The Mac OS X Clean Access Agent user sequence is as follows. The user navigates to the untrusted interface address of the CAS and is redirected to the Login page (Figure 10-61, Login Page—Mac OS X). The user is directed to the Download Clean Access Agent page (Figure 10-62, Download Clean Access Agent—Mac).
Cisco Clean Access Agent is Shareware software in the category Internet developed by Cisco Systems, Inc. The latest version of Cisco Clean Access Agent is 4.1.3.1, released on. It was initially added to our database on. Cisco Clean Access Agent runs on the following operating systems: Windows.
Introduction
This document answers the most frequently asked questions (FAQs) related to Cisco Clean Access Agent (formerly Perfigo SmartEnforcer).
The product names have changed. This table lists both the old and new names:
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Supported Features
Q. What operating systems are supported?
A. Agents are supported on these operating systems.
Windows Platforms
Macintosh platforms
Refer to Cisco NAC Appliance Agent/OS/Browser Support Matrix for more information on supported browsers and Java versions.
Q. Does Cisco support Custom APIs?
A. No.
Q. Does Cisco support the agent on VMware or Shared Drivers?
A. This is what is supported or is not supported by the NAC agent on VMware:
Hence, the summary is that the NAC agent is supported on VMware if:
For all other modes, it is unsupported.
Q. Does NAC 4.5 or later support Trend Micro OfficeScan 10.x?
A. NAC supports Trend Micro OfficeScan 10.x starting from version 4.7.1.
Error Messages
Q. The Cisco Clean Access Agent displays either the "SecureSmart is not available on the network" or "No SecureSmart Server found on the network" error message. I rebooted the Cisco Clean Access Server and worked around it for a while. How do I fix this?
A. This error is caused by the inability of the Cisco Clean Access Agent to communicate with the Cisco Clean Access Server through the SWISS protocol (the encrypted communication over UDP port 8905).
This can be due to:
Q. The Cisco Clean Access Agent receives the "Network Error" error message while it logs on. Why is this?
A. The Cisco Clean Access Agent shows this error when it is unable to communicate with the Cisco Clean Access Server using HTTPS. This can happen due to multiple reasons:
Q. What does the "this update can not be performed for an non-administrator account" error message on the Cisco Clean Access Agent during a Windows update mean?
A. The issue is that the Clean Access Agent fails to perform the Windows update for non-administrators. Agent Stub is needed for a non-administrator to launch Windows Server Update Services (WSUS). The Stub service is required to support these features for non-admin users:
Q. What does the "This client version is old and not compatible. Please login from web browser to see the download link for the new version" error message on the Cisco Clean Access Agent mean?
A. The issue is that the Clean Access Agent is a different version than the server. Try to match the Clean Access Agent version with the server.
Q. I have freshly installed the Windows 98 system. When I go to install the 3.2.0 Cisco Clean Access Agent client on the machine I get prompted to update the installer. However, as soon as the Cisco Clean Access Agent attempts to update the installer I get the "The provided instmsi upgrade executable 'C:\Windows\Temporary Internet Files\Content.IE5\KXERWHYB\InstMSIA[2].exe' is invalid" error message. How do I fix this?
A. Install the full version of the Cisco Clean Access Agent 3.1.3 or 3.2.0 (greater than 5 Mb).
Q. I uploaded Cisco Clean Access Agent to my Cisco Clean Access Server. However, the Cisco Clean Access Server does not publish it. I get a "Checking for the uploaded SmartEnforcer client file.. SmartEnforcer client file not found." error message. How do I fix this?
A. Upload the .exe file, not the .zip file. Make sure to extract the .exe file from the zip folder before you upload it. Also, do not change the original .exe file name.
Q. Why do I receive the "Access to network is blocked by the adminstrator" error message on the Cisco Clean Access Agent when I try to log in?
A. If you are using both the wired and the wireless networks at the same time, this error message can occur. Try using either the wired or the wireless network which might solve the issue. Also, try using the CCA version 4.1.3. This might help to resolve the issue.
Q. Why do I receive the "Warning: The current Trusted Certificate Authority 'www.perfigo.com' is suited for lab environments only. Cisco recommends importing a third-party Certificate Authority. Please check your Clean Access Server(s) and standby Clean Access Manager for similar messages." error message after upgrading the NAC Appliance?
A. This error message is due to the Perfigo certificates. This issue can be resolved by deleting the Perfigo CA from the trusted CA list.
Q. What does the "Revocation information for the security certificate for this site is not available. Do you want to proceed" error message on the Cisco Clean Access Agent mean?
A. This issue is due to the unavailability of the revocation information for the security certificate. There are two resolutions available for this issue. The resolutions are provided below:
Another workaround that removes this error message is available. You can add <AllowCRLChecks>0</AllowCRLChecks> to the NACAgentCFG.xml file in this directory: C:\Program Files\Cisco\Cisco NAC Agent
Note: The "Network Error SSL Certificate Rev Failed 12057" error message on the Cisco Clean Access Agent is generated because of this problem.
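The AllowCRLChecks workaround above turns off certificate revocation checking in the agent, so it is worth tracking which endpoints carry it. The following audit script is an added example, not Cisco code: it walks a directory tree for NACAgentCFG.xml and reports how the setting is configured. The `<cfg>` root element in the samples is an assumption; the script matches the AllowCRLChecks element wherever it appears.

```python
import os
import xml.etree.ElementTree as ET

CONFIG_NAME = "NACAgentCFG.xml"

# Constructed samples; the <cfg> root element is a hypothetical placeholder.
SAMPLE_DISABLED = "<cfg><AllowCRLChecks>0</AllowCRLChecks></cfg>"
SAMPLE_NOT_SET = "<cfg></cfg>"


def crl_check_state(xml_data):
    """Classify one config as 'disabled', 'not set', 'set:<value>' or 'unparseable'."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return "unparseable"
    for elem in root.iter():
        # Ignore any XML namespace prefix on the tag name.
        if elem.tag.rsplit("}", 1)[-1] == "AllowCRLChecks":
            value = (elem.text or "").strip()
            # The FAQ documents only the value 0; other values are reported raw.
            return "disabled" if value == "0" else "set:" + value
    return "not set"


def audit_tree(top):
    """Return {path: state} for every NACAgentCFG.xml found under top."""
    findings = {}
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            if name.lower() == CONFIG_NAME.lower():
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings[path] = crl_check_state(fh.read())
    return findings


if __name__ == "__main__":
    import sys

    # Usage: python audit_crl.py <directory>; defaults to the current directory.
    top = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, state in sorted(audit_tree(top).items()):
        print(f"{state:12} {path}")
```
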
Refer to these documents for more information:
Q. When I launch the Web agent on a Windows 7 machine, it fails with error message code 3. How do I fix this issue?
A. The error code 3 is a message that indicates that the agent was downloaded but not installed. These are possible workarounds:
Q. I receive an Internet Explorer script error when the NAC agent tries to start. How do I resolve this issue?
A. The error message is shown below.
Complete these steps in order to fix this issue:
Miscellaneous
Q. What do I need to do when Mac clients do not redirect to the Page Not Found page?
A. Make sure that you do not use a domain name that ends in .local. Mac OS treats this as a special DNS name for multicast DNS. Therefore, the resolution request is never sent to the DNS server.
Q. What occurs if Clean Access Agent gets blocked by McAfee?
A. The issue is that Clean Access Agent gets blocked by McAfee thinking that the webagent setup program (webagentsetup-win.exe) is a trojan. A workaround for this issue is to modify the method that clients download to exclude the ActiveX applet and strictly utilize the Java component. This can be set on the CAM using the User Pages - Login Page - edit - Web Client(ActiveX/Applet) - Java Applet Only. Or, the user can use any other browser, preferably Firefox.
Q. Who does the Cisco Clean Access Server try to communicate with when it connects using port 8905 as its source port?
A. The Cisco Clean Access Agent communicates with the Cisco Clean Access Server through the SWISS protocol using encrypted communication over UDP port 8905.
Q. How do I limit SSH access to the Cisco Clean Access Server?
A. Change the /etc/ssh/sshd_config file by adding a line similar to this one:
For example:
Issue the service sshd restart command to restart the SSHD process.
Q. How do I disable Clean Access Agent for Windows 98/95?
A. Under CleanMachines, uncheck Windows All and select each OS independently for Require Use of Clean Access Agent.
Q. The Edge switches running SNMPv3 are not polled correctly by the Collector after sending a link up or MAC notification trap. Discovery of endpoints connecting to ports on switches running SNMPv3 is delayed until the next regular poll of the switch by NetMap in the NAC Profiler. Why?
A. This issue is related to the Cisco bug ID CSCta25695 (registered customers only). Refer to this bug for more information.
Q. Why are there some issues when I use certificates from Perfigo in NAC Appliance?
A. The reason for the issues when you use certificates from Perfigo can be due to the version of Cisco NAC Appliance used. Cisco NAC Appliance Release 4.7(0) no longer contains the www.perfigo.com Certificate Authority (CA) in the .ISO or upgrade image. Administrators who require the www.perfigo.com CA in the network must manually import the CA from a local machine after the installation or upgrade to Release 4.7(0).
In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other trusted store of the appliance so that the CAM can trust the certificate of the CAS and vice-versa.
Q. AV check fails on Cisco Clean Access for Windows 7 machines. How do I fix this problem?
A. This issue happens because the requirement-rules did not have the correct rule chosen under the Windows 7 OS. Choose all the requirement-rules for Windows 7 under the existing requirement.
Q. The NAC denies network access due to no antivirus being installed on the workstation even though AVG 10 is installed on it. What is the reason behind this problem?
A. AVG 10 is not yet supported on NAC. Refer to Cisco bug ID CSCtj89340 (registered customers only) for more information on this enhancement.
Q. Can I pass DHCP requests for Nortel IP Phones behind a NAC?
A. Yes. You can pass the DHCP requests for Nortel IP Phones behind a NAC. Refer to Nortel IP Phones behind NAC for more information.
Introduction
This document addresses the most frequently asked questions (FAQs) related to Cisco Clean Access Server (formerly Perfigo SecureSmart Server).
The product names have changed. This table lists both the old and new names:
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Installation
Q. How do I install the LSI SCSI drivers for Dell 1750 or others?
A. Complete these steps:
Configuration
Q. How do I configure the Broadcom drivers?
A. Complete these steps:
Q. How do I configure the Cisco Clean Access Server behind a NAT gateway?
A. Complete these steps for each Cisco Clean Access Server deployed behind a NAT gateway.
Duplex and Speed Settings
Q. How do I set the duplex and speed on the Cisco Clean Access Server network interface cards?
A. Use this as a guide to set up appropriate network interface cards in the /etc/modules.conf file.
Note: Append the options parameter at the end for the /etc/modules.conf file with the use of the vi editor.
Q. How do I set the duplex/speed on the Cisco Clean Access Interface 'bnx2' ?
A. On Cisco Clean Access Server devices (even on CAM), there are files for each network interface that describe the properties and speed/duplex settings.
Here are the steps to perform this manually:
Q. How do I check to see the duplex and speed on the Cisco Clean Access Server network interface cards (NICs)?
A. Run the mii-tool utility from the command line. It works for the on-board NIC, but does not support fiber NICs.
For fiber NICs, use the grep 'eth0' command on /var/log/messages.
You can also issue a tail -f command on /var/log/messages. This displays messages whenever a NIC becomes active or inactive.
Supported Features
Q. What is the number of VPN connections supported per Cisco Clean Access Server?
A. No limit is placed for IPsec.
PPTP and L2TP are currently set to 32 tunnels each.
Q. How do I change the IP address of the Cisco Clean Access Server? Do I need to delete and re-add the Cisco Clean Access Server?
A. Cisco recommends that you change the IP address of the Cisco Clean Access Server via the Manager UI. When the IP address of the Cisco Clean Access Server is changed from the Manager UI, reboot the Cisco Clean Access Server. It automatically tries to connect to the Cisco Clean Access Manager upon reboot. The Cisco Clean Access Manager changes the IP address of the Cisco Clean Access Server in the database and the SSKEY remains the same.
Note: If you delete and re-add the Cisco Clean Access Server, you lose all the configuration settings of the Cisco Clean Access Server.
Q. How do I limit SSH access to the Cisco Clean Access Server?
A. Add a line similar to this example in order to change the /etc/ssh/sshd_config file:
For example:
Issue the service sshd restart command in order to restart the SSHD process.
Q. How does the Bandwidth Burst setting work?
A. Under CleanMachines, uncheck Windows All and select each OS independently for Require Use of SmartEnforcer or not.
Q. I recently read in the Clean Access Server Installation and Administration Guide Release 3.3BETA on page 68 that the recommended maximum number of subnets per Clean Access Server is 1000. I need to create more than 1000. What is the limit?
A. The limit of 1000 is a warning only. If the machine has enough memory (more than 1G), you can configure up to 2500 subnets.
Q. How do I manage a batch of access points that I have on a specific VLAN that is managed by the Clean Access Server? I have added them in the Access Point Device Management.
A. Add the MAC addresses of the Access Points to the Filters > Devices area as opposed to the Access Point Device Management section.
Q. I have secondary (sometimes multiple secondary) subnets on each VLAN. The 150 subnet is for clients, and the 172 subnet is for the management of our networking gear in the building. Is the Clean Access Server able to deal with multiple subnets on a single VLAN?
A. An example of this problem is:
Clean Access Server is in the virtual gateway mode:
Clean Access Server is in a gateway (real-ip or NAT) mode:
Q. Why am I unable to add the Clean Access Server to the Clean Access Manager (CAM)?
A. If you are unable to add the Clean Access Server to the CAM, then this is a licensing issue. Make sure that the server licenses are generated based on the Primary CAM's ethernet 0 MAC address. The MAC addresses on the server license should match the (Primary) MAC address of the CAM.
Q. Should I generate a new CSR to renew the certificate on the Clean Access Server?
A. No. For renewal of the certificate on the Clean Access Server, do not generate a new CSR. However, if you are generating a new CSR, then you have to upload the private key in the Clean Access Server. After uploading the private key, reboot the Clean Access Server. This completes the renewal process.
Q. Is it possible to pass through multicast traffic through CCA?
A. No, multicast is not supported under the inband real gateway. However, it will work for out-of-band or virtual gateway.
Q. Does NAC support Windows 2008 64-bit server?
A. No, but it does support 32-bit Windows 2008 server.
Q. Does NAC include a feature to duplicate the user roles and policies/properties associated with it to a new user role?
A. No. This cannot be done as there is no such provision in the GUI.
Log Messages
Q. In the /var/log/messages or the /var/log/ha-log messages I see several heartbeat messages for Failover. Why is this and how do I fix it?
A. These are the heartbeat messages that you see:
You see these messages when the peer server is up after a reboot. You can also see it in the log on the primary server when:
Note: When you issue the service perfigo restart command, it does not trigger this log.
Q. I see the "Clean Access Server 2004-08-30 11:30:28 192.168.151.60 System Stats: Load factor 0 (max since reboot: 3) Mem: 261160960 237854720 23306240 212992 47259648 99737600 cpu 188552 153 91405324 194183" messages in my event logs. What do they mean?
A. System statistics are generated for each Clean Access Server managed by the Clean Access Manager every hour by default. Reported information includes the load factor of each server, maximum load since reboot, memory, and CPU usage.
For the example provided, system % = 91405324*100/(188552+153+91405324+194183) = 99.58%. Similarly, you can calculate the others as well. However, on a Clean Access Server, system time is typically greater than 90 percent. This is the sign of a healthy system.
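The calculation above can be applied to every System Stats event rather than done by hand. The parser below is an added example, not part of the Cisco document: it extracts the counters from an event line, computes each counter's share, and lists servers whose system share falls below the 90 percent figure mentioned above. The field names other than system follow the Linux /proc/stat order, which is an assumption, and the second event and its address are constructed.

```python
import re

# Sample event copied from the FAQ entry above.
SAMPLE_EVENT = (
    "Clean Access Server 2004-08-30 11:30:28 192.168.151.60 System Stats: "
    "Load factor 0 (max since reboot: 3) Mem: 261160960 237854720 23306240 "
    "212992 47259648 99737600 cpu 188552 153 91405324 194183"
)
# Constructed event for a hypothetical second server with a low system share.
CONSTRUCTED_EVENT = (
    "Clean Access Server 2004-08-30 12:30:28 192.0.2.10 System Stats: "
    "Load factor 2 (max since reboot: 5) Mem: 261160960 237854720 23306240 "
    "212992 47259648 99737600 cpu 500 0 400 100"
)

# Assumption: the four cpu counters follow the Linux /proc/stat order. The FAQ
# itself only identifies the third counter as system time.
CPU_FIELDS = ("user", "nice", "system", "idle")

STATS_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<server>\S+)\s+"
    r"System Stats:\s+Load factor\s+(?P<load>\d+)\s+"
    r"\(max since reboot:\s+(?P<max_load>\d+)\)\s+"
    r"Mem:\s+(?P<mem>\d+(?:\s+\d+)*)\s+"
    r"cpu\s+(?P<cpu>\d+(?:\s+\d+){3})\s*$"
)


def parse_system_stats(line):
    """Return a dict of parsed values, or None if the line is not a usable event."""
    m = STATS_RE.search(line.strip())
    if m is None:
        return None
    cpu = [int(v) for v in m.group("cpu").split()]
    total = sum(cpu)
    if total == 0:
        return None  # no counters to divide by
    return {
        "timestamp": m.group("ts"),
        "server": m.group("server"),
        "load": int(m.group("load")),
        "max_load": int(m.group("max_load")),
        # The FAQ does not name the individual Mem values, so keep them raw.
        "mem": tuple(int(v) for v in m.group("mem").split()),
        "cpu_share": {
            name: round(100.0 * value / total, 2)
            for name, value in zip(CPU_FIELDS, cpu)
        },
    }


def low_system_share(lines, threshold=90.0):
    """List (server, system %) for events whose system share is below threshold."""
    flagged = []
    for line in lines:
        event = parse_system_stats(line)
        if event and event["cpu_share"]["system"] < threshold:
            flagged.append((event["server"], event["cpu_share"]["system"]))
    return flagged


if __name__ == "__main__":
    print(parse_system_stats(SAMPLE_EVENT)["cpu_share"])
    print(low_system_share([SAMPLE_EVENT, CONSTRUCTED_EVENT]))
```
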
Error Messages
Q. Why do I receive the "cannot add Clean Access server" error message?
A. Check these items:
Q. Why do I receive the "CAS Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager at null." error message?
A. You might receive this error if the Clean Access Manager certificate has expired, cannot be trusted, or cannot be reached. The error is basically due to CAS or CAM communication issues.
In order to resolve this issue, verify these items:
Q. Why do I receive the "Encountered error while building X509 certificate chain .. cannot find certificate for the following Certificate Authority" error message?
A. You must use the correct root certificate. If Microsoft Certificate Authority (CA) is used, save the certificate in Base64 rather than default encoded.
Q. I get the "Authentication 2004-11-01 15:53:40 Server communication error, [00:0E:35:5F:F9:91 ## 172.19.168.42] bart" and "Authentication 2004-11-01 15:53:13 Server communication error, [00:0E:35:5F:F9:91 ## 172.19.168.42] bart" errors on the event logs. How do I fix this?
A. If you run failover Clean Access Server in virtual gateway mode, then edit the /etc/hosts file with vi and change the SS-1 (Clean Access Server) address to the Service IP (virtual address). You need to change them on both Clean Access Servers, active and standby.
Q. I get the "TCP/IP Stack Signature: UNKNOWN UNKNOWN [65535:64:1:64:M1460,N,W2,N,N,T0,S,E:P] { }" message. How do I fix this and how can I disable install of the client for iPhones?
A. Here are the instructions that should work for not requiring the agent for iPhones:
Q. You might receive this error message: Error: Upload Failed. This CA-Signed Certificate doesn't match the private key in the key database. How can I resolve this?
A. In order to resolve the issue, complete these steps:
Q. I received this error message: NAC Guest server log: _SYSTEM_ ( - 172.16.98.9) User trying to authenticate from invalid location: [email protected] 2011 15-Jan-2010 11:41:44. How can I resolve this error?
A. This issue is related to bug CSCsq86376 (registered customers only) and it would show up if you are not using IP addresses in their RADIUS packets from the WLC.
Q. I received this error message while upgrading CAS with CD: 'Buffer I/O error on device hda, logical block'. How can I resolve this error?
A. This issue usually occurs when the CD is corrupted or is burnt at high speed. With a larger ISO the CD must not be burnt at more than 10X or 8X speed.
Q. You might receive this error message when you connect CAM to CAS: Error: RMISocketFactory:Creating RMI socket failed to host. How is this issue resolved?
A. This error message might occur due to mismatched versions on the CAM and CAS or due to mismatched certificates or the shared secret used. For more information on how to resolve the certificate issues, refer to NAC (CCA): How to Fix Certificate Errors on the CAM/CAS After Upgrade to 4.1.6.
Q. I received this error message: "The certificate issuer for this site is untrusted or unknown. Do you wish to proceed?" How can I resolve this error?
A. This message appears because the certificate used on the CAS is self-issued and is not stored in the certificate store of the clients. This error can be resolved by loading a certificate from an external vendor (such as Verisign, Entrust, etc.) that is already known to the client machines. This requires purchasing a certificate from one of these vendors and installing it on the CAS, or you can use your own certificate authority (however, you need to manually install the CA certificate from this on each client).
Note: Reinstalling the certificate on the CAS requires removing it and re-adding it to the CAM. This can be disruptive to your network. This is highly recommended only when there is a possible outage window.
Miscellaneous
Q. Clean Access Server DHCP Service does not restart or occasionally stops. What needs to be done?
A. The DHCP settings are compiled on the Clean Access Server. Sometimes these compiled settings can become corrupted, especially after an upgrade to the Clean Access Server software. The solution is to force the Clean Access Server to recompile the settings. In order to do this, make a change, and click update.
Symptoms:
The DHCP server does not start, or it occasionally fails on the Clean Access Server.
Instructions:
Note: Another situation that can cause the DHCP server not to start is overlapping subnet configurations. Check for this as well.
Q. I configured the Heartbeat timer so that a device is logged off the system after some inactive time. In the event log, it states that it cannot ping the device but the device continues to pass traffic back and forth. How do I fix this?
A. This is an example of the error:
Check to see if the device has any built-in firewalls that block ARP packets from the Cisco Clean Access Server. The Cisco Clean Access Server performs ARP ping. This is an ARP message and should not be blocked.
Q. I configured the Heartbeat timer so that a device logs off the system after some period of inactivity. In the event log, it states that it cannot ping the device but the device still passes traffic back and forth. How do I fix this?
A. Make sure that you configure a serial port for failover connection.
If the computer that runs the Cisco Clean Access Server software has two serial ports, you can use the additional port for the serial cable connection. By default, the first serial connector detected on the server is configured for console input/output (to facilitate installation and other types of administrative access). If the computer has only one serial port (ttyS0) and you do not intend to use it for administrative access, you can reconfigure the port to serve as the failover connection.
Complete these steps in order to reconfigure ttyS0 as the heartbeat connection:
Q. How long does it take the Cisco Clean Access Manager (formerly SmartManager) to time out the Cisco Clean Access Server and for the "SecureSmart 2004-08-26 12:26:42 192.168.1.1 is inaccessible!" message to display?
A. The Cisco Clean Access Manager takes three minutes to timeout each Cisco Clean Access Server before it displays the Not Connected status.
Q. What is the impact of changing the network interface card (NIC) on Cisco Clean Access Server?
A. If you have a non-site license, you do not need to inform Cisco Technical Support of the change on the MAC address. You only need to inform Cisco Technical Support when your number of Clean Access Servers changes. If you have a site license, you do not need to inform Cisco Technical Support.
Q. I am able to get an IP address from the Clean Access DHCP server, but after that, I continue to see a 'Page Not Found' message when I try to open a browser to an outside address. I was never redirected to the web login page. Why is this?
A. You can be experiencing one of these issues:
Q. Do I need to update anything after I replace a faulty Cisco Clean Access Server?
A. In some instances, the ss_key is no longer the same. Complete these steps.
Q. SSH connectivity is lost while shutting down the perfigo service on a CAS using the service perfigo shut command. I cannot reconnect unless someone is physically at the box and can restart it. How can I resolve this issue?
A. This issue can be resolved by using the service perfigo maintenance command in NAC versions 4.1 and later.
Q. I cannot boot the NAC appliance with the new CAS/CAM CD that I have. What should I do?
A. Verify the following in order to resolve this: