NAC agent-multiple antivirus version

Hi,
customer has two version of McAfee antivirus. What I need is - user get the same role when login to PC with version X or PC with version Y. Is it possible to create AV install rule with OR logic? Something like if on PC is installed version X OR version Y pass check and give user Role USER.
Thanks for help.

1] What are the different category checks that NAC can implement? (for example, anti-virus, operating system, registry check, …)
Faisal: All of the above. It would take a good sized chapter to detail all you're asking for above in Q1, so I would therefore suggest a book for you to pick up and read. The title is "Cisco NAC Appliance: Enforcing Host Security with Clean Access (Paperback)" ISBN for this book is 1587053063.
Also see the Video-On-Demand which explains all the requirement/rules etc. VODs are located here: http://tinyurl.com/d74t9u and you're looking for VOD 5
2] Service/Warranty: how much is it to renew the software licenses after the warranty expires?
Also, how much is it for the Yearly Subscription/maintenance of Licenses?
Suppose if we didn't renew the service, will our NAC work without updates?
Faisal: Your account team is the best resource for this. I don't know the pricing. NAC will continue to work without renewal of service - you just won't get support for it.
3] Can we enforce updates using a PC placed in quarantine/inside/trusted area instead of using the internet (remediation server)?
Faisal: Yes, you can have your internal remediation servers you can point your clients to.
4] Application check of end point: does it check for Evaluation, trail, licensed, or un-licensed version of any application (for example, anti virus, OS, …)?
Faisal: Yes to all. The rule/requirement capabilities of CCA are very flexible and you can get quite creative
5] Let's say we configured the appliance to be VPN, thereafter is it possible to change it to wireless? If yes, how difficult it is?
Faisal: Same CAS can work for both wireless and VPN. How difficult? Depends on your network. Your account team again would be the best resource to get you a design
6] After implementing the NAC VPN solution in a single-sign-on, how much time delay will it add to authenticating a remote user? In other words, will there be a considerable delay?
Faisal: Delay for authentication is minimal (two seconds to five seconds) If you client however needs rememdiation, that delay is separate.

Similar Messages

  • Different between cisco NAC agent and cisco Clean Access Agent

    Hi all,
    if anyone has idea about different between cisco NAC agent and cisco Clean Access Agent, please share your ideas.
    thank you

    In 4.6, the agent was overhauled and is now called the NAC agent.  Previous versions were referred to as the Clean Access Agent.  So pretty much, the 4.5 agent and 4.1.3.2 agents are Clean Access agents, and the 4.6.x and 4.7.x agents are called NAC agents.
    Some of the changes made were moving a lot of the agent configuration to an XML file, redesigning the GUI, adding a service portion (so that the stub agent is no longer required), and better agent logging.

  • Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

    Hi All,
    We have posture assessment working with cisco Nac agent. Checking only symantec Antivirus def update and installation. Since there is windows defender in all the user pcs and turned off not in use. But cisco Nac agent is showing both windows defender and symantec in List of Antivirus & Anti-Spyware Products Detected by the Agent field. We dont want windows defender to show in this list.
    Anyone encountered this list before?? Please suggest.. I want to get rid of windows defender from this list in nac agent.

    Closest enhancement I could check on this is
    CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
    Currently Windows Defender AnitSpyware comes installed on all Windows 7 machines.  Many users disable this and install their own AntiSpyware product.  Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
    This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • NAC Agent cannot "see" virus defs (Symantec Endpoint version 12) (PIC included)

    Can anyone help?  This prevents the PC from passing posture assement and places it in a "temporary role".  I know how to disable the scan, but we would like it to work correctly.
    Same results on several PCs, Windows Xp SP2 or SP3, Windows 7 (32 or 64-bit).  See screenshot.
    Thanks,
    -=Mike G.
    Michael A. Gloomis
    Sr. Infrastructure Engineer
    NAITS - DENSO International America
    Desk: (248) 372-8158
    Fax: (248) 213-2469

    Hey Federic... thanks for messaging.
    We are running the 4.7.4.2 NAC Agent, however I cannot find any info on the "compliance module".  ???
    -=Mike G.

