NAC upgrade 4.6.1 to 4.7.2

Similar Messages

• NAC - upgrade agent

  Hello,
  Can I upgrade NAC agent for switchs cisco 2950 and 3560 to 4.9.4.3 without upgrading the CAM without any problems ?
  the NAC version is 4.5.1.0 
  Big thanks in advance!
  ILIAS

  You can directly download the nac agent 4.9.4.3 from the below download link
  http://software.cisco.com/download/release.html?mdfid=283801620&softwareid=283802505&release=1.2&flowid=26081

• ISE 1.1.3 provisioning problem for the first DOT1x connection

  Hello all,
  I am wondering how a wired dot1x client can get the NAC agent downloaded for its very first connection from ISE ?
  Should the Agent be installed before the first connection ?
  I'have set up ISE 1.1.3 for provisioning (files have been downloaded from cisco website) (upgrade mandatory)
  I have an AuthZ rule for a correct posture assessment
  and
  another AuthZ rule for an unknown posture assessment that triggers a posture remediation (file download)
  (in that order)
  NAC agent is properly configured ( FQDN...), the users gets and nothing happen !
  no NAC upgrade
  no NAC assessment.
  Any idea ?
  Does it take a while for the new agent to be downloaded ?
  Best regards.
  V.

  In order to troubleshoot the NAC agent problem, we need to check  couples of things.like
  1.)Ensure that the discovery host address on the Cisco NAC agent or  Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the  NAC agent icon,
  choose Properties, and check the discovery host.)
  2.) Ensure that the access switch allows Swiss communication between  Cisco ISE and the end client machine. Limited access ACL applied for the  session should allow Swiss ports:
  permit tcp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  permit udp any host 80.0.80.2 eq 8905 --> This is for posture
  communication between NAC agent and ISE (Swiss ports)
  deny ip any any
  3.)If the agent login dialog still does not appear, it could be a  certificate issue. Ensure that the certificate that is used for Swiss  communication on the end client is in the Cisco ISE certificate trusted  list.
  4.) Ensure that the default gateway is reachable from the client  machine.
  As per your confirmation, I am going to close the case for this specific  inquiry. We strive to provide you with excellent service. Please feel  free to reach out to me or any member of the SAC team if we can be of  any further assistance or if you have any other related questions in the  future. We value your input and look forward to serving you moving  forward.

• NAC firmware upgrade from 4.1.3 to 4.7 or 4.8, anyone?

  I currently have 1 CAS 3310 Failover Bundle for Wireless user, and 1 CAM Lite Failover Bundle for management.
  ACAS, CAM and Clean Access Agents are running 4.1.3. We are considering an upgrade in particular because some end-users machine are soon to be Windows 7. Our authenticaion for users is provided by AD SSO.
  I would like to know your experience when doing such a major jump (4.1.3 to 4.8.1). Looking for gotchas and known issues. Also what the incremetal upgrade path look like.
  I was thinking we can go 4.1.3 -> 4.6.1-> 4.8.1. Any other way or recommendation. CIsco is highly recommending we go to 4.8.1 if all possioblem.
  I am also aware that we need to create new root  certificates.
  Appreciate input.
  Thanks,
  Rosa

  Hi,
  Yes, that is the correct upgrade path: 4.1.3 -> 4.6.1 -> 4.8.1.
  I would recomend you to go through the Release notes for 4.6.1 and 4.8.1 for all the known gotchas and detailed upgrade process.
  Gotchas/changes/upgrade process for 4.6.1: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/461/461rn.html#wp65900.
  Gotchas/changes/upgrade process for 4.8.1:http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/481rn.html#wp65900.
  Regarding the certificates, you should not use the self signed certs due to security reasons, and they should only be used for lab purposes.
  This means that it still works with the self signed, but you need to import the CAS cert into the CAM trusted certification authorities and vice-versa, so that the CAM trusts the CAS cert and vice-versa.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Cisco Nac 3310 Upgrade From 4.1.6 to 4.7.2

  Hi,
  I've to upgrade the NAC Enviroment from 4.1.6 version to 4.7.2 version.
  This is the scenario.
  2 CAM
  2 CAS
  on 3310 Platform in HA-Pairs.
  On Cisco WebSite i found that upgrading to 4.7.2 is possible by this way: 4.1.6 --> 4.1.8 --> 4.5.1 --> 4.7.2. I think that the direct upgrade 4.1.6 --> 4.5.1 is possible. Can you confirm me that?
  Well, I've some questions about this upgrade.
  1) If the upgrade fails, is there any rollback task to do? Reinstall the CAM/CAS and restore the backup or what?
  2) Can you tell me the downtime for the upgrade 4.1.8 --> 4.5.1?
  3) The downtime for the upgrade 4.5.1 --> 4.7.2 ?
  Thanks in advance for the support!!!

