ISE 1.3 NAC Web Agent for Posture

Similar Messages

• NAC web agent question

  Hi,
  I need to know when can i use the NAC web agent???  is it used for guests or visitors only????
  If i used NAC web agent for guests , can i perform posture assessment for the guest users ( i mean check windows update , AV/AS or certain services)?? or network scanning will be only applied to the guests who are using NAC web agent???? 
  i read the userguide of 4.7.1 of CAM and CAS but i have some conflicts regarding the above topic , so please i need your help.
  Mohamed

  Mohamed,
  You can use it for any kind of users (guest/regular) and can do posture assessment, but no remediation. Remediation requires the full agent. The other limitation is that the web agent is only valid on Windows machines and cannot run on Mac/Linux etc.
  HTH,
  Faisal

• Cisco NAC Web Agent + Windows 8

  Hello,
  I´m implementing a Cisco ISE 1.2 and I am having troubles with NAC Web Agent and Windows 8 compatibility.
  All time that I try install NAC Web Agent in Windows 8, I get the message "Agent User Operating System is Not Supported".
  Follow are some informations about my Environment:
  ISE 1.2 Patch 3
  OS: Windows 8 Enterprise
  IE: 10 (In Desktop Mode w and w/o Compatibility View)
  NAC Web Agent: 4.9.0.1007
  Could you help me ?
  Best Regards,
  Daniel Stefani

  Hi Charles,
  I can download all this files, but I can’t import it in ISE Resourses.
  NAC Agent MST files
  nacagentsetup-mst-4.9.3.9.zip
  NAC Agent MSI Installation file
  nacagentsetup-win-4.9.3.9.msi
  NAC Agent Installation Package
  nacagentsetup-win-4.9.3.9.tar.gz
  Mac Agent Installation Package for MacOSX
  CCAAgentMacOSX-4.9.3.803.tar.gz
  NAC Agent MST files
  nacagentsetup-mst-4.9.3.5.zip
  NAC Agent MSI Installation file
  nacagentsetup-win-4.9.3.5.msi
  NAC Agent Installation Package
  nacagentsetup-win-4.9.3.5.tar.gz
  In this link that you sent me doesn’t have options to Cisco NAC Web Agent.
  But in the follow yes…
  http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest
  Best Regards,
  Daniel Stefani

• Use NAC Web Agent login with Ipad

  Hello Guys,
  I'm using NAC 4.8, and I'd like to login using NAC Web Agent on Ipad.
  When I'm trying to do that, I'm receiving a message on Ipad that I need to install Java Plug-In, but there is no JavaPlug-in available for Ipad.
  Does anyone know if there is any aditional configuration that I have to do on NAC Manager to be able to access the network using NAC Web Login on Ipad ?
  Best Regards

  Hi Luciano,
  Unfortunately, the NAC Web Agent and the persistant Agent are not supported for the iPad operating system. (It is called iOS). The following table documents this fact under footnote 3:
  http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp125630
  Only normal Web Login with Safari browser is enabled.
  Hope this helps.
  -Shrikant
  P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

• Cisco NAC web agent failure

  Is there a list somewhere that shows what the status's mean?  I have a few users getting this error, while others are working fine -
  Failed to download  Cisco NAC Web Agent ( status = -2 ) !
  Thanks!

  For the web agent, there are three error states
  -1 means that it was unable to launch the control at all,
  -2 means it failed to download the agent executable,
  -3 means there was an error running the web agent
  Are you using the Java or ActiveX version of the web agent?  Definitely check the browser settings for both and make sure that it's either allowing or prompting the user for the applets.  If you're using the ActiveX version, you could try forcing the Java version, as most users seem to have more lenient browser settings by default for it.

• ISE - Can't install Web Agent

  Dear guys,
  I have problem in my lab case like sequence below:
  A guest access into internal network, then will be redirect to Guest Portal.
  A guest log in successfully using credential (was created by sponsor account)
  Then, "Client Provisioning" process starts. Base on Client Provisioning policy with OS: Windows 8, guest session will be apply on Web Agent.
  Then Web Agent install and check status process starts. But, in this phase. I got a error like this:
  In Chrome & FF browser: "You will not be allowed to access the network due to internal error. please contact your administrator"
  In IE browser:
  "You will not be allowed to access the network due to internal error. please contact your administrator"
  "Your login session failed! (status = 36) You will have limited network connectivity. Please try disconnecting and reconnecting to the network to start a new connection (or) contact your system administrator if the problem persists"
  In addition:
  I imported certificated (was signed by AD Root CA) into Local Certificates.
  I imported AD Root certificated into Certificate Store.
  I will be grateful for any help you can provide.
  Have a nice day !

