NAC Agent 4.9 issue while remediation with in ISE
We have installed NAC agent 4.9 and have configured a posture policy for Symantec Endpoint Protection version 11x in ISE 1.1.1. When the end user falls into remediation and tries to remediate by collecting the latest antivirus definitions from the local antivirus, clicking the update button gives a message stating:
"The Remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator"
It continuously shows that prompt and gives that privilege message.
Do we need administrator rights for remediation? This prompt appears again and again until the remediation timer expires, and then it falls into the Non-compliant (Restricted) profile.
Please find attached screen shots for the same
I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain Access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
Select Keychain Access -> Preferences from the menu at the top of the screen
Choose the Certificates tab
Change the OCSP option from Best Effort to Off
Close the Preferences dialog and quit Keychain Access
You should be able to use NAC now
Similar Messages
-
Cisco NAC Agent 4.9.1.682 Problems with Mac OS X 10.7.4
Hi
My Cisco NAC Agent (version 4.9.1.682) hasn't worked since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
Any update on when a new version is going to be released? It's getting really frustrating.
I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain Access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
Select Keychain Access -> Preferences from the menu at the top of the screen
Choose the Certificates tab
Change the OCSP option from Best Effort to Off
Close the Preferences dialog and quit Keychain Access
You should be able to use NAC now
-
Facing issue in integrating with Cisco ISE
We are trying to integrate our product (Cisco Prime Infrastructure) with Cisco ISE for authentication and authorization. We already support PAP/CHAP, and not trying to add support for EAP-TLS.
Currently during our integration we are facing TLS payload errors. We are using the jradius library to talk to Cisco ISE for authentication and see the below TLS error in the ISE logs. Tried with Cisco ISE 1.2 and 1.3 versions.
Event 5400 Authentication failed
Failure Reason 11500 Invalid or unexpected EAP payload received
DetailedInfo TLS packet parsing failed: total accumulated size plus this last fragment size is greater than expected total TLS message size
Any pointers to resolve this problem, or any other free Java-based client library (instead of jradius) that has been tried out successfully with Cisco ISE, would also be great.
Regards
Chandrakumar
-
DECLARE
    CURSOR s_cur IS
        SELECT eno FROM emp;
    TYPE fetch_array IS TABLE OF s_cur%ROWTYPE;
    s_array fetch_array;
BEGIN
    OPEN s_cur;
    FETCH s_cur BULK COLLECT INTO s_array;
    CLOSE s_cur;
    FORALL i IN 1 .. s_array.COUNT
        INSERT INTO (select eno from emp_temp)
        VALUES s_array (i);
END;
It's working, but I haven't understood the concept.
INSERT INTO (select eno from emp_temp)
VALUES s_array (i);
How does it work?
-
Apple Cinema Display 23" brightness issue while using with Microsoft Vista
Hello there,
I have the following issue and was wondering if someone has an idea what the reason is or what can I do to fix this:
I have a 23" Apple Cinema Display running with a MacPro 2,8 GHz. When I switch to PC using BootCamp 2.1 with Windows Vista Service Pack 1 32bit the screen becomes extremely dark.
At first, on the PC side, the display has the correct brightness but after two seconds it switches to a very low brightness setting.
When I go back to the Mac side the brightness setting on my Cinema Display has changed to the lowest point.
I also have a MacBookPro, with Microsoft XP installed also using BootCamp (I cannot find the version of this Boot Camp, but it is an earlier version) to change to PC. In XP, there is a driver installed that allows me to use a slider on the PC to control the monitor brightness. But with Vista this slider is nonexistent.
I already tried changing the graphics card (NVIDIA 8800) driver to see if I can manipulate the brightness on the monitor. I realized there is a brightness slider in the NVIDIA driver, but when you make it brighter the colors just get messed up, and the brightness stays as dark as before.
We have lately upgraded to Snow Leopard and had installed Spyder on the Mac side to create a monitor profile for the Cinema Display. I already deleted the profile to see if there is a change. Nothing. I already went back in time on my PC (Restore Point), also nothing.
Could I download a driver for Vista, so that I have a brightness slider on the PC side, so that I can adequately change the brightness to its correct setting.
It is amazing how the lack of correct brightness in a monitor, can ruin your entire working day! Very frustrating!
It would be greatly appreciated if someone has a solution for this issue! Thanks a lot!
Emil
Okay, I came across a thread that implies there is a problem with using the Apple ADC-to-DVI adapter to attach the older "acrylic" 23" Cinema Display to a Mac Pro DVI graphics card. Basically, the workaround is to NOT use the USB part of the adapter (disconnect it).
1) In OS X, set the desired display brightness.
2) Disconnect the USB cable coming from the converter to the Mac.
3) Restart into Windows.
The brightness setting should now remain as it was under OS X.
Confirmed to work on my Mac Pro v1,1 (dual 2.66 Core 2 Duo) with nVidia GeForce 7300 GT video card running Windows 7 x64.
Link here: <http://forums.macrumors.com/showthread.php?t=790910> for credit to resolution.
Of course, you lose the functionality of the 2-port built-in USB hub in the Cinema Display, but an external USB hub can make up for that. -
Exchange 2010 ambiguous URLs issue while coexisting with Exchange 2013
Hi,
Please correct me if I am wrong, and please all share your valuable suggestions.
As said in the article below, we have Exchange 2010 ambiguous URLs in place.
Referred article:
http://blogs.technet.com/b/exchange/archive/2013/05/23/ambiguous-urls-and-their-effect-on-exchange-2010-to-exchange-2013-migrations.aspx
As said in this article, if we have Exchange 2010 ambiguous URLs in place we will face issues during Exchange 2013 coexistence. I agree with that point.
Question: In such a case, why don't we use a separate namespace for the internal and external Outlook Anywhere settings in Exchange 2013, different from the CAS array name? Then there is no need to disturb the existing Exchange 2010 environment by changing the RPC Client Access attribute on the Exchange 2010 databases or by forcing the Exchange 2010 internal Outlook clients to connect via OA. Please clarify my doubt and say whether the mentioned scenario is possible or not.
Note: At the same time, please consider that the new namespace which is going to be used in the Exchange 2013 Outlook Anywhere settings is available on the SAN certificate.
Regards
S.Nithyanandham
Hi,
Please someone shed light on this case.
Regards
S.Nithyanandham
Thanks & Regards S.Nithyanandham -
Performance issue while working with large files.
Hello Gurus,
I have to upload about 1 million keys from a CSV file on the application server and then delete the entries from a DB table containing 18 million entries. This is causing performance problems and my program is very slow. Which approach will be better?
1. First read all the data in the CSV and then use the delete statement?
2. Or delete each line directly after reading the key from the file?
And another program has to update about 2 million entries in a DB table containing 20 million entries. Here I also have very big performance problems (the program has been running for more than 14 hours). Which is the best way to work with such a large amount of data?
I tried to rewrite the program so that it runs in parallel, but since this program will only run once, the costs of implementing aRFC parallelization are too high. Please help; maybe someone doing migration is good at this.
Regards,
Ioan.
Hi,
I would suggest you split the files and then process each set.
Lock the table to ensure it is available all the time.
After each set, do a commit and then proceed.
This would ensure there is no break in the middle where you have to start again by deleting from the files the entries which are already processed.
Also make use of sorted tables and keys when deleting/updating the DB.
In Delete, when multiple entries are involved, use of an internal table might be tricky as some records may be successfully deleted and some may not.
To make sure, first get the count of records from the DB that match internal table set 1.
Then do the delete from the DB with internal table set 1.
Again check the count from the DB that match internal table set 1 and see that the count is zero.
This would make sure all the records are deleted, but again it may add some performance overhead.
And the goal here is to reduce the execution time.
Gurus may have a better idea..
Regards
Sree -
NAC AGENT - DISCOVERY HOST IP ADDRESS with AD
Hi,
We have deployed a Cisco NAC Agent in our network with GPO update... The deployment model is L3 OOB / Real IP Gateway.
The issue is that we need to put the IP address in each host manually to start communicating with the Cisco NAC Manager.
Is there any way to make it automatic?
Regards,
Mubasher
Hi Mubashir,
I faced the same problem with Cisco ISE and Tiago's response actually helped; see below.
" You can also distribute the NACAgentCFG.xml file with that value set.
Please find here detailed info regarding this file:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
In that link, read the section: Agent Customization Settings
From a NAC agent that has successfully been deployed with the IP configured, go to the NAC agent installation folder
C:\Program Files (x86)\Cisco\Cisco NAC Agent, copy the NACAgentCFG.xml, open it with WordPad and edit the line
IP of PDP node or ISE standalone server
Then place the edited NACAgent.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed , it automatically picks the configs from the .xml file.
Regards,
Henry -
ISE with NAC agent pop-up and Posture waiting
Hi,
I have ISE running ver 1.1.1.268. We limited access to certain services before authentication with ACL-DEFAULT (given below) as per the TrustSec design guide.
Now the issue is that when ACL-DEFAULT is on the port, the NAC agent does not pop up and does not start the posture part, saying "waiting for Posture validation". When ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.
However, we do not want users to get access to the network before authorization, and that is the reason we use ACL-DEFAULT.
Can someone please advise how to achieve both of the above? Why does the NAC agent not pop up and do the posture when ACL-DEFAULT is on the switch port?
Here is what I have configured on ACL-DEFAULT.
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 389
permit tcp any any eq 135
permit tcp any any eq 445
permit udp any any eq 445
permit tcp any any range 135 139
permit tcp any any eq 389
permit tcp any any eq 3268
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
remark Drop all the rest
deny ip any any log
Appreciate if someone can give a solid resolution and explanation to this.
Hi Saurav,
We have already allowed those ports with another ACL (ACL-POSTURE-REDIRECT). Our issue is not with the web NAC agent.
The issue is with the NAC agent installed on corporate PCs connecting via a wired port. With ACL-DEFAULT it does not pop up and does not do the posturing; however, once we removed ACL-DEFAULT from the access port, everything works fine.
Since we do not want any user to access unwanted services before authorization, we add this ACL on the access port, and as per the TrustSec design this has to be there if you want ISE in closed mode.
Thanks
-
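A quick way to check an ACL like the one posted above against the ports the posture flow needs, as an added example that is not from the thread and not Cisco's code: it parses the posted ACL-DEFAULT with IOS first-match semantics and lists the permit entries missing towards the policy node, then shows that adding them above the final deny clears the report. The required-port set is an assumption to confirm against the ISE port reference for your version (the thread itself only names 8443 for the redirect), and 172.16.1.10/.11 are constructed placeholders for the masked 172.xx.xx.xx addresses.

```python
# Constructed copy of the ACL-DEFAULT posted in the thread: "(ISE-Pri)"/"(ISE-Sec)"
# annotations dropped (not IOS syntax), masked 172.xx.xx.xx replaced by placeholders.
ACL_DEFAULT = """\
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 permit tcp any any eq domain
 permit udp any any eq 389
 permit tcp any any eq 135
 permit tcp any any eq 445
 permit udp any any eq 445
 permit tcp any any range 135 139
 permit tcp any any eq 389
 permit tcp any any eq 3268
 permit icmp any any
 remark PXE / TFTP
 permit udp any any eq tftp
 permit tcp any host 172.16.1.10 eq 8443
 permit tcp any host 172.16.1.11 eq 8443
 remark Drop all the rest
 deny ip any any log
"""

# Ports the NAC agent must reach on the policy node for discovery/posture.
# ASSUMPTION: 8443 is the redirect port from the thread; TCP/UDP 8905 and UDP 8906
# are the Swiss/discovery ports. Confirm against the ISE port reference for your release.
REQUIRED_PORTS = {("tcp", 8443), ("tcp", 8905), ("udp", 8905), ("udp", 8906)}
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69}  # IOS keywords

def parse_ace(line):
    """One extended-ACL entry -> (action, proto, dst, dports); None for remarks/header."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None

    def addr(i):  # "any" | "host A" | "A wildcard"
        if tok[i] == "any":
            return "any", i + 1
        if tok[i] == "host":
            return tok[i + 1], i + 2
        return f"{tok[i]} {tok[i + 1]}", i + 2

    def ports(i):  # set of ports after "eq"/"range", or None for any port
        num = lambda t: PORT_NAMES.get(t) or int(t)
        if i < len(tok) and tok[i] == "eq":
            return {num(tok[i + 1])}, i + 2
        if i < len(tok) and tok[i] == "range":
            return set(range(num(tok[i + 1]), num(tok[i + 2]) + 1)), i + 3
        return None, i

    _, i = addr(2)    # source address
    _, i = ports(i)   # source port operator, irrelevant to this check
    dst, i = addr(i)
    return tok[0], tok[1], dst, ports(i)[0]

def verdicts(acl_text, psn):
    """First-match result ("permit"/"deny"/"deny (implicit)") per required flow."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    out = {}
    for proto, port in sorted(REQUIRED_PORTS):
        out[(proto, port)] = "deny (implicit)"
        for action, aproto, dst, dports in aces:
            if (aproto in (proto, "ip") and dst in ("any", psn)
                    and (dports is None or port in dports)):
                out[(proto, port)] = action
                break
    return out

def missing_permits(acl_text, psn):
    """ACEs to add above the final deny for flows the ACL does not permit."""
    return [f" permit {p} any host {psn} eq {n}"
            for (p, n), v in sorted(verdicts(acl_text, psn).items()) if v != "permit"]
```

Run `missing_permits(ACL_DEFAULT, "172.16.1.10")` to see which entries the posted ACL lacks; the same function on a corrected ACL returns an empty list.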
NAC Agent - Loop in Remediation WSUS
Hello,
I'm implementing WSUS posture in my ISE environment.
When the NAC Agent detects a new Windows Update, the Remediation Action is Automatic. I configured Show UI for the Wizard Interface and this is working well.
But after the Windows Update installation, the NAC Agent stays in the Remediation process. Looking at the WindowsUpdate.log file, I see repetitive messages like:
Updates Found = 0 OR Found 0 Updates and X categories in search.
If I use Windows Update from Windows to search for and install the updates, it works very well too.
The attached image illustrates my problem (at this point, the Windows Update installation was done):
Updating..
Approximately 30 minutes later, the NAC Agent finished the Remediation process. (Only 1 Windows Update package)
Apparently the station sends many reports to WSUS and while it does, the NAC Agent continues the Remediation process, even after installing the update.
I'm sure there is a way to optimize it, but if anyone has any tips I'd appreciate it.
Best Regards,
Daniel Stefani -
Issue while installing FatWire on WebLogic server
I was trying to install CS with WebLogic as the application server.
During the installation of CS, I faced an issue while integrating with LDAP. The log showed "Could not connect to the application server. Error in creating LDIF file."
I had given the valid credentials.
Has anyone faced this issue previously? If so, please guide me through.
And also, is it mandatory to use LDAP?
Thanks,
Rahul Nair
It sounds like the application server was turned off whilst you were running the LDAP configuration tool. The tool needs the application server to be running.
It's not mandatory to have LDAP integration with CS, from what I have seen most existing customers don't use it. There are also some performance benefits to avoiding LDAP integration.
If you do want LDAP integration then you don't need to configure it immediately after install. The LDAP configuration tool can be run separately, e.g. after you are happy the fresh install is working as expected.
Phil -
Buffer table not up-to-date error while working with local SRM PO
Hi all,
We are working in SRM 7.0 with extended classic scenario.
I faced an issue while working with a local SRM PO. I am getting a dump while making changes in the SRM PO.
The dump says "Buffer table not up-to-date". Please find the detailed dump error below:
http://cscgsapndc34.nwk.amer.csc.com:8114/sap/bc/webdynpro/sapsrm/wda_l_fpm_oif/
UNCAUGHT_EXCEPTION
Buffer table not up-to-date
Function: BBP_PD_ABORT of program SAPLBBP_PDH
Form: ABORT of program SAPLBBP_PDACC
Form: ACCOUNT_INTERNAL_SAVE of program SAPLBBP_PDACC
Function: BBP_ACCOUNT_INTERNAL_SAVE of program SAPLBBP_PDACC
Form: PROCDOC_INTERNAL_SAVE of program SAPLBBP_PD
Form: STATUS_SET_AND_INTERNAL_SAVE of program SAPLBBP_PD
Form: PROCDOC_UPDATE of program SAPLBBP_PD
Function: BBP_PROCDOC_UPDATE of program SAPLBBP_PD
Method: /SAPSRM/IF_PDO_UPDATE_BUFFER~SUBMIT of program /SAPSRM/CL_PDO_UPDATE_BUFF_PO=CP
Method: /SAPSRM/IF_PDO_BASE~SUBMIT_UPDATE of program /SAPSRM/CL_PDO_BASE===========CP
http://cscgsapndc34.nwk.amer.csc.com:8114/sap/bc/webdynpro/sapsrm/wda_l_fpm_oif/
If any of you have already come across this type of dump error, can you please let me know what the possible reasons for it might be? Request your kind help in this regard.
Thanks in advance.
Regards,
Kalyani
There could be many issues..
or some data issue.
If you can recreate the same issue, you can fix it.
It could be only one incident, so you should thoroughly check what piece of data is wrong.
What actions are you doing in the purchase order?
Note 1580496 - Purchase order Buffer table not upto date dump in change ver
Symptom
1. Create a change version on any Purchase order.
2. Edit quantity of any item.
3. Don't press the 'Enter' key.
4. Click on the Order button.
Application gives dump 'Buffer table not upto date'.
But it is very difficult to say what the issue is. Request your technical resource to look at your dump.
If you recreate the issue, half of the problem is resolved.
-
Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) environments. We are looking at migrating over to ISE for our wireless environment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC environment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this environment; we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically is NOT listed in the NAC compatibility matrix. So what version of NAC agent should we run in a mixed environment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.
Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC appliances, we would still run that agent. Does that agent run against ISE, and if not, what is Cisco's recommendation to bring ISE into the environment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE, as our laptops will be wireless and wired at different times. Which agent would be recommended?
-
Cisco ISE NAC agent and Microsoft roaming profiles
Hi there,
I have installed Identity Services Engine version 1.1.3 in distributed mode. The NAC agent is installed on the end user PC joined to the domain. When a user with a roaming profile logs into the PC, the NAC agent fails to run posture assessment, but if a user with a non-roaming profile logs in, the NAC agent does posture and full network access is granted.
Is there something I need to do to enable the NAC agent to perform posture for users with a roaming profile?
Regards,
Henry
Hello,
I found the following in the Cisco doc. Hope it helps!
The following failure scenarios might cause the Cisco NAC Agent to appear following successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band and Out-of-Band) and Layer 2 /Layer 3 Out-of-Band environments. Erroneous Agent login dialogs could also appear if users roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC network:
–ARP poisoning
–Temporary loss of network connection between the client machine and the CAS
–Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
Cisco offers the following recommendations to prevent this situation:
–Ensure all trusted networks (post-authentication) can reach the CAS untrusted interface IP address through the CAS trusted interface only
–Block discovery packets from all non-NAC networks to the CAS untrusted interface IP address (discovery packets that arrive on the trusted interface of the CAS are blocked by default)
For more information please refer to the following link:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html -
NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?
Agent Fails to Initiate Posture Assessment
The NAC agent is properly installed on a Windows 7, IE 9 machine. The certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
The Reports / User / Profiling report says the Provisioning Agent has completed the assessment OK.
The redirected URL is working fine (SEE evidence).
We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
The operations status remains with posture status pending forever and nothing else happens.
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
Cisco advises as possible causes: there are multiple possible causes for this type of issue. See the following resolution descriptions for details of what was already tested by us, and please see the attached files for the switch configuration and evidence.
CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
Resolution:
• Ensure that the agent is running on the client machine. ALL TESTED OK
• Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE. - OK
• Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (See evidence)
• Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. The limited access ACL applied for the session should allow the Swiss ports: ALL CONFIGURED AS PER CISCO GUIDELINES OK (SEE EVIDENCE)
• If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
• Ensure that the default gateway is reachable from the client machine. (TESTED OK)
Hi.
Can you paste all the ACLs on your switch, especially the webauth redirect ACL, which should deny traffic towards the PSN?
regards
Zubair -
NAC Agent does not execute remediation
Hi to all,
In a lab environment I have configured a CAM/CAS solution on a 3310 server and I have installed 2 PCs (one Windows Vista and one XP) with NAC client version 4.6.2.133.
My problem is auto-remediation and manual-remediation: the client gets temporary access but does not start the LiveUpdate program (I use Symantec Endpoint Protection 11).
I have admin rights on both PCs.
How can I solve the problem?
Thanks for help
There is no automatic remediation for all products. You must launch the endpoint protection, click LiveUpdate, then re-scan on the NAC agent and you will pass.
Quote from Cisco Doc (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html):
"• Not all product versions of a particular vendor may support the Clean Access Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product."
If you have verified that your requirement-rule is specifically for Symantec Endpoint Protection 11, and the rule has automatic remediation configured, then it may fall into this scenario. You may also have it configured where the endpoint protection is not accessible to the end-user and requires admin rights to launch. Please put the client in debug and send the results to TAC for analysis, as it would be the best bet for you to get a clear answer.
Hope that helps, rate if it does.
Cheers,
Tim