Run NAC agent before user login - Win7?

Greetings all and thx in advance for any advice! Environment details - ISE 1.2 Patch 5 and Cisco NAC agent 4.9.3.
I have all of the authen/authz policies working and functioning properly; however, I have run into an issue with the NAC agent running posture only after user login. This is causing some grief, mainly that users' required login scripts can't run successfully until posture is compliant and the more permissive dACL is applied. I was hoping that posture would complete long before Windows login was even an option for the user, but for some reason I appear to require an interactive login to get the NAC agent to run posturing. Any thoughts or ideas on this? I tried the NAC agent installation with a couple of different user accounts on the Windows hosts but without success; it will only posture once I have interactive login. I went pretty deep on the removal of the posture conditions to simply checking a single Windows service, but it didn't make any difference. Thanks for any advice!!
IA

Thanks for the reply Saurav, I should have clarified a design point.  I am not doing any user authentication, only doing a machine authen.  As I mentioned I can't seem to posture pre-user authentication even though I am not doing any user authentication.
IA

Similar Messages

  • HP ENVY x2 - 15 Detachable laptop - Stuck one step before user login

    Hi, I have had some automatic Windows updates in progress but it was stuck on 36% for 2 days, and when I did a force restart, it just shows the screen before user login (battery and wifi icons in the bottom corner). Touch does not work, and the Bluetooth keyboard never connects even when I attach it to the laptop... so it goes nowhere! I bought it a couple of months back and have never had this kind of issue on any other Windows machine I had in the past. Note: I had enrolled for Windows 10 some time back, not sure if it's related. Can anyone help? Thanks

     Request service under warranty. If you live in the US/CA, contact HP info Here. If you live in another part of the world, start here>>Contact HP 

  • NAC AGENT WEB Your Login session Failed { status = 5 }

    Hi,
    I have a problem with NAC agent web, has anyone seen this error before?
    Your Login session Failed  { status = 5 }
    I tested all of the following, and all are OK:
    • Test using another browser, Firefox for example
    • Test using another operating system
    • Check if there any restrictions between the user vlan and nac vlans
    Thnx

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • Aironet - PI21AG PCI Adaptor - No Computer Auth before user login

    Hi
    I am running PEAP-MSCHAPv2, all clients are Windows XP SP2 on an AD domain and all clients have wireless configuration assigned via Group Policy.
    All machines except for 10 machines running the PI21AG PCI WLAN adaptors are able to authenticate using their computer account to the WLAN, allowing login scripts, policy assignment etc. to function prior to the user logging into Windows. If you log in with a cached domain account, the machine will associate to the WLAN using the user account after login; however, scripts do not run, and users who have not logged in before are unable to, as the PC has no network connection at the time of user login.
    Affected machines have been rebuilt, settings applied manually, different driver versions have been applied, "Always wait for network" has been enabled in Group Policy and registry keys have been modified to extend the timeout before policy assignment. Nothing so far has worked.
    I am running the latest driver, all clients are using the XP Wireless supplicant and have common configuration. All machines, including notebooks using the CB21AG PCMCIA adaptors, can successfully authenticate using machine authentication prior to user login.
    I have noticed from looking at my WLCs that during boot and prior to user login the affected machines probe for association; however, they never enter an authenticated state.
    No authentication attempts, passed or failed, are seen in the RADIUS logs.
    Any help or suggestions would be gratefully appreciated.
    Many Thanks
    Leon

    Thanks for the reply.
    As stated I had PEAP configured correctly and many clients achieved the functionality that I was after.
    The issue was specific to the Cisco PCI WLAN adaptors, and after many hours on the phone to the TAC it looks like a change in driver version and a re-image of the customer's SOE resolved the issue in the end.

  • Script to find the list of Queries currently running in database with User Login Name and Host Name.

    Hai,
    How to find the list of queries currently running in the Database with User Login Information.
    Since my database application is running slow, to find the slow queries.

    Try the below query
    -- Currently executing requests with the login, host and program that issued them
    SELECT r.start_time [Start Time], r.session_id [SPID],
           DB_NAME(r.database_id) [Database],
           s.host_name,
           s.program_name,
           s.login_name,
           -- statement offsets are in bytes (2 per character), hence the /2
           SUBSTRING(t.text, (r.statement_start_offset/2)+1,
               CASE WHEN r.statement_end_offset=-1 OR r.statement_end_offset=0
                    THEN (DATALENGTH(t.text)-r.statement_start_offset)/2+1
                    ELSE (r.statement_end_offset-r.statement_start_offset)/2+1
               END) [Executing SQL],
           r.status, r.command, r.wait_type, r.wait_time, r.wait_resource,
           r.last_wait_type
    FROM sys.dm_exec_requests r
    OUTER APPLY sys.dm_exec_sql_text(r.sql_handle) t
    INNER JOIN sys.dm_exec_sessions s
        ON s.session_id = r.session_id
    WHERE r.session_id != @@SPID -- don't show this query
      AND r.session_id > 50 -- don't show system queries
    ORDER BY r.start_time
    Regards, Ashwin Menon My Blog - http:\\sqllearnings.com

  • NAC Agent takes long time to run

    Cisco NAC agent takes long time to popup or run on Windows 7 machine.
    The client machine is windows 7, running nac agent 4.9.0.42, against ISE 1.1.1
    Any ideas how to reduce NAC Agent timing?

