ISE - profile of the NAC agent

Dears

I want to deploy the NAC agent via GPO and I need to create the agent profile. I know how to create it on ISE, but how do I get the file in XML format which will be distributed?

You can try installing it on only a single PC (whether by manual installation or captive portal). If you have set up posture rules on ISE, then the NAC Agent automatically contacts the ISE server and downloads the latest NACAgentcfg.xml.

Then you can browse to the following directory and find the NACAgentcfg.xml file on your PC.

C:\Program Files (x86)\Cisco\Cisco NAC Agent

After that, you can mass-deploy the NAC agent as well as the xml file. That said, it is not required to deploy the xml file; as I said, every time there is a posture rule, the NAC agent will download the latest available NACAgentcfg.xml from the ISE server.

Please rate if this can help.

Tags: Cisco Security

Similar Questions

  • The NAC Agent running application scan

    Ladies and gentlemen,

    My client is to be on ISE PoC. They want to test the functionality of Posture to run the application.

    I would like to ask: what is the NAC agent scan interval. If I want to use Agent NAC to scan the PC, an illegal demand, but initially, during the connection, the application is not running. After NAC agent notify that it respects the customer, user start this application. The question therefore, Agent NAC detectable by whom?

    Kindly share your experience about it. Thank you for your support.

    Kind regards

    Hiep

    Hiep,

    The feature you requested is passive revaluation and is made on intervals configured by the administrator.

    www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#...

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Profiler in the NAC 2.1 to 3.1 upgrade

    Hi guys,

    I'm setting up a Profiler from the NAC that accompanies 2.1 installed. I upgraded to 3.1, prayed and installed the license without any problems, but I always get this message: "ERROR: [2010-12-08 09:25:01 (main: 668)] valid no key not found [no such file or directory]"

    The license file exists, and on the interface Web Profiler from the NAC, the State of the license is OK.

    A single line in the license file gives me this information: 'cisco 2.1 INCREMENT CCA-MANAGER countless Permanent '.

    Does anyone know if the license is linked with the version of Profiler?

    The upgrade from 2.1 to 3.1 is allowed or it is necessary to purchase a new license 3.1?

    Best regards

    Hello

    So I guess you spotted the problem here...

    You have a collector's license?

    You need 2 licenses: 1 to the server profile, and one for the collector.

    Basically, the mac address you provide is the same (eth0 of Server Profiler), but you need a PAK Server Profiler to generate the license Server Profiler (the one you already have) and a PAK for license collector (which is missing).

    You have the collector PAK?

    If Yes, then just go to the license page and submit this PAK and the mac address.

    HTH,
    Tiago

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • Connection disabled for the Nac Agent

    Hello

    After installing the NAC Agent on Windows XP.

    The login window does not appear.

    Please see the attached support cisco report.

    Please suggest to overcome this problem.

    Thank you

    Abuzar

    Well, the default gw is an L3 device you have on your network, and if there is a firewall you will need to open the communication to these ports.

    What is the configuration of VLANS on the switch where the client is connected?

    Do you have an organizational chart?

    See you soon,

    Tiago

  • The NAC Agent autoUpgrade ISE possible?

    Hi all

    I have this:

    802.1x-window with the NacAgent version (say 1) <----> 802.1x switch active (RADIUS aaa OK) <------> ISE and AD on the same LAN

    ISE is configured for client provisioning with hardware (NacAgent version 2) downloaded from Cisco's Web site (as described in the documentation)

    I have a basic plan of authentication and authorization that allow me to well but I expect the NACAgent to be upgraded.

    No profiling is configured at the moment.

    Is that someone can help?

    Best regards?

    Hello

    In the ISE settings provisioning client, activate the option where the NAC upgrade agent is required. However, it is up to you to run periodic updates and map the most recent agent in the configuration of the parameters of the client.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Problem of the NAC - Agent is a disconnect

    Hello

    We have a problem with the NAC in mode virtual outofband.

    AD SSO, sanitation, everything is working, but the strange things happening: after awhile, when downloading large files, Agent connects to the formula of network users, and the registration process is restarted.

    I disabled the pulsation clocks and timers, session, but we still have a problem.

