NAC agent don't popup on some computer

Similar Messages

• Clean Acess Agent don't popup

  hello
  I use NAC for remote vpn conexion.
  I don't have any problem with vpn.
  I have the following problem:
  when the response time from the client vpn (after that it connected to the vpn server) to CAS clean access server is greater than 600ms, the clean access agent don't popup but when it is lower than that (for exemple 150ms) the clean access agent popup.
  are there any option to resolve this problem?
  thank you for your help.

  hello
  I use:
  Windows Clean Access Agent 
        Setup Version: 4.1.3.1
  also the Clean Access Server has the same version 4.1.3.1

• NAC agent failing to popup

                     Dears,
  I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.
  When we are working on the first node everything is fine, if I try to disconnect ISE1 and do my tests on ISE2, the cisco NAC agent doesn't popup, unless I uninstall it and reinstall it again from the ISE2. Then it will work properly.
  Note: the NAC agent version is the following: nacagent-4.9.0.37.
  Any idea?
  Regards
  Zahi

  Hi Tarik,
  below are my answers:
  1- The content of the dACL:
  ip access-list extended POSTURE-REMEDIATION
  permit udp any any eq domain
  permit ip any host 10.10.10.125         >>>> antivirus server
  permit ip any 10.10.240.0 0.0.0.255   >>>> voice subnet
  permit ip any 10.10.31.0 0.0.0.255    >>>> quarantine vlan subnet
  permit ip any host 10.10.10.238        >>>> ip add of ISE1
  permit ip any host 10.10.10.239        >>>> ip add of ISE2
  permit ip any host 10.10.10.206        >>>> wsus server
  permit ip any host 10.10.10.10          >>>> domain 1
  permit ip any host 10.10.10.100          >>>> domain 2
  2- When I open a web browser, yes I get redirected to the nac agent download page
  3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:
  sw#sho authentication sessions int fast 0/12
              Interface:  FastEthernet0/12
            MAC Address:  b8ac.6fc9.b26f
             IP Address:  10.10.31.2
              User-Name:  RJ\15592
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  31
                ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
       URL Redirect ACL:  ACL-POSTURE-REDIRECT
           URL Redirect:  https://RJ-ISE-1.rj.com:8443/guestportal/gateway?session
  Id=0A0A0C86000000186ADBBD8B&action=cpp
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0A0C86000000186ADBBD8B
        Acct Session ID:  0x00000023
                 Handle:  0x31000018
  Runnable methods list:
         Method   State
         dot1x    Authc Success
         mab      Not run
  sw#sho authentication sessions int fast 0/12
              Interface:  FastEthernet0/12
            MAC Address:  b8ac.6fc9.b26f
             IP Address:  10.10.30.12
              User-Name:  RJ\15592
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  30
                ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0A0C86000000186ADBBD8B
        Acct Session ID:  0x00000023
                 Handle:  0x31000018
  Runnable methods list:
         Method   State
         dot1x    Authc Success
         mab      Not run
  outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:
  sw#sho auth sessions int fast 0/12
              Interface:  FastEthernet0/12
            MAC Address:  0025.6458.8409
             IP Address:  10.10.31.8
              User-Name:  RJ\15946
                 Status:  Authz Success
                 Domain:  DATA
        Security Policy:  Should Secure
        Security Status:  Unsecure
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  31
                ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
       URL Redirect ACL:  ACL-POSTURE-REDIRECT
           URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?session
  Id=0A0A0C86000000206AF3FAC1&action=cpp
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A0A0C86000000206AF3FAC1
        Acct Session ID:  0x0000002B
                 Handle:  0x2C000020
  Runnable methods list:
         Method   State
         dot1x    Authc Success
         mab      Not run
  you may find attached also the pcap file of the client machine when it is authenticating with the ISE2.
  Thank you in advance
  Zahi
  Message was edited by: ZAHI BOU KHALIL

• Nac agent delayed befor popup

  Dear ,
  i install nac system and working fine, but when the user loging in , the agent delay about 10 minutes before popup to the user, i don't know why the agent don't appear immedaitly after the pc finish startup.

