NAC Agent scan running application

Similar Messages

• Run NAC agent before user login - Win7?

  Greetings all and thx in advance for any advice! Environment details - ISE 1.2. Patch 5 and cisco NAC agent 4.9.3.
  I have all of the authen/authz policies working and functioning properly, however, I have run into an issue with the NAC agent running posture only after user login.  This is causing some grief, mainly that users required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied.  I was hoping that posture would complete long before windows login was even an option for the user but for some reason I appear to require an interactive login to get the NAC agent to run posturing.  Any thoughts or ideas on this?  I tried the NAC agent installation with a couple of different user accounts on the windows hosts but without success, it will only posture once I have interactive login.  I went pretty deep on the removal of the posture conditions to simply checking a single windows service but it didn't make any difference.  Thanks for any advice!!
  IA

  Thanks for the reply Saurav, I should have clarified a design point.  I am not doing any user authentication, only doing a machine authen.  As I mentioned I can't seem to posture pre-user authentication even though I am not doing any user authentication.
  IA

• NAC agent on Wireless runs everytime we switch controllers

        Hello all, we are seeing an issue in our enviroment and wanted inquire about it. We have a Cisco wireless infrastructure in place here - 2 5508 controllers and approx 200 3502 AP's. We have the AP's split evenly between the 2 controllers. We backend this system with an in-band NAC Applaince Clean Access Server for poster assesment. What we are noticing is that when a user "roams" from one AP to another, and if the AP's are connected to 2 seperate controllers, the NAC agent will run again. The Logs in the CAM support this, as we see the user being logged out and then logged back in. We have the 2 controllers configured in a mobility group that should allow roaming. So would this be expected behavior? Does the controller still send the RADIUS Accounting Stop packets to the CAS when it hands off a wireless session to another controller even if they are in a mobility group?  Any help or thoughts would be appreciated.
  Thanks,
  Jeff      

  Jeff,
  Since you are using dot1x I found the following note in the mobility configuration guide:
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_mobility.html
  All  clients configured with 802.1X/Wi-Fi Protected Access (WPA) security  complete a full authentication in order to comply with the IEEE  standard.
  From your radius server do you see a second authentication attempt come in from the second controller? If so then most likely this is due to the radius accounting stop and start messages during the roaming.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE and NAC Agent

  Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) enviroments. We are looking at migrating over to ISE for our wireless enviroment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC enviroment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this enviroment, we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically, is NOT listed in the NAC compatiblity matrix. So what version of NAC agent should we run in a mixed enviroment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

  Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC applainces, we would still run that agent. Does that agent tun against ISE, and if not, what is Cisco's recommendation to bring ISE into the enviroment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE as our laptops will be wireless and wired at different times. Which Agent would be recommended?

• Cisco ISE NAC Agent RDP session

  Is there a way to get the NAC Agent to run when a user logs on a Windows machine in a RDP session?

  You have to go and check the dACL that is part of authorization profile, you will find that it is blocking your RDP access as when you do a remote desktop your authentication token is host/machine-name.domain. Now, the easiest FIX to permit RDP traffic is to modify the dACL but this won't solve your problem. Why? Because now your dACL will allow you do a remote desktop now BUT it will block rest of your communication.
  So either you permit all as soon as your machine is authenticated or you will continue to face this issue.

• Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

  Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
  -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
  -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
  -No certificates are used.
  -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
  -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
  -For now I'm testing it on wired endpoints.
  Is there a way to configure ISE to fulfill the listed above requirements?
  Any ideas would be appreciated.
  Thanks,
  Val Rodionov

  Everyone who finds reads this article,
  I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
  The answer is Yes.
  After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
  ISE configuration:
  Posture General Settings - Default Posture Status = NonCompliant
  Client Provisioning Policy - no rules defined
  Posture Policy - configured per requirements
  Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
  Authorization Policies configured as regular posture policies
  The result:
  After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
  If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
  The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
  Best,
  Val Rodionov

• NAC Agent takes long time to run

  Cisco NAC agent takes long time to popup or run on Windows 7 machine.
  The client machine is windows 7, running nac agent 4.9.0.42, against ISE 1.1.1
  Any ideas how to reduce NAC Agent timing?

  Hi Tariq,
  I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disabled the l3 swiss delay and reduced the httpa discovery timer from 30 to 05 sec but still clients get aprox 2.30 minutes to popup and finished the posture discovery.
  Can you please advise if this is the minimum time or what is the minimum time and what are the parameters to set to a minimum time to complete agent popup and posture discovery..?
  Is there any option that we can run this on backgroup..?
  thanks in advance..

