NAC 4.7 "CAS unavailable" temporary role

I have a VGW, OOB with Layer 3 enabled pilot deployment right now. Everything looks fine. However, about
30% of the time (and it's increasing) when I log on using the 4.7 agent, the agent will give me the error that the CAS is unavailable on the network. When I check the CAM, the user can be viewed on the monitoring tab, in-band and placed in the temporary role (highlighted quarantined).
When I kick the user, more often than not, the user can log back in and it places him in the OOB role that he is assigned to and all works fine.
core switch -----------cas/cam
     |
distribution switch
     |
End user switch---------end user pc
Any ideas as to why, when placed in the temp role and transitioning to the authenticated role, it would lose contact? And why would it be placed in the in-band section of the monitoring online users?

The CN name on the CAS was indeed wrong. The IP address was that of the CAM.
However, that still hasn't fully fixed the problem.
I took all the checks away from the auth role assigned and it seems to fix the problem.
Yes, Faisal, all the endpoints are Layer 2, no hops in between. I have a 6509E as the core switch. Each VLAN on the switch, apart from the Auth VLANs, has an SVI.
i.e. on the core switch:
interface GigabitEthernet2/28
 description trusted
 no ip address
 switchport
 switchport trunk native vlan 997
 switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298
 switchport mode trunk
! >>> 5,100,110,...,298 are the Access VLANs
interface GigabitEthernet2/29
 description untrusted
 no ip address
 switchport
 switchport trunk native vlan 996
 switchport trunk allowed vlan 9,10,20,30,40,50,60,400
 switchport mode trunk
! >>> 9,10,20,...,400 are the Auth VLANs
Example SVI for access VLANs:
interface Vlan110
 description StaffLowerPT
 ip address 1.1.1.1 255.255.255.0
 ip helper-address 1.1.1.4
 ip pim sparse-dense-mode
 ipx network 8
There are no SVIs for the auth VLANs.
I remember reading somewhere that if no checks are done (i.e. if the agent is not running any rules on it) then it moves straight from authentication (phase 1) to the authenticated role (phase 3) without ever hitting the temp user role. Could it be that a rule would cause the CAS to become unavailable if it could not remediate?
I have an AV check rule, and two SUS/WSUS rules.

Similar Messages

  • NAC 4.7.1 L3 OOB - Temporary Role bugs ?

    Hi
    We have a L3 OOB routed gateway configuration (with redundant CAS and CAM), We are currently running 4.7.1 on the appliances and the agent is 4.7.10.
    We have experienced two problems:
    1. On several occasions we can abort a valid logon, but can still be allowed access to the network 'silently' ;
    a - without any indication on the CAM i.e. no online users, no certified devices
    b - the switch is still in the 'unauthenticated vlan' and the
    c - ip address of the client is on the 'untrusted' subnet.
    d - the 'unauthenticated' policy DOES NOT ALLOW web traffic.
    It would seem that the user is able to trick the system by aborting the logon with the agent i.e. closing the window etc, (the login credentials are
    correct and posture fails on an optional check and so amber) but the system DOES NOT show the user at all.
    The Temporary role does allow full access, if I disable the policy rule the traffic is stopped.
    The problem is there is no indication of this user on the system at all, this happens a couple of times a week.
    2. When a user is genuinely placed into a TEMPORARY role (as indicated by the system, note: not the same as above),
    about 50% of the time communication is blocked even though the policy allows it (repeated challenges by NAC).
    Close the agent and do it the second time and it will work.
    I think the symptoms are related as they both seem to be related to the usage of the TEMPORARY ROLE - has anyone else seen this bug?

    Hi,
    You said not to configure a quarantine VLAN, but by the time the users get connected, how is the process going to work for the authentication (quarantine) and access VLAN? I mean, how is it going to perform the NAC process, and how do I control what happens if it fails (not in compliance) or if it succeeds?
    It seems that version 4.9(1) has the integration, but it is not so clear:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_woob.html#wp1139585
    What versions were you running in your deployment?

  • NAC Temporary Role

    Folks, I am configuring the NAC CAM 4.7.1 and I created two roles, Employ1 and Employ2, but when those roles go into posture assessment with CCAA (Clean Access Agent) I saw that role Employ1 falls into the Temporary role and Employ2 falls into the Unauthenticated role. I don't know why that difference.
    I want to put each profile with a specified quarantine role. How can I do this?
    Thanks a lot

    Hi Faisal,
    thanks for your attention.
    Well, I saw that when I put requirements on Employ1, for example a WSUS requirement, and the client needs to update, that client falls into the Unauthenticated role, while Employ2 with the same WSUS requirement falls into the Temporary role.
    This way I had to generate ACLs in both roles Unauthenticated role and temporary role.
    thanks

  • Cisco NAC - How know why a machine is in Temporary Role?

    Hello,
    In our environment, workstations that do not conform with the requirements remain under the Temporary Role until the remediation is done.
    In Event Logs I see that the Workstation is just under Temporary Role, but do not know why it is in Temporary Role.
    How can I see this information?
    Ex:
    Authentication
    2011-01-21 11:12:26
    [00:21:9B:37:00:F0 ## x.x.x.x] user@domain - Successfully logged in temporary role, Provider: ADSSO, L2 MAC address: 00:21:9B:37:00:F0, Role: Temporary Role, OS: Windows XP Pro/Home
    Thanks
    Daniel Stefani

    Hi Daniel,
    you can check the info about this user/machine on the NAC agent reports:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_report.html#wp1481407
    There you get details about what checks failed on the client during the posture assessment phase.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • How to get Clean Access (NAC) reports about users stuck in the Temporary role?

    I am using Clean Access 4.7.2.
    If a user does not meet a requirement and is unable to remediate, he is stuck in the Temporary role.
    I checked "Device Management > Clean Access > Reports" but this does not show any user with failed status with a red flag.
    The report shows successful connections with a green flag only.
    How can I obtain report on the CAM about failed checks?
    Thanks
    Csaba

    We had this problem and were told to press Cancel (and then confirm) in the top right corner of the Agent after failing posture assessment. When we did that, the complete report showed up in CAM within seconds and could then be used to manually remediate the machine.
    Hope that helps!

  • OIM 11g support for Temporary roles with expiration date

    Dear All,
    Is there a support provided for temporary roles in OIM 11g?
    If not, what is the recommendation as for implementation?
    Kind regards
    Maria Adair

    I'm also interested if someone has any recommendation as for how to implement such a feature. Anyone has any ideas?

  • NAC 4.7 CAS web login page url generation

    We have had third part certs generated for the CAS and the CAM and these have installed OK, along with the relevant root and intermediate certificates, and the CAS/CAM are communicating fine.
    However, when a user is redirected to the authentication page, the URL generated is using the CN from the certificate:
    https://al-nac.sitename.local.companyname.co.uk/auth/perfigo.......etc.
    However the machine cannot resolve the url.
    We cannot add dns entries for this url, we only administer the sitename.local domain.
    Is there a way for the CAS to request the user to access a URL via an IP address?
    If I requested a new certificate, but used the IP address instead of the machine name, would the authentication page be referenced by this?
    Regards
    Tony

    I'll give our certificate issuer a call this morning; however, I'm sure they mentioned in the past they need a resolvable name to generate the certificate?
    As when we asked for certificates for al-nam.sitename.local they have been unable to generate them, hence the CN=al-nac.sitename.local.company.co.uk
    Is this the same for generating certificates against IP addresses?
    Regards
    Tony

  • NAC 4.9 CAS inband with ASA 8.6

    We are working on a new deployment. The user logs in, the agent pops, and posture assessment happens. The screen for posture assessment closes at the test laptop. It acts like all is working. When we look at the in-band user it shows as not having transitioned from the auth to the access VLAN. This is a simple install and the VLAN mapping is definitely there. Ideas?

    Steve,
    Here is a configuration guide for the ASA to CAS; it's not the latest and greatest but this should work:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    When referring to L2 and L3 adjacent, this is different with respect to VGW and RIP.
    L2 and L3 refer to how the clients are positioned with respect to the CAS (not the CAM): are they being routed to the CAS untrusted interface, or are they available on a VLAN that the CAS can be a part of?
    VGW and RIP refer to the operation of the CAS. This is similar to the operation of the ASA when it comes to transparent vs. routed mode (you can use both on the same CAS): VGW bridges the two networks together, and RIP routes the traffic around and requires static routing since the CAS does not support dynamic routing protocols.
    You can use VGW by setting the group policy to route all tunneled traffic to an ip that is present on the trusted side of the CAS, also you can use the vlan attribute in the group-policy configuration to assign the remote users to a vlan which forces their traffic to flow through the CAS.
    http://cisconac.blogspot.com/2007/07/vpn-deployments-with-asa-80.html
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Installing second Exchange server 2010 with all roles (CAS, HT and MB) in the same domain?!

    Dear all,
    first of all thanks for reading this topic :-)
    In our environment, we have an Exchange 2010 server (Version: 14.01.0438.000), which is installed with all server roles (CAS, HT and MB) on one server (OS is Windows Server 2008 R2 Enterprise). This Exchange server sends all external mails to a smarthost (Redddox).
    We are using Outlook Anywhere, ActiveSync and OWA.
    Now, we need to migrate this Exchange server to another one, because we think that the server's OS is corrupt and also there are wrong licenses installed. The "new" server will have the same OS version and Exchange version (2010).
    Currently I'm a little afraid to install a new one, because I think when I install the CAS and HT role, something will happen in my productive environment (Autodiscover, SMTP Connectors, Certificates and so on).
    To install the mailbox role, I think this will not affect anything.
    Can you help me a little bit in what to take care of? Do I need to preconfigure something, before I will install the second exchange? What about the version / service pack of Exchange to install? Must it be the same as installed on the first one?
    Any help would be appreciated!
    Jennie

    Hi Jennie,
    Below are the steps if you are not planning to upgrade.
    1) Install the new Exchange 2010 SP3 server with all roles. Please check this
    2) Install the certificate on the new server by requesting a duplicate from the 3rd-party CA, or export it from the existing Exchange 2010 and import it to the new one. Please check this
    3) Set your Autodiscover, OAB, ECP and OWA URLs the same as the current Exchange. The articles below will help you to do that.
    For OAB, Autodiscover and EWS please check steps 5, 6, 7 in this
    For setting OWA and ECP URLs please check this.
    4) Move a few mailboxes as a test and check. If there are no errors, move the rest.
    5) Move your OAB generation server to the new server. Please check this
    6) Move your public folder contents to the new server you have. Please check this
    7) Configure your firewall to receive emails on the new server and other services like EWS, OWA, ActiveSync.
    8) Add the new server as the source server in the current send connector and remove the old server from the send connector.
    Shut down the server for a couple of days and monitor, so you will know if you missed something.
    Uninstall Exchange 2010 from Add/Remove Programs.
    Thanks, MAS
    Please mark as helpful if you find my comment helpful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

  • Exchange server 2010 Hub-Cas server role remove from organization

    Dear all,
    I am going to remove one of my Hub/CAS servers (both roles installed on the same server) from my organization.
    The CAS server is configured into a CAS array. So could anyone please guide me on how to remove it safely?
    Parthiban selvaraj

    Hi,
    From your description, I would like to clarify the following thing:
    If you use NLB, you need to remove the CAS server from your NLB cluster and then remove this CAS&Hub server. If you use other sort of load balancer, you need to use it to remove the server from the CAS array and then remove the server.
    Hope it helps.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Installing and configuring NAC/CAM/CAS/COLLECTOR

    Hi everybody,
    I have been new to this community and I just joined this.
    I need some help regarding the Cisco NAC Profiler.
    I have 3 Cisco NAC appliances as below.
    1. 3355
    2. 3315
    3. 3315.
    My question is that when I power on these devices, CAS is pre-configured in them, but I have to install Profiler, CAS, CAM.
    I have 5 Cisco hardware devices in total, which are as follows.
    1. CISCO NAC 3355.
    2. CISCO NAC 3315
    3. CISCO NAC 3315.
    4. CISCO Router.
    5. CISCO Switch.
    I have to install these devices into a network.
    But the confusion is which to make the Profiler server, CAM, CAS and Collector.
    Please help me on this if you have a simple document describing the NAC Profiler server, NAC Profiler collector, CAS, CAM and how to configure these devices.
    Please help me on this, it's urgent.

    Abuzar,
    Welcome.
    As for your questions, you can install the Profiler, CAM and CAS on any of these devices. Whichever device you make the CAS can act as a collector also. I would suggest making the biggest box you have (3355) the Profiler, and putting CAM/CAS on the 3315s.
    As for a simple document, I'm afraid no such thing exists. NAC installations are complex by nature and you really have to have a very good idea of what you're looking to accomplish before you even touch the first piece of hardware.
    HTH,
    Faisal

  • NAC In-band Real IP Gateway process

    Hi all,
    I've been doing a lot of research and I still can't find good answers to some of my questions. All the big questions are answered for out-of-band configuration but I find that it's assumed that understanding in-band is taken for granted lol...I guess I'm slow =P
    How does In-band Real-IP Gateway work?
    What is the point of the /30 subnets?
    Are there access/auth VLAN pairs in in-band configurations?
    How does quarantining work?
    I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    Can you do role-mapping with in-band configurations?
    Any help with any or all of these questions would be GREATLY appreciated!
    Thanks much =]
    ~ Xavier.

    Hi Xavier,
    let me try to answer your questions
    1.How does In-band Real-IP Gateway work?
    The CAS works in routed mode, so you have different IP addresses (on different subnets) on the trusted and untrusted interfaces. Since the CAS doesn't support routing protocols, all the routing has to be configured through static routes
    2. What is the point of the /30 subnets?
    The idea is to have small subnets for your clients so that with this IP config the clients in the authentication VLAN need to go through the CAS even to talk to other clients in the same L2 subnet.
    Check here for some explanation:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/47/cas/s_dhcp.html#wp1057889
    3. Are there access/auth VLAN pairs in in-band configurations?
    If you ask if there's VLAN mapping, then the answer is NO, as the aim of the VLAN mapping is to *bridge* traffic between the trusted and untrusted mapped VLANs, but in Real-IP the CAS does L3 routing of the traffic.
    4. How does quarantining work?
    When a client is quarantined, this works in the same way as in OOB, as in this phase the client is still inline to the CAS.
    So the concept is that the CAS assigns the user to the temporary or quarantine role and it applies a traffic policy that you configured for the temporary or quarantine role.
    5. I read that the NAC Server can only send traffic out the untrusted port in one VLAN and that you aren't allowed to trunk that port. Does this mean that there's no support for multiple untrusted VLANs mapped to a single NAC Server?
    The "single" VLAN restriction for Real-IP CAS applies only to the *trusted* side. The CAS can be the default gateway for multiple VLANs/IP Subnets on the *untrusted* side.
    You configure additional VLAN/IP addresses on the untrusted side using the "managed subnet" configuration.
    This is also mentioned here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_deploy.html#wp1050938
    The Clean Access Server can manage one or more subnets, with its untrusted interface acting as a gateway for the managed subnets. For details on setting up managed subnets, see Configuring Managed Subnets or Static Routes, page 5-26.
    6. Can you do role-mapping with in-band configurations?
    Yes, you can do it! However, you cannot assign VLANs as you do in OOB, but you can assign different access levels based on the IP traffic policies and bandwidth restrictions you assign to the specific role.
    Check for instance here for more details:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_users.html#wp1040231
    In a nutshell, irrespective of the use of InBand vs. OutOfBand:
    - the clients are InBand to the CAS during the CAS discovery, authentication, posture assessment and remediation phases.
    The main difference occurs when the user is authorized to have access to the network and you perform role assignment both in IB and OOB but..:
    - in IB the client traffic keeps on flowing inline to the CAS, so you can apply different access policies (ACL) and bandwidth control policies depending on the role (but you cannot assign VLAN);
    - in OOB the client traffic bypasses the CAS once it's authorized: in this case you can apply different VLANs but (since the CAS is no longer along the path) you can't apply ACLs and/or traffic shaping policies in this case.
    I hope this answers your questions.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
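    A small Python model of the /30 point in answer 2 above, added here as an example and not code from the original thread or from Cisco: it carves a managed subnet into /30 blocks, one per client, and shows why a client's traffic to a neighbour in the same authentication VLAN is sent to its gateway (the CAS) rather than directly. The managed subnet, MAC addresses and the gateway/client placement inside each /30 are constructed assumptions, not the CAS's actual DHCP layout.

```python
"""Model of per-client /30 subnets behind a Real-IP (in-band) CAS.

Added example; the 10.10.0.0/24 pool, the MAC addresses and the
"gateway first, client second" layout within each /30 are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Lease:
    mac: str
    address: IPv4Address   # address handed to the client
    gateway: IPv4Address   # the CAS, acting as default gateway for this /30
    network: IPv4Network   # the client's own /30


def carve_client_subnets(managed: str):
    """Yield (block, gateway, client) for every /30 in the managed subnet.

    A /30 has exactly two usable addresses, so each block can hold one
    client plus the CAS gateway address it talks to.
    """
    for block in IPv4Network(managed).subnets(new_prefix=30):
        gateway, client = list(block.hosts())
        yield block, gateway, client


def assign_leases(managed: str, macs) -> dict:
    """Give each client MAC its own /30 lease, in order of arrival."""
    leases = {}
    blocks = carve_client_subnets(managed)
    for mac in macs:
        block, gateway, client = next(blocks)   # StopIteration if pool is exhausted
        leases[mac] = Lease(mac, client, gateway, block)
    return leases


def next_hop(src: Lease, dst: IPv4Address) -> IPv4Address:
    """Where the client sends a packet: directly if the destination is on
    its own subnet, otherwise to its default gateway (the CAS)."""
    return dst if dst in src.network else src.gateway


def peer_traffic_goes_via_cas(leases: dict, a_mac: str, b_mac: str) -> bool:
    """True when client A must hand traffic for client B to the CAS, which
    is what lets the CAS enforce the temporary/quarantine role policy."""
    a, b = leases[a_mac], leases[b_mac]
    return next_hop(a, b.address) == a.gateway


def max_clients(managed: str) -> int:
    """Cost of the /30 trick: only one client per four addresses."""
    return IPv4Network(managed).num_addresses // 4


if __name__ == "__main__":
    macs = ["00:11:22:33:44:01", "00:11:22:33:44:02"]   # constructed
    leases = assign_leases("10.10.0.0/24", macs)
    for lease in leases.values():
        print(f"{lease.mac}: {lease.address} gw {lease.gateway} in {lease.network}")
    print("peer traffic via CAS:", peer_traffic_goes_via_cas(leases, *macs))
    print("clients supported by /24:", max_clients("10.10.0.0/24"))
```

The same model with a flat /24 would return the neighbour's address from next_hop, which is exactly the direct client-to-client path the /30 layout is meant to prevent.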

  • NAC Host-Based Policies Issue

    Hi
    I have a problem... when I try to permit a web page (for example www.microsoft.com) in a temporary role, the user can't open it and it displays a security message, but when I add the web server's IP the users can access it.... The NAC is working in Real-IP Layer 3...
    thanks for your help

    Hi
    The result of the DNS lookup on the host is the following:
    *** Can't find server name for address 172.16.48.253: Non-existent domain
    *** Default servers are not available
    Server: UnKnown
    Address: 172.16.48.253
    Non-authoritative answer:
    Name: com.com.mx
    Address: 74.52.164.242
    Aliases: www.cisco.com.com.mx
    The result of the nslookup on the CAS is the following:
    [root@CAS-MTY ~]# nslookup www.cisco.com
    Server: 172.16.48.253
    Address: 172.16.48.253#53
    Non-authoritative answer:
    Name: www.cisco.com
    Address: 198.133.219.25
    Help me

  • NAC Agent Issue

    Hi
    I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
    1. Antivirus installation check
    2. Antivirus definition check
    3. File check
    I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
    The issue I'm seeing is that the end user receives the following Cisco Agent error during the remediation process (while in the temporary role):
    "The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
    The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete it places the user in the correct role. Therefore it's not so much an issue, just a misleading message displayed to the user.
    Has anyone seen this before or know where this is configured?
    Kind Regards
    Terry

    Hi Faisal,
    I am still having this problem.
    Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automatically. Therefore I am having to disconnect and re-connect the network cable for the agent to realise that I am not fully compliant.
    Is there anything that I can do to make this posture / remediation process automatic and seamless?
    Mario

  • Nac remediation failed

    Hi All,
    Has anyone encountered this issue? Recently upgraded to 4.9. Using L2 OOB wireless. Symantec Endpoint Protection ver 11, virus definitions are out of date; when the user clicks repair, it takes a long time to remediate and then gives a failed error: "The remediation you are attempting had a failure. If the problem persists contact the system admin"
    Traffic control is allowing update in temporary role, and there's no blocking from quarantine vlan to symantec server. Also we notice that the definition gets updated after a while.
    Thanks.
    Regards
    Joachim

    Hi Joachim,
    In my environment, we have workstations with SEP ver 11 too and I would like to know where your users are searching for updates during the remediation process.
    We have Symantec Endpoint Protection Manager acting as the antivirus server, and when the NAC Agent calls Symantec LiveUpdate to perform the repair, users will get updates on the Internet and not on the Antivirus Server.
    Could you give me more information about your environment?
    regards,
    Daniel Stefani
