Cisco NAC Appliance (Clean Access)

Clean Access Agent FAQ

Document ID: 63591



Questions

Introduction
What do I need to do to correct the problem when Mac clients are not redirected to the 'Page Not Found' page?
What operating systems are supported?
Does Cisco support Custom APIs?
Does Cisco support the agent on VMware or Shared Drivers?
The Cisco Clean Access Agent displays either the "SecureSmart is not available on the network" or "No SecureSmart Server found on the network" error message. I rebooted the Cisco Clean Access Server and worked around it for a while. How do I fix this?
The Cisco Clean Access Agent receives the "Network Error" error message while it logs on. Why is this?
What does the "this update can not be performed for an non-administrator account" error message on the Cisco Clean Access Agent during a Windows update mean?
What does the "This client version is old and not compatible. Please login from web browser to see the download link for the new version" error message on the Cisco Clean Access Agent mean?
What occurs if Clean Access Agent gets blocked by McAfee?
I have freshly installed the Windows 98 system. When I go to install the 3.2.0 Cisco Clean Access Agent client on the machine I get prompted to update the installer. However, as soon as the Cisco Clean Access Agent attempts to update the installer I get the "The provided instmsi upgrade executable 'C:Windows\Temporary Internet Files\Content.IE5\KXERWHYB\InstMSIA[2].exe' is invalid" error message. How do I fix this?
Who does the Cisco Clean Access Server try to communicate with when it connects using port 8905 as its source port?
I uploaded Cisco Clean Access Agent to my Cisco Clean Access Server. However, the Cisco Clean Access Server does not publish it. I get a message "Checking for the uploaded SmartEnforcer client file.... SmartEnforcer client file not found." How do I fix this?
How do I limit SSH access to the Cisco Clean Access Server?
How do I disable Clean Access Agent for Windows 98/95?
Why do I receive the "Access to network is blocked by the adminstrator" error message on the Cisco Clean Access Agent when I try to log in?
Does NAC 4.5 or later support Trend Micro OfficeScan 10.x?

Introduction

This document answers the most frequently asked questions (FAQs) related to Cisco Clean Access Agent (formerly Perfigo SmartEnforcer).

The product names have changed. This table lists both the old and new names:

Old Name             New Name
SmartManager         Clean Access Manager
SecureSmart Server   Clean Access Server
SmartEnforcer        Clean Access Agent
CleanMachinesAPIs    Clean Access APIs

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Q. What do I need to do to correct the problem when Mac clients are not redirected to the 'Page Not Found' page?

A. Make sure that you do not use a domain name that ends in .local. Mac clients treat this as a special DNS name for multicast DNS. Therefore, the resolution request is never sent to the DNS server.

Q. What operating systems are supported?

A. Agents are supported only on Windows 98 through XP. Mac and Linux are not supported.

Q. Does Cisco support Custom APIs?

A. No.

Q. Does Cisco support the agent on VMware or Shared Drivers?

A. This is what is supported or is not supported by the NAC agent on VMware:

  • VMware in NAT Mode

    The NAC agent is not supported, irrespective of Inband or OOB mode, because with VMware NAT mode all the VMs show up with the same IP and MAC address. Therefore, you cannot differentiate between the different VMs for auth/posture purposes.

  • VMware in Bridge Mode (L2 separation between the images, different IP/MAC addresses)

    • The NAC agent is supported in Inband mode because unique IP and MAC addresses for the VMs can be obtained.

    • The NAC agent is not supported in OOB mode because, with OOB mode, you have to restrict one MAC address per switchport. Multiple MAC addresses behind a switchport are not supported with OOB. (IP Phones and PCs connected to the IP Phones are supported.)

In summary, the NAC agent is supported on VMware if:

  • NAC is in Inband mode.

  • VMware is in bridged mode.

For all other modes, it is unsupported.

Q. The Cisco Clean Access Agent displays either the "SecureSmart is not available on the network" or "No SecureSmart Server found on the network" error message. I rebooted the Cisco Clean Access Server and worked around it for a while. How do I fix this?

A. This error is caused by the inability of the Cisco Clean Access Agent to communicate with the Cisco Clean Access Server through the SWISS protocol (the encrypted communication over UDP port 8905).

This can be due to:

  • Log files have grown too large.

    • Check to see if the Apache entries cause the logs to reach 2 GB in size. This issue is fixed in version 3.3.x and later.

  • The SS Certificate is invalid. If the certificate of the Clean Access Server is invalid/incorrect, then the HTTPS connection cannot be made properly. Verify that the certificate popup has the bottom two checks for a temporary certificate, or three checks for a CA-signed certificate.

  • The client time is incorrect. If the time on the client machine is wrong, the client might not trust the server certificate. For example, if the client time is set earlier than the server time, the certificate time appears to be in the future from the perspective of the client. Check the time on the Clean Access Server and ensure that the NTP protocol to a time server is allowed.

  • There are multiple network cards on the client machine. If the client machine has multiple cards, then it is possible that Windows uses the incorrect card to send the information. Disable the network card that is not in use in order to work around this issue.

  • Try to clear the cache on the Enforcer PC.

    • Issue the ipconfig /flushdns command at the command prompt.

      OR

    • In Internet Explorer, under Tools > Internet Options > Advanced, de-select Check for server certificate revocation.

  • Network connectivity is not established.

    • Check to make sure that you have a proper IP address.

  • The local PC or machine can have some issue after a new installation of Cisco Clean Access Agent.

    • Reboot the PC. Issue the service perfigo restart command on the Clean Access Server.

  • Destination port 8905 on the Cisco Clean Access Server is blocked by a network firewall or a personal firewall.

    • Ensure that port 8905 is open.

  • Third-party software interferes with Cisco Clean Access Agent. Try to disable such software to see if the Clean Access Agent works.

    • Try to turn off personal firewalls, disable VPN software, or disable spam blockers.

  • A software defect is identified and fixed in Cisco Clean Access Server 3.2.6.

    • Upgrade to Cisco Clean Access Manager and Cisco Clean Access Server 3.2.6.

Q. The Cisco Clean Access Agent receives the "Network Error" error message while it logs on. Why is this?

A. The Cisco Clean Access Agent shows this error when it is unable to communicate with the Cisco Clean Access Server using HTTPS. This can happen due to multiple reasons:

  • The SS Certificate is invalid. If the certificate of the Cisco Clean Access Server is invalid/incorrect, then the HTTPS connection cannot be made properly.

    Verify that the certificate popup has the bottom two checks for a temporary certificate, or three checks for a CA-signed certificate.

  • The client time is incorrect. The time on the client machine causes it to not trust the server certificate. For example, if the client time is set earlier than the server time, the certificate time appears to be in the future from the perspective of the client.

    Check the time on the Cisco Clean Access Server and ensure that the NTP protocol to a time server is allowed.

  • There are multiple network cards on the client machine. If the client machine has multiple cards, then it is possible that Windows uses the incorrect card to send the information.

    Disable the network card that is not in use in order to work around this problem.

  • Third-party software interferes with the Cisco Clean Access Agent and Cisco Clean Access Server communication. Software such as Cisco VPN Client, CheckPoint VPN Client, and personal firewalls can affect the communication.

    • Try to disable such software to see if the Cisco Clean Access Agent works.

  • Clear the cache.

    • Issue the ipconfig /flushdns command at the command prompt, or in Internet Explorer under Tools > Internet Options > Advanced, de-select Check for server certificate revocation.

Q. What does the "this update can not be performed for an non-administrator account" error message on the Cisco Clean Access Agent during a Windows update mean?

A. The issue is that the Clean Access Agent fails to perform the Windows update for non-administrators. Agent Stub is needed for a non-administrator to launch Windows Server Update Services (WSUS). The Stub service is required to support these features for non-admin users:

  • Download and install agent

  • Upgrade agent

  • Launch an executable

  • Launch WSUS updates

  • Access to Authentication VLAN change detection

  • Perform IP refresh or renew

Q. What does the "This client version is old and not compatible. Please login from web browser to see the download link for the new version" error message on the Cisco Clean Access Agent mean?

A. The issue is that the Clean Access Agent is a different version than the server. Try to match the Clean Access Agent version with the server.

Q. What occurs if Clean Access Agent gets blocked by McAfee?

A. McAfee blocks the Clean Access Agent because it identifies the webagent setup program (webagentsetup-win.exe) as a trojan. A workaround for this issue is to change the method that clients use for the download so that it excludes the ActiveX applet and strictly uses the Java component. This can be set on the CAM under User Pages > Login Page > edit > Web Client(ActiveX/Applet) > Java Applet Only. Or, the user can use any other browser, preferably Firefox.

Q. I have freshly installed the Windows 98 system. When I go to install the 3.2.0 Cisco Clean Access Agent client on the machine I get prompted to update the installer. However, as soon as the Cisco Clean Access Agent attempts to update the installer I get the "The provided instmsi upgrade executable 'C:Windows\Temporary Internet Files\Content.IE5\KXERWHYB\InstMSIA[2].exe' is invalid" error message. How do I fix this?

A. Install the full version of the Cisco Clean Access Agent 3.1.3 or 3.2.0 (greater than 5 Mb).

Q. Who does the Cisco Clean Access Server try to communicate with when it connects using port 8905 as its source port?

A. The Cisco Clean Access Agent communicates with the Cisco Clean Access Server through the SWISS protocol using encrypted communication over UDP port 8905.

Q. I uploaded Cisco Clean Access Agent to my Cisco Clean Access Server. However, the Cisco Clean Access Server does not publish it. I get a message "Checking for the uploaded SmartEnforcer client file.... SmartEnforcer client file not found." How do I fix this?

A. Upload the .exe file, not the .zip file. Make sure to extract the .exe file from the zip folder before you upload it. Also, do not change the original .exe file name.

Q. How do I limit SSH access to the Cisco Clean Access Server?

A. Change the /etc/ssh/sshd_config file by adding a line similar to this one:

ListenAddress IP_address_of_where_you_want_ssh_to_allow_connections

For example:

ListenAddress 192.168.151.60 

Issue the service sshd restart command to restart the SSHD process.
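
ListenAddress names the local address on the Clean Access Server that sshd binds to, so the change is worth verifying after the edit. The script below is an added example, not part of the Cisco document; the function name classify_listen and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco document): report which local addresses
# sshd will bind to, based on the ListenAddress lines in an sshd_config file.
# Prints one of:
#   default-all      no ListenAddress line; sshd binds to every local address
#   wildcard         an explicit 0.0.0.0 or :: entry is present
#   restricted:a,b   sshd binds only to the listed addresses
classify_listen() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value" form
        tolower($1) == "listenaddress" && NF >= 2 {
            a = $2
            if (a ~ /^\[/) {                     # [addr]:port form
                sub(/^\[/, "", a); sub(/\].*$/, "", a)
            } else if (split(a, p, ":") == 2) {  # IPv4-or-host:port form
                a = p[1]
            }
            seen++
            if (a == "0.0.0.0" || a == "::") wild++
            else list = list (list == "" ? "" : ",") a
        }
        END {
            if (!seen)     print "default-all"
            else if (wild) print "wildcard"
            else           print "restricted:" list
        }
    ' "$1"
}

# Constructed sample: the FAQ's example line plus a commented-out wildcard.
sample=$(mktemp)
printf '%s\n' '#ListenAddress 0.0.0.0' 'Port 22' \
    'ListenAddress 192.168.151.60' > "$sample"
classify_listen "$sample"
rm -f "$sample"
```

On the appliance, run it against /etc/ssh/sshd_config after the restart; any result other than restricted: followed by the intended address means sshd is still reachable on other interfaces.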

Q. How do I disable Clean Access Agent for Windows 98/95?

A. Under CleanMachines, uncheck Windows All and select each OS independently for Require Use of Clean Access Agent.

Q. Why do I receive the "Access to network is blocked by the adminstrator" error message on the Cisco Clean Access Agent when I try to log in?

A. This error message can occur if you are using both the wired and the wireless networks at the same time. Try using only the wired or only the wireless network, which might solve the issue. Also, try using CCA version 4.1.3. This might help to resolve the issue.

Q. Does NAC 4.5 or later support Trend Micro OfficeScan 10.x?

A. NAC supports Trend Micro OfficeScan 10.x starting from version 4.7.1.


Updated: Mar 04, 2009