  Web agent should handle cert. revocation dialog box similar to Win agent
  CSCsl40626
  Description
  Symptom:
  Revocation failed dialog box keeps popping up on client machine despite of clicking "Yes" button
  Conditions:
  This issue is seen on the client machine performing login either using Windows agent or NAC web agent. The issue happens when the Clean Access Server (CAS) certificate root CA is not listed in the trusted store on the client machine. The issue is known to be reproducible on all flavors of Win XP & Win Vista using Windows or NAC web agent
  Workaround:
  Try selecting Yes. If this does not work you can turn off the security certificates revocation check by changing the options in Internet Explorer IE.
  Use the following procedure to change the option in IE:
  1. Launch IE
  2. From the tool bar, select Tools then Internet Options
  3. Select the Advanced tab
  4. In the Security section, un-check the option "Check for server certificate revocation"
  5. Click on the Apply button
  6. Click on the OK button
  7. Close IE
  8. Try the web login again
  Product:
  Cisco NAC Appliance (Clean Access)
  Known Affected Releases:
  (1)
  4.1(3.6)

• Intermedia web agent for IIS - crashes from time to time

  Hi,
  We have Intermedia images in a table on our Oracle 8.1.6 Database.
  We have a web server (Running IIS 4) and a database server, both running on NT 4 and on two seperated computer but in the same LAN.
  We have installed the Intermedia web agent for IIS and it usually works fine, but every 3 days or so it crashes. On the "ISAPI filters" form of the IIS a red "down arrow" is shown next to the intermedia's DLL.
  I click on "edit", "apply" and "ok" and then I restart the IIS. The filter starts to function again like nothing happened.
  Do you have any idea why it happens?
  This is critical because we can not go "production" without making sure this thing works without crashed.
  Thanks,
  Lior King,
  Internet Dept. manager.
  ImageID Ltd.
  null

  I don't know from the screenshots.  Is there anything in your log files?  /var/log/* that corresponds to the time of the crash?
  Have you considered that it is a hardware problem?  Try running memtest86+ to see if it's bad memory.  Check for SMART errors on your filesystems with smartmontools.
  Last edited by graysky (2011-03-17 01:53:35)

• The Web Agent for IIS will not work

  Environment: NT4 Server, IIS4
  I try to install the Web Agent in use with IIS but IIS fails to load the dll. After the installation I can read the event-log :
  The HTTP server was unable to load the ISAPI Application 'C:\Oracle\Ora81\ord\web\bin\wsciis81.dll'. The data is the error.
  And the Browser gives me:
  A dynamic link library (DLL) initialization routine failed.
  What can be wrong?

