NAC Agent Deployment

Hi All,
Is there a way to perform an unattended installation for Cisco NAC Agent? We are trying to deploy the NAC Agent using Tivoli, but the administrators of this tool asked us if the installation package of the NAC Agent has an option to perform a silent installation.
Regards!

Marco,
Hopefully this guide will help; you can execute a script that will install the agent silently.
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1577111
Thanks,
Tarik

Similar Messages

  • NAC AGENT - DISCOVERY HOST IP ADDRESS with AD

    Hi,
    We have deployed a Cisco NAC Agent in our network with GPO update... The deployment model is L3 OOB / Real IP Gateway.
    The issue is that we need to put the IP address in each host manually to start communicating with Cisco NAC Manager.
    Is there any way to make it automatic?
    Regards,
    Mubasher

    Hi Mubashir,
    I faced the same problem with Cisco ISE and Tiago's response actually helped; see below.
    " You can also distribute the NACAgentCFG.xml file with that value set.
    Please find here detailed info regarding this file:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
    In that link, read the section: Agent Customization Settings
    From a NAC agent that has successfully been deployed with the IP configured, go to the NAC agent installation folder
    C:\Program Files (x86)\Cisco\Cisco NAC Agent, copy the NACAgentCFG.xml, open it with WordPad and edit the line
    IP of PDP node or ISE standalone server
    Then place the edited NACAgent.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed, it automatically picks the configs from the .xml file.
    Regards,
    Henry

  • NAC Agent and NSP provisioning with ISE 1.1.1

    I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
    I am currently using the default guest portal in ISE.
    The environment has been setup using a Dual SSID design.
    At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
    The problem is the portal never attempts to install the NAC Agent.
    The client provisioning policy has separate policies for wireless/wired as well as OS. Each policy applies both an NSP and a NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
    Any ideas?

    Just so I understand this correctly, you are using both a client provisioning portal and a native supplicant provisioning portal tied into separate authz policies.
    With that out of the way, are you checking to see if the client is compliant in the client provisioning portal policy?
    Let me know if you have the following configured (example Windows OS); this is assuming that the endpoint is statically assigned to RegisteredDevices after native supplicant provisioning.
    Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
    Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
    Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication method using mschapv2) RESULT windows provisioning portal
    Hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • NAC Agent does not pop up after psn fails.

    So I'm in the middle of a deployment where I have 4 ISE appliances, two in one location and two in another location.
    The first location has 2 with all personas installed, whereas the other two are only PSN. In each area, NAC agent pops up normally after connecting/swapping to wired or wireless networks. During HA tests I have encountered that when the two ISE from the remote area fail (shutdown switch port for testing of course) the client does get authenticated but it stays in the POSTURE_REQ state on wireless and the Agent fails to pop up.
    - I have tried forcing the servers on the profile on ISE (provisioning) and I can see how it is somehow updated on the xml configuration file in the remote endpoint, but still the NAC agent won't pop up.
    - Increased timeout timers also, no luck.
    - Reinstalled NAC agent manually and by ise auto provisioning, no luck.
    - Ran a wireshark capture and saw requests sent to the default GW with the positron thing but never get an answer, but then I try connecting to the ISE manually https://(ADMIN_NODE_FAR_FROM_ENDPOINT)/guestportal/gateway?sessionId=(gibberish)&action=cpp and it works, so it is reachable from the endpoint
    I believe there is some kind of sync problem, my ISE are in UTC time and NADs have local timezone, but then why does it work locally??
    Any thoughts on this?
    Thank you for all your kind help

    You have done a reset. What does that mean? Did you reset all settings?
    Settings>General>Reset>Reset all Settings. You will have to enter all device settings again.

  • NAC agent failing to popup

    Dears,
    I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"); each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.
    When we are working on the first node everything is fine. If I try to disconnect ISE1 and do my tests on ISE2, the Cisco NAC agent doesn't pop up, unless I uninstall it and reinstall it again from the ISE2. Then it will work properly.
    Note: the NAC agent version is the following: nacagent-4.9.0.37.
    Any idea?
    Regards
    Zahi

    Hi Tarik,
    below are my answers:
    1- The content of the dACL:
    ip access-list extended POSTURE-REMEDIATION
    permit udp any any eq domain
    permit ip any host 10.10.10.125         >>>> antivirus server
    permit ip any 10.10.240.0 0.0.0.255   >>>> voice subnet
    permit ip any 10.10.31.0 0.0.0.255    >>>> quarantine vlan subnet
    permit ip any host 10.10.10.238        >>>> ip add of ISE1
    permit ip any host 10.10.10.239        >>>> ip add of ISE2
    permit ip any host 10.10.10.206        >>>> wsus server
    permit ip any host 10.10.10.10          >>>> domain 1
    permit ip any host 10.10.10.100          >>>> domain 2
    2- When I open a web browser, yes I get redirected to the nac agent download page
    3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:
    sw#sho authentication sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  b8ac.6fc9.b26f
               IP Address:  10.10.31.2
                User-Name:  RJ\15592
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  31
                  ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
         URL Redirect ACL:  ACL-POSTURE-REDIRECT
             URL Redirect:  https://RJ-ISE-1.rj.com:8443/guestportal/gateway?session
    Id=0A0A0C86000000186ADBBD8B&action=cpp
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000186ADBBD8B
          Acct Session ID:  0x00000023
                   Handle:  0x31000018
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    sw#sho authentication sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  b8ac.6fc9.b26f
               IP Address:  10.10.30.12
                User-Name:  RJ\15592
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  30
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000186ADBBD8B
          Acct Session ID:  0x00000023
                   Handle:  0x31000018
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:
    sw#sho auth sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  0025.6458.8409
               IP Address:  10.10.31.8
                User-Name:  RJ\15946
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  31
                  ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
         URL Redirect ACL:  ACL-POSTURE-REDIRECT
             URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?session
    Id=0A0A0C86000000206AF3FAC1&action=cpp
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000206AF3FAC1
          Acct Session ID:  0x0000002B
                   Handle:  0x2C000020
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    you may find attached also the pcap file of the client machine when it is authenticating with the ISE2.
    Thank you in advance
    Zahi
    Message was edited by: ZAHI BOU KHALIL
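
The checks this post invites (is the session still in redirect, does the `sessionId` in the redirect URL match the Common Session ID, and does the dACL permit the PSN named in that URL) can be scripted. This is an added example, not part of the original thread; the function names are hypothetical, and the hostname-to-IP map is an assumption built from the poster's ">>>> ip add of ISE1/ISE2" annotations.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: excerpts of the switch output and dACL quoted above.
SESSION_PENDING = """\
sw#sho auth sessions int fast 0/12
            Interface:  FastEthernet0/12
           IP Address:  10.10.31.8
               Status:  Authz Success
              ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
     URL Redirect ACL:  ACL-POSTURE-REDIRECT
         URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?session
Id=0A0A0C86000000206AF3FAC1&action=cpp
      Session timeout:  N/A
    Common Session ID:  0A0A0C86000000206AF3FAC1
"""
DACL = """\
ip access-list extended POSTURE-REMEDIATION
permit udp any any eq domain
permit ip any host 10.10.10.125         >>>> antivirus server
permit ip any 10.10.240.0 0.0.0.255   >>>> voice subnet
permit ip any 10.10.31.0 0.0.0.255    >>>> quarantine vlan subnet
permit ip any host 10.10.10.238        >>>> ip add of ISE1
permit ip any host 10.10.10.239        >>>> ip add of ISE2
"""
# Assumption: these FQDNs resolve to the addresses annotated as ISE1/ISE2.
PSN_IPS = {"rj-ise-1.rj.com": "10.10.10.238", "rj-ise-2.rj.com": "10.10.10.239"}

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?):\s{2,}(\S.*?)\s*$")


def parse_session(output):
    """Parse 'Key:  value' lines; rejoin a redirect URL wrapped by the terminal."""
    fields, last = {}, None
    for line in output.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last == "URL Redirect" and line.strip():
            fields[last] += line.strip()  # continuation of the wrapped URL
    return fields


def parse_dacl(text):
    """Return destination networks of 'permit ip any <dest>' entries only."""
    nets = []
    for line in text.splitlines():
        tok = line.split(">>>>")[0].split()  # drop the poster's annotations
        if tok[:3] != ["permit", "ip", "any"] or len(tok) < 4:
            continue  # other protocols (e.g. the udp/domain entry) are ignored
        if tok[3] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif tok[3] == "host" and len(tok) >= 5:
            nets.append(ipaddress.ip_network(tok[4] + "/32"))
        elif len(tok) >= 5:
            # address + wildcard mask; ipaddress accepts host-mask notation
            nets.append(ipaddress.ip_network(f"{tok[3]}/{tok[4]}"))
    return nets


def check_session(output, dacl_text, psn_ips):
    """Summarise whether the redirect target is consistent and reachable."""
    s = parse_session(output)
    url = urlsplit(s.get("URL Redirect", ""))
    host = url.hostname or ""
    sid = parse_qs(url.query).get("sessionId", [""])[0]
    ip = psn_ips.get(host)
    return {
        "posture_pending": bool(url.netloc),
        "redirect_host": host,
        "session_id_matches": sid != "" and sid == s.get("Common Session ID"),
        "psn_permitted": ip is not None
        and any(ipaddress.ip_address(ip) in n for n in parse_dacl(dacl_text)),
    }


if __name__ == "__main__":
    print(check_session(SESSION_PENDING, DACL, PSN_IPS))
```

A `psn_permitted` of False for the node named in the redirect URL means the remediation dACL blocks the agent from reaching that PSN, which is worth ruling out before reinstalling the agent.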

  • ISE - NAC agent profile

    Dears
    I want to deploy NAC agent via GPO and I need to create an agent profile. I know how to create it on ISE, but how do I get the file in XML format to be distributed?

    You can try installing only one PC (either by manual installation or by captive portal). If you have configured the posture rules in ISE then the NAC Agent automatically contacts the ISE server and downloads the last NACAgentcfg.xml available.
    Then you could browse the following directory and find the NACAgentcfg.xml file in your PC.
    C:\Program Files (x86)\Cisco\Cisco NAC Agent
    After that you can mass deploy the NAC agent along with the xml file. Although it is not mandatory to deploy the xml file because, as I said, every time there's a posture rule the NAC agent will download the last NACAgentcfg.xml available from ISE server.
    Please rate if it helps.

  • NAC Agent/ActiveX/Java applet

    Hi,
    For L3 OOB deployment, does anyone know how the NAC agent/ActiveX/Java applet refreshes the IP address for the client?
    I know that in the Login Page configuration, two options need to be checked to use the ActiveX/Applet web client to refresh the client’s IP address:
    - Use web client to detect client MAC address and Operating System
    - Use web client to release and renew IP address when necessary (OOB).
    But what I need to know is how the agent/ActiveX/Java applet refreshes the IP address for the client.
    Do these programs (agent/ActiveX/Java applet) trigger the client machine to do that?
    regards
    MAM

    MAM,
    You're right. The applets do indeed trigger a dhcp refresh on the machines. This is to avoid bouncing the port which can be problematic when you have IP phones.
    More info on this in the docs here: http://tinyurl.com/yhnskdf
    HTH,
    Faisal

  • Question about cisco nac agent

    When I deploy Cisco NAC appliance, what is the main difference between using Cisco NAC appliance with or without the agent? I see Cisco NAC agent has two functions: scan and remediation. If Cisco NAC appliance is used without the agent, Cisco NAC server will scan the device and remediate. Is that right?
    Please answer me early. Thank you for your answer.

    Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
    We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
    1) You have to decide which vulnerabilities you want to scan for.
    2) The more plug-ins you enable, the longer (obviously) the scan takes.
    3) There are configuration steps for many of the plug-ins
    4) Your users will still need to go to a login page in order to be scanned.
    5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
    From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
    It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
    Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
    Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

  • NAC Agent Distribution

    Hello,
    I have updated NAC from 4.7 to 4.8. I want to distribute the NAC agent throughout the campus on 1000 PCs. How can I do it? I have downloaded a NAC agent from the Cisco site, nacagentsetup-win-4.8.0.32. Is it the right agent patch that I have to distribute?
    I can distribute through BigFix or Microsoft System Management Server (SMS). Does anybody have a step-by-step procedure to do that?
    Thanks

    Hi,
    Because it is initial deployment, there is another reason to use the automatic method to install the Agent on each PC directly from the CAM.
    For it to happen, you only need to configure the CAM login page to "Require use of Agent":
    So, then every client that doesn't have the Agent, just needs to open a web browser, it gets redirected to the NAC login page (assuming everything is working fine), and after login, the agent is offered to download and install.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • NAC Agent issues

    Hi guys,
    We are encountering several problems with regards to the NAC Agent. We are deploying AD SSO and for some reason, on the same switch other hosts are performing SSO correctly and others are being prompted for a user name and password by the NAC agent even though the hosts are all logging in the same domain. Do you guys have any idea on how to go about this problem?

    Hi Guys,
    I have deployed NAC in OOB Real IP gateway mode and it is working fine over LAN.
    Once I enabled the L3 functionality to connect the remote site, after that the local user is being certified through WEB LOGIN.
    But the NAC pop-up is not reflecting to supply the username and password.
    A problem occurred when stopping the NAC agent services: "Agent has been terminated due to unexpected error. please restart your machine."
    Note: No ACL is configured yet.
    I have performed the following tasks to fix it:
    1. Restarted NAC agent services.
    2. Checked proxy settings.
    Could you please help me out to resolve this issue?
    Thanks & Regards,
    Azeem Khan

  • Cisco ISE & NAC Agent in a Vmware View VDI Environment

    Hi,
    Anyone deployed Cisco ISE NAC agent on a vmware view virtual desktop environment (VDI)?

    There are no known issues regarding VMWare view that would cause this.
    For AV see -> http://www.novell.com/support/kb/doc.php?id=7007545
    I find ProcMon for Sysinternals useful to see if other processes such as
    AV are hitting those files unexpectedly. A few times I have seen AV
    Exclusions not quite working as expected until tweaked.
    The ZMD-Messages.log may show if the agent is doing something....
    On 9/30/2014 9:36 PM, harrymsg wrote:
    >
    > We have been running 11.2.4 in our View VDI environment and overall been
    > very successful. We just rolled Win 7 and are seeing approx. 10% of the
    > VMs with the zenworkswindowsservice.exe running steadily around 50% for
    > hours. Any thoughts? One thing I just set to try was excluding that
    > from Microsoft FEP AV. Any other thoughts to resolve? Thanks.
    >
    >
    Craig Wilson - MCNE, MCSE, CCNA
    Novell Technical Support Engineer
    Novell does not officially monitor these forums.
    Suggestions/Opinions/Statements made by me are solely my own.
    These thoughts may not be shared by either Novell or any rational human.

  • Oracle Enterprise Manager Agent deployment (Installation and Configuration) Error

    Hello,
    I am trying to create an agent on a Linux server using Oracle Enterprise Manager 12.1.0.3. The user is created with root privilege on the server, by changing the /etc/sudoers entry for the username to be the same as the root entry. After that I tried to add a host target by clicking Setup->Add Target->Add target Manually->Add Host Targets in the Oracle Enterprise Manager.
    In the Add Target view: I clicked on add, then I entered host and platform information. After that I clicked next. Then I provided the Linux x86-64 : Installation Details for
    Installation Base Directory, Instance Directory, Name Credential ... then clicked next, then clicked Deploy Agent.
    In the Add Host Status view: stages Initialization and Remote Prerequisite Check successfully passed, but in the stage Agent Deployment, it failed in the Installation and Configuration phase of the Agent Deployment stage.
    The log content is shown below. There are numerous SEVERE errors. But I don't have much experience in dealing with these types of problems. I thank you in advance for all the help.
    lf
    WARNING: Validation of XML schema is disabled because AggregateDescriptions.xsd could not be found
    INFO: Creating new CFM connection
    INFO: Creating a new logger for oracle.sysman.top.agent
    INFO: Unmarshalling /users/ncgf/em_agent/core/12.1.0.3.0/inventory/ContentsXML/ConfigXML/oracle.sysman.top.agent.12_1_0_3_0.xml
    INFO: Creating a new logger for OuiConfigVariables
    INFO: Unmarshalling /users/ncgf/em_agent/core/12.1.0.3.0/inventory/ContentsXML/ConfigXML/OuiConfigVariables.1_0_0_0_0.xml
    INFO: Aggregate Description oracle.sysman.top.agent:12.1.0.3.0:common successfully loaded
    INFO: Aggregate Description OuiConfigVariables:1.0.0.0.0:common successfully loaded
    INFO: Successfully returning from CfmFactory.connect()
    INFO: Cfm.save() was called
    INFO: Cfm.save(): 2 aggregate instances saved
    INFO: oracle.sysman.top.agent:IAction.perform() was called on {Action state:configuration in CfmAggregateInstance: oracle.sysman.top.agent:12.1.0.3.0:common:family=CFM:oh=/users/ncgf/em_agent/core/12.1.0.3.0:label=1}
    INFO: Framework waiting for Action to complete at 15:08:10.272
    INFO: CfwProgressMonitor:actionProgress:About to perform Action=configuration Status=is running with ActionStep=0 stepIndex=0 microStep=0
    WARNING: Skipping environment variable line: "}": oracle.sysman.emCfg.common.CfwException: A non-empty environment line must contain "=": }
    WARNING: Failed to read environment variable file /users/ncgf/em_agent/core/12.1.0.3.0/install/envVars.properties: java.io.FileNotFoundException: /users/ncgf/em_agent/core/12.1.0.3.0/install/envVars.properties (No such file or directory)
    INFO: oracle.sysman.top.agent:About to execute plug-in Agent Configuration Assistant
    INFO: oracle.sysman.top.agent:The plug-in Agent Configuration Assistant is running
    INFO: oracle.sysman.top.agent:Internal PlugIn Class: oracle.sysman.agent.config.AgentConfiguration
    INFO: oracle.sysman.top.agent:Classpath = /users/ncgf/em_agent/core/12.1.0.3.0/oui/jlib/srvm.jar:/users/ncgf/em_agent/core/12.1.0.3.0/jlib/agentConfig.jar:/users/ncgf/em_agent/core/12.1.0.3.0/jlib/emConfigInstall.jar:/users/ncgf/em_agent/core/12.1.0.3.0/sysman/jlib/emagentSDK.jar:/users/ncgf/em_agent/core/12.1.0.3.0/modules/oracle.http_client_11.1.1.jar:/users/ncgf/em_agent/core/12.1.0.3.0/sysman/jlib/log4j-core.jar
    INFO: oracle.sysman.top.agent:AgentConfiguration:agent configuration has been started
    INFO: oracle.sysman.top.agent:Parametes passed to agent configuration are:
    1.ORACLE_HOME=/users/ncgf/em_agent/core/12.1.0.3.0
    2.AGENT_PORT=3872
    3.ORACLE_HOSTNAME=nsn175-89.us.oracle.com
    4.b_doDiscovery=false
    5.AGENT_BASE_DIR=/users/ncgf/em_agent
    6.AGENT_INSTANCE_HOME=/users/ncgf/em_agent/agent_inst
    7.s_hostname=nsn175-89.us.oracle.com
    8.OMS_HOST=nsn175-105.us.oracle.com
    9.b_startAgent=false
    10.b_secureAgent=true
    11.b_chainedInstall=false
    12.b_forceConfigure=false
    13.EM_UPLOAD_PORT=4904
    14.b_forceAgentDefaultPort=false
    15.s_staticPorts=
    16.PROPERTIES_FILE=
    b_skipValidation=false
    INFO: oracle.sysman.top.agent:Validating OMS_HOST and EM_UPLOAD_PORT
    INFO: oracle.sysman.top.agent:Validating with http protocol ...
    INFO: oracle.sysman.top.agent:URL framed is:http://nsn175-105.us.oracle.com:4904/empbs/genwallet
    SEVERE: oracle.sysman.top.agent:Connection refusedUnexpected end of file from server
    INFO: oracle.sysman.top.agent:Validating with https protocol ...
    INFO: oracle.sysman.top.agent:URL framed is:https://nsn175-105.us.oracle.com:4904/empbs/genwallet
    SEVERE: oracle.sysman.top.agent:The EM_UPLOAD_PORT passed is a secure port. Hence AGENT_REGISTRATION_PASSWORD or s_encrSecurePwd should be passed
    INFO: oracle.sysman.top.agent:EM Protocol Switch determined: https
    INFO: oracle.sysman.top.agent:Performing free port detection..
    INFO: oracle.sysman.top.agent:Trying for host : nsn175-89/10.134.175.89 and port : 3872
    INFO: oracle.sysman.top.agent: Trying for host : /127.0.0.1 and port : 3872
    INFO: oracle.sysman.top.agent:** Agent Port Check completed successfully.**
    INFO: oracle.sysman.top.agent:Agent Port from User Passed Port3872
    INFO: oracle.sysman.top.agent:Paths after canonical format conversions are :
    1. state_dir=/users/ncgf/em_agent/agent_inst
    2. agentBaseDir=/users/ncgf/em_agent
    3. oraHome=/users/ncgf/em_agent/core/12.1.0.3.0
    INFO: oracle.sysman.top.agent:Parent directory of agent instance home:/users/ncgf/em_agent
    INFO: oracle.sysman.top.agent:AgentConfiguration:perform:AgentPortHandler for /users/ncgf/em_agent/core/12.1.0.3.0 and hosts=nsn175-89.us.oracle.com returned Port to Use=3872
    INFO: oracle.sysman.top.agent:Instantiating emctl.template file #DEFAULT_EMSTATE# with /users/ncgf/em_agent/agent_inst
    INFO: oracle.sysman.top.agent:Writing the following contents into /users/ncgf/em_agent/core/12.1.0.3.0/install/oragchomelist
    INFO: oracle.sysman.top.agent:/users/ncgf/em_agent/core/12.1.0.3.0:/users/ncgf/em_agent/agent_inst
    INFO: oracle.sysman.top.agent:Both /etc/oragchomelist and /var/opt/oracle/oragchomelist does not exist.
    INFO: oracle.sysman.top.agent:Executing emctl deploy agent command...
    INFO: oracle.sysman.top.agent:AgentConfiguration: Executing emctl deploy agent command...
    INFO: oracle.sysman.top.agent:Executing the command: /users/ncgf/em_agent/core/12.1.0.3.0/bin/emctl deploy agent -L -o nsn175-105.us.oracle.com:4904 -N /users/ncgf/em_agent/agent_inst nsn175-89.us.oracle.com:3872 nsn175-89.us.oracle.com
    INFO: oracle.sysman.top.agent:Creating shared install...
    INFO: oracle.sysman.top.agent:Source location: /users/ncgf/em_agent/core/12.1.0.3.0
    INFO: oracle.sysman.top.agent:Destination (shared install) : /users/ncgf/em_agent/agent_inst
    INFO: oracle.sysman.top.agent:Secure Mode: No
    INFO: oracle.sysman.top.agent:DeployMode : agent
    INFO: oracle.sysman.top.agent:
    INFO: oracle.sysman.top.agent:Creating directories...
    INFO: oracle.sysman.top.agent:Creating private.properties...
    INFO: oracle.sysman.top.agent:Creating blackouts.xml...
    INFO: oracle.sysman.top.agent:Creating targets.xml...
    INFO: oracle.sysman.top.agent:Creating emctl control program...
    INFO: oracle.sysman.top.agent:Creating emtgtctl control program...
    INFO: oracle.sysman.top.agent:Agent will not be secured.
    INFO: oracle.sysman.top.agent:Secure REPOSITORY_URL found. New agent should be configured for secure mode
    INFO: oracle.sysman.top.agent:Secure emdWalletSrcUrl found. New agent should be configured for secure mode
    INFO: oracle.sysman.top.agent:Oracle Enterprise Manager Cloud Control 12c Release 3
    INFO: oracle.sysman.top.agent:Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
    INFO: oracle.sysman.top.agent:Property 'agentTZRegion' is  missing from /users/ncgf/em_agent/agent_inst/sysman/config/emd.properties. Updating it...
    INFO: oracle.sysman.top.agent:An agentTZregion of 'US/Pacific' is installed in /users/ncgf/em_agent/agent_inst/sysman/config/emd.properties.
    INFO: oracle.sysman.top.agent:The command: /users/ncgf/em_agent/core/12.1.0.3.0/bin/emctl deploy agent -L -o nsn175-105.us.oracle.com:4904 -N /users/ncgf/em_agent/agent_inst nsn175-89.us.oracle.com:3872 nsn175-89.us.oracle.com completed with status=0
    SEVERE: oracle.sysman.top.agent:Securing of agent step will be skipped because of the following reasons:
    1. Agent Registration Password was not passed.
    2. b_secureAgent was passed as false
    3. The flag -forceConfigure was assed from agentDeploy.sh
    INFO: oracle.sysman.top.agent:Plugin File:/users/ncgf/em_agent/plugins.txt
    INFO: oracle.sysman.top.agent:Plugin Homes found.
    INFO: oracle.sysman.top.agent:Executing command :/users/ncgf/em_agent/core/12.1.0.3.0/perl/bin/perl /users/ncgf/em_agent/core/12.1.0.3.0/bin/AgentPluginDeploy.pl -oracleHome /users/ncgf/em_agent/core/12.1.0.3.0 -agentDir /users/ncgf/em_agent -pluginIdsInfoFile /users/ncgf/em_agent/plugins.txt -action configure -emStateDir /users/ncgf/em_agent/agent_inst
    INFO: oracle.sysman.top.agent:
    INFO: oracle.sysman.top.agent:
    INFO: oracle.sysman.top.agent:The Agent emStateDir location passed is /users/ncgf/em_agent/agent_inst
    INFO: oracle.sysman.top.agent: The log file is /users/ncgf/em_agent/agent_inst/install/logs/agentplugindeploy_2013_10_16_15_08_11.log
    INFO: oracle.sysman.top.agent: The temp file created to check R/W permissions in Oraclehome: /users/ncgf/em_agent/core/12.1.0.3.0 is /users/ncgf/em_agent/core/12.1.0.3.0/rwFile
    INFO: oracle.sysman.top.agent:Plugin command completed with status=0
    INFO: oracle.sysman.top.agent:Executing command :/users/ncgf/em_agent/agent_inst/bin/emctl listplugins agent -type all
    INFO: oracle.sysman.top.agent:Oracle Enterprise Manager Cloud Control 12c Release 3
    INFO: oracle.sysman.top.agent:Oracle Enterprise Manager Cloud Control 12c Release 3
    INFO: oracle.sysman.top.agent:Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
    INFO: oracle.sysman.top.agent:Copyright (c) 1996, 2013 Oracle Corporation.  All rights reserved.
    INFO: oracle.sysman.top.agent:---------------------------------------------------------------
    INFO: oracle.sysman.top.agent:---------------------------------------------------------------
    SEVERE: oracle.sysman.top.agent:ERROR: The Management Agent configuration failed. The plug-in configuration for the oracle.sysman.oh monitoring plug-in may have failed, or this plug-in may not be present in the Management Agent software. Ensure that the Management Agent software has the oracle.sysman.oh monitoring plug-in, if not then retry the operation. If the agent software has the oracle.sysman.oh monitoring plug-in, view the plug-in deployment log /users/ncgf/em_agent/agent_inst/install/logs to check if the plug-in configuration for the oracle.sysman.oh monitoring plug-in failed.
    SEVERE: oracle.sysman.top.agent:Agent configuration has failed
    INFO: oracle.sysman.top.agent:AgentConfiguration:agent configuration finished with status = false
    INFO: oracle.sysman.top.agent:AgentConfiguration:agent configuration finished with status = false
    INFO: oracle.sysman.top.agent:The plug-in Agent Configuration Assistant has failed its perform method
    INFO: Cfm.save() was called
    INFO: Cfm.save(): 2 aggregate instances saved
    INFO: done waiting for Action from 15:08:10.272
    Thank you for your help AkankshaSheoranKaler. I have executed the following command based on your request. If there is any issue, please let me know. Thanks!
    "Can you run this command to make sure that the agents bits were downloaded correctly : oms home /bin /emcli verify_updates
    Share the output of the command. I am suspecting this is a known issue (Bug 17300008) but I will wait for your output. Also if you can open an SR with Oracle support to track this issue and its resolution. "
    [ncgf@nsn175-105 bin]$ ./emcli setup -url=https://nsn175-105.us.oracle.com:7803/em -username=SYSMAN
    Oracle Enterprise Manager 12c 3.
    Copyright (c) 1996, 2013 Oracle Corporation and/or its affiliates. All rights reserved.
    The configuration directory "/users/ncgf" may not be local. See the "dir" option in the help for the setup command.
    Do you want to continue using this directory? [yes/no] yes
    Enter password
    Emcli setup successful
    [ncgf@nsn175-105 bin]$ ./emcli verify_updates
    Verifying updates. Starting validation...
    Type       : Plug-in
    Description: Demo Hostsample Test Plugin
    Attributes
            Version: 1201000100
            Revision: 0
            OS Platform: Generic Platform
            Plug-in Name: Demo Host Sample Plugin
    Archives are missing from the Software Library. Unable to determine the URL for downloading the update. The update might not have come from Oracle Enterprise Manager Store.
    For each update with missing archives, emcli import_update can be used with a -force option to re-upload the archives to the Software Library.

    Hello AkankshaSheoranKaler
    We have done the following, but we aren't able to resolve this issue. Thank you for your help!
    lf
    “This  happen if the software library is not accessible, readable or unmounted (if it is in shared file system).”
    On Enterprise Manager server [nsn175-105], we did the following:
    1. we modified /etc/exports to include this line: /export *(rw,no_root_squash,sync)
    we start nfs service by executing command “service nfs start”.  
    On Management Agent server (nsn175-89), we verified that we are able to mount /export directory of EM server.
    On Management Agent server, we started firefox browser and were able to run successfully https://nsn175-105.us.oracle.com:4904/empbs/genwallet
    After making this change, we ran agent deployment again. We encountered the same error as shown above.
    “You can fix the software library or you can download the agent bits in offline mode.”
    For fixing the software library, select Setup->Provision and Patching->Offline Patching, then select Offline Patching radio button, download: https://updates.oracle.com/download/em_catalog.zip. Next upload this zip file.
    “Try downloading the bits again”
    We are not sure what agent bits are. Would you please explain this and provide a procedure for how we can download this?
    (Here I have attempted to fix the software library, but I am new to Enterprise Manager and not sure how to interpret this).

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windows 7, IE 9 machine. The certificates from ISE ADM PRI are installed in the trustable certificate store in the client machine, but it is a self-signed ISE certificate.
    The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
    The redirected URL is working fine (SEE Evidence)
    We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
    The operations status remains with posturing status pending forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
    Cisco advises as possible causes: There are multiple possible causes for this type of issue. See the following Resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidence.
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (See evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

    Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
    -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
    -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
    -No certificates are used.
    -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
    -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
    -For now I'm testing it on wired endpoints.
    Is there a way to configure ISE to fulfill the listed above requirements?
    Any ideas would be appreciated.
    Thanks,
    Val Rodionov

    Everyone who finds and reads this article,
    I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
    The answer is Yes.
    After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
    ISE configuration:
    Posture General Settings - Default Posture Status = NonCompliant
    Client Provisioning Policy - no rules defined
    Posture Policy - configured per requirements
    Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
    Authorization Policies configured as regular posture policies
    The result:
    After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply an access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
    If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
    The only part that is not perfect is the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case, so this file can be manually found and edited from CLI (root access).
    Best,
    Val Rodionov

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
    My Cisco NAC Agent (version 4.9.1.682) hasn't worked since I upgraded my Mac OS X 4 months ago. This happens every time with CISCO and MAC when there is a new update, and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released? It's getting really frustrating.

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now
