NAC agent on Wireless runs everytime we switch controllers

Similar Messages

• Cisco NAC agent services not running on Windows XP

  Hi,
  I've problem with Cisco NAC agent services on Windows XP professional SP3.
  After first installation using user local administrator, the services of Cisco NAC agent on windows machine running well, but after logout, and login using another user which is registered in domain users, the services of Cisco NAC agent is going to stopped (going to Manual mode not automatic, and the status is stopped).
  This situation is not happened on all windows machines, several machines running well.
  Cisco NAC agent version 4.9.0.42
  Has anyone seen this type of problem?
  Below i attached windows machine information from ones running well and not running, Thanks
  Regards,
  Rian

  Hi thanks for your answers, dbconsole is started in services.msc and also Agent, but goes on to say that the agent is not running.
  In sysman log shows this,
  "03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
  oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
  at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
  at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
  at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
  at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
  at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
  at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
  at
  at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
  at java.lang.Thread.run (Thread.java: 595)
  20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
  In event viewer shows this,
  "Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
  I am using the Administrator account

• ISE and NAC Agent

  Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) enviroments. We are looking at migrating over to ISE for our wireless enviroment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC enviroment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this enviroment, we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically, is NOT listed in the NAC compatiblity matrix. So what version of NAC agent should we run in a mixed enviroment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

  Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC applainces, we would still run that agent. Does that agent tun against ISE, and if not, what is Cisco's recommendation to bring ISE into the enviroment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE as our laptops will be wireless and wired at different times. Which Agent would be recommended?

• NAC agent don't popup on some computer

  Hi
  I use
  ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
  NAC agent  does not run on some computers and run on other(windows 7).
  What can be these problems?
  Please help
  Regards

  Please look in to this , it might help you
  Agent Login Dialog Not Appearing
  Symptoms or Issue
  The agent login dialog box does not appear to the user following client provisioning.
  Conditions
  This issue can generally take place during the posture assessment phase of any user authentication session.
  Possible Causes
  There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
  Resolution
  •Ensure that the agent is running on the client machine.
  •Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
  •Ensure  that the discovery host address on the Cisco NAC agent or Mac OS X  agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
  •Ensure  that the access switch allows Swiss communication between Cisco ISE and  the end client machine. Limited access ACL applied for the session  should allow Swiss ports:
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  remark ping
  permit icmp any any
  permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
  permit tcp any host 80.0.80.2 eq www --> Provides access to internet
  permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal
  port
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  •If  the agent login dialog still does not appear, it could be a certificate  issue. Ensure that the certificate that is used for Swiss communication  on the end client is in the Cisco ISE certificate trusted list.
  •Ensure that the default gateway is reachable from the client machine.

• Cisco ISE NAC agent and Microsoft roaming profiles

  Hi there,
  I have installed Identity services engine version 1.1.3 in didstributed mode. The NAC agent is installed on the end user PC joined to the domain. when a user with a roaming profile logs into the PC, the NAC agent fails to run posture assesment, but if a user with non-roaming profile logs in, the NAC agent does posture and full network access is granted.
  Is there something i need to do to enable the NAC agent to perform posture for users with a roaming profile.
  Regards,
  Henry

  Hello,
  I found the following from the cicso doc. Hope it helps!
  The following failure  scenarios might cause the Cisco NAC Agent to appear following successful  user authentication when the client machine roams between CASs in Layer  3 (both In-Band and Out-of-Band) and Layer 2 /Layer 3 Out-of-Band  environments. Erroneous Agent login dialogs could also appear if users  roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC  network:
  –ARP poisoning
  –Temporary loss of network connection between the client machine and the CAS
  –Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
  Cisco offers the following recommendations to prevent this situation:
  –Ensure  all trusted networks (post-authentication) can reach the CAS untrusted  interface IP address through the CAS trusted interface only
  –Block  discovery packets from all non-NAC networks to the CAS untrusted  interface IP address (discovery packets that arrive on the trusted  interface of the CAS are blocked by default)
  For more information please refer to the following link:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html

• Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

  Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
  -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
  -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
  -No certificates are used.
  -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
  -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
  -For now I'm testing it on wired endpoints.
  Is there a way to configure ISE to fulfill the listed above requirements?
  Any ideas would be appreciated.
  Thanks,
  Val Rodionov

  Everyone who finds reads this article,
  I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
  The answer is Yes.
  After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
  ISE configuration:
  Posture General Settings - Default Posture Status = NonCompliant
  Client Provisioning Policy - no rules defined
  Posture Policy - configured per requirements
  Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
  Authorization Policies configured as regular posture policies
  The result:
  After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
  If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
  The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
  Best,
  Val Rodionov

• NAC Agent takes long time to run

  Cisco NAC agent takes long time to popup or run on Windows 7 machine.
  The client machine is windows 7, running nac agent 4.9.0.42, against ISE 1.1.1
  Any ideas how to reduce NAC Agent timing?

