 Feedback
|
Table Of Contents
Release Notes for Cisco NAC Appliance,
Version 4.8(2)System and Hardware Requirements
Release 4.8(2) and Hardware Platform Support
Release 4.8(2) and Cisco NAC Profiler
Supported Switches for Cisco NAC Appliance
VPN and Wireless Components Supported for Single Sign-On (SSO)
Additional Support Information
Release 4.8(2) CAM/CAS Upgrade Compatibility Matrix
Release 4.8(2) CAM/CAS/Agent Compatibility Matrix
Release 4.8(2) Agent Upgrade Compatibility Matrix
Determining the Software Version
Enhancements in Release 4.8(2)
Support for Internet Explorer 9.0
Support for Internet Explorer 10 on Windows 7
Cisco NAC Windows Agent Version 4.8.2.1
Mac OS X Agent Version 4.8.2.590
Mac OS X Agent Version 4.8.2.591
Cisco NAC Web Agent Version 4.8.2.1
Features Optimized/Removed in Release 4.8(2)
Supported AV/AS Product List Enhancements (Windows Version 86, Mac OS X Version 9)
Cisco NAC Appliance Supported AV/AS Products
Resolved Caveats - Release 4.8(2)
Resolved Caveats - Cisco NAC Agent Vers 4.8.2.1/Mac OS X Vers 4.8.2.590
New Installation of Release 4.8(2)
Paths for Upgrading to Release 4.8(2)
Migrating from Customer-Supplied Hardware to Release 4.8(2) on a NAC-3310/3350/3390 Platform
Upgrading an Existing NAC-3310/3350/3390 Platform to Release 4.8(2)
Migrating from a NAC-3310/3350/3390 Platform to Release 4.8(2) on a NAC-3315/3355/3395 Platform
Features That May Change With Upgrade
General Preparation for Upgrade
Upgrade Instructions for Standalone Machines
Summary of Steps for Standalone Upgrade
Copy the Upgrade File to the CAS/CAM
Run the Upgrade Script on a Release 4.7(x) or 4.8(x) CAM/CAS
Run the Upgrade Script on a Release 4.6(1) CAM/CAS
Upgrade Instructions for HA Pairs
Release 4.8(2) Upgrade Instructions for HA Pairs
Known Issues for Cisco NAC Appliance
Known Issue with CAS-to-CAM Certificate Verification in Internet Explorer
Known Issue with Delayed IP Address Refresh for Windows 7/Vista Clients Running Cisco NAC Agent
Known Issue with Enabling Web Login for Windows 7 Starter Edition Clients
Known Issue with Mass DHCP Address Deletion
Known Issue for VPN SSO Following Upgrade to Release 4.5 and Later
Known Issues with Web Upgrade in Release 4.1(3), 4.1(6), and 4.1(8)
Known Issue with Active HA CAM Web Console Following Failover
Known Issue with Cisco NAC Appliance CAM/CAS Boot Settings
Known Issue with IP Packet Fragmentation Leading to Disconnect Between CAS and Agent
Known Issues with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Known Issue for Windows Vista and IP Refresh/Renew
Known Issue with System Center Endpoint Protection
Disabling Administrator Prompt for Certificate on IE 8 and 9
Enabling TLSv1 on Internet Explorer Version 6
Windows Vista and Windows 7—IE 7 and IE 8 Certificate Revocation List
HA Active-Active Situation Due to Expired SSL Certificates
Agent AV/AS Rule Troubleshooting
Debug Logging for Cisco NAC Appliance Agents
Generate Cisco NAC Agent Debug Logs
Generate Mac OS X Agent Debug Log
Recovering Root Password for CAM/CAS
Troubleshooting CAM/CAS Certificate Issues
Troubleshooting Switch Support Issues
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco NAC Appliance,
Version 4.8(2)
Document Number OL-24890-01 Revised: April 18, 2013Contents
These release notes provide the latest cumulative release information for Cisco® NAC Appliance, Release 4.8(2). This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.
•
System and Hardware Requirements
•
•
•
•
Cisco NAC Appliance Releases
4.8(2) ED
May 3, 2011
4.8(1) ED
January 31, 2011
4.8 ED
July 26, 2010
Note
System and Hardware Requirements
This section describes the following:
•
•
•
Licensing
You must obtain and install Cisco NAC Appliance product licenses for the Clean Access Manager (CAM) and Clean Access Server (CAS) in order for your deployment to function. Install the CAM product license in the CAM License Form to initially access the CAM web admin console. Once you can access the CAM web console, upload the additional CAM HA license or CAS license(s) into the CAM (under Administration > CCA Manager > Licensing) in order to add CASs to the CAM. An OOB CAS license must be present to access the "OOB Management" module of the CAM. The Licensing page displays the types of licenses present after they are added.
Note that both CAM and CAS product licenses are generated based on the eth0 MAC address of the CAM. For High Availability (HA) pairs, you must generate an additional CAM HA license based on the eth0 MAC addresses of both Primary and Secondary CAMs and install it on the CAM whether you are adding a CAM HA pair or CAS HA pair.
For complete details on service contract support, obtaining new and evaluation licenses, legacy licenses and RMA, refer to Cisco NAC Appliance Service Contract / Licensing Support.
Hardware Support
This section contains the following topics:
•
•
•
Release 4.8(2) and Hardware Platform Support
FIPS Compliant
You can install or upgrade to Cisco NAC Appliance Release 4.8(2) on the following FIPS-compliant Cisco NAC Appliance platforms:
•
Note
Non-FIPS
You can install or upgrade to Cisco NAC Appliance Release 4.8(2) on the following Cisco NAC Appliance platforms:
•
•
Note
If the FIPS card in a CAM/CAS ceases to work correctly, make sure the card operation switch is set to "O" (for operational mode), as described in FIPS and SSH. If the card is still not operational, you will need to RMA the appliance with Cisco Systems and replace it with a new Cisco NAC-3315/3355/3395 platform. Refer to the "Cisco NAC Appliance RMA and Licensing" section of Cisco NAC Appliance Service Contract/Licensing Support for details.
