NAC Problem

Hi !!!
My implementation is VG-OOB-L2
I have this:
VLAN Auth = 136, doesn't have any subnet associated
VLAN Access = 140, subnet is 10.0.140.0/24
Other VLANs when the user role works = 128, 144 and the subnets (10.0.128.0/24 and 10.0.144.0/24)
When I connect my PC, my port changes to VLAN 136, I receive the NAC Agent login, I log in successfully, but my VLAN is not changed to VLAN 128, and my IP address is not changed either. The SNMP configuration is OK because in the first step, when I connect to the port, the VLAN is changed.
My doubts about my config are:
On interface eth1 (untrusted) of the CAS I have VLAN 136.
On interface eth0 (trusted) of the CAS I have VLAN 140; my doubt is, do I need to put VLAN 128 and 144 too?
In managed subnets I have only the 10.0.140.0/24 subnet, which corresponds to VLAN 140. Do I need to put the 128 and 144 subnets too?
VLAN Mapping is 136-140.
Why is it not working?
Thanks.

Faisal,
I solved the first problem, it was a dumb misconfiguration. What is happening now is that I have more than one user role, but only one auth VLAN. In the user role I have 3 VLANs with 3 different subnets, the problem is: when a client authenticates it doesn't renew its IP address, it continues to use the same IP that it got when it was in the auth VLAN. I need the client to change its address to the correct subnet associated with the VLAN.
We're using an OOB VGW L2 setup, in the access switch I can see that the port's VLAN is changed from the auth VLAN to the user role VLAN, but the client keeps the same IP address from the auth VLAN.
Regards,

Similar Messages

  • NAC problem with Samsung Galaxy Grand (Android)...!!!

    I tried accessing wifi through my Android mobile in my college, which has NAC installed. The MAC address of my device was successfully added to the portal, but I'm not able to connect my device to the respective wifi network.
    Can anyone suggest what the problem is?

    It is probably an issue with your NAC config.
    If the issue is with all Android devices, then look into this:
    https://supportforums.cisco.com/message/3889346#3889346
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco NAC problem

    Hi Friends,
    I am facing problems in our NAC implementation. The AV popup is not showing. Also the rules could not be downloaded. A screenshot is provided.
    Please suggest
    regards,
    Rajiv

    Rajiv,
    No screen shot attached to the post. If you haven't reviewed the posture assessment chalktalk/PDF already, that is also a very good place to start and check your setup against!
    Link for VODs: http://bit.ly/chalktalks Look at number 5
    HTH,
    Faisal

  • NAC Problem with Samsung Galaxy Tab

    I have a campus running Cisco Clean Access. My problem is this. When my wireless tablet with Android connects to the network and tries to access the internet, it takes me to the login page. Now I can put normal guest information in and then gain access to the internet for 5 secs, then no more access. When I check the summary logs on the CAS it shows my device being added to the certified list as well as the MAC address list. I then check device management and confirm that my device is there under the guest role.
    I am not using any NAC agent.
    If I want to reconnect I have to remove the device from device management and then I can restart the process with the same results as above. If I add an exemption to allow this device, then it can access the entire network/internet.
    My questions are these. Am I missing something obvious? Are Android devices not supported? Where would I go to further troubleshoot this?
    Thanks for any help.

    Are you running in-band or out-of-band? I am thinking you are running in-band since you mentioned the filter, but I just wanted to make sure. Also, what version of Clean Access are you currently running?
    You mentioned that you are able to access the internet for 5 seconds; what does that mean and how did you verify this?
    thanks,
    Tarik

  • OOB Wirless NAC Problem

    All,
    I have a strange problem that I was wondering if anyone can shed any light on?
    I have a 4400 WLC that is authenticating users against a Cisco 3310 Guest server. Once authenticated they are not being moved from the Authentication VLAN on the CAM.
    I see the users created on the CAM. I see the device identified on the CAM from the SNMP trap sent by the WLC. I see the RADIUS accounting packet sent from the CAS to the CAM and the user listed under active users on the CAS. However, I never see any users listed on the CAM or identified in the OOB users list?
    I have role mapping set up, but although I get successfully logged in, it would seem that the CAS/CAM does not recognise this and switch the user from auth VLAN to access VLAN. If I check the client status on the WLC I see all authentication correct, just state set to Quarantine.
    I am going round in circles here.

  • NAC problem. Cant add server.

    Hi all!
    I can't add a NAC server to the CAM. Error: Failed to add server: Conflicting Clean Access Server with IP address <10.52.244.146> must first be removed.
    I add the server with IP 10.52.244.194. I checked all the settings. This address is not used in the settings of the server with IP 10.52.244.146.
    In the logs I don't see useful information.
    Why do I have this error on the CAM?

    Jennifer. In CSCtd27095 it says: The repair updates only the CAS file locally. The fix/repair should update the CAM's database with the CAS's new SSKey. I reconfigured the perfigo service with the right SSKey on my CAS (10.52.244.194). Does not help. I can't reconfigure perfigo on my CAM, because 10 servers are in work.
    P.S.
    When I delete the CAS with IP 10.52.244.146, then I can add the CAS (10.52.244.194). But when I just change the CAS IP 10.52.244.194 to, for example, 10.52.244.154, I still see this error.
    What creates a conflict between these servers?

  • Manage size of DHCP-Client Event log SIZE

    While troubleshooting a DHCP-NAC problem I had to enable and increase the size of the Microsoft-Windows-Dhcp-Client/Admin, Microsoft-Windows-Dhcp-Client/Operational and Microsoft-Windows-DNS-Client/Operational logs.
    Because when a NAC event occurs, the default log size of 1 MB is too short: it fills up in seconds and overwrites the first events.
    Is there any way to increase the log size from GPO?

    Hi,
    Where are these events logged? If these events are logged in Event Viewer, we can utilize Group Policy to change the maximum size of the log.
    The path for this policy setting is:
    GPO_name\Computer Configuration\Windows Settings\Security Settings\Event Log\
    Regarding this point, the following article and blog can be referred to for more information.
    Event Log Policy Settings
    http://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx
    Group Policy Settings - Security Settings - Event Log
    http://vanstechelman.eu/windows/group_policy_settings/security_settings/event_log
    Please Note: Since the second website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Frank Shen

  • Problem while assigning smartform in NACE

    Hi all,
    I am getting the following error while trying to assign a Z-smartform in NACE transaction. Rewards assured
    Diagnosis
    For output type NEU and transmission medium 8 an entry has been maintained in the table of processing programs, but in this entry no processing program has been specified.
    System Response
    When the output will be processed later on, it cannot be issued.
    Procedure
    Specify at least one processing program and one processing routine in this program.

    Hello Jai,
    I just received the same error while updating our PO. 
    In my case, the problem was that medium "Special function" had an entry line with no program assigned.  This was set up in the original configuration of the system, and since I had only changed the "Print output" entry, I wasn't sure what was causing the message. 
    Since the "Special function" entry was blank, I tested that to see if it was the issue.  Removing that entry did eliminate the message.
    Since the message I received was an informational message, an alternative method to proceed was by simply hitting "Enter" when the message appeared.  I don't see why a blank entry would be required, but since I didn't do the original system configuration, this was the method I chose so as to not change any existing settings other than for the Smartform on which I was working.
    This is an old thread, but I thought I would add this information in case anyone stumbles across it while searching for information about this error (which is how I found the thread.)
    Blaine

  • Problem add CAS in CAM NAC 4.7 SSL certificate

    Hello,
    I have a problem with NAC 4.7, I can't add the CAS in the CAM, I imported the certificate of www.perfigo.com and it doesn't work, I rebooted the NAM and NAS and nothing.
    Any suggestion?
    Best Regards

    Hi,
    Do this.
    Go to the CAM GUI. Browse to CCA Manager -> SSL. Check the box marked CCA Manager Certificate and click on Export. Save this file as CAMCert.pem.
    Go to the CAS admin page by going to https://IP_ADDRESS_OF_CAS/admin. Click on SSL. Check the box marked CCA Server Certificate and click Export. Save this file as CASCert.pem.
    On the CAS page, click on Trusted Certificate Authorities, click on Browse, and choose the CAMCert.pem. Click on Import.
    On the CAM page, click on CCA Manager -> SSL -> Trusted Certificate Authorities, click on Browse, and choose the CASCert.pem. Click on Import.
    Now try to add one to the other.
    HTH,
    Faisal

  • Cisco NAC Agent 4.9.1.682 Problems with Mac Os X 10.7.4

    Hi
    My Cisco NAC Agent (version 4.9.1.682) doesn't work since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released? It's getting really frustrating.

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain Access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • NAC OOB VIRTUAL GW PROBLEM

    Hi,
    I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
    Switch: 3550 (ios 12.2(46) adv ip serv)
    NAC 4130 appliances: v4.1.6 (also tried v4.5)
    Switch configuration of the trunks to the CAS:
    - int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
    - int f0/21 (connected to CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
    - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
    The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
    - Login Page
    - Configured IP based traffic control on the unauthenticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)
    - Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
    - vlan mapping between untrusted vlan 100 and trusted vlan 10
    - tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
    - also tried to access the cas' login page from the host, in vain, even though it is accessible from trusted subnets
    Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
    I would be very thankful for any hints to help me solve this issue.
    Questions: When the host is connected to a managed port (assigned to the managed vlan 100) and it is assigned an ip from the access vlan 10, shouldn't I be able to access the managed subnet, since I configured the ip traffic control policy to permit all traffic from untrusted to trusted? Also, shouldn't I be able to resolve a website's ip with "nslookup x.com", since dns traffic is configured by default and also the trusted dns server 192.168.99.1 is configured?
    Thanks in advance for any help.

    It turned out that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
    Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
    For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
    Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
    For further details, refer to switch IOS caveat CSCdu27506:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
    See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
    Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
    Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
    Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
    Cisco Catalyst Switch Model   Virtual Gateway Central Deployment        Edge Deployment
                                  (both interfaces into same switch)        (each interface into different switch)
    6000/6500                     Yes                                       Yes
    4000/4500                     Yes                                       Yes
    3750/3560 (L3 switch)         Yes with 12.2(25)SEE and higher [1]       Yes
    3550 (L3 switch)              No [1]                                    Yes
    3750/3560 (L2 switch)         Yes                                       Yes
    3550 (L2 switch)              Yes                                       Yes
    2950/2960                     Yes                                       Yes
    2900XL                        No [2]                                    Yes
    3500XL                        Yes                                       Yes
    28xx NME                      Yes with 12.2(25)SEE and higher [1]       Yes
    [1] Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
    [2] 2900 XL does not support removing VLAN 1 from switch trunks.

  • Problem SSO between VPN and NAC

    Hello
    Description of our problem : SSO doesn't work
    - on the first connection from the VPN client we enter the login and password twice: once for the VPN client and a second time for the CAA (Clean Access Agent).
    - although for the other connections that succeed, we enter the login and password only once (for the VPN only) and for the CAA the connection is done automatically, some hours later we again enter the login and password twice, for the VPN and the CAA.
    The following steps are done to configure Cisco NAC Appliance to work with a VPN concentrator:
    Step 1 Add Default Login Page =ok
    Step 2 Configure User Roles and Clean Access Requirements for your VPN users =ok
    Step 3 Enable L3 Support on the CAS = ok
    Step 4 Verify Discovery Host =ok (CAS IP ADDRESS 192.168.2.11)
    Step 5 Add VPN Concentrator to Clean Access Server =ok (ASA IP ADDRESS 192.168.2.1)
    Step 6 Make CAS the RADIUS Accounting Server for VPN Concentrator =ok
    Step 7 Add Accounting Servers to the CAS (accounting server is CAM IP ADDRESS 192.168.20.10)
    Step 8 Map VPN Concentrator(s) to Accounting Server(s)=ok
    Step 9 Add VPN Concentrator as a Floating Device =ok
    Step 10 Configure Single Sign-On (SSO) on the CAS/CAM =ok
    the database for vpn authentication is cisco secure acs(192.168.1.30).
    Thanks to anybody who can give us a possible solution.
    FILALI Saad
    Ares Maroc

    Hi
    I have just gone through the same issues with SSO VPN with my CAS in real-IP mode.
    First thing to consider: when you're testing, every time you test a user, make sure you go into the CAS or CAM and remove them as a certified device or active user before you perform your next test. I found while I was testing that it would sometimes cache the user, and I was getting successful auth attempts only because their device had already been accepted on a previous connection, since the CAS was not made aware that the user had logged out correctly.
    1. Make sure you have a fully functional DNS system on the inside network; I didn't realize how important it was to have forward and reverse lookups for your CAS and CAM. Make sure that all CASs and CAMs are listed in DNS with correct domain names.
    This is very important if you're running your own CA certificates on the CAS and CAM. Make sure that the CAM and CAS can resolve each other via DNS. Make sure the CAM and CAS can perform reverse lookups of each other. Also make sure that when the user VPNs into your ASA they can also perform DNS lookups and reverse lookups. If they can't perform DNS lookups, you may need to temporarily allow the untrusted network full access while you resolve the DNS lookup problem on the client computer. One of the issues I had was that the VPN clients couldn't resolve internal DNS names, and so the CCA agent would never auto pop up and start the auto-login process, because it was trying to resolve the CAM name and also check that the CA certificate I had on the CAS was legitimate, as I had used names in my certs and not IP addresses.
    2. Make sure your VPN group settings on the IPsec policy of the ASA have DNS pointing to your internal DNS server.
    3. I know you already said you have done this, but check to make sure that the VPN group set up on your ASA for your remote access users has been set up with the RADIUS accounting directed to the INSIDE interface IP address of your CAS (if you are running your CAS in real-IP, I found that the inside interface was the only interface listening on 1813; do a 'netstat -an' on the CAS to check). If you're running in VGW mode then you only have 1 IP address to direct it to anyway.
    Follow from step 15 in the following link:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
    4. Troubleshoot and make sure that the ASA actually sends a RADIUS accounting message to the CAS. I did this by SSHing into the CAS and doing a 'tcpdump -i any src and not tcp 22'. I then logged into the VPN client and made sure that once I entered my VPN user and pass, the ASA authenticates the VPN user and then passes a RADIUS accounting message to the CAS informing the CAS it has allowed a new user. If you don't see this RADIUS accounting message hit the CAS interface, go back to my step 3 and resolve.
    5. Finally, check that you have not mistyped a shared secret somewhere, i.e. between CAM and ACS, between ASA and ACS, between ASA and CAS. I had all my users authenticate through RADIUS on my ACS server; a number of times I got caught out by a simple typo in a shared secret.
    Try these things first.
    Also someone else here on the forums linked this guide to me that also helped me setup my CAS correctly.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_vpncon.html
    You may find it useful too.
    Dale
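Dale's steps 4 and 5 boil down to one question about each accounting packet the ASA sends: did it reach the CAS, and was it signed with the shared secret the CAS has? As an added example (not from the post, and not Cisco code), the Python below decodes a constructed RFC 2866 Accounting-Request as it would appear in such a capture and recomputes the Request Authenticator, so a mismatched secret between ASA and CAS shows up as `authenticator_ok = False`; the user name, client address, session id and secret are constructed, and 192.168.2.1 is the ASA address from the original post.

```python
"""Decode a RADIUS Accounting-Request (RFC 2866) and verify its Request
Authenticator against a shared secret. Added example, not Cisco code."""
import hashlib
import struct

# Attribute types from RFC 2865/2866 that matter for VPN SSO with the CAS
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
              40: "Acct-Status-Type", 44: "Acct-Session-Id"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
ACCOUNTING_REQUEST = 4  # RADIUS code


def encode_attr(atype, value):
    """Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request whose authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret) (RFC 2866 s.3)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Walk the TLV attribute list, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def decode_accounting_request(packet, secret):
    """Return the decoded fields; authenticator_ok is False when the packet
    was signed with a different shared secret than the one we hold."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    result = {"identifier": identifier, "authenticator_ok": packet[4:20] == expected}
    for atype, value in parse_attrs(body):
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype == 40:
            result[name] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "unknown")
        elif atype in (4, 8):
            result[name] = ".".join(str(b) for b in value)
        else:
            result[name] = value.decode("ascii", "replace")
    return result


# Constructed sample: the ASA (192.168.2.1, from the post) reporting that a
# VPN user's session started; user, client IP, session id and secret are made up.
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [(1, b"vpnuser"), (4, bytes([192, 168, 2, 1])),
                (8, bytes([10, 10, 10, 5])), (40, struct.pack("!I", 1)),
                (44, b"0001A2B3")]
SAMPLE_PACKET = build_accounting_request(7, SAMPLE_ATTRS, SECRET)


def check_sample():
    """Decode the sample with the right secret and with a typo'd one."""
    good = decode_accounting_request(SAMPLE_PACKET, SECRET)
    bad = decode_accounting_request(SAMPLE_PACKET, b"typo-in-secret")
    return good, bad


if __name__ == "__main__":
    good, bad = check_sample()
    print("correct secret:", good)
    print("wrong secret, authenticator_ok =", bad["authenticator_ok"])
```

Run against a real capture, feed the UDP payload to decode_accounting_request with the secret configured on the CAS; a Start record that decodes but fails the authenticator check points at a typo in one of the two secrets rather than at the ASA not sending accounting at all.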

  • NAC Agent Problem

    Hi,
    Recently I am facing a problem with the NAC agent: it does not check for the updates when the user logs in, and a message comes up (please check the attachments).
    Please help me!!!

    Recently, when the user is logging off and logging on, the NAC agent proceeds to check again and again; this problem is
    straining the user, who faces this check and wasted time every time.
    What I know is that NAC proceeds to check if the user is rebooting the machine, but for login and logoff!!!!!!!!
    Is there any solution to prevent this issue?

  • NAC OOB problem - moving users between ports

    Hi,
    I have a problem with an OOB deployment I am currently working on: when I move an authenticated OOB client from one switch to another, it remains stuck in the auth VLAN. It seems that NAC doesn't detect the new port correctly.
    This is what I did to replicate the issue, in detail:
    1) A computer is connected to port 'a' on switch 'A' (A[a]). The port is automatically changed to auth VLAN and authentication and posture assessment are performed.
    2) The computer passes both, and the port is changed back to the designated Access VLAN. OOB user appears in the Online Users list, and the computer is added to the Discovered (Wired) Clients list. All the detailed information on both pages is correct.
    3) The computer is disconnected. OOB user is removed from the Online Users list, but the computer remains in the Discovered Clients list.
    4) The computer is connected to port 'b' on switch 'B' (B[b]). It is automatically changed to auth VLAN and authentication and posture assessment passes successfully one more time. However, the information in the Discovered Clients list is not updated and, moreover, OOB user appears once again in the Online Users list - but the specified location is port A[a]!
    The end result is that the computer remains stuck in the Auth VLAN and the NAC Agent Authentication dialogue keeps popping up.
    I tried the reverse scenario (port B[b] to port A[a]) after manually clearing all user and client information, and the result was pretty much the same...
    Thanks,
    Boris

    Faisal,
    The configuration includes the following lines (on both switches I used for access):
      snmp-server community *** RW
      snmp-server community *** RO
      snmp-server trap-source Vlan2 (management subnet)
      snmp-server location 10.0.0.101 (NAM IP address)
      snmp-server enable traps snmp linkdown linkup
      snmp-server enable traps mac-notification change move threshold
      snmp-server host 10.0.0.101 version 2c cisco  mac-notification snmp
    Also, NAC added the following line on monitored interfaces:
      snmp trap mac-notification change added
    Is this all that is required to send MAC-change and MAC-move traps?
    I captured SNMP traps with a 'tcpdump' on the NAM and I can confirm it receives traps from both switches, with correct source IP addresses. I will try to look into a "raw" dump to see the exact traps it received...
    Regards,
    Boris

  • NGS + NAC Time profiles problem

    Hi, we have NAC v4.7.2 and NGS v2.0.1 integrated with each other. The problem is when creating users with time profiles (From First Login and Time Used) in NGS where it doesn't create corresponding users in NAC automatically via API. The time profile (Start End and From Creation) works perfectly. May I know what seems to be the problem? I have attached sample picture of NGS and NAC.
    Regards,
    Dave

    Hany,
    Can you post a screenshot of what your report looks like when it should be failing but shows up as passed (green)?
    Faisal