  Thanks you very much, really appreciate your help!
  I will follow the procedures that Cisco indicates and i hope that everything will work fine!
  http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/418/418rn.html#wp75888
  http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/45/45rn.html#wp75888
  http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/472rn.html#wp75888
  I noticed that the tar.gz for the 4.7.2 frome 4.5.x upgrade is an ISO file. Is this the correct file?
  The attach image shows the content of the file: cca_upgrade-4.7.2-from-4.5.x-4.6.x.tar.gz
  Is right?

• ISE nac Agent automatic upgrade possible ?

  Hello all,
  I have this :
  802.1x windows with NacAgent version (let's say 1) <----> 802.1x Enabled Switch (aaa radius OK) <------> ISE and AD on the same LAN
  ISE is configured for client provisionning with material (NacAgent version 2) downloaded from Cisco website (as depicted in the documentation)
  I've a basic authentication and authorization scheme that let me in properly but I expect the NACAgent to be upgraded.
  No profiling is configured for the time being.
  Is anybody can help ?
  Best regards ?

  Hi Tarik,
  Your are right regarding that option "upgrade is mandatory"
  However, my case was that you do need to enter the ISE's FQDN on the NAC Client and make sure that DNS operates properly.
  Once authenticated, the NAC agent shows an upgrade message.
  It works.
  Thank you all.

• NAC 4.7.2 upgrade to 4.7.5 - How to Lab.

  I will (finally) be upgrading to NAC 4.7.5 from 4.7.2.
  Before I do it in my production environment I want to lab it, just to practice and have some expectation of will happen.
  My production environment is an OOB VG build and is highly available.
  For lab purposes I have 4 - 3310 appliances. I can definitely build the HA-CAS pair and I believe I can build the HA-CAM pair.
  The only concern that I have is that the 3310 appears to be capable of support NAC Lite from a licensing perspective. Will I still be able to build and test the upgrade process for the CAMs?

  Did anyone ever find a solution to this issue? I'm having the same problem.... it takes minutes to open the ports on a switch in the CAM. It shouldn't take minutes to manage ports for each switch, it should take less than 10 seconds...

• NAC version upgrade from 4.5.x to 4.7.1-in different geographical location

  I have more than fifteen CAS’s in different geographical location (state) and controlled by CAM HA that is located in another location (state). I’m currently running NAC version 4.5 and planning to upgrade to 4.7.1. due to Windows 7 compatibility problem. My question is that, what is the easiest way to upgrade to 4.7.1  without visiting each location to upgrade CAS’s? Is there away to push the new version from the CAM? Visiting each location is not that convenient. Please let me know.
  Thanks,

  Dereje,
  Unfortunately for upgrading to this version you need the CD in the box and to reboot from that CD. Reason is that we're changing the underlying OS from Fedora Core to CentOS and that requires a complete re-install of a lot of RPMs which isn't possible without booting from the CD.
  HTH,
  Faisal

• NAC/Clean Access Server no longer intercepting Clients after upgrade

  We recently upgraded our CISCO Clean Access Manager and Server to version 4.8.2 from 4.8.0.  Everything seemed to be working fine but I had a user log in without having the NAC Agent running and they had full access.  We didn't change anything other than upgrading to the new version.  We have found that the user has access even before the Windows Agent is completed with the assessement of the client.  It worked fine before the upgrade....Again, we made no changes other than upgrading to the new version (no route changes, etc).
  I even tried an explicit deny for the user's workstation's mac and the NAC SErver still let him through....I am a bit perplexed...Thanks for any assistance.

  Hmm, i removed the line but it does not help me ?
  I did run following command in terminal:
  sudo pico /Library/Server/Mail/Config/postfix/main.cf
  Removed the "reject_non_fqdn_helo_hostname" from the line smtpd_helo_restrictions.
  Saved the file and restarted Mail service
  get this in  log when i try to send from a windows client with Outlook2010:
  Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): Authentication server failed to complete the requested operation.
  Aug 15 17:42:09 lundmark.jetoma.se log[236]: auth: Error: od(annicalundmark,192.168.20.103): authentication failed for user=annicalundmark, method=DIGEST-MD5
  Have tryed different ports like 25 and 587 with SSL, TLS and "none" in SMTP advanced settings on klient.
  I did use the same instructions before in Lion server and there it did work ?!
  Any more ideas ?
  regards
  Jörgen

• NAC Profiler database utility for upgrade

  I am trying to upgrade NAC Profiler Lite by following the following Cisco Doc
  http://www.cisco.com/en/US/customer/docs/security/nac/profiler/release_notes/310/310rn.html#wp102045
  In section Upgrading 2.1.8 Cisco NAC Profiler Server and Profiler Lite Standalone Systems to 3.1.0.
  I'm trying to run the database migration utility. Utility is showing in the home/beacon directory. When I run the command specified in the Doc to untar the utility package (tar xvfz DB-utility_218to31x.tgz) I receive the followinig errors:
  gzip: stdin: not in gzip format
  tar: Child returned status 1
  tar: Error exit delayed from previous errors
  Any suggestions?