NME-NAC-K9
Additionally, Cisco NAC Appliance Release 4.8(2) provides substantial changes and enhancements for product hardware support, installation, and upgrade:
•
•
•
•
See also Features Optimized/Removed in Release 4.8(2) for additional information.
Note
Cisco NAC Network Module
The Cisco NAC Network Module for Integrated Services Routers (NME-NAC-K9) is a next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs) that is supported starting from Cisco NAC Appliance, Release 4.1(2) and later.
In addition to the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs), Cisco NAC Appliance Release 4.8(2) supports Cisco 2911, 2921, 2951, 3925, and 3945 Integrated Services Routers (ISRs).
The Cisco NAC network module has the same software features as the Clean Access Server on a NAC-3300 series appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another.
Note
Note
For further details, including software installation instructions, refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers.
Note
Release 4.8(2) and Cisco NAC Profiler
All Cisco NAC Appliance releases are shipped with a default version of the Cisco NAC Profiler Collector component. Cisco NAC Appliance 4.8(2) release is shipped with Collector version 3.1.0.24 by default. When upgrading the NAC Server to a newer Cisco NAC Appliance release, the current version of the Collector is replaced with the default version of the Collector shipped with the Cisco NAC Appliance release. For example, if you are running Release 4.8 and Collector 3.1.1, and you upgrade to NAC 4.8(2), the Collector version will be downgraded to 3.1.0.24. You need to manually upgrade the 3.1.0.24 Collector to 3.1.1 again and configure it after the NAC Server upgrade.
Refer to the Release Notes for Cisco NAC Profiler for software compatibility matrixes and additional upgrade and product information.
Note
FIPS 140-2 Compliance
Note
This section describes the following topics:
•
•
•
•
•
•
Overview
Cisco NAC Appliance Release 4.7(0) introduced Federal Information Processing Standard (FIPS) 140-2 Common Criteria EAL2 compliance for new installations on new Cisco NAC-3315, NAC-3355, and NAC-3395 hardware appliance platforms. Release 4.8 now also offers a field-replaceable FIPS card upgrade for Cisco NAC-3310, NAC-3350, and NAC-3390 platforms. In order to provide FIPS compliance in your Cisco NAC Appliance network, both CAM(s) and CAS(s) must be FIPS compliant.
Note
To enable FIPS 140-2 compliance in Cisco NAC Appliance, CAMs and CASs must have an encryption card that handles the primary FIPS "level 2" compliance functions and manages private keys for the system.
In Release 4.8 and 4.7(0), if the FIPS card in a Cisco NAC-3315/3355/3395 CAM/CAS ceases to work correctly, make sure the card operation switch is set to "O" (for operational mode), as described in FIPS and SSH. If the card is still not operational, you will need to RMA the appliance with Cisco Systems and replace it with a new Cisco NAC-3315/3355/3395 platform. Refer to the "Cisco NAC Appliance RMA and Licensing" section of Cisco NAC Appliance Service Contract/Licensing Support for details. When you configure the replacement appliance, you must also ensure you configure it with the same master password and have imported any required third-party certificates before connecting the appliance to the network. For more information, see Release 4.8(2) and Hardware Platform Support.
Note
In addition, in order to ensure FIPS compliance across the entire Cisco NAC Appliance network, users must use the latest Cisco NAC Agent version 4.8.0.35 or 4.7.1.15 on client machines connecting to the Cisco NAC Appliance network. Although Cisco NAC Appliance Releases 4.8 and 4.7(0) support other Cisco NAC Appliance Agent versions, users logging in with a different version of the Agent are not FIPS compliant. For more information on the latest Cisco NAC Agent, see Cisco NAC Windows Agent Version 4.8.2.1.
Note
Capabilities, Dependencies, and Restrictions
FIPS 140-2 compliance in Release 4.7(0) introduced the following capabilities, dependencies, and restrictions:
1.
2.
a.
b.
c.
Note
3.
a.
b.
c.
Note
4.
a.
b.
c.
Note
For more information, see IPSec Considerations with FIPS.
5.
Note
6.
7.
8.
9.
10.
Note
11.
12.
FIPS Compliance in HA Deployments
To support FIPS 140-2 compliance, HA CAMs/CASs automatically establish an IPSec tunnel to ensure all communications between the HA pair appliances remains secure across the network.
Trusted Certificates and Private Key Management with FIPS
In Cisco NAC Appliance Release 4.7(0) and Release 4.8, you can no longer export private keys and you cannot generate CSRs using a FIPS compliant CAM/CAS. To adhere to strict FIPS compliance guidelines, you can only import certificates from trusted third-party resources.
Cisco NAC Appliance uses two types of keys to support FIPS compliance: Private Keys and Shared Master Keys. Both of these key types are managed and stored using the FIPS card installed in the CAM/CAS. During installation, keys are created using the CAM/CAS setup utilities, the keys are then moved to the card for security, and key-generation files and/or directories are then removed from the CAM/CAS.
This enhancement affects the following pages of the CAM web console:
•
•
•
FIPS and SSH
SSH connections between FIPS and non-FIPS CAMs/CASs are supported in Cisco NAC Appliance Release 4.7(0) or Release 4.8. However, if the FIPS card in a CAM/CAS fails (or is inadvertently set to the incorrect operational mode), you cannot use SSH to or from that appliance until the issue with the card is resolved.
You can verify FIPS functionality on a CAM/CAS as follows:
a.
b.
c.
d.
Installed FIPS card is nCipherInfo-FIPS file existsInfo-card is in operational modeInfo-httpd worker is in FIPS modeInfo-sshd up
Note
Installed card in the system: nCipher
System is running in FIPS mode
FIPS and the Cisco NAC Appliance SWISS Protocol
To enhance network security and adhere to FIPS 140-2 compliance, Cisco NAC Appliance encapsulates SWISS communications between client machines and CASs, including Discovery Packet transmission/acknowledgement, authentication, and posture assessment results using the HTTPS protocol.
