NAC Remediation issue

Hi,
I made a requirement for AV update. NAC detects the infected client and launches the AV (Trend Micro client) so he can update his AV, but after that NAC shows an unknown result in CCA and does not show any message regarding successful remediation.
(Traffic is allowed towards AV server)
Any idea?

Hello,
Here are the links to the Windows and MacOS supported AV/AS on NAC 4.8.2:
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/WinAV-AS-vers86.pdf
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/MacOSXAV-AS-ver9.pdf
Regards.

Similar Messages

  • ISE Posture Remediation issue with AV client installation

    Problem: If a user starts AV client installation on the PC via AV link remediation, after some time (while the AV client installation is not completed yet) the Trend Micro update window pops up but does not start automatic AV or AS def remediation, and the Cisco NAC agent shows the message that the AV definition is not up to date.
    Also, sometimes the NAC agent gives the message that automatic remediation failed, or requires user intervention to press OK so NAC can complete the remediation process.
    I am facing these issues when users don't have an antivirus client on the PC and are performing client installation.
    We have the following posture policies:
    1. AV installation check: if AV is not installed on the PC, then perform link remediation and let the user download the antivirus client from the provided link.
    2. AV definition & AS definition version check (I put both remediation requirements in one policy): if the AV or AS definition version is found to be old, then perform automatic remediation.
    3. WSUS check
    4. SP check
    Actually I want the user to first install the AV client via link remediation and, once installation is complete, then move to AV & AS def remediation if required (because on first-time AV client installation it automatically downloads all updates from the AV server); otherwise the def remediation policy waits for AV client installation completion.
    Please can anybody let me know how remediation works internally? For example, if "AV inst" remediation starts, does the NAC agent wait for its completion and not start other remediation processes, e.g. AS & AV def?
    Second question: what is the remediation process sequence?
    Third question: is there any way we can configure a timer in the remediation process, e.g. 5 min for AV inst, then 3 min for AV & AS def remediation, and then go to other posture remediations?

    Please check the below guide for Posture Configuration:
    http://www.cisco.com/en/US/products/ps11640/products_tech_note09186a0080c15540.shtml

  • NAC Agent Issue

    Hi
    I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
    1. Antivirus installation check
    2. Antivirus definition check
    3. File check
    I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
    The issue I'm seeing is that the end user receives the following Cisco Agent error during the remediation process (while in the temporary role):
    "The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
    The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore it's not so much an issue, just a misleading message displayed to the user.
    Has anyone seen this before or know where this is configured?
    Kind Regards
    Terry

    Hi Faisal,
    I am still having this problem.
    Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automatically. Therefore I am having to disconnect and re-connect the network cable for the agent to realise that I am not fully compliant.
    Is there anything that I can do to make this posture / remediation process automatic and seamless?
    Mario

  • Nac remediation failed

    Hi All,
    Has anyone encountered this issue? Recently upgraded to 4.9. Using L2 OOB wireless. Symantec Endpoint Protection ver 11, virus definition is out of date. When the user clicked repair, it takes a long time to remediate and then gave a failed error: "The remediation you are attempting had a failure. If the problem persist contact the system admin"
    Traffic control is allowing update in temporary role, and there's no blocking from quarantine vlan to symantec server. Also we notice that the definition gets updated after a while.
    Thanks.
    Regards
    Joachim

    Hi Joachim,
    In my environment, we have workstations with SEP ver 11 too and I would like to know where your users are searching for updates during the remediation process.
    We have Symantec Endpoint Protection Manager acting as antivirus server, and when the NAC Agent calls the Symantec LiveUpdate to perform the repair, users will get updates on the Internet and not on the Antivirus Server.
    Could you give me more information about your environment?
    regards,
    Daniel Stefani

  • Creating NAC remediation rules based on MAC address

    Hi All,
    Any idea, please? Is it possible to control PCs allowed on the network based on a MAC address list in NAC? I.e., create a list of MAC addresses for PCs on my network in NAC; then each PC is granted network access (passed NAC authentication and remediation) on the network only if its MAC address is in that list.
    So my checks will be:
    1. Have antivirus updated
    2. Have antispyware updated
    3. Have windows updates installed
    4. Have MAC address registered in the MAC list
    5. etc.
    Then after the above checks pass --> GRANT network access.
    regards,
    Stanlaus.

