Question about Cisco NAC agent

When I deploy a Cisco NAC appliance, what is the main difference between using the Cisco NAC appliance with or without the agent? I see the Cisco NAC agent has two functions: scan and remediation. If the Cisco NAC appliance is used without the agent, the Cisco NAC server will scan the device and do remediation. Is that right?
Please answer soon. Thank you for your answer.

Sorry, I believe daldden is correct, without the agent you can still scan using the built-in Nessus scanner.
We don't use the Nessus scanner, but these are some things to consider if you use the scanner. These are from memory though so anyone who actively uses the scanner may be able to give more up to date or complete info:
1) You have to decide which vulnerabilities you want to scan for.
2) The more plug-ins you enable, the longer (obviously) the scan takes.
3) There are configuration steps for many of the plug-ins.
4) Your users will still need to go to a login page in order to be scanned.
5) You have to configure the remediation information (URL, steps, etc) for each plug-in you enable.
From our viewpoint, the only reason we would enable the scanner is if we were looking for a specific vulnerability, perhaps a new threat that didn't yet have a patch. If it had a patch, we would watch for the patch using the agent (installed or web based).
It was much easier for us to use the agent, to scan their system and make sure that the MS critical hot fixes were installed and/or an AV system was installed and up to date. As mentioned, if there is a patch for a vulnerability, you can use the agent to make sure that specific hot fix is installed.
Remember that there is also a web agent. The web agent is an ActiveX or Java (you pick which one you want to use) applet that is loaded onto the person's machine, the system scanned, then the applet is unloaded.
Of course, the agent is only for MSoft (with some MAC options), so if you have Linux systems, the Nessus scanner would be your only option.

Similar Messages

  • Cisco NAC Agent and Windows 8 still not working

    Hello. I recently upgraded the Cisco NAC Agent to the latest version (4.9.1.13) on a Windows 8 VM. The release notes state that Windows 8 support has been added, and that a patch must be downloaded. However, the information about the patch is vague. I'm not sure if it's a client or server-side patch, or perhaps if I already have it as a result of upgrading to the latest version.
    I ask this because I plan to upgrade some computers to Windows 8, and have noticed that Cisco NAC Agent can't handshake with the NAC server on Windows 8 (both native and VM), and despite upgrading to the latest version, the handshake is still unsuccessful.
    Thanks,
    -Collin

    Hi Collin,
    The 4.9.1 Patch for Windows 8 Support can be downloaded from the following link:
    http://www.cisco.com/cisco/software/release.html?mdfid=282910502&flowid=34713&softwareid=282573326&release=4.9.1&relind=AVAILABLE&rellifecycle=&reltype=latest
    The patch should be applied to both 4.9.1 CAM and CAS.
    Please go through the README file for patch provided in the download link provided above. It has detailed information.
    Regards,
    Karthik Chandran

  • Difference between Cisco NAC agent and Cisco Clean Access Agent

    Hi all,
    If anyone has an idea about the difference between the Cisco NAC agent and the Cisco Clean Access Agent, please share your ideas.
    Thank you

    In 4.6, the agent was overhauled and is now called the NAC agent.  Previous versions were referred to as the Clean Access Agent.  So pretty much, the 4.5 agent and 4.1.3.2 agents are Clean Access agents, and the 4.6.x and 4.7.x agents are called NAC agents.
    Some of the changes made were moving a lot of the agent configuration to an XML file, redesigning the GUI, adding a service portion (so that the stub agent is no longer required), and better agent logging.

  • Cisco NAC Agent 4.9.1.682 Problems with Mac OS X 10.7.4

    Hi
    My Cisco NAC Agent (version 4.9.1.682) hasn't worked since I upgraded my Mac OS X 4 months ago. This happens every time with Cisco and Mac when there is a new update, and it always seems to take forever to fix.
    The NAC agent just keeps asking for my login details even though they are correct (I can log in with a PC no problem).
    Any update on when a new version is going to be released? It's getting really frustrating.

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • Cisco NAC agent "List of Antivirus & Anti-Spyware Products Detected by the Agent"

    Hi All,
    We have posture assessment working with the Cisco NAC agent, checking only Symantec Antivirus definition updates and installation. Windows Defender is on all the user PCs, but it is turned off and not in use. However, the Cisco NAC agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
    Has anyone encountered this list before? Please suggest. I want to get rid of Windows Defender from this list in the NAC agent.

    Closest enhancement I could check on this is
    CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
    Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
    This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Mac OS X 10.8.1 and Cisco Nac Agent to 4.9.1.683

    We have this problem with one of our clients:
    "Cisco NAC Agent is having a difficulty with the server. Agent user operation system
    is not supported".
    Has anyone encountered this problem?
    Thanks.

    Hi Tarik,
    We have:
    Cisco Clean Access Server   Version 4.9.0
    Cisco Clean Access Lite Manager   Version 4.9.0
    I can see your point now, that I should start by upgrading to 4.9.1.
    Let me do that, and see if it helps.
    Thanks very much, I will keep you posted.

