NAC Agent Issue

Unanswered Question
Jul 26th, 2010
User Badges:

Hi


I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:


1. Antivirus installation check


2. Antivirus definition check


3. File check


I have configured the definition check to remediate via internal update servers if 30 days or more out of date.


The issue I'm seeing is that the end user recieves the following Cisco Agent error during the remediation process (while in the temporary role):


"The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."


The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore It's no so much an issue, just a misleading message displayed to the user.


Has anyone seen this before or know where this is configure?


Kind Regards

Terry

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Faisal Sehbai Mon, 07/26/2010 - 07:29
User Badges:
  • Gold, 750 points or more

Terry,


What AV and what version of that AV are you running? Your users are admins on their machines?


Faisal

Terry Mon, 07/26/2010 - 07:56
User Badges:

Hi Faisal


Thanks for your reply, Symantec Antivirus 10.X is being used and the users (so far test machines) have admin rights.


Kind Regards

Terry

Faisal Sehbai Tue, 07/27/2010 - 04:58
User Badges:
  • Gold, 750 points or more

Terry,


Can you please post an agent log file from an affected machine?


If it's 4.7, it would be just running the Cisco Log Packager utility from the Start -> Programs menu.


Thanks,

Faisal

blaxucisco Sun, 09/12/2010 - 19:48
User Badges:

Hi Faisal,


I also have same problem. we are using symantec endpoint 11. though user has full administrative right on the workstation it doesn't have a privilege to update the virus definition, manual definition update option has been disabled by antivirus server configuration. for the successful remediation, does user needs to have manual update privilege?


Laxman

Faisal Sehbai Mon, 09/13/2010 - 19:04
User Badges:
  • Gold, 750 points or more

Laxman,


If the AV server has the update options disabled, I don't think NAC can do anything here. You'll have to work with the AV server's admin to ensure that your users can do manual update of their AV, if need be.


HTH,

Faisal

blaxucisco Mon, 09/13/2010 - 19:59
User Badges:

Hi Faisal,


my problem is when NAC try to remediate the client it is getting error message (images are attached). That means if user doesn't have a privilege to udpate the antivirus, NAC agent also can not do the remediation process am I right?



Faisal Sehbai Tue, 09/14/2010 - 20:58
User Badges:
  • Gold, 750 points or more

Laxman,


The screenshots suggest you have a newer version of the agent running. This agent should have been installed as an administrator. If it wasn't then you would see the privilege problems.


Can you please verify whether the agent was installed as an admin? If not, can you install it as one and try your test again?


Thanks,

Faisal

blaxucisco Tue, 09/14/2010 - 21:08
User Badges:

Hi Faisal,


this agent has been installed via centrally, pushing from the software deployement server. and we have to install to all computers (aobut 1500) by same way. int this scenario, its not easy to install the agent with administrative privilege  on the all pcs. so, which version of nac agent should I use to eliminate this problem?


thank you

Laxman

marioderosa2008 Tue, 06/19/2012 - 05:40
User Badges:

Hi Faisal,


I am still having this problem.


Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automaticly. therefore i am having to disconnect and re-connect the network cable for the agent to realise that I am not fully compliant.


Is there anything that i can do to make this posture / remediation process, automatic and seemless?


Mario

marioderosa2008 Mon, 05/21/2012 - 06:51
User Badges:

Hi Faisal,


I have the same problem. My users get redirected to a web page with a link to install the NAC agent, this installation used to fail. So I made the user an admin on his own machine.


The installation now succeeds, so the agent is being installed as a Local Admin, however I still get the exact same error above.


Currently my ISE is handing out agent version 4.9.0.37


Any help appreciated.


Mario

Actions

This Discussion