    Hi Tariq,
    I'm facing the same issue with ISE 1.1.1 (268) with Agent 4.9.0.47 for Windows XP clients. I have already configured "yes" to disable the l3 swiss delay and reduced the httpa discovery timer from 30 to 05 sec, but clients still take approx. 2.30 minutes to pop up and finish the posture discovery.
    Can you please advise if this is the minimum time, or what is the minimum time and what are the parameters to set to a minimum time to complete agent popup and posture discovery..?
    Is there any option that we can run this in the background..?
    thanks in advance..

  • GPO Run these programs at user logon not taking effect when configured in Computer Configuration section

    [EDIT 20140207]:
    I found that the default domain policy sets "run these programs at user logon" and (other than I expected) not BOTH GPO settings become active, but the setting from the default domain policy overrides the setting from my new GPO. So I think I have found the answer myself.
    When on our W2k8-R2 DC I create a new GPO and configure "Computer Configuration/Policies/Windows Settings/Administrative Templates/System/Logon/run these programs at user logon" to "c:\windows\system32\notepad.exe" (just for testing) it won't take effect on Win 7 SP1, no matter what the Security Filtering options are.
    It seems other settings (in the very same GPO) become active but "run these programs at user login" from the computer policies section doesn't. I configure the very same setting in the section "user policies" instead and add "Authenticated Users" to Security Filtering, the program will be started. But that's not what I need.
    I can reproduce the issue, here are the exact steps:
    create a new group "group-a" for later security filtering
    create a new GPO
    in the new GPO set "Computer Configuration/Policies/Windows Settings/Administrative Templates/System/Logon/run these programs at user logon" to "c:\windows\system32\notepad.exe"
    for setting the scope remove "authenticated users" from Security Filtering and add "group-a" instead
    link the GPO to the domain root
    make "test computer" a member of "group-a"
    on "test computer" run "gpupdate /force", reboot, log in
    Issue: notepad is not being started.
    What I'm aiming for is obvious: Depending on the membership of group-a I want to configure certain programs that should be started whenever a user logs in.
    gpresult /R returns that it would be applying the GPO. (It actually is but the setting "run these programs at user login" is not being applied.)
    For debugging I started MMC / RSoP on one of the machines on which the GPO should have been applied and found that "run these programs at user login" is not set (which seems to be the reason why the GPO won't work on the machines).
    Searching the web I found similar reports [1] [2] but no solution was found and the user used a workaround instead.
    If I change the GPO so that I use the very same setting in "user configuration" instead of "computer configuration" it works as long as I add "authenticated users" to the Security Filtering. But then the GPO is applied to all users and not only to the ones using computers which are members of group-a. According to this howto [3] I should not remove "authenticated users" but alter the security setting instead. However, the howto seems to be aimed at w2k3 and using Win2k8 I cannot find security settings "apply" for "authenticated users" so I cannot remove that setting, there's only "read" or "read and modify".
    So two questions:
    1. Why doesn't it work when using "computer settings"
    2. What about that Security Filtering with removing "authenticated users" and using group-a instead?
    T.
    [1] http://social.technet.microsoft.com/Forums/windows/en-US/0e280490-fba6-4ced-aba5-ae49c60e44bd/computer-gpo-run-these-programs-at-user-logon-not-working-as-intended-on-win7-clients?forum=w7itproinstall
    [2] http://social.technet.microsoft.com/Forums/windows/en-US/8cb78bf8-33ec-461e-8604-32d82d016685/run-these-programs-at-user-logon?forum=winserverGP
    [3] http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/

    Hi,
    Sounds like you found the answer already.
    If you have any further question, please feel free to let me know.
    Have a nice day!
    If you have any feedback on our support, please click
    here
    Alex Zhao
    TechNet Community Support

  • Customizing the NAC agent profile

    Hi,
    We need to have very minimal user intervention while completing the posture part on the NAC agent on the user PC.
    Can someone please advise how to achieve the below tasks?
    1) Automatically accept the Network usage policy before its timeout (50 sec) expires (if the timeout expires it will go to the "Deny Network Access" state, as it assumes the "Reject" button was clicked) (attached screen1)
    2) we need to keep all the posture pop-up, verification timings.
    Thanks