  I only use OOB configurations, so I haven't tested IB configurations. However, you may see some issues in both configurations since the agent needs send user/PC information to the CAM.
  In our setup, the fact that the agent doesn't load until after the desktop comes up has produced a delay in total login time that can reach 20 minutes (I've timed it), depending on the situation. I haven't yet been able to determine what MSoft is trying talk to that it can't (the delay is waiting for a bunch of things to time out).
  Now, if the desktop is loaded and all user programs are running and it still takes 10 minutes for the popup, then the issue is probably with the discovery host (or lack of one) as you have been discussing with Faisal.

• ISe with NAC agent pop up and Posture waiting

  Hi,
  I have ISE running ver 1.1.1.268. We limited access certain services before authuenticate with ACL-DEFAULT(given below) as per the Trustsec desgin guide.
  Now the issue is that when you have ACL-DEFAULT on the port NAC agent doest not pop-up and doest not start the posture part and saying waiting for Posture validation. When the ACL-DEFAULT removed from the access port NAC agent popup and do the posture validation.
  However we do not want user to get access to network before the authorization and that is the reason we use the ACL-DEFAULT.
  Please can someone advise me how to achieve the above both task. Why the NAC agent does not popup and do the posture when ACL-DEFAULT there in the switch.
  Here is what I have configured on ACL-DEFAULT.
  ip access-list extended ACL-DEFAULT
  remark DHCP
  permit udp any eq bootpc any eq bootps
  remark DNS
  permit udp any any eq domain
  permit tcp any any eq domain
  permit udp any any eq 389
  permit tcp any any eq 135
  permit tcp any any eq 445
  permit udp any any eq 445
  permit tcp any any range 135 139
  permit tcp any any eq 389
  permit tcp any any eq 3268
  permit icmp any any
  remark PXE / TFTP
  permit udp any any eq tftp
  permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
  permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
  remark Drop all the rest
  deny   ip any any log
  Appreciate if someone can give a solid resolution and explanation to this.

  Hi Saurav,
  We have already allowed those ports with another acl (ACL-POSTURE-REDIRECT). Our issue is not with the web nac agent.
  The issue is with NAC agent installed on corperate PCs connecting via wired port. With the ACL-DEFAULT it does not pop-up and does not do the posturing, however once we removed the ACL-DEFAULT from the access port, everything works fine.
  Since we do not want any user to access unwanted services before authorization we add this ACL on the access-port and as per the trustsec desgin this has to be there if you want to have ISE with closed mode.
  thanks

• After install NAC agent I must remove cable before open windows session normaly

  Hi
  I use ISE 1.1 and NAC agent 4.9
  I have configure my catalyst 2960 port with dot1x and install NAC agent on many computer
  But I observed that I am unable to open windows session on some computer (windows 7)
  When I enter login and password, then I got black screen and nothing else, then if I remove the network cable on my computer, the black screen change and move to the windows desktop normaly
  Why do I need to remove network cable before get to my desktop normaly ?
  Please How can I fixed this issue ?
  Thanks in advance for your help

  Hi
  The given link might be helpful regarding your issue:
  http://www.cisco.com/en/US/netsol/ns466/index.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html

• Nac Agent Not Working on Windows 64 Bit

                     Hi All ,
  I have a Cisco ISE 3315 With Version 1.1.4 .
  We have Windows Work Station and we have some issue with Windows 7 64 Bit users !!
  On Some 64 Bit Workstation the nac Agent is getting about 25 Minute to start Checking the Posture Statu !!
  I don't Havec that Proble With 32 Bit Workstation . We are using Nac Agent 4.9.0.37 and Nac agent 4.9.0.42!!
  Here is log that i get From the 64 bit Workstation

  Hi
  Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may be not responding fast enough for current timeouts.
  Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant.
  Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information

• NAC Agent does not pop up after psn fails.