• Cisco NAC agent services not running on Windows XP

  Hi,
  I've problem with Cisco NAC agent services on Windows XP professional SP3.
  After first installation using user local administrator, the services of Cisco NAC agent on windows machine running well, but after logout, and login using another user which is registered in domain users, the services of Cisco NAC agent is going to stopped (going to Manual mode not automatic, and the status is stopped).
  This situation is not happened on all windows machines, several machines running well.
  Cisco NAC agent version 4.9.0.42
  Has anyone seen this type of problem?
  Below i attached windows machine information from ones running well and not running, Thanks
  Regards,
  Rian

  Hi thanks for your answers, dbconsole is started in services.msc and also Agent, but goes on to say that the agent is not running.
  In sysman log shows this,
  "03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
  oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
  at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
  at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
  at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
  at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
  at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
  at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
  at
  at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
  at java.lang.Thread.run (Thread.java: 595)
  20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
  In event viewer shows this,
  "Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
  I am using the Administrator account

• NAC Agent on MAC OSX 10.9

  Hi,
  I found on our setup, NAC Agent for MAC does not run properly on MAC OSX 10.9, even the latest MAC Nac Agent (version 4.9.0.1007)
  It does not scan, does not pop up, and the endpoint's posture status is always stucked on pending state.
  Does any one experience the same?
  When will Cisco support it.
  Best Regards,
  Tomi

  NAC Agent 4.9.0.1013 was posted to CCO yesterday and has support for Mac OS 10.9.
  NAC & ISE supports for latest OSes - Windows 8.1 and MAC OSX 10.9
  NAC:
  NAC Server patch for NAC 4.9.3 release is published on CCO. Refresh NAC and Web Agents are posted on Perfigo  and CCO sites.
  Customer may please be advised to apply Server patch, refresh Agents and  update to latest Compliance Module and Support Charts v3.6.7873.2.
  ISE:
  ISE 1.2 Patch 3 is published on CCO and Refresh Agents are posted onto provisioning-update feed file on perfigo server.
  Customer may please be advised to apply Server patch, provision refresh Agents and to do a posture-update get latest Compliance Module and Support Charts v3.6.7873.2.
  Please refer respective release notes for open caveats.
  Please rate helpful posts and mark as answered if this fixes your issue.
  Charles Moreton

• CSA agent and NAC agent together

  Hi, do you have experience of CSA agent and NAC agent together on the same pc ?
  Does one include the other ?
  Which one have I to test first ?
  thank you in advance
  greatings
  RS

  Cisco Trust Agent collects security posture information from the NAC-compliant applications running on the network client and reports them to the Cisco Secure Access Control Server (ACS). These are some NAC-compliant applications:
  - Antivirus applications
  - Personal firewalls
  - Host-based intrusion protection applications, such as Cisco Security Agent (CSA)
  Cisco NAC is a strategic element of the Self-Defending Network. Working together with other Self-Defending Network components such as Cisco Security Agent and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS), Cisco NAC helps organizations achieve more accurate threat identification and prevention while increasing patch management efficiency.

• NAC Agent cannot "see" virus defs (Symantec Endpoint version 12) (PIC included)

  Can anyone help?  This prevents the PC from passing posture assement and places it in a "temporary role".  I know how to disable the scan, but we would like it to work correctly.
  Same results on several PCs, Windows Xp SP2 or SP3, Windows 7 (32 or 64-bit).  See screenshot.
  Thanks,
  -=Mike G.
  Michael A. Gloomis
  Sr. Infrastructure Engineer
  NAITS - DENSO International America
  Desk: (248) 372-8158
  Fax: (248) 213-2469

  Hey Federic... thanks for messaging.
  We are running the 4.7.4.2 NAC Agent, however I cannot find any info on the "compliance module".  ???
  -=Mike G.

• NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

  Agent Fails to Initiate Posture Assessment
  The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
  The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
  The redirected URL is working fine (SEE Evidence)
  We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
  The operations status remains with postering status pending forever and nothing else happens.
  Symptoms or Issue
  The agent login dialog box does not appear to the user following client provisioning.
  Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
  authentication session.
  Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
  Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
  CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
  Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
  • Ensure that the Cisco IOS release on the switch is equal to or more recent than
  Cisco IOS Release 12.2.(53)SE. - OK
  • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
  agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
  choose Properties, and check the discovery host.) - OK (See evidence)
  • Ensure that the access switch allows Swiss communication between Cisco ISE
  and the end client machine. Limited access ACL applied for the session should
  allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
  • If the agent login dialog still does not appear, it could be a certificate issue.
  Ensure that the certificate that is used for Swiss communication on the end client
  is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
  • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