  • NAC agent don't popup on some computer

    Hi
    I use
    ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
    NAC agent  does not run on some computers and run on other(windows 7).
    What can be these problems?
    Please help
    Regards

    Please look in to this , it might help you
    Agent Login Dialog Not Appearing
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions
    This issue can generally take place during the posture assessment phase of any user authentication session.
    Possible Causes
    There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
    Resolution
    •Ensure that the agent is running on the client machine.
    •Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
    •Ensure  that the discovery host address on the Cisco NAC agent or Mac OS X  agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
    •Ensure  that the access switch allows Swiss communication between Cisco ISE and  the end client machine. Limited access ACL applied for the session  should allow Swiss ports:
    remark Allow DHCP
    permit udp any eq bootpc any eq bootps
    remark Allow DNS
    permit udp any any eq domain
    remark ping
    permit icmp any any
    permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
    permit tcp any host 80.0.80.2 eq www --> Provides access to internet
    permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
    port
    permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    permit udp any host 80.0.80.2 eq 8905 --> This is for posture
    communication between NAC agent and ISE (Swiss ports)
    deny ip any any
    •If  the agent login dialog still does not appear, it could be a certificate  issue. Ensure that the certificate that is used for Swiss communication  on the end client is in the Cisco ISE certificate trusted list.
    •Ensure that the default gateway is reachable from the client machine.

  • NAC Agent 4.9 issue while remediation with in ISE

    We are installed NAC agent 4.9 where we have configured posture policy for Symantec Endpoint Protection version 11x  in ISE 1.1.1. Where when enduser fallen down to remediation and try to remediate to collect the latest anti virus definitions from Local Antivirus, when clicking on the update button we get a message stating
    "The Remediation you are attempting is reporting an access denied error.  This is usually due to a privileg issue.  Please contact your system
    administrator"
    It continuosly asking that prompt and giving that priviligae message.
    Are we need to have administrator rights for remediation ? and  this prompt is appearing again and again till the remediation timer and then it fallen down to Non-compliant (Restricted ) profile.
    Please find attached screen shots for the same

    I figured out a solution that works you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this :
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • NAC agent failing to popup

                       Dears,
    I have two ISE appliances installed in a distributed deployment (primary "ISE1" and secondary "ISE2"), each node has the three personas installed on it. The servers are registered together and the replication is working properly between the nodes.
    When we are working on the first node everything is fine, if I try to disconnect ISE1 and do my tests on ISE2, the cisco NAC agent doesn't popup, unless I uninstall it and reinstall it again from the ISE2. Then it will work properly.
    Note: the NAC agent version is the following: nacagent-4.9.0.37.
    Any idea?
    Regards
    Zahi

    Hi Tarik,
    below are my answers:
    1- The content of the dACL:
    ip access-list extended POSTURE-REMEDIATION
    permit udp any any eq domain
    permit ip any host 10.10.10.125         >>>> antivirus server
    permit ip any 10.10.240.0 0.0.0.255   >>>> voice subnet
    permit ip any 10.10.31.0 0.0.0.255    >>>> quarantine vlan subnet
    permit ip any host 10.10.10.238        >>>> ip add of ISE1
    permit ip any host 10.10.10.239        >>>> ip add of ISE2
    permit ip any host 10.10.10.206        >>>> wsus server
    permit ip any host 10.10.10.10          >>>> domain 1
    permit ip any host 10.10.10.100          >>>> domain 2
    2- When I open a web browser, yes I get redirected to the nac agent download page
    3- outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE1:
    sw#sho authentication sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  b8ac.6fc9.b26f
               IP Address:  10.10.31.2
                User-Name:  RJ\15592
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  31
                  ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
         URL Redirect ACL:  ACL-POSTURE-REDIRECT
             URL Redirect:  https://RJ-ISE-1.rj.com:8443/guestportal/gateway?session
    Id=0A0A0C86000000186ADBBD8B&action=cpp
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000186ADBBD8B
          Acct Session ID:  0x00000023
                   Handle:  0x31000018
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    sw#sho authentication sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  b8ac.6fc9.b26f
               IP Address:  10.10.30.12
                User-Name:  RJ\15592
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  30
                  ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-4f57e406
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000186ADBBD8B
          Acct Session ID:  0x00000023
                   Handle:  0x31000018
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    outputs of the show authentication session interface fast 0/12, when the agent pops up with ISE2:
    sw#sho auth sessions int fast 0/12
                Interface:  FastEthernet0/12
              MAC Address:  0025.6458.8409
               IP Address:  10.10.31.8
                User-Name:  RJ\15946
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  31
                  ACS ACL:  xACSACLx-IP-POSTURE-REMEDIATION-4fe82900
         URL Redirect ACL:  ACL-POSTURE-REDIRECT
             URL Redirect:  https://RJ-ISE-2.rj.com:8443/guestportal/gateway?session
    Id=0A0A0C86000000206AF3FAC1&action=cpp
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0A0C86000000206AF3FAC1
          Acct Session ID:  0x0000002B
                   Handle:  0x2C000020
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    you may find attached also the pcap file of the client machine when it is authenticating with the ISE2.
    Thank you in advance
    Zahi
    Message was edited by: ZAHI BOU KHALIL

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
    The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
    The redirected URL is working fine (SEE Evidence)
    We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
    The operations status remains with postering status pending forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
    authentication session.
    Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
    Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than
    Cisco IOS Release 12.2.(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
    agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
    choose Properties, and check the discovery host.) - OK (See evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE
    and the end client machine. Limited access ACL applied for the session should
    allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue.
    Ensure that the certificate that is used for Swiss communication on the end client
    is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
    My Cisco NAC Agent  (version 4.9.1.682) doesn't work since I upgraded my Mac OS X  4 months ago, This happens every time with CISCO and MAC when there is a new update and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login in details even though there are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released - Its getting really frustrating?

    I figured out a solution that works you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this :
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • ISE and NAC Agent

    Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) enviroments. We are looking at migrating over to ISE for our wireless enviroment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC enviroment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this enviroment, we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically, is NOT listed in the NAC compatiblity matrix. So what version of NAC agent should we run in a mixed enviroment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

    Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC applainces, we would still run that agent. Does that agent tun against ISE, and if not, what is Cisco's recommendation to bring ISE into the enviroment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE as our laptops will be wireless and wired at different times. Which Agent would be recommended?

  • ISE nac Agent automatic upgrade possible ?

    Hello all,
    I have this :
    802.1x windows with NacAgent version (let's say 1) <----> 802.1x Enabled Switch (aaa radius OK) <------> ISE and AD on the same LAN
    ISE is configured for client provisionning with material (NacAgent version 2) downloaded from Cisco website (as depicted in the documentation)
    I've a basic authentication and authorization scheme that let me in properly but I expect the NACAgent to be upgraded.
    No profiling is configured for the time being.
    Is anybody can help ?
    Best regards ?

    Hi Tarik,
    Your are right regarding that option "upgrade is mandatory"
    However, my case was that you do need to enter the ISE's FQDN on the NAC Client and make sure that DNS operates properly.
    Once authenticated, the NAC agent shows an upgrade message.
    It works.
    Thank you all.

  • Determining which NAC Agent to use for ISE

    We are planning an upgrade to our ISE environment from 1.1.4 to 1.2. I have downloaded the agent that is recommended for 1.2 (NAC Agent 4.9.4.3) to begin testing with it. Unfortunately the first test I run is using that client against our ISE 1.1.4 servers. It doesn't work! It runs sporadically at best, taking up to 3 minutes to pop up and posture the system. Other times, I give up, after 20 minutes of waiting, and it never runs. This is quite a spot, I do not want to upgrade the ISE system to 1.2, then run into an issue and have to mass upgrade over 2000 clients all at once to get them running. My hope was to upgrade to the NAC Agent prior to the ISE upgrade but unfortunately that has been short circuited.
    So my question is, has anyone run ISE 1.2 with NAC Agent 4.9.1.6? That is what we are currently using, as it runs well against both ISE 1.1.4, and NAC 4.9.1 (which is still used for our wired environment). We need to find an agent we can use to bridge us from the time we upgrade ISE to 1.2, and the time we bring our wired environment into the ISE fold and remove NAC appliance. I should note, ironically, that 4.9.4.3 NAC Agent runs flawlessly against the NAC 4.9.1 appliance. The issue is running that NAC Agent against ISE 1.1.4. That is ecactly the opposite of what I would have guessed! Please help!
    Jeff