    Hi,
    Currently this isn't possible. If you have an account team, please ping them to get this added to the feature request list.
    HTH,
    Faisal

  • NAC Agent Customization Distribution

    Looks like the NAC agent customizations can be done only when the client PC pulls the install from the CAM. Our PCs do not have admin rights and the software will be pushed through a software distribution tool. Is there any way to distribute the software with the customization file, just like there is an option to install with the agent configuration file?
    Thanks
    Shaffeel

    Hi Shaffeel,
    You cannot include the branding files on the MSI installation package of the Agent.
    I have not much experience with the centralized client management tools, but you could try a workaround by pushing those files to the client at the appropriate location and then restart the Agent.
    The files to be pushed are the ones you prepared on the branding file to be uploaded to the CAM.
    The location of the files is documented at this page:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1606140
    Specifically:
    In a system that has NAC Agent installed, you can find the "nac_login.xml" file in the "C:\Program Files\Cisco\Cisco NAC Agent\UI\nac_divs\login" directory.
    The "nacStrings_xx.xml" file is available in the supported location. The "xx" indicates the locale. In the system that has NAC Agent installed, you can find a complete list of the files in the "C:\Program Files\Cisco\Cisco NAC Agent\UI\cues_utility" directory.
    The files are available in the directories mentioned above when the Agent is installed at the default location. If the Agent is installed at a different location, then the files would be available at "\Cisco\Cisco NAC Agent\UI\nac_divs\login" and "\Cisco\Cisco NAC Agent\cues_utility".
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windows 7, IE 9 machine; the certificates from ISE ADM PRI are installed in the trustable certificate store on the client machine, but it is a self-signed ISE certificate.
    The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
    The redirected URL is working fine (SEE Evidence)
    We are always prompted to install the NAC agent again or, looking at the additional prompted information, to wait for the NAC agent to load and complete.
    The operations status remains with posturing status pending forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions: Cisco says this issue can generally take place during the posture assessment phase of any user authentication session.
    Cisco advises as possible causes: There are multiple possible causes for this type of issue. See the following Resolution descriptions for details of what was already tested by us, and please see the attached files for your switch configuration and evidences.
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    Resolution
    • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon, choose Properties, and check the discovery host.) - OK (See evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE and the end client machine. Limited access ACL applied for the session should allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue. Ensure that the certificate that is used for Swiss communication on the end client is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

  • Cisco NAC agent services not running on Windows XP

    Hi,
    I've problem with Cisco NAC agent services on Windows XP professional SP3.
    After the first installation using the local administrator user, the Cisco NAC agent services on the Windows machine run well, but after logging out and logging in as another user which is registered in domain users, the Cisco NAC agent services are stopped (set to Manual mode, not Automatic, and the status is Stopped).
    This situation does not happen on all Windows machines; several machines are running well.
    Cisco NAC agent version 4.9.0.42
    Has anyone seen this type of problem?
    Below i attached windows machine information from ones running well and not running, Thanks
    Regards,
    Rian

    Hi thanks for your answers, dbconsole is started in services.msc and also Agent, but goes on to say that the agent is not running.
    In sysman log shows this,
    "03/20/2012 13:38:54,553 [MetricCollector: HOMETAB_THREAD600: 60] ERROR rt.DbMetricCollectorTarget _getAllData.328 - oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
    oracle.sysman.emSDK.emd.comm.CommException: Exception in sending Request :: null
    at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest_ (EMDClient.java: 1330)
    at oracle.sysman.emSDK.emd.comm.EMDClient.getResponseForRequest (EMDClient.java: 1223)
    at oracle.sysman.emSDK.emd.comm.EMDClient.getMetrics (EMDClient.java: 640)
    at oracle.sysman.emo.perf.metric.rt.DbHomeTab._getAllData (DbHomeTab.java: 324)
    at oracle.sysman.emo.perf.metric.rt.DbHomeTab.getData (DbHomeTab.java: 139)
    at oracle.sysman.emo.perf.metric.eng.MetricCached.collectCachedData (MetricCached.java: 402)
    at
    at oracle.sysman.emo.perf.metric.eng.MetricCollectorThread.run (MetricCollectorThread.java: 320)
    at java.lang.Thread.run (Thread.java: 595)
    20/03/2012 22:00:03,335 [JobWorker 772: Thread-13] ERROR em.jobs executeCommand.161 - UpdateARUTables: Oracle MetaLink credentials are incorrect or missing. Click Patching Setup parameters required to September."
    In event viewer shows this,
    "Agent process exited abnormally DURING initialization." but this message appears a few hours after having started the service.
    I am using the Administrator account

  • Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?

    Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?
    -My customer does not want to push NAC Agent installation on BYOD type of computers (non-managed by the company computers).
    -The requirement is to check for posture only company owned wired, wireless, and VPN connected Windows computers. The rest of the endpoints should be considered as posture incompliant, and limited access to the network should be allowed.
    -No certificates are used.
    -I’ve configured the required posture check, and it all works fine if a PC has NAC Agent manually installed (without ISE Client Provisioning). However, when I use a PC without NAC Agent, it is redirected to Client Provisioning Portal and is stuck there as Client Provisioning is deliberately not configured in ISE.
    -If I remove Posture Remediation Authorization Profile that does URL redirect, the posture does not work.
    -For now I'm testing it on wired endpoints.
    Is there a way to configure ISE to fulfill the listed above requirements?
    Any ideas would be appreciated.
    Thanks,
    Val Rodionov

    Everyone who finds and reads this article,
    I'm answering my own question "Is it possible to run Posture using ISE 1.2 without NAC Agent provisioning?"
    The answer is Yes.
    After doing research and configuration testing I came up with a solution, and it works fine for wired and VPN connections. I expect it to work on wireless endpoints as well.
    ISE configuration:
    Posture General Settings - Default Posture Status = NonCompliant
    Client Provisioning Policy - no rules defined
    Posture Policy - configured per requirements
    Client Provisioning (under Administration > Settings) - Enable Provisioning = Enable (it was disabled in my first test)
    Authorization Policies configured as regular posture policies
    The result:
    After successful dot1x authentication posture redirect happens. If the PC does not have NAC Agent preinstalled, the browser is redirected to Client Provisioning Portal and a default ISE message is displayed (ISE is not able to apply and access policy... wait one minute and try to connect again...). At the same time, the endpoint is assigned NonCompliant posture status and proper authorization policy is applied. This is what I wanted to achieve.
    If NAC Agent was preinstalled on the PC, after successful dot1x authentication the NAC Agent pops up and performs posture check. If posture is successful, posture compliant authorization policy is applied. If posture check fails, NonCompliant posture status is assigned and posture non-compliant authorization policy is applied. Which is the expected and needed result.
    The only part that is not perfect is the message displayed to the end-user when posture is about to fail. I did not find a place to change the text of that message. I might need to open a TAC case, so this file can be manually found and edited from CLI (root access).
    Best,
    Val Rodionov

  • After install NAC agent I must remove cable before open windows session normaly

    Hi
    I use ISE 1.1 and NAC agent 4.9
    I have configured my Catalyst 2960 port with dot1x and installed the NAC agent on many computers
    But I observed that I am unable to open a Windows session on some computers (Windows 7)
    When I enter login and password, I get a black screen and nothing else; then if I remove the network cable from my computer, the black screen changes and moves to the Windows desktop normally
    Why do I need to remove the network cable before getting to my desktop normally?
    Please, how can I fix this issue?
    Thanks in advance for your help

    Hi
    The given link might be helpful regarding your issue:
    http://www.cisco.com/en/US/netsol/ns466/index.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html

  • NAC Agent scan running application

    Dear colleagues,
    My customer is being on ISE PoC. They want to test the Posture feature for running application.
    I would like to ask: what is the scan interval of NAC agent. If I want to use NAC Agent to scan an illegal application on PC, but at first, when logging in, the application is not running. After NAC agent notify that the client is compliant, user start that application. So the question is, can NAC Agent detect that?
    Please kindly share your experience on it. Thank you for your support.
    Kind regards,
    Hiep

    Hiep,
    The feature you are asking for is passive reassessment and is done on intervals configured by the administrator.
    www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1482451
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Launchd system agent before login for an onscreen keyboard.

    Hi everyone. I'm investigating the possibility of starting an onscreen keyboard for people to use to log into their user accounts with. I work for a company that deals with people with disabilities, and their computer problems.
    So far I've used Lingon to create a system level launchd agent for the keyboard program we're using which is 'Assistiveware Keystrokes'. Any onscreen keyboard would be fine, but this is the only one I could successfully start with launchd so far, but it's starting after login rather than beforehand as I'd like.
    I couldn't figure out how to launch the default Mac KeyboardViewer, as I couldn't find a way to launch it from a script.
    Anybody know what I should do?
    Damon

    Thanks for your help guys. Also I find it rather interesting that OSX doesn't have a way to bring up an onscreen keyboard (at least without a lot of knowledge and effort). As it would prevent Mac users who wanted to use touch screen computers from being able to log in.
    Are there no Mac touch screen computers I wonder? I think this will be my next obvious area to investigate, as although twtwtw pointed out that it's probably possible to run GUI apps in the login screen, it seems as though it's a deprecated function that will be phased out:
    "Warning: Apple plans to disable the global window server service in a future release of Mac OS X. Do not write any new code that uses the global window server service. If you have existing code that uses this service, you must eliminate that dependency in order to be compatible in the long term."
