
Cisco NAC Appliance (Clean Access)

Clean Access Agent FAQ

Document ID: 63591

Updated: Mar 04, 2009


Introduction

This document answers the most frequently asked questions (FAQs) related to Cisco Clean Access Agent (formerly Perfigo SmartEnforcer).

The product names have changed. This table lists both the old and new names:

Old Name              New Name
SmartManager          Clean Access Manager
SecureSmart Server    Clean Access Server
SmartEnforcer         Clean Access Agent
CleanMachinesAPIs     Clean Access APIs

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Supported Features

Q. What operating systems are supported?

A. Agents are supported on these operating systems.

Windows Platforms

  • Windows 2000

  • Windows XP

  • Windows Vista

  • Windows 7

Macintosh Platforms

  • Mac OS X 10.4.11 "Tiger"

  • Mac OS X 10.5.8 "Leopard"

  • Mac OS X 10.6.4 "Snow Leopard"

Refer to Cisco NAC Appliance Agent/OS/Browser Support Matrix for more information on supported browsers and Java versions.

Q. Does Cisco support Custom APIs?

A. No.

Q. Does Cisco support the agent on VMware or Shared Drivers?

A. This is what is supported or is not supported by the NAC agent on VMware:

  • VMware in NAT Mode

    The NAC agent is not supported, irrespective of Inband or OOB, because with VMware NAT mode all the VMs show up with the same IP and MAC address. Therefore, you cannot differentiate between the different VMs for auth/posture purposes.

  • VMware in Bridge Mode (L2 separation between the images, different IP/MAC addresses)

    • The NAC agent is supported in Inband mode because unique IP and MAC addresses for the VMs can be obtained.

    • The NAC agent is not supported in OOB mode because, with OOB mode, you have to restrict one MAC address per switchport. Multiple MAC addresses behind a switchport are not supported with OOB. (IP Phones and PCs connected to the IP Phones are supported.)

Hence, the summary is that the NAC agent is supported on VMware if:

  • NAC is in Inband mode.

  • VMware is in bridged mode.

For all other modes, it is unsupported.

Q. Does NAC 4.5 or later support Trend Micro OfficeScan 10.x?

A. NAC supports Trend Micro OfficeScan 10.x starting from version 4.7.1.

Error Messages

Q. The Cisco Clean Access Agent displays either the SecureSmart is not available on the network or No SecureSmart Server found on the network error message. I rebooted the Cisco Clean Access Server and worked around it for a while. How do I fix this?

A. This error is caused by the inability of the Cisco Clean Access Agent to communicate with the Cisco Clean Access Server through the SWISS protocol (the encrypted communication over UDP port 8905).

This can be due to one of these causes; each is followed by the check or workaround that applies to it:

  • Log files have grown too large.

    Check whether the Apache entries cause the logs to reach 2 GB in size. This issue is fixed in version 3.3.x and later.

  • The SS Certificate is invalid. If the certificate of the Clean Access Server is invalid/incorrect, then the HTTPS connection cannot be made properly.

    Verify that the certificate popup has the bottom two checks for a temporary certificate, or three checks for a CA-signed certificate.

  • The client time is incorrect. If the time on the client machine is set earlier than the server time, the certificate's validity period lies in the future from the perspective of the client, so the client does not trust the server certificate.

    Check the time on the Clean Access Server and ensure that the NTP protocol to a time server is allowed.

  • There are multiple network cards on the client machine. If the client machine has multiple cards, then it is possible that Windows uses the incorrect card to send the information.

    Disable the network card that is not in use in order to work around this issue.

  • Stale cache on the client (Enforcer) PC.

    Issue the ipconfig /flushdns command at the command prompt, or, in Internet Explorer, under Tools > Internet Options > Advanced, de-select Check for server certificate revocation.

  • Network connectivity is not established.

    Check to make sure that you have a proper IP address.

  • The local PC or machine can have an issue after a new installation of the Cisco Clean Access Agent.

    Reboot the PC. Issue the service perfigo restart command on the Clean Access Server.

  • Destination port 8905 on the Cisco Clean Access Server is blocked by a network firewall or a personal firewall.

    Ensure that port 8905 is open.

  • Third-party software interferes with the Cisco Clean Access Agent.

    Try to turn off personal firewalls, disable VPN software, or disable spam blockers to see if the Clean Access Agent works.

  • A software defect is identified and fixed in Cisco Clean Access Server 3.2.6.

    Upgrade to Cisco Clean Access Manager and Cisco Clean Access Server 3.2.6.

Q. The Cisco Clean Access Agent receives the Network Error error message while it logs on. Why is this?

A. The Cisco Clean Access Agent shows this error when it is unable to communicate with the Cisco Clean Access Server using HTTPS. This can happen due to multiple reasons:

  • The SS Certificate is invalid. If the certificate of the Cisco Clean Access Server is invalid/incorrect, then the HTTPS connection cannot be made properly.

    Verify that the certificate popup has the bottom two checks for a temporary certificate, or three checks for a CA-signed certificate.

  • The client time is incorrect. The time on the client machine causes it to not trust the server certificate. For example, the client time is set earlier than the server time, which puts the certificate's validity period in the future from the perspective of the client.

    Check the time on the Cisco Clean Access Server and ensure that the NTP protocol to a time server is allowed.

  • Multiple network cards on the client machine. If the client machine has multiple cards, then it is possible that Windows uses the incorrect card to send the information.

    Disable the network card that is not in use in order to work around this problem.

  • Third-party software interferes with the communication between the Cisco Clean Access Agent and the Cisco Clean Access Server. Software such as the Cisco VPN Client, the Check Point VPN Client, and personal firewalls can affect the communication.

    Try to disable such software to see if the Cisco Clean Access Agent works.

  • Stale cache on the client machine.

    Issue the ipconfig /flushdns command at the command prompt, or, in Internet Explorer, under Tools > Internet Options > Advanced, de-select Check for server certificate revocation.

Q. What does the this update can not be performed for an non-administrator account error message on the Cisco Clean Access Agent during a Windows update mean?

A. The issue is that the Clean Access Agent fails to perform the Windows update for non-administrators. Agent Stub is needed for a non-administrator to launch Windows Server Update Services (WSUS). The Stub service is required to support these features for non-admin users:

  • Download and install agent

  • Upgrade agent

  • Launch an executable

  • Launch WSUS updates

  • Access to Authentication VLAN change detection

  • Perform IP refresh or renew

Q. What does the This client version is old and not compatible. Please login from web browser to see the download link for the new version error message on the Cisco Clean Access Agent mean?

A. The issue is that the Clean Access Agent is a different version than the server. Try to match the Clean Access Agent version with the server.

Q. I have freshly installed the Windows 98 system. When I go to install the 3.2.0 Cisco Clean Access Agent client on the machine I get prompted to update the installer. However, as soon as the Cisco Clean Access Agent attempts to update the installer I get the The provided instmsi upgrade executable 'C:Windows\Temporary Internet Files\Content.IE5\KXERWHYB\InstMSIA[2].exe' is invalid error message. How do I fix this?

A. Install the full version of the Cisco Clean Access Agent 3.1.3 or 3.2.0 (greater than 5 MB).

Q. I uploaded Cisco Clean Access Agent to my Cisco Clean Access Server. However, the Cisco Clean Access Server does not publish it. I get a Checking for the uploaded SmartEnforcer client file.... SmartEnforcer client file not found. error message. How do I fix this?

A. Upload the .exe file, not the .zip file. Make sure to extract the .exe file from the zip folder before you upload it. Also, do not change the original .exe file name.

Q. Why do I receive the Access to network is blocked by the adminstrator error message on the Cisco Clean Access Agent when I try to log in?

A. If you are using both the wired and the wireless networks at the same time, this error message can occur. Try using either the wired or the wireless network which might solve the issue. Also, try using the CCA version 4.1.3. This might help to resolve the issue.

Q. Why do I receive the Warning: The current Trusted Certificate Authority 'www.perfigo.com' is suited for lab environments only. Cisco recommends importing a third-party Certificate Authority. Please check your Clean Access Server(s) and standby Clean Access Manager for similar messages. error message after upgrading the NAC Appliance?

A. This error message is due to the Perfigo certificates. This issue can be resolved by deleting the Perfigo CA from the trusted CA list.

Q. What does the Revocation information for the security certificate for this site is not available. Do you want to proceed error message on the Cisco Clean Access Agent mean?

A. This issue is due to the unavailability of the revocation information for the security certificate. There are two resolutions available for this issue. The resolutions are provided below:

  1. When you use a CA-signed CAS SSL certificate, check the CRL Distribution Points field of the certificate, which includes intermediate or root CA, and add the URL hosts to the allowed Host Policy of the Unauthenticated/Temporary/Quarantine Roles. This allows the Agent to fetch the CRLs when logging in.

  2. Complete these steps in your Internet browser in order to resolve this issue:

    1. Import the certificate to the trusted root store of the client system.

    2. Choose Tools > Internet Options > Advanced tab > Security section and uncheck Check for server certificate revocation (requires restart).

    3. Now close the existing browser and open a new one in order for the changes to take effect.

Another workaround for this error message is available. You can add <AllowCRLChecks>0</AllowCRLChecks> to the NACAgentCFG.xml file in this directory: C:\Program Files\Cisco\Cisco NAC Agent

Note: The Network Error SSL Certificate Rev Failed 12057 error message on Cisco Clean Access Agent generates due to this problem.
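The following is an added example, not part of the Cisco document, that reads and sets the AllowCRLChecks element in an agent configuration file using only the Python standard library. The element name and the file location come from the FAQ above; the root element name (cfg), the DiscoveryHost sample element and the assumption that a missing element means revocation checks stay on are mine. Setting the value to 0 turns off revocation checking on the client, so a revoked CAS certificate would still be accepted; the first resolution above (permitting the CRL distribution hosts in the Unauthenticated/Temporary/Quarantine roles) keeps the check in place and is the safer choice.

```python
# Added example: manage <AllowCRLChecks> in NACAgentCFG.xml (standard library only).
# Assumptions: the file is well-formed XML with a single root element (named <cfg>
# here, which is a guess) and AllowCRLChecks is a direct child of that root.
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of an agent configuration file (not a real NACAgentCFG.xml).
SAMPLE_CFG = """<cfg>
  <DiscoveryHost>cas.example.test</DiscoveryHost>
</cfg>
"""

# Default install path from the FAQ; adjust if the agent lives elsewhere.
DEFAULT_CFG_PATH = Path(r"C:\Program Files\Cisco\Cisco NAC Agent\NACAgentCFG.xml")


def get_allow_crl_checks(xml_text: str) -> bool:
    """Return True when certificate revocation checks are in effect.

    A missing element is treated as "checks enabled" (assumption: the FAQ's
    error only goes away once the element is explicitly set to 0).
    """
    root = ET.fromstring(xml_text)
    node = root.find("AllowCRLChecks")
    if node is None or node.text is None:
        return True
    return node.text.strip() != "0"


def set_allow_crl_checks(xml_text: str, enabled: bool) -> str:
    """Return the configuration text with AllowCRLChecks set to 1 or 0,
    creating the element when it is absent."""
    root = ET.fromstring(xml_text)
    node = root.find("AllowCRLChecks")
    if node is None:
        node = ET.SubElement(root, "AllowCRLChecks")
    node.text = "1" if enabled else "0"
    return ET.tostring(root, encoding="unicode")


def update_file(path: Path, enabled: bool) -> bool:
    """Rewrite the file in place; return the resulting CRL-check state."""
    updated = set_allow_crl_checks(path.read_text(encoding="utf-8"), enabled)
    path.write_text(updated, encoding="utf-8")
    return get_allow_crl_checks(updated)


if __name__ == "__main__":
    print("sample checks CRLs:", get_allow_crl_checks(SAMPLE_CFG))
    disabled = set_allow_crl_checks(SAMPLE_CFG, False)
    print(disabled)
    print("after setting 0:", get_allow_crl_checks(disabled))
```

Run it against the real file with update_file(DEFAULT_CFG_PATH, False) only as a temporary measure, and re-enable checks with update_file(DEFAULT_CFG_PATH, True) once the CRL hosts are reachable from the temporary role.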


Q. When I launch the Web agent on Windows 7 machine, it fails with error message code 3. How do I fix this issue?

A. The error code 3 is a message that indicates that the agent was downloaded but not installed. These are possible workarounds:

  1. Verify that UAC (User Account Control) is enabled.

  2. Verify that Internet Explorer is running in Administrator mode.

  3. Verify whether some ActiveX function fails, and try to reset all the IE and ActiveX permissions to their defaults.

  4. Verify if any other Anti Virus (AV) software prevents IE from launching its executable from its temporary directory.

Q. I receive an Internet Explorer script error when the NAC agent tries to start. How do I resolve this issue?

A. The error appears as an Internet Explorer script error dialog (image ca-mgr-faq-2.gif, not reproduced here).

Complete these steps in order to fix this issue:

  1. Uninstall the Cisco NAC Agent from the system.

  2. Manually delete the C:\Program Files\Cisco\Cisco NAC Agent directory.

  3. Download regsvr32a.exe from this URL:

    http://support.microsoft.com/kb/267279

  4. Run regsvr32a.exe. The application is extracted to your local computer.

  5. Open a command prompt, and change to the directory into which the regsvr32.exe application was extracted.

  6. Run regsvr32.exe msxml3.dll.

    A dialog box appears that states the registration was successful.

  7. Install the Cisco NAC Agent.

  8. Verify that the Cisco NAC Agent starts successfully.

Miscellaneous

Q. What do I need to do in order to correct Mac clients that do not redirect to the Page Not Found page?

A. Make sure that you do not use a domain name that ends in .local. Mac OS treats this as a special DNS name for multicast DNS. Therefore, the resolution request is never sent to the DNS server.

Q. What occurs if Clean Access Agent gets blocked by McAfee?

A. The issue is that Clean Access Agent gets blocked by McAfee, which treats the web agent setup program (webagentsetup-win.exe) as a trojan. A workaround for this issue is to modify the method that clients use to download, so that the ActiveX applet is excluded and only the Java component is used. This can be set on the CAM under User Pages > Login Page > Edit > Web Client (ActiveX/Applet) > Java Applet Only. Alternatively, the user can use any other browser, preferably Firefox.

Q. Who does the Cisco Clean Access Server try to communicate with when it connects using port 8905 as its source port?

A. The Cisco Clean Access Agent communicates with the Cisco Clean Access Server through the SWISS protocol using encrypted communication over UDP port 8905.

Q. How do I limit SSH access to the Cisco Clean Access Server?

A. Change the /etc/ssh/sshd_config file by adding a line similar to this one:

ListenAddress <IP address on which sshd accepts connections>

For example:

ListenAddress 192.168.151.60

Issue the service sshd restart command to restart the SSHD process.
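An added example, not from the Cisco document, that audits the ListenAddress directives of an sshd_config file before the restart above. It flags the two states that leave SSH reachable from everywhere: no ListenAddress at all (OpenSSH then binds every interface) and a wildcard address such as 0.0.0.0 or ::. The sample configuration text is constructed; standard OpenSSH sshd_config syntax is assumed.

```python
# Added example: check which addresses sshd will bind to according to sshd_config.
# Assumes OpenSSH syntax: "ListenAddress host", "ListenAddress host:port" or
# "ListenAddress [ipv6]:port", one directive per line, "#" comments.
from ipaddress import ip_address
from pathlib import Path

# Constructed sample sshd_config (not from any real appliance).
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
ListenAddress 192.168.151.60
#ListenAddress 10.0.0.5
PermitRootLogin no
"""


def listen_addresses(config_text: str) -> list:
    """Return the value of every active (uncommented) ListenAddress directive."""
    addrs = []
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "listenaddress":
            addrs.append(parts[1].strip())
    return addrs


def host_part(value: str) -> str:
    """Strip an optional :port suffix from "host:port" or "[ipv6]:port"."""
    if value.startswith("["):
        return value[1 : value.index("]")]
    if value.count(":") == 1:  # exactly one colon: IPv4 (or hostname) with a port
        return value.split(":")[0]
    return value  # bare IPv4, hostname, or bare IPv6 literal


def audit(config_text: str) -> list:
    """Return findings; an empty list means sshd is bound to specific addresses only."""
    findings = []
    addrs = listen_addresses(config_text)
    if not addrs:
        findings.append("no ListenAddress: sshd listens on all interfaces")
    for value in addrs:
        host = host_part(value)
        try:
            ip = ip_address(host)
        except ValueError:
            findings.append(
                f"ListenAddress {value}: not an IP literal, confirm it resolves to the intended interface"
            )
            continue
        if ip.is_unspecified:
            findings.append(f"ListenAddress {value}: wildcard address, no restriction")
    return findings


def audit_file(path: Path) -> list:
    """Audit an sshd_config on disk, e.g. Path('/etc/ssh/sshd_config')."""
    return audit(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    print("bound to:", listen_addresses(SAMPLE_SSHD_CONFIG))
    print("findings:", audit(SAMPLE_SSHD_CONFIG) or "none")
```

Run audit_file(Path("/etc/ssh/sshd_config")) on the appliance, then validate the syntax with sshd -t before issuing service sshd restart; a configuration error would otherwise stop sshd from coming back, and the ListenAddress chosen must be on the interface you administer the CAS from or the restart locks you out.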

Q. How do I disable Clean Access Agent for Windows 98/95?

A. Under CleanMachines, uncheck Windows All and select each OS independently for Require Use of Clean Access Agent.

(Image ca-mgr-faq-3.gif: the Require Use of Clean Access Agent settings page, not reproduced here.)

Q. The Edge switches running SNMPv3 are not polled correctly by the Collector after sending a link up or MAC notification trap. Discovery of endpoints connecting to ports on switches running SNMPv3 is delayed until the next regular poll of the switch by NetMap in the NAC Profiler. Why?

A. This issue is related to the Cisco bug ID CSCta25695 (registered customers only). Refer to this bug for more information.

Q. Why are there some issues when I use certificates from Perfigo in NAC Appliance?

A. The reason for the issues when you use certificates from Perfigo can be due to the version of Cisco NAC Appliance used. Cisco NAC Appliance Release 4.7(0) no longer contains the www.perfigo.com Certificate Authority (CA) in the .ISO or upgrade image. Administrators who require the www.perfigo.com CA in the network must manually import the CA from a local machine after the installation or upgrade to Release 4.7(0).

In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other trusted store of the appliance so that the CAM can trust the certificate of the CAS and vice-versa.

Q. AV check fails on Cisco Clean access for Windows 7 machines. How do I fix this problem?

A. This issue happens because the requirement rules were not selected for the Windows 7 OS. Under the existing requirement, choose all the requirement rules for Windows 7.

Q. The NAC denies network access due to no antivirus being installed on the workstation even though AVG 10 is installed on it. What is the reason behind this problem?

A. AVG 10 is not yet supported on NAC. Refer to Cisco bug ID CSCtj89340 (registered customers only) for more information on this enhancement.

Q. Can I pass DHCP requests for Nortel IP Phones behind a NAC?

A. Yes. You can pass the DHCP requests for Nortel IP Phones behind a NAC. Refer to Nortel IP Phones behind NAC for more information.
