NAC Agent Distribution on End Users w/o Administrative Privileges
I'm looking for options for distributing the NAC agent. I would like as many options as possible to see if any of them fits my scenarios.
Any ideas or current use cases anyone has done?
Thanks in advance
David,
Currently not possible. The NAC agent runs as a program and has to run under the user's credentials for it to correctly identify the user that is being NAC'd. In later versions there's a service component of the agent, but the SSO functionality still relies on the agent being loaded correctly. Your option is to run a delay script (detailed here: http://tinyurl.com/25d2aua ) and once that passes, then call your other scripts which do the mapping.
Also, if you're having such inordinate delays in the initial SSO process, ensure you have all the ports open that need to be open, including IP fragments and ICMP to all your DCs in the Unauthenticated Role.
HTH,
Faisal
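A logon-script wrapper of the kind the reply above describes, as an added example that is not part of the original thread and not Cisco's code. It assumes the agent's process name is NACAgent, that the drive-mapping logic lives in a separate map-drives.ps1 next to this script, and that dc01.corp.example is a domain controller whose SMB port is blocked in the Unauthenticated Role and reachable only after SSO has moved the session to the authenticated role; all three names are placeholders.

```powershell
# Added example, not from the thread or from Cisco. Waits for the NAC Agent to load and for
# agent SSO to finish before running the user's drive-mapping script.
param(
    [string]$AgentProcess  = 'NACAgent',           # assumed process name (no .exe)
    [string]$ProbeHost     = 'dc01.corp.example',  # placeholder DC
    [int]$ProbePort        = 445,                  # SMB: closed in the Unauthenticated Role
    [int]$TimeoutSeconds   = 300,
    [string]$MappingScript = (Join-Path $PSScriptRoot 'map-drives.ps1')
)

function Test-TcpPort {
    # TCP connect with a timeout; returns $true only if the three-way handshake completes.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Wait-Until {
    # Polls $Condition until it is true or $Deadline passes.
    param([scriptblock]$Condition, [datetime]$Deadline, [int]$PollSeconds = 3)
    while (-not (& $Condition)) {
        if ((Get-Date) -gt $Deadline) { return $false }
        Start-Sleep -Seconds $PollSeconds
    }
    return $true
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$log = Join-Path $env:TEMP 'nac-logon.log'

# Stage 1: the agent must be running in this user's session; without it no SSO takes place.
if (-not (Wait-Until -Condition { Get-Process -Name $AgentProcess -ErrorAction SilentlyContinue } -Deadline $deadline)) {
    Add-Content $log "$(Get-Date -Format s) agent process '$AgentProcess' not found before timeout"
    exit 1
}

# Stage 2: ICMP to the DCs is open in the Unauthenticated Role (see the reply above), so a
# ping proves nothing. A TCP connect to a port only the authenticated role permits does.
if (-not (Wait-Until -Condition { Test-TcpPort -ComputerName $ProbeHost -Port $ProbePort } -Deadline $deadline)) {
    Add-Content $log "$(Get-Date -Format s) ${ProbeHost}:$ProbePort still unreachable; SSO did not complete"
    exit 2
}

# Stage 3: the session is in the authenticated role, so the mapping script will now succeed.
Add-Content $log "$(Get-Date -Format s) SSO complete, running $MappingScript"
& $MappingScript
exit $LASTEXITCODE
```

Run it as the user's logon script in place of the mapping script itself. The probe port matters: if you probe something the Unauthenticated Role already allows (ICMP, DNS), the wrapper returns before SSO and the mappings fail exactly as before.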
Similar Messages
-
Hello,
I have updated NAC from 4.7 to 4.8. I want to distribute the NAC agent throughout the campus to 1000 PCs; how can I do it? I have downloaded a NAC agent from the Cisco site, nacagentsetup-win-4.8.0.32. Is that the right agent patch that I have to distribute?
I can distribute through BigFix or Microsoft Systems Management Server (SMS). Does anybody have a step-by-step procedure to do that?
Thanks
Hi,
Because it is an initial deployment, that is another reason to use the automatic method to install the Agent on each PC directly from the CAM.
For it to happen, you only need to configure the CAM login page to "Require use of Agent":
So, then every client that doesn't have the Agent just needs to open a web browser; it gets redirected to the NAC login page (assuming everything is working fine), and after login the agent is offered for download and installation.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
NAC Agent Customization Distribution
Looks like the NAC agent customizations can be done only when the client PC pulls the install from the CAM. Our PCs do not have admin rights and the software will be pushed through a software distribution tool. Is there any way to distribute the software with the customization file, just like there is an option to install with the agent configuration file?
Thanks
Shaffeel
Hi Shaffeel,
You cannot include the branding files on the MSI installation package of the Agent.
I do not have much experience with centralized client management tools, but you could try a workaround by pushing those files to the client at the appropriate location and then restarting the Agent.
The files to be pushed are the ones you prepared on the branding file to be uploaded to the CAM.
The location of the files is documented at this page:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1606140
Specifically:
In a system that has NAC Agent installed, you can find the "nac_login.xml" file in the "C:\Program Files\Cisco\Cisco NAC Agent\UI\nac_divs\login" directory.
The "nacStrings_xx.xml" file is available in the supported location. The "xx" indicates the locale. In the system that has NAC Agent installed, you can find a complete list of the files in the "C:\Program Files\Cisco\Cisco NAC Agent\UI\cues_utility" directory.
The files are available in the directories mentioned above when the Agent is installed at the default location. If the Agent is installed at a different location, then the files would be available at "\Cisco\Cisco NAC Agent\UI\nac_divs\login" and "\Cisco\Cisco NAC Agent\cues_utility".
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it. -
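The push-and-restart workaround Federico suggests, as an added example written for this page and not code from the thread or from Cisco. It uses only the two file locations the Cisco document quoted above gives (UI\nac_divs\login for nac_login.xml and UI\cues_utility for the nacStrings_xx.xml files); the staging share path, the agent process name NACAgent and the executable name NACAgent.exe are assumptions.

```powershell
# Added example, not from the thread or from Cisco. Copies prepared branding files into an
# installed NAC Agent and restarts the agent only when something actually changed.
param(
    [Parameter(Mandatory)][string]$StagingDir,   # share holding the branding files you uploaded to the CAM
    [string]$InstallRoot = $(if (${env:ProgramFiles(x86)}) { "${env:ProgramFiles(x86)}\Cisco\Cisco NAC Agent" }
                             else { "$env:ProgramFiles\Cisco\Cisco NAC Agent" }),
    [switch]$Relaunch                            # only meaningful when this runs in the user's session
)

function Test-WellFormedXml {
    # A malformed nac_login.xml would break the login dialog for every user, so parse before copying.
    param([string]$Path)
    try { [void][xml]((Get-Content -LiteralPath $Path) -join "`n"); return $true } catch { return $false }
}

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Dispose() }
}

# Destination directories exactly as the Cisco configuration guide documents them.
$targets = @{ 'nac_login.xml' = Join-Path $InstallRoot 'UI\nac_divs\login' }
Get-ChildItem -Path $StagingDir -Filter 'nacStrings_*.xml' |
    ForEach-Object { $targets[$_.Name] = Join-Path $InstallRoot 'UI\cues_utility' }

$changed = $false
foreach ($name in @($targets.Keys)) {
    $src = Join-Path $StagingDir $name
    $dst = Join-Path $targets[$name] $name
    if (-not (Test-Path -LiteralPath $src)) { Write-Warning "missing $src"; continue }
    if (-not (Test-WellFormedXml $src)) { Write-Warning "$src is not well-formed XML; not deploying it"; continue }
    if (-not (Test-Path -LiteralPath $targets[$name])) {
        Write-Warning "$($targets[$name]) not found; is the agent installed under $InstallRoot ?"; continue
    }
    # Skip unchanged files so the agent is not restarted on every run of the deployment tool.
    if ((Test-Path -LiteralPath $dst) -and ((Get-Sha256Hex $src) -eq (Get-Sha256Hex $dst))) { continue }
    Copy-Item -LiteralPath $src -Destination $dst -Force
    $changed = $true
}

if ($changed) {
    # The agent reads the branding files at start-up, so a running instance must be restarted.
    Get-Process -Name 'NACAgent' -ErrorAction SilentlyContinue | Stop-Process -Force
    if ($Relaunch) {
        # The agent has to run under the user's credentials for SSO to work (see the first thread
        # on this page). If this script runs as SYSTEM from a deployment tool, do NOT relaunch
        # here; the user's next logon starts the agent again in the right context.
        Start-Process -FilePath (Join-Path $InstallRoot 'NACAgent.exe')
    }
}
```

Writing into the agent's directory needs administrative rights, which is why the copy runs from the software distribution tool rather than from the user's session; the relaunch, by contrast, must not.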
Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
-My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
-The requirement is to check posture only on company-owned wired, wireless, and VPN-connected Windows computers. The rest of the endpoints should be considered posture non-compliant, and only limited access to the network should be allowed.
-No certificates are used.
-I've configured the required posture check, and it all works fine if a PC has the NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without the NAC Agent, it is redirected to the Client Provisioning Portal and is stuck there, as Client Provisioning is deliberately not configured in ISE.
-If I remove the Posture Remediation Authorization Profile that does the URL redirect, posture does not work.
-For now I'm testing it on wired endpoints.
Is there a way to configure ISE to fulfill the requirements listed above?
Any ideas would be appreciated.
Thanks,
Val Rodionov
Everyone who finds and reads this article,
I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
The answer is Yes.
After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
ISE configuration:
Posture General Settings - Default Posture Status = NonCompliant
Client Provisioning Policy - no rules defined
Posture Policy - configured per requirements
Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
Authorization Policies configured as regular posture policies
The result:
After successful dot1x authentication the posture redirect happens. If the PC does not have the NAC Agent preinstalled, the browser is redirected to the Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply an access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and the proper authorization policy is applied. This is what I wanted to achieve.
If the NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs the posture check. If posture is successful, the posture-compliant authorization policy is applied. If the posture check fails, NonCompliant posture status is assigned and the posture non-compliant authorization policy is applied, which is the expected and needed result.
The only part that is not perfect is the message displayed to the end user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case so this file can be manually found and edited from the CLI (root access).
Best,
Val Rodionov -
NAC Agent Not Working on Windows 64-Bit
Hi All,
I have a Cisco ISE 3315 with version 1.1.4.
We have Windows workstations and we have an issue with Windows 7 64-bit users.
On some 64-bit workstations the NAC agent takes about 25 minutes to start checking the posture status!
I don't have that problem with 32-bit workstations. We are using NAC Agent 4.9.0.37 and NAC Agent 4.9.0.42.
Here is the log that I get from the 64-bit workstation
Hi
Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may be not responding fast enough for current timeouts.
Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant.
Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information -
NAC Agent 4.9 issue while remediation with in ISE
We have installed NAC Agent 4.9 and have configured a posture policy for Symantec Endpoint Protection version 11.x in ISE 1.1.1. When an end user falls into remediation and tries to remediate by collecting the latest antivirus definitions from the local antivirus, clicking on the update button gives a message stating
"The Remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system
administrator"
It continuously shows that prompt and gives that privilege message.
Do we need to have administrator rights for remediation? This prompt appears again and again until the remediation timer expires and then it falls down to the Non-compliant (Restricted) profile.
Please find attached screen shots for the same
I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
Select Keychain Access -> Preferences from the menu at the top of the screen
Choose the Certificates tab
Change the OCSP option from Best Effort to Off
Close the Preferences dialog and quit Keychain Access
You should be able to NAC now -
NAC Agent scan running application
Dear colleagues,
My customer is being on ISE PoC. They want to test the Posture feature for running application.
I would like to ask: what is the scan interval of the NAC agent? Suppose I want to use the NAC Agent to scan for an illegal application on a PC, but at first, when logging in, the application is not running, and after the NAC agent notifies that the client is compliant the user starts that application. So the question is, can the NAC Agent detect that?
Please kindly share your experience on it. Thank you for your support.
Kind regards,
Hiep
Hiep,
The feature you are asking for is passive reassessment and is done on intervals configured by the administrator.
www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1482451
Thanks,
Tarik Admani
*Please rate helpful posts* -
Dear all,
We have Cisco NAC version 4.9.1 and the agent version is 4.9.1.5. We want to know if there is a way to hide the Cisco NAC agent window so the user does not see it, I mean run it in the background to make it a bit more transparent to the final user.
Anyone have any ideas?
Thanks in advance.
Go to "Administration > User Pages" and make sure you have configured a proper login page for Windows 7.
-
Anybody know the Roadmap for combining NAC Agent and Cisco AnyConnect?
Heard a rumor that Cisco is going to combine the functionality of the NAC Agent and Cisco AnyConnect as far as being an 802.1x supplicant, does anyone have any information about this? Like is it true and if so, any idea when it will happen?
Hi ,
There is no committed plan for NAC and AnyConnect integration. But AnyConnect now comes with a module called NAM (network access module) which can do dot1x as well.
Here is the link for that :
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html
Thanks
Waris -
Cisco NAC agent services not running on Windows XP
Hi,
I have a problem with the Cisco NAC agent services on Windows XP Professional SP3.
After the first installation using the local administrator user, the Cisco NAC agent services on the Windows machine run well, but after logging out and logging in with another user which is registered in domain users, the Cisco NAC agent service is stopped (it goes to Manual mode, not Automatic, and the status is Stopped).
This situation does not happen on all Windows machines; several machines run well.
Cisco NAC agent version 4.9.0.42
Has anyone seen this type of problem?
Below I attached Windows machine information from ones running well and not running. Thanks
Regards,
Rian
Hi, thanks for your answers. dbconsole is started in services.msc and also the Agent, but it goes on to say that the agent is not running.
In sysman log shows this,
"03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
at
at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
at java.lang.Thread.run (Thread.java: 595)
20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
In event viewer shows this,
"Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
I am using the Administrator account -
NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?
Agent Fails to Initiate Posture Assessment
The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from the ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
The reports / USER / Profiling report says the Provisioning Agent has completed the assessment OK.
The redirected URL is working fine (see evidence).
We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
The operations status remains with posture status pending forever and nothing else happens.
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
Cisco advises as possible causes: There are multiple possible causes for this type of issue. See the following resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidence.
CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
• Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE. - OK
• Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (See evidence)
• Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. The limited access ACL applied for the session should allow the Swiss ports: ALL CONFIGURED as per CISCO GUIDELINES OK (SEE EVIDENCE)
• If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
• Ensure that the default gateway is reachable from the client machine. (TESTED OK)
Hi.
Can you paste all the ACLs on your switch, especially the webauth redirect ACL, which should deny traffic towards the PSN.
regards
Zubair -
Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4
Hi
My Cisco NAC Agent (version 4.9.1.682) doesn't work since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
Any update on when a new version is going to be released? It's getting really frustrating.
I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
Select Keychain Access -> Preferences from the menu at the top of the screen
Choose the Certificates tab
Change the OCSP option from Best Effort to Off
Close the Preferences dialog and quit Keychain Access
You should be able to NAC now -
Getting the NAC agent out of the system tray.
I am installing a NAC solution for a customer and they don't want users to have the NAC agent in the system tray. Is there any way to do this? They are pretty adamant about it.
Hi,
Currently this isn't possible. If you have an account team, please ping them to get this added to the feature request list.
HTH,
Faisal -
NAC Agent takes long time to run
The Cisco NAC agent takes a long time to pop up or run on a Windows 7 machine.
The client machine is Windows 7, running NAC agent 4.9.0.42, against ISE 1.1.1.
Any ideas how to reduce the NAC Agent timing?
Hi Tariq,
I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disable the L3 Swiss delay and reduced the HTTP discovery timer from 30 to 05 sec, but clients still take approx. 2.30 minutes to pop up and finish the posture discovery.
Can you please advise if this is the minimum time, or what the minimum time is and what the parameters are to set a minimum time to complete agent popup and posture discovery?
Is there any option that we can run this in the background?
thanks in advance.. -
NAC AGENT - DISCOVERY HOST IP ADDRESS with AD
Hi,
We have deployed the Cisco NAC Agent in our network with a GPO update... The deployment model is L3 OOB / Real IP Gateway.
The issue is that we need to put the IP address in each host manually to start communicating with the Cisco NAC Manager.
Is there any way to make it automatic?
Regards,
Mubasher
Hi Mubashir,
I faced the same problem with Cisco ISE and Tiago's response actually helped; see below.
" You can also distribute the NACAgentCFG.xml file with that value set.
Please find here detailed info regarding this file:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
In that link, read the section: Agent Customization Settings
From a NAC agent that has successfully been deployed with the IP configured, go to the NAC agent installation folder C:\Program Files (x86)\Cisco\Cisco NAC Agent, copy the NACAgentCFG.xml, open it with WordPad and edit the line
IP of PDP node or ISE standalone server
Then place the edited NACAgentCFG.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed, it automatically picks the configs from the .xml file.
Regards,
Henry
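A scripted version of Henry's procedure, as an added example that is not part of the thread and not Cisco's tooling. It takes the NACAgentCFG.xml from a working agent as the template, sets the discovery host through the XML DOM rather than by hand-editing, and writes the result next to the installer on the GPO share. The element name DiscoveryHost is an assumption (the tag was lost from the quoted line above), as is the `<cfg>` root used when no template is available; the share path is a placeholder.

```powershell
# Added example, not from the thread or from Cisco. Builds the NACAgentCFG.xml that the GPO
# share delivers with the installer so every agent comes up pointing at the right server.
param(
    [Parameter(Mandatory)][string]$DiscoveryHost,  # IP or FQDN of the CAM / ISE PDP node
    [Parameter(Mandatory)][string]$DeployShare,    # folder the GPO installs the agent MSI from
    [string]$Template = "${env:ProgramFiles(x86)}\Cisco\Cisco NAC Agent\NACAgentCFG.xml"
)

$ElementName = 'DiscoveryHost'   # assumed element name inside the agent's config file

function Test-DiscoveryHostValue {
    # Accept an IP address or an RFC 1123 hostname only; anything else is refused before it
    # can reach the share and be handed to 1000 agents.
    param([string]$Value)
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Value, [ref]$ip)) { return $true }
    return $Value -match '^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

function New-NacAgentConfig {
    param([string]$TemplatePath, [string]$Value, [string]$OutputPath)
    if (Test-Path -LiteralPath $TemplatePath) {
        # Start from the file of an agent that is known to work, so every other setting is kept.
        [xml]$cfg = (Get-Content -LiteralPath $TemplatePath) -join "`n"
    } else {
        [xml]$cfg = '<?xml version="1.0"?><cfg></cfg>'   # skeleton; root element name assumed
    }
    $root = $cfg.DocumentElement
    $node = $root.SelectSingleNode($ElementName)
    if ($null -eq $node) { $node = $root.AppendChild($cfg.CreateElement($ElementName)) }
    $node.InnerText = $Value   # InnerText escapes for us; never assemble the XML by string concatenation
    $cfg.Save($OutputPath)
    return $OutputPath
}

function Get-NacAgentDiscoveryHost {
    # Also usable on a client after installation to confirm the agent picked the value up.
    param([string]$ConfigPath)
    [xml]$cfg = (Get-Content -LiteralPath $ConfigPath) -join "`n"
    return $cfg.DocumentElement.SelectSingleNode($ElementName).InnerText
}

if (-not (Test-DiscoveryHostValue $DiscoveryHost)) {
    throw "'$DiscoveryHost' is neither an IP address nor a valid hostname"
}
$out = New-NacAgentConfig -TemplatePath $Template -Value $DiscoveryHost `
                          -OutputPath (Join-Path $DeployShare 'NACAgentCFG.xml')
# Read back what was written: the share must never carry a value the agent will misparse.
if ((Get-NacAgentDiscoveryHost $out) -ne $DiscoveryHost) { throw "read-back mismatch in $out" }
Write-Output "Wrote $out with $ElementName=$DiscoveryHost"
```

Because this one file tells every agent which server to trust for discovery, the deploy share should be writable only by the people who run this script and read-only for Domain Computers; a writable share turns the discovery host into a single setting an attacker can repoint.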