In addition, the CAS SWISS mechanism has been enhanced to feature a new handler that uses 3DES encryption for SWISS protocol functions. Because of these changes, older versions of Cisco NAC Appliance Agents are not compatible with FIPS-compliant CAMs/CASs in Releases 4.8 and 4.7(0).
IPSec Considerations with FIPS
Cisco NAC Appliance Releases 4.8 and 4.7(0) use IPSec for the following purposes:
•
•
•
•
When setting up your Cisco NAC Appliance to use IPSec, you must ensure you can set up and import certificates and configure IPSec tunnels between Cisco NAC Appliance and your external authentication resources.
For Active Directory, LDAP, and Kerberos functions with FIPS-compliant CAMs/CASs, you must ensure that hosts are running Windows 2008 Server to support secure authentication sessions between external resources and FIPS-compliant appliances.
FIPS and SNMP Configuration
Cisco NAC Appliance Release 4.7(0) and Release 4.8 provide support for SHA-1 and 3DES encryption when configuring SNMP management on a FIPS-compliant CAM.
This enhancement affects the following page of the CAM web console:
•
FIPS and Cisco Secure ACS as RADIUS Authentication Provider
You can configure a FIPS 140-2 compliant external RADIUS Authentication Provider type by setting up a secure IPSec tunnel between your Cisco NAC Appliance system and Cisco ACS 4.x in a Windows environment running Windows Server 2003 or 2008.
For specific configuration instructions, see "Add a FIPS 140-2 Compliant RADIUS Auth Provider Using an ACS Server" section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(2).
FIPS with VPN SSO
You can configure Cisco NAC Appliance to connect to and manage a Cisco ASA VPN Concentrator in a FIPS 140-2 compliant deployment.
For specific configuration instructions, see the "Configure VPN SSO in a FIPS 140-2 Compliant Deployment" section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(2).
FIPS with AD SSO
To maintain FIPS 140-2 compliance and support AD SSO, you must use 32-bit Windows Server 2008 with KTPass version 6.0.6001.18000, and client machines must run Windows Vista or Windows 7 with Cisco NAC Agent version 4.7.1.15 or version 4.8.0.35 installed. For specific configuration instructions, see the "Configure Active Directory for FIPS 140-2 Compliant AD SSO" section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(2).
You cannot perform AD SSO in a FIPS-compliant network using Cisco Wireless LAN Controllers because the WLCs do not support IPSec communication with the Cisco NAC Appliance network, so you cannot provide RADIUS SSO capability to users in your FIPS 140-2 compliant environment.
Supported Switches for Cisco NAC Appliance
See Cisco NAC Appliance Switch and Wireless LAN Controller Support for complete details on:
•
•
•
•
•
VPN and Wireless Components Supported for Single Sign-On (SSO)
Table 1 lists VPN and wireless components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.
Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO
4.5 and later
Cisco 5500 Series Wireless LAN Controllers
N/A
Cisco WiSM Wireless Service Module for the Cisco Catalyst 6500 Series Switches
N/A
Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)1
N/A
Cisco ASA 5500 Series Adaptive Security Appliances, Version 8.0(3)7 or later2
AnyConnect
Cisco ASA 5500 Series Adaptive Security Appliances, Version 8.0(3)7 or later
•
•
Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco VPN 3000 Series Concentrators, Release 4.7
Cisco PIX Firewall
1 For additional details, see also Known Issues with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).
2 Release 4.5 and later supports existing AnyConnect clients accessing the network via Cisco ASA 5500 Series devices running release 8.0(3)7 or later. For more information, see the Release Notes for Cisco NAC Appliance, Version 4.1(3), and CSCsi75507.
Note
Cisco WLCs do not support IPSec communication with the Cisco NAC Appliance network, so you cannot provide RADIUS SSO capability to users in your FIPS 140-2 compliant environment.
For further details, see the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(2) and the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(2).
Additional Support Information
Refer to Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later for additional details related to Windows/Mac OS X/Web Agent support.
Refer to Supported Hardware and System Requirements for Cisco NAC Appliance for additional information on Cisco NAC Appliance hardware platforms and support information for Cisco NAC Appliance 4.1(x) and earlier releases.
Software Compatibility
This section describes software compatibility for releases of Cisco NAC Appliance:
•
•
•
Release 4.8(2) CAM/CAS Upgrade Compatibility Matrix
Table 2 shows CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row. When you upgrade your system software, Cisco recommends you upgrade to the most current release available whenever possible.
Table 2 Release 4.8(2) CAM/CAS Upgrade Compatibility Matrix
4.8(1)
4.8
4.7(x)
4.6(1)4.8(2)
4.8(1)
4.8
4.7(x)
4.6(1)4.8(2)
1 Next generation Cisco NAC Appliance platforms (FIPS or non-FIPS Cisco NAC-3315, NAC-3355, NAC-3395) support fresh installation of Release 4.8(2) or upgrade from Release 4.7(x) or 4.8 to Release 4.8(2) only. You can also install or upgrade to Release 4.8(2) on the NAC-3310, NAC-3350, and NAC-3390 platforms, but they operate in non-FIPS mode only. See Hardware Support and Changes for 4.8(2) Upgrade for additional details.
2 The Clean Access Server is shipped with a default version of the Cisco NAC Profiler Collector. See Release 4.8(2) and Cisco NAC Profiler for details.
.
Release 4.8(2) CAM/CAS/Agent Compatibility Matrix
Table 3 lists Cisco NAC Appliance Manager/Server/Agent compatibility per supported release. CAM/CAS/Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in Table 3.
For complete support information, including specific client machine operating systems supported with specific Agent versions, refer to the Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later.
