NAC Agent Login Trouble

Similar Messages

• NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

  Agent Fails to Initiate Posture Assessment
  The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
  The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
  The redirected URL is working fine (SEE Evidence)
  We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
  The operations status remains with postering status pending forever and nothing else happens.
  Symptoms or Issue
  The agent login dialog box does not appear to the user following client provisioning.
  Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
  authentication session.
  Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
  Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
  CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
  Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
  • Ensure that the Cisco IOS release on the switch is equal to or more recent than
  Cisco IOS Release 12.2.(53)SE. - OK
  • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
  agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
  choose Properties, and check the discovery host.) - OK (See evidence)
  • Ensure that the access switch allows Swiss communication between Cisco ISE
  and the end client machine. Limited access ACL applied for the session should
  allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
  • If the agent login dialog still does not appear, it could be a certificate issue.
  Ensure that the certificate that is used for Swiss communication on the end client
  is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
  • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

  Hi.
  Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
  regards
  Zubair

• Urgent- Login disabled for NAC Agent

  Hi All,
  Not able to Login NAC Agent after downloading and installing in windows XP machine.
  Please find the  attached Logs collected through cisco log packager.
  Please help us in trouble shooting this issue.
  An early response is apprciable.
  Note:
  Thanks,
  Abuzar

  Hi Abuzar,
  Is this a L2 or L3 setup?
  Is the CAS in VGW or Real-IP mode?
  On the NAC Agent logs I see that the client tries first TCP/8905 discovery to 10.0.0.1 (default GW) and 192.168.1.10 (Discovery Host), then UDP discovery both in L2 to address 10.0.0.1 (on port 8905) and in L3 to the address 192.168.1.10 (on port 906), but none of these discovery methods returned a response from the CAS.
  Make sure that the discovery traffic hits the CAS, and then that the SSL certificate installed on the CAS points correctly to the IP address of the CAS (the service IP if you're in HA mode).
  In L2, the discovery should succeed with the attempt to contact the default gateway, as the CAS is either going to be the default gateway itself (in case of L2/Real-IP) or it's going to intercept this traffic (in L2/VGW).
  If you're in L3 (meaning that you have at least 1 hop between the client machine and the CAS) make sure that L3 support is enabled on the CAS and that the traffic to the discovery host crosses or hits the CAS (the discovery host may be the CAS itself or a host on the trusted side of the network..); in this case you will need to configure policy based routing accordingly.
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• Run NAC agent before user login - Win7?

  Greetings all and thx in advance for any advice! Environment details - ISE 1.2. Patch 5 and cisco NAC agent 4.9.3.
  I have all of the authen/authz policies working and functioning properly, however, I have run into an issue with the NAC agent running posture only after user login.  This is causing some grief, mainly that users required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied.  I was hoping that posture would complete long before windows login was even an option for the user but for some reason I appear to require an interactive login to get the NAC agent to run posturing.  Any thoughts or ideas on this?  I tried the NAC agent installation with a couple of different user accounts on the windows hosts but without success, it will only posture once I have interactive login.  I went pretty deep on the removal of the posture conditions to simply checking a single windows service but it didn't make any difference.  Thanks for any advice!!
  IA

  Thanks for the reply Saurav, I should have clarified a design point.  I am not doing any user authentication, only doing a machine authen.  As I mentioned I can't seem to posture pre-user authentication even though I am not doing any user authentication.
  IA

• Use NAC Web Agent login with Ipad

  Hello Guys,
  I'm using NAC 4.8, and I'd like to login using NAC Web Agent on Ipad.
  When I'm trying to do that, I'm receiving a message on Ipad that I need to install Java Plug-In, but there is no JavaPlug-in available for Ipad.
  Does anyone know if there is any aditional configuration that I have to do on NAC Manager to be able to access the network using NAC Web Login on Ipad ?
  Best Regards

  Hi Luciano,
  Unfortunately, the NAC Web Agent and the persistant Agent are not supported for the iPad operating system. (It is called iOS). The following table documents this fact under footnote 3:
  http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html#wp125630
  Only normal Web Login with Safari browser is enabled.
  Hope this helps.
  -Shrikant
  P.S.: Please mark this question as answered if it has been resolved. Do rate helpful posts. Thanks.

