NAC Agent Setup

Similar Messages

• ISE 1.2 nac agent provision

  Hi,
  Is there any way to do a nac agent auto provision?
  I know it can be achieve by cwa portal(web redirect) and user have to install nac agent manually. But we would like to see nac agent be installed right afeter user successfully login using 802.1x.

  I dont follow your thought process but this is how i have most of my deployments are setup. 
  CWA < NSP < COA < 802.1x < Posture Status Unknown *In this state either client does or doesnt have nac agent in which ISE will proceed to install it or continue probing to for the NAC agent. 
  Remove CWA < NSP < COA from the picture and you have your exact scenario. What is your work flow look like that it is not "automatic" and define what you mean by "manually"?

• NAC Agent and NSP provisioning with ISE 1.1.1

  I am trying to get all workstations (OSX and Windows) to install both the Native Supplicant Wizard and NAC Agent during the On-boarding process.
  I am currently using the default guest portal in ISE.
  The environment has been setup using a Dual SSID design.
  At the moment, devices can connect to the provisioning SSID and get CWA. Device registration works, the portal runs the NSP setup which correctly sets up the network adapter.
  The problem is the portal never attempts to install the NAC Agent.
  The client provisioning policy has a separate policies for wireless/wired as well as OS. Each policy applies both a NSP and NAC Agent configuration. It appears the guest portal only checks the NSP configuration and not the NAC Agent config.
  Any ideas?

  Just so i understand this correctly you are using both a client provisioning portal and a native supplicant provisoning portal tied into seperate authz policies.
  With that out of the way are you checking to see if the client is compliant in the client provisioning portal policy.
  Let me know if you have the following configured (example windows OS), this is assuming that the endpoint is statically assigned to RegisteredDevices after native suppliant provisioning.
  Rule 0 (endpoint group = RegisteredDevice) AND (AD:Domain user and authentication method:x509 and posturestatus:COMPLIANT) = Permit Access
  Rule 1 (endpoint group = RegisteredDevice) AND (AD:domain user AND authentication method:x509[if you deployed certs in the native supp condition] AND workstation NOT EQUAL:COMPLIANT) RESULT client provisioning portal.
  Rule 2 (endpoint group = Workstation) AND (AD:Domain User AND authentication mehod using mschapv2) RESULT windows provisioning portal
  Hope that helps,
  Tarik Admani
  *Please rate helpful posts*

• NAC Agent on MAC OSX 10.9

  Hi,
  I found on our setup, NAC Agent for MAC does not run properly on MAC OSX 10.9, even the latest MAC Nac Agent (version 4.9.0.1007)
  It does not scan, does not pop up, and the endpoint's posture status is always stucked on pending state.
  Does any one experience the same?
  When will Cisco support it.
  Best Regards,
  Tomi

  NAC Agent 4.9.0.1013 was posted to CCO yesterday and has support for Mac OS 10.9.
  NAC & ISE supports for latest OSes - Windows 8.1 and MAC OSX 10.9
  NAC:
  NAC Server patch for NAC 4.9.3 release is published on CCO. Refresh NAC and Web Agents are posted on Perfigo  and CCO sites.
  Customer may please be advised to apply Server patch, refresh Agents and  update to latest Compliance Module and Support Charts v3.6.7873.2.
  ISE:
  ISE 1.2 Patch 3 is published on CCO and Refresh Agents are posted onto provisioning-update feed file on perfigo server.
  Customer may please be advised to apply Server patch, provision refresh Agents and to do a posture-update get latest Compliance Module and Support Charts v3.6.7873.2.
  Please refer respective release notes for open caveats.
  Please rate helpful posts and mark as answered if this fixes your issue.
  Charles Moreton

• Urgent- Login disabled for NAC Agent

  Hi All,
  Not able to Login NAC Agent after downloading and installing in windows XP machine.
  Please find the  attached Logs collected through cisco log packager.
  Please help us in trouble shooting this issue.
  An early response is apprciable.
  Note:
  Thanks,
  Abuzar

