NAC Agent Issue
Hi
I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
1. Antivirus installation check
2. Antivirus definition check
3. File check
I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
The issue I'm seeing is that the end user receives the following Cisco Agent error during the remediation process (while in the temporary role):
"The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore it's not so much an issue, just a misleading message displayed to the user.
Has anyone seen this before or know where this is configured?
Kind Regards
Terry
Hi Faisal,
I am still having this problem.
Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automatically. Therefore I am having to disconnect and re-connect the network cable for the agent to realise that I am not fully compliant.
Is there anything that I can do to make this posture / remediation process automatic and seamless?
Mario
Similar Messages
-
Hi guys,
We are encountering several problems with regards to the NAC Agent. We are deploying AD SSO and for some reason, on the same switch, some hosts are performing SSO correctly and others are being prompted for a user name and password by the NAC agent, even though the hosts are all logging in to the same domain. Do you guys have any idea on how to go about this problem?
Hi Guys,
I have deployed NAC as OOB Real IP gateway mode and it is working fine over the LAN.
Once I enabled the L3 functionality to connect a remote site, the local user is being certified through WEB LOGIN.
But the NAC pop-up is not appearing to supply the username and password.
A problem occurred when stopping the NAC agent services: "Agent has been terminated due to unexpected error. Please restart your machine."
Note: No ACL is configured yet.
I have performed the following tasks to fix it:
1. Restarted NAC agent services.
2. Checked proxy settings.
Could you please help me out to resolve this issue?
Thanks & Regards,
Azeem Khan -
NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?
Agent Fails to Initiate Posture Assessment
The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
The reports / USER / Profiling report says the Provisioning Agent has completed the assessment OK.
The redirected URL is working fine (SEE Evidence).
We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
The operations status remains with posturing status pending forever and nothing else happens.
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
Possible Causes (as advised by Cisco): There are multiple possible causes for this type of issue. See the following Resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidence.
CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
• Ensure that the Cisco IOS release on the switch is equal to or more recent than
Cisco IOS Release 12.2.(53)SE. - OK
• Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
choose Properties, and check the discovery host.) - OK (See evidence)
• Ensure that the access switch allows Swiss communication between Cisco ISE
and the end client machine. Limited access ACL applied for the session should
allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
• If the agent login dialog still does not appear, it could be a certificate issue.
Ensure that the certificate that is used for Swiss communication on the end client
is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
• Ensure that the default gateway is reachable from the client machine. (TESTED OK)
Hi.
Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
regards
Zubair -
NAC Agent 4.9 issue while remediation with in ISE
We have installed NAC agent 4.9 and configured a posture policy for Symantec Endpoint Protection version 11x in ISE 1.1.1. When the end user falls into remediation and tries to collect the latest antivirus definitions from the local antivirus, clicking on the update button gives a message stating
"The Remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system
administrator"
It continuously shows that prompt and gives that privilege message.
Do we need to have administrator rights for remediation? This prompt appears again and again until the remediation timer expires, and then it falls into the Non-compliant (Restricted) profile.
Please find attached screenshots for the same.
I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
Select Keychain Access -> Preferences from the menu at the top of the screen
Choose the Certificates tab
Change the OCSP option from Best Effort to Off
Close the Preferences dialog and quit Keychain Access
You should be able to NAC now -
CPP - NAC agent upgrade issue - NAC to ISE migration
Hi,
I am currently working on a project to migrate NAC to ISE. The existing version of NAC agent running on the client machine is 4.8.2.1. CPP is pushing an upgrade to the required version 4.9.4.3. I can't locate the upgrade matrix for this version. Could anyone guide me on this?
You can directly download the NAC agent 4.9.4.3 from the download link below
http://software.cisco.com/download/release.html?mdfid=283801620&softwareid=283802505&release=1.2&flowid=26081 -
NAC Agent takes long time to run
Cisco NAC agent takes a long time to pop up or run on Windows 7 machines.
The client machine is Windows 7, running NAC agent 4.9.0.42, against ISE 1.1.1.
Any ideas how to reduce NAC Agent timing?
Hi Tariq,
I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disable the L3 Swiss delay and reduced the HTTP discovery timer from 30 to 05 sec, but clients still take approx. 2:30 minutes to pop up and finish the posture discovery.
Can you please advise if this is the minimum time, or what the minimum time is and what parameters to set to reach the minimum time to complete agent popup and posture discovery?
Is there any option that we can run this in the background?
thanks in advance.. -
NAC AGENT - DISCOVERY HOST IP ADDRESS with AD
Hi,
We have deployed the Cisco NAC Agent in our network with a GPO update. The deployment model is L3 OOB / Real IP Gateway.
The issue is that we need to put the IP address in each host manually to start communicating with Cisco NAC Manager.
Is there any way to make it automatic?
Regards,
Mubasher
Hi Mubashir,
I faced the same problem with Cisco ISE and Tiago's response actually helped; see below.
" You can also distribute the NACAgentCFG.xml file with that value set.
Please find here detailed info regarding this file:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
In that link, read the section: Agent Customization Settings
From a NAC agent that has successfully been deployed with the IP configured, go to the NAC agent installation folder
C:\Program Files (x86)\Cisco\Cisco NAC Agent, copy the NACAgentCFG.xml, open it with WordPad and edit the line
IP of PDP node or ISE standalone server
Then place the edited NACAgentCFG.xml file in the same folder as the one where your GPO will pick the agent up from. When the agent is installed, it automatically picks up the config from the .xml file.
Regards,
Henry -
After installing NAC agent I must remove the cable before opening a Windows session normally
Hi
I use ISE 1.1 and NAC agent 4.9
I have configured my Catalyst 2960 port with dot1x and installed NAC agent on many computers.
But I observed that I am unable to open a Windows session on some computers (Windows 7).
When I enter login and password, I get a black screen and nothing else; then if I remove the network cable from my computer, the black screen changes and moves to the Windows desktop normally.
Why do I need to remove the network cable before getting to my desktop normally?
Please, how can I fix this issue?
Thanks in advance for your help
Hi
The given link might be helpful regarding your issue:
http://www.cisco.com/en/US/netsol/ns466/index.html
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html -
Determining which NAC Agent to use for ISE
We are planning an upgrade to our ISE environment from 1.1.4 to 1.2. I have downloaded the agent that is recommended for 1.2 (NAC Agent 4.9.4.3) to begin testing with it. Unfortunately the first test I run is using that client against our ISE 1.1.4 servers. It doesn't work! It runs sporadically at best, taking up to 3 minutes to pop up and posture the system. Other times, I give up, after 20 minutes of waiting, and it never runs. This is quite a spot, I do not want to upgrade the ISE system to 1.2, then run into an issue and have to mass upgrade over 2000 clients all at once to get them running. My hope was to upgrade to the NAC Agent prior to the ISE upgrade but unfortunately that has been short circuited.
So my question is, has anyone run ISE 1.2 with NAC Agent 4.9.1.6? That is what we are currently using, as it runs well against both ISE 1.1.4 and NAC 4.9.1 (which is still used for our wired environment). We need to find an agent we can use to bridge us from the time we upgrade ISE to 1.2 to the time we bring our wired environment into the ISE fold and remove the NAC appliance. I should note, ironically, that the 4.9.4.3 NAC Agent runs flawlessly against the NAC 4.9.1 appliance. The issue is running that NAC Agent against ISE 1.1.4. That is exactly the opposite of what I would have guessed! Please help!
Jeff
Yes sir, I am aware of that recommendation, however once I downloaded and started testing several clients with that version, none of them run well, if at all, against 1.1.4, which is the current production version we run in our environment. So I would have to either upgrade all 2000 clients immediately after we upgrade our ISE system to 1.2, or take a chance that our current agent (4.9.1.6) will run against ISE 1.2. I was hoping to find a recommendation of an agent version that runs well against both ISE 1.1.4 and ISE 1.2 so we could upgrade the clients at a controlled rate prior to upgrading ISE to 1.2
-
NAC agent doesn't pop up on some computers
Hi
I use
ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
NAC agent does not run on some computers and runs on others (Windows 7).
What can these problems be?
Please help
Regards
Please look into this, it might help you
Agent Login Dialog Not Appearing
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions
This issue can generally take place during the posture assessment phase of any user authentication session.
Possible Causes
There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
Resolution
•Ensure that the agent is running on the client machine.
•Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
•Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
•Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
•If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
•Ensure that the default gateway is reachable from the client machine. -
ISE with NAC agent pop up and Posture waiting
Hi,
I have ISE running ver 1.1.1.268. We limited access to certain services before authentication with ACL-DEFAULT (given below) as per the TrustSec design guide.
Now the issue is that when you have ACL-DEFAULT on the port the NAC agent does not pop up and does not start the posture part, saying waiting for Posture validation. When ACL-DEFAULT is removed from the access port the NAC agent pops up and does the posture validation.
However we do not want users to get access to the network before the authorization, and that is the reason we use ACL-DEFAULT.
Please can someone advise me how to achieve both of the above. Why does the NAC agent not pop up and do the posture when ACL-DEFAULT is there on the switch?
Here is what I have configured on ACL-DEFAULT.
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
permit tcp any any eq domain
permit udp any any eq 389
permit tcp any any eq 135
permit tcp any any eq 445
permit udp any any eq 445
permit tcp any any range 135 139
permit tcp any any eq 389
permit tcp any any eq 3268
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
remark Drop all the rest
deny ip any any log
Appreciate it if someone can give a solid resolution and explanation for this.
Hi Saurav,
We have already allowed those ports with another ACL (ACL-POSTURE-REDIRECT). Our issue is not with the web NAC agent.
The issue is with the NAC agent installed on corporate PCs connecting via wired port. With ACL-DEFAULT it does not pop up and does not do the posturing, however once we removed ACL-DEFAULT from the access port, everything works fine.
Since we do not want any user to access unwanted services before authorization we add this ACL on the access port, and as per the TrustSec design this has to be there if you want to have ISE in closed mode.
thanks -
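The two ACL listings above, the Swiss-port list from the Cisco resolution and the ACL-DEFAULT from this thread, are the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from the original page or from Cisco: it parses an IOS extended ACL and evaluates the flows the NAC agent needs in the limited-access state (DHCP, DNS, the portal on tcp/8443, and Swiss discovery on tcp/udp 8905 towards the PSN) with the switch's first-match, implicit-deny semantics. It assumes 172.16.1.10 and 172.16.1.11 in place of the masked 172.xx.xx.xx PSN addresses, uses 10.0.0.1 and 10.0.0.53 as constructed DHCP and DNS server placeholders, and only understands the ACE forms that appear on this page ("any" / "host X" addresses, "eq" / "range" destination ports); anything else raises rather than being silently skipped.

```python
"""Check a Cisco IOS pre-authentication ACL for the flows the NAC agent needs.
ACEs are evaluated in order, first match wins, implicit deny at the end, as the
switch does.  Only "any"/"host X" addresses and "eq"/"range" ports are handled."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "tftp": 69}


@dataclass
class Ace:
    action: str                            # "permit" or "deny"
    proto: str                             # "ip", "tcp", "udp", "icmp"
    src_host: Optional[str]                # None means "any"
    dst_host: Optional[str]                # None means "any"
    dst_ports: Optional[Tuple[int, int]]   # inclusive range; None means any port


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def parse_ace(line):
    """Parse one ACE; None for remarks, headers and blank lines; raises on forms
    this checker does not understand so a result is never silently wrong."""
    line = re.split(r"\s*(?:\(|-->)", line, maxsplit=1)[0]  # drop "(ISE-Pri)", "--> ..."
    toks = line.split()
    if not toks or toks[0] not in ("permit", "deny"):
        return None
    pos = 2

    def addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None
        if toks[pos] != "host":
            raise ValueError(toks[pos])
        pos += 2
        return toks[pos - 1]

    def ports():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return (_port(toks[pos - 1]),) * 2
        if pos < len(toks) and toks[pos] == "range":
            pos += 3
            return (_port(toks[pos - 2]), _port(toks[pos - 1]))
        return None

    try:
        src = addr()
        ports()                 # source port ("eq bootpc") does not affect the check
        dst = addr()
        return Ace(toks[0], toks[1], src, dst, ports())
    except (ValueError, IndexError):
        raise ValueError("unsupported ACE: " + line.strip()) from None


def permitted(aces, proto, dst_ip, dst_port):
    """First-match evaluation of one client-sourced flow."""
    for ace in aces:
        if ace.src_host is not None:        # client address unknown: assume no match
            continue
        if ace.proto not in ("ip", proto) or ace.dst_host not in (None, dst_ip):
            continue
        if ace.dst_ports and not ace.dst_ports[0] <= dst_port <= ace.dst_ports[1]:
            continue
        return ace.action == "permit"
    return False                            # implicit "deny ip any any"


def required_flows(psn):
    """Flows from the Cisco list quoted above; 10.0.0.x are constructed placeholders."""
    return [("udp", "10.0.0.1", 67, "DHCP"), ("udp", "10.0.0.53", 53, "DNS"),
            ("tcp", psn, 8443, "portal tcp/8443"),
            ("tcp", psn, 8905, "Swiss discovery tcp/8905"),
            ("udp", psn, 8905, "Swiss discovery udp/8905")]


def check_acl(acl_text, psn):
    """Return labels of the required flows that the ACL would block."""
    aces = [a for a in map(parse_ace, acl_text.splitlines()) if a]
    return [lbl for proto, ip, port, lbl in required_flows(psn)
            if not permitted(aces, proto, ip, port)]


# Constructed sample: the ACL-DEFAULT posted above (remarks dropped), with the
# masked 172.xx.xx.xx PSN addresses replaced by 172.16.1.10 and 172.16.1.11.
ACL_DEFAULT = """\
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any range 135 139
 permit icmp any any
 permit udp any any eq tftp
 permit tcp any host 172.16.1.10 eq 8443 (ISE-Pri)
 permit tcp any host 172.16.1.11 eq 8443 (ISE-Sec)
 deny ip any any log
"""
```

Running `check_acl(ACL_DEFAULT, "172.16.1.10")` reports the two 8905 Swiss flows as blocked by this ACL and nothing else; adding `permit tcp/udp any host <PSN> eq 8905` before the final deny clears the list, and pointing the check at a PSN address the ACL does not name flags 8443 as well, which is the quickest way to catch a wrong or moved PSN address.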
NAC Agent Not Working on Windows 64-Bit
Hi All ,
I have a Cisco ISE 3315 with version 1.1.4.
We have Windows workstations and we have some issues with Windows 7 64-bit users!
On some 64-bit workstations the NAC agent takes about 25 minutes to start checking the posture status!
I don't have that problem with 32-bit workstations. We are using NAC Agent 4.9.0.37 and NAC agent 4.9.0.42!
Here is the log that I get from the 64-bit workstation.
Hi
Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may be not responding fast enough for current timeouts.
Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant.
Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information -
Hello Guys, me again
I'm seeing an issue when the client tries to install the NAC agent on his PC.
The client reports that an update is available, for which I click OK; then it appears to download the new agent (really fast btw) and then it starts installing it. Once that's done it reports again that an update is available and the process starts all over and keeps going on indefinitely.
The only way I managed to get around it was by disabling the "upgrade mandatory" setting on the client provisioning policy. I still get the "an upgrade is available" message, only with that setting disabled I can hit cancel and continue.
Another thing that I'm seeing is that the agent I see installed on the client is 4.9.0.36, but the ISE only has 4.9.0.37, so I don't know where the .36 is coming from if nothing has been previously installed on the client.
Has anybody else run into this issue before?
Thanks in advance,
Luis Raga
I'm getting the same issue. I have agents running version 4.7.2.10 and the new version that they are being prompted to install is version 4.9.2.8. The install starts and seems to complete, but when the NAC agent restarts the user is prompted to reinstall the new agent. When you check the version of the NAC agent installed it is still 4.7.2.10.
Sachin -
Run NAC agent before user login - Win7?
Greetings all and thanks in advance for any advice! Environment details: ISE 1.2 Patch 5 and Cisco NAC agent 4.9.3.
I have all of the authen/authz policies working and functioning properly, however, I have run into an issue with the NAC agent running posture only after user login. This is causing some grief, mainly that users' required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied. I was hoping that posture would complete long before Windows login was even an option for the user, but for some reason I appear to require an interactive login to get the NAC agent to run posturing. Any thoughts or ideas on this? I tried the NAC agent installation with a couple of different user accounts on the Windows hosts but without success; it will only posture once I have an interactive login. I went pretty deep on the removal of the posture conditions, down to simply checking a single Windows service, but it didn't make any difference. Thanks for any advice!!
IA
Thanks for the reply Saurav, I should have clarified a design point. I am not doing any user authentication, only doing a machine authen. As I mentioned, I can't seem to posture pre-user authentication even though I am not doing any user authentication.
IA -
Hi,
Recently I am facing a problem with the NAC agent: it does not check for the updates when the user is logged in, and a message comes up (please check the attachments).
Please help me!!!
Recently, when the user is logging off and logging on, the NAC agent proceeds to check again and again; this problem is
straining the user, who faces this check every time, and wasting time.
What I know is that NAC proceeds to check if the user is rebooting the machine, but for login and logoff!?
Is there any solution to prevent this issue?