    I have been doing some of this, and while it does provide some of the functionality that is lost without the ability to apply rules only to read messages, it is not a complete solution. One of the biggest drawbacks is that it is not easy to selectively limit what new mail shows up the smart mailbox. One approach that works, sort of, is to limit the smart mailbox to only messages from people in my address book. However, not all relevant messages are from people already in my mailbox, so it requires constantly double checking to make sure that things are slipping through the cracks.
    The best thing about being able to apply rules, after receiving them, based on the status of a message is that it puts the control in the users hands. It allows you to selectively apply rules, only when you want to apply them. Rather than always/never, you have the ability to apply rules "sometimes/as needed." It allows for fuzzy logic, rather than hard conditions.

  • Cisco NAC Remediation Config Assistance

    I'm deploying NAC for a large enterprise. They would like to use the NAC for posture assessments but manual remediation. If the users do not meet the Windows patch and AV requirements they are expected to manually remediate their systems, not using the CCA agent.
    Is this possible? I cannot find a specific example of this. Their reason for this design is they have multiple partners using this service but they cannot remediate systems which they do not manage; we can only enforce the policies.
    Thanks for the assistance.

    There will be three requirements:
    - a custom requirement checking for registry entries and files to determine if the system is a corporate asset or not.
    - a windows patch check
    - AV checks
    The customer does not require remediation from the NAC at all. They only wish to use the product for posture assessment only. I do not want to offer the option of remediation at all. There are two reasons for this decision:
    1) They cannot perform remediation to 3rd party systems since they do not manage the asset.
    2) They currently have software deployment farmed out to another company which does not use WSUS. They use Tivoli.
    Any advice would be appreciated. Thanks!

  • NAC Agent issues

    Hi guys,
    We are encountering several problems with regards to the NAC Agent. We are deploying AD SSO and for some reason, on the same switch other hosts are performing SSO correctly and others are being prompted for a user name and password by the NAC agent even though the hosts are all logging in the same domain. Do you guys have any idea on how to go about this problem?

    Hi Guys,
    I have deployed NAC in OOB REAL IP gateway mode and it is working fine over LAN.
    Once I enabled the L3 functionality to connect a remote site, after that the local user is being certified through WEB LOGIN.
    But the NAC pop-up is not reflecting to supply the username and password.
    A problem occurred when stopping the NAC agent services: "Agent has been terminated due to unexpected error. please restart your machine."
    Note: No ACL is configured yet.
    I have performed the following tasks to fix it:
    1. Restarted NAC agent services.
    2. Checked proxy settings.
    Could you please help me resolve this issue?
    Thanks & Regards,
    Azeem Khan

  • NAC Remediation

    I am running NAC 4.5.1. Is there a way if a client fails one of the requirements to redirect them to a remediation web page?

    Absolutely - when you set up the requirement choose link distribution.