  Hi Abuzar,
  Is this a L2 or L3 setup?
  Is the CAS in VGW or Real-IP mode?
  On the NAC Agent logs I see that the client tries first TCP/8905 discovery to 10.0.0.1 (default GW) and 192.168.1.10 (Discovery Host), then UDP discovery both in L2 to address 10.0.0.1 (on port 8905) and in L3 to the address 192.168.1.10 (on port 906), but none of these discovery methods returned a response from the CAS.
  Make sure that the discovery traffic hits the CAS, and then that the SSL certificate installed on the CAS points correctly to the IP address of the CAS (the service IP if you're in HA mode).
  In L2, the discovery should succeed with the attempt to contact the default gateway, as the CAS is either going to be the default gateway itself (in case of L2/Real-IP) or it's going to intercept this traffic (in L2/VGW).
  If you're in L3 (meaning that you have at least 1 hop between the client machine and the CAS) make sure that L3 support is enabled on the CAS and that the traffic to the discovery host crosses or hits the CAS (the discovery host may be the CAS itself or a host on the trusted side of the network..); in this case you will need to configure policy based routing accordingly.
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• Cisco NAC agent services not running on Windows XP

  Hi,
  I've problem with Cisco NAC agent services on Windows XP professional SP3.
  After first installation using user local administrator, the services of Cisco NAC agent on windows machine running well, but after logout, and login using another user which is registered in domain users, the services of Cisco NAC agent is going to stopped (going to Manual mode not automatic, and the status is stopped).
  This situation is not happened on all windows machines, several machines running well.
  Cisco NAC agent version 4.9.0.42
  Has anyone seen this type of problem?
  Below i attached windows machine information from ones running well and not running, Thanks
  Regards,
  Rian

  Hi thanks for your answers, dbconsole is started in services.msc and also Agent, but goes on to say that the agent is not running.
  In sysman log shows this,
  "03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
  oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
  at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
  at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
  at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
  at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
  at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
  at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
  at
  at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
  at java.lang.Thread.run (Thread.java: 595)
  20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
  In event viewer shows this,
  "Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
  I am using the Administrator account

• NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

  Agent Fails to Initiate Posture Assessment
  The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
  The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
  The redirected URL is working fine (SEE Evidence)
  We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
  The operations status remains with postering status pending forever and nothing else happens.
  Symptoms or Issue
  The agent login dialog box does not appear to the user following client provisioning.
  Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
  authentication session.
  Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
  Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
  CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
  Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
  • Ensure that the Cisco IOS release on the switch is equal to or more recent than
  Cisco IOS Release 12.2.(53)SE. - OK
  • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
  agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
  choose Properties, and check the discovery host.) - OK (See evidence)
  • Ensure that the access switch allows Swiss communication between Cisco ISE
  and the end client machine. Limited access ACL applied for the session should
  allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
  • If the agent login dialog still does not appear, it could be a certificate issue.
  Ensure that the certificate that is used for Swiss communication on the end client
  is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
  • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

  Hi.
  Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
  regards
  Zubair

• Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

  Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
  -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
  -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
  -No certificates are used.
  -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
  -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
  -For now I'm testing it on wired endpoints.
  Is there a way to configure ISE to fulfill the listed above requirements?
  Any ideas would be appreciated.
  Thanks,
  Val Rodionov

  Everyone who finds reads this article,
  I'm answering my own quesiton "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
  The answer is Yes.
  After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
  ISE configuration:
  Posture General Settings - Default Posture Status = NonCompliant
  Client Provisioning Policy - no rules defined
  Posture Policy - configured per requirements
  Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
  Authorization Policies configured as regular posture policies
  The result:
  After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
  If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
  The only part that is not perfect it the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open TAC case, so this file can be manually found and edited from CLI (root access).
  Best,
  Val Rodionov

• Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

  Hi
  My Cisco NAC Agent  (version 4.9.1.682) doesn't work since I upgraded my Mac OS X  4 months ago, This happens every time with CISCO and MAC when there is a new update and it always seems to take forever to fix.
  The NAC agent just keeps asking for my login in details even though there are correct (I can log in with a PC no problem).
  Any update on when a new version is going to be released - Its getting really frustrating?