Table 3 Release 4.8(2) CAM/CAS/Agent Compatibility Matrix
4.8
4.7(0)4.8
4.7(0)4.8.0.35
4.7.1.15N/A
N/A
4.8(2)
4.8(2)
4.8.2.1
4.8.1.5
4.8.0.35
4.7.4.2
4.7.3.2
4.7.2.10
4.7.1.511
4.7.1.154.8.2.591
4.8.2.590
4.8.1.584
4.8.0.569
4.7.3.522
4.7.2.507
4.7.1.506
4.7.0.24.8.2.1
4.6.2.113
4.6.0.3
4.8(1)
4.8(1)
4.8.1.5
4.8.0.35
4.7.4.2
4.7.3.2
4.7.2.10
4.7.1.511
4.7.1.154.8.1.584
4.8.0.569
4.7.3.522
4.7.2.507
4.7.1.506
4.7.0.24.8.1.4
4.6.2.113
4.6.0.3
4.8
4.8
4.8.1.5
4.8.0.35
4.7.2.10
4.7.1.511
4.7.1.154.8.1.584
4.8.0.569
4.7.2.507
4.7.1.506
4.7.0.24.8.0.4
4.6.2.113
4.6.0.3
4.7(3)
4.7(3)
4.8.1.5
4.7.4.2
4.7.3.2
4.7.2.10
4.7.1.511
4.7.1.154.8.1.584
4.7.3.522
4.7.2.507
4.7.1.506
4.7.0.24.7.4.1
4.7.3.14.6.2.113
4.6.0.3
4.5.2.0 5
4.5.1.0
4.5.0.04.5.0.0
4.1.8.0
4.1.6.0
4.1.3.24.1.3.0
4.7(2)
4.7(2)
4.8.1.5
4.8.0.35
4.7.4.2
4.7.3.2
4.7.2.10
4.7.1.511
4.7.1.154.8.1.584
4.8.0.569
4.7.3.522
4.7.2.507
4.7.1.506
4.7.0.24.7.2.5
4.6.2.113
4.6.0.3
4.5.2.0 6
4.5.1.0
4.5.0.04.5.0.0
4.1.8.0
4.1.6.0
4.1.3.24.1.3.0
4.7(1)7
4.7(1)
4.8.1.5
4.8.0.35
4.7.4.2
4.7.3.2
4.7.2.10
4.7.1.511
4.7.1.154.8.1.584
4.8.0.569
4.7.3.522
4.7.2.507
4.7.1.506
4.7.0.24.7.1.504 8
4.6.2.113
4.6.0.3
4.5.2.0 4
4.5.1.0
4.5.0.04.5.0.0 7
4.1.8.0 7
4.1.6.0
4.1.3.24.1.3.0 7
4.7(0)
4.7(0)
4.8.1.5
4.8.0.35
4.7.4.2
4.7.3.2
4.7.2.10
4.7.1.511
4.7.1.154.8.1.584
4.8.0.569
4.7.3.522
4.7.2.507
4.7.1.506
4.7.0.24.7.0
4.6.2.113
4.6.0.3
4.5.2.0 7
4.5.1.0
4.5.0.04.5.0.0 7
4.1.8.0 7
4.1.6.0
4.1.3.24.1.3.0 7
4.6(1)
4.6(1)
4.8.1.5
4.8.0.35
4.7.4.2
4.7.3.2
4.7.2.10
4.7.1.511
4.7.1.15 9 ,104.8.1.584
4.8.0.569
4.7.3.522
4.7.2.507
4.7.1.506
4.7.0.2N/A
4.6.2.113
4.6.0.3
1 Next generation Cisco NAC Appliance platforms (FIPS or non-FIPS Cisco NAC-3315, NAC-3355, NAC-3395) support fresh installation of Release 4.8(2) or upgrade from Release 4.7(x) or 4.8(x) to Release 4.8(2) only. You can also install or upgrade to Release 4.8(2) on the NAC-3310, NAC-3350, and NAC-3390 platforms, but they operate in non-FIPS mode only. See Hardware Support and Changes for 4.8(2) Upgrade for additional details.
2 Make sure that both CAM and CAS are of same version.
3 See Enhancements in Release 4.8(2) for details on each version of the Windows/Mac OS X/Web Agents.
4 Release 4.8 and 4.7(0) are the only certified FIPS-compliant Cisco NAC Appliance releases.
5 CAM/CAS Release 4.7(2) supports 4.1.3.2 and later Agents for basic compatibility (login/logout) and AV/AS product support. The maximum available AV/AS support is based on the maximum version of the Agent file uploaded to the CAM as well as the maximum version of the Agent on the client. See Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later for details. For full 4.5 and later features (including Mac OS X posture assessment), the 4.5.0.0 or later Agent must be run with the appropriate 4.5 or later CAM/CAS.
6 CAM/CAS Release 4.8(x) and 4.7(x) support 4.1.3.2 and later Agents for basic compatibility (login/logout) and AV/AS product support. The maximum available AV/AS support is based on the maximum version of the Agent file uploaded to the CAM as well as the maximum version of the Agent on the client. See Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later for details. For full 4.5 and later features (including Mac OS X posture assessment), the 4.5.0.0 or later Agent must be run with the appropriate 4.5 or later CAM/CAS.
7 When upgrading the CAM from version 4.5(x) and later to Release 4.8(2), Agent files are automatically upgraded to the latest Agent version packaged with the CAM software image.
8 Cisco NAC Web Agent version 4.7.1.504 does not support Windows 7 Starter Edition. Client machines with the Windows 7 Starter Edition operating system can only perform web login to verify user credentials when accessing the network via Cisco NAC Appliance Release 4.7(1). For specific information on enabling web login for client machines running Windows 7 Starter Edition, see Known Issue with Enabling Web Login for Windows 7 Starter Edition Clients.
