NAC Discovery host

I have one query. I am running in OOB mode, and I have multiple servers running in OOB mode for the branches. How can I add their IP addresses? If you can tell me, it will be great. Should I put them in the DNS server? For example:
172.16.28.241 – HQ.nas.com
172.16.28.247 – xyz.nas.com
172.16.28.XXX – abc.nas.com
If I put *.nas.com in the discovery host, will this work? Because I know I am not able to put multiple IP addresses there.
Will this work as a wildcard for the NAS servers?
How should I go about it?

Hi,
I have already gone through that document. The problem is:
I have two options to redirect the NAC agents' traffic from the small offices to the NAC server, which is located at HQ:
Using PBR
Using ACL and the Discovery Host field
We prefer the second approach; PBR is difficult for the customer to manage.
So we will put the central NAC Server's IP address in the Discovery Host field. (By the way, the NAC Manager GUI already says that this setting applies to L3 users.)
The thing is, the endpoints with NAC agents usually sit at the small offices; however, from time to time they visit the regional offices. So when they are in the regional offices, would the setting above cause any problems? In the regional offices the NAC agent traffic has to go through the NAC server, since that is going to be an L2 OOB deployment. But since we did not test this, I have doubts whether it is going to work smoothly if the NAC agent has its Discovery Host field populated with the central NAC server IP while its traffic goes through the regional office's local NAC server.
Or are you saying that, even with the second approach I mentioned above, I could still leave the Discovery Host field as the NAC Manager IP? Because when the client is at a small office and has the NAC Manager IP in its Discovery Host field, then when its traffic tries to reach the NAC Manager IP, that traffic would not be going through the central NAC server at all.
Dumlu

Similar Messages

  • ISE - Discovery Host

    Dear All,
    I am facing an issue with the automatic discovery of the ISE node by the NAC agent (Discovery Host). Our client was using Cisco NAC 3310 appliances, which have been replaced by ISE, and we have upgraded the NAC agent software as well. Now what is happening is that whenever the NAC agent starts on a user PC it shows the IP address of the old NAC Manager in the Discovery Host field of the NAC agent, and because of this the posture assessment doesn't complete and the user gets stuck in the remediation state.
    As a workaround, I changed the IP address manually in the Discovery Host option of the NAC agent to point towards the new ISE node, and then the posture assessment completes. So kindly advise how I can make this process automatic, so that the NAC agent communicates with ISE automatically.
    Regards,
    Mujeeb

    Hi,
    It has been resolved without a manual entry in the NAC agent or the NACAgentCFG file. Actually the redirection was not working properly for the agent, so I changed the redirect ACL as follows:
    ip access-list extended ACL-AGENT-REDIRECT
        deny udp any any eq 53
        permit tcp any any eq 80
    Kindly refer to the following document:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_10_universal_switch_config.pdf
    Now the agent is able to find the primary ISE node and posture is working fine.
    Regards,
    Mujeeb

  • NAC AGENT - DISCOVERY HOST IP ADDRESS with AD

    Hi,
    We have deployed the Cisco NAC Agent in our network via a GPO update. The deployment model is L3 OOB / Real IP Gateway.
    The issue is that we need to put the IP address in each host manually to start communicating with the Cisco NAC Manager.
    Is there any way to make it automatic?
    Regards,
    Mubasher

    Hi Mubashir,
    I faced the same problem with Cisco ISE, and Tiago's response actually helped; see below.
    "You can also distribute the NACAgentCFG.xml file with that value set.
    Please find here detailed info regarding this file:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376"
    In that link, read the section "Agent Customization Settings".
    From a NAC agent that has successfully been deployed with the IP configured, go to the NAC agent installation folder
    C:\Program Files (x86)\Cisco\Cisco NAC Agent, copy NACAgentCFG.xml, open it with WordPad and edit the line
    IP of PDP node or ISE standalone server
    Then place the edited NACAgentCFG.xml file in the same folder as the one your GPO picks the agent up from. When the agent is installed, it automatically picks up the configuration from the .xml file.
    Regards,
    Henry
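The edit Henry describes (copy NACAgentCFG.xml from a working agent, change the discovery host, ship it with the GPO package) is worth scripting so that every branch build gets the same file. The Python below is an added example, not code from the thread or from Cisco. It assumes the file has a cfg root element with a DiscoveryHost child, which is how an agent's own copy is laid out; compare against a real exported file before relying on it. SAMPLE_CFG is constructed. The validator accepts one IP address or one FQDN and rejects lists and wildcard patterns such as the *.nas.com asked about in the first post, because it treats the field as a single host, which is what the posts in this thread describe.

```python
"""Set the discovery host in a copied NACAgentCFG.xml for GPO distribution.

Added example, not the thread's or Cisco's code. Assumes a <cfg> root with
a <DiscoveryHost> child (as in an agent's own copy); SAMPLE_CFG is constructed.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# One DNS label: letters, digits and hyphens only, so "*" never matches.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)

SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<cfg>
  <DiscoveryHost>10.0.0.5</DiscoveryHost>
  <LogFileSize>5</LogFileSize>
</cfg>
"""


def valid_discovery_host(value):
    """Accept a single IP address or FQDN; reject lists and wildcards."""
    value = value.strip()
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def get_discovery_host(xml_text):
    """Current DiscoveryHost value, or None if the element is absent."""
    el = ET.fromstring(xml_text).find("DiscoveryHost")
    return None if el is None else (el.text or "").strip()


def set_discovery_host(xml_text, new_host):
    """Return the XML with DiscoveryHost replaced (or added); other settings untouched."""
    if not valid_discovery_host(new_host):
        raise ValueError(f"not a single IP address or FQDN: {new_host!r}")
    root = ET.fromstring(xml_text)
    el = root.find("DiscoveryHost")
    if el is None:
        el = ET.SubElement(root, "DiscoveryHost")
    el.text = new_host.strip()
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def write_agent_cfg(src_path, dst_path, new_host):
    """Read the copied agent file, set the host, write the file the GPO package ships."""
    with open(src_path, encoding="utf-8") as f:
        updated = set_discovery_host(f.read(), new_host)
    with open(dst_path, "w", encoding="utf-8") as f:
        f.write(updated)
    return updated
```

Run write_agent_cfg() against the copy taken from a working machine and put the result next to the installer in the GPO share; the other elements in the copied file pass through unchanged.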

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windows 7 / IE 9 machine; the certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
    The Reports / User / Profiling report says the Provisioning Agent has completed the assessment OK.
    The redirected URL is working fine (see evidence).
    We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
    The operations status remains with posture status pending forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
    Cisco advises as possible causes: there are multiple possible causes for this type of issue. See the following resolution descriptions for details of what we have already tested, and please see the attached files for your switch configuration and evidence.
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (see evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. The limited access ACL applied for the session should allow the Swiss ports: ALL CONFIGURED AS PER CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK, SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch, especially the webauth redirect ACL, which should deny traffic towards the PSN?
    regards
    Zubair

  • NAC agent doesn't pop up on some computers

    Hi
    I use ISE version 1.1.1.2 and NAC agent version 4.9.0.42.
    The NAC agent does not run on some computers but runs on others (Windows 7).
    What could be causing this?
    Please help
    Regards

    Please look into this; it might help you.
    Agent Login Dialog Not Appearing
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions
    This issue can generally take place during the posture assessment phase of any user authentication session.
    Possible Causes
    There are multiple possible causes for this type of issue. See the following Resolution descriptions for details.
    Resolution
    • Ensure that the agent is running on the client machine.
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2(53)SE.
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click the NAC agent icon, choose Properties, and check the discovery host.)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. The limited access ACL applied for the session should allow the Swiss ports:
        remark Allow DHCP
        permit udp any eq bootpc any eq bootps
        remark Allow DNS
        permit udp any any eq domain
        remark ping
        permit icmp any any
        permit tcp any host 80.0.80.2 eq 443 --> This is for URL redirect
        permit tcp any host 80.0.80.2 eq www --> Provides access to internet
        permit tcp any host 80.0.80.2 eq 8443 --> This is for guest portal port
        permit tcp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
        permit udp any host 80.0.80.2 eq 8905 --> This is for posture communication between NAC agent and ISE (Swiss ports)
        deny ip any any
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list.
    • Ensure that the default gateway is reachable from the client machine.
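Two ACLs with opposite semantics appear in this thread, and mixing them up is the usual reason the agent never finds ISE: in the web-auth redirect ACL (Mujeeb's ACL-AGENT-REDIRECT above), permit means "intercept and redirect to the portal", so DNS and traffic to the PSN have to be denied, as Zubair points out; in the limited-access ACL in the post above (a port or downloadable ACL), permit simply means "forward". The Python below is an added example, not code from the thread or from Cisco. It parses the ACE syntax used in these posts and evaluates the flows that matter for Swiss discovery under both interpretations. 80.0.80.2 is the PSN address quoted in the post; the client, DNS server and web destination addresses are constructed.

```python
"""Evaluate the IOS-style ACEs used in this thread against sample flows.

Added example, not code from the thread or from Cisco. Supported ACE form:
    [permit|deny] <proto> <src> [eq <port>] <dst> [eq <port>]
with <src>/<dst> = 'any' | 'host <ip>', <proto> in ip/tcp/udp/icmp, and
ports as numbers or the names seen above. 80.0.80.2 is the PSN address
quoted in the post; the client and the other hosts are constructed.
"""
from dataclasses import dataclass

NAMED_PORTS = {"domain": 53, "www": 80, "bootpc": 68, "bootps": 67}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _port(tok):
    if tok.isdigit():
        return int(tok)
    if tok in NAMED_PORTS:
        return NAMED_PORTS[tok]
    raise ValueError(f"unknown port name: {tok}")


def parse_ace(line):
    """(action, proto, src, sport, dst, dport) or None for a remark.
    A None field means 'any'."""
    toks = line.split()
    if not toks or toks[0] == "remark":
        return None
    action, proto, pos = toks[0], toks[1], 2

    def addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return None
        if toks[pos] == "host":
            pos += 2
            return toks[pos - 1]
        raise ValueError(f"unsupported address form in: {line}")

    def port():
        nonlocal pos
        if pos < len(toks) and toks[pos] == "eq":
            pos += 2
            return _port(toks[pos - 1])
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return action, proto, src, sport, dst, dport


def lookup(acl, flow):
    """First match wins; every ACL ends with an implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace is None:
            continue
        action, proto, src, sport, dst, dport = ace
        if proto != "ip" and proto != flow.proto:
            continue
        if src is not None and src != flow.src:
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dst is not None and dst != flow.dst:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


def is_redirected(redirect_acl, flow):
    """Redirect ACL: 'permit' = intercept and send the client to the portal."""
    return lookup(redirect_acl, flow) == "permit"


def is_forwarded(filter_acl, flow):
    """Port/downloadable ACL: 'permit' = forward the packet."""
    return lookup(filter_acl, flow) == "permit"


PSN, CLIENT = "80.0.80.2", "10.1.2.3"

# Redirect ACL after Mujeeb's fix, plus the deny towards the PSN Zubair asks about.
REDIRECT_ACL = [
    "deny udp any any eq domain",
    f"deny ip any host {PSN}",
    "permit tcp any any eq www",
]

# Limited-access ACL from the post above, trailing comments stripped.
LIMITED_ACL = [
    "remark Allow DHCP",
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "permit icmp any any",
    f"permit tcp any host {PSN} eq 8443",
    f"permit tcp any host {PSN} eq 8905",
    f"permit udp any host {PSN} eq 8905",
    "deny ip any any",
]


def check_session_acls(redirect_acl=REDIRECT_ACL, filter_acl=LIMITED_ACL):
    """Verdicts for the flows that decide whether the agent can reach ISE."""
    dns = Flow("udp", CLIENT, 51000, "10.0.0.53", 53)
    web = Flow("tcp", CLIENT, 51001, "198.51.100.7", 80)
    portal = Flow("tcp", CLIENT, 51002, PSN, 8443)
    swiss = Flow("tcp", CLIENT, 51003, PSN, 8905)
    dhcp = Flow("udp", CLIENT, 68, "255.255.255.255", 67)
    other = Flow("tcp", CLIENT, 51004, "10.9.9.9", 443)
    return {
        "dns_redirected": is_redirected(redirect_acl, dns),        # want False
        "web_redirected": is_redirected(redirect_acl, web),        # want True
        "portal_redirected": is_redirected(redirect_acl, portal),  # want False
        "dns_forwarded": is_forwarded(filter_acl, dns),
        "swiss_forwarded": is_forwarded(filter_acl, swiss),
        "dhcp_forwarded": is_forwarded(filter_acl, dhcp),
        "other_forwarded": is_forwarded(filter_acl, other),        # implicit deny
    }
```

Paste your own session ACLs into the two lists and look for a True in the portal_redirected slot or a False in the swiss_forwarded slot: either one means the agent's connections to the PSN are being intercepted or dropped, which is the condition Zubair's question is probing for.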

  • Problem SSO between VPN and NAC

    Hello
    Description of our problem : SSO doesn't work
    - On the first connection from the VPN client we enter the login and password two times: once for the VPN client and a second time for the CAA (Clean Access Agent).
    - For the other connections that succeed, we enter the login and password only once (for the VPN only) and for the CAA the connection is done automatically; some hours later we again have to enter the login and password twice, for the VPN and the CAA.
    The following steps were done to configure Cisco NAC Appliance to work with a VPN concentrator:
    Step 1 Add Default Login Page =ok
    Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok
    Step 3 Enable L3 Support on the CAS = ok
    Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)
    Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)
    Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok
    Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)
    Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok
    Step 9 Add VPN Concentrator as a Floating Device =ok
    Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok
    the database for vpn authentication is cisco secure acs(192.168.1.30).
    Thanks to anybody who can give us a possible solution.
    FILALI Saad
    Ares Maroc

    Hi
    I have just gone through the same issues with SSO VPN with my CAS in Real-IP mode.
    First thing to consider: when you are testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found while testing that it would sometimes cache the user, and I was getting successful auth attempts only because the device had already been accepted on a previous connection, since the CAS had not been made aware that the user had logged out correctly.
    1. Make sure you have a fully functional DNS system on the inside network. I didn't realize how important it is to have forward and reverse lookups for your CAS and CAM. Make sure that all CASes and CAMs are listed in DNS with the correct domain names.
    This is very important if you are running your own CA certificates on the CAS and CAM. Make sure that the CAM and CAS can resolve each other via DNS. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPNs into your ASA they can also perform DNS lookups and reverse lookups. If they can't perform DNS lookups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldn't resolve internal DNS names, so the CCA agent would never auto pop up and start the auto-login process, because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate, as I had used names in my certs and not IP addresses.
    2. Make sure the VPN group settings in the IPsec policy of the ASA have DNS pointing to your internal DNS server.
    3. I know you already said you have done this, but check to make sure that the VPN group set up on your ASA for your remote access users has RADIUS accounting directed to the INSIDE interface IP address of your CAS (if you are running your CAS in Real-IP mode, I found that the inside interface was the only interface listening on 1813; do a 'netstat -an' on the CAS to check). If you are running in VGW mode then you only have one IP address to direct it to anyway.
    Follow from step 15 in the following link:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    4. Troubleshoot and make sure that the ASA actually sends a RADIUS accounting message to the CAS. I did this by SSHing into the CAS and running 'tcpdump -i any src and not tcp 22'. I then logged in to the VPN client and made sure that once I entered my VPN user and password, the ASA authenticated the VPN user and then passed a RADIUS accounting message to the CAS informing the CAS that it had allowed a new user. If you don't see this RADIUS accounting message hit the CAS interface, go back to my step 3 and resolve it.
    5. Finally, check that you have not mistyped a shared secret somewhere, i.e. between CAM and ACS, between ASA and ACS, between ASA and CAS. I had all my users authenticate through RADIUS on my ACS server, and a number of times I got caught out by a simple typo in a shared secret.
    Try these things first.
    Also, someone else here on the forums linked this guide to me, which also helped me set up my CAS correctly.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
    You may find it useful too.
    Dale

  • NAC SSL CERTIFICATE WARNING

    Hello there,
    I have implemented NAC on my network. I've deployed an OOB Virtual Gateway. It used to work fine when I had version 4.6. My office relocated, where everything changed, including the IP addresses we used on the LAN. During the relocation the SSL certificate also expired. Before activating NAC on the new site I decided to upgrade to the current version (4.8) and also installed new certificates (obtained from an internal Microsoft CA server). The problem is that I'm getting the security warning 'The certificate you are viewing does not match the name of the site you are trying to view'. I used the ETH0 IP of the CAS in the certificate request. Both ETH1 and ETH0 have the same IP. Any assistance please. I've tried to request the certificate again, import it and reboot the CAS, but the warning keeps on appearing to users.
    regards,
    Stanslaus.

    OK, it looks like your IE security settings are very tight.
    When the agent starts, it will try to discover the CAS using the discovery host, sending HTTP to the discovery host IP address.
    What happens is that the CAS will spoof this communication and reply to the agent itself. It seems that this action is making your PC trigger this alarm.
    I guess this is annoying...
    This was first seen internally in version 4.6 and was supposed to be fixed in 4.7 and later versions.
    I would advise you to open a TAC case and we can follow up on you to check if there is anything to be done on the agent or PC to get rid of this.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • NAC WLC OOB integration

    I am trying to get NAC integration with the WLC working for wireless users in OOB and can't get it to work. I followed the directions step by step from the configuration example on the Cisco website. Without enabling NAC on the WLC I am able to associate and work fine. With NAC enabled, association works but the client stays on the Quarantine VLAN and never gets switched. I can see the client as a Discovered client on the CAM only when I turn off 802.1X for layer 2 security on the WLAN, but still it does not get switched to the Access VLAN, nor do I get a web login screen. DHCP for wireless clients is provided by the WLC itself, so that traffic does not pass through the CAS. Am I doing anything wrong?

    Faisal
    I haven't tried to browse to the CAS IP. I will try that when I am there next time. The laptop did have a NAC agent with a discovery host of the CAM IP, as it was used as a wired client before. Looking at the routing table, I would think routing should not be an issue, as the guest subnet correctly points to the untrusted interface with no GW, and that should take the VLAN 201 path, which is the quarantine VLAN ID for the WLC guest WLAN. Just FYI, the 172.16.8.0 subnet, which is the guest subnet, is not being routed internally for security reasons and is just an L2 VLAN on the core switch:
    10.8.21.11/32           -               0 0
    10.8.21.1/32            -               1 0
    10.8.21.0/24            -               2 0
    0.0.0.0/0               10.8.21.1       1 0
    10.8.17.0/24            -               2 8
    10.8.15.0/24            -               2 8
    172.16.8.0/24           -               2 8
    10.8.21.10/32           -               0 2
    10.8.17.169/32          10.8.21.1       1 0
    10.8.17.152/32          10.8.21.1       1 0
    10.8.17.182/32          10.8.21.1       1 0
    10.8.17.128/32          10.8.21.1       1 0
    10.8.17.119/32          10.8.21.1       1 0
    10.8.17.137/32          10.8.21.1       1 0
    10.8.17.188/32          10.8.21.1       1 0
    10.8.17.200/32          10.8.21.1       1 0
    10.8.17.165/32          10.8.21.1       1 0
    10.8.17.124/32          10.8.21.1       1 0
    10.8.17.113/32          10.8.21.1       1 0
    10.8.17.197/32          10.8.21.1       1 0
    10.8.17.206/32          10.8.21.1       1 0
    Thanks
    Shaffeel

  • NAC agent delayed before popup

    Dear ,
    I installed the NAC system and it is working fine, but when the user logs in, the agent is delayed about 10 minutes before popping up to the user. I don't know why the agent doesn't appear immediately after the PC finishes startup.

    I only use OOB configurations, so I haven't tested IB configurations. However, you may see some issues in both configurations, since the agent needs to send user/PC information to the CAM.
    In our setup, the fact that the agent doesn't load until after the desktop comes up has produced a delay in total login time that can reach 20 minutes (I've timed it), depending on the situation. I haven't yet been able to determine what Microsoft is trying to talk to that it can't (the delay is waiting for a bunch of things to time out).
    Now, if the desktop is loaded and all user programs are running and it still takes 10 minutes for the popup, then the issue is probably with the discovery host (or lack of one), as you have been discussing with Faisal.

  • NAC layer 3 Virtual Gateway Setup

    I am currently running the NAC Appliance in virtual gateway mode for layer 2 in-band and it works great. I wanted to add layer 3 virtual gateway in-band to this same NAC server, but I can't seem to find enough documentation on this. I do have layer 3 enabled and a static route to the layer 3 network in place. I don't think I understand how to get the network to go through the NAC. Do I need to run the agent on the layer 3 network, or can it still somehow go through just the web page authentication?
    Thanks.

    Policy-route the unauthenticated traffic so it forces the layer 3 network in question through your CAS layer 3 device. Your discovery host address should be on the other side of the Clean Access Server, on the trusted side. There's a NAC Chalk Talk PDF that steps you through this.
    Search "NAC Chalktalk".

  • Urgent- Login disabled for NAC Agent

    Hi All,
    Not able to log in to the NAC Agent after downloading and installing it on a Windows XP machine.
    Please find attached the logs collected through the Cisco Log Packager.
    Please help us in troubleshooting this issue.
    An early response is appreciated.
    Thanks,
    Abuzar

    Hi Abuzar,
    Is this an L2 or L3 setup?
    Is the CAS in VGW or Real-IP mode?
    In the NAC Agent logs I see that the client first tries TCP/8905 discovery to 10.0.0.1 (default GW) and 192.168.1.10 (Discovery Host), then UDP discovery, both in L2 to the address 10.0.0.1 (on port 8905) and in L3 to the address 192.168.1.10 (on port 8906), but none of these discovery methods returned a response from the CAS.
    Make sure that the discovery traffic hits the CAS, and then that the SSL certificate installed on the CAS points correctly to the IP address of the CAS (the service IP if you're in HA mode).
    In L2, the discovery should succeed with the attempt to contact the default gateway, as the CAS is either going to be the default gateway itself (in the case of L2/Real-IP) or it is going to intercept this traffic (in L2/VGW).
    If you're in L3 (meaning that you have at least one hop between the client machine and the CAS), make sure that L3 support is enabled on the CAS and that the traffic to the discovery host crosses or hits the CAS (the discovery host may be the CAS itself or a host on the trusted side of the network); in this case you will need to configure policy-based routing accordingly.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • PC cannot authenticate to NAC

    hi,
    I have a failover NAC CAM and server. My discovery host points to the service IP of my untrusted interface, but when I use that untrusted service IP in my Internet Explorer it is not authenticating. What might be the problem?
    thanks,

    To be clearer, I'm getting the error message:
    The login information is not valid for this server.
    The server failed to accept the login information you provided. Check the name and password and try to log in again, or contact your network administrator.
    I tried to check /var/log/system.log but there wasn't anything logged. Is there another log I can check, maybe an LDAP log or something?

  • NAC deployment on Remote Branch

    Hello guys,
    I need help deploying Cisco NAC on a remote branch. I did all the necessary steps and configs but still no luck. On the main site we have an OOB Real IP Gateway deployment. All of the campus is deployed, but for the remote branch it is not working. We have firewalls and routers (of course) in between; I have allowed IP any to the NAC Server and Manager, but still no luck.
    Is there any point I am missing? Do I have to do some extra config for the remote branch?

    Did you generate the certificate on the CAS so it resolves to the untrusted interface?
    You can find the managed subnet configuration here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_addSrvr.html#wp1060206
    Also keep in mind, for any changes you make related to certificates or network settings, you must reboot the CAS for those changes to take effect. Please reboot the CAS and see if that resolves your issue.
    I also wanted to verify how you were able to get the download page. The reason is that if you are not being automatically redirected to the page, then most likely all the client traffic isn't being redirected either. For troubleshooting you may want to change the discovery host of the agent to the untrusted IP of the CAS and see if that causes the agent to pop up.
    Thanks,
    Tarik Admani

  • NAC OOB-Logoff

    Hi
    How is the host communicating with the NAC server?
    In OOB L2 VG, the agent is using the Swiss protocol (L2 8905 towards the default gateway or L3 8906 towards the discovery host), but the NAC server does not have an IP in the access VLAN; it only has a management address in another VLAN...
    And the discovery host is commonly the CAM, so the agent won't reach the server on the trusted side.
    Cisco says that ACL, PBR or VRF is the answer, but in an L2 OOB none of these solutions would work, because the NAC server only has a management address and no L3 connectivity to the access VLAN.
    If the discovery host should be used, how are multiple NAC servers then supported?
    Can the CAM tell the agent anything or forward the Swiss packets?
    Am I missing something?
    Regards, Henrik


  • NAC Design Issue

    Dear All,
    We will use CAS 1 for local users (wired/wireless) as an L2 OOB virtual GW.
    We will use CAS 2 for VPN users as an L3 in-band virtual GW with the VPN router.
    Now we have one remote site connecting to our ASA DMZ and other remote sites connecting to our WAN router to access our resources.
    So can I use the existing CAS 1 or 2 for these two entry points?

    Just for clarification, I attached a quick sketch. Is this somewhat the topology you had in mind?
    If so, then you should be able to use CAS 2 for the ASA and WAN router. The NAC agents installed in the remote locations should have a discovery host in the trusted network, and you have to force the incoming traffic through the CAS. But it should be possible as far as I can see.
    The only thing to keep in mind is the 1 Gbit throughput limit on the CAS; depending on the amount of traffic coming from remote sites and VPN users it may or may not be an issue.