  Hi.
  Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
  regards
  Zubair

• Content repository FD does not exist :user agent sap web application server

  Hi All
  i am using 3rd party software(dms SERVER) and connecting it using archive link interface SAP HTTP 4.5 AL
  i have created a new repository with name FD using tcode OAC0.when i give inputs in OACO and click on test connection it gives me information Content repository FD does not exist
  here is my HTTP trace at receiver content server side
  TRACE:(5) - GET /Default.aspx?serverInfo&pVersion=0045&contRep=FD HTTP/1.0
  TRACE:(5) - user-agent: SAP Web Application Server (1.0;700)
  TRACE:(5) - host: SERVERIP:PORT
  TRACE:(5) - accept-encoding: gzip
  TRACE:(5) -
  --> C05 --> S06 ==== (15.583) Request <GET /Default.aspx?serverInfo&pVersion=0045&contRep=FD HTTP/1.0>
  --> C05 --> S06 GET /Default.aspx?serverInfo&pVersion=0045&contRep=FD HTTP/1.0
  --> C05 --> S06 user-agent: SAP Web Application Server (1.0;700)
  --> C05 --> S06 host: SERVERIP:PORT
  --> C05 --> S06 accept-encoding: gzip
  --> C05 --> S06 ==== Body 0 bytes
  --> C05 --> S06 Body =>
  Sockets 6 of 4,5,6 need checking ####
  TRACE:(6) - HTTP/1.1 200 OK
  TRACE:(6) - Cache-Control: private
  TRACE:(6) - Content-Length: 189
  TRACE:(6) - Content-Type: text/plain; charset=utf-8
  TRACE:(6) - Server: Microsoft-IIS/7.5
  TRACE:(6) - X-AspNet-Version: 2.0.50727
  TRACE:(6) - boundary:
  TRACE:(6) - X-dateC: 2010-10-22
  TRACE:(6) - X-timeC: 07:07:23
  TRACE:(6) - X-dateM: 2010-10-22
  TRACE:(6) - X-timeM: 07:07:23
  TRACE:(6) - X-contentRep: FD
  TRACE:(6) - X-numberComps: 1
  TRACE:(6) - X-docId: 0
  TRACE:(6) - X-docStatus: online
  TRACE:(6) - X-pVersion: 0045
  TRACE:(6) - X-ContentServer: contentServer=Server ip;contentServerPort='9025;pVersion='0045';id='DMSSRV1'
  TRACE:(6) - X-Powered-By: ASP.NET
  TRACE:(6) - Date: Fri, 22 Oct 2010 13:37:23 GMT
  TRACE:(6) - Connection: close
  TRACE:(6) -
  TRACE:(6) - serverType='DMSSRV1';1;serverVersion=12;serverPatch=0;serverBuild=180;pVersion='0045';serverStatus=running;serverStatusDescription=;serverDate='2010-10-22';serverTime='07:07:23';startUpDate='2010-10-22';startUpTime='07:07:23';lastAccessDate='2010-10-22';lastAccessTime='07:07:23';contRep='FD';contRepStatus=defined;contRepStatusDescription=;contRepDescription=Content-Repository Test;contentStorageHost=localhost;contentStorageName=FD;secKeyVerification=y;defaultDocProt=rucd;
  one change which i have observed in this trace is .. this trace is showing trace agent as SAP Web application server ... ideally it should show user agent :SAP HTTP
  Please suggest me some solution.
  Thanks
  sandeep

  Dear all,
  my issue is resolved.I solved my issue myself
  solution: SAP sends HTTP request in the form of URL like
  http://serverip:port/GET /Default.aspx?serverInfo&pVersion=0045&contRep=FD HTTP/1.0
  Now your response should contain string  contRep="FD"
  dont forget double quotes on repository name coz SAP program matches string with double quotes. if you will return value like this contRep=FD
  this will through error.
  Thanks
  sandeep sharma

• Scan to Application will not stop and cannot close

  I recently scanned a phot to my mac and then imported to iphoto .
  I scanned using a HP deskjet 3050.
  The scan to application appears to still be running in the background as a moving cog appears in the top right hand menu bar next to network preferences, sync and time machine icons. When I right click on the cog it brings up stop scan to application but this has no effect.
  Any ideas on how to quit.
  Tiny Biny

  Try rebooting the iPad by pressing and holding the on/off and home buttons simultaneously until the screen goes blank and you see the apple logo. It should take about 10-15 seconds to reboot.

• NAC Agent and NSP provisioning with ISE 1.1.1

  I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
  I am currently using the default guest portal in ISE.
  The environment has been setup using a Dual SSID design.
  At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
  The problem is the portal never attempts to install the NAC Agent.
  The client provisioning policy has a separate policies for wireless/wired as well as OS. Each policy applies both a NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
  Any ideas?

  Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.
  With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.
  Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.
  Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
  Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
  Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal
  Hope that helps,
  Tarik Admani
  *Please rate helpful posts*