9 4.6.x.x and 4.7.1.x Windows Agents and 4.6.x.x and 4.7.x.y Mac OS X Agents are supported on 4.1(3) and later CAM/CAS releases for basic compatibility (login/logout) and AV/AS product support. The maximum available AV/AS support is based on the maximum version of the Agent file uploaded to the CAM as well as the maximum version of the Agent on the client. See Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later for details. For full 4.5 and later features (including Mac OS X posture assessment), the 4.5.0.0 or later Agent must be run with the appropriate 4.5 or later CAM/CAS.
10 If you only upgrade to the latest version of the Cisco NAC Agent, and leave your CAM/CAS at Release 4.5(1) or earlier, the Agent operates as an English-only entity—you cannot take advantage of the native operating system localization support available to Cisco NAC Agent users who are logging in to a 4.7(x) CAM/CAS network.
Release 4.8(2) Agent Upgrade Compatibility Matrix
Table 4 shows Cisco NAC Appliance Agent upgrade compatibility when upgrading existing versions of the persistent Agents on clients after CAM/CAS upgrade.
Note
For complete support information, including specific client machine operating systems supported with specific Agent versions, refer to the Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later.
Table 4 Release 4.8(2) Agent Upgrade Compatibility Matrix
4.8(2)
4.8(2)
4.8.1.53, 4
4.8.0.35 3, 4
4.7.4.2
4.7.3.2
4.7.2.10 3, 4
4.7.1.5113 , 4
4.7.1.15 5
4.6.2.1134.8.2.1
4.8.1.584
4.8.0.569
4.7.3.522
4.7.2.507
4.7.1.506
4.7.0.2
4.6.0.34.8.2.591
4.8.2.590
1 Next generation Cisco NAC Appliance platforms (FIPS or non-FIPS Cisco NAC-3315, NAC-3355, NAC-3395) support fresh installation of Release 4.8 or upgrade from Release 4.7(0), 4.7(1), or 4.7(2) to Release 4.8 only. You can also install or upgrade to Release 4.8 on the NAC-3310, NAC-3350, and NAC-3390 platforms, but they operate in non-FIPS mode only. See Hardware Support and Changes for 4.8(2) Upgrade for additional details.
2 See Enhancements in Release 4.8(2) for details on each version of the Windows/Mac OS X/Web Agent.
3 Cisco NAC Agent versions 4.7.1.511, 4.7.2.10, and 4.8.0.35 are the only Cisco NAC Appliance Agents that support Windows 7 operating systems. (Cisco NAC Agent version 4.7.1.511 does not support the Windows 7 Starter Edition operating system.)
4 For checks/rules/requirements, version 4.1.1.0 and later Windows Agents can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.
5 To remain FIPS-compliant, users logging into Cisco NAC Appliance via AD SSO must run Windows Vista or Windows 7 and have Cisco NAC Agent version 4.7.1.15 or 4.8.0.35 installed on their client machine. Windows XP clients cannot perform AD SSO in a FIPS 140-2 compliant network. See FIPS with AD SSO for details.
Determining the Software Version
Clean Access Manager (CAM) Version
•
•
Clean Access Server (CAS) Version
•
•
Administration > Software Upload | Current Version•
Cisco NAC Appliance Agent Version (Windows, Mac OS X, Web Agent)
•
•
Cisco Clean Access Updates
•
New and Changed Information
This section describes enhancements added to the following releases of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.
Enhancements in Release 4.8(2)
•
•
•
•
•
•
•
•
L3 Wireless Out-of-Band
•
Support for Internet Explorer 9.0
Cisco NAC Appliance Release 4.8(2) includes support for Internet Explorer 9.0.
Internet Explorer 9.0 uses Java Applet by default. Turn the Compatibility Mode "ON" to use the ActiveX. You can change the Compatibility Mode by using Tools > Compatibility View Settings in the Internet Explorer 9.0 window.
Note
Support for Internet Explorer 10 on Windows 7
Cisco NAC Appliance Release 4.8(2) supports Internet Explorer 10 on Windows 7. When Internet Explorer 10 is installed on Windows 7, to get full network access, you need to update to March 2013 Hotfix ruleset.
Cisco NAC Windows Agent Version 4.8.2.1
Cisco NAC Appliance Release 4.8(2) introduces Cisco NAC Agent version 4.8.2.1.
Refer to Release 4.8(2) CAM/CAS/Agent Compatibility Matrix for additional compatibility details.
For details on Agent functionality, refer to the "Cisco NAC Appliance Agents" chapter of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(2).
Mac OS X Agent Version 4.8.2.590
Cisco NAC Appliance Release 4.8(2) is bundled with Mac OS X Agent version 4.8.2.590.
Cisco Mac OS X Agent version 4.8.2.590 provides updated AV/AS support capabilities on Macintosh client machines as described in Cisco NAC Appliance Supported AV/AS Products.
Mac OS X Agent Version 4.8.2.591
Cisco Mac OS X Agent version 4.8.2.591 supports Mac OS X 10.7 "Lion". This verson is available from Software Downloads on Cisco.com and from NAC Updates on the CAM.
You can download the Agent Installation file as follows and upload it to the CAM.
Step 1
Step 2
Step 3
Step 4
Step 5
Cisco NAC Web Agent Version 4.8.2.1
Cisco NAC Appliance Release 4.8(2) introduces Cisco NAC Web Agent version 4.8.2.1.
For details on Agent functionality, refer to the "Cisco NAC Appliance Agents" chapter of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(2).
Features Optimized/Removed in Release 4.8(2)
In Cisco NAC Appliance release 4.8(2), you can use a .tar.gz upgrade process similar to that used for upgrading CAM/CAS appliances in earlier releases of Cisco NAC Appliance (like the process used in Release 4.6(1), 4.7(2), and 4.8) instead of having to perform "in-place" upgrades via an .ISO image on a CD-ROM, as is required to upgrade to Cisco NAC Appliance release 4.7(0) and 4.7(1). For more information, see Upgrading to Release 4.8(2).
