NAC Agent Login Trouble
I'm a student at Georgia Southern University. I use a Lenovo X200 Tablet with Windows 7 Ultimate 32-bit. Up until last week I had no trouble with NAC agent logging into my university's network. Since last Monday or so, when I log in it says I have to update current Windows, but Windows is totally up to date, including optional updates, everything but language packs.
I've tried system restore, I've tried fixing registry issues, I've scanned for viruses, re-updated Windows, and reinstalled NAC agent. Nothing seems to work; it just won't recognize I'm up to date. I took it to my IT department (resnet), and they didn't help at all.
Any ideas on how to fix this?
Jonas,
Sorry for the late reply. Can you ask your university IT folks what the failure report shows for your PC in their CCA reports section? The key thing to look for is whether it's a particular update that CCA is hanging up on or not.
Please advise.
Thanks,
Faisal
Similar Messages
-
NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?
Agent Fails to Initiate Posture Assessment
The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from ISE ADM PRI are installed in the trustable certificate store on the client machine, but it is a self-signed ISE certificate.
The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
The redirected URL is working fine (SEE Evidence)
We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
The operations status remains with posturing status pending forever and nothing else happens.
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions
Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
Cisco Advises as Possible Causes
There are multiple possible causes for this type of issue. See the following Resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidence.
CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
Resolution
• Ensure that the agent is running on the client machine. ALL TESTED OK
• Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE. - OK
• Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (See evidence)
• Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
• If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
• Ensure that the default gateway is reachable from the client machine. (TESTED OK)
Hi.
Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
regards
Zubair -
Urgent- Login disabled for NAC Agent
Hi All,
Not able to log in to the NAC Agent after downloading and installing it on a Windows XP machine.
Please find the attached logs collected through Cisco Log Packager.
Please help us in troubleshooting this issue.
An early response is appreciable.
Note:
Thanks,
Abuzar
Hi Abuzar,
Is this a L2 or L3 setup?
Is the CAS in VGW or Real-IP mode?
On the NAC Agent logs I see that the client tries first TCP/8905 discovery to 10.0.0.1 (default GW) and 192.168.1.10 (Discovery Host), then UDP discovery both in L2 to address 10.0.0.1 (on port 8905) and in L3 to the address 192.168.1.10 (on port 906), but none of these discovery methods returned a response from the CAS.
Make sure that the discovery traffic hits the CAS, and then that the SSL certificate installed on the CAS points correctly to the IP address of the CAS (the service IP if you're in HA mode).
In L2, the discovery should succeed with the attempt to contact the default gateway, as the CAS is either going to be the default gateway itself (in case of L2/Real-IP) or it's going to intercept this traffic (in L2/VGW).
If you're in L3 (meaning that you have at least 1 hop between the client machine and the CAS) make sure that L3 support is enabled on the CAS and that the traffic to the discovery host crosses or hits the CAS (the discovery host may be the CAS itself or a host on the trusted side of the network); in this case you will need to configure policy based routing accordingly.
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it. -
Run NAC agent before user login - Win7?
Greetings all and thx in advance for any advice! Environment details - ISE 1.2. Patch 5 and cisco NAC agent 4.9.3.
I have all of the authen/authz policies working and functioning properly; however, I have run into an issue with the NAC agent running posture only after user login. This is causing some grief, mainly that users' required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied. I was hoping that posture would complete long before Windows login was even an option for the user, but for some reason I appear to require an interactive login to get the NAC agent to run posturing. Any thoughts or ideas on this? I tried the NAC agent installation with a couple of different user accounts on the Windows hosts but without success; it will only posture once I have interactive login. I went pretty deep on the removal of the posture conditions to simply checking a single Windows service but it didn't make any difference. Thanks for any advice!!
IA
Thanks for the reply Saurav, I should have clarified a design point. I am not doing any user authentication, only doing a machine authen. As I mentioned I can't seem to posture pre-user authentication even though I am not doing any user authentication.
IA -
Use NAC Web Agent login with Ipad
Hello Guys,
I'm using NAC 4.8, and I'd like to log in using NAC Web Agent on an iPad.
When I'm trying to do that, I'm receiving a message on the iPad that I need to install the Java Plug-in, but there is no Java Plug-in available for iPad.
Does anyone know if there is any additional configuration that I have to do on NAC Manager to be able to access the network using NAC Web Login on iPad?
Best Regards
Hi Luciano,
Unfortunately, the NAC Web Agent and the persistent Agent are not supported for the iPad operating system. (It is called iOS). The following table documents this fact under footnote 3:
http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp125630
Only normal Web Login with Safari browser is enabled.
Hope this helps.
-Shrikant
P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks. -
NAC AGENT WEB Your Login session Failed { status = 5 }
Hi,
I have a problem with NAC agent web; has anyone seen this error before?
Your Login session Failed { status = 5 }
I tested all of the following, and all are OK:
• Test using another browser, Firefox for example
• Test using another operating system
• Check if there are any restrictions between the user VLAN and NAC VLANs
Thnx
Hi.
Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
regards
Zubair -
NAC Agent only prompts for username and login on wireless
Another question for the smart people of the world.
I have had a couple of laptops where the Cisco NAC agent will prompt for a password and verify the computer via the wireless network, but when I try to do that on the wired network, it sends me to the download page for the NAC agent. It doesn't seem to register that the NAC agent is installed and working even though it is.
Any thoughts?
Thanks
Hi Jonathan,
The NAC agent communicates with the CAS using the SWISS protocol. This protocol uses port 8095 for L2 adjacent devices to the CAS and 8096 protocol for L3 adjacent devices to the CAS. Have you checked if these ports are allowed through to the CAS for the wired clients? Do check whether the support logs on the CAM and CAS suggest something. If you can post the agent logs from the wired clients I could analyze and let you know where the process is failing.
Do let me know if this helps.
Regards,
Som -
Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4
Hi
My Cisco NAC Agent (version 4.9.1.682) doesn't work since I upgraded my Mac OS X 4 months ago. This happens every time with CISCO and MAC when there is a new update and it always seems to take forever to fix.
The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
Any update on when a new version is going to be released? It's getting really frustrating.
I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
Select Keychain Access -> Preferences from the menu at the top of the screen
Choose the Certificates tab
Change the OCSP option from Best Effort to Off
Close the Preferences dialog and quit Keychain Access
You should be able to NAC now -
NAC Agent reporting never shows a failure
I seem to only get reports for successful agent logins under Device MGMT>Clean Access>Clean Access Agent>Reports. Am I missing a setting somewhere? Even though I have had many failures (testing, etc) I never see a failed report. Any ideas?
Hello,
Could you please confirm what error message you are getting on the NAC agent (if using the NAC agent for posture validation)? The NAC agent will display the standard stuff such as 'temporary access', etc. The message displayed is based upon which requirement is failing, for example a standard AV installation check/rule.
Also, for this failing client, do you see a passed report or no report at all? Well, for the agents that ultimately pass posture assessment (even if a particular check/rule fails) we see a passed report. If the agent never gains access, IE never gets out of 'Temporary Access' we don't see any report. I am hoping that when a Agent fails posture assessment we will see a failed report. IE, we need a way for the service desk to be able to monitor failed sessions proactively, and with the minimal external alerts available (no email, etc) these failed reports would be key.
If we can't see no report at all, there may be something that breaks before that. I have pages and pages of successful reports, but not a single failed report.
A quick way to verify would be to collect the NAC agent's logs after a failure, under
Start > Program Files > Cisco > Client Utilities > Cisco Log Packager
I don't see this installed on any of the machines with an agent? Please advise where I can download it. Thanks. -
ISE 1.2 nac agent provision
Hi,
Is there any way to do a nac agent auto provision?
I know it can be achieved by CWA portal (web redirect) and the user has to install the NAC agent manually. But we would like to see the NAC agent be installed right after the user successfully logs in using 802.1x.
I don't follow your thought process, but this is how most of my deployments are set up.
CWA < NSP < COA < 802.1x < Posture Status Unknown *In this state either the client does or doesn't have the NAC agent, in which case ISE will proceed to install it or continue probing for the NAC agent.
Remove CWA < NSP < COA from the picture and you have your exact scenario. What does your workflow look like that it is not "automatic", and define what you mean by "manually"? -
After install NAC agent I must remove cable before open windows session normaly
Hi
I use ISE 1.1 and NAC agent 4.9
I have configured my Catalyst 2960 port with dot1x and installed the NAC agent on many computers
But I observed that I am unable to open a Windows session on some computers (Windows 7)
When I enter login and password, I get a black screen and nothing else; then if I remove the network cable from my computer, the black screen changes and moves to the Windows desktop normally
Why do I need to remove the network cable before getting to my desktop normally?
Please, how can I fix this issue?
Thanks in advance for your help
Hi
The given link might be helpful regarding your issue:
http://www.cisco.com/en/US/netsol/ns466/index.html
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html -
NAC agent don't popup on some computer
Hi
I use
ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
The NAC agent does not run on some computers and runs on others (Windows 7).
What can these problems be?
Please help
Regards
Please look into this, it might help you
Agent Login Dialog Not Appearing
Symptoms or Issue
The agent login dialog box does not appear to the user following client provisioning.
Conditions
This issue can generally take place during the posture assessment phase of any user authentication session.
Possible Causes
There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
Resolution
•Ensure that the agent is running on the client machine.
•Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
•Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
•Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports:
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
deny ip any any
•If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
•Ensure that the default gateway is reachable from the client machine. -
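As an added example (not part of the original post or of Cisco's documentation), this Python sketch parses the limited-access ACL quoted above and checks with first-match semantics that Swiss port 8905 is permitted over both TCP and UDP to the ISE address 80.0.80.2 used in that ACL. The function names are hypothetical, and the parser handles only the `any`, `host` and `eq` forms that appear in that ACL.

```python
# Added example: first-match check of the posture ACL quoted above.
# Supports only the forms used there: "any", "host A.B.C.D", "eq PORT".
ACL = """\
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
remark ping
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www --> Provides access to internet
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
permit tcp any host 80.0.80.2 eq 8905 --> posture (Swiss)
permit udp any host 80.0.80.2 eq 8905 --> posture (Swiss)
deny ip any any
"""
NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}
SWISS_PORT = 8905  # posture port named in the ACL above

def _endpoint(tokens):
    """Consume 'any' or 'host ADDR', then an optional 'eq PORT'."""
    addr = tokens.pop(0)
    if addr == "host":
        addr = tokens.pop(0)
    port = None
    if tokens[:1] == ["eq"]:
        name = tokens[1]
        del tokens[:2]
        port = NAMED_PORTS[name] if name in NAMED_PORTS else int(name)
    return addr, port

def parse_acl(text):
    """Return (action, proto, src, sport, dst, dport) for each ACL entry."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("-->")[0].split()  # drop the doc annotations
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # remarks, blank lines, wrapped annotation text
        rest = tokens[2:]
        src, sport = _endpoint(rest)
        dst, dport = _endpoint(rest)
        rules.append((tokens[0], tokens[1], src, sport, dst, dport))
    return rules

def decide(rules, proto, dst, dport=None, sport=None, src=None):
    """Return the action of the first matching entry (implicit deny at end)."""
    for action, r_proto, r_src, r_sport, r_dst, r_dport in rules:
        if (r_proto in ("ip", proto) and r_src in ("any", src)
                and r_dst in ("any", dst)
                and r_sport in (None, sport) and r_dport in (None, dport)):
            return action
    return "deny"

def missing_swiss(rules, ise):
    """List the Swiss flows to the ISE node that the ACL does not permit."""
    flows = [("tcp", ise, SWISS_PORT), ("udp", ise, SWISS_PORT)]
    return [f for f in flows if decide(rules, *f) != "permit"]
```

An empty list from `missing_swiss(parse_acl(ACL), "80.0.80.2")` means both posture flows pass the ACL; a non-empty list names the flow that the final `deny ip any any` would drop.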
Cisco ISE NAC agent and Microsoft roaming profiles
Hi there,
I have installed Identity Services Engine version 1.1.3 in distributed mode. The NAC agent is installed on the end user PC joined to the domain. When a user with a roaming profile logs into the PC, the NAC agent fails to run posture assessment, but if a user with a non-roaming profile logs in, the NAC agent does posture and full network access is granted.
Is there something I need to do to enable the NAC agent to perform posture for users with a roaming profile?
Regards,
Henry
Hello,
I found the following from the Cisco doc. Hope it helps!
The following failure scenarios might cause the Cisco NAC Agent to appear following successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band and Out-of-Band) and Layer 2 /Layer 3 Out-of-Band environments. Erroneous Agent login dialogs could also appear if users roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC network:
–ARP poisoning
–Temporary loss of network connection between the client machine and the CAS
–Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
Cisco offers the following recommendations to prevent this situation:
–Ensure all trusted networks (post-authentication) can reach the CAS untrusted interface IP address through the CAS trusted interface only
–Block discovery packets from all non-NAC networks to the CAS untrusted interface IP address (discovery packets that arrive on the trusted interface of the CAS are blocked by default)
For more information please refer to the following link:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html -
Hi,
Recently I am facing a problem with the NAC agent: it does not check for the updates when the user is logged in, and a message comes up (please check the attachments).
Please help me!!!
Recently, when the user is logging off and logging on, the NAC agent proceeds to check again and again; this problem strains the user, who faces this check every time and wastes time.
What I know is that the NAC proceeds to check if the user is rebooting the machine, but for login and logoff!
Is there any solution to prevent this issue? -
NAC Agent AD SSO delayed 10 minutes to logon
Hi,
I installed NAC in OOB layer 2 with AD SSO and the NAC AD SSO process is very slow (about 10 minutes)
I first logon on Windows with username and password in the domain.
After about of 1-2 minutes, the NAC Agent stays in the system tray and shows to me the certificate message:
I click yes, and after about 5 minutes the NAC Agent shows me the certificate message again. I click yes again, then the NAC Agent pops up with the message: "Executing automatic login Windows Domain for NAC":
After about 3 minutes the NAC Agent gives me access to the network:
I configured rules for Unauthenticated Role to allow:
TCP - 88,135,139,389,445,636,1025,1026,3268,49152-65535
UDP - 88,123,137,389,636
ICMP - Allowed ICMP to Domain Controller
Its about 10 minutes to logon, I tested in Windows XP, Windows Vista and Windows 7 machines.
Thanks
Moises Araujo
Tarik Adman,
I executed the nslookup in the machine that I am testing and in the NAC Server, there are three AD Servers, and they are the same in the machine and in the NAC Server.
I already added the policy to permit the requested ports in the Unauthenticated Role for the three AD Servers:
TCP: 88,135,139,389,445,636,1025,1026,3268,49152-65535
UDP: 88,123,137,389,636
ICMP to the three AD (I can ping the three AD from the cmd on the testing machine when I am waiting to authenticate)
The NAC Agent is still showing the certificate two times, and after about 5 minutes it tries to log on to the Windows Domain (about 3 minutes to log on)
Thanks
Moises