    Also, while sniffing traffic on the switch port, I noticed that after have correctly connected you to the own Cisco Agent network always send traffic to UDP Port 8905. Is this a normal behavior?

    I noticed problems with this version of the agent causing connections to give up intermittently. I would upgrade to agent v4.1.3.1.

  • Question commissioning of the ISE NAC agent

    I downloaded the NAC agents and modules of conformity to the ISE and configured the client provisioning rules. The user guide is not really explain very good next steps.

    I guess because the identity of the user groups are used in politics, commissioning is used with webauth, is that correct?

    Jeppe,

    The commissioning customer is done with any authentication method. Whether via dot1x or webauth, it is the authorization policy that starts this process. You redirect your customers customer provisioning portal using the authorization policy. Then, you determine which agent (web agent, agent nac or no agent) through the client provisioning policy.

    Hope that helps,

    Tarik Admani
    * Please note the useful messages *.

  • The Stub of the NAC for 4.7 Agent options

    Hello

    Does anyone know if Cisco provides an option of replacement for the role of the NAC Agent of the Stub in version 4.7?

    Thank you.

    Dennis,

    The service is installed as part of installing the agent. Now the agent installation requires administrator rights.

    HTH,

    Faisal

  • NAC agent the wireless runs whenever we have controllers

    Hello everyone, we have a problem in our environment and wanted to inquire about this. We have a Cisco wireless infrastructure in place - 5508 2 controllers and about 200 3502 AP we have split the AP evenly between 2 controllers. We backend system with an own server in the strip of the NAC device for post assessment. What we are seeing, is that when a user "passes" a point of access to the other, and if the AP is connected to 2 separate controllers, the NAC agent will take place once again. Newspapers in cam supports this, as we see the user is disconnected and then reconnected. We have 2 controllers configured in a mobility group which should allow roaming. So what would be the expected behavior? Is the controller always send RADIUS Accounting Stop packets to the CAs when it tends a session wireless to another controller, even if they are in a group of mobility? Any help or thoughts would be appreciated.

    Thank you

    The f

    Jeff,

    Since you're using dot1x, I found the following note in the configuration guide for mobility:

    http://www.Cisco.com/en/us/docs/wireless/controller/7.2/configuration/guide/cg_mobility.html

    All clients configured with 802.1X/Wi-Fi Protected Access (WPA) security complete a full authentication to conform to the IEEE standard.

    Your radius server that you see a second authentication attempt from the second controller? If Yes, then most likely, this is because of the management of accounts radius stop and start messages while roaming.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • NAC agent and configuration of NHPS with ISE 1.1.1

    I try to get all the workstations (OSX and Windows) install the begging native NAC Agent and Assistant during the on-board process.

    I currently use portal default comments to EHT.

    The environment has been implemented using a design of dual SSID.

    For the moment, devices can plug the SSID of provisioning and get the CWA. Recording device works, the portal is running the installer of NHPS that correctly implements the network card.

    The problem is that the portal never tries to install the NAC Agent.

    Has a political client provisioning policies for wired and wireless as well as BONES. Each strategy includes a PSN and Agent NAC configuration. It seems that portal comments only checks the configuration of PSN and not the NAC Agent config.

    Any ideas?

    Just if I understand correctly, you are using both a client provisioning portal and a native Portal begging provisioning related policies separate authz.

    With that road you check to see if the customer is consistent in the political portal provisioning client.

    Let me know if you have following configured (windows OS in the example), this implies that endpoint is statically assigned to RegisteredDevices after native pursueth provisioning.

    Rule 0 (Group of endpoint = RegisteredDevice) AND (AD:Domain user and authentication method: x509 and posturestatus: COMPATIBLE) = access allowed

    Rule 1 (Group of endpoint = RegisteredDevice) AND (AD:domain user authentication method: x509 [If you have deployed the certs to the State native supp] AND workstation NOT EQUAL: COMPLIANT) client provisioning RESULT portal.

    Rule 2 (endpoint = Workstation group) AND RESULTS (AD:Domain user AND breed authentication using mschapv2) provisioning windows portal

    Hope that helps,

    Tarik Admani
    * Please note the useful messages *.

  • NAC agent constantly authenticate

    I have a problem with NAC 4.9.4.3 where it reauthenticates randomly. There is no newspaper on the switch or within ISE to explain why this happens. The user seems to remain connected. Did somebody encounter this problem?

