NAC Temporary Role

Folks, I am configuring the NAC CAM 4.7.1 and I created two roles, Employ1 and Employ2, but when those roles go into posture assessment with the CCAA (Clean Access Agent) I saw that role Employ1 falls into the Temporary role and Employ2 falls into the Unauthenticated role; I don't know why there is that difference.
I want to put each profile into a specified quarantine role. How can I do this?
Thanks a lot

Hi Faisal,
thanks for your attention.
Well, I saw that when I put requirements on Employ1, for example a WSUS requirement, and the client needs to update, that client falls into the Unauthenticated role, while Employ2 with the same WSUS requirement falls into the Temporary role.
This way I had to generate ACLs in both roles, the Unauthenticated role and the Temporary role.
Thanks

Similar Messages

  • NAC 4.7.1 L3 OOB - Temporary Role bugs?

    Hi
    We have an L3 OOB routed gateway configuration (with redundant CAS and CAM). We are currently running 4.7.1 on the appliances and the agent is 4.7.10.
    We have experienced two problems:
    1. On several occasions we can abort a valid logon, but can still be allowed access to the network 'silently':
    a - without any indication on the CAM, i.e. no online users, no certified devices
    b - the switch is still in the 'unauthenticated VLAN' and the
    c - IP address of the client is on the 'untrusted' subnet.
    d - the 'unauthenticated' policy DOES NOT ALLOW web traffic.
    It would seem that the user is able to trick the system by aborting the logon with the agent, i.e. closing the window etc. (the login credentials are correct and posture fails on an optional check and so amber), but the system DOES NOT show the user at all.
    The Temporary role does allow full access; if I disable the policy rule the traffic is stopped.
    The problem is there is no indication of this user on the system at all; this happens a couple of times a week.
    2. When a user is genuinely placed into a TEMPORARY role (as indicated by the system, note: not the same as above), about 50% of the time communication is blocked even though the policy allows it (repeated challenges by NAC).
    Close the agent and do it the second time and it will work.
    I think the symptoms are related as they both seem to be related to the usage of the TEMPORARY ROLE - has anyone else seen this bug?

    Hi,
    You said not to configure a quarantine VLAN, but by the time the users get connected, how is the process going to work for the authentication (quarantine) and access VLANs? I mean, how is it going to perform the NAC process, and how do you control what happens if it fails (not in compliance) or if it succeeds?
    It seems that version 4.9(1) has the integration, but it is not so clear:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_woob.html#wp1139585
    What versions were you running in your deployment?

  • Cisco NAC - How to know why a machine is in Temporary Role?

    Hello,
    In our environment, workstations that do not conform with the requirements remain under Temporary Role until the remediation is done.
    In Event Logs I see that the workstation is just under Temporary Role, but I do not know why it is in Temporary Role.
    How can I see this information?
    Ex:
    Authentication
    2011-01-21 11:12:26
    [00:21:9B:37:00:F0 ## x.x.x.x] user@domain - Successfully logged in temporary role, Provider: ADSSO, L2 MAC address: 00:21:9B:37:00:F0, Role: Temporary Role, OS: Windows XP Pro/Home
    Thanks
    Daniel Stefani

    Hi Daniel,
    You can check the info about this user/machine in the NAC agent reports:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_report.html#wp1481407
    There you get details about what checks failed on the client during the posture assessment phase.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • NAC 4.7 "CAS unavailable" temporary role

    I have a VGW, OOB with layer 3 enabled pilot deployment right now. Everything looks fine. However, about 30% of the time (and it's increasing) when I log on using the 4.7 agent, the agent will give me the error that the CAS is unavailable on the network. When I check the CAM, the user can be viewed on the monitoring tab, in-band and placed in the temporary role (highlighted quarantined).
    When I kick the user, more often than not, the user can log back in and it places him in the OOB role that he is assigned to and all works fine.
    core switch -----------cas/cam
         |
    distribution switch
         |
    End user switch---------end user pc
    Any ideas as to why, when placed in the temp role and transitioning to the authenticated role, it would lose contact? And why would it be placed in the in-band section of the monitoring online users?

    The CN name on the CAS was indeed wrong; the IP address was that of the CAM.
    However, that still hasn't fully fixed the problem.
    I took all the checks away from the auth role assigned and it seems to fix the problem.
    Yes, Faisal, all the end points are Layer 2, no hops in between. I have a 6509E as the core switch. Each VLAN on the switch, apart from the Auth VLANs, has an SVI.
    i.e. on the core switch:
    interface GigabitEthernet2/28
    description trusted
    no ip address
    switchport
    switchport trunk native vlan 997
    switchport trunk allowed vlan 5,100,110,120,130,140,150,160,250,298 >>>Access Vlans
    switchport mode trunk
    interface GigabitEthernet2/29
    description untrusted
    no ip address
    switchport
    switchport trunk native vlan 996
    switchport trunk allowed vlan 9,10,20,30,40,50,60,400 >>>> Auth Vlans
    switchport mode trunk
    Example SVI for access VLANS
    interface Vlan110
    description StaffLowerPT
    ip address 1.1.1.1 255.255.255.0
    ip helper-address 1.1.1.4
    ip pim sparse-dense-mode
    ipx network 8
    No SVIs for the auth VLANs.
    I remember reading somewhere that if no checks are done (i.e. if the agent is not running any rules on it) then it moves straight from authentication (phase 1) to the authenticated role (phase 3) without ever hitting the temp user role. Could it be that a rule would cause the CAS to become unavailable if it could not remediate?
    I have an AV check rule, and two SUS/WSUS rules.

  • How to get Clean Access (NAC) reports about users stuck in Temporary role?

    I am using Clean Access 4.7.2.
    If a user does not meet a requirement and is unable to remediate, he is stuck in the Temporary role.
    I checked "Device Management > Clean Access > Reports" but this does not show any user with failed status with a red flag.
    The report shows successful connections with a green flag only.
    How can I obtain a report on the CAM about failed checks?
    Thanks
    Csaba

    We had this problem and were told to press Cancel (and then confirm) in the top right corner of the Agent after failing posture assessment. When we did that, the complete report showed up in CAM within seconds and could then be used to manually remediate the machine.
    Hope that helps!
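The two threads above ("How to know why a machine is in Temporary Role?" and "reports about users stuck in Temporary role") both come down to the same task: working out, from the CAM's Authentication event log, which clients are parked in the Temporary Role. The script below is an added example, not code from the thread or from Cisco; it assumes only the event-line layout quoted by Daniel ("[MAC ## IP] user - message, Provider: ..., L2 MAC address: ..., Role: ..., OS: ...") and the sample lines in it are constructed. It keeps the latest event per MAC address, so a client that later remediated into its normal role is no longer reported as stuck.

```python
"""List clients stuck in the Temporary Role from CAM Authentication event lines.

Added example (not from the thread or from Cisco). Assumes the line layout
quoted in the thread:
  "[MAC ## IP] user - message, Provider: ..., L2 MAC address: ..., Role: ..., OS: ..."
All sample lines below are constructed.
"""
import re

# Header part of an event line: "[00:21:9B:37:00:F0 ## 10.10.20.15] user@domain - rest"
HEADER_RE = re.compile(
    r"^\[(?P<mac>[0-9A-Fa-f:]{17}) ## (?P<ip>[^\]]+)\] (?P<user>\S+) - (?P<rest>.*)$"
)


def parse_event(line):
    """Return a dict with mac, ip, user, message and the lower-cased 'Key: value'
    fields (provider, l2 mac address, role, os). Returns None for lines that do
    not have the expected shape, so unrelated log lines are skipped, not crashed on."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {"mac": m.group("mac"), "ip": m.group("ip"), "user": m.group("user")}
    parts = [p.strip() for p in m.group("rest").split(",")]
    event["message"] = parts[0]
    for part in parts[1:]:
        # partition() splits on the first colon only, so a MAC value keeps its colons
        key, sep, value = part.partition(":")
        if sep:
            event[key.strip().lower()] = value.strip()
    return event


def clients_by_role(lines):
    """Group users by the Role field, keeping only the latest event seen per MAC."""
    latest = {}
    for line in lines:
        event = parse_event(line)
        if event is not None:
            latest[event["mac"]] = event
    by_role = {}
    for event in latest.values():
        by_role.setdefault(event.get("role", "unknown"), []).append(event["user"])
    return by_role


def stuck_in_temporary(lines, role="Temporary Role"):
    """Sorted list of users whose most recent event left them in the given role."""
    return sorted(clients_by_role(lines).get(role, []))


# Constructed sample log: alice is still in the Temporary Role, bob went straight
# to Employ1, carol was in the Temporary Role but then remediated into Employ2.
SAMPLE_LOG = [
    "[00:21:9B:37:00:F0 ## 10.10.20.15] alice@example.local - Successfully logged in temporary role, Provider: ADSSO, L2 MAC address: 00:21:9B:37:00:F0, Role: Temporary Role, OS: Windows XP Pro/Home",
    "[00:1A:2B:3C:4D:5E ## 10.10.20.16] bob@example.local - Successfully logged in, Provider: ADSSO, L2 MAC address: 00:1A:2B:3C:4D:5E, Role: Employ1, OS: Windows 7",
    "[00:1A:2B:3C:4D:5F ## 10.10.20.17] carol@example.local - Successfully logged in temporary role, Provider: ADSSO, L2 MAC address: 00:1A:2B:3C:4D:5F, Role: Temporary Role, OS: Windows 7",
    "[00:1A:2B:3C:4D:5F ## 10.10.20.17] carol@example.local - Successfully logged in, Provider: ADSSO, L2 MAC address: 00:1A:2B:3C:4D:5F, Role: Employ2, OS: Windows 7",
    "2011-01-21 11:12:26 Authentication",  # timestamp/category line, ignored
]

if __name__ == "__main__":
    for role, users in clients_by_role(SAMPLE_LOG).items():
        print(f"{role}: {', '.join(users)}")
    print("stuck in Temporary Role:", stuck_in_temporary(SAMPLE_LOG))
```

Feed it the Authentication lines exported from the CAM event log; the users it lists under Temporary Role are the ones whose agent report (the link Federico gives above) will show which requirement failed.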

  • OIM 11g support for Temporary roles with expiration date

    Dear All,
    Is there a support provided for temporary roles in OIM 11g?
    If not, what is the recommendation as for implementation?
    Kind regards
    Maria Adair

    I'm also interested if someone has any recommendation on how to implement such a feature. Does anyone have any ideas?

  • NAC Agent Issue

    Hi
    I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
    1. Antivirus installation check
    2. Antivirus definition check
    3. File check
    I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
    The issue I'm seeing is that the end user receives the following Cisco Agent error during the remediation process (while in the temporary role):
    "The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
    The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete it places the user in the correct role. Therefore it's not so much an issue, just a misleading message displayed to the user.
    Has anyone seen this before or know where this is configured?
    Kind Regards
    Terry

    Hi Faisal,
    I am still having this problem.
    Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automatically. Therefore I am having to disconnect and re-connect the network cable for the agent to realise that I am not fully compliant.
    Is there anything that I can do to make this posture / remediation process automatic and seamless?
    Mario

  • Nac remediation failed

    Hi All,
    Has anyone encountered this issue? Recently upgraded to 4.9. Using L2 OOB wireless. Symantec Endpoint Protection ver 11, virus definition is out of date; when the user clicked repair, it takes a long time to remediate and then gave a failed error: "The remediation you are attempting had a failure. If the problem persists contact the system admin"
    Traffic control is allowing the update in the temporary role, and there's no blocking from the quarantine VLAN to the Symantec server. Also we notice that the definition gets updated after a while.
    Thanks.
    Regards
    Joachim

    Hi Joachim,
    In my environment, we have workstations with SEP ver 11 too and I would like to know where your users are searching for updates during the remediation process.
    We have Symantec Endpoint Protection Manager acting as antivirus server, and when the NAC Agent calls Symantec LiveUpdate to perform the repair, users will get updates from the Internet and not from the Antivirus Server.
    Could you give me more information about your environment?
    regards,
    Daniel Stefani

  • NAC posture assessment error?

    Hi experts
    I have a NAC with 4.8.3 IOS installed. Everything works perfectly if I am not putting in any posture assessment like WSUS or AV check. I can authenticate successfully and the VLAN shifts OK. But if I put in any posture assessment rule then the NAC Windows agent says the NAC server is not available on the network, and the user goes to the temporary role.
    Any suggestions?

    Please check the links for the configuration and troubleshooting of NAC:
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • NAC Clean Access Agent Issue

    Hi,
    Can anyone tell me, if I want my user to download the Clean Access Agent, how can I achieve that? I have uploaded the agent to my CAM but I'm confused whether my user should use the web agent first and then download the agent over the network, or whether he can download the Clean Access Agent directly?

    Unlike the Clean Access Agent, the Cisco NAC Web Agent is not a "persistent" entity, thus it only exists on the client machine long enough to accommodate a single user session. Instead of downloading and installing an Agent application, once the user opens a browser window, logs in to the NAC Appliance web login page, and chooses to launch the temporal Cisco NAC Web Agent, an ActiveX control or Java applet (you specify the preferred method using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration page) initiates a self-extracting Agent Stub installer on the client machine to install Agent files in a client's temporary directory, perform posture assessment/scan the system to ensure security compliance, and report compliance status back to the NAC Appliance system. During this period, the user is granted access only to the Temporary Role and if the client machine is not compliant for one or more reasons, the user is informed of the issues preventing network access and may do one of the following as mentioned in the below URL:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_cca.html#wp1130212

  • NAC Agent cannot "see" virus defs (Symantec Endpoint version 12) (PIC included)

    Can anyone help? This prevents the PC from passing posture assessment and places it in a "temporary role". I know how to disable the scan, but we would like it to work correctly.
    Same results on several PCs, Windows XP SP2 or SP3, Windows 7 (32 or 64-bit). See screenshot.
    Thanks,
    -=Mike G.
    Michael A. Gloomis
    Sr. Infrastructure Engineer
    NAITS - DENSO International America
    Desk: (248) 372-8158
    Fax: (248) 213-2469

    Hey Federic... thanks for messaging.
    We are running the 4.7.4.2 NAC Agent; however, I cannot find any info on the "compliance module". ???
    -=Mike G.

  • NAC Host-Based Policies Issue

    Hi
    I have a problem... when I try to permit a web page (for example www.microsoft.com) in a temporary role, the user can't open it and it displays a security message, but when I add the web IP the users can access it. The NAC is working on real-IP layer 3.
    thanks for your help

    Hi
    The result of the DNS lookup on the host is the following:
    *** Can't find server name for address 172.16.48.253: Non-existent domain
    *** Default servers are not available
    Server: UnKnown
    Address: 172.16.48.253
    Non-authoritative answer:
    Name: com.com.mx
    Address: 74.52.164.242
    Aliases: www.cisco.com.com.mx
    The result of the nslookup on the CAS is the following:
    [root@CAS-MTY ~]# nslookup www.cisco.com
    Server: 172.16.48.253
    Address: 172.16.48.253#53
    Non-authoritative answer:
    Name: www.cisco.com
    Address: 198.133.219.25
    Help me

  • Traffic Policies IN NAC

    Hello friends,
    For host remediation, should we allow access to a particular destination, or is it accessible by default?
    OR
    Are traffic policies applied after a host passes posture assessment and remediation, to limit network access?
    Thanks

    Hello Faisal,
    Thanks for the response,
    My setup is In-Band Virtual mode.
    From your mail, what I understand is that if the host wants to succeed in posture assessment he has to be permitted to the particular destination.
    For example: if the host is not updated with full AV then he has to be permitted access to the AV server for the updates in the temporary role,
    and the access-list will be like: permit tcp any host 10.10.10.10 (AV Server) eq (port)
    Correct me if I'm wrong?
    2) After the host succeeds in host posture assessment, can we also limit the host to a particular destination?
    Where is the option where we can specify such an access-list?
    Thanks
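The access-list line in the post above is the whole idea of a Temporary Role traffic policy: the quarantined client gets nothing but the remediation destinations, first match wins, and everything else is dropped. The script below is an added example and is not the thread's or Cisco's code; it models that decision with the IOS-style wording the post uses ("permit tcp any host 10.10.10.10 eq 443"), whereas the CAM itself expresses the same rule through its protocol/source/destination/port fields in the role's traffic policy page. All addresses, ports and rules are constructed. The DNS rule is there because of the "Host-Based Policies" thread above: a host-based policy that names www.microsoft.com can only work if the client in the Temporary Role is also allowed to resolve that name.

```python
"""Check flows against a Temporary Role allow-list (added example, not CAM code).

Rule grammar (IOS-style, as quoted in the thread):
    permit|deny <proto> <src> <dst> [eq <port>]
where <src>/<dst> is 'any', 'host A.B.C.D' or 'A.B.C.D/len'.
First matching rule wins; an unmatched flow is denied, which is the behaviour
the thread describes for a quarantined client. All values are constructed.
"""
import ipaddress


def _parse_target(tokens):
    """Consume one address term and return (network, remaining tokens)."""
    tok = tokens[0]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tok == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tok, strict=False), tokens[1:]


def parse_rule(text):
    """Turn one rule line into a dict; raises ValueError on malformed input."""
    tokens = text.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"malformed rule: {text!r}")
    action, proto = tokens[0], tokens[1].lower()
    src, rest = _parse_target(tokens[2:])
    dst, rest = _parse_target(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate(rules, proto, src_ip, dst_ip, dst_port=None):
    """True if the flow is permitted, False if denied (explicitly or by default)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["proto"] not in ("ip", proto.lower()):
            continue
        if src not in rule["src"] or dst not in rule["dst"]:
            continue
        if rule["port"] is not None and rule["port"] != dst_port:
            continue
        return rule["action"] == "permit"
    return False  # implicit deny: nothing else is reachable from quarantine


# Constructed Temporary Role policy: DNS, the AV update server and WSUS only.
TEMP_ROLE_POLICY = [parse_rule(line) for line in (
    "permit udp any host 10.10.10.53 eq 53",    # resolver, so host-based policies can work
    "permit tcp any host 10.10.10.10 eq 443",   # AV server from the thread's example
    "permit tcp any host 10.10.10.20 eq 8530",  # WSUS (default HTTP port)
)]


def remediation_reachable(policy, client_ip):
    """Convenience check used by the tests: can the client reach AV and WSUS?"""
    return (evaluate(policy, "tcp", client_ip, "10.10.10.10", 443)
            and evaluate(policy, "tcp", client_ip, "10.10.10.20", 8530))


if __name__ == "__main__":
    client = "10.10.20.15"
    flows = [("tcp", "10.10.10.10", 443), ("tcp", "10.10.10.10", 80),
             ("udp", "10.10.10.53", 53), ("tcp", "198.51.100.7", 443)]
    for proto, dst, port in flows:
        verdict = "permit" if evaluate(TEMP_ROLE_POLICY, proto, client, dst, port) else "deny"
        print(f"{proto} {client} -> {dst}:{port}  {verdict}")
```

The point for the second question in the post: the same matcher applies to the authenticated role, only with a different rule list, which is why the CAM keeps a separate traffic policy per role.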

  • NAC - Slow download of Certification Requirements

    We originally posted files (Antivirus, Patches, SPs) in the requirements section but when files got too big it was not feasible.
    So we developed a web server solely to serve the certification zip files for students to meet the requirements.
    After they authenticate to the agent, they are IN-BAND in the TEMPORARY Role. At this point they try to download the cert file from a link off the agent and it is so slow that IE/Firefox acts like it is Not Responding.
    If I open up the Role Filters to give access to that same webserver in the UNAUTHENTICATED Role (before they login to the agent) the file downloads fine.
    We are in testing phase so we do not have many users hitting the system.
    Why is this so slow? How else could we serve the files while the students are logged into the agent?

    Was able to narrow this down further.
    Given a requirement for Vista SP1, if the Requirement is a link directly to the file, it will fail (or download at 2k/sec):
    http://cert/cert/vistasp1.zip
    If the requirement is a link to an HTML file that contains the same link above, the user downloads the HTML file to the desktop, clicks on the link and it will succeed and download normally.
    ODD!! Any ideas?

  • NAC feature included in 1841 router with security IOS

    I'm looking for some guidance and documentation regarding the capabilities and configuration of NAC on an 1841 router. It looks like it's a software version of NAC that ties to a policy server, maybe an ACS server or IAS server for example. Is that all it does? In other words, is the capability found mostly on the backend policy server and not the router itself? In that case, what is the router doing, I mean how does it work in relation to NAC? Is it only capable of blocking traffic at layer 3 rather than layer 2 as 802.1x authentication on a switch or the Clean Access appliance offered by Cisco does?
    thank you very much,
    Bill

    For NAC, the role of a device depends on your network security policy. You can have security applied to any device(s) or you can have it on a policy server which can enforce the security policy. The following link may help you:
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns466/c654/cdccont_0900aecd80217e26.pdf