Note
Supported AV/AS Product List Enhancements (Windows Version 86, Mac OS X Version 9)
See Cisco NAC Appliance Supported AV/AS Products for the latest AV/AS product charts.
Cisco NAC Appliance Supported AV/AS Products
The Cisco NAC Appliance Supported AV/AS Product List is a versioned XML file distributed from a centralized update server and downloaded to the Clean Access Manager via Device Management > Clean Access > Updates > Update. It provides the most current matrix of supported antivirus (AV) and anti-spyware (AS) vendors and products per version of the Agent, and is used to populate AV/AS Rules and AV/AS Definition Update requirements for Agents that support posture assessment/remediation.
You can access AV and AS product support information from the CAM web console under Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info. For convenience, this section also provides the following summary and product charts. The charts list which product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Agent.
Note
Windows 7/Vista/XP
For Windows 7/Vista/XP AV/AS support information on the Cisco NAC Agent (version 4.8.2.1) and Cisco NAC Web Agent (version 4.8.2.1), see the Cisco NAC Appliance Release 4.8(1) and 4.8(2) Supported Windows AV/AS Products document optimized for UTF-8 character display.
Mac OS X
For Mac OS X AV/AS support information on the Cisco Mac OS X Agent (version 4.8.2.590), see the Cisco NAC Appliance Release 4.8(1) and 4.8(2) Supported Mac OS X AV/AS Products document optimized for UTF-8 character display.
Note
Note
Note that Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for AV/AS products by vendors, the Cisco NAC Appliance team will update the Supported AV/AS Product List and/or Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."
Refer to Enhancements in Release 4.8(2) for additional details on Agent versions in this release.
Caveats
This section describes the following caveats:
•
•
•
Note
http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 4.8(2)
Table 5 List of Open Caveats (Sheet 1 of 36)
CSCsd03509
No
The Time Servers setting is not updated in HA-Standby CAM web console
After updating the "Time Servers" setting in HA-Primary CAM, the counterpart "Time Servers" setting for the HA-Standby CAM does not get updated in the web console even though the "Time Servers" setting is updated in the HA-Standby CAM database.
Workaround
CSCsg07369
No
Incorrect "IP lease total" displayed on editing manually created subnets
Steps to reproduce:
1.
2.
3.
4.
The issue is judged to be cosmetic and does not affect DHCP functionality.
CSCsg66511
No
Configuring HA-failover synchronization settings on Secondary CAS takes an extremely long time
Once you have configured the Secondary CAS HA attributes and click Update, it can take around 3 minutes for the browser to get the response from the server. (Configuring HA-failover synchronization on the Primary CAS is nearly instantaneous.)
CSCsh77730
No
Agent locks up when greyed out OK button is pressed
The Agent locks up when the client machine refreshes its IP address. This only occurs when doing an IP release/renew, so the CAS must be in an OOB setup.
If the Automatically close login success screen after <x> secs option is enabled and the duration set to 0 (instantaneous) in the Clean Access > General Setup > Agent Login page and the user clicks on the greyed out OK button while the IP address is refreshing, the Agent locks up after refreshing the IP address. The IP address is refreshed and everything else on the client machine works, but the user cannot close the Agent without exiting via the system tray icon, thus "killing" the Agent process.
Workaround
CSCsi07595
No
DST fix will not take effect if generic MST, EST, HST, etc. options are specified
Due to a Java runtime implementation, the DST 2007 fix does not take effect for Cisco NAC Appliances that are using generic time zone options such as "EST," "HST," or "MST" on the CAM/CAS UI time settings.
Workaround
Note
CSCsj46232
No
Agent should NOT pop-up during CAS HA failover
Agent pops up during CAS HA failover. The user ISD still appears in the Online User List and the client machine still appears in the Certified Devices List.
Workaround
CSCsk55292
No
Agent not added to system tray during boot up
When the Agent is installed on a Windows client, the Start menu is updated and Windows tries to contact AD (in some cases where the AD credentials are expired) to refresh the Start menu.
Due to the fact that the client machine is still in the Unauthenticated role, AD cannot be contacted and an approximately 60 second timeout ensues, during which the Windows taskbar elements (Start menu, System Tray, and Task Bar) are locked. As a result, the Agent displays a "Failed to add Clean Access Agent icon to taskbar status area" error message.
Workaround
•
•
CSCsl13782
No
Microsoft Internet Explorer 7.0 browser pop-ups on Windows Vista launched from the Summary Report appear behind the Summary Report window
This is also seen when you click on the Policy link in the Policy window. This issue appears on Vista Ultimate and Vista Home, but is not seen with Firefox or on Internet Explorer versions running in Windows 2000 or Windows XP.
Workaround
Note
CSCsl17379
No
Multiple Agent pop-ups with Multi NIC in L2 Virtual Gateway OOB role-based VLAN
The user sees multiple Agent login dialogs with two or more active NICs on the same client machine pointing to the Unauthenticated network access point (eth1 IP address).
After the first Agent pops up and the user logs in, a second Agent login dialog pops up. If the user logs in to this additional Agent instantiation there are now two entries for the same system with both MAC addresses in the CAM's Certified Device List and Online Users List.
Workaround
CSCsl40812
No
The Refresh Windows domain group policy after login option is not functioning for Cisco NAC Web Agent
(It is working fine with the Clean Access Agent.)
This scenario was tested configuring a GPO policy for a Microsoft Internet Explorer browser title. The browser was not refreshed as expected after login in using the Web Agent.
CSCsl75403
No
Mac OS X Agent does not detect VPN interface-fails MAC filters/L3 strict mode
This caveat addresses two issues:
1.
2.
With MacOS X client machines, there are no separate interfaces created once the client machine successfully connects to the VPN concentrator. The implementation is different on Windows where a separate interface gets created having an IP address assigned by the VPN concentrator.
