NAC agent failing to pop up
Dears,
I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.
When we are working on the first node everything is fine, but if I disconnect ISE1 and do my tests on ISE2, the Cisco NAC agent doesn't pop up unless I uninstall it and reinstall it again from ISE2. Then it works properly.
Note: the NAC agent version is the following: nacagent-4.9.0.37.
Any idea?
Regards
Zahi
Hi Tarik,
below are my answers:
1- The content of the dACL:
ip access-list extended POSTURE-REMEDIATION
permit udp any any eq domain
permit ip any host 10.10.10.125 >>>> antivirus server
permit ip any 10.10.240.0 0.0.0.255 >>>> voice subnet
permit ip any 10.10.31.0 0.0.0.255 >>>> quarantine vlan subnet
permit ip any host 10.10.10.238 >>>> ip add of ISE1
permit ip any host 10.10.10.239 >>>> ip add of ISE2
permit ip any host 10.10.10.206 >>>> wsus server
permit ip any host 10.10.10.10 >>>> domain 1
permit ip any host 10.10.10.100 >>>> domain 2
2- When I open a web browser, yes I get redirected to the nac agent download page
3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:
sw#sho authentication sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: b8ac.6fc9.b26f
IP Address: 10.10.31.2
User-Name: RJ\15592
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 31
ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://RJ-ISE-1.rj.com:8443/guestportal/gateway?sessionId=0A0A0C86000000186ADBBD8B&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000186ADBBD8B
Acct Session ID: 0x00000023
Handle: 0x31000018
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
sw#sho authentication sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: b8ac.6fc9.b26f
IP Address: 10.10.30.12
User-Name: RJ\15592
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 30
ACS ACL: xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000186ADBBD8B
Acct Session ID: 0x00000023
Handle: 0x31000018
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:
sw#sho auth sessions int fast 0/12
Interface: FastEthernet0/12
MAC Address: 0025.6458.8409
IP Address: 10.10.31.8
User-Name: RJ\15946
Status: Authz Success
Domain: DATA
Security Policy: Should Secure
Security Status: Unsecure
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Policy: 31
ACS ACL: xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
URL Redirect ACL: ACL-POSTURE-REDIRECT
URL Redirect: https://RJ-ISE-2.rj.com:8443/guestportal/gateway?sessionId=0A0A0C86000000206AF3FAC1&action=cpp
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A0C86000000206AF3FAC1
Acct Session ID: 0x0000002B
Handle: 0x2C000020
Runnable methods list:
Method State
dot1x Authc Success
mab Not run
You may also find attached the pcap file of the client machine when it is authenticating with ISE2.
Thank you in advance
Zahi
Similar Messages
-
NAC agent doesn't pop up on some computers
Hi
I use
ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
The NAC agent does not run on some computers and runs on others (Windows 7).
What can be these problems?
Please help
Regards
Please look into this, it might help you:
Agent Login Dialog Not Appearing
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions
This issue can generally take place during the posture assessment phase of any user authentication session.
Possible Causes
There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
Resolution
•Ensure that the agent is running on the client machine.
•Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE.
•Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
•Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
•If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
•Ensure that the default gateway is reachable from the client machine. -
Dear,
I installed the NAC system and it is working fine, but when the user logs in, the agent delays about 10 minutes before popping up to the user. I don't know why the agent doesn't appear immediately after the PC finishes startup.
I only use OOB configurations, so I haven't tested IB configurations. However, you may see some issues in both configurations since the agent needs to send user/PC information to the CAM.
In our setup, the fact that the agent doesn't load until after the desktop comes up has produced a delay in total login time that can reach 20 minutes (I've timed it), depending on the situation. I haven't yet been able to determine what MSoft is trying to talk to that it can't (the delay is waiting for a bunch of things to time out).
Now, if the desktop is loaded and all user programs are running and it still takes 10 minutes for the popup, then the issue is probably with the discovery host (or lack of one) as you have been discussing with Faisal. -
ISE with NAC agent pop-up and posture waiting
Hi,
I have ISE running ver 1.1.1.268. We limit access to certain services before authentication with ACL-DEFAULT (given below) as per the TrustSec design guide.
Now the issue is that when ACL-DEFAULT is on the port, the NAC agent does not pop up and does not start the posture part, saying "waiting for posture validation". When ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.
However, we do not want users to get access to the network before authorization, and that is the reason we use ACL-DEFAULT.
Please can someone advise me how to achieve both of the above? Why does the NAC agent not pop up and do the posture when ACL-DEFAULT is on the switch port?
Here is what I have configured on ACL-DEFAULT.
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 389
permit tcp any any eq 135
permit tcp any any eq 445
permit udp any any eq 445
permit tcp any any range 135 139
permit tcp any any eq 389
permit tcp any any eq 3268
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
remark Drop all the rest
deny ip any any log
Appreciate if someone can give a solid resolution and explanation to this.
Hi Saurav,
We have already allowed those ports with another ACL (ACL-POSTURE-REDIRECT). Our issue is not with the web NAC agent.
The issue is with the NAC agent installed on corporate PCs connecting via wired port. With ACL-DEFAULT it does not pop up and does not do the posturing; however, once we removed ACL-DEFAULT from the access port, everything works fine.
Since we do not want any user to access unwanted services before authorization, we add this ACL on the access port, and as per the TrustSec design this has to be there if you want to have ISE in closed mode.
thanks -
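The two ACL discussions above (the "Limited access ACL applied for the session should allow Swiss ports" list in the troubleshooting note, and Saurav's ACL-DEFAULT) both come down to the same check: does the pre-authentication ACL let the agent reach DHCP, DNS, the ISE portal on tcp/8443 and the Swiss discovery ports tcp/8905 and udp/8905, and does the URL-redirect ACL exclude the PSNs (in an IOS redirect ACL a permit means "redirect this", so PSN traffic must be matched by a deny first)? The script below is an added example, not code from the thread or from Cisco: a small first-match parser for IOS extended ACLs plus those two checks, run against a constructed, abridged copy of the posted ACL-DEFAULT and two constructed redirect ACLs. The ISE addresses 172.16.1.10 and 172.16.1.11 stand in for the masked 172.xx.xx.xx hosts, and the DNS server and client addresses are assumptions.

```python
# Added example (not from the thread): a parser for Cisco IOS extended ACLs
# plus two checks for the flows the Cisco NAC agent needs. ACL texts below are
# constructed; 172.16.1.10/.11 stand in for the masked 172.xx.xx.xx PSNs, and
# the DNS server and client addresses are assumed.
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src sport dst dport")
ANY_NET, ANY_PORT = ipaddress.ip_network("0.0.0.0/0"), (0, 65535)
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69, "www": 80}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i] -> (network, next i)."""
    if tokens[i] == "any":
        return ANY_NET, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def _ports(tokens, i):
    """Parse optional 'eq P' | 'range P Q' at tokens[i] -> ((lo, hi), next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        return (_port(tokens[i + 1]),) * 2, i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return ANY_PORT, i


def parse_acl(text):
    """Return the ACEs of one extended ACL; header, remarks and 'log' are ignored."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t and t[0] in ("permit", "deny"):
            src, i = _addr(t, 2)
            sport, i = _ports(t, i)
            dst, i = _addr(t, i)
            dport, _ = _ports(t, i)
            aces.append(Ace(t[0], t[1], src, sport, dst, dport))
    return aces


def permits(aces, proto, src, sport, dst, dport):
    """First-match evaluation of one flow; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if (a.proto in ("ip", proto) and s in a.src and d in a.dst
                and a.sport[0] <= sport <= a.sport[1]
                and a.dport[0] <= dport <= a.dport[1]):
            return a.action == "permit"
    return False


ISE_PSNS = ["172.16.1.10", "172.16.1.11"]          # assumed, for 172.xx.xx.xx
DNS_SERVER, CLIENT = "172.16.1.53", "10.10.31.2"   # assumed


def missing_agent_flows(aces, psns=ISE_PSNS, client=CLIENT):
    """Flows from the troubleshooting note that the pre-auth ACL blocks:
    DHCP, DNS, the portal on tcp/8443 and Swiss discovery on tcp+udp/8905."""
    required = [("DHCP", "udp", "0.0.0.0", 68, "255.255.255.255", 67),
                ("DNS", "udp", client, 50000, DNS_SERVER, 53)]
    for psn in psns:
        required += [(f"tcp/8443 to {psn}", "tcp", client, 50000, psn, 8443),
                     (f"tcp/8905 to {psn}", "tcp", client, 50000, psn, 8905),
                     (f"udp/8905 to {psn}", "udp", client, 50000, psn, 8905)]
    return [name for name, *flow in required if not permits(aces, *flow)]


def redirect_captures_psn(aces, psns=ISE_PSNS, client=CLIENT):
    """(psn, port) pairs a URL-redirect ACL would redirect instead of pass.
    In a redirect ACL 'permit' means 'redirect', so the PSNs need a 'deny'
    before any broad permit."""
    return [(psn, p) for psn in psns for p in (8443, 8905)
            if permits(aces, "tcp", client, 50000, psn, p)]


# Constructed, abridged copy of the ACL-DEFAULT posted above.
ACL_DEFAULT = """
ip access-list extended ACL-DEFAULT
 remark DHCP
 permit udp any eq bootpc any eq bootps
 remark DNS
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any range 135 139
 permit icmp any any
 permit tcp any host 172.16.1.10 eq 8443
 permit tcp any host 172.16.1.11 eq 8443
 deny ip any any log
"""
# Constructed redirect ACLs: one that swallows PSN traffic, one that excludes it.
REDIRECT_BAD = "permit tcp any any\n"
REDIRECT_GOOD = """
 deny ip any host 172.16.1.10
 deny ip any host 172.16.1.11
 permit tcp any any eq www
 permit tcp any any eq 443
"""

if __name__ == "__main__":
    print("ACL-DEFAULT blocks:", missing_agent_flows(parse_acl(ACL_DEFAULT)))
    print("bad redirect captures:", redirect_captures_psn(parse_acl(REDIRECT_BAD)))
    print("good redirect captures:", redirect_captures_psn(parse_acl(REDIRECT_GOOD)))
```

Run against the abridged ACL-DEFAULT the first check reports only the four 8905 flows as blocked, which is the gap between "tcp/8443 is allowed" and "the agent can discover the PSN"; the second check shows why a redirect ACL that is just `permit tcp any any` breaks the portal and Swiss even when the pre-auth ACL is right. The parser covers `any`, `host`, wildcard masks, `eq` and `range`, which is enough for the ACLs in this thread; `gt`/`lt`, object groups and `established` are not handled.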
Cisco ISE NAC agent and Microsoft roaming profiles
Hi there,
I have installed Identity Services Engine version 1.1.3 in distributed mode. The NAC agent is installed on the end-user PC joined to the domain. When a user with a roaming profile logs into the PC, the NAC agent fails to run posture assessment, but if a user with a non-roaming profile logs in, the NAC agent does posture and full network access is granted.
Is there something i need to do to enable the NAC agent to perform posture for users with a roaming profile.
Regards,
Henry
Hello,
I found the following in the Cisco doc. Hope it helps!
The following failure scenarios might cause the Cisco NAC Agent to appear following successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band and Out-of-Band) and Layer 2 /Layer 3 Out-of-Band environments. Erroneous Agent login dialogs could also appear if users roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC network:
–ARP poisoning
–Temporary loss of network connection between the client machine and the CAS
–Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
Cisco offers the following recommendations to prevent this situation:
–Ensure all trusted networks (post-authentication) can reach the CAS untrusted interface IP address through the CAS trusted interface only
–Block discovery packets from all non-NAC networks to the CAS untrusted interface IP address (discovery packets that arrive on the trusted interface of the CAS are blocked by default)
For more information please refer to the following link:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html -
NAC Agent does not pop up after psn fails.
So I'm in the middle of a deployment where I have 4 ISE appliances, two in one location and two in another location.
The first location has 2 with all personas installed, whereas the other two are only PSN. In each area, NAC agent pops up normally after connecting/swapping to wired or wireless networks. During HA tests I have encountered that when the two ISE from the remote area fail (shutdown switch port for testing of course) the client does get authenticated but it stays in the POSTURE_REQ state on wireless and the Agent fails to pop up.
- I have tried forcing the servers on the profile on ISE (provisioning) and I can see how it is somehow updated on the xml configuration file in the remote endpoint but still the nac agent wont pop up.
- Increased timeout timers also, no luck.
- Reinstalled NAC agent manually and by ise auto provisioning, no luck.
- Ran a wireshark capture and saw requests sent to the default GW with the positron thing but never get an answer, but then I try connecting to the ISE manually https://(ADMIN_NODE_FAR_FROM_ENDPOINT)/guestportal/gateway?sessionId=(gibberish)&action=cpp and it works, so it is reachable from the endpoint
I believe there is some kind of sync problem, my ISE are in UTC time and NADs have local timezone, but then why does it work locally??
Any thoughts on this?
Thank you for all your kind help
-
NAC AGENT WEB Your Login session Failed { status = 5 }
Hi,
I have a problem with NAC agent web, did someone seen this error before ?
Your Login session Failed { status = 5 }
I tested all these following , and all are Ok :
• Test using another browser, Firefox for example
• Test using another operating system
• Check if there any restrictions between the user vlan and nac vlans
Thnx
Hi.
Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
regards
Zubair -
NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?
Agent Fails to Initiate Posture Assessment
The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
The Reports / User / Profiling report says the Provisioning Agent has completed the assessment OK.
The redirected URL is working fine (see evidence).
We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
The operations status remains with posturing status pending forever and nothing else happens.
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
Cisco advises as possible causes: there are multiple possible causes for this type of issue. See the following resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidence.
CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
• Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE. - OK
• Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
choose Properties, and check the discovery host.) - OK (See evidence)
• Ensure that the access switch allows Swiss communication between Cisco ISE
and the end client machine. Limited access ACL applied for the session should
allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
• If the agent login dialog still does not appear, it could be a certificate issue.
Ensure that the certificate that is used for Swiss communication on the end client
is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
• Ensure that the default gateway is reachable from the client machine. (TESTED OK)
Hi.
Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
regards
Zubair -
Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
-My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
-The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
-No certificates are used.
-I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
-If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
-For now I'm testing it on wired endpoints.
Is there a way to configure ISE to fulfill the listed above requirements?
Any ideas would be appreciated.
Thanks,
Val Rodionov
Everyone who reads this article,
I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
The answer is Yes.
After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
ISE configuration:
Posture General Settings - Default Posture Status = NonCompliant
Client Provisioning Policy - no rules defined
Posture Policy - configured per requirements
Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
Authorization Policies configured as regular posture policies
The result:
After successful dot1x authentication the posture redirect happens. If the PC does not have the NAC Agent preinstalled, the browser is redirected to the Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply an access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and the proper authorization policy is applied. This is what I wanted to achieve.
If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
The only part that is not perfect is the message displayed to the end user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case so this file can be manually found and edited from the CLI (root access).
Best,
Val Rodionov -
NAC Agent takes long time to run
Cisco NAC agent takes long time to popup or run on Windows 7 machine.
The client machine is windows 7, running nac agent 4.9.0.42, against ISE 1.1.1
Any ideas how to reduce the NAC Agent timing?
Hi Tariq,
I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disable the L3 Swiss delay and reduced the httpa discovery timer from 30 to 05 sec, but clients still take approx. 2.30 minutes to pop up and finish the posture discovery.
Can you please advise if this is the minimum time, or what the minimum time is and what parameters to set to get the minimum time to complete agent pop-up and posture discovery?
Is there any option to run this in the background?
thanks in advance.. -
Hi
I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
1. Antivirus installation check
2. Antivirus definition check
3. File check
I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
The issue I'm seeing is that the end user receives the following Cisco Agent error during the remediation process (while in the temporary role):
"The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore it's not so much an issue, just a misleading message displayed to the user.
Has anyone seen this before or know where this is configured?
Kind Regards
Terry
Hi Faisal,
I am still having this problem.
Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automatically. Therefore I am having to disconnect and reconnect the network cable for the agent to realise that I am not fully compliant.
Is there anything that I can do to make this posture / remediation process automatic and seamless?
Mario -
NAC Agent reporting never shows a failure
I seem to only get reports for successful agent logins under Device MGMT>Clean Access>Clean Access Agent>Reports. Am I missing a setting somewhere? Even though I have had many failures (testing, etc) I never see a failed report. Any ideas?
Hello,
Could you please confirm what error message you are getting on the NAC agent (if using the NAC agent for posture validation)? The NAC agent will display the standard stuff such as 'temporary access', etc. The message displayed is based upon which requirement is failing, for example a standard AV installation check/rule.
Also, for this failing client, do you see a passed report or no report at all? Well, for the agents that ultimately pass posture assessment (even if a particular check/rule fails) we see a passed report. If the agent never gains access, i.e. never gets out of 'Temporary Access', we don't see any report. I am hoping that when an agent fails posture assessment we will see a failed report. I.e., we need a way for the service desk to be able to monitor failed sessions proactively, and with the minimal external alerts available (no email, etc.) these failed reports would be key.
If we can't see any report at all, there may be something that breaks before that. I have pages and pages of successful reports, but not a single failed report.
A quick way to verify would be to collect the NAC agent's logs after a failure, under
Start > Program Files > Cisco > Client Utilities > Cisco Log Packager. I don't see this installed on any of the machines with an agent? Please advise where I can download it. Thanks. -
Nac Agent Not Working on Windows 64 Bit
Hi All ,
I have a Cisco ISE 3315 with version 1.1.4.
We have Windows workstations and we have some issue with Windows 7 64-bit users!!
On some 64-bit workstations the NAC agent takes about 25 minutes to start checking the posture status!!
I don't have that problem with 32-bit workstations. We are using NAC agent 4.9.0.37 and NAC agent 4.9.0.42!!
Here is the log that I get from the 64-bit workstation
Hi
Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may be not responding fast enough for current timeouts.
Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant.
Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information -
Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "
Hi All,
We have posture assessment working with the Cisco NAC agent, checking only Symantec Antivirus definition update and installation. Windows Defender is present on all the user PCs but turned off and not in use. However, the Cisco NAC agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
Has anyone encountered this before? Please suggest. I want to get rid of Windows Defender from this list in the NAC agent.
The closest enhancement I could find on this is
CSCts34764 NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date. Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
~BR
Jatin Katyal
**Do rate helpful posts** -
NAC Agent only prompts for username and login on wireless
Another question for the smart people of the world.
I have had a couple of laptops where the Cisco NAC agent will prompt for a password and verify the computer via the wireless network, but when I try to do that on the wired network, it sends me to the download page for the NAC agent. It doesn't seem to register that the NAC agent is installed and working even though it is.
Any thoughts?
Thanks
Hi Jonathan,
The NAC agent communicates with the CAS using the SWISS protocol. This protocol uses port 8095 for devices L2 adjacent to the CAS and port 8096 for devices L3 adjacent to the CAS. Have you checked if these ports are allowed through to the CAS for the wired clients? Do check whether the support logs on the CAM and CAS suggest something. If you can post the agent logs from the wired clients I could analyze them and let you know where the process is failing.
Do let me know if this helps.
Regards,
Som