    Hi Deirra,

    How many times do you see that? You experience this problem with all the endpoints?

    If you don't see the newspaper on the ISE/switch so maybe not pure new authentication. The question may be followed by looking at the NAC agent logs.

    -Jousset

  • Ports of the NAC

    Hello Experts,

    Have some questions that came across while doing work of the NAC at one of our subsidiaries. If there is some user ports which are not selected for the profile of the NAC, is it possible (except physical control on the cell phone of the user by allowing all ports & audit) which can be used to track the paths of users without mail for NAC.

    Second, if the user of the NAC port is manually on the vlan user (rather than quarantine or vlan temporary), which is the correct order for that.

    the user on NAC field must be typed manually to vlan user or port profile should try not controlled followed by rebound port & update.

    Appreciate all help, thank you.

    Hello

    See online:

    If there is some user ports which are not selected for the profile of the NAC, is it possible (except physical control on the cell phone of the user by allowing all ports & audit) which can be used to track the paths of users without mail for NAC.

    [Tiago] On the graphical interface of CAM, you can check which controlled uncontrolled ports are. It is the only place where ports can be determined to be managed/no managed.

    Second, if the user of the NAC port is manually on the vlan user (rather than quarantine or vlan temporary), which is the correct order for that.

    the user on NAC field must be typed manually to vlan user or port profile should try not controlled followed by rebound port & update.

    [Tiago] When you perform the configuration of the switch, the switchports can be put on the vlan user or default access vlan. It depends on the port profile settings that you have configured. By default, when a port is managed on the basis, if a client connects, an SNMP trap is sent to the CAM. The CAM check whether the machine is certified or not (check the mac address). If the machine is not certified cam becomes the vlan the authenticated vlan configured on the port profile.

    So, whenever you connect a PC to a switchport, CAM evaluates what is the vlan correct the PC to start and change it accordingly.

    HTH,

    Tiago

    --

    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • NAC Agent recognizes bad OS

    I have a laptop windows 7 where the NAC agent think it's windows XP. It fails the NAC checks because he wants to ServicePack 3 must be installed. Has anyone already this issue or know where the NAC agent provides for what operating system it is?

    Just getting worse, I reinstall windows 7 but I was wondering if anyone could provide any idea for me?

    Johnathan,

    We have encountered this problem before. Check the properties for the executables of the NAC Agent and make sure that compatibility mode is not set to Windows XP.

    Doug

  • Help the NAC OOB Windows SSO

    We have just upgraded to Windows 2003 AD to Win2k8 R2 and Single Sign it has stopped working. Authentication works very well, but the NAC agent does not use the Windows credentials. Users must enter their user name and password manually.

    The AD server is a new server but has the same IP addresses as the old man. I'm running the CAM/CASE 4.7.2.

    Gregg

    Gregg,

    2k8 does not by default, so I suspect that is where it's a failure. Please look at the following sections and rerun ktpass (on a new user preference) as shown in the link:

    http://www.Cisco.com/en/us/docs/security/NAC/appliance/configuration_guide/47/CAs/s_adsso.html#wp1257882

    HTH,

    Faisal

    --

    If you find this article useful, please note so that others can easily find the answer

  • NAC agent don't popup configure what ORGANIZATIONAL unit in Active Directory

    Hi expert,

    I need help problem on NAC L2OOB-VG, the NAC server and client version 4.7.2. My problem is:

    -Before I use NAC ADSSO with Windows Server 2003 Active Directory and everything work fine. Untrust popup of the NAC agent connection users, authenticate users and users of action switch for trust to Vlan.

    -Now my DC has a problem so I upgrade this DC to Windows Server 2008 SP2 and configure the OU, Active Directory, I create OUS and move users to OR for simple management, after that I configured ktpass and service ADSSO in the NAC has start.

    So now my problem is:

    -Agent NAC users connection not popup and does not authenticate users.

    -When I move this users in UO to the domain users, popup will for the Attorney to the NAC and authenticate the user.

    How can I configure NAC in consultation with users in UO?

    Thank you for any assistance.

    Hello

    You have defined LDAP search servers to use with your SSO AD? All maps are you doing?

    Faisal