Workaround
•
•
Note
CSCsl88429
No
User sees Invalid session after pressing [F5] following Temporary role time-out
When a user presses [F5] or [Refresh] to refresh the web page after the Agent Temporary role access timer has expired, the user sees an "Invalid" session message. If the user then attempts to navigate to the originally requested web address, they are prompted with the web login page again and are able to log in.
CSCsl88627
No
Description of removesubnet has "updatesubnet" in op field
The removesubnet API function description has "updatesubnet" listed in its operations field. The description should read "removesubnet."
CSCsm20254
No
CAS duplicates HSRP packets with Cisco NAC Profiler Collector Modules enabled.
Symptom HSRP duplicate frames are sent by CAS in Real-IP Gateway with Collector modules enabled. This causes HSRP issues and the default gateway to go down.
Conditions
Workaround
CSCsm61077
No
ActiveX/Java applet fails to refresh the IP address on Vista with User Account Control (UAC) turned on
When logged in as a machine admin on Vista and using web login with IP refresh configured, IP address refresh/renew via ActiveX or Java will fail due to the fact that IE does not run as an elevated application and Vista requires elevated privileges to release and renew an IP address.
Workaround
1.
2.
3.
Note
Alternatively, the Cisco NAC Web Agent can be used with no posture requirements enabled.
See also Known Issue for Windows Vista and IP Refresh/Renew.
CSCso15754
No
The ClamXAV live update feature may not work the first time if a "failed" ClamXAV installation requirement immediately precedes the live update in the Mac OS X Assessment Report remediation window
If both a ClamXAV Link Distribution and a ClamXAV live update requirement are configured for Mac OS X client remediation, and the installation requirement appears right before the live definition update, then the ClamXAV live update may fail because as the installation process completes, the live update process begins and does not have a chance to read the updated ClamXAV version before launching. Therefore, if the timing is not right, users may have already started the live update while the actual ClamXAV application update tool is still copying onto the client machine.
Workaround
CSCso49473
No
"javax.naming.CommunicationException" causes no provider list
ADSSO with LDAP Lookup
If the LDAP connection to Active Directory fails during the lookup process (because the lookup takes a long time or the connection is suddenly lost), the Agent does not receive the list of authentication providers from the CAS. As a result, the user is presented with a blank provider list.
LDAP server fails to respond due to network connectivity failure or a long directory search. The failure must occur after communication to the LDAP server has begun.
Note
CSCso50613
No
Mac OS X Agent DHCP refresh fails if dhcp_refresh file does not exist
DHCP refresh will fail with no notice (to the user or to the logs) if the dhcp_refresh file does not exist. The dhcp_refresh tool is required for all versions of Mac OS X Agents, so it always fails if the dhcp_refresh tool is missing regardless the Mac OS version.
Workaround
1.
2.
3.
CSCsr52953
No
RMI error messages periodically appear for deleted and/or unauthorized CASs in CAM event logs
Clean Access Servers connected to a CAM can periodically appear as "deleted" or "unauthorized" in the CAM event logs even though the CAS is functioning properly and has not experienced any connection issues with the Clean Access Manager. Error message examples are:
•
•
Workaround
•
•
CSCsu47350
No
Invalid version number displayed in CAM backup snapshot web page
When the administrator navigates to another page in the CAM web console during the backup snapshot process, the resulting snapshot version number is invalid.
CSCsu63247
No
DHCP IP refresh not working for some Fedora core 8 client machines
DHCP IP refresh does not work on Fedora core 8 clients logging in to a Layer 3 Real-IP Gateway CAS using the current version of the Java applet. As a result, Fedora core8 clients must use web login to gain access to the Cisco NAC Appliance network.
Note
CSCsu78379
No
Bandwidth settings for Receiver CAM roles should not change after Policy Sync
Steps to reproduce:
1.
2.
3.
4.
5.
6.
Note
CSCsu84848
No
CAM should set the switch port to Authentication VLAN before removing from OUL and DCL
The CAM should set the switch port to the Authentication VLAN before removing the user from Online Users List and Discovered Client List when the Switch or WLC entry is deleted from the CAM.
Workaround
CSCsv18261
No
HA Failover database sync times out in event log after reboot
In Cisco NAC Appliance Release 4.5, the CAM HA database copy function times out when the active CAM fails over and becomes the standby CAM. (Event log entries show that the database copy function times out.) This situation arises when the inactive CAM comes up and attempts to copy the database from the active CAM, but the database is still locked by the [now standby] CAM. This issue is not seen during normal operation and database sync because the entries are copied in real time.
Note
CSCsv20270
No
Conflicting CAM's eth1 HA heartbeat address with Release 4.5.0 after upgrade
The perfigo service cannot be started on the standby CAM because both the eth1 interface of HA CAMs have the same IP address: either 192.168.0.253 or 192.168.0.254.
This happens in an HA setup when one of the CAMs is upgraded from Release 4.0(x) to 4.5 and the other CAM is fresh CD installed.
Workaround
CSCsv22418
No
CAS service IP not reachable after standby reboot due to race condition
The Active CAS's service IP become unreachable after standby CAS reboot.
In a rare race condition, the standby CAS temporarily becomes active for very short period of time after reboot.
Workaround
1.
2.
CSCsv78301
No
VPN SSO login does not work with VPN in managed subnet after upgrade to Cisco NAC Appliance Release 4.5
Prior to Release 4.5, the Clean Access Server associates the client with the VPN IP address and VPN Concentrator's MAC address after the first login. From there, the SWISS protocol only checks the IP address from the Agent and reports back to the Agent that the client is logged in (regardless of whether the client is connected via Layer 2 or Layer 3).
In Release 4.5, the SWISS protocol checks the MAC address for Layer 2 clients, but the MAC address reported by the Agent (which is the real client MAC address) is different from the one the CAS gets for the client (the VPN concentrator MAC address). As a result, the SWISS protocol tells the Agent that the client machine is not logged in (due to the different MAC addresses recorded) and the Agent launches the login dialog repeatedly, never able to complete login.