    Yes sir, I am aware of that recommendation, however once I downloaded and started testing several clients with that version, none of them run well, if at all, against 1.1.4 which is the current production version we run in our environment. So I would have to either upgrade all 2000 clients immediately after we upgrade or ISE system to 1.2, or take a chance that our current agent (4.9.1.6) will run against ISE 1.2. I was hoping to find a recommendation of an agent version that runs well against both ISE 1.1.4 and ISE 1.2 so we could upgrade the clients at a controlled rate prior to upgrading ISE to 1.2

  • Nac Agent Not Working on Windows 64 Bit

                       Hi All ,
    I have a Cisco ISE 3315 With Version 1.1.4 .
    We have Windows Work Station and we have some issue with Windows 7 64 Bit users !!
    On Some 64 Bit Workstation the nac Agent is getting about 25 Minute to start Checking the Posture Statu !!
    I don't Havec that Proble With 32 Bit Workstation . We are using Nac Agent 4.9.0.37 and Nac agent 4.9.0.42!!
    Here is log that i get From the 64 bit Workstation

    Hi
    Verify that supplicant is configured properly to conduct a full EAP conversation with ISE. Verify that NAS is configured properly to transfer EAP messages to or from supplicant. Verify that supplicant or network access server (NAS) does not have a short timeout for EAP conversations. Check the network that connects the NAS to ISE. If the external ID store is used for the authentication, it may be not responding fast enough for current timeouts.
    Check whether the proper server certificate is installed and configured for EAP by going to the Local Certificates page (Administration > System > Certificates > Local Certificates ). Also ensure that the certificate authority that signed this server certificate is correctly installed in client's supplicant.
    Check the previous steps in the log for this EAP-TLS conversation for a message indicating why the handshake failed. Check OpenSSLErrorMessage and OpenSSLErrorStack for more information

  • NAC Agent is not responding to ISE

    Hi All,
    Cisco NAC Agent got downloaded to the client during client provisioning. After that also Posture status is showing as 'Not applicable'.
    Also Redirection is only happening if i type any ip address ex.1.1.1.1 on the browser. if i type google.com, its not redirecting.
    ISE is in Cluster mode 1 Admin, 1 Monitor, 1 PSN. Version 1.2.1.198.
    Note: Before the upgrade it was showing 'Posture Pending' status. 

    what is the NAC version?
    could be a bug CSCuq52821

  • NAC Agent Installation "loop"

    Hello Guys, me again
    I'm seeing an issue when the client tries to install the NAC agent on his PC.
    The client reports that an update is available for which I click OK, then it appears to download the new agent (really fast btw) and then it starts installing it. Once that's done it reports again that an update is available and the process starts all over and keeps going on indefinetely.
    The only way I managed to get around it was by disabling the "upgrade mandatory" setting on the client provisioning policy. Still I get the "an upgrade is available" message only that with that setting disabled I can hit cancel and continue.
    Another thing that I'm seeing is that client that I'm seeing as installed on the client is 4.9.0.36 but the ISE only has 4.9.0.37 so I dont know where the .36 is coming from if nothing has been previously installed on the client.
    Has anybody else run into this issue before?
    Thanks in advance,
    Luis Raga

    I'm getting the same issue. I have agents running version 4.7.2.10 and the new version that they are being prompted to install is version 4.9.2.8. The install starts and seems to complete, but when the NAC agent restarts the user is prompted to reinstall the new agent. When you check the version of the NAC installed it is still 4.7.2.10.
    Sachin

Maybe you are looking for