  Hi Tariq,
  I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disabled the l3 swiss delay and reduced the httpa discovery timer from 30 to 05 sec but still clients get aprox 2.30 minutes to popup and finished the posture discovery.
  Can you please advise if this is the minimum time or what is the minimum time and what are the parameters to set to a minimum time to complete agent popup and posture discovery..?
  Is there any option that we can run this on backgroup..?
  thanks in advance..

• Run NAC agent before user login - Win7?

  Greetings all and thx in advance for any advice! Environment details - ISE 1.2. Patch 5 and cisco NAC agent 4.9.3.
  I have all of the authen/authz policies working and functioning properly, however, I have run into an issue with the NAC agent running posture only after user login.  This is causing some grief, mainly that users required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied.  I was hoping that posture would complete long before windows login was even an option for the user but for some reason I appear to require an interactive login to get the NAC agent to run posturing.  Any thoughts or ideas on this?  I tried the NAC agent installation with a couple of different user accounts on the windows hosts but without success, it will only posture once I have interactive login.  I went pretty deep on the removal of the posture conditions to simply checking a single windows service but it didn't make any difference.  Thanks for any advice!!
  IA

  Thanks for the reply Saurav, I should have clarified a design point.  I am not doing any user authentication, only doing a machine authen.  As I mentioned I can't seem to posture pre-user authentication even though I am not doing any user authentication.
  IA

• NAC Agent scan running application

  Dear colleagues,
  My customer is being on ISE PoC. They want to test the Posture feature for running application.
  I would like to ask: what is the scan interval of NAC agent. If I want to use NAC Agent to scan an illegal application on PC, but at first, when logging in, the application is not running. After NAC agent notify that the client is compliant, user start that application. So the question is, can NAC Agent detect that?
  Please kindly share your experience on it. Thank you for your support.
  Kind regards,
  Hiep

  Hiep,
  The feature you are asking for is passive reassessment and is done on intervals configured by the administrator.
  www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1482451
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• I have two wireless networks that I switch back and forth.  Everytime I switch the network zone my macbook pro hangs and I have to do a hard shutdown and restart.  What is the fix?

  I have two wireless networks that I switch back and forth.  Everytime I switch the network zone my macbook pro hangs and I have to do a hard shutdown and restart.  What is the fix?

  Create two locations in Network, one for one and one for the other.
  WiFi, Internet problems, possible solutions
  WiFi security issues, at home and WiFi hotspots

• NAC Agent only prompts for username and login on wireless

  Another question for the smart people of the world.
  I have had a couple laptops where the cisco NAC agent will prompt for a password and verify the computer via the wirless network but when I try to do that on the wired network, it sends me to the download page for the NAC agent. It doesnt seem to register that the NAC agent is installed and working even though it is.
  Any thoughts?
  Thanks

  Hi Jonathan,
  The NAC agent communicates with the CAS usiing the SWISS protocol. This protocol uses port 8095 for L2 adjacent devices to the CAS and 8096 protocol for L3 adjacent devices to the CAS.  Have you checked if these ports are allowed through to the CAS for the wired clients?  Do check the support logs on the CAM and CAS suggest something. If you can post the agent logs from the wired clients I could analize and let you know where the process is failing.
  Do let me know if this helps.
  Regards,
  Som

• NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

  Agent Fails to Initiate Posture Assessment
  The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
  The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
  The redirected URL is working fine (SEE Evidence)
  We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
  The operations status remains with postering status pending forever and nothing else happens.
  Symptoms or Issue
  The agent login dialog box does not appear to the user following client provisioning.
  Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
  authentication session.
  Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
  Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
  CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
  Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
  • Ensure that the Cisco IOS release on the switch is equal to or more recent than
  Cisco IOS Release 12.2.(53)SE. - OK
  • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
  agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
  choose Properties, and check the discovery host.) - OK (See evidence)
  • Ensure that the access switch allows Swiss communication between Cisco ISE
  and the end client machine. Limited access ACL applied for the session should
  allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
  • If the agent login dialog still does not appear, it could be a certificate issue.
  Ensure that the certificate that is used for Swiss communication on the end client
  is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
  • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

  Hi.
  Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
  regards
  Zubair

• NAC Agent and NSP provisioning with ISE 1.1.1

  I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
  I am currently using the default guest portal in ISE.
  The environment has been setup using a Dual SSID design.
  At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
  The problem is the portal never attempts to install the NAC Agent.
  The client provisioning policy has a separate policies for wireless/wired as well as OS. Each policy applies both a NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
  Any ideas?

  Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.
  With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.
  Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.
  Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
  Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
  Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal
  Hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• ISe with NAC agent pop up and Posture waiting

  Hi,
  I have ISE running ver 1.1.1.268. We limited access certain services before authuenticate with ACL-DEFAULT(given below) as per the Trustsec desgin guide.
  Now the issue is that when you have ACL-DEFAULT on the port NAC agent doest not pop-up and doest not start the posture part and saying waiting for Posture validation. When the ACL-DEFAULT removed from the access port NAC agent popup and do the posture validation.
  However we do not want user to get access to network before the authorization and that is the reason we use the ACL-DEFAULT.
  Please can someone advise me how to achieve the above both task. Why the NAC agent does not popup and do the posture when ACL-DEFAULT there in the switch.
  Here is what I have configured on ACL-DEFAULT.
  ip access-list extended ACL-DEFAULT
  remark DHCP
  permit udp any eq bootpc any eq bootps
  remark DNS
  permit udp any any eq domain
  permit tcp any any eq domain
  permit udp any any eq 389
  permit tcp any any eq 135
  permit tcp any any eq 445
  permit udp any any eq 445
  permit tcp any any range 135 139
  permit tcp any any eq 389
  permit tcp any any eq 3268
  permit icmp any any
  remark PXE / TFTP
  permit udp any any eq tftp
  permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
  permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
  remark Drop all the rest
  deny   ip any any log
  Appreciate if someone can give a solid resolution and explanation to this.

  Hi Saurav,
  We have already allowed those ports with another acl (ACL-POSTURE-REDIRECT). Our issue is not with the web nac agent.
  The issue is with NAC agent installed on corperate PCs connecting via wired port. With the ACL-DEFAULT it does not pop-up and does not do the posturing, however once we removed the ACL-DEFAULT from the access port, everything works fine.
  Since we do not want any user to access unwanted services before authorization we add this ACL on the access-port and as per the trustsec desgin this has to be there if you want to have ISE with closed mode.
  thanks

• NAC Agent does not pop up after psn fails.

  So I'm in the middle of a deployment where I have 4 ISE appliances, two in one location and two in another location.
  The first location has 2 with all personas installed, whereas the other two are only PSN. In each area, NAC agent pops up normally after connecting/swapping to wired or wireless networks. During HA tests I have encountered that when the two ISE from the remote area fail (shutdown switch port for testing of course) the client does get authenticated but it stays in the POSTURE_REQ state on wireless and the Agent fails to pop up.
  - I have tried forcing the servers on the profile on ISE (provisioning) and I can see how it is somehow updated on the xml configuration file in the remote endpoint but still the nac agent wont pop up.
  - Increased timeout timers also, no luck.
  - Reinstalled NAC agent manually and by ise auto provisioning, no luck.
  - Ran a wireshark capture and saw requests sent to the default GW with the positron thing but never get an answer, but then I try connecting to the ISE manually https://(ADMIN_NODE_FAR_FROM_ENDPOINT)/guestportal/gateway?sessionId=(gibberish)&action=cpp and it works, so it is reachable from the endpoint
  I believe there is some kind of sync problem, my ISE are in UTC time and NADs have local timezone, but then why does it work locally??
  Any thoughts on this?
  Thank you for all your kind help

  You have done a reset. What does that mean? Did you reset all settings?
  Settings>General>Reset>Reset all Settings. You will have to enter all device settings again.