  Note: On Windows NT, use \ instead of / to separate file system directory
  paths.
  1. Check the Web Agent's log file.
  Look in <oracle_home>/ord/web/logs for a log file in the form
  wsc_<yyyymmdd>_<pid>.log. If the file exists, review it for errors,
  then take the necessary action to remedy the problem. Possible
  problems that might be logged are non-recoverable errors in the Web
  Agent's configuration file <oracle_home>/ord/web/admin/wsc.cfg. If the
  configuration file or the <oracle_home>/ord/web directory hierarchy
  doesn't exist, then re-do the installation.
  2. Check the Web Agent's "last-chance" error log file.
  If the <oracle_home>/ord/web/logs directory exists, but there are no
  log files, check in the %SystemRoot% directory on Windows NT or the
  /tmp directory on Unix for a file named wsclstch.err. This is the Web
  Agent's "last-chance" error log file. The Web Agent will try to write
  to this file if it encounters a fundamental startup error, such as a
  problem initializing CORE or NLS, creating a log file, or opening its
  message file. If the file exists, review it for errors, then take the
  necessary action to remedy the problem. (In a command window on
  Windows NT, type set SystemRoot to find where the wsclstch.err file
  would be written.)
  3. Check the web server configuration.
  If the Web Agent failed to create either its normal log file or its
  "last-chance" error log file, verify that the Web Agent has been
  configured correctly for the particular web server being used and that
  the web server is running.
  o Microsoft IIS
  Use the Internet Service Manager to verify that IIS has been
  configured correctly for the Web Agent. Review the installation
  and configuration instructions in the wsciis.html or wsciis.txt
  files to verify that the Web Agent has been configured correctly
  and to make any changes or fixes necessary. Check that the filter
  is up and running and that the virtual path has been configured.
  To check the filter, select the web site, then click the
  properties button (or right-click the web site icon). Select the
  Filters tab. The Web Agent should appear in the list with a green
  up-arrow. If it appears with a red down-arrow, check the Windows
  NT event log for any errors relating to the Web Agent. IIS
  doesn't always write detailed error messages. For example, if a
  DLL used by the Web Agent can't be located, then IIS typically
  logs the fact that a load error occurred along with the message
  "the data was the error". Note that the installation and
  configuration instructions describe the case where the filter
  must be installed manually if there were no existing filters
  registered at the time the Web Agent for IIS was installed.
  If the filter looks OK, check the oracle_intermedia_bin virtual
  path by clicking the properties button (or right-click the
  virtual path icon). The path should reference the
  <oracle-home>\ord\web\bin directory, which should contain the
  wsciis81.dll file. In the properties window, select the directory
  security tab, then click the anonymous access and authentication
  control button. Verify that Basic authentication has been checked
  and that Windows NT challenge/response has been cleared.
  To function correctly, the Oracle8i home must be specified
  correctly for IIS. Use the Oracle Home Selector to verify that
  the Oracle8i home is specified as the default home. Use the
  System Control Panel to verify that the Oracle8i home /bin
  directory is specified prior to any other Oracle homes in the
  PATH environment variable.
  null

• Site Minder Web Agent for Weblogic 6.1

  Hello,
  I am installing Netegrity Peoplesoft connector for Weblogic 6.1 on Solaris. For this as a prequisite I need to install a Site Minder Web Agent for Weblogic 6.1. Can anyone tell me from where I can download this ? appreciate your help

  You need to contact Netegrity Sales representative and register for an evaluation.
  KBL
  Sreekumar <[email protected]> wrote:
  Hello,
  I am installing Netegrity Peoplesoft connector for Weblogic 6.1 on Solaris.
  For this as a prequisite I need to install a Site Minder Web Agent for
  Weblogic 6.1. Can anyone tell me from where I can download this ? appreciate
  your help

• Cisco NAC web agent Network Security Policy

  I have a computer with an installed McAfee Antivirus that us up to date. However, each time try to access one of my client's server via VPN, I successfully connect to VPN using Cisco Anyconnnect but whenever I try to download the web agent and the device security check is being run, I get the feedback "Host is not compliant with network security policy". It also tells me a Remediation description of "please update your antivirus". (see attached screenshot)
  Please note that I already have my McAfee antivirus updated and I have done everything to keep my computer in good shape in terms of security.
  What is the possible cause for this?

  That means the CAM hasn't received an SNMP trap for that MAC address.  Double-check that the WLC is set up to send traps to the CAM: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cam/m_woob.html#wp1290626
  You can see if the CAM's received a trap for a specific MAC by looking under OOB Management > Devices > Discovered Clients.

• New version available for Intermedia Clipboard Utility and Web Agent for Oracle9i?

  Hi!
  I have downloaded the files from the OTN website under the
  section "interMedia Clipboard Utility & Web Agent Utility for
  NT". After installing the files, it crashes my Oracle HTTP
  Server on Apache. I am currently testing stuff on Oracle 9i and
  I guess the utility that I downloaded is for Oracle 8i. Is new
  the for Oracle 9i available already? How do I download it?
  Thanks!
  Lily

  Lily,
  The interMedia Clipboard and Web Agent are not supported on
  Oracle 9i. For information on alternatives to the
  Web Agent, please see the interMedia software page on OTN:
  http://otn.oracle.com/software/products/intermedia/content.htm
  The closest equivalent of the Web Agent is the interMedia Code
  Wizard for the PL/SQL Gateway.
  Regards,
  Rajiv

• Intermedia Web Agent for Unix

  Is there also an Intermedia Web Agent available for Oracle Application Server (4.0.8.2) running on Unix
  Regards
  JP

  Hi,
  The Web Agent supports OAS 4.0.8.2 on Solaris only. You can download the latest kit, which is version 8.1.5.4.1, from the following URL: http://otn.oracle.com/software/products/intermedia/software_index.htm
  Simon

