NAC Rollout

I am trying to roll out CTA and Symantec's SymSentry for posture validation on remote access users. Does anyone have any suggestions on the best way to do this? I would like one-stop shopping.
My goal is for a remote user to log in via VPN and have the NAC process start. If you do not have CTA or SymSentry entries loaded, it would take an unknown posture validation that would redirect you to a website that basically says if you want access to the domain, you will need to click here. Once you click on the link, it will install the CTA and SymSentry agents and then do another posture validation to see if one will need to update.
Does anyone have any other way that would be easier than this?
Thank you in advance.

Hi all,
I have had a think about this overnight and the best answer I can come up with is that the final line in my code ‘spanning-tree portfast’ is the only one that could possibly have had any impact on a port status.
I tried an experiment whereby I removed the code I added yesterday from one of the ports on the affected switch and then re-added the code (including the portfast line) but could not replicate the problem. If I had been able to replicate it then I could have checked the switchport status to see if it had been error-disabled etc.

Similar Messages

  • NAC Windows Client 4.9.3.5 issues with windows 8

    Hi, We are using NAC Client 4.9.3.5 and have had no major issues until the Client wanted to test with a Windows 8 Tablet, same issue also occurs on Windows 8 test Laptops.
    The NAC client pops up with the message that the version of Software is not supported.
    Is there a known workaround for this?
    It's currently out of scope for the NAC rollout Project but will cause issues when the client does move to Windows 8.
    Any help will be very much appreciated.
    Thanks,
    Terry

    Terry,
    Please ensure that you are using Internet Explorer in Desktop Mode and not the default Metro Mode for Tablets.
    Note: In the Windows 8 operating system, Internet Explorer has two modes, Desktop and Metro. In Metro mode, ActiveX plugins are restricted. You cannot download the NAC Agent in Metro mode. You must switch to Desktop mode and then launch Internet Explorer to download the NAC Agent.
    This note is found in the "Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(3)" found here:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49x/cam/m_webagt.html#wp1473153

  • NAC server is not available on the network

    I am doing a rollout of ISE 1.1.1. I am using NAC agent 4.9.0.47 for posture checking of Win7 x86 machines. Occasionally users are getting 'NAC server is not available.... try disconnecting and connecting to the network to start a new connection'. When I try to reproduce the issue it is not happening. It happens randomly here and there. What are the possible reasons for this issue? Since ISE is not getting the posture result, the machine remains in the posture check 'unknown' stage. I am halfway through the rollout and it is stopping me from rolling out further. If anybody knows, please advise.

    Hi,
    I had the same issue and upgrading to 1.1.2 made the issue quiet down a bit. I have a few reported issues but haven't seen any in the past 2 weeks. Also, which supplicant is the client running, and do they see these on the laptops or machines that have both wired and wireless connections?
    The reason I ask is that the native Windows supplicant tends to connect to both networks (wired and wireless); this can cause some problems with the NAC agent if the link for the wired or "the lower metric route" flaps.
    The bug Cisco provided me is related to "CSCuc70607".
    Hope this helps,
    Tarik Admani
    *Please rate helpful posts*

  • ACS Server hardware build for NAC/TACACS deployment

    Hi,
    We are in the pilot stage of a NAC v2 Framework rollout for our 4000 seat network and have funding available to purchase a high spec server to be deployed as the primary ACS box. The server will also handle our TACACS requirements for accessing network devices. I know I could simply go with the Cisco recommended build, however with a view to the future of managing NAC requests for 4000 PCs, I am keen to over spec the box where this would be useful. I have options to increase RAM, Processors and Disk configuration. Which of these will be advantageous?
    Cheers, SteveK.

    Enforce your organization's security policies on all devices seeking network access. Cisco Network Admission Control (NAC) allows only compliant and trusted endpoint devices, such as PCs, servers, and PDAs, onto the network, restricting the access of noncompliant devices and thereby limiting the potential damage from emerging security threats and risks. Cisco NAC gives organizations a powerful, roles-based method of preventing unauthorized access and improving network resiliency.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html

  • NAC SSO in Windows 7 not Working

    Hello,
    I'm having problems with SSO process on workstations with Windows 7 and I need help to solve it.
    ENVIRONMENT:
    Clean Access Manager: 4.9.0
    Clean Access Server: 4.9.0
    Clean Access Agent: 4.9.0.33
    Compliance Module: 3.4.27.1
    Windows Domain : Windows 2003 Server Full Functional Level
    Status of Active Directory SSO: Started
    More Informations:
    On the Windows domain controller, I ran the following command with no errors:
    ktpass -princ NAC_USER/[email protected] -mapuser NAC_USER -pass mypass -out c:\nac_user.keytab -ptype KRB5_NT_PRINCIPAL
    The file nac_user.keytab was created in c:\ of the DC.
    On Windows XP workstations, SSO is working correctly.
    On Windows 7 workstations it works when I manually enable DES in "Start > Control Panel > System and Security > Administrative Tools > Local Security Policy > Local Policies/Security > Options > Network security > Configure encryption types allowed".
    I have many workstations running Windows 7 and cannot do this manual procedure on all of them.
    Running the tail -f /perfigo/access/tomcat/logs/nac_server.log command on the CAS, I see the following messages during an attempt to do SSO with an unchanged Windows 7:
    2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 WARN  com.perfigo.wlan.jmx.adsso.GSSServer               - Server was not running ...
    2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Server starting server ...
    2012-03-09 11:45:21.329 +0100  RMI TCP Connection(481)-10.5.32.248 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Server is now running ...
    2012-03-09 11:45:21.329 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - SPN : [NAC_USER/[email protected]]
    2012-03-09 11:45:21.329 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - building kdc list for domain mydomain.net
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - done building kdc list for domain mydomain.net
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - KDC(s) :[srvslsdc001.mydomain.net, srvpnpdc001.mydomain.net, srvpnpdc002.mydomain.net, srvalvdc001.mydomain.net, srvtatdco001.mydomain.net, srvtatdco002.mydomain.net, srvpaldc002.mydomain.net, srvmurdc001.mydomain.net, srvnundc001.mydomain.net]
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2012-03-09 11:45:21.469 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2012-03-09 11:45:21.470 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - creating login context ...
    2012-03-09 11:45:21.470 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - GSSServer - created login context ...javax.security.auth.login.LoginContext@b55e97
    2012-03-09 11:45:21.631 +0100  Thread-88 INFO  com.perfigo.wlan.jmx.adsso.GSSServer               - Notifying GSSServer status Started
    2012-03-09 11:45:21.807 +0100  Thread-88 DEBUG com.perfigo.wlan.jmx.adsso.GSSServer               - accepting ADSSO socket ...
    2012-03-09 11:45:42.285 +0100 10.5.112.140 SWissServer Thread INFO  com.perfigo.wlan.jmx.swiss.SWissUtil               - opswat=3.5.2.1 dm_opswat=3.5.2.1
    2012-03-09 11:45:42.329 +0100 10.5.112.140 SWissServer Thread INFO  com.perfigo.wlan.jmx.swiss.SWissUtil               - SWissServer: OPSWAT SDK Path=https://10.5.33.10/perfigo_download/CCAA/opswat-win.zip
    As we can see, I restarted the AD SSO service, and the two bold lines are the records while trying to SSO with Windows 7, but without success.
    The NAC Agent pops up a request for manual authentication.
    Does anyone know how to solve this trouble?
    If you need more information, please let me know.
    Regards,
    Daniel Stefani

    Hi Guys,
    When I changed the files /perfigo/access/tomcat/conf/krb.txt and /perfigo/access/bin/starttomcat on the CAS according to the configuration guide:
    /perfigo/access/tomcat/conf/krb.txt
    [libdefaults]
    kdc_timeout = 20000
    default_tkt_enctypes = RC4-HMAC
    default_tgs_enctypes = RC4-HMAC
    permitted_enctypes = RC4-HMAC
    and
    /perfigo/access/bin/starttomcat
    CATALINA_OPTS="-server ... -DKRB_OVERRIDE=true"
    an error was generated in nac_server.log when I tried to run the SSO service.
    ERROR:
    2012-03-07 11:52:50.655 +0100  Thread-77 ERROR com.perfigo.wlan.jmx.adsso.GSSServer               - Unable to start server ... KDC has no support for encryption type (14)
    But I remembered that during the changes, I had checked the option "Use DES encryption types for this account" on the user account I'm using to run the service.
    When I unchecked this option in the user account options and kept the changes to the files krb.txt and starttomcat, the SSO service started with no errors and Windows 7 users now do SSO too.
    tks,
    Daniel Stefani
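Added example, not part of this thread or of Cisco's software: a small Python audit that parses a krb.txt [libdefaults] section for the enctypes it offers, flags DES (which is what the unchanged Windows 7 workstations refuse) and RC4-HMAC (the fix that worked in 2012, but itself legacy today), and reads nac_server.log lines so that the trailing "(14)" in the GSSServer error is resolved to its RFC 4120 name, KDC_ERR_ETYPE_NOSUPP. The config texts and log lines are constructed to mirror the post (the DES "before" config is invented for contrast; the thread does not show it), and the reading of the number as a KRB-ERROR code is an assumption.

```python
"""Audit a NAC Appliance-style krb.txt for weak Kerberos enctypes and
classify KDC errors found in nac_server.log.

Added example, not part of this thread or of Cisco's software. The
config texts and log lines below are constructed to mirror the post;
the KRB-ERROR code table is taken from RFC 4120 section 7.5.9 (assumed
to be how the "(14)" in the log should be read)."""

import re

# DES enctypes: disabled by default on Windows 7 / Server 2008 R2 and later,
# which is why the unchanged workstations in the thread could not do SSO.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des"}
# RC4-HMAC was the working fix in 2012 but is legacy today; flagged at a
# lower severity so the report distinguishes "broken" from "ageing".
LEGACY_ENCTYPES = {"rc4-hmac", "arcfour-hmac"}

# Subset of KRB-ERROR codes (RFC 4120, section 7.5.9).
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",      # "KDC has no support for encryption type"
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
}

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_libdefaults(text):
    """Parse the [libdefaults] section of a krb5-style file into a dict.
    *_enctypes values become lower-cased lists; other values stay strings."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        out[key] = value.lower().split() if key.endswith("_enctypes") else value
    return out


def enctype_findings(libdefaults):
    """Return (key, enctype, severity) for every DES ("weak") or RC4
    ("legacy") enctype the config offers, in file order."""
    findings = []
    for key in ENCTYPE_KEYS:
        for enc in libdefaults.get(key, []):
            if enc in WEAK_ENCTYPES:
                findings.append((key, enc, "weak"))
            elif enc in LEGACY_ENCTYPES:
                findings.append((key, enc, "legacy"))
    return findings


# Matches the nac_server.log layout shown in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [+-]\d{4})\s+(?P<thread>.+?)\s+"
    r"(?P<level>ERROR|WARN|INFO|DEBUG)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$"
)
ERRCODE_RE = re.compile(r"\((\d+)\)\s*$")


def classify_log_line(line):
    """Split one log line into its fields; for an ERROR whose message ends in
    a numeric code, resolve that code to its RFC 4120 name. None if no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"level": m.group("level"), "logger": m.group("logger"),
           "msg": m.group("msg"), "krb_error": None}
    c = ERRCODE_RE.search(rec["msg"])
    if rec["level"] == "ERROR" and c:
        code = int(c.group(1))
        rec["krb_error"] = KRB_ERROR_CODES.get(code, "UNKNOWN(%d)" % code)
    return rec


def audit(krb_text, log_lines):
    """Combine both checks into one report dict."""
    findings = enctype_findings(parse_libdefaults(krb_text))
    errors = [r["krb_error"] for r in map(classify_log_line, log_lines)
              if r and r["krb_error"]]
    return {"findings": findings, "kdc_errors": errors,
            "ok": not errors and not any(f[2] == "weak" for f in findings)}


# Constructed "before" state: DES still offered (not shown in the thread).
KRB_TXT_DES = """[libdefaults]
kdc_timeout = 20000
default_tkt_enctypes = DES-CBC-MD5 DES-CBC-CRC
default_tgs_enctypes = DES-CBC-MD5 DES-CBC-CRC
permitted_enctypes = DES-CBC-MD5 DES-CBC-CRC
"""
# The working configuration from the thread.
KRB_TXT_RC4 = """[libdefaults]
kdc_timeout = 20000
default_tkt_enctypes = RC4-HMAC
default_tgs_enctypes = RC4-HMAC
permitted_enctypes = RC4-HMAC
"""
# Constructed log lines in the thread's format (logger padding shortened).
SAMPLE_LOG = [
    "2012-03-09 11:45:21.231 +0100  RMI TCP Connection(481)-10.5.32.248 WARN  "
    "com.perfigo.wlan.jmx.adsso.GSSServer - Server was not running ...",
    "2012-03-07 11:52:50.655 +0100  Thread-77 ERROR com.perfigo.wlan.jmx.adsso.GSSServer"
    " - Unable to start server ... KDC has no support for encryption type (14)",
]

if __name__ == "__main__":
    for name, text in (("DES", KRB_TXT_DES), ("RC4", KRB_TXT_RC4)):
        print(name, audit(text, SAMPLE_LOG))
```

The two checks are deliberately separate: a clean krb.txt with a KDC_ERR_ETYPE_NOSUPP in the log points at the account side (the "Use DES encryption types" checkbox in the thread), while a DES finding with a quiet log points at the CAS configuration.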

  • Use of NACE after creating print program n smart form

    What's the purpose of NACE? I have created my own print program and smart form according to my own requirement. Is NACE necessary for my smart form? How can I use NACE, I mean the navigation steps?
    Please help me out. It's urgent.
    Thanks & Regards,
    Santhosh.

    Hi Santhosh,
    NACE is for message control settings. Say if you want to trigger a Smartform or an IDoc or any other customized program, you can do the message control settings.
    Say at the time of Sales Order creation or update you want to trigger a Smartform; then you have to follow these steps:
    Go to NACE.
    Select application V1 and then click Output Type.
    Create a new Output Type or copy the existing one and save it with a new name.
    Then in Processing Routine mention the driver program name, and in Form Routine mention the main subroutine name.
    In Smartform mention your Smartform name and also the layout if you have created one.
    Again go to NACE, select application V1 and press Procedures.
    Here, out of the many procedures, you have to select the right one and attach your Output Type to it.
    You can also create a condition record, say if you want to trigger this Smartform for Sales Orders of a particular type.
    Hope this helps.
    Reward Points if useful.
    Thanks.

  • NAC firmware upgrade from 4.1.3 to 4.7 or 4.8, anyone?

    I currently have 1 CAS 3310 Failover Bundle for Wireless user, and 1 CAM Lite Failover Bundle for management.
    ACAS, CAM and Clean Access Agents are running 4.1.3. We are considering an upgrade in particular because some end-user machines are soon to be Windows 7. Our authentication for users is provided by AD SSO.
    I would like to know your experience when doing such a major jump (4.1.3 to 4.8.1). Looking for gotchas and known issues. Also what the incremental upgrade path looks like.
    I was thinking we can go 4.1.3 -> 4.6.1 -> 4.8.1. Any other way or recommendation? Cisco is highly recommending we go to 4.8.1 if at all possible.
    I am also aware that we need to create new root certificates.
    Appreciate input.
    Thanks,
    Rosa

    Hi,
    Yes, that is the correct upgrade path: 4.1.3 -> 4.6.1 -> 4.8.1.
    I would recommend you go through the release notes for 4.6.1 and 4.8.1 for all the known gotchas and the detailed upgrade process.
    Gotchas/changes/upgrade process for 4.6.1: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/461/461rn.html#wp65900
    Gotchas/changes/upgrade process for 4.8.1: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/481rn.html#wp65900
    Regarding the certificates, you should not use the self signed certs due to security reasons, and they should only be used for lab purposes.
    This means that it still works with the self signed, but you need to import the CAS cert into the CAM trusted certification authorities and vice-versa, so that the CAM trusts the CAS cert and vice-versa.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Cisco Nac 3310 Upgrade From 4.1.6 to 4.7.2

    Hi,
    I have to upgrade the NAC environment from version 4.1.6 to version 4.7.2.
    This is the scenario.
    2 CAM
    2 CAS
    on 3310 Platform in HA-Pairs.
    On the Cisco website I found that upgrading to 4.7.2 is possible this way: 4.1.6 --> 4.1.8 --> 4.5.1 --> 4.7.2. I think that the direct upgrade 4.1.6 --> 4.5.1 is possible. Can you confirm that?
    Well, I've some questions about this upgrade.
    1) If the upgrade fails, is there any rollback task to do? Reinstall the CAM/CAS and restore the backup or what?
    2) Can you tell me the downtime for the upgrade 4.1.8 --> 4.5.1?
    3) The downtime for the upgrade 4.5.1 --> 4.7.2 ?
    Thanks in advance for the support!!!

    Thank you very much, I really appreciate your help!
    I will follow the procedures that Cisco indicates and I hope that everything will work fine!
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/418/418rn.html#wp75888
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/45/45rn.html#wp75888
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/472rn.html#wp75888
    I noticed that the tar.gz for the 4.7.2-from-4.5.x upgrade is an ISO file. Is this the correct file?
    The attached image shows the content of the file: cca_upgrade-4.7.2-from-4.5.x-4.6.x.tar.gz
    Is this right?

  • NAC 4.5 ADSSO on multiple AD servers not working, how to troubleshoot?

    Hi All,
    I'm handling a NAC (CAS and CAM ver 4.5) to be implemented on a production network. The network has two working AD servers, one acting as back-up. We want to configure the NAC to be able to run ADSSO even if the active AD fails, so we configured NAC to run ADSSO on multiple servers. I followed the documents, ran ktpass for multiple ADs, installed kerbtray to see Kerberos tickets, but still I'm puzzled by the problem. My CAS shows that the ADSSO service is already started, but my workstation cannot perform Single Sign-On. After the "performing AD authentication" window, the agent then reverts back to a local account. Please help, guys. I'm willing to share other details about this. Thanks.
    Regards,
    Dan

    Hi Faisal,
    The Unauthorized role is already in an all-traffic-enabled policy. My problem is that the KT that is shown on the workstation is different from the one I created using ktpass, although I matched the cases of the domain and the one in the ktpass. I would deeply appreciate it if you can help. Thanks.
    Regards,
    Dan

  • NAC Guest Server, How to change the password for a single user?

    We have a NAC Guest Server which creates a complex password for all new users created.
    We would like to have a normal/simple password for a single user. How can I get this done on a NAC Guest Server?
    Thanks in advance.

    Hi,
    You can setup 3 different flavours of passwords:
    http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_guestpol.html#wp1063249.
    a. Username Policy 1 - Email address as username
    Use the guest's email address as the username. If an overlapping account with the same email address exists, a random number is added to the end of the email address to make the username unique. Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time.
    b. Username Policy 2 - Create username based on first and last names
    Create a username based on combining the first name and last name of the guest. You can set a Minimum username length for this username from 1 to 20 characters (default is 10). User names shorter than the minimum length are padded up to the minimum specified length with a random number.
    c. Username Policy 3 - Create random username
    Create a username based upon a random mixture of Alphabetic, Numeric or Other characters. Type the characters to include to generate the random characters and the number to use from each set of characters.
    Note: The total length of the username is determined by the total number of characters included.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
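Added example, not part of the thread or of Cisco's product: a Python model of the three username policies quoted in the reply above. It implements the collision rule of Policy 1 (an overlapping account means same e-mail and intersecting validity periods, so a random number is appended), the padding rule of Policy 2 (first+last name padded with random digits up to the 1-20 minimum length) and the character-set mix of Policy 3 (total length is the sum of the per-set counts). The account representation, the 4-digit suffix width and the use of one random digit per padding position are assumptions; the sample accounts are constructed.

```python
"""Guest-account username generation following the three NAC Guest Server
username policies described in the thread.

Added example, not part of the thread or of Cisco's product. The account
store, suffix width and padding scheme are assumptions; sample data is
constructed. Validity dates are ISO strings so they compare as text."""

import random
import string

# Constructed existing accounts: username -> (email, valid_from, valid_to).
EXISTING = {
    "ann.lee@example.com": ("ann.lee@example.com", "2012-03-01", "2012-03-31"),
    "bob@example.com": ("bob@example.com", "2012-01-01", "2012-01-31"),
}


def make_rng(seed=7):
    """Seeded generator so runs are reproducible; use SystemRandom in production."""
    return random.Random(seed)


def overlapping_account_exists(email, valid_from, valid_to, accounts):
    """Policy 1 collision test: same e-mail AND the validity periods intersect."""
    email = email.lower()
    for acct_email, start, end in accounts.values():
        if acct_email.lower() == email and start <= valid_to and valid_from <= end:
            return True
    return False


def username_from_email(email, valid_from, valid_to, accounts, rng):
    """Policy 1: the e-mail address is the username; on overlap, append a
    random number (assumed here to be up to four digits) until it is unique."""
    base = email.strip().lower()
    if not overlapping_account_exists(base, valid_from, valid_to, accounts):
        return base
    while True:
        candidate = "%s%d" % (base, rng.randint(0, 9999))
        if candidate not in accounts:
            return candidate


def username_from_names(first, last, rng, min_length=10):
    """Policy 2: first name + last name (letters and digits only), padded with
    random digits until it reaches min_length, which must be 1..20."""
    if not 1 <= min_length <= 20:
        raise ValueError("minimum username length must be 1..20")
    base = "".join(ch for ch in (first + last).lower() if ch.isalnum())
    while len(base) < min_length:
        base += str(rng.randint(0, 9))
    return base


def random_username(rng, alphabetic=6, numeric=2, other=0, other_chars="-_"):
    """Policy 3: draw the requested number of characters from each set and
    shuffle them; the total length is simply the sum of the counts."""
    chars = ([rng.choice(string.ascii_lowercase) for _ in range(alphabetic)]
             + [rng.choice(string.digits) for _ in range(numeric)]
             + [rng.choice(other_chars) for _ in range(other)])
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    rng = make_rng()
    print(username_from_email("ann.lee@example.com", "2012-03-15", "2012-03-20", EXISTING, rng))
    print(username_from_email("bob@example.com", "2012-03-15", "2012-03-20", EXISTING, rng))
    print(username_from_names("Ann", "Li", rng))
    print(random_username(rng, alphabetic=5, numeric=3, other=1))
```

The seeded generator is only there to make the demonstration repeatable; anything that mints real guest credentials should draw from `random.SystemRandom` or `secrets` instead.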

  • Guest Wireless Users Not Able to Get to NAC Guest Server

    First of all, I appreciate any of the help that can be offered on the post.  Your solutions and suggestions have been valuable, in the past!
    Here's the scenario.  I have two internal WLC's, and one anchor mobility server, in the DMZ.  The internal controllers are part of the 10.x.x.x range, while the DMZ WLC is in the 192.168.1.x range.  We also have a NAC Guest Server, in the DMZ that has a 192.168.1.x address.  Here's the problem, when a guest user uses our guest SSID, they're assigned a 172.16.x.x address, their traffic is intercepted, and they're presented with a login page.  If they don't have login credentials, there's a "Register Here" link that takes them to the NAC Guest Server to self-register.  When they click the "Register Here" link, for some reason they can't get to the NAC guest server.  If I bring up a command prompt, and type in "telnet 192.168.1.x 80", it connects.  The odd thing is that when I was testing, if I login with guest credentials, and then try to go to the NAC Guest Server self-service page, I can get to it with no problem.  Would anyone have any ideas as to why?

    I may have missed something here, but isn't the point of the guest portal that you can't get anywhere on the network (except the guest portal) until you have authenticated?

  • NAC and AD, Machine GPOs, Roaming Profiles = Chaos

    I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.
    We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.
    While I'm not the Cisco consultant, it wasn't hard to recognize this problem.
    Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

    I have had similar issues and have solved many with a custom script that runs at log on. It is a compiled script and works great, AutoIT3.
    The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize but you will need to log off and on again.
    The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place on a roaming profile synchronization, I would be grateful. If I can I will replicate that process in my script and solve this issue also.
    I have fixed the log in script stuff with a delayscript that I use (ironically) clean access to install. You have to launch it with the users credentials, though and not from Clean Access which uses the SYSTEM users credentials in its stub agent!
    This is a known issue to Cisco but any prodding of them to get it working would help. Their solution is braindead, just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each log in attempt. Not good.
    Anyway, that's where I am at. Most of this can be dealt with, some is still problematical.
    Dan S.

  • Error While Creating Sales Document - on a new rollout

    Dear Friends,
    While going for a new Plant creation on a rollout, I am getting the following error while creating a Sales Order.
    Kindly suggest what is needed.
    "Template and one-time material processing is not activated.
    No determination routine is specified for the SD documents for the permitted combinations.
    The combination of sales organization, document category, and document type or delivery type for the SD document is not permitted."
    Thanks & Regards
    T.Arulvanan

    Dear Friend,
    Have you assigned the Sales Area to the Document types?
    T-code: OVAZ.
    Also check the Sales Applications V/c2.
    Can you double click on the error and see what the details of the error are?
    Regards,
    Amlan Sarkar

  • Assigning Smartform in NACE

    hi,
    I've developed a smartform for purchase order and configured it in NACE. Instead of MEDRUCK I have given the Smartform name as ZPURC, and I'm getting the error 'ERROR IN OPEN_FORM'.
    What should I do for this? Where should I configure the smartform?
    thanks and regards,
    siri

    Hi Sirisha,
    Please check your logic.
    Assigning a form in NACE:
    Go to the NACE transaction.
    Select the EF application and then click on the Output types push button.
    Now select output type NEU or NEUS and double click on the Processing routines folder on the left side of the screen.
    Now in Medium "Print output" remove the form in the PDF/Smartform Form field and assign your own form name which you have created.
    Best regards,
    raam

  • Problem while assigning smartform in NACE

    Hi all,
    I am getting the following error while trying to assign a Z-smartform in the NACE transaction. Rewards assured.
    Diagnosis
    For output type NEU and transmission medium 8 an entry has been maintained in the table of processing programs, but in this entry no processing program has been specified.
    System Response
    When the output is processed later on, it cannot be issued.
    Procedure
    Specify at least one processing program and one processing routine in this program.

    Hello Jai,
    I just received the same error while updating our PO. 
    In my case, the problem was that medium "Special function" had an entry line with no program assigned.  This was set up in the original configuration of the system, and since I had only changed the "Print output" entry, I wasn't sure what was causing the message. 
    Since the "Special function" entry was blank, I tested that to see if it was the issue.  Removing that entry did eliminate the message.
    Since the message I received was an informational message, an alternative method to proceed was by simply hitting "Enter" when the message appeared.  I don't see why a blank entry would be required, but since I didn't do the original system configuration, this was the method I chose so as to not change any existing settings other than for the Smartform on which I was working.
    This is an old thread, but I thought I would add this information in case anyone stumbles across it while searching for information about this error (which is how I found the thread.)
    Blaine