  • Remedy issue URGENT!! Please help

    Hi All,
    I am not able to login to remedy client as I'm getting the below error
    *‘RPC: Miscellaneous tli error - System error (Connection refused)’*
    We tried to restart the remedy process, but that doesn't work. Getting the below SQL error:
    Action Request System initializing.
    Starting Remedy AR System server
    Also, I have checked the network/firewall, as there are no issues at their end.
    Please, can anyone help me resolve this issue?
    Error while restarting the remedy process
    Action Request System(R) Server Version 4.05.02 patch 1025
    Copyright (c) 1991 - 2001 Remedy Corporation. All Rights reserved.
    Copyright (c) 1989 - 2001 Verity, Inc. All rights reserved.
    Reproduction or disassembly of embodied programs and databases prohibited.
    Verity (r) and TOPIC (r) are registered trademarks of Verity, Inc.
    390600 : SQL database is not available -- will retry connection (ARNOTE 590)
    Notification System Server Version 4.05.02
    Copyright (c) 1994 - 2001 Remedy Corporation. All Rights reserved.
    110902110300- 24733: Initializing process 24733
    110902110300- 24733: DISPLAY_CONFIGURATION===================================
    110902110300- 24733: EXTERNAL START (-X) FALSE
    110902110300- 24733: RESTART (-r) FALSE
    110902110300- 24733: Check-Users: (-c) FALSE
    110902110300- 24733: Debug-Level: (-d) 21
    110902110300- 24733: Disable-Shared-Memory: FALSE
    110902110300- 24733: Hold-Time: (-h) 2592000 seconds = 30.0 days
    110902110300- 24733: Max-Users: (-u) 1000
    110902110300- 24733: Notifier-Outbound-Port: 0
    110902110300- 24733: Notifier-Specific-Port: 0
    110902110300- 24733: Private-RPC-Socket: 0
    110902110300- 24733: Private-Specific-Port: 0
    110902110300- 24733: Register-With-Portmapper: FALSE
    110902110300- 24733: Send-Timeout: (-t) 7
    110902110300- 24733: TCD-Specific-Port: 32768
    110902110300- 24733: ========================================================
    110902110300- 24733: AR System server: remedy01
    110902110300- 24733: AR ServerNameWithDomain: remedy01.ndc.lucent.com
    110902110300- 24733: HostnameWithDomain: remedy01.ndc.lucent.com
    110902110300- 24733: StartServerDaemons
    Notification Send Server Version 4.05.02
    Copyright (c) 1991 - 2001 Remedy Corporation. All Rights reserved.
    110902110300- 24736: Initializing process 24736
    110902110300- 24736: ProcessFiles: called with loginFd(0)=9 and notificationFd(1)=10
    110902110300- 24736: ProcessFiles: start Notifications at offset 0.
    110902110300- 24736: ProcessFiles: reopening nfyfile (new notificationFd=10)
    110902110302- 24733: StartServerDaemons daemon 0 started
    Action Request System(R) Mail Daemon Version 4.05.02
    Copyright (c) 1991 - 2001 Remedy Corporation. All Rights reserved.
    MailFileName: /usr/mail/fxbrophy
    Action Request System initialization is complete.
    390600 : Cannot initialize contact with SQL database (ARERR 551)
    Stop server
    390600 : AR System server terminated -- fatal error encountered (ARNOTE 21)
    Action Request System(R) Server Version 4.05.02 patch 1025
    Copyright (c) 1991 - 2001 Remedy Corporation. All Rights reserved.
    Copyright (c) 1989 - 2001 Verity, Inc. All rights reserved.
    Reproduction or disassembly of embodied programs and databases prohibited.
    Verity (r) and TOPIC (r) are registered trademarks of Verity, Inc.
    390600 : SQL database is not available -- will retry connection (ARNOTE 590)
    Thanks,
    Sajith

    Why are you posting this on the Oracle forums, shouldn't you be talking to Remedy or BMC or whoever provides support for the product?
    Also this (or other public forums) is generally not the place for urgent production issues. There are paid support channels for such issues.
    Anyway, a hint:
    I would probably dig into the very vague "SQL database is not available" message. Does the system have details in logs? What clues does the actual/underlying error messages provide? Is the database in question actually up and reachable from the client (i.e. app server) host?
    Edited by: orafad on Sep 26, 2011 2:20 PM

  • Dot1x NAC reauthentication issue

    Hi,
    I set up a test lab with the NAC Dot1x Framework, and I am facing an issue whereby the port keeps on repeatedly triggering reauthentication, although the next reauthentication is not yet reached. I tried configuring re-authperiod to use local rather than the RADIUS server, or even disabling reauthentication, but the result is still the same.
    My lab is using a Cat3560; even upgraded with the latest IOS ver c3560-advipservicesk9-mz.122-40.SE, it is still the same.
    When I run show dot1x interface detail I notice the next re-auth is still a lot of seconds away, but all of a sudden the port just reauthenticated, whereby the CAT detail shows status reauthenticating.
    CAT version 2.1.103.o with supplicant bundle.
    I even tried to modify the ctad.ini SQTimer, and all this makes no difference.
    thx

    Hi jafrazie,
    I didn't see EAPOL-Start or EAPOL-Logoff Request from the debug dot1x packet.
    In debug dot1x all it shows:
    .Sep 15 12:16:43: dot1x-ev:dot1x_exec_reauth_client: Reauthenticating Authenticator instance on GigabitEthernet0/41
    .Sep 15 12:16:43: dot1x-sm:Posting REAUTHENTICATE on Client=31CC01C
    .Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_authenticated, got event 18(reAuthenticate)
    .Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_authenticated -> auth_restart
    .Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_exit called
    .Sep 15 12:16:43: dot1x-sm:dot1x_auth_stop_reauth_timer called for 000b.db1b.9eac
    .Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_enter called
    .Sep 15 12:16:43: dot1x-ev:Sending create new context event to EAP for 000b.db1b.9eac
    .Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticated_restart_action called
    .Sep 15 12:16:43: dot1x-sm:Posting !EAP_RESTART on Client=31CC01C
    .Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_restart, got event 6(no_eapRestart)
    .Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_restart -> auth_connecting
    .Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_enter called
    .Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_restart_connecting_action called
    .Sep 15 12:16:43: dot1x-packet:Received an EAP request packet from EAP for mac 000b.db1b.9eac
    .Sep 15 12:16:43: dot1x-sm:Posting RX_REQ on Client=31CC01C
    .Sep 15 12:16:43: dot1x_auth Gi0/41: during state auth_connecting, got event 11(eapReq_no_reAuthMax)
    .Sep 15 12:16:43: @@@ dot1x_auth Gi0/41: auth_connecting -> auth_authenticating
    .Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_authenticating_enter called
    .Sep 15 12:16:43: dot1x-sm:Gi0/41:000b.db1b.9eac:auth_connecting_authenticating_action called
    .Sep 15 12:16:43: dot1x-sm:Posting AUTH_START on Client=31CC01C
    Is the switch itself generating the re-auth?
    What could cause this?
    Could it be something wrong with my config? I did try without NAC, just purely dot1x authentication with original WinXP SP2, and it is still the same.
    thx,
    LIMCS

