Cisco Cisco NAC Appliance 4.1.0
12-72
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 12 Configuring Clean Access Agent Requirements
Troubleshooting the Agent
Note
The Login option on the Agent is correctly disabled (greyed out) in the following cases:
•
For OOB deployments, the Agent user is already logged in through the CAS and the client port is
on the Access VLAN.
on the Access VLAN.
•
For multi-hop L3 deployments, Single Sign-On (SSO) has been enabled and the user has already
authenticated through the VPN concentrator (therefore is already automatically logged into Cisco
NAC Appliance).
authenticated through the VPN concentrator (therefore is already automatically logged into Cisco
NAC Appliance).
•
MAC address-based authentication is configured for the machine of this user and therefore no user
login is required.
login is required.
Client Cannot Connect (Traffic Policy Related)
The following errors can indicate DNS, proxy or network traffic policy related issues:
•
User can login via Agent, but cannot access web page/Internet after login.
•
User cannot access web login page without typing in https://<CAS_IP_address> as the URL.
To troubleshoot these issues:
•
Verify and/or change DNS Servers setting on the CAS (under Device Management > CCA Servers
> Manage <CAS_IP> > Network > DNS)
> Manage <CAS_IP> > Network > DNS)
•
If enabling the CAS as a DHCP server, verify and/or change the DNS Servers field for the Subnet
List (under Device Management > CCA Servers > Manage <CAS_IP> > Network > DHCP >
Subnet List > List | Edit).
List (under Device Management > CCA Servers > Manage <CAS_IP> > Network > DHCP >
Subnet List > List | Edit).
•
If remediation sites cannot be reached after login, verify default host policies (Allowed Hosts) are
enabled for the Temporary role (under User Management > User Roles > Traffic Control > Host).
enabled for the Temporary role (under User Management > User Roles > Traffic Control > Host).
•
If using a proxy server, make sure a traffic policy allowing HTTP traffic to the proxy server is
enabled for the Temporary role. Verify the proxy is correctly set in the browser (from IE go to Tools
> Internet Options > Connections > LAN Settings | Proxy server).
enabled for the Temporary role. Verify the proxy is correctly set in the browser (from IE go to Tools
> Internet Options > Connections > LAN Settings | Proxy server).
See
for additional details.
AV/AS Rule Troubleshooting
To view administrator reports for the Clean Access Agent, go to Device Management > Clean Access
> Clean Access Agent > Reports. To view information from the client, right-click the Agent taskbar
icon and select Properties.
> Clean Access Agent > Reports. To view information from the client, right-click the Agent taskbar
icon and select Properties.
When troubleshooting AV/AS Rules, please provide the following information:
1.
Version of CAS, CAM, and Clean Access Agent.
2.
Client OS version (e.g. Windows XP SP2)
3.
Name and version of AV/AS vendor product.
4.
What is failing—AV/AS installation check or AV/AS update checks? What is the error message?
5.
What is the current value of the AV/AS def date/version on the failing client machine?
6.
What is the corresponding value of the AV/AS def date/version being checked for on the CAM? (see
Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info)
Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info)