This document answers the most frequently asked questions (FAQs)
related to Cisco Clean Access Agent (formerly Perfigo SmartEnforcer).
The product names have changed. This table lists both the old and new
Clean Access Manager
Clean Access Server
Clean Access Agent
Clean Access APIs
Refer to the
Technical Tips Conventions for more information on document
What operating systems are supported?
A. Agents are supported on these Operating Systems.
NAC Appliance Agent/OS/Browser Support Matrix for more information on
supported browsers and Java versions.
Does Cisco support Custom APIs?
Does Cisco support the agent on VMware or Shared Drivers?
A. This is what is supported or is not supported by the NAC agent on
VMware in NAT Mode
The NAC agent is not supported irrespective of Inband or OOB because,
with VMware NAT mode, all the VMs show up with same IP and MAC. Therefore, you
cannot differentiate between the different VMs for auth/posture
VMware in Bridge Mode (L2 separation between the images,
different IP/MAC addresses)
The NAC agent is supported in Inband mode because unique IP and MAC
addresses for the VMs can be obtained.
The NAC agent is not supported in OOB mode because, with OOB mode,
you have to restrict one MAC address per switchport. Multiple MAC addresses
behind a switchport are not supported with OOB. (IP Phones and PCs connected to
the IP Phones are
Hence, the summary is that the NAC agent is supported on VMware if
For all other modes, it is unsupported.
Does NAC 4.5 or later support Trend Micro OfficeScan
A. NAC supports Trend Micro OfficeScan 10.x starting from version
The Cisco Clean Access Agent displays either the
"SecureSmart is not available on the network" or
"No SecureSmart Server found on the network" error
message. I rebooted the Cisco Clean Access Server and worked around it for a
while. How do I fix this?
A. This error is caused by the inability of the Cisco Clean Access Agent
to communicate with the Cisco Clean Access Server through the SWISS protocol
(the encrypted communication over UDP port 8905).
This can be due to:
Log files have grown too large.
Check to see if the Apache entries cause the logs to reach 2 GB in
size. This issue is fixed in version 3.3.x and later.
The SS Certificate is invalid. If the certificate of the Clean Access
Server is invalid/incorrect, then the HTTPS connection cannot be made properly.
Verify that the certificate popup has the bottom two checks for temporary
certificate, or three checks for CA-signed certificate.
The client time is incorrect. If the time on the client machine
causes it to not trust the server certificate (for example, client time is set
to a time that is earlier than the server time), this causes the certificate
time to be in the future from the perspective of the client. Check the time on
the Clean Access Server and ensure that the NTP protocol to a time server is
allowed.
There are multiple network cards on the client machine. If the client
machine has multiple cards, then it is possible that Windows uses the incorrect
card to send the information. Disable the network card that is not in use in
order to work around this issue.
Try to clear the cache on the Enforcer PC.
Issue either the ipconfig or
dnsflush command under the command prompt.
In Internet Explorer, under Tools > Internet Options
> Advanced, de-select Check for server certificate revocation.
Network connectivity is not established.
Check to make sure that you have a proper IP address.
The local PC or machine can have some issue after a new installation
of Cisco Clean Access Agent.
Reboot the PC. Issue the service perfigo
restart command on the Clean Access Server.
Destination port 8905 on the Cisco Clean Access Server is blocked by
a network firewall or a personal firewall.
Ensure that port 8905 is opened.
Third Party software interferes with Cisco Clean Access Agent. Try to
disable such software to see if the Clean Access Agent works.
Try to turn off personal firewalls, disable VPN software, or disable
A software defect is identified and fixed in Cisco Clean Access
Upgrade to Cisco Clean Access Manager and Cisco Clean Access Server
The Cisco Clean Access Agent receives the "Network
Error" error message while it logs on. Why is
A. The Cisco Clean Access Agent shows this error when it is unable to
communicate with the Cisco Clean Access Server using HTTPS. This can happen due
to multiple reasons:
The SS Certificate is invalid. If the certificate of the Cisco Clean
Access Server is invalid/incorrect, then the HTTPS connection
cannot be made properly.
Verify the certificate popup has the bottom two checks for temporary
certificate, or three checks for CA-signed certificate.
The client time is incorrect. The time on the client machine causes
it to not trust the server certificate. For example, client time is set to a
time that is earlier than the server time. This causes the certificate time to
be in the future from the perspective of the client.
Check the time on the Cisco Clean Access Server and ensure that the
NTP protocol to a time server is allowed.
Multiple network cards on the client machine. If the client machine
has multiple cards, then it is possible that Windows uses the incorrect card to
send the information.
Disable the network card that is not in use in order to work around
this issue.
Third Party software interferes with the Cisco Clean Access Agent and
Cisco Clean Access Server communication. Software such as
Cisco VPN Client, CheckPoint© VPN Client, and personal firewalls can
affect the communication.
Try to disable such software to see if the Cisco Clean Access Agent
Clear the cache.
What does the "this update can not be performed for an
non-administrator account" error message on the Cisco Clean
Access Agent during a Windows update mean?
A. The issue is that the Clean Access Agent fails to perform the Windows
update for non-administrators. Agent Stub is needed for a non-administrator to
launch Windows Server Update Services (WSUS). The Stub service is required to
support these features for non-admin users:
Download and install agent
Launch an executable
Launch WSUS updates
Access to Authentication VLAN change detection
Perform IP refresh or renew
What does the "This client version is old and not
compatible. Please login from web browser to see the download link for the new
version" error message on the Cisco Clean Access Agent
A. The issue is that the Clean Access Agent is a different version than
the server. Try to match the Clean Access Agent version with the server.
I have freshly installed the Windows 98 system. When I go to install the
3.2.0 Cisco Clean Access Agent client on the machine I get prompted to update
the installer. However, as soon as the Cisco Clean Access Agent attempts to
update the installer I get the "The provided instmsi upgrade
executable 'C:Windows\Temporary Internet
Files\Content.IE5\KXERWHYB\InstMSIA.exe' is invalid" error
message. How do I fix this?
A. Install the full version of the Cisco Clean Access Agent 3.1.3 or 3.2.0
(greater than 5 Mb).
I uploaded Cisco Clean Access Agent to my Cisco Clean Access Server.
However, the Cisco Clean Access Server does not publish it. I get a
"Checking for the uploaded SmartEnforcer client file....
SmartEnforcer client file not found." error message. How do I
A. Upload the .exe file, not the .zip file. Make sure to extract the .exe
file from the zip folder before you upload it. Also, do not change the original
.exe file name.
Why do I receive the "Access to network is blocked by the
adminstrator" error message on the Cisco Clean Access Agent when
I try to log in?
A. This error message can occur if you use both the wired and the wireless
networks at the same time. Try using only the wired or only the wireless
network, which might solve the issue. Also, try using CCA version 4.1.3.
This might help to resolve the issue.
Why do I receive the "Warning: The current Trusted
Certificate Authority 'www.perfigo.com' is suited for lab environments only.
Cisco recommends importing a third-party Certificate Authority. Please check
your Clean Access Server(s) and standby Clean Access Manager for similar
messages." error message after upgrading the NAC
A. This error message is due to the Perfigo certificates. This issue can
be resolved by deleting the Perfigo CA from the trusted CA list.
What does the "Revocation information for the security
certificate for this site is not available. Do you want to
proceed" error message on the Cisco Clean Access Agent
A. This issue is due to the unavailability of the revocation information
for the security certificate. There are two resolutions available for this
issue:
When you use a CA-signed CAS SSL certificate, check the CRL
Distribution Points field of the certificate, which includes
intermediate or root CA, and add the URL hosts to the allowed Host Policy of
the Unauthenticated/Temporary/Quarantine Roles. This allows the Agent to fetch
the CRLs when logging in.
Complete these steps in your Internet browser in order to resolve
Import the certificate to the trusted root store of the client
Choose Tools > Internet Options > Advanced tab >
Security section and uncheck Check for server certificate
revocation (requires restart).
Now close the existing browser and open a new one in order for the
changes to take
Another workaround to remove this error message is available. You
to the NACAgentCFG.xml file in this directory:
C:\Program Files\Cisco\Cisco NAC Agent
Note: The "Network Error SSL Certificate Rev Failed
12057" error message on the Cisco Clean Access Agent is generated due
to this problem.
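The first resolution above (allowing the CRL hosts in the Host Policy) and the client-time cause described earlier for the Network Error message can both be checked from certificate fields. The following is an added example, not part of the Cisco document: it works on constructed certificate data in the dict shape returned by Python's ssl getpeercert(), and the host names, dates and function names are assumptions made for illustration.

```python
import ssl
from urllib.parse import urlsplit

# Constructed sample data in the dict shape returned by ssl.SSLSocket.getpeercert().
# Host names and dates are made up for illustration.
CAS_CERT = {
    "subject": ((("commonName", "cas.example.test"),),),
    "notBefore": "Mar  1 00:00:00 2011 GMT",
    "notAfter": "Mar  1 00:00:00 2013 GMT",
    "crlDistributionPoints": (
        "http://crl.issuing-ca.example.test/issuing.crl",
        "ldap://dir.example.test/cn=issuing,o=example?certificateRevocationList",
    ),
}
INTERMEDIATE_CERT = {
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
    "crlDistributionPoints": ("http://crl.root-ca.example.test:8080/root.crl",),
}


def validity_from_client_clock(cert, client_epoch):
    """Classify the certificate as seen by a client whose clock reads client_epoch."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if client_epoch < not_before:
        # Client clock is behind: the certificate appears to start in the future.
        return "not-yet-valid"
    if client_epoch > not_after:
        return "expired"
    return "valid"


def crl_hosts_for_host_policy(chain):
    """Return (hosts to allow, non-HTTP CRL URLs left for manual review)."""
    allow, skipped = set(), []
    for cert in chain:
        for url in cert.get("crlDistributionPoints", ()):
            parts = urlsplit(url)
            if parts.scheme in ("http", "https") and parts.hostname:
                allow.add(parts.hostname.lower())
            else:
                skipped.append(url)
    return sorted(allow), skipped
```

Pass every certificate in the chain, since the CRL Distribution Points of the intermediate or root CA certificates can name different hosts than the server certificate does.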
Refer to these documents for more information:
When I launch the Web agent on a Windows 7 machine, it fails with error
message code 3. How do I fix this issue?
A. The error code 3 is a message that indicates that the agent was
downloaded but not installed. These are possible workarounds:
Verify that UAC (User Account Control) is enabled.
Verify that Internet Explorer is running in Administrator
Verify if some ActiveX function fails and try to reset all the IE
and ActiveX permissions to default.
Verify if any other Anti Virus (AV) software prevents IE from
launching its executable from its temporary directory.
I receive an Internet Explorer script error when the NAC agent tries to
start. How do I resolve this issue?
A. The error message is shown below.
Complete these steps in order to fix this issue:
Uninstall the Cisco NAC Agent from the system.
Manually delete the C:\Program Files\Cisco\Cisco NAC
Download regrserv32a.exe from this URL:
Run regserv32a.exe. The application is extracted to your local
Open a command prompt, and change to the directory in which the
regserv32.exe application was extracted.
Run regsvr32.exe msxml3.dll.
A dialog box appears that states the registration was successful.
Install the Cisco NAC Agent.
Verify that the Cisco NAC Agent starts
What do I need to do in order to correct the issue when Mac clients do not
redirect to the Page Not Found page?
A. Make sure that you do not use a domain name that ends in .local. Mac OS
treats this as a special DNS name for multicast DNS. Therefore, the resolution
request is never sent to the DNS server.
What occurs if Clean Access Agent gets blocked by
A. McAfee blocks the Clean Access Agent because it identifies
the webagent setup program (webagentsetup-win.exe) as a trojan. A
workaround for this issue is to modify the method that clients download to
exclude the ActiveX applet and strictly utilize the Java component. This can be
set on the CAM using the User Pages - Login Page - edit - Web
Client(ActiveX/Applet) - Java Applet Only. Or, the user can use any
other browser, preferably Firefox.
Who does the Cisco Clean Access Server try to communicate with when it
connects using port 8905 as its source port?
A. The Cisco Clean Access Agent communicates with the Cisco Clean Access
Server through the SWISS protocol using encrypted communication over UDP port
8905.
How do I limit SSH access to the Cisco Clean Access Server?
A. Change the /etc/ssh/sshd_config file by adding a line
similar to this one:
Issue the service sshd restart command to
restart the SSHD process.
How do I disable Clean Access Agent for Windows 98/95?
A. Under CleanMachines, uncheck Windows All and select
each OS independently for Require Use of Clean Access Agent.
The Edge switches running SNMPv3 are not polled correctly by the
Collector after sending a link up or MAC notification trap. Discovery of
endpoints connecting to ports on switches running SNMPv3 is delayed until the
next regular poll of the switch by NetMap in the NAC Profiler.
A. This issue is related to the Cisco bug ID
(registered customers only). Refer to this bug for more
Why are there some issues when I use certificates from Perfigo in NAC
A. The reason for the issues when you use certificates from Perfigo can be
due to the version of Cisco NAC Appliance used.
NAC Appliance Release 4.7(0) no longer contains the
www.perfigo.com Certificate Authority (CA) in
the .ISO or upgrade image. Administrators who require the
www.perfigo.com CA in the network must manually
import the CA from a local machine after the installation or upgrade to Release
In order to establish the initial secure communication channel between
a CAM and CAS, you must import the root certificate from each appliance into
the trusted store of the other appliance so that the CAM can trust the
certificate of the CAS and vice-versa.
AV check fails on Cisco Clean Access for Windows 7 machines. How do I fix
A. This issue happens because the requirement rules did not have the correct
rule chosen under the Windows 7 OS. Choose all the requirement rules for
Windows 7 under the existing requirement.
The NAC denies network access due to no antivirus being installed on the
workstation even though AVG 10 is installed on it. What is the reason behind
A. AVG 10 is not yet supported on NAC. Refer to Cisco bug ID CSCtj89340
(registered customers only) for more information on
Can I pass DHCP requests for Nortel IP Phones behind a
A. Yes. You can pass the DHCP requests for Nortel IP Phones behind a NAC.
Refer to Nortel IP
Phones behind NAC for more information.