• NAC AGENT WEB Your Login session Failed { status = 5 }

  Hi,
  I have a problem with NAC agent web, did someone seen this error before ?
  Your Login session Failed  { status = 5 }
  I tested all these following , and all are Ok :
  • Test using another browser, Firefox for example
  • Test using another operating syste
  • Check if there any restrictions between the user vlan and nac vlans
  Thnx

  Hi.
  Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
  regards
  Zubair

• NAC Agent only prompts for username and login on wireless

  Another question for the smart people of the world.
  I have had a couple laptops where the cisco NAC agent will prompt for a password and verify the computer via the wirless network but when I try to do that on the wired network, it sends me to the download page for the NAC agent. It doesnt seem to register that the NAC agent is installed and working even though it is.
  Any thoughts?
  Thanks

  Hi Jonathan,
  The NAC agent communicates with the CAS usiing the SWISS protocol. This protocol uses port 8095 for L2 adjacent devices to the CAS and 8096 protocol for L3 adjacent devices to the CAS.  Have you checked if these ports are allowed through to the CAS for the wired clients?  Do check the support logs on the CAM and CAS suggest something. If you can post the agent logs from the wired clients I could analize and let you know where the process is failing.
  Do let me know if this helps.
  Regards,
  Som

• Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

  Hi
  My Cisco NAC Agent  (version 4.9.1.682) doesn't work since I upgraded my Mac OS X  4 months ago, This happens every time with CISCO and MAC when there is a new update and it always seems to take forever to fix.
  The NAC agent just keeps asking for my login in details even though there are correct (I can log in with a PC no problem).
  Any update on when a new version is going to be released - Its getting really frustrating?

  I figured out a solution that works you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this :
      Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
      Select Keychain Access -> Preferences from the menu at the top of the screen
      Choose the Certificates tab
      Change the OCSP option from Best Effort to Off
      Close the Preferences dialog and quit Keychain Access
      You should be able to NAC now

• NAC Agent reporting never shows a failure

  I seem to only get reports for successful agent logins under Device MGMT>Clean Access>Clean Access Agent>Reports.  Am I missing a setting somewhere?  Even though I have had many failures (testing, etc) I never see a failed report.  Any ideas?

  Hello,
  Could you please confirm what error message you are getting on the NAC agent (if using the NAC agent for posture validation)?  The NAC agent will display the standard stuff such as 'temporary access', etc.  The message displayed is based upon which requirement is failing, for example a standard AV installation check/rule.
  Also, for this failing client, do you see a passed report or no report at all? Well, for the agents that ultimately pass posture assessment (even if a particular check/rule fails) we see a passed report.  If the agent never gains access, IE never gets out of 'Temporary Access' we don't see any report.  I am hoping that when a Agent fails posture assessment we will see a failed report.  IE, we need a way for the service desk to be able to monitor failed sessions proactively, and with the minimal external alerts available (no email, etc) these failed reports would be key. 
  If we can't see no report at all, there may be something that breaks before that. I have pages and pages of successful reports, but not a single failed report.
  A quick way to verify would be to collect the NAC agent's logs after a failure, under
  Start > Program Files > Cisco > Client Utilities > Cisco Log Packager I don't see this installed on any of the machines with an agent?  Please adivse where I can download it.  Thanks.

• ISE 1.2 nac agent provision

  Hi,
  Is there any way to do a nac agent auto provision?
  I know it can be achieve by cwa portal(web redirect) and user have to install nac agent manually. But we would like to see nac agent be installed right afeter user successfully login using 802.1x.

  I dont follow your thought process but this is how i have most of my deployments are setup. 
  CWA < NSP < COA < 802.1x < Posture Status Unknown *In this state either client does or doesnt have nac agent in which ISE will proceed to install it or continue probing to for the NAC agent. 
  Remove CWA < NSP < COA from the picture and you have your exact scenario. What is your work flow look like that it is not "automatic" and define what you mean by "manually"?

• After install NAC agent I must remove cable before open windows session normaly

  Hi
  I use ISE 1.1 and NAC agent 4.9
  I have configure my catalyst 2960 port with dot1x and install NAC agent on many computer
  But I observed that I am unable to open windows session on some computer (windows 7)
  When I enter login and password, then I got black screen and nothing else, then if I remove the network cable on my computer, the black screen change and move to the windows desktop normaly
  Why do I need to remove network cable before get to my desktop normaly ?
  Please How can I fixed this issue ?
  Thanks in advance for your help

  Hi
  The given link might be helpful regarding your issue:
  http://www.cisco.com/en/US/netsol/ns466/index.html
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html