  I figured out a solution that works you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this :
      Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
      Select Keychain Access -> Preferences from the menu at the top of the screen
      Choose the Certificates tab
      Change the OCSP option from Best Effort to Off
      Close the Preferences dialog and quit Keychain Access
      You should be able to NAC now

• Wilyhost Agent setup finished successfully with limitations - SMD SPS15

  Dear all,
  we have connected different SAP J2EE systems to our Solution Manager Diagnostics without any problems. Now we are trying to connect the corresponding ABAP backend systems to the SMD. The Setup Wizard for these systems are completed with a warning. Everything seems to work fine, but the warning are spurious (we get only the yellow light, not a green one).
  Did anyone has the same "problems" with ABAP managed systems and has anyone a solution for the yellow light ?
  Thanks and best regards
  Patrick
  Error/Warning Message -
  Wilyhost Agent setup finished successfully with limitations. Data of at least one action is not available in Enterprise Manager.
  Created destination RT5|s3p5012_RT5_00
  Created action RT5 - RT5 AbapSystem
  Created action RT5|s3p5012_RT5_00 - RT5|s3p5012_RT5_00 AbapInstance
  Created 2 action(s).
  1 Wilyhost Agent(s) and 0 EP Agent(s) from host s3p2012 are connected to the EM.
  90 seconds after restarting the WilyHostAgent the data of the following action is still missing in EM: RT5
  90 seconds after restarting the WilyHostAgent the data of the following action is still missing in EM: RT5|s3p5012_RT5_00
  Wilyhost Agent setup finished successfully with limitations. Data of at least one action is not available in Enterprise Manager.
  Error/Warning Message -

  Hi to all,
  I have addition information about the Wily HostAgent problem. Here are some other alerts/warnigs from another SAP portal :
  ============================================================================
  Jul 15, 2008 10:34:15 AM [Thread[SAP GC|FB7_J02_server3,5,main]] Error      com.sap.smd.wily.hostagent.action.GcScannerAction - scanInitial(): scan for file /usr/sap/FB7/J02/j2ee/../work/std_server3.outterminated: /usr/sap/FB7/J02/j2ee/../work/std_server3.out (No such file or directory)
  Jul 15, 2008 10:34:15 AM [Thread[SAP GC|FB7_J02_server3,5,main]] Error      com.sap.smd.wily.hostagent.action.GcScannerAction - doRun(): Action temporarily stopped: SAP GC|FB7_J02_server3
  [EXCEPTION]
  com.sap.smd.wily.hostagent.TransientException: java.io.FileNotFoundException: /usr/sap/FB7/J02/j2ee/../work/std_server3.out (No such file or directory)
          at com.sap.smd.wily.hostagent.action.AbstractAction.handleError(AbstractAction.java:259)
          at com.sap.smd.wily.hostagent.action.GcScannerAction.scanInitial(GcScannerAction.java:391)
          at com.sap.smd.wily.hostagent.action.GcScannerAction.doRun(GcScannerAction.java:135)
          at com.sap.smd.wily.hostagent.action.AbstractAction.run(AbstractAction.java:52)
          at com.wily.EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:725)
          at java.lang.Thread.run(Thread.java:534)
  Caused by: java.io.FileNotFoundException: /usr/sap/FB7/J02/j2ee/../work/std_server3.out (No such file or directory)
          at java.io.RandomAccessFile.open(Native Method)
          at java.io.RandomAccessFile.<init>(RandomAccessFile.java:204)
          at com.sap.smd.wily.hostagent.action.GcScannerAction.scanInitial(GcScannerAction.java:372)
          ... 4 more
  Jul 15, 2008 10:35:15 AM [Thread[Thread-364,5,main]] Warning    com.sap.smd.wily.hostagent.action.AbstractAction - run(): Action SAP GC|FB7_J02_server2 not running because status is WAITING_FOR_DESTINATION
  Jul 15, 2008 10:35:15 AM [Thread[Thread-366,5,main]] Warning    com.sap.smd.wily.hostagent.action.AbstractAction - run(): Action SAP GC|FB7_J02_server1 not running because status is WAITING_FOR_DESTINATION
  ============================================================================

• Getting the NAC agent out of the system tray.