  So I'm in the middle of a deployment where I have 4 ISE appliances, two in one location and two in another location.
  The first location has 2 with all personas installed, whereas the other two are only PSN. In each area, NAC agent pops up normally after connecting/swapping to wired or wireless networks. During HA tests I have encountered that when the two ISE from the remote area fail (shutdown switch port for testing of course) the client does get authenticated but it stays in the POSTURE_REQ state on wireless and the Agent fails to pop up.
  - I have tried forcing the servers on the profile on ISE (provisioning) and I can see how it is somehow updated on the xml configuration file in the remote endpoint but still the nac agent wont pop up.
  - Increased timeout timers also, no luck.
  - Reinstalled NAC agent manually and by ise auto provisioning, no luck.
  - Ran a wireshark capture and saw requests sent to the default GW with the positron thing but never get an answer, but then I try connecting to the ISE manually https://(ADMIN_NODE_FAR_FROM_ENDPOINT)/guestportal/gateway?sessionId=(gibberish)&action=cpp and it works, so it is reachable from the endpoint
  I believe there is some kind of sync problem, my ISE are in UTC time and NADs have local timezone, but then why does it work locally??
  Any thoughts on this?
  Thank you for all your kind help

  You have done a reset. What does that mean? Did you reset all settings?
  Settings>General>Reset>Reset all Settings. You will have to enter all device settings again.

• ISE redirect to install NAC Agent for Anyconnect users with Split Tunnel?

  Due to management directive I am not able to disable SPLIT TUNNEL for our VPN users. For this reason, I can not figure out how to enforce the REDIRECT to ISE for forcing the VPN users to install the NAC AGENT.
  Is this possible? If so can we get some documentation on how this is done? Screenshots would be great.
  Thanks,
  Dirk

  I couldn't find the answer that I seek in that doc.
  I am trying to see if I can force traffic to the redirect for installing the NAC agent, even on split tunnel traffic....perhaps forcing the first webpage the user opens forces the user to the redirect page if the NAC agent isn't detected.
  Thanks,
  Dirk

• Question about cisco nac agent

  When I deploy Cisco NAC appliance, the main different between using cisco nac appliance with or without agent? I see Cisco NAC agent has two function: scan and remediation. If Cisco NAC appliance without agent, Cisco NAC server will scan device and remediation. That is right?
  Please answer me early. Thank you for your answer.

  Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
  We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
  1) You have to decide which vulnerabilities you want to scan for.
  2) The more plug-ins you enable, the longer (obviously) the scan takes.
  3) There are configuration steps for many of the plug-ins
  4) Your users will still need to go to a login page in order to be scanned.
  5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
  From our view point, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
  It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
  Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
  Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

• Safari question here... Can I purchase a browser update for my mac book? I have OSX 10.6.8 and the "update softdate" function won't let me get past Safari 5.1.10. Please tell me I don't need a new computer just yet... Thx!!

  Safari question here... Can I purchase a browser update for my mac book? I have OSX 10.6.8 and the "update software" function won't let me get past Safari 5.1.10. Please tell me I don't need a new computer just yet... Thx!!

  You need to upgrade OS X.
  Upgrading to Yosemite
  You can upgrade to Yosemite from Lion or directly from Snow Leopard. Yosemite can be downloaded from the Mac App Store for FREE.
  Upgrading to Yosemite
  To upgrade to Yosemite you must have Snow Leopard 10.6.8 or Lion installed. Download Yosemite from the App Store. Sign in using your Apple ID. Yosemite is free. The file is quite large, over 5 GBs, so allow some time to download. It would be preferable to use Ethernet because it is nearly four times faster than wireless.
      OS X Mavericks/Yosemite- System Requirements
        Macs that can be upgraded to OS X Yosemite
           1. iMac (Mid 2007 or newer) - Model Identifier 7,1 or later
           2. MacBook (Late 2008 Aluminum, or Early 2009 or newer) - Model Identifier 5,1 or later
           3. MacBook Pro (Mid/Late 2007 or newer) - Model Identifier 3,1 or later
           4. MacBook Air (Late 2008 or newer) - Model Identifier 2,1 or later
           5. Mac mini (Early 2009 or newer) - Model Identifier 3,1 or later
           6. Mac Pro (Early 2008 or newer) - Model Identifier 3,1 or later
           7. Xserve (Early 2009) - Model Identifier 3,1 or later
  To find the model identifier open System Profiler in the Utilities folder. It's displayed in the panel on the right.
       Are my applications compatible?
           See App Compatibility Table - RoaringApps.
  Upgrading to Lion
  If your computer does not meet the requirements to install Mavericks, it may still meet the requirements to install Lion.
  You can purchase Lion at the Online Apple Store. The cost is $19.99 (as it was before) plus tax.  It's a download. You will get an email containing a redemption code that you then use at the Mac App Store to download Lion. Save a copy of that installer to your Downloads folder because the installer deletes itself at the end of the installation.
       Lion System Requirements
         1. Mac computer with an Intel Core 2 Duo, Core i3, Core i5, Core i7,
             or Xeon processor
         2. 2GB of memory
         3. OS X v10.6.6 or later (v10.6.8 recommended)
         4. 7GB of available space
         5. Some features require an Apple ID; terms apply.

