an error page which says "HTTP 500 Server internal error......" like before!
    Also, I found other errors about OAS. One Application cannot add the second Cartridge; it returns an error:"OWS-09103:Cartridge section'[Application wscWRBApp" when I do it. So I suspect the reason is my operating system platform; I will try to reinstall it now.
    Regards!
    Reemon

  • ISE 1.1.1 Windows NAC client posture checking loop

    Hi all,
    Just upgraded Cisco ISE to 1.1.1 in my lab/demo environment and am now having problems with a basic posture implementation. In short, I connect to a wireless SSID and check posture based on the presence of a file. The NAC agent is declaring my host as compliant and granting full network access; however, about 5 seconds later it checks for requirements again while placing my host in the temporary network access. At this point it states I am compliant again and 5 seconds later scans again. This behaviour does not stop and continues endlessly until I close the wireless connection. I had no problems with this setup on 1.1.
    All logs indicate successful compliance and no errors in terms of compliance. Any ideas would be appreciated.

    Stephen,
    I see that also and that is what I wanted to confirm in the packet capture. I wanted to know a few things:
    on the 1.1.1 unit has it been updated to the perfigo servers? (I assume it has if you are able to deploy the agent and perform the checks but figured I would ask anyways)
    since the status is set to confirm can you compare the two posture reports (when you click on compliant it should take you to the posture report)
    The authorization policy that you have configured for compliant machines, can you please remove it and then readd it and see if that fixes the issue?
    Here is the reference for the following:
    Having the ise node perform the updates - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_client_prov.html#wp1093078
    Here is where you can pull the posture report from both machines - http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1919498
    Hope this helps!
    Tarik Admani
    *Please rate helpful posts*

  • ISE with dot1x and Posture deployment in parallel with certain users

    Hi,
    We want to deploy ISE in sequential order, meaning that I will initially have all users authenticated/authorized with dot1x/MAB etc., then only at certain locations or for certain users have posture condition validation/verification, while others do not.
    Can someone please advise whether this approach is possible? As far as I understand, once you have posture policies in place as an authorization rule, it will hit all the users. This may be possible where you can match the switch or the location as a separate condition, but if all users are spread/mixed we just need to find a simple way to do it, or to know whether it is not possible.

    We have modified the attached policy on rules 04 and 05 (from top) and added a new condition Device location Equal "Switch1". According to this rule, any user connected to Switch1 only does the posture, and when the same user PC connects to any other switch (other than Switch1), it should do only the dot1x/MAB (rule 1-3). But in our case, when the user PC connects to any switch other than Switch1, it hits the ISE default policy (not included in this attachment) and it also pops up the NAC agent and does the posturing.
    Questions:
    - Why is the PC/user not hitting rule 1-3 and going to the default rule?
    - Why is the PC/user doing posture where there's no posture rule being hit?

    Hi,
    First of all, I would assume you configured the PC for machine or user authentication.
    So, when a user connects to the network using other switch but not switch1, it will get 2 hits:
    1. Computer authentication - this PC is part of Domain Computers
    2. Default rule - because you configured (domain) user authentication for dot1x requests that are received only from switch1!
    You haven't specified a rule for domain users alone (with no location condition) and with no posture.
    You have to add something like this:
    1. dot1x + Domain PC
    2. dot1x + Domain User + location + preposture
    3. dot1x + Domain User + location + posture compliant
    4. dot1x + Domain User (and no posture condition)
    To answer your second question, even though you've excepted a certain user from posture, if NAC Agent is installed, it will pop up and it will say that you're compliant, so practically it isn't doing posture
    (http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html)
    Generating a Posture Requirement
    The run-time services requests for the posture requirement for the endpoint by looking up at the role to which the user belongs to and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies through one or more requirements associated with the policies and for each requirement through one or more conditions.
    If you want to roll out posture, you could use exception rules (check the top section of authorization rules) or you could do only posture audit for your rules so that everyone can get network access even though they're not compliant.
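
The rule ordering discussed in the thread above, as an added example that is not part of the original posts and is not ISE configuration syntax: a small model that enumerates sessions and reports which ones fall through to the default rule, before and after adding the location-less user rule. The attribute names, rule names and result labels are hypothetical, and first-match evaluation is assumed.

```python
"""Toy model of first-match authorization rule evaluation (added example).

Attribute names, rule names and result labels are hypothetical, and this is
not ISE configuration syntax. Assumption: the first rule whose conditions
all match is applied, otherwise the default rule.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: dict  # attribute -> tuple of accepted values (all must match)
    result: str       # label of the authorization result (hypothetical)


def evaluate(rules, session):
    """Return (rule name, result) for the first rule matching the session."""
    for rule in rules:
        if all(session.get(attr) in accepted
               for attr, accepted in rule.conditions.items()):
            return rule.name, rule.result
    return "Default", "default-profile"


DOT1X, USER, SW1 = ("dot1x",), ("domain-user",), ("Switch1",)

# Policy as described in the question: user rules exist only for Switch1.
# Pre-posture is modelled as "any status other than Compliant", so a
# NonCompliant user on Switch1 cannot fall through to a later rule.
ORIGINAL = [
    Rule("1 Domain PC", {"method": DOT1X, "identity": ("domain-pc",)},
         "machine-access"),
    Rule("2 User pre-posture",
         {"method": DOT1X, "identity": USER, "location": SW1,
          "posture": ("Unknown", "NonCompliant")},
         "posture-redirect"),
    Rule("3 User compliant",
         {"method": DOT1X, "identity": USER, "location": SW1,
          "posture": ("Compliant",)},
         "full-access"),
]

# Policy from the answer: add a user rule with no location or posture
# condition, placed after the Switch1 rules.
FIXED = ORIGINAL + [
    Rule("4 User, no posture", {"method": DOT1X, "identity": USER},
         "full-access"),
]


def all_sessions():
    """Constructed sample sessions covering every attribute combination."""
    for identity, location, posture in product(
            ("domain-pc", "domain-user"),
            ("Switch1", "Switch2"),
            ("Unknown", "Compliant", "NonCompliant")):
        yield {"method": "dot1x", "identity": identity,
               "location": location, "posture": posture}


def default_hits(rules):
    """List the sessions that no explicit rule covers."""
    return [(s["identity"], s["location"], s["posture"])
            for s in all_sessions()
            if evaluate(rules, s)[0] == "Default"]


if __name__ == "__main__":
    for label, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, "-> sessions falling to the default rule:")
        for hit in default_hits(policy) or ["(none)"]:
            print("   ", hit)
```

Running the same enumeration against a planned rule set before rollout shows which users would land on the default rule, which is where the unexpected posture prompt in the question came from.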
