NAC Agent 4.5.2 and hosts files
Hi
Since the PCs are managed by NAC, some users met problems with the "host" file (file empty).
Does the NAC agent have any influence on this mechanism?
Is it possible to reload this file?
Thanks for your help
Murielle,
NAC wouldn't do anything to the hosts file on your client machines. There's something else at play here.
HTH,
Faisal
Similar Messages
-
How can I get sendmail to read etc/hosts when I boot our solaris machine?
Hi
The order of name lookups depends on what has been set in the file /etc/nsswitch.conf.
Usually the name lookup will first take place in /etc/hosts, then DNS.
The entry in /etc/nsswitch.conf will look like this:
hosts: files dns
During the boot process, the hosts file is used to configure the basics of the host so that it
can get up and running on the network. Sendmail will start at run level 2 after any name service
is running, but will resolve itself with the local host file if the setup is as above.
If your post is regarding the "unable to qualify my own domain name - using short name"
message that gets posted to /var/adm/messages, you will need to put a fully qualified domain
name into the /etc/hosts file.
regards -
Agent not installing correctly and host not appearing in console
Hi,
I encounter troubles with agents on some servers running Red Hat Enterprise Linux ES release 4 (Nahant Update 5).
*1)* The install script doesn't run correctly. It hangs after some times
install.log :
11-21-2007 17:37:05> check rpm with rpm -q rpm
11-21-2007 17:37:05> Checking if user is root
11-21-2007 17:37:05> Checking UCE upgrade
11-21-2007 17:37:05> rpm -q sun-uce-agent
11-21-2007 17:37:05> CMD: rpm -q director-agent
11-21-2007 17:37:05> checking /opt/local/uce/agent//bin/.uce.rc
11-21-2007 17:37:05> /opt/local/uce/agent//bin/.uce.rc was not found
If I install the rpm manually, the package is successfully installed. I then just copy the .uce.rc file to the correct location.
*2)* On those servers when the agent is running, it fails to connect to the SDS with this error in the error.log :
29739:2007-11-21_17:01:13 ERROR [ default_logger: source_unavailable: #0 ] 17236224 Failed to initialize application. Check that you entered passwords and keys correctly.
Any idea of what could be done ?
Best regards,
Fred. Oger
Hi,
Still don't know why the agent installer doesn't work correctly, but I found the reason of the host not appearing in console :
The uce.public file had to be installed in /opt/local:uce/agent/bin -
ISe with NAC agent pop up and Posture waiting
Hi,
I have ISE running ver 1.1.1.268. We limited access to certain services before authentication with ACL-DEFAULT (given below) as per the Trustsec design guide.
Now the issue is that when you have ACL-DEFAULT on the port, the NAC agent does not pop up and does not start the posture part, saying waiting for Posture validation. When the ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.
However we do not want user to get access to network before the authorization and that is the reason we use the ACL-DEFAULT.
Please can someone advise me how to achieve the above both task. Why the NAC agent does not popup and do the posture when ACL-DEFAULT there in the switch.
Here is what I have configured on ACL-DEFAULT.
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 389
permit tcp any any eq 135
permit tcp any any eq 445
permit udp any any eq 445
permit tcp any any range 135 139
permit tcp any any eq 389
permit tcp any any eq 3268
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
remark Drop all the rest
deny ip any any log
Appreciate if someone can give a solid resolution and explanation to this.
Hi Saurav,
We have already allowed those ports with another acl (ACL-POSTURE-REDIRECT). Our issue is not with the web nac agent.
The issue is with NAC agent installed on corporate PCs connecting via wired port. With the ACL-DEFAULT it does not pop up and does not do the posturing, however once we removed the ACL-DEFAULT from the access port, everything works fine.
Since we do not want any user to access unwanted services before authorization we add this ACL on the access-port and as per the trustsec design this has to be there if you want to have ISE with closed mode.
thanks -
NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?
Agent Fails to Initiate Posture Assessment
The NAC agent is properly installed on a Windows 7, IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a self-signed ISE certificate.
The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
The redirected URL is working fine (SEE Evidence)
We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
The operations status remains with postering status pending forever and nothing else happens.
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
authentication session.
Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
Resolution descriptions for details of what was already tested by us and please see the attached files for your switch configuration and evidences.
CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
• Ensure that the Cisco IOS release on the switch is equal to or more recent than
Cisco IOS Release 12.2.(53)SE. - OK
• Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
choose Properties, and check the discovery host.) - OK (See evidence)
• Ensure that the access switch allows Swiss communication between Cisco ISE
and the end client machine. Limited access ACL applied for the session should
allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
• If the agent login dialog still does not appear, it could be a certificate issue.
Ensure that the certificate that is used for Swiss communication on the end client
is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
• Ensure that the default gateway is reachable from the client machine. (TESTED OK)
Hi.
Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
regards
Zubair -
NAC agent don't popup on some computer
Hi
I use
ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
NAC agent does not run on some computers and runs on others (Windows 7).
What can be these problems?
Please help
Regards
Please look into this, it might help you
Agent Login Dialog Not Appearing
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions
This issue can generally take place during the posture assessment phase of any user authentication session.
Possible Causes
There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
Resolution
•Ensure that the agent is running on the client machine.
•Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
•Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
•Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
•If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
•Ensure that the default gateway is reachable from the client machine. -
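A check for the Swiss-port requirement in the resolution above, as an added example that is not part of the original posts: it parses an IOS-style extended ACL and reports, with first-match evaluation, whether TCP and UDP 8905 to the ISE node are permitted. Both sample ACLs are abridged copies of the ones quoted on this page (host masking kept as posted); the function names are hypothetical.

```python
import re

NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "tftp": 69, "www": 80}

# Abridged copy of the limited-access ACL quoted in the resolution above.
LIMITED_ACCESS = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> posture (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> posture (Swiss ports)
deny ip any any
"""
# Abridged copy of ACL-DEFAULT from the earlier thread (omitted permits: 389, 135, 445, 3268).
ACL_DEFAULT = """\
ip access-list extended ACL-DEFAULT
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any any range 135 139
permit icmp any any
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
deny ip any any log
"""

def _endpoint(toks):
    """Consume 'any' | 'host A', then an optional 'eq P' | 'range LO HI'."""
    kind = toks.pop(0)
    if kind not in ("any", "host"):
        raise ValueError("unsupported address form: " + kind)
    host = toks.pop(0) if kind == "host" else None   # None means any
    num = lambda t: NAMED_PORTS.get(t) or int(t)
    ports = None                                     # None means all ports
    if toks[:1] == ["eq"]:
        ports = (num(toks[1]), num(toks[1]))
        del toks[:2]
    elif toks[:1] == ["range"]:
        ports = (num(toks[1]), num(toks[2]))
        del toks[:3]
    return host, ports

def parse_acl(text):
    """Return (action, proto, dst_host, dst_ports) for each permit/deny line."""
    entries = []
    for raw in text.splitlines():
        toks = re.split(r"\s+(?:-->|\()", raw.strip())[0].split()  # drop annotations
        if toks[:1] not in (["permit"], ["deny"]):
            continue                     # header, remark or wrapped comment text
        rest = toks[2:]
        _endpoint(rest)                  # source side is not needed for this check
        entries.append((toks[0], toks[1], *_endpoint(rest)))
    return entries

def first_match(entries, proto, host, port):
    """Top-down evaluation: the first matching entry wins, implicit deny at the end."""
    for action, e_proto, dst, ports in entries:
        if (e_proto in (proto, "ip") and dst in (None, host)
                and (ports is None or ports[0] <= port <= ports[1])):
            return action
    return "deny"

def swiss_ports_allowed(acl_text, ise_host, port=8905):
    entries = parse_acl(acl_text)
    return {p: first_match(entries, p, ise_host, port) == "permit" for p in ("tcp", "udp")}
```

Run against the port ACL actually applied to the session, `swiss_ports_allowed` returns a per-protocol verdict for 8905; subnet/wildcard address forms are rejected rather than guessed at.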
NAC Agent Customization Distribution
Looks like the NAC agent customizations can be done only when the client PC pulls
the install from the CAM. Our PCs do not have admin rights and the software will be pushed through a software
distribution tool. Is there any way to distribute the software with the customization file , just like there is an option
to install with the agent configuration file?
Thanks
Shaffeel
Hi Shaffel,
You cannot include the branding files on the MSI installation package of the Agent.
I have not much experience with the centralized client management tools, but you could try a workaround by pushing those files to the client at the appropriate location and then restart the Agent.
The files to be pushed are the ones you prepared on the branding file to be uploaded to the CAM.
The location of the files is documented at this page:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1606140
Specifically:
In a system that has NAC Agent installed, you can find the "nac_login.xml" file in the "C:\Program Files\Cisco\Cisco NAC Agent\UI\nac_divs\login" directory.
The "nacStrings_xx.xml" file is available in the supported location. The "xx" indicates the locale. In the system that has NAC Agent installed, you can find a complete list of the files in the "C:\Program Files\Cisco\Cisco NAC Agent\UI\cues_utility" directory.
The files are available in the directories mentioned above when the Agent is installed at the default location. If the Agent is installed at a different location, then the files would be available at "\Cisco\Cisco NAC Agent\UI\nac_divs\login" and "\Cisco\Cisco NAC Agent\cues_utility".
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it. -
NAC AGENT - DISCOVERY HOST IP ADDRESS with AD
Hi,
We have deployed a Cisco NAC Agent in our network with GPO update... The deployment model is L3 OOB / Real IP Gateway.
The issue is that, we need to put the IP address in each host manually to start communicating with Cisco NAC Manager.
Is there any way to make it automatic?
Regards,
Mubasher
Hi Mubashir,
I faced the same problem with Cisco ISE and Tiago's response actually helped; see below.
" You can also distribute the NACAgentCFG.xml file with that value set.
Please find here detailed info regarding this file:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
In that link, read the section: Agent Customization Settings
From a NAC agent that has successfully been deployed with the IP configured , go to the NAC agent installation folder
C:\Program Files (x86)\Cisco\Cisco NAC Agent , and copy the NACAgentCFG.xml , open with wordpad and edit the line
IP of PDP node or ISE standalone server
Then place the edited NACAgent.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed , it automatically picks the configs from the .xml file.
Regards,
Henry -
SCCM and citrix servers - SCCM routing to localhost in hosts file
I have recently taken over administration of Citrix servers in our company.
I can't find the answer to this in my organisation, so I ask here:
What could be the reason for routing our SCCM server address to 127.0.0.1 in the hosts file? I noticed all of our Citrix servers have this in the hosts file. This is not default on other servers or client computers.
What I was thinking was perhaps it was a crude way of blocking access to the application catalog. But any ideas? Does anyone know when doing this is common practice?
Kthxbai
ConfigMgr (or in this case the ConfigMgr client agent) doesn't use anything to resolve DNS names. It passes the names to the networking API which in turn uses the Windows name resolution APIs. Name resolution is much more than nslookup which simply queries
a DNS server. Don't confuse the results of nslookup with anything a client will ever use for name resolution, it simply doesn't work that way and would be a bad thing if it did. Querying a DNS server is only part of name resolution and won't happen if the
name is found in the local name cache or the HOSTS file (by default although it is actually possible to change this behavior).
Peter's initial response is the only possibility here. And, just because the client is installed on the server doesn't mean it's reporting in correctly at all. As for SCEP definitions, there are multiple other sources for it to get definitions from which
is what is almost assuredly happening.
I generally concur with John, remove this "dirty" hack; however, you probably should find the Citrix guys as I'm sure they were the ones whining about something that resulted in the hack in the first place.
Jason | http://blog.configmgrftw.com -
CSA agent and NAC agent together
Hi, do you have experience of CSA agent and NAC agent together on the same pc ?
Does one include the other ?
Which one have I to test first ?
thank you in advance
greetings
RS
Cisco Trust Agent collects security posture information from the NAC-compliant applications running on the network client and reports them to the Cisco Secure Access Control Server (ACS). These are some NAC-compliant applications:
- Antivirus applications
- Personal firewalls
- Host-based intrusion protection applications, such as Cisco Security Agent (CSA)
Cisco NAC is a strategic element of the Self-Defending Network. Working together with other Self-Defending Network components such as Cisco Security Agent and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS), Cisco NAC helps organizations achieve more accurate threat identification and prevention while increasing patch management efficiency. -
I do not want Bing in my computer.
I get angry and uninstall the new firefox because i can not keep bing at bay. Every time I go back and install Firefox because I do not like Opera I have Microsoft's Bing invading my system as yahoo search or bing.
I want to know what are the host files I need to enter, so I can completely block this search engine virus that keeps invading my system.
For the record: Yahoo search is Microsoft Bing, with a different name.
Yahoo search was a great search engine in the past, that knowledge was given to Microsoft to improve Bing, and Yahoo signed a financial agreement with Microsoft to use Bing.
I can remove Bing, but it always returns in 6 hours, or in several days. It has the qualities of malware, in that it keeps reappearing. There is no method I can find of keeping Bing search off my system, other than to not install Firefox.
-
Cisco NAC Agent and Windows 8 still not working
Hello. I recently upgraded the Cisco NAC Agent to the latest version (4.9.1.13) on a Windows 8 VM. The release notes state that Windows 8 support has been added, and that a patch must be downloaded. However, the information about the patch is vague. I'm not sure if it's a client or server-side patch, or perhaps if I already have it as a result of upgrading to the latest version.
I ask this because I plan to upgrade some computers to Windows 8, and have noticed that Cisco NAC Agent can't handshake with the NAC server on Windows 8 (both native and VM), and despite upgrading to the latest version, the handshake is still unsuccessful.
Thanks,
-Collin
Hi Collin,
The 4.9.1 Patch for Windows 8 Support can be downloaded from the following link :
http://www.cisco.com/cisco/software/release.html?mdfid=282910502&flowid=34713&softwareid=282573326&release=4.9.1&relind=AVAILABLE&rellifecycle=&reltype=latest
The patch should be applied to both 4.9.1 CAM and CAS.
Please go through the README file for patch provided in the download link provided above. It has detailed information.
Regards,
Karthik Chandran -
Different between cisco NAC agent and cisco Clean Access Agent
Hi all,
If anyone has an idea about the difference between cisco NAC agent and cisco Clean Access Agent, please share your ideas.
thank you
In 4.6, the agent was overhauled and is now called the NAC agent. Previous versions were referred to as the Clean Access Agent. So pretty much, the 4.5 agent and 4.1.3.2 agents are Clean Access agents, and the 4.6.x and 4.7.x agents are called NAC agents.
Some of the changes made were moving a lot of the agent configuration to an XML file, redesigning the GUI, adding a service portion (so that the stub agent is no longer required), and better agent logging. -
I'm getting this problem when trying to update my iphone 3gs it says that the iphone software could not be contacted and I went on youtube got some advice to go into my hard drive to fix the error I have nothing in my host file please help me if you can this is all new to me.
Read this: iOS 4: Updating your device to iOS 5 or later
... oh I think it is a 3gs or a 3
This makes a difference. What does it say in Settings > General > About? -
Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?
Hi the_mad_movies,
It seems like this article will be the best option for addressing this issue:
Error 3194, Error 17, or "This device isn't eligible for the requested build"
http://support.apple.com/kb/ts4451
Thanks for coming to the Apple Support Communities!
Cheers,
Braden