NAC Issue

Hi
I want to set up a client that accesses the network with a default IP, gateway and startup web page. Could I use NAC to do this?
thanks

Hi,
You can use a DHCP server to assign IP address, gateway and possibly other attributes (DNS server ...).
NAC can do a web page redirect, but only as a tool serving to assess/remediate connecting client(s).
What is your intention in doing webpage redirect?

Similar Messages

  • AD SSO NAC issue

    Dear All,
    1) I have configured AD SSO and users get authenticated. But when the user puts his credentials in on Windows machines, it takes a minimum of 5 minutes for the person to log in and also for the NAC agent to pop up. I disabled the AD SSO and the user can log in in less than 1 minute. Any way to solve these issues?
    2) On a single CAS server, I am using it for both wired and wireless. Wired supports AD SSO with LDAP. Can I use AD SSO with LDAP for wireless? I have deployed the servers with L2 OOB VGW.
    Please guide me
    Prasanth Mathews

    Sorry I misunderstood. Actually, there are 2 authentication servers. One is Kerberos and the other one is AD SSO. Both are pointed to the same domain controller. The reason I created the Kerberos is for allowing user to login through web login for downloading agent at the first time. After that, AD SSO will be used for authenticating.
    Anyway, the problem is if the user's laptop does not log in to the domain, the agent dialog will display and still allow the user to log in via Kerberos. I do not want things like this. How can I do it? Please advise.
    Thanks,
    Nitass

  • NAC issue with DHCP

    There are a few computers in the building that, when they start, I have to do a repair on the connection. If I put those same computers in the admin VLAN (which doesn't go through NAC) I don't need to do the repair. I think something is blocking in the unauthenticated role. But the strange thing is that I'm allowing the DHCP and Active Directory servers in the unauthenticated role.

    The "Enable VLAN Pruning" option is enabled by default for CAS Virtual Gateways. Make sure that "Enable VLAN Pruning" is turned off when "VLAN Mapping" is disabled. Turning the "Enable VLAN Pruning" option on when the "VLAN Mapping" option is disabled can cause the CAS to discard all VLAN packets from passing through in either direction.

  • Cisco NAC: Issue for the Wireless Users being assigned "Un-Authenticated Role" to stop accessing the Network !!!

    Hi,
    I am looking for a solution to deal with the wireless NAC users being authenticated (Web Login only) from a particular AD group. The mapped users get into a particular role and access VLAN, but un-mapped users get the default role, which is the "Un-Authenticated Role", but also get the same access VLAN. So the unwanted users also get the same access, which is undesired.
    I tried one solution: I put those users into a role named "Deny_Role" and enabled a timer of 1 minute (the least time) on it, which seems to be working, but I can see that the user is disconnected (session timeout) after 3 or 5 minutes. I want to limit this, but again, I do not find this an appropriate solution.
    We could deal with wired users easily: bounce the port and get them again into the "Unauthenticated Role", and the VLAN will be the "Un-Auth VLAN" with no network access, or redirect them into a particular role with a specific VLAN. But this is not valid in the case of wireless users.
    So, I am looking for a solution to deal with the wireless users in this situation...
    Please advise or give an idea.
    BR,
    Mubasher Sultan

    Hi,
    Any idea or suggestion...
    BR,
    Mubasher Sultan

  • Layer 2 OOB NAC Issue

    I had a weird problem last week: we moved one of our servers from Layer 2 in-band to Layer 2 OOB mode Virtual Gateway. We set up 9 VLANs on the server and 3 of them worked perfectly; the other six did not. Clients would get a valid IP address but our web splash page would not show up on the others. All 9 were set up the same way, and it works on my test server. We are running 4.7.0 on our Manager. Any suggestions, or has anyone had this problem before?

    Thank you for feeding information back to the community to benefit others.
    That is the spirit...
    PK

  • Config problem when transport

    Hi Experts,
    I created a Z output type in NACE in the Dev system, client 200, and with this I created a process code for my inbound IDoc partner profile. Along with this we created IDoc segments and other stuff. Now after transport I am not getting these changes reflected in the TST system.
    How can we confirm the TR request number, i.e. in which TR the changes were saved?
    I think the possible problems are:
    1. Maybe saved in some other TR, or
    2. Because the config changes were done in client 200 instead of client 100.
    I have no idea about config-related things.
    Can anyone please tell me about the problem and its solution?
    Regards,
    Nik

    Hi John,
    Thanks for your reply. The thing is,
    I don't remember, when I created the process code for the inbound IDoc, whether it asked for the TR. Yes, it must have asked, but I forgot the TR number. Can you please help me find out which TR it is saved in? Also, when I tried creating a new process code it is not asking me for any TR. So the possibilities I think are that it doesn't ask for a TR, or a TR is not transported, and that is why it is not asking me for a new TR.
    In the menu I am not getting any button which tells me the TR in which the process code was saved.
    For the NACE issue, I am a bit confused regarding the client. Can you please explain to me, to add an output type in NACE, which client I have to use (client 100?). For a new output type I used the client I usually work on, i.e. 200, and things are working fine in DEV, but when I transported all my requests to the TST server, I am not able to see the output type there in the TST system.
    DO I NEED TO DO BOTH THINGS, PROCESS CODE & NACE, IN THE CONFIG CLIENT?
    Regards,
    Nik

  • EDI IDOC OUTBOUND send Purchase Orders from sap to vendors

    Hi Experts,
    I am new to EDI IDocs, but I got an object on this. So my requirement is that purchase orders are sent to vendors from SAP (outbound) through the EDI 850 format, and also I have to add some more fields to the standard IDoc type ORDERS05. One more condition is that if the vendor type is not EDI, then the POs should be sent through fax or email. How can we solve this condition?
    So please send some sample code on this object.
    Thanks in advance,
    S Reddy

    Hi ,
    You can send the purchase order to the vendors using different output type configurations in the NACE transaction.
    If you define a particular output type where you need to give medium 6 and define partner functions within this, you can also set a condition for which partner needs to receive EDI output and which one FAX or email; all this will be done by a functional expert.
    For adding extra segments to your basic type ORDERS05 you need to extend the IDoc; you can do it via WE30 and WE31. Link your message type to the basic type and extension. Please follow the tcodes below for further help. Create all the requested steps in the tcodes mentioned below.
    we20:patner profile
    we21:port
    we30:idoc creation
    we30:segment creation
    we81:message type
    we82:link message with idoc type.
    we02:to status of idocs.
    Now you need to write code for filling those extra segments you have added to your extension type. For that you need to check where your new segment is placed in the IDoc structure. There will be an exit available to attach your code to fill those segments.
    Please go through previous SDN links to see more info.
    Once the settings are done in NACE, issue output from the PO transaction, and once your output is processed check your IDoc in WE02 to see if the segments are coming with the desired data.
    Regards
    Vikas

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server, and the symptoms when the NAC server hung include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via HTTPS, and the HA pair being detected down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found all the services and the logging service had stopped when the issue was happening, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone can help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA server. If this still doesn't work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from ISE ADM PRI are installed in the trusted certificate store on the client machine, but it is a self-signed ISE certificate.
    The reports / USER / Profiling report says the Provisioning Agent has completed the assessment OK.
    The redirected URL is working fine (SEE Evidence).
    We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
    The operations status remains with posture status pending forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
    Cisco advises as possible causes: There are multiple possible causes for this type of issue. See the following Resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidence.
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    Resolution:
    • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (See evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch, especially the webauth redirect ACL, which should deny traffic towards the PSN.
    regards
    Zubair

  • NAC Agent Issue

    Hi
    I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
    1. Antivirus installation check
    2. Antivirus definition check
    3. File check
    I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
    The issue I'm seeing is that the end user receives the following Cisco Agent error during the remediation process (while in the temporary role):
    "The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
    The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore it's not so much an issue, just a misleading message displayed to the user.
    Has anyone seen this before or know where this is configured?
    Kind Regards
    Terry

    Hi Faisal,
    I am still having this problem.
    Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automatically. Therefore I am having to disconnect and re-connect the network cable for the agent to realise that I am not fully compliant.
    Is there anything that I can do to make this posture / remediation process automatic and seamless?
    Mario

  • NAC 4.7.1 CAS CAM Login issues

    Hello,
    I upgraded from 4.5.1 to 4.7.1. I am having trouble with the communication between the CAS and the CAM.
    Here is an outline of the issue:
    1. After Authentication, DHCP, ACS OK, WALL !!!
    2. NAC Online Users = 0
    3. Ping the CAM HA service IP
       Client = NO
       CAS = Yes
    4. Things are broken at the moment where the Agent/Web Browser has to communicate with the NAC Manager... it just times out.
    5. Attached are pics of where it hits the 1. wall and the 2. error that pops up.
    Notes
    CAM Service IP Web UI > CAS Service IP is connected
    Certs from the CAM imported into TCA on the CAS and vice versa @ ver 4.5.1, then upgraded
    DNS working
    Login & remediation was working with ver 4.5.1
    Any help would be greatly appreciated
    Thank you Kindly

    Desperately, I decided to check everything and voilà: FIREWALL. With 4.7.1 the CAS needs access to the DNS server. I'm not sure exactly why. It was a fast one-liner in the firewall among all the logging, but it was the CAS being denied access to the DNS. Added the rule and BANG, all is good.
    The problem was the login worked (inconsistently) for a few moments right after I upgraded or changed the cert... this really was misleading. Just got hung up on the cert being the problem.
    If anyone can tell me why the CAS needs to talk to the DNS server I'd appreciate it.
    Cheers

  • ISE reimage 1.1.4 on NAC 3355 Server Issues

    g'day All,
    I'm having trouble with an ISE re-image of a NAC 3355 server presently. I have successfully downloaded the ISO for ISE 1.1.4 and burnt it to DVD. I've gone through the reimage process, with all the packages being installed successfully (or so it appears); there were no issues while the packages were being uploaded and installed from the DVD.
    My issue is, when the box reboots and I am presented with the login prompt where I can type 'setup' to start the initial config script, I can enter all the relevant details and the system brings up the network interface, pings the default gateway and nameserver successfully (I don't see any errors that the pings have failed) and it appears to start installing ISE.
    I get the on-screen message about not using "Ctrl C from this point", then I see the 'installing applications....' on-screen message, but rather than seeing the 'Installing ISE' on-screen message as detailed in the 1.1.x hardware installation guide, my install jumps straight to the on-screen message 'generating configurations' and then the box reboots.
    Once the box reboots, I am able to log in with the username/password combo I entered in the initial setup script, but I don't get any further on-screen messages or prompts to create a database password, etc. I only get the CLI prompt. I am able to navigate around the CLI fine, I can ping the gateway and nameservers from the CLI fine, but if I do a show application, it comes back with nothing. If I do an application configure ise, the CLI states that ISE is not installed.
    Help please, guys.
    Cheers,
    JS.

    Hello James,
    How did you do your install? Using KVM or the serial port?
    I had the same problems with a serial install: I was imaging (1.1.4) several appliances (3315 & 3395) at the same time with one PC/console cable that I plugged & unplugged from one appliance to another to follow the install progress. But on several appliances, I was not prompted for the admin & user database passwords.
    The result was the same as yours: the appliance booted, but the ISE application was not installed.
    I had no problems the next time when I tried to reimage the appliance with the serial cable but WITHOUT UNPLUGGING IT from the beginning to the end! The database user/admin DB passwords were asked for and the install was successful on all my appliances.
    Also you have to check the system time/date/timezone in the BIOS settings of the appliance as described in the hardware install guide.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_install_guide.html
    Have you checked the MD5 of your ISO?
    Hope you'll be able to finish your install properly.

  • NAC Agent 4.9 issue while remediation with in ISE

    We have installed NAC agent 4.9 and have configured a posture policy for Symantec Endpoint Protection version 11x in ISE 1.1.1. When the end user falls into remediation and tries to remediate by collecting the latest antivirus definitions from the local antivirus, on clicking the update button we get a message stating
    "The Remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system
    administrator"
    It continuously shows that prompt and gives that privilege message.
    Do we need to have administrator rights for remediation? This prompt appears again and again until the remediation timer expires, and then it falls into the Non-compliant (Restricted) profile.
    Please find attached screenshots for the same.

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a WiSM at the core of the network and a 4402 controller at the DMZ, then out through the firewall; no issues with that. We do however have a few problems: how can we provide access through a proxy without using PAC files, obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a RADIUS attribute etc.?
    The second problem is more serious; refer to the documentation below from the configuration guide for guest NAC server v2. It states that hotspots can be used and the Authentication option would allow RADIUS authentication for guests. I've been told otherwise by Cisco and they say it can't be done. Has anyone got RADIUS authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this. I've been looking forward to this project for a long time and it's a bit of an anti-climax that I can't authenticate guests with RADIUS (we use ACS and I was hoping to hook RADIUS into an ODBC database we have set up called Open Galaxy).
    Regards
    Kevin Woodhouse

    Well, I will try to answer your 2nd question.... will it work... yes. It is like any other RADIUS server (high end :)). But why would you do this for guests.... there is no reason to open up a port on your FW and to add guest accounts to, and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and, if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and, last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.

  • NAC 4.7.2 OOB SNMP issues

    Hello,
    I am setting up a NAC CAM and CAS 4.7.2 OOB setup in a test environment (NAC failover for CAM and CAS), and I am seeing some strange SNMP issues. I am testing with a 3750 switch (12.2(53)SE1) using SNMP v2 and v3, and since v3, accessing the switch port configuration in the NAC manager is extremely slow. I click OOB Management -> Devices -> switch XXX and it takes several minutes for the port listing to display. Then sometimes it comes up quickly, but a 'show debug snmp' on the switch shows that it isn't polling the switch, so it apparently starts pulling the ports page from cache, but I can see no logic in how it does this.
    Q1) When and why does the ports page pull cached info?
    Q2) Why are SNMP queries operating so slowly with NAC 4.7.2 OOB?
    Here is my test switch/NAC SNMP config (with pseudo names and fake passwords):
    snmp-server community switch_read ro   (matches OOB Management -> Profiles -> Device -> SNMP Read v2 settings)
    snmp-server view v1default iso included
    snmp-server user switch_write switch_group v3 auth md5 <my-password>  (matches OOB Management -> Profiles -> Device -> SNMP Write v3 settings)
    snmp-server group switch_group v3 auth read v1default write v1default
    snmp-server user cam_notify cam_group v3 auth md5 <my-password>
    snmp-server host 10.200.11.100 traps version 3 auth cam_notify mac-notification snmp  (matches OOB Management ->  Profiles -> SNMP Receiver v3 settings)
    snmp-server group cam_group v3 auth read v1default write v1default notify v1default
    What is wrong with my setup?  Any help is appreciated.
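The thread above does not resolve why the CAM polls slowly, but the quoted `snmp-server` lines are a good case for a small consistency check that a NAC administrator would run before blaming the manager: every v3 user must belong to a defined group, every group's read/write/notify views must exist, and the trap host's user and security level must line up with what the user and its group actually provide. The following is an added example, not code from the original post or from Cisco; the sample configuration is constructed from the post's lines with the parenthetical notes stripped and the `<my-password>` placeholder kept as-is. Beyond dangling references it also flags v3 users configured with `auth` but no `priv` (polls are authenticated but sent in clear) and MD5 authentication, which a practitioner reviewing an OOB switch profile would want to know about.

```python
"""Consistency and hygiene check over Cisco IOS 'snmp-server' lines.

Added example for the NAC 4.7.2 OOB SNMP post above; the sample below is
constructed from the lines quoted in that post (parenthetical notes removed).
"""

# Constructed sample: the post's snmp-server lines, placeholder password kept.
SAMPLE_CONFIG = """\
snmp-server community switch_read ro
snmp-server view v1default iso included
snmp-server user switch_write switch_group v3 auth md5 <my-password>
snmp-server group switch_group v3 auth read v1default write v1default
snmp-server user cam_notify cam_group v3 auth md5 <my-password>
snmp-server host 10.200.11.100 traps version 3 auth cam_notify mac-notification snmp
snmp-server group cam_group v3 auth read v1default write v1default notify v1default
"""


def parse_snmp_config(text):
    """Parse snmp-server view/group/user/host/community lines into a dict."""
    cfg = {"views": set(), "groups": {}, "users": {}, "hosts": [], "communities": []}
    for raw in text.splitlines():
        tok = raw.strip().split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind = tok[1]
        if kind == "view":
            cfg["views"].add(tok[2])
        elif kind == "group":
            # snmp-server group NAME v3 {auth|noauth|priv} [read V] [write V] [notify V]
            g = {"model": tok[3], "level": tok[4] if tok[3] == "v3" else None,
                 "read": None, "write": None, "notify": None}
            for i, t in enumerate(tok):
                if t in ("read", "write", "notify") and i + 1 < len(tok):
                    g[t] = tok[i + 1]
            cfg["groups"][tok[2]] = g
        elif kind == "user":
            # snmp-server user NAME GROUP v3 [auth {md5|sha} PW [priv {des|aes ...} PW]]
            u = {"group": tok[3], "model": tok[4], "auth": None, "priv": None}
            if "auth" in tok:
                u["auth"] = tok[tok.index("auth") + 1]
            if "priv" in tok:
                u["priv"] = tok[tok.index("priv") + 1]
            cfg["users"][tok[2]] = u
        elif kind == "host":
            # snmp-server host ADDR [traps|informs] version 3 {auth|noauth|priv} USER [types...]
            h = {"addr": tok[2], "user": None, "level": None}
            if "version" in tok and tok[tok.index("version") + 1] == "3":
                vi = tok.index("version")
                h["level"], h["user"] = tok[vi + 2], tok[vi + 3]
            cfg["hosts"].append(h)
        elif kind == "community":
            cfg["communities"].append({"name": tok[2], "mode": tok[3].lower() if len(tok) > 3 else "ro"})
    return cfg


def check_snmp_config(cfg):
    """Return findings: dangling references, mismatched trap settings, weak v3 modes."""
    findings = []
    for name, g in cfg["groups"].items():
        for role in ("read", "write", "notify"):
            if g[role] and g[role] not in cfg["views"]:
                findings.append(f"group {name}: {role} view '{g[role]}' is not defined")
    for name, u in cfg["users"].items():
        if u["group"] not in cfg["groups"]:
            findings.append(f"user {name}: group '{u['group']}' is not defined")
        if u["model"] == "v3":
            if u["auth"] is None:
                findings.append(f"user {name}: v3 user without authentication (noAuthNoPriv)")
            elif u["priv"] is None:
                findings.append(f"user {name}: v3 auth without priv, polls are authenticated but not encrypted")
            if u["auth"] == "md5":
                findings.append(f"user {name}: MD5 authentication, prefer SHA where the platform allows it")
    for h in cfg["hosts"]:
        if not h["user"]:
            continue  # v1/v2c trap hosts are out of scope for this check
        user = cfg["users"].get(h["user"])
        if user is None:
            findings.append(f"host {h['addr']}: trap user '{h['user']}' is not defined")
            continue
        if h["level"] == "priv" and user["priv"] is None:
            findings.append(f"host {h['addr']}: level priv but user '{h['user']}' has no priv key")
        grp = cfg["groups"].get(user["group"])
        if grp and not grp["notify"]:
            findings.append(f"host {h['addr']}: group '{user['group']}' has no notify view, traps from '{h['user']}' will not be sent")
    for c in cfg["communities"]:
        if c["mode"] == "rw":
            findings.append(f"community {c['name']}: read-write community string, v3 write user is preferable")
    return findings


if __name__ == "__main__":
    for line in check_snmp_config(parse_snmp_config(SAMPLE_CONFIG)):
        print(line)
```

On the post's configuration the checker reports no dangling references (the trap user `cam_notify` sits in `cam_group`, which carries a notify view, and both groups point at the defined `v1default` view); it only flags that both v3 users run auth-without-priv with MD5. Removing the `snmp-server view` line from the sample is an easy way to see the dangling-reference findings appear.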

    Did anyone ever find a solution to this issue? I'm having the same problem.... it takes minutes to open the ports on a switch in the CAM. It shouldn't take minutes to manage ports for each switch, it should take less than 10 seconds...