  • Hide Cisco NAC agent window

    Dear all,
    We have Cisco NAC version 4.9.1 and the agent version is 4.9.1.5. We want to know if there is a way to hide the Cisco NAC agent window so the user does not see it; I mean, run it in the background to make it a bit more transparent to the final user.
    Anyone have any ideas?
    Thanks in advance.

    Go to "Administration > User Pages" and make sure you have configured a proper login page for Windows 7.

  • Cisco NAC agent services not running on Windows XP

    Hi,
    I have a problem with the Cisco NAC agent services on Windows XP Professional SP3.
    After the first installation using a local administrator user, the Cisco NAC agent services on the Windows machine run well, but after logging out and logging in as another user who is registered in domain users, the Cisco NAC agent services stop (going to Manual mode, not Automatic, and the status is Stopped).
    This does not happen on all Windows machines; several machines run well.
    Cisco NAC agent version 4.9.0.42
    Has anyone seen this type of problem?
    Below I attached Windows machine information from ones running well and not running. Thanks
    Regards,
    Rian

    Hi, thanks for your answers. dbconsole is started in services.msc and also the Agent, but it goes on to say that the agent is not running.
    The sysman log shows this:
    "03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
    oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
    at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
    at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
    at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
    at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
    at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
    at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
    at
    at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
    at java.lang.Thread.run (Thread.java: 595)
    20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
    Event Viewer shows this:
    "Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
    I am using the Administrator account

  • Basic questions about CISCO IOS

    Hi everybody, Jack here,
    I have some basic questions about the Cisco IOS, could someone help me addressing some of them please? Any feedback would be greatly appreciated.
    Basically, I have two IP addresses assigned by our Cable ISP. From what I understood you can configure a Cisco router for multiple IP addresses using the IOS, thereby allowing someone like myself to take advantage of having multiple IP addresses. This may seem unnecessary to some, but I've always wanted to put the 2nd IP address to use, since after all, I've been paying for it.
    I was just wondering if someone could confirm that what I'm hoping to accomplish is indeed within the capability of the Cisco IOS (i.e. Fully utilize my 2 IP addresses). As well, if someone could kindly suggest a decent CISCO router for online gaming home use that would be super awesome!
    Thank you all so much for reading through the wall of text:)
    Jack

    Jack
    Certainly using multiple IP addresses is in the capability of Cisco IOS routers. How they can be used depends on the relationship of the IP addresses. I am assuming that we are talking about IP addresses assigned for the user to use and that the IP address for the ISP connection is not one of these that we are talking about.
    If both of the IP addresses that you have been assigned are within the same subnet then you would assign one of the addresses to the router interface to establish IP communication between the router and the ISP and to enable Internet connectivity for the devices inside your network that will use the router as their gateway to the Internet. The other address that is assigned can be used for address translation and in particular for static address translation which would make one of your devices inside to be reachable for connections initiated from the Internet (if that is something that you might want to do).
    If the addresses that are assigned to you are in different subnets then you could assign one address to the outside router interface and assign the other address to the router inside interface. Or you could use the second address for address translation.
    I do not have much expertise with online gaming, but I would think that either the Cisco 881 router or the 890 router might be appropriate for you. If 100 Mb connection is sufficient then probably the 881 would be the one to look at. If you need Gig connection then look at the 890.
    HTH
    Rick

  • Some questions about Cisco Prime Infrastructure

    Dear all
    I have some questions about using Cisco Prime Infrastructure:
    - Can I show how many users access one Access Point (AP)?
    - If I can, what user information is displayed? E.g. IP address, MAC, username, name of device (notebook, tablet, phone...)
    - How often does Cisco Prime Infrastructure refresh user information?
    Please help me and send a picture of it if you can.
    Thank you so much.

    Hi,
    I don't have the Prime Infrastructure to post you an image, but you can simply find all the answers you want in the config guide:
    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.2/configuration/guide/clientmgmt.html#wp1232242
    1- You can surely find how many clients are associated to a specific AP.
    2- Information about the client usually includes username, SSID, IP address, MAC address, RSSI, device vendor, etc. I don't think it contains the device type (iPad or iPhone both appear as Apple vendor; it does not distinguish between this and that).
    3- The refresh time is configurable. You need to configure the corresponding background task for the poll period (this is also mentioned in the link above).
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • How Cisco NAC and Cisco NAC Agent works

    HI,
    Can anyone help explain in detail how Cisco NAC works in L2 OOB mode?
    Also, what is the path from the time the end user connects to the network till he gets access to the network?
    Please reply soon. It's urgent.

