NAC Agent Problem

Hi,
Recently I have been facing a problem with the NAC agent: it does not check for updates when the user logs in, and a message appears (please check the attachments).
Please help me!

Recently, when the user logs off and logs on, the NAC agent proceeds to check again and again. This problem strains the user, who faces this check every time, and wastes time.
As far as I know, the NAC agent proceeds with the check if the user reboots the machine, but for login and logoff?
Is there any solution to prevent this issue?

Similar Messages

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
    My Cisco NAC Agent (version 4.9.1.682) doesn't work since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released? It's getting really frustrating.

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • NAC AGENT - DISCOVERY HOST IP ADDRESS with AD

    Hi,
    We have deployed a Cisco NAC Agent in our network with GPO update... The deployment model is L3 OOB / Real IP Gateway.
    The issue is that, we need to put the IP address in each host manually to start communicating with Cisco NAC Manager.
    Is there any way to make it automatic?
    Regards,
    Mubasher

    Hi Mubashir,
    I faced the same problem with Cisco ISE, and Tiago's response actually helped; see below.
    " You can also distribute the NACAgentCFG.xml file with that value set.
    Please find here detailed info regarding this file:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
    In that link, read the section: Agent Customization Settings
    From a NAC agent that has successfully been deployed with the IP configured, go to the NAC agent installation folder
    C:\Program Files (x86)\Cisco\Cisco NAC Agent, copy the NACAgentCFG.xml, open it with WordPad and edit the line
    IP of PDP node or ISE standalone server
    Then place the edited NACAgent.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed, it automatically picks the configs from the .xml file.
    Regards,
    Henry

  • NAC Agent and NSP provisioning with ISE 1.1.1

    I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
    I am currently using the default guest portal in ISE.
    The environment has been setup using a Dual SSID design.
    At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
    The problem is the portal never attempts to install the NAC Agent.
    The client provisioning policy has separate policies for wireless/wired as well as OS. Each policy applies both an NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
    Any ideas?

    Just so I understand this correctly, you are using both a client provisioning portal and a native supplicant provisioning portal tied into separate authz policies.
    With that out of the way, are you checking to see if the client is compliant in the client provisioning portal policy?
    Let me know if you have the following configured (example Windows OS); this is assuming that the endpoint is statically assigned to RegisteredDevices after native supplicant provisioning.
    Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
    Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
    Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication method using mschapv2) RESULT windows provisioning portal
    Hope that helps,
    Tarik Admani
    *Please rate helpful posts*

  • ISE and NAC Agent

    Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) environments. We are looking at migrating over to ISE for our wireless environment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC environment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this environment; we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically, is NOT listed in the NAC compatibility matrix. So what version of NAC agent should we run in a mixed environment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

    Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC appliances, we would still run that agent. Does that agent run against ISE, and if not, what is Cisco's recommendation to bring ISE into the environment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE as our laptops will be wireless and wired at different times. Which Agent would be recommended?

  • NAC agent don't popup on some computer

    Hi
    I use
    ISE version : 1.1.1.2 and NAC agent version : 4.9.0.42
    NAC agent does not run on some computers and runs on others (Windows 7).
    What can be the problem?
    Please help
    Regards

    Please look into this; it might help you.
    Agent Login Dialog Not Appearing
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions
    This issue can generally take place during the posture assessment phase of any user authentication session.
    Possible Causes
    There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
    Resolution
    • Ensure that the agent is running on the client machine.
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports:
        remark Allow DHCP
        permit udp any eq bootpc any eq bootps
        remark Allow DNS
        permit udp any any eq domain
        remark ping
        permit icmp any any
        permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
        permit tcp any host 80.0.80.2 eq www --> Provides access to internet
        permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
        permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
        permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
        deny ip any any
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
    • Ensure that the default gateway is reachable from the client machine.
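
One way to check a limited-access ACL against the flows listed in the reply above (an added example, not part of the original post or of Cisco's tooling). The function names and the DNS server address 192.0.2.53 are assumptions of this example; the parser handles only the `any`, `host` and `eq` forms that appear in the page's ACL, and 80.0.80.2 is the ISE address used there.

```python
NAMED_PORTS = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80}  # IOS port keywords

# ACL as given in the troubleshooting text above (wrapped annotations rejoined)
PAGE_ACL = """
remark Allow DHCP
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit icmp any any
permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
permit tcp any host 80.0.80.2 eq www
permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
permit tcp any host 80.0.80.2 eq 8905
permit udp any host 80.0.80.2 eq 8905
deny ip any any
"""
# Constructed failure case: a deny placed first shadows every permit below it
SHADOWED_ACL = "deny ip any any\n" + PAGE_ACL

def _endpoint(tok):
    """Consume 'any' | 'host A.B.C.D' plus an optional 'eq <port>'; None means any."""
    word = tok.pop(0)
    if word not in ("any", "host"):
        raise ValueError("unsupported address form: " + word)
    addr = tok.pop(0) if word == "host" else None
    port = None
    if tok[:1] == ["eq"]:
        port = NAMED_PORTS.get(tok[1]) or int(tok[1])
        del tok[:2]
    return addr, port

def parse_acl(text):
    """Return ACEs as (action, proto, (src, sport), (dst, dport)); remarks are skipped."""
    aces = []
    for line in text.splitlines():
        tok = line.split("-->")[0].split()   # drop the doc-style annotations
        if tok[:1] in (["permit"], ["deny"]):
            aces.append((tok.pop(0), tok.pop(0), _endpoint(tok), _endpoint(tok)))
    return aces

def verdict(aces, proto, dst, dport, sport=None, src=None):
    """First-match evaluation, as a switch applies an extended ACL."""
    for action, a_proto, (a_src, a_sport), (a_dst, a_dport) in aces:
        if (a_proto in ("ip", proto) and a_src in (None, src) and a_dst in (None, dst)
                and a_sport in (None, sport) and a_dport in (None, dport)):
            return action
    return "deny"   # implicit deny at the end of every ACL

def missing_flows(acl_text, ise):
    """Flows from the checklist above that the ACL does not permit."""
    need = {"dhcp": ("udp", "255.255.255.255", 67, 68), "dns": ("udp", "192.0.2.53", 53),
            "guest-portal": ("tcp", ise, 8443), "swiss-tcp": ("tcp", ise, 8905),
            "swiss-udp": ("udp", ise, 8905)}   # 192.0.2.53 is a placeholder DNS server
    aces = parse_acl(acl_text)
    return [name for name, flow in need.items() if verdict(aces, *flow) != "permit"]
```

`missing_flows(PAGE_ACL, "80.0.80.2")` returns an empty list, while `missing_flows(SHADOWED_ACL, "80.0.80.2")` returns all five flow names because first-match evaluation stops at the leading deny.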

  • NAC Agent does not pop up after psn fails.

    So I'm in the middle of a deployment where I have 4 ISE appliances, two in one location and two in another location.
    The first location has 2 with all personas installed, whereas the other two are only PSN. In each area, NAC agent pops up normally after connecting/swapping to wired or wireless networks. During HA tests I have encountered that when the two ISE from the remote area fail (shutdown switch port for testing of course) the client does get authenticated but it stays in the POSTURE_REQ state on wireless and the Agent fails to pop up.
    - I have tried forcing the servers on the profile on ISE (provisioning) and I can see how it is somehow updated on the xml configuration file in the remote endpoint, but still the NAC agent won't pop up.
    - Increased timeout timers also, no luck.
    - Reinstalled NAC agent manually and by ise auto provisioning, no luck.
    - Ran a wireshark capture and saw requests sent to the default GW with the positron thing but never get an answer, but then I try connecting to the ISE manually https://(ADMIN_NODE_FAR_FROM_ENDPOINT)/guestportal/gateway?sessionId=(gibberish)&action=cpp and it works, so it is reachable from the endpoint
    I believe there is some kind of sync problem, my ISE are in UTC time and NADs have local timezone, but then why does it work locally??
    Any thoughts on this?
    Thank you for all your kind help

    You have done a reset. What does that mean? Did you reset all settings?
    Settings>General>Reset>Reset all Settings. You will have to enter all device settings again.

  • NAC Agent - Loop in Remediation WSUS

    Hello,
    I'm implementing WSUS Posture in my ISE environment.
    When the NAC Agent detects a new Windows Update, the Remediation Action is Automatic. I configured Show UI for the Wizard Interface and this is working well.
    But after the Windows Update installation, the NAC Agent stays in the Remediation Process. Looking at the WindowsUpdate.log file, I see repetitive messages like:
    Updates Found = 0 OR Found 0 Updates and X categories in search.
    If I use Windows Update from Windows to search for and install the updates, it works very well too.
    The attached image illustrates my problem (at this point, the Windows Update installation was done):

    Updating..
    Approximately after 30 minutes, NAC Agent finished the process of Remediation. (Only 1 Windows Update package)
    Apparently the station sends many reports to WSUS and, while it does, the NAC Agent continues the Remediation process, even after installing the update.
    I'm sure there are ways to optimize it, but if anyone has any tips I'd appreciate it.
    Best Regards,
    Daniel Stefani

  • Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

    We have this problem with one of our clients:
    "Cisco NAC Agent is having a difficulty with the server. Agent user operation system
    is not supported".
    Anyone encounter this problem ?
    thanks.

    Hi Tarik,
    We have:
    Cisco Clean Access Server   Version 4.9.0
    Cisco Clean Access Lite Manager   Version 4.9.0
    I can see your point now, that I should start by upgrading to 4.9.1.
    Let me do that, and see if it helps.
    Thanks very much, I will keep you posted.

  • NAC Agent 4.5.2 and hosts files

    Hi
    since the PC are managed by NAC, some users met problems with the "host" file (file empty).
    Does the NAC agent have any influence on this mechanism?
    Is it possible to reload this file?
    Thanks for your help

    Murielle,
    NAC wouldn't do anything to the hosts file on your client machines. There's something else at play here.
    HTH,
    Faisal

  • Nac Agent do not execute remediation

    Hi to all,
    In a lab environment I have configured a CAM/CAS solution on a 3310 server and I have installed 2 PCs (one Windows Vista and one XP) with NAC client version 4.6.2.133.
    My problem is auto-remediation and manual remediation: the client gets temporary access but does not start the live update program (I use Symantec Endpoint Protection 11).
    I have admin rights on both PCs.
    How can I solve the problem?
    Thanks for help

    There is not automatic remediation for all products. You must launch the endpoint protection, click live-update, then re-scan on the NAC agent and you will pass.
    Quote from Cisco Doc (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html):
    "•Not all product versions of a particular vendor may support the Clean Access Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product."
    If you have verified that your requirement-rule is specifically for Symantec Endpoint Protection 11, and the rule has automatic remediation configured, then it may fall into this scenario. You may also have it configured where the endpoint protection is not accessible to the end-user and requires admin rights to launch. Please put the client in debug and send the results to TAC for analysis, as it would be the best bet for you to get a clear answer.
    Hope that helps, rate if it does.
    Cheers,
    Tim

  • NAC OOB problem - moving users between ports

    Hi,
    I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it remains stuck in the auth VLAN. It seems that NAC doesn't detect the new port correctly.
    This is what I did to replicate the issue, in detail:
    1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to auth VLAN and authentication and posture assessment are performed.
    2) The computer passes both, and the port is changed back to the designated Access VLAN. OOB user appears in the Online Users list, and the computer is added to the Discovered (Wired) Clients list. All the detailed information on both pages is correct.
    3) The computer is disconnected. OOB user is removed from the Online Users list, but the computer remains in the Discovered Clients list.
    4) The computer is connected to port 'b' on switch 'B' (B[b]). It is automatically changed to auth VLAN and authentication and posture assessment passes successfully one more time. However, the information in the Discovered Clients list is not updated and, moreover, OOB user appears once again in the Online Users list - but the specified location is port A[a]!
    The end result is that the computer remains stuck in the Auth VLAN and the NAC Agent Authentication dialogue keeps popping up.
    I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all user and client information, and the result was pretty much the same...
    Thanks,
    Boris

    Faisal,
    The configuration includes the following lines (on both switches I used for access):
      snmp-server community *** RW
      snmp-server community *** RO
      snmp-server trap-source Vlan2 (management subnet)
      snmp-server location 10.0.0.101 (NAM IP address)
      snmp-server enable traps snmp linkdown linkup
      snmp-server enable traps mac-notification change move threshold
      snmp-server host 10.0.0.101 version 2c cisco  mac-notification snmp
    Also, NAC added the following line on monitored interfaces:
      snmp trap mac-notification change added
    Is this all that is required to send MAC-change and MAC-move traps?
    I captured SNMP traps with a 'tcpdump' on the NAM and I can confirm it receives traps from both switches, with correct source IP addresses. I will try to look into a "raw" dump to see the exact traps it received...
    Regards,
    Boris

  • Cisco ISE NAC Agent RDP session

    Is there a way to get the NAC Agent to run when a user logs on a Windows machine in a RDP session?

    You have to go and check the dACL that is part of the authorization profile; you will find that it is blocking your RDP access, as when you do a remote desktop your authentication token is host/machine-name.domain. Now, the easiest FIX to permit RDP traffic is to modify the dACL, but this won't solve your problem. Why? Because now your dACL will allow you to do a remote desktop BUT it will block the rest of your communication.
    So either you permit all as soon as your machine is authenticated or you will continue to face this issue.

  • NAC AGENT WEB Your Login session Failed { status = 5 }

    Hi,
    I have a problem with NAC agent web. Has anyone seen this error before?
    Your Login session Failed  { status = 5 }
    I tested all of the following, and all are OK:
    • Test using another browser, Firefox for example
    • Test using another operating system
    • Check if there are any restrictions between the user VLAN and NAC VLANs
    Thanks

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • NAC Agent issues

    Hi guys,
    We are encountering several problems with regards to the NAC Agent. We are deploying AD SSO and for some reason, on the same switch other hosts are performing SSO correctly and others are being prompted for a user name and password by the NAC agent even though the hosts are all logging in the same domain. Do you guys have any idea on how to go about this problem?

    Hi Guys,
    I have deployed  NAC as  OOB REAL IP gateway mode and it is working fine over LAN.
    Once I enabled the L3 functionality to connect remote site after that local user is being certified through WEB LOGIN.
    But NAC pop up is not reflecting to supply the username and password.
    A problem occurred when stopping the NAC agent services: "Agent has been terminated due to unexpected error. please restart your machine."
    Note: no ACL is configured yet.
    I have performed the following tasks to fix it:
    1. Restarted NAC agent services.
    2. Checked proxy settings.
    Could you please help me out to resolve this issue?
    Thanks & Regards,
    Azeem Khan