Workaround
CSCsv92867
No
DB conversion tool (Latin1 to UTF8)-iconv cannot work with † format
Release 4.5 and earlier Clean Access Managers with foreign characters in the database cannot be upgraded to Release 4.6(1) and later.
Workaround
•
•
CSCsw39262
No
Agent cannot be launched when switching between users in Vista
The Cisco NAC Agent does not support Windows Fast User Switching. The effect is that the primary user is the only user that:
•
•
•
Note
Workaround
CSCsw45596
No
Username text box should be restricted with max no of characters
The Username text box is presently taking the characters such that the total size is ~5kb. It is better to have the upper bound for the Username text box to hold the number of characters that it can take.
CSCsw67476
No
Mac OS X Agent upgrade cannot be restarted once stopped
User is not able to log in again (no agent screen or icon available) when they cancel the Mac OS X Agent upgrade process.
Note
Workaround
CSCsw88911
No
Mac Agent freezes on login dialog, but remains operational
The tray icon of a Mac OS X Agent logged into a Cisco NAC Appliance OOB deployment shows Click - Focus then Click again and is hung (looks like logging in).
Workaround
CSCsx05054
No
DHCP does not work with IGNORE fallback policy and CAS Failover
If CAS Fallback policy is set to IGNORE and the CAM becomes unreachable from CAS, the CAS blocks all traffic and CAS DHCP stops working.
Workaround
CSCsx18496
No
Cisco Log Packager crashes on XP Tablet PC with Restricted User credentials
CSCsx29191
No
Mac OS X Agent has no `APPLE'+TAB presence
When using the Mac OS X Agent, the GUI focus can get lost and is hard to regain. This issue was observed during upgrade.
Workaround
CSCsx35438
No
Clean Access Manager read timeout reached when deleting many DHCP IPs at once
After upgrading to or installing Release 4.1(8) and deleting hundreds of DHCP IPs at once, the Clean Access Server becomes unmanageable. This issue affects Clean Access Servers configured as a DHCP server on which the administrator tries to delete more than 800 DHCP IPs at once.
Workaround
CSCsx35911
No
Mac OS X Agent does not pop up for login and click-focus does not get user's attention
When the user moves from a non-Cisco NAC Appliance network to a Cisco NAC Appliance network, the Agent login dialog does not automatically appear. Click-focus can resolve the issue, but the is not generally obvious to the user. The result of this issue is that users would likely be stuck in the authentication network and/or assigned to a restricted role for the duration of their session.
Workaround
CSCsx37073
No
Cisco NAC Agent does not pop-up if authentication server name is \\
Steps to reproduce:
1.
2.
3.
4.
5.
6.
7.
Repeat the above steps with authentication server named "myKerberos" instead of \\. The CAM returns a "Clean Access Server is not properly configured. Please contact your administrator if the problem persists" error message.
Workaround
CSCsx45051
No
Agent may proceed with AV/AS auto remediation while it's not supported
For an AV/AS Definition Update Requirement Type with Automatic Remediation Type and Antivirus/Anti-Spyware Vendor Name configured as ANY, when the client fails the requirement, the Agent should automatically launch the AV (or AS) update on the AV product for which the Agent supports live update. If live update is not supported, the Agent should prompt the user to perform manual remediation. With this issue, the Agent may proceed with auto remediation on a product for which the Agent does not support live update. As a result, auto remediation will fail, and the agent will prompt user to do manual remediation.
Note
Workaround
CSCsx49160
No
Cisco NAC Agent shows one less authentication provider if one of the provider names is \
Steps to reproduce:
1.
2.
3.
4.
5.
6.
This time, the authentication provider list only shows Local DB—\ is missing.
Workaround
CSCsx52263
No
NAC Appliances always assume USA keyboard layout
When connected via Keyboard and Monitor, if a keyboard with layout other than US layout is used, the Cisco NAC Appliances do not recognize the keyboard and it is possible to erroneously enter different characters.
Workaround
CSCsy32119
No
Cisco NAC Appliance CAM/CAS need ability to set port speed/duplex manually
There have been instances where switch ports are not negotiating the same as other ports on the same appliance. This is inefficient since the ports in question do not necessarily use the highest possible speed. In addition, there could be collisions, FEC, and errors on a port if there is a mismatch.
Note
CSCsy45807
No
Mac OS X Agent does not pop up using Sprint Wireless
This issue has been encountered using Sprint Wireless Novatel U727 on 2 different Mac OS X client machines.
CSCsz19346
No
Korean log packager GUI translations/buttons are garbled & some missing
Workaround
CSCsz19912
No
Log Packager CiscoSupportReport file shows ##### in place of system info
The system logs created by the log packager are showing ##### instead of actual data, as in the following examples:
04/23/2009 10:49:22 W32Time (ID=0x825a0083): NtpClient# 'CCAVPN-AD'# DNS ## ### ## ## #### ### ### ### #### #####. NtpClient# 15# ## ## #### # ### ### ### # ## ###. ##: ### #### ####. (0x80072AF9).04/23/2009 10:49:21 W32Time (ID=0x825a0083): NtpClient# 'CCAVPN-AD'# DNS ## ### ## ## #### ### ### ### #### #####. NtpClient# 15# ## ## #### # ### ### ### # ## ###. ##: ### #### ####. (0x80072AF9).This issue occurs on Japanese, Korean, and Chinese systems using Cisco Log Packager.
Note
CSCsz38970
No
Accessibility: login displays not announced
After you log into Windows, you see the ADSSO display and then the local corporate display. JAWS does not announce the Cisco NAC Agent displays.
Note
Workaround
CSCsz48847
No
Accessibility: after successful log-in, JAWS is still on Cisco NAC Agent page
JAWS stays on The Cisco NAC Agent window even though no Agent window is displayed.
Workaround
CSCsz49147
No
Accessibility: JAWS does not announce installer after upgrade
During upgrade of the Cisco NAC Agent, the MS installer window is not announced.
Note
Workaround