  The file name is DB-utility_219to31x.tgz and the MD5 on the download page is 335b7ca5215394ccc94c7b48ca242a3b.
  I'm not sure if it is changing during the download to my workstation or not. I had our IA Security guy look at it and he said there is no way for him to check the MD5 of the file on my workstation. Once I put it on the profiler, the MD5 is
  d9093b0525e904f94e19825a57589ac1

• CPP - NAC agent upgrade issue - NAC to ISE migration

  Hi,
  I am currently working on a project to migraate NAC to ISE. Existing version of NACagent running on client macine is 4.8.2.1. CPP is pushing upgarde to required version 4.9.4.3. I can't locate upgrade matrix for this version. Could anyone guide me on this?

  You can directly download the nac agent 4.9.4.3 from the below download link
  http://software.cisco.com/download/release.html?mdfid=283801620&softwareid=283802505&release=1.2&flowid=26081

• Upgrade for NAC to ISE - Config Changes

  Hi,
  I've a ready and wroking setup for Cisco NAC and i need to upgrade it to the new ISE, other than dot1x changes n the switches configurations, what else will need to be configured
  does the upgrade makes it a fresh installation?

  Yes, the NAC portion in ISE looks totally different from NAC since it's now working over Radius.
  So I suggest you build a new setup with ISE in parrallel with your current production environment and test your config before doing the switchover.

• NAC CAM HA not working since upgrade to 4.8

  Hi,
  I have just upgraded my two NAC CAM servers to 4.8. They were previously running on 4.6. They are configured with eth0 on one LAN (fully routed), and eth1 and eth2 sitting on totally private LANs, each with a small /30 subnet to use. These are just a couple of small VLANs between two 4848 switches. It's basically configured as:
  Server -- Switch -- Portchannel group -- Switch -- Server. Other VLANs also traverse the link and are fine. Portchannel is up and happily passing traffic. The VLANs appear active too (they are simply layer 2 VLANs - no routing or anything. Literally point to point).
  I followed the upgrade instructions as per the release notes. However, since they have been unable to see eachother for HA. Pings between the HA interfaces produce no reply. I have found if I run tcpdump on one server, and fire a ping at it from the other, a ARP will arrive asking who has the IP, and it will reply, but it goes no further. Nothing has changed on the network side, so I'm a little flummoxed now.
  Consequentially, one box will load up happily, the second will always tell me:
  [root@xxxxxxxx bin]# ./fostate.sh
  My node is dead, peer node is unknown
  The 'working' node will show:
  [root@xxxxxxxx bin]# ./fostate.sh
  My node is active, peer node is dead
  Ifconfig shows the interfaces as up - they can ping themselves after all.
  Any help most gratefully received!

  Hi:
  I have an iPhone 3G (16GB) that I upgraded a couple weeks ago with the iOS 4.0 and although I haven't had any problems with those applications that I use regularly, I have not tried out the ones I don't use regularly. The problem I've been experiencing is that when I use the start button on the front to boot up, the slider to unlock won't move--I have to use the top edge button to boot up and slide/unlock. Even then, sometimes the application icons won't respond and I have to start all over again. Anyone else have this irritating deficiency?
  Medren

• Process to upgrade Certs in NAC 4.7.2 OOB VG HA environment

  I am in the process of replacing the CCA manager certificate which is about to expire. My environment is HA and as such consists of two CAM servers and two pairs of HA-CAS servers.
  First - I have submitted and generated the CAM server certificate (Easy enough as the CAM SSL is accessible via the GUI.) I think, although I'm not sure that I need to generate a new cert for the CAS(S).
  If I do I need to access at least one CAS in an HA pair via the GUI. Does it matter which one? When I attempt to GUI to the "secondary" CAS in a pair I am of course being treated like a device that need to be "NAC'd".
  To access the CAS I think I need to stop perfigo services which should drop me out of the HA pair. True?
  Will I need to take each server out of "service" to update the cert.
  If there is a document sequence of events I would love to see it.
  Thanks!
  Bob

  Did anyone ever find a solution to this issue? I'm having the same problem.... it takes minutes to open the ports on a switch in the CAM. It shouldn't take minutes to manage ports for each switch, it should take less than 10 seconds...

• NAC 4.7.2 version, upgrading to?

  Hi,
  We´ve got installed two CAM 3310 + two CAS 3310 and they are configured in HA and working in InBand mode to authenticate wireless client (against auth LDAP Server, Active Directory SSO  and RADIUS Server).
  We´re wondering what new version is better upgrade to?  Last release of 4.8.x or directly to the last one (4.9.0)?
  Thaks a lot.

  Did anyone ever find a solution to this issue? I'm having the same problem.... it takes minutes to open the ports on a switch in the CAM. It shouldn't take minutes to manage ports for each switch, it should take less than 10 seconds...