  • NAC Design Issue

    Dear All,
    We will use CAS 1 for Local users (wired/wireless) as L2 OOB virtual GW.
    We will use CAS 2 for VPN users as L3 In-band virtual GW with VPN router.
    Now we have one remote site connecting to our ASA DMZ and other remote sites connecting to our WAN router to access our resources.
    So can I use existing CAS1 or 2 for these two entry points?

    Just for clarification, I attached a quick sketchup. Is this somewhat the topology you had in mind?
    If so then you should be able to use CAS 2 for the ASA and WAN router. The NAC agents installed in the remote locations should have a discovery host in the trusted network and you have to force the incoming traffic through the CAS. But it should be possible as far as I can see.
    Only thing to keep in mind is the 1Gbit throughput limit on the CAS; depending on the amount of traffic coming from remote sites and VPN users it may or may not be an issue.

  • Remediation issue

    I'm using remediation, which is working basically fine, except there is a pause on the "next" button the first time it is hit (before the user is taken back to it after taking the quiz).
    It only happens on the first of three remediations in the project. The other two are fine, and also the second time the user hits the "next" button on that slide there is no pause.
    I have tried recreating the project and still, it happens on the first "next" button.
    Is this a bug?

    1 between them.
    Sent from my iPhone

  • Guest Nac & WLC issues

    Hello,
    I have Guest Nac Appliance & WLC 5508, but I want to know,
    1. Can I use the same username and password authenticated in Guest NAC on 3 devices? Example: laptop, Mac, iPhone.
    2. How many usernames can be stored in Guest NAC: NAC3310-GUEST-K9?
    Thanks a lot

    Hi,
    1. Don't see a problem with that, or perhaps I'm not understanding the question right?
    2. No limit in the software, so as many as you like, until your database fills up your hard drive.
    Faisal

  • NAC license issue

    I am trying to setup a CCA CAM server, but the initial web page which instructs to install the license file isn't working. Has anyone else had trouble installing licenses on these machines? If so, any tips would be greatly appreciated.
    Thanks

    I had the same problem and ended up opening a TAC case.
    The problem is the licensing is not very intuitive, and is tied to the MAC address you enter. In fact, I'd call it counter-intuitive. When you enter the MAC during the licensing you tie that license to that MAC and none other.
    If you've got problems with the license, it just may be the only way to resolve is through a TAC case or direct contact with Cisco Licensing.
    When I had the problem they needed to reset the license and were very helpful in walking me through the process.
    If you can ping and not connect, check your DNS entry. If the DNS entry is not made (or wrong), you could face connection issues, because the pages are called by the CAM software by server name and not IP.
    HTH

  • DRAC/ILO on Nac 3355 issue

    Anyone know how to setup drac on this server ?

    Hello James,
    How did you do your install? Using KVM or serial port?
    I had the same problems with serial install: I was imaging (1.1.4) some appliances (3315 & 3395) at the same time with one PC/console cable that I plugged and unplugged from one appliance to another to follow the install progress. But on several appliances, I was not prompted for the admin & user database passwords.
    The result was the same as yours: the appliance booted, but the ISE application was not installed.
    I had no problems the next time, when I tried to reimage the appliance with the serial cable but WITHOUT UNPLUGGING IT from the beginning to the end! The database users/admin DB passwords were asked for and the install was successful on all my appliances.
    Also you have to check the system time/date/timezone in the BIOS settings of the appliance as described in the hardware install guide.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_install_guide.html
    Have you checked the MD5 of your ISO?
    Hope you'll be able to finish your install properly.
