Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

NAC Agent never seems to initiate communication with CAS

I can (occassionally) get the pilot NAC devices to log-in to the CAS server through a combination of restarting the NAC Agent service, re-starting the NAC Agent UI, and bouncing the port.

My configuration is an L3 OOB GW - my issue does not seem to be with NAC but rather with getting the agents to initiate communication with the CAS in the first place.

I am using NAC CAM/CAS 4.7.2 and agent version

The unauthenticated/untrusted roles have been allowed full unrestricted inbound access through the CAS as part of the troubleshooting process.

I have attached a copy of the report generated by the log packager utility on a machine which was failing to log-in.

(incidentally I note on every machine I have attempted to run the log packager on that the 'log agent plugin' fails to return a response within 300 secs and hence does not generate any useful output. - is there ANY way to get visibility into these logs eithere through a different utility/viewer or by entending the 300-second timeout when packaging logs?)

Thanks in advance


Everyone's tags (5)
New Member

Re: NAC Agent never seems to initiate communication with CAS

Yeah, it looks like there's something weird going on with the agent - the only log included only goes from Nov 9th 15:06:58 to 15:07:15 and basically just covers the NAC service launching the GUI. 

Is this virtual gateway or real IP gateway?  If you go back to blocking port 80 and 443 traffic on the CAS, do you get redirected to the CAS when you open up the web browser?

New Member

Re: NAC Agent never seems to initiate communication with CAS

Attached is a new log generated today for comparison... without the ability to interpret these logs files myself I'm not sure if they are of any more use than the last set.  (this log was generated on a user workstation that has the agent installed but is NOT logging in to the CAS.

The CAS in this case is a (pair of) Real IP Gateway(s) configured OOB.

In response to your question - it is possible on any of these workstations to log into the CAS using the WEB login (by explicitly typing the IP address of the url for the cas) - did you want me to specifically deny 80 and 443 traffic and then see if any attempted web connection will result in a prompt within the IE window?  (I can consider doing so although there is a proxy server in use on site which is situated 'behind' the CAS from the perspective of these users)

Is there anything unusual about the fact that one of the plugins initiated by the log packager never completes within the 300 seconds or is this something you see fairly regularly?