• Getting the NAC agent out of the system tray.

  I am installing a NAC solution for a customer and they don't want users to have the NAC agent in the sytem tray. Is there any way to do this because they are pretty adamant about it.

  Hi,
  Currently this isn't possible. If you have an account team, please ping them to get this added to the feature request list.
  HTH,
  Faisal

• NAC Agent takes long time to run

  Cisco NAC agent takes long time to popup or run on Windows 7 machine.
  The client machine is windows 7, running nac agent 4.9.0.42, against ISE 1.1.1
  Any ideas how to reduce NAC Agent timing?

  Hi Tariq,
  I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disabled the l3 swiss delay and reduced the httpa discovery timer from 30 to 05 sec but still clients get aprox 2.30 minutes to popup and finished the posture discovery.
  Can you please advise if this is the minimum time or what is the minimum time and what are the parameters to set to a minimum time to complete agent popup and posture discovery..?
  Is there any option that we can run this on backgroup..?
  thanks in advance..

• NAC Agent reporting never shows a failure

  I seem to only get reports for successful agent logins under Device MGMT>Clean Access>Clean Access Agent>Reports.  Am I missing a setting somewhere?  Even though I have had many failures (testing, etc) I never see a failed report.  Any ideas?

  Hello,
  Could you please confirm what error message you are getting on the NAC agent (if using the NAC agent for posture validation)?  The NAC agent will display the standard stuff such as 'temporary access', etc.  The message displayed is based upon which requirement is failing, for example a standard AV installation check/rule.
  Also, for this failing client, do you see a passed report or no report at all? Well, for the agents that ultimately pass posture assessment (even if a particular check/rule fails) we see a passed report.  If the agent never gains access, IE never gets out of 'Temporary Access' we don't see any report.  I am hoping that when a Agent fails posture assessment we will see a failed report.  IE, we need a way for the service desk to be able to monitor failed sessions proactively, and with the minimal external alerts available (no email, etc) these failed reports would be key. 
  If we can't see no report at all, there may be something that breaks before that. I have pages and pages of successful reports, but not a single failed report.
  A quick way to verify would be to collect the NAC agent's logs after a failure, under
  Start > Program Files > Cisco > Client Utilities > Cisco Log Packager I don't see this installed on any of the machines with an agent?  Please adivse where I can download it.  Thanks.

• NAC Agent - Loop in Remediation WSUS

  Hello,
  I´m implementing WSUS Posture in my ISE environment.
  When NAC Agent detect a new Windows Update, the Remediation Action is Automatic. I configured Show UI the Wizard Interface and this is working well. 
  But, after the windows update instalation, the NAC Agent stay in Remediation Process. Looking for WindowsUpdate.log file, I see repetitive messages like: 
  Updates Found = 0 OR Found 0 Updates and X categories in search.
  If I use the Windows Update from Windows to Search and Install the Updates, work very well too.
  The image attached, ilustrate my problem(In this point, The Windows Update instalation was done):

  Updating..
  Approximately after 30 minutes, NAC Agent finished the process of Remediation. (Only 1 Windows Update package)
  apparently the station sends many reports to WSUS and while it does, the NAC Agent continues Remediation on the process, even after installing the update. 
  I'm sure there are how to optimize it, but if anyone has any tips I'd appreciate it.
  Best Regards,
  Daniel Stefani