    I really do not know if you will find the answer that you are looking for. From what I remember, NAP was an option that was available with the ACS via a special patch. This is only supported for Vista clients, if memory serves me correctly.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution, and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with ACS 4.2 possibly hitting EOL/EOS.
    Thanks,
    Tarik

  • Quick Question about Cisco 3560 and the Web Device Manager

    Alright, I have a quick question that I am curious about, but I haven't found any information about it.
    When I log into my Cisco 3560 using the web portal to get to the Device Manager, below the diagram of the switch, under the Dashboard, there is a section called Switch Health, Port Utilization.
    Under Switch Health there are Bandwidth Used and Packet Error. Those two options just sit at zero and do not move. The Port Utilization graph is also sitting at zero.
    Is there a way to make them functional?

    Anyone notice performance increase or decrease of their HD when using the nVidia IDE SW drivers?  particularly with a 74GB Raptor?  I've also heard of burner issues when installing the IDE SW but have not used my burner yet.

  • Question about Cisco Tech support Rep Live chat issue

    Hello guys, I recently tried to do a session of live tech support on the Cisco web site about an issue trying to get my router to change the speed of the wireless connection from 54 Mbps to the potential maximum of 300 Mbps. This is my second time using the live chat feature, and the second time, the guy was asking for my router name and password. I didn't feel too comfortable doing that, since my first time using the live chat, the tech guy didn't ask for my operating system, or my passwords or anything of that nature. Is that normal for a live chat guy to do that? I figured he was trying to do a remote access to my computer, and I was thinking they probably don't do that for free, especially over a live chat. Anyone's thoughts, or am I being over critical? Thanks

    If you are not comfortable then don't give them the info.
    I have not had a reason to ask them to do this; however, back in the day I had a Sony live rep (we were on the phone too) remote into my router to allow me to set up my Sony base station (think Slingbox, but it's made by Sony) so I could get it to work when away from the home. This was a few years ago, so it happens today. Some businesses/stores even offer it as a solution. So don't freak out that they asked you that. Dell does this, for example...
    Give them a call and have them on the phone with you instead. Just have them give you the directions on what to do... If not, come here and ask the questions...

  • Cisco NAC Agent Requirement type Audit

    Hi experts,
    I can configure a requirement type as audit (as opposed to mandatory or optional), so the client will still access the network, the user will not be notified, and the information will be sent to the CAS.
    Is it possible to generate an email or similar automated process to notify administrators of these audits?
    (version in use 4.7.2)
    Thanks
    Andrea

    Hi Andrea,
    In 4.7.2 there wasn't much you could do within the CAM itself - really you could just export them from the GUI into a spreadsheet and analyze based on that.
    The CAM does have an API however that would allow you to export reports via scripting interfaces and give you all that information which you could then manipulate. You can access the CAM API documentation by browsing to:
    https:///admin/api/cisco_api_doc.jsp
    (The "getreports" function is likely what you would want to look into).
    In version 4.8 and later there was a new "Reporting" section of the GUI that you can see more details about passed and failed requirements:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_report.html#wp1495842
    Thanks,
    Nate

  • Question about Grid Control Agents on a Veritas Cluster (or any cluster)

    Hi, I'm seeking advice on how to setup Grid Control agents on a Veritas Cluster.
    My cluster is made up of two Sun M4000 servers running Solaris 10 x64 (node1 and node2), and 8 virtual hosts setup to fail between the nodes. Each of these virtual hosts has several mount points from a SAN, and contain Oracle 9 and 10 homes as well as databases. The versions are 9.2.0.8 and 10.2.0.3.
    I have a full grid control agent install on each node to mount points that don't fail over to the other nodes. These agents monitor the nodes themselves.
    Now for my question: is it better to do full installs of the grid agent in each virtual host, or to use the "emctl deploy agent" from the full installs already on node1 and node2 to the virtual hosts? Or is there some other, better way to do this?
    Either method results in 9 grid control agents on a node if all the virtual hosts are on that box. I've experimented with both agent deploys and installs a bit and found that the cpu usage goes though the roof with that many agents on one server. Maybe I don't have them configured correctly, but every now and then they spike cpu usage to 100%, and these servers have 8, dual core processors in them with 32GB of RAM.
    Thanks for any tips!
    Currently, my setup looks something like this, if it helps:
    ORANODE1: user: oracle, full agent install
    ORANODE2: user: oracle, full agent install
    VirtualHost1: user: ora_user1, Oracle 10G Home, repository database, OMS install, full agent install
    VirtualHost2: user: ora_user2, Oracle 9i Home, production database, full agent install
    VirtualHost3: user: ora_user3, Oracle 9i Home, production database, full agent install
    VirtualHost4: user: ora_user4, Oracle10g Home, production database, full agent install
    VirtualHost5: user: ora_user5, Oracle10g Home, production database, full agent install
    VirtualHost6: user: ora_user6, Oracle10G Home, production database, full agent install
    VirtualHost7: user: ora_user7, Oracle10G Home, production database, full agent install
    VirtualHost8: user: ora_user8, Oracle10G Home, production database, full agent install

    Will the agent 10.2.0.3 work with Grid Control 10.2.0.1?
    Yes.
