Cisco ISE 1.3 User Guide
Web Agent Posture Discovery Request and Cisco ISE Response

The Web agent does not do a discovery probe. If an endpoint is configured to use the Web agent, Cisco ISE responds using the format "X-ISE-PDP-WEBAGENT=FQDN". The Web agent discovery response is used to invoke the Cisco NAC Agent on the client, if the client provisioning policy is configured to use the Web agent.

Agent Displays “Temporary Access”

Problem
A client machine is granted “Temporary Access” to the network following login and authentication, but administrator and users expect full network access.

Possible Causes
This issue is applicable to any client machine login session using an agent to connect.
If the Cisco NAC Agent is running on the client and:
• The interface on the client machine goes down
• The session is terminated

Resolution
The user must try to verify network connectivity and then try to log in again (and pass through posture assessment, as well) to attempt to reestablish the connection.

Agent Fails to Initiate Posture Assessment

Problem
The user is presented with a “Clean access server not available” message. This issue applies to any agent authentication session from Cisco ISE.

Possible Cause
This error could mean that either the session has terminated or Cisco ISE is no longer reachable on the network.

Resolution
• The user can try to log into the network again.
• The user can try to ping the default gateway or the RADIUS server IP address or FQDN supplied by the network administrator.
• The administrator can check network access attributes for the user (like the assigned VLAN, ACLs, routing, execute the nslookup command on the client, client machine DNS connection, and so on).

Cisco Identity Services Engine Administrator Guide, Release 1.3
AnyConnect

Cisco ISE uses an integrated module in AnyConnect for Cisco ISE posture requirements. AnyConnect is the posture agent that coexists with Cisco ISE NAC Agent on the same endpoint. Based on the client provisioning policy configuration in Cisco ISE, only one of the agents will be active at a time.

Note: Cisco AnyConnect is not supported in CWA flow. It cannot be provisioned from the Guest portal using the Require guest device compliance field in the Guest Access > Configure > Guest Portals > Create, Edit or Duplicate > Portal Behavior and Flow Settings > Guest Device Compliance Settings page. Instead, AnyConnect should be provisioned from the Client Provisioning portal as a result of redirection configured in authorization permissions.

To leverage Cisco ISE for integration with AnyConnect agent, Cisco ISE:
• Serves as a staging server to deploy AnyConnect, Version 4.0 and its future releases
• Interacts with AnyConnect posture component for Cisco ISE posture requirements
• Supports deployment of AnyConnect profiles, customization/language packages, and OPSWAT library updates for Windows and Mac OS x operating systems
• Supports AnyConnect and legacy agents at the same time

Cisco NAC Agent XML File Installation Directories

In a system where the Cisco NAC Agent is installed at the default location, you can find the following .xml files in the following directories:
• The nac_login.xml file is available in the “C:\Program Files\Cisco\Cisco NAC Agent\UI\nac_divs\login” directory.
• In the nacStrings_xx.xml file, the “xx” indicates the locale. You can find a complete list of the files in the “C:\Program Files\Cisco\Cisco NAC Agent\UI\cues_utility” directory.

If the agent is installed at a different location, then the files would be available at “\Cisco\Cisco NAC Agent\UI\nac_divs\login” and “\Cisco\Cisco NAC Agent\cues_utility”.

Cisco NAC Agent for Windows Clients

The Cisco NAC Agent provides the posture assessment and remediation for client machines.
Users can download and install the Cisco NAC Agent (read-only client software), which can check the host registry, processes, applications, and services. The Cisco NAC Agent can be used to perform Windows updates or antivirus and antispyware definition updates, launch qualified remediation programs, distribute files uploaded to the Cisco ISE server, distribute website links to websites for users to download files to fix their system, or simply distribute information and instructions.
Cisco strongly recommends that you ensure that the latest Windows hotfixes and patches are installed on Windows XP clients so that the Cisco NAC Agent can establish a secure and encrypted communication with Cisco ISE (via SSL over TCP).

Uninstall the Cisco NAC Agent from Windows 7 and Earlier Clients

The Cisco NAC Agent installs to C:\Program Files\Cisco\Cisco NAC Agent\ on the Windows client.
You can uninstall the agent in the following ways:
• By double-clicking the Uninstall Cisco NAC Agent desktop icon.
• By going to Start Menu > Programs > Cisco Systems > Cisco Clean Access > Uninstall Cisco NAC Agent
• By going to Start Menu > Control Panel > Add or Remove Programs > Cisco NAC Agent and uninstall the Cisco NAC Agent.

Uninstall the Cisco NAC Agent in a Windows 8 Client

You can uninstall Cisco NAC Agent in a Windows 8 client in Metro mode.

Procedure
Step 1 Switch to Metro Mode.
Step 2 Right-Click Cisco NAC Agent tile.
Step 3 Select Un-Install from the options available at the bottom of the screen.
Step 4 The system automatically switches to Desktop mode and opens Add/Remove control panel.
Step 5 In the Add/Remove control panel, perform one of the following:
   a) Double Click Cisco NAC Agent and click Uninstall.
   b) Select Cisco NAC Agent and click Uninstall.
   c) Right Click Cisco NAC Agent and select Uninstall.

Windows 8 Metro and Metro App Support — Toast Notifications

The Enable Toast Notification option is available on the Cisco NAC Agent Tray Icon that can send relevant notifications to users on Windows 8 clients.

In Cisco NAC Agent scenarios where the user does not get network access, like "Remediation Failed" or "Network Access expired", the Agent displays the following toast notification: Network not available, Click "OK" to continue.

To get more details, you can select the toast and you will be redirected to Desktop mode and the Cisco NAC agent dialog is displayed.

Toast Notification is displayed for all positive recommended actions that the user needs to perform to gain network access. The following are some examples:
• For Network Acceptance policy, toast will be displayed as: "Click Accept to gain network access"
• For Agent/Compliance Module Upgrade, toast will be displayed as: "Click OK to Upgrade/Update"
• In the "user logged out" event, when "Auto Close" option for Logoff is not enabled in Clean Access Manager (CAM), toast notification is provided. This toast enables the users to know that they have been logged out and that they need to log in again to get network access.

Cisco NAC Agent for Macintosh Clients

The Cisco NAC OS X Agent provides the posture assessment and remediation for Macintosh client machines.

Users can download and install the Cisco NAC OS X Agent (read-only client software), which can check antivirus and antispyware definition updates.

After users log into the Cisco NAC OS X Agent, the agent gets the requirements that are configured for the user role and the operating system from the Cisco ISE server, checks for required packages and sends a report back to the Cisco ISE server. If requirements are met on the client, the user is allowed network access. If requirements are not met, the agent presents a dialog to the user for each requirement that is not satisfied. The dialog provides the user with instructions and the action to take for the client machine to meet the requirement. Alternatively, if the specified requirements are not met, users can choose to accept restricted network access while the user tries to remediate the client system.

Uninstall the Cisco NAC Agent from Macintosh Clients

You can uninstall the Cisco NAC Agent for Mac OS X clients by running the uninstall script as follows:

Procedure
Step 1 Open the navigator pane and navigate to > Applications.
Step 2 Highlight and right-click the CCAAgent icon to bring up the selection menu.
Step 3 Choose Show Package Contents and double-click NacUninstall to uninstall the Cisco NAC Agent on Mac OS X.

Cisco Web Agent

The Cisco Web Agent provides temporal posture assessment for client machines.

Users can launch the Cisco Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet.
After users log into the Cisco Web Agent, the Web Agent gets the requirements that are configured for the user role and the operating system from the Cisco ISE server, checks the host registry, processes, applications, and services for required packages and sends a report back to the Cisco ISE server. If requirements are met on the client machine, the user is allowed network access. If requirements are not met, the Web Agent presents a dialog to the user for each requirement that is not satisfied. The dialog provides the user with instructions and the action to take for the client machine to meet the requirement. Alternatively, if the specified requirements are not met, users can choose to accept the restricted network access while they try to remediate the client system so that it meets requirements for the user login role.
Note: ActiveX is supported only on the 32-bit versions of Internet Explorer. You cannot install ActiveX on a Firefox web browser or on a 64-bit version of Internet Explorer.

Cisco NAC Agent Logs

In the Cisco NAC Agent for Windows, right-click the Agent Tray Icon and then click Log Packager to run the support package and collect the agent logs.

In the Cisco NAC Agent for Cisco NAC OS X, in the Tools menu, right-click the Agent icon and click the Collect Support Logs option to collect the agent logs and support information. The collected information is available as a zip file. The user can save the file by choosing the file location and file name. By default the file is saved on the desktop with the file name as CiscoSupportReport.zip.

If the agent crashes or hangs, you can run the CCAAgentLogPackager.app to collect the logs. This file is available at /Applications/CCAAgent.app. You can right-click CCAAgent.app, select Show Package Contents and double-click CCAAgentLogPackager to collect the support information.

Create an Agent Customization File for the Cisco NAC Agent

An agent customization file allows you to customize the logo, fields, and message text contained in a Cisco NAC Agent screen dialog to suit your specific Windows client network access requirements.

You can create a customization package as a .zip file that contains an XML descriptor file and another .zip file with the contents comprising the customized options.
Procedure
Step 1 Assemble the files required to comprise your Agent screen customization package:
• Customized nac_login.xml file
• Customized corporate/company logo as a .gif file
• One or more customized nacStrings_xx.xml files
• Customized updateFeed.xml descriptor file
Step 2 Create a zip file called “brand-win.zip” that contains the assembled files. For example, in a Linux or Unix environment, execute the following:
   zip -r brand-win.zip nac_login.xml nac_logo.gif nacStrings_en.xml nacStrings_cy.xml nacStrings_el.xml
Step 3 Create a “custom.zip” file that contains an appropriate updateFeed.xml descriptor file and the .zip file created above. For example, in a Linux or Unix environment, execute the following:
   zip -r custom.zip updateFeed.xml brand-win.zip
Step 4 Save the resulting “custom.zip” file to a location on a local machine that you can access when uploading the file to Cisco ISE.
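A pre-upload check for the package layout built in Steps 2 and 3, as an added example that is not part of the Cisco guide: it confirms that custom.zip holds updateFeed.xml plus a nested brand-win.zip, and that brand-win.zip holds nac_login.xml, a .gif logo and at least one nacStrings_xx.xml. The function names and the placeholder file contents are assumptions; XML is checked only for well-formedness, not against the Agent's own schema.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

STRINGS_RE = re.compile(r"^nacStrings_[A-Za-z]{2}\.xml$")  # xx = two-character locale

def zip_bytes(files):
    """Build a zip archive in memory from {name: bytes} (used for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def xml_ok(zf, name):
    """True if the named archive member parses as well-formed XML."""
    try:
        return ET.fromstring(zf.read(name)) is not None
    except ET.ParseError:
        return False

def check_custom_package(data):
    """Return a list of problems in custom.zip bytes; an empty list means OK."""
    try:
        outer = zipfile.ZipFile(io.BytesIO(data))
        names = outer.namelist()
        inner = zipfile.ZipFile(io.BytesIO(outer.read("brand-win.zip")))
    except (zipfile.BadZipFile, KeyError):
        return ["custom.zip must be a zip that contains brand-win.zip (also a zip)"]
    problems = []
    if "updateFeed.xml" not in names:
        problems.append("custom.zip: missing updateFeed.xml")
    elif not xml_ok(outer, "updateFeed.xml"):
        problems.append("updateFeed.xml: not well-formed XML")
    inner_names = inner.namelist()
    wanted = {"nac_login.xml": lambda n: n == "nac_login.xml",
              ".gif logo": lambda n: n.lower().endswith(".gif"),
              "nacStrings_xx.xml": STRINGS_RE.match}
    for label, ok in wanted.items():
        if not any(ok(n) for n in inner_names):
            problems.append(f"brand-win.zip: missing {label}")
    problems += [f"{n}: not well-formed XML" for n in inner_names
                 if n.endswith(".xml") and not xml_ok(inner, n)]
    return problems

if __name__ == "__main__":  # constructed sample with placeholder contents
    brand = zip_bytes({"nac_login.xml": b"<login/>", "nac_logo.gif": b"GIF89a",
                       "nacStrings_en.xml": b"<strings/>"})
    print(check_custom_package(zip_bytes({"updateFeed.xml": b"<feed/>", "brand-win.zip": brand})))
```

To check a package on disk, pass the file's bytes, for example `check_custom_package(open("custom.zip", "rb").read())`.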
Custom nac_login.xml File Template

The nac_login.xml file is one of the files that is required in your Agent screen customization package, which allows you to customize the logo, fields, and message text contained in a Cisco NAC Agent dialog, like the Properties window, to suit your specific Windows client network access requirements.

Use the following template to construct an appropriate “nac_login.xml” file to customize the logo, fields, and message text contained in a Cisco NAC Agent screen.

The following example shows a customized file.

Custom nacStrings_xx.xml File Template

This is one of the files that is required in your Agent screen customization package, and allows you to customize the logo, fields, and message text contained in a Cisco NAC Agent dialog, like the Properties screen, to suit your specific Windows client network access requirements.

Use the following template to construct one or more nacStrings_xx.xml files, where xx is a two-character identifier for the specific language.

The following example shows a customized nacStrings_xx.xml file.

Cisco Systems, Inc. Cisco Systems Cisco Cisco Copyright 2009-2013 All Rights Reserved
NAC Agent %1 is available.%br%Do you want to install this update now?
Unable to update NAC Agent. Please try again.
Downloading the update of NAC Agent.
Package Name Completed %1 of %2 bytes Speed %1 bytes/sec
NAC Agent Posture component version %1 is available.%br%Do you want to install this update now?
Unable to update NAC Agent Posture component. Please try again.
Downloading the update of NAC Agnet Posture component.
Education First Compliance Check Version Posture Component Version Enter your username Enter your PIN Remember Me Server
Custom EF package version 2.1.1.1 with EF Logo
This account is already active on another device
Login as Different User Remove Oldest Login Session Dev Tools
Performing Windows Domain automatic login for NAC
Unknown authentication type
Performing device filter automatic login for NAC
Performing automatic login into NAC environment for remote user
Authenticating User Sending Response Checking Requirements System Check Complete NAC Process Completed NAC Process Completed Network Usage Policy Agent Properties & Information Remediating System Session has Expired Update Agent Downloading Agent Update Posture Component Downloading Posture Component Checking About Cancel Logout Remediating System System Check Complete Logged In Network Access Denied Temporary Network Access
Please be patient while your system is checked against the network security policy
Accept
Apply Cancel Update Later Close Hide Compliance Show Compliance Download Guest Access Go To Link Launch Log In Re-Scan OK Hide Properties Reject Repair Rescan Reset Get Restricted NET access This one comes down from the network Save Report Skip Skip All Optional Submit Update days
There is approximately %1 left until your temporary network access expires
Your Temporary Network Access has Expired!
%1 left
Expired!
This window will close in %1 secs
Full Network Access
Your device conforms with all the security policies for this protected network
Only optional requirements are failing. It is recommended that you update your system at your earliest convenience.
Refreshing IP address. Please Wait...
Refreshing IP address succeeded.
Connecting to protected Network. Please Wait...
Guest Network Access Network Access Denied
There is at least one mandatory requirement failing. You are required to update your system before you can access the network.
Network Usage Terms and Conditions are rejected. You will not be allowed to access the network.
Restricted Network Access granted.
You have been granted restricted network access because your device did not conform with all the security policies for this protected network and you have opted to defer updating your system. It is recommended that you update your system at your earliest convenience.
Temporary Network Access
Please be patient while your system is checked against the network security policy.
Performing Re-assessment
There is at least one mandatory requirement failing. You are required to update your system otherwise your network access will be restricted.
Performing Re-assessment
Only optional requirements are failing. It is recommended that you update your system at your earliest convenience.
Logged out
Temporary Access to the network has expired.
Logged out Finished Checking Requirements
Please be patient while we determine if your system is compliant with the security policy
Checking %1 out of %2
Access to the network requires that you view and accept the following Network Usage Policy
Network Usage Policy Terms and Conditions Remediating Please Remediate
Checking for compliance with
Requirement Name Location Software program(s) Update
Do not change current setting Notify before download Notify before install Download and installation Change to notify before download Change to notify before installation Change to download and installation
Description Security Compliance Summary Scan Result Requirement Name Requirement Description - Remediation Suggestion Mandatory Optional Passed
Please download and install the optional software before accessing the network
Please download and install the required software before accessing the network
Please launch the optional remediation program(s) before accessing the network