NAC agent delayed before popup

Dear,
I installed the NAC system and it is working fine, but when the user logs in, the agent is delayed about 10 minutes before it pops up for the user. I don't know why the agent doesn't appear immediately after the PC finishes startup.

I only use OOB configurations, so I haven't tested IB configurations. However, you may see some issues in both configurations since the agent needs to send user/PC information to the CAM.
In our setup, the fact that the agent doesn't load until after the desktop comes up has produced a delay in total login time that can reach 20 minutes (I've timed it), depending on the situation. I haven't yet been able to determine what MSoft is trying to talk to that it can't (the delay is waiting for a bunch of things to time out).
Now, if the desktop is loaded and all user programs are running and it still takes 10 minutes for the popup, then the issue is probably with the discovery host (or lack of one) as you have been discussing with Faisal.

Similar Messages

  • NAC agent failing to popup

    Dears,
    I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.
    When we are working on the first node everything is fine; if I try to disconnect ISE1 and do my tests on ISE2, the Cisco NAC agent doesn't pop up unless I uninstall it and reinstall it again from ISE2. Then it will work properly.
    Note: the NAC agent version is the following: nacagent-4.9.0.37.
    Any idea?
    Regards
    Zahi

    Hi Tarik,
    below are my answers:
    1- The content of the dACL:
    ip access-list extended POSTURE-REMEDIATION
    permit udp any any eq domain
    permit ip any host 10.10.10.125         >>>> antivirus server
    permit ip any 10.10.240.0 0.0.0.255   >>>> voice subnet
    permit ip any 10.10.31.0 0.0.0.255    >>>> quarantine vlan subnet
    permit ip any host 10.10.10.238        >>>> ip add of ISE1
    permit ip any host 10.10.10.239        >>>> ip add of ISE2
    permit ip any host 10.10.10.206        >>>> wsus server
    permit ip any host 10.10.10.10          >>>> domain 1
    permit ip any host 10.10.10.100          >>>> domain 2
    2- When I open a web browser, yes I get redirected to the nac agent download page
    3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:
    sw#sho authentication sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  b8ac.6fc9.b26f
               IP Address:  10.10.31.2
                User-Name:  RJ\15592
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  31
                  ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
         URL Redirect ACL:  ACL-POSTURE-REDIRECT
             URL Redirect:  https://RJ-ISE-1.rj.com:8443/guestportal/gateway?session
    Id=0A0A0C86000000186ADBBD8B&action=cpp
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000186ADBBD8B
          Acct Session ID:  0x00000023
                   Handle:  0x31000018
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    sw#sho authentication sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  b8ac.6fc9.b26f
               IP Address:  10.10.30.12
                User-Name:  RJ\15592
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  30
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000186ADBBD8B
          Acct Session ID:  0x00000023
                   Handle:  0x31000018
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:
    sw#sho auth sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  0025.6458.8409
               IP Address:  10.10.31.8
                User-Name:  RJ\15946
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  31
                  ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
         URL Redirect ACL:  ACL-POSTURE-REDIRECT
             URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?session
    Id=0A0A0C86000000206AF3FAC1&action=cpp
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000206AF3FAC1
          Acct Session ID:  0x0000002B
                   Handle:  0x2C000020
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    You may also find attached the pcap file of the client machine when it is authenticating with ISE2.
    Thank you in advance
    Zahi
    Message was edited by: ZAHI BOU KHALIL

  • NAC agent doesn't pop up on some computers

    Hi
    I use
    ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
    NAC agent does not run on some computers and runs on others (Windows 7).
    What can these problems be?
    Please help
    Regards

    Please look into this, it might help you.
    Agent Login Dialog Not Appearing
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions
    This issue can generally take place during the posture assessment phase of any user authentication session.
    Possible Causes
    There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
    Resolution
    • Ensure that the agent is running on the client machine.
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
    • Ensure that the default gateway is reachable from the client machine.
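The resolution list above requires the limited-access ACL to permit the Swiss ports (TCP and UDP 8905) and the guest portal port 8443 toward ISE. As an added example (not part of the original posts and not a Cisco tool), this Python checker evaluates an IOS extended ACL first-match and lists which of those client-to-ISE flows it would block; the function names, the client address and the reduced ACL are constructed for illustration.

```python
import ipaddress

# IOS port keywords that appear in the ACLs on this page.
PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69, "www": 80}

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' (contiguous mask)."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    host_bits = bin(int(ipaddress.IPv4Address(tok.pop(0)))).count("1")
    return ipaddress.ip_network(f"{first}/{32 - host_bits}", strict=False)

def _ports(tok):
    """Consume an optional 'eq N' or 'range A B'; None means any port."""
    count = {"eq": 1, "range": 2}.get(tok[0] if tok else "", 0)
    if not count:
        return None
    nums = [PORT_NAMES.get(w) or int(w) for w in tok[1:count + 1]]
    del tok[:count + 1]
    return (nums[0], nums[-1])

def parse_acl(text):
    """Return permit/deny entries in order, skipping remarks and annotations."""
    rules = []
    for line in text.splitlines():
        tok = line.split("-->")[0].split()
        if tok[:1] in (["permit"], ["deny"]):
            action, proto = tok.pop(0), tok.pop(0)
            src, sport = _addr(tok), _ports(tok)
            dst, dport = _addr(tok), _ports(tok)
            rules.append((action, proto, src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport, sport=49152):
    """First matching entry wins; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and src in rsrc and dst in rdst
                and (rsport is None or rsport[0] <= sport <= rsport[1])
                and (rdport is None or rdport[0] <= dport <= rdport[1])):
            return action
    return "deny"

def missing_agent_flows(acl_text, client, ise):
    """Client-to-ISE flows from the resolution list that the ACL does not permit."""
    rules = parse_acl(acl_text)
    required = [("tcp", 8443), ("tcp", 8905), ("udp", 8905)]
    return [f for f in required if evaluate(rules, f[0], client, ise, f[1]) != "permit"]

# Subset of the ACL quoted in the resolution list (remarks, ICMP, www left out).
GUIDE_ACL = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq 8443
permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
deny ip any any
"""
# Constructed variant: the same ACL with the two port-8905 entries removed.
NO_SWISS_ACL = "".join(l for l in GUIDE_ACL.splitlines(True) if "8905" not in l)
CLIENT = "192.0.2.10"  # constructed client address

print(missing_agent_flows(NO_SWISS_ACL, CLIENT, "80.0.80.2"))
```

An empty list means every flow the checker looks for is permitted; run it against the ACL actually applied to the session, with the real ISE address in place of 80.0.80.2.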

  • ISE with NAC agent pop up and Posture waiting

    Hi,
    I have ISE running ver 1.1.1.268. We limited access to certain services before authentication with ACL-DEFAULT (given below) as per the TrustSec design guide.
    Now the issue is that when you have ACL-DEFAULT on the port, the NAC agent does not pop up and does not start the posture part, saying waiting for Posture validation. When the ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.
    However we do not want users to get access to the network before authorization, and that is the reason we use the ACL-DEFAULT.
    Please can someone advise me how to achieve both of the above tasks? Why does the NAC agent not pop up and do the posture when ACL-DEFAULT is there on the switch?
    Here is what I have configured on ACL-DEFAULT.
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    permit tcp any any eq domain
    permit udp any any eq 389
    permit tcp any any eq 135
    permit tcp any any eq 445
    permit udp any any eq 445
    permit tcp any any range 135 139
    permit tcp any any eq 389
    permit tcp any any eq 3268
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
    permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
    remark Drop all the rest
    deny   ip any any log
    Appreciate if someone can give a solid resolution and explanation to this.

    Hi Saurav,
    We have already allowed those ports with another ACL (ACL-POSTURE-REDIRECT). Our issue is not with the web NAC agent.
    The issue is with the NAC agent installed on corporate PCs connecting via wired port. With the ACL-DEFAULT it does not pop up and does not do the posturing; however, once we removed the ACL-DEFAULT from the access port, everything works fine.
    Since we do not want any user to access unwanted services before authorization, we add this ACL on the access port, and as per the TrustSec design this has to be there if you want to have ISE with closed mode.
    thanks

  • After installing NAC agent I must remove cable before opening Windows session normally

    Hi
    I use ISE 1.1 and NAC agent 4.9
    I have configured my Catalyst 2960 port with dot1x and installed the NAC agent on many computers.
    But I observed that I am unable to open a Windows session on some computers (Windows 7).
    When I enter login and password, I get a black screen and nothing else; then if I remove the network cable on my computer, the black screen changes and moves to the Windows desktop normally.
    Why do I need to remove the network cable before getting to my desktop normally?
    Please, how can I fix this issue?
    Thanks in advance for your help

    Hi
    The given link might be helpful regarding your issue:
    http://www.cisco.com/en/US/netsol/ns466/index.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html

  • Run NAC agent before user login - Win7?

    Greetings all and thx in advance for any advice! Environment details - ISE 1.2. Patch 5 and cisco NAC agent 4.9.3.
    I have all of the authen/authz policies working and functioning properly, however, I have run into an issue with the NAC agent running posture only after user login.  This is causing some grief, mainly that users required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied.  I was hoping that posture would complete long before windows login was even an option for the user but for some reason I appear to require an interactive login to get the NAC agent to run posturing.  Any thoughts or ideas on this?  I tried the NAC agent installation with a couple of different user accounts on the windows hosts but without success, it will only posture once I have interactive login.  I went pretty deep on the removal of the posture conditions to simply checking a single windows service but it didn't make any difference.  Thanks for any advice!!
    IA

    Thanks for the reply Saurav, I should have clarified a design point.  I am not doing any user authentication, only doing a machine authen.  As I mentioned I can't seem to posture pre-user authentication even though I am not doing any user authentication.
    IA

  • NAC Agent AD SSO delayed 10 minutes to logon

    Hi,
    I installed NAC in OOB layer 2 with AD SSO and the NAC AD SSO process is very slow (about 10 minutes)
    I first logon on Windows with username and password in the domain.
    After about 1-2 minutes, the NAC Agent stays in the system tray and shows me the certificate message:
    I click yes and after about 5 minutes, the NAC Agent shows me the certificate message again. I click yes again, then the NAC Agent pops up with the message: "Executing automatic login Windows Domain for NAC":
    After about 3 minutes the NAC Agent gives me access to the network:
    I configured rules for Unauthenticated Role to allow:
    TCP - 88,135,139,389,445,636,1025,1026,3268,49152-65535
    UDP - 88,123,137,389,636
    ICMP - Allowed ICMP to Domain Controller
    It's about 10 minutes to log on. I tested on Windows XP, Windows Vista and Windows 7 machines.
    Thanks
    Moises Araujo

    Tarik Adman,
    I executed the nslookup in the machine that I am testing and in the NAC Server, there are three AD Servers, and they are the same in the machine and in the NAC Server.
    I already added the policy to permit the requested ports in the Unauthenticated Role for the three AD Servers:
    TCP: 88,135,139,389,445,636,1025,1026,3268,49152-65535
    UDP: 88,123,137,389,636
    ICMP to the three AD (I can ping the three AD from the cmd on the testing machine when I am waiting to authenticate)
    The NAC Agent is still showing the certificate two times, and after about 5 minutes it tries to log on to the Windows Domain (about 3 minutes to log on)
    Thanks
    Moises

  • NAC Agent takes a long time to run

    Cisco NAC agent takes a long time to pop up or run on a Windows 7 machine.
    The client machine is Windows 7, running NAC agent 4.9.0.42, against ISE 1.1.1
    Any ideas how to reduce NAC Agent timing?

    Hi Tariq,
    I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disable the l3 swiss delay and reduced the httpa discovery timer from 30 to 05 sec, but clients still take approx 2.30 minutes to pop up and finish the posture discovery.
    Can you please advise if this is the minimum time, or what the minimum time is and what parameters to set to complete agent popup and posture discovery in a minimum time..?
    Is there any option so that we can run this in the background..?
    thanks in advance..

  • NAC Agent reporting never shows a failure

    I seem to only get reports for successful agent logins under Device MGMT>Clean Access>Clean Access Agent>Reports.  Am I missing a setting somewhere?  Even though I have had many failures (testing, etc) I never see a failed report.  Any ideas?

    Hello,
    Could you please confirm what error message you are getting on the NAC agent (if using the NAC agent for posture validation)?  The NAC agent will display the standard stuff such as 'temporary access', etc.  The message displayed is based upon which requirement is failing, for example a standard AV installation check/rule.
    Also, for this failing client, do you see a passed report or no report at all? Well, for the agents that ultimately pass posture assessment (even if a particular check/rule fails) we see a passed report.  If the agent never gains access, IE never gets out of 'Temporary Access' we don't see any report.  I am hoping that when a Agent fails posture assessment we will see a failed report.  IE, we need a way for the service desk to be able to monitor failed sessions proactively, and with the minimal external alerts available (no email, etc) these failed reports would be key. 
    If we can't see any report at all, there may be something that breaks before that. I have pages and pages of successful reports, but not a single failed report.
    A quick way to verify would be to collect the NAC agent's logs after a failure, under
    Start > Program Files > Cisco > Client Utilities > Cisco Log Packager I don't see this installed on any of the machines with an agent?  Please advise where I can download it.  Thanks.

  • NAC Agent is not responding to ISE

    Hi All,
    Cisco NAC Agent got downloaded to the client during client provisioning. Even after that, Posture status is showing as 'Not applicable'.
    Also, redirection only happens if I type an IP address, e.g. 1.1.1.1, in the browser. If I type google.com, it's not redirecting.
    ISE is in Cluster mode 1 Admin, 1 Monitor, 1 PSN. Version 1.2.1.198.
    Note: Before the upgrade it was showing 'Posture Pending' status. 

    What is the NAC version?
    Could be a bug CSCuq52821

  • NAC Agent Installation "loop"

    Hello Guys, me again
    I'm seeing an issue when the client tries to install the NAC agent on his PC.
    The client reports that an update is available for which I click OK, then it appears to download the new agent (really fast btw) and then it starts installing it. Once that's done it reports again that an update is available and the process starts all over and keeps going on indefinitely.
    The only way I managed to get around it was by disabling the "upgrade mandatory" setting on the client provisioning policy. Still I get the "an upgrade is available" message only that with that setting disabled I can hit cancel and continue.
    Another thing that I'm seeing is that client that I'm seeing as installed on the client is 4.9.0.36 but the ISE only has 4.9.0.37 so I don't know where the .36 is coming from if nothing has been previously installed on the client.
    Has anybody else run into this issue before?
    Thanks in advance,
    Luis Raga

    I'm getting the same issue. I have agents running version 4.7.2.10 and the new version that they are being prompted to install is version 4.9.2.8. The install starts and seems to complete, but when the NAC agent restarts the user is prompted to reinstall the new agent. When you check the version of the NAC installed it is still 4.7.2.10.
    Sachin

  • Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

    Hi All,
    We have posture assessment working with the Cisco NAC agent, checking only Symantec Antivirus definition update and installation. Windows Defender is on all the user PCs, turned off and not in use. But the Cisco NAC agent is showing both Windows Defender and Symantec in the List of Antivirus & Anti-Spyware Products Detected by the Agent field. We don't want Windows Defender to show in this list.
    Anyone encountered this list before?? Please suggest.. I want to get rid of Windows Defender from this list in the NAC agent.

    Closest enhancement I could check on this is
    CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
    Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines.  Many users disable this and install their own AntiSpyware product.  Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
    This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Clean Access Agent doesn't pop up

    Hello
    I use NAC for remote VPN connection.
    I don't have any problem with the VPN.
    I have the following problem:
    When the response time from the VPN client (after it has connected to the VPN server) to the CAS Clean Access Server is greater than 600ms, the Clean Access Agent doesn't pop up, but when it is lower than that (for example 150ms) the Clean Access Agent pops up.
    Is there any option to resolve this problem?
    Thank you for your help.

    Hello
    I use:
    Windows Clean Access Agent
          Setup Version: 4.1.3.1
    Also the Clean Access Server has the same version 4.1.3.1

  • NAC Agent Distribution on End Users w/o Administrative privileges

    I'm looking for options for distributing the NAC agent. I would like as many options as possible to see if it fits any of my scenarios.
    Any ideas or current use cases anyone has done?
    Thanks in advance

    David,
    Currently not possible. NAC agent runs as a program and has to run under user credentials for it to be able to identify the user correctly that is being NAC'd. In later versions there's a service component of the agent, but the SSO functionality still relies on the Agent being loaded correctly. Your option is to run a delay script (detailed here: http://tinyurl.com/25d2aua ) and once that passes, then call your other scripts which do the mapping.
    Also if you're having such inordinate delays in the initial SSO process, ensure you have all the ports open that need to be open, including the IP FRAGMENTS and ICMP to all your DCs in the Unauthenticated Role.
    HTH,
    Faisal

  • Customizing the NAC agent profile

    Hi,
    We need to have very minimal user intervention while completing the posture part on the NAC agent on the user PC.
    Can someone please advise how to achieve the below tasks.
    1) Automatically accept the Network usage policy before its timeout (50 sec) expires (if the timeout expires it will go to the "Deny Network Access" state, as it assumes the "Reject" button was clicked (attached screen1))
    2) we need to keep all the posture pop-up, verification timings.
    Thanks

    Hi,
    Currently this isn't possible. If you have an account team, please ping them to get this added to the feature request list.
    HTH,
    Faisal