  I am installing a NAC solution for a customer and they don't want users to have the NAC agent in the sytem tray. Is there any way to do this because they are pretty adamant about it.

  Hi,
  Currently this isn't possible. If you have an account team, please ping them to get this added to the feature request list.
  HTH,
  Faisal

• NAC Agent takes long time to run

  Cisco NAC agent takes long time to popup or run on Windows 7 machine.
  The client machine is windows 7, running nac agent 4.9.0.42, against ISE 1.1.1
  Any ideas how to reduce NAC Agent timing?

  Hi Tariq,
  I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disabled the l3 swiss delay and reduced the httpa discovery timer from 30 to 05 sec but still clients get aprox 2.30 minutes to popup and finished the posture discovery.
  Can you please advise if this is the minimum time or what is the minimum time and what are the parameters to set to a minimum time to complete agent popup and posture discovery..?
  Is there any option that we can run this on backgroup..?
  thanks in advance..

• NAC AGENT - DISCOVERY HOST IP ADDRESS with AD

  Hi,
  We have deployed a Cisco NAC Agent in our network with GPO update... The deployment model is L3 OOB / Real IP Gateway.
  The issue is that, we need to put the IP address in each host manually to start communicating with Cisco NAC Manager.
  Is there any way to make it automatic?
  Regards,
  Mubasher

  Hi Mubashir,
  I faced the same problem with cisco ISE and Tiago's response actually helped see below.
  " You can also distribute the NACAgentCFG.xml file with that value set.
  Please find here detailed info regarding this file:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376. "
  In that link, read the section: Agent Customization Settings
  From a NAC agent that has successfully been deployed with the IP configured , go to the NAC agent installation folder 
  C:\Program Files (x86)\Cisco\Cisco NAC Agent , and copy the NACAgentCFG.xml , open with wordpad and edit the line
  IP of PDP node or ISE standalone server
  Then place the edited NACAgent.xml file in the same folder as the one where your GPO will pick the agent from. When the Agent is installed , it automatically picks the configs from the .xml file.
  Regards,
  Henry

• NAC Agent reporting never shows a failure

  I seem to only get reports for successful agent logins under Device MGMT>Clean Access>Clean Access Agent>Reports.  Am I missing a setting somewhere?  Even though I have had many failures (testing, etc) I never see a failed report.  Any ideas?

  Hello,
  Could you please confirm what error message you are getting on the NAC agent (if using the NAC agent for posture validation)?  The NAC agent will display the standard stuff such as 'temporary access', etc.  The message displayed is based upon which requirement is failing, for example a standard AV installation check/rule.
  Also, for this failing client, do you see a passed report or no report at all? Well, for the agents that ultimately pass posture assessment (even if a particular check/rule fails) we see a passed report.  If the agent never gains access, IE never gets out of 'Temporary Access' we don't see any report.  I am hoping that when a Agent fails posture assessment we will see a failed report.  IE, we need a way for the service desk to be able to monitor failed sessions proactively, and with the minimal external alerts available (no email, etc) these failed reports would be key. 
  If we can't see no report at all, there may be something that breaks before that. I have pages and pages of successful reports, but not a single failed report.
  A quick way to verify would be to collect the NAC agent's logs after a failure, under
  Start > Program Files > Cisco > Client Utilities > Cisco Log Packager I don't see this installed on any of the machines with an agent?  Please adivse where I can download it.  Thanks.

• ISE and NAC Agent

  Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) enviroments. We are looking at migrating over to ISE for our wireless enviroment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC enviroment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this enviroment, we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically, is NOT listed in the NAC compatiblity matrix. So what version of NAC agent should we run in a mixed enviroment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

  Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC applainces, we would still run that agent. Does that agent tun against ISE, and if not, what is Cisco's recommendation to bring ISE into the enviroment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE as our laptops will be wireless and wired at different times. Which Agent would be recommended?