Cisco Support Community
NAC: How to reduce login time of Windows Client Machines in Authentication VLAN

Hi All,

I am trying to reduce the login time the client machines take when they are in the authentication VLAN. The login time increases from 5 minutes to 7 minutes when machines are managed by the NAC.

We need the NAC Agent to perform AD SSO and posture assessment before login scripts or other processes execute. It is critical for us to delay other processes from executing until after NAC places client machines on the access VLAN, because those processes would hang & fail while they are in the authentication VLAN. One of the processes that hung & failed is the mapping of different network drives when login scripts are executed.

We ran a test script and discovered that the NAC Agent will not execute until it inserts itself into the Windows system tray, which requires the execution of the Windows iExplorer process. However, executing the Windows iExplorer process also means executing many other processes that should not be executed (since they will hang & fail) until after NAC moves those client machines into the access VLAN.

I need to know if it is possible to execute the NAC Agent w/o it inserting itself into the system tray. If possible, how is this achieved?

Any help is appreciated.

Thank you 

ACCEPTED SOLUTION

Re: NAC: How to reduce login time of Windows Client Machines in

David,

Currently not possible. NAC agent runs as a program and has to run under user credentials for it to be able to identify the user correctly that is being NAC'd. In later versions there's a service component of the agent, but the SSO functionality still relies on the Agent being loaded correctly. Your option is to run a delay script (detailed here: http://tinyurl.com/25d2aua) and once that passes, then call your other scripts which do the mapping.

Also if you're having such inordinate delays in the initial SSO process, ensure you have all the ports open that need to be open, including the IP FRAGMENTS and ICMP to all your DCs in the Unauthenticated Role.

HTH,

Faisal
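One way to build the "delay script, then map" sequence Faisal describes is a PowerShell login-script wrapper that polls a resource which only answers once the NAC has moved the host to the access VLAN, and maps drives only after that probe succeeds. This is an added example written for this thread, not Cisco's script or the one behind the link above. The host name FILESRV01.corp.example, the share paths, the drive letters and the timeouts are all constructed placeholders; the probe target must be something that is blocked in the Unauthenticated Role (a file server, not a DC, since the DCs have to be reachable there for AD SSO to work), otherwise the wait passes before NAC has finished.

```powershell
# Added example (not from the thread): wait for the access VLAN, then map drives.
# Assumption: FILESRV01.corp.example and its shares are placeholders; port 445 (SMB)
# on that server is unreachable from the authentication VLAN and reachable after
# the NAC agent completes SSO and posture assessment.
param(
    [string]$ProbeHost   = 'FILESRV01.corp.example',  # placeholder file server
    [int]   $ProbePort   = 445,                       # SMB: drive mapping needs this anyway
    [int]   $TimeoutSec  = 300,                       # give up after 5 minutes
    [int]   $IntervalSec = 5                          # poll interval
)

# TCP connect probe with its own timeout; a DNS failure in the auth VLAN is
# caught and simply reported as "not reachable yet".
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Poll until the probe succeeds or the deadline passes.
function Wait-ForAccessVlan {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutSec, [int]$IntervalSec)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if (Test-TcpPort -ComputerName $ComputerName -Port $Port) { return $true }
        Start-Sleep -Seconds $IntervalSec
    }
    return $false
}

# Drive mappings (constructed placeholders).
$mappings = @{
    'H' = '\\FILESRV01.corp.example\home'
    'S' = '\\FILESRV01.corp.example\shared'
}

if (Wait-ForAccessVlan -ComputerName $ProbeHost -Port $ProbePort `
                       -TimeoutSec $TimeoutSec -IntervalSec $IntervalSec) {
    foreach ($letter in $mappings.Keys) {
        # net use keeps the behaviour of a classic login script; /persistent:no
        # avoids a stale mapping being retried at the next logon before NAC runs.
        & net use "$($letter):" $mappings[$letter] /persistent:no | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Mapping $($letter): to $($mappings[$letter]) failed (net use exit $LASTEXITCODE)."
        }
    }
    exit 0
} else {
    # Do not attempt the mappings: they would hang exactly as described in the question.
    Write-Warning "Access VLAN not reached within $TimeoutSec s; skipping drive mapping."
    exit 1
}
```

Run it as the user's logon script (or call it from the existing one before any mapping lines). The wait is only a sequencing aid for the client; enforcement of the VLAN move still happens on the NAC side, so a probe that passes early only means the probe target was reachable from the Unauthenticated Role, which is worth checking against the port list Faisal mentions.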

4 REPLIES

Re: NAC: How to reduce login time of Windows Client Machines in

Faisal,

We also have another client form factor that needs to be NAC'd as well.

It appears to me that the issue lies in that NAC requires iexplore.exe to be the user shell. Whenever a user logs in with an alternative shell such as CMD.exe, NAC fails and throws the error message "it is unable to place itself in the taskbar". We have other Windows client form factors that have alternative shells, and we still want their access to be controlled by the NAC. We are hoping that there is an alternative method to authenticate or a workaround to this issue. Please advise.

Re: NAC: How to reduce login time of Windows Client Machines in

David,

That might be problematic too. Agent is supported on certain OSes, and the agent actually does a lot of communication using the IE engine with the CAS using HTTPS, so if that particular mode of communication isn't available to the agent, it won't work.

Your best bet then is to filter those alternate devices, or if they support any sort of browsing, to do web-login with them.

HTH,

Faisal

Re: NAC: How to reduce login time of Windows Client Machines in

Faisal,

If we do web-login, can AD-SSO be used as the provider instead of the NAC's Local Database?

915 Views, 0 Helpful, 4 Replies