• The Web Agent for Apache not working

  Any chances to put the last version of Web Agent (im8154) working with Apache in Linux?
  I4m using a Red Hat 6.2 system with Apache 1.3.12 and I compile the web agent without errors. In the some box I use php40 with Apache and I connect and use my Oracle database in another machine without problem.
  All the enviroment is set (ORACLE_HOME, LD_LIBRARY_PATH, PATH) and I even put the Apache user running as oracle.dba
  The problem is always the some: the Apache don4t find any page (404 in the log) in the /intermedia path. It4s seems that dont fire the web agent module that is compiled (I confirm with httpd -l) into. I can put anything in the httpd.conf in the Intermedia Location section that the symtom is the same: no errors, no logs in ORACLE_HOME/ord/web/log or in the /tmp, nothing at all. Just "Page not Found". But the others Location sections are working like the server-status.
  Any ideias people?
  Fernando Soares

  Any chances to put the last version of Web Agent (im8154) working with Apache in Linux?
  I4m using a Red Hat 6.2 system with Apache 1.3.12 and I compile the web agent without errors. In the some box I use php40 with Apache and I connect and use my Oracle database in another machine without problem.
  All the enviroment is set (ORACLE_HOME, LD_LIBRARY_PATH, PATH) and I even put the Apache user running as oracle.dba
  The problem is always the some: the Apache don4t find any page (404 in the log) in the /intermedia path. It4s seems that dont fire the web agent module that is compiled (I confirm with httpd -l) into. I can put anything in the httpd.conf in the Intermedia Location section that the symtom is the same: no errors, no logs in ORACLE_HOME/ord/web/log or in the /tmp, nothing at all. Just "Page not Found". But the others Location sections are working like the server-status.
  Any ideias people?
  Fernando Soares

• Where can I find 2.1-04 web agent for IIS?

  I think this update will solve one of my problems,
  but where can I find it?

  You have to contact support to get this version, it is not public available AFAIK.
  hth
  Chris

• ISE and WLC for posture remediation

  Please can anybody clarify a few things in relation to ISE and wireless posture.
  1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an ACL to redirect only some traffic to kickoff posture checking?
  2) Can/Should a dACL/wACL be specified as a remediation ACL?
  3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?)
  4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)?
  5) Any other advice or pointers would be helpful too as no docs i have found so far, be it TrustSec2, CiscoLive or anything else, dont seem to help me understand WLC posture and remediation
  thanks
  Nick

  Nick,
  Answers are inline:
  1) Is the ACL-POSTURE-REDIRECT used for remediation, or is it just an  ACL to redirect only some traffic to kickoff posture checking? This is for both (if ports 8905..are included) then this is for initial redirection, and remediation
  2) Can/Should a dACL/wACL be specified as a remediation ACL? Wireless does not support DACL, you will have to reference another ACL in the the authorization policy, the new versions have the Airespace ACL field, where you will have the ACL defined locally on the wlc.
  3) Do the WLC ACLs have to be written in long format (manually specifying source and dest ports/doesny direction any work?) Yes you have to add two entries, for example for all traffic redirection to ise...source = any, destination=iseipadd, source port=any, destination port=any direction=any action=permit
  source=iseipaddr, destination ip = any, source port=any, destination port=any, direction=any action permit. Its not the easiest but I will attach a screenshot that will show you my example.
  4) Does anybody have working example ACLs for posture redirect (cpp) and remediation (dACL)? ISE doesnt support DACLs so when you build your authorization profile in ISE you select the web authentication type (Posture Discovery) after that the ACL field will come up, there you will "call" the posture ACL which is defined on your controller.
  5)  Any other advice or pointers would be helpful too as no docs i have  found so far, be it TrustSec2, CiscoLive or anything else, dont seem to  help me understand WLC posture and remediation Keep in mind that you have to have radius NAC and AAA override enabled under the advanced settings for COA to work.
  You have to turn on COA under the global settings in ISE (Administration > Profiling > Coa Type > Reauth)
  Then you have to build your policies so that when a user connects to the network they are redirected to the download the nac agent (this is where the Posture Discovery and redirect ACL work in tandem).
  Once the client download the nac agent and is compliant the report is forwarded to ISE where a COA event is triggered.
  Then the client will reauthenticate and will hit another policy that will give them access once their machine is compliant, you can set the ACLs for restricted access, use dynamic vlan assignment, or just send the access-accept.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*