• NAC agent don't popup on some computer

  Hi
  I use
  ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
  NAC agent  does not run on some computers and run on other(windows 7).
  What can be these problems?
  Please help
  Regards

  Please look in to this , it might help you
  Agent Login Dialog Not Appearing
  Symptoms or Issue
  The agent login dialog box does not appear to the user following client provisioning.
  Conditions
  This issue can generally take place during the posture assessment phase of any user authentication session.
  Possible Causes
  There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
  Resolution
  •Ensure that the agent is running on the client machine.
  •Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
  •Ensure  that the discovery host address on the Cisco NAC agent or Mac OS X  agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
  •Ensure  that the access switch allows Swiss communication between Cisco ISE and  the end client machine. Limited access ACL applied for the session  should allow Swiss ports:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  •If  the agent login dialog still does not appear, it could be a certificate  issue. Ensure that the certificate that is used for Swiss communication  on the end client is in the Cisco ISE certificate trusted list.
  •Ensure that the default gateway is reachable from the client machine.

• Cisco ISE NAC agent and Microsoft roaming profiles

  Hi there,
  I have installed Identity services engine version 1.1.3 in didstributed mode. The NAC agent is installed on the end user PC joined to the domain. when a user with a roaming profile logs into the PC, the NAC agent fails to run posture assesment, but if a user with non-roaming profile logs in, the NAC agent does posture and full network access is granted.
  Is there something i need to do to enable the NAC agent to perform posture for users with a roaming profile.
  Regards,
  Henry

  Hello,
  I found the following from the cicso doc. Hope it helps!
  The following failure  scenarios might cause the Cisco NAC Agent to appear following successful  user authentication when the client machine roams between CASs in Layer  3 (both In-Band and Out-of-Band) and Layer 2 /Layer 3 Out-of-Band  environments. Erroneous Agent login dialogs could also appear if users  roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC  network:
  –ARP poisoning
  –Temporary loss of network connection between the client machine and the CAS
  –Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
  Cisco offers the following recommendations to prevent this situation:
  –Ensure  all trusted networks (post-authentication) can reach the CAS untrusted  interface IP address through the CAS trusted interface only
  –Block  discovery packets from all non-NAC networks to the CAS untrusted  interface IP address (discovery packets that arrive on the trusted  interface of the CAS are blocked by default)
  For more information please refer to the following link:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html

• NAC Agent Problem

  Hi,
  recently i am facing a probelm with NAC agent , it does not check for the updates when the user is login , there is a massege come ( please check the attchments ) .
  please help me !!!

  Recently , when the user is loging off & loging on , the NAC agent proceed for checking again & again , this problem is
  strain the user of every time his faceing this check & time waste . 
  what i know the NAC is proceed for check if the user is rebooting the machine , but for login & logoff !!!!!!!!.
  there is any solution to prevent this issue .

• NAC Agent AD SSO delayed 10 minutes to logon

  Hi,
  I installed NAC in OOB layer 2 with AD SSO and the NAC AD SSO process is very slow (about 10 minutes)
  I first logon on Windows with username and password in the domain.
  After about of 1-2 minutes, the NAC Agent stays in the system tray and shows to me the certificate message:
  I click in yes and after about 5 minutes, the NAC Agent shows to me the certificate message again. I click in yes again then the Nac Agent popup with the message: "Executing automatic login Windows Domain for NAC":
  After about 3 minutes the Nac Agent gives me access to network:
  I configured rules for Unauthenticated Role to allow:
  TCP - 88,135,139,389,445,636,1025,1026,3268,49152-65535
  UDP - 88,123,137,389,636
  ICMP - Allowed ICMP to Domain Controller
  Its about 10 minutes to logon, I tested in Windows XP, Windows Vista and Windows 7 machines.
  Thanks
  Moises Araujo

  Tarik Adman,
  I executed the nslookup in the machine that I am testing and in the NAC Server, there are three AD Servers, and they are the same in the machine and in the NAC Server.
  I already added the policy to permit the requested ports in the Unauthenticated Role for the three AD Servers:
  TCP: 88,135,139,389,445,636,1025,1026,3268,49152-65535
  UDP: 88,123,137,389,636
  ICMP to the three AD (I can ping the three AD from de cmd testing machine when I am waiting for authenticate)
  The NAC Agent is still showing  two times the certificate and after about 5minutes he try to logon in the Windows Domain (about 3 minutes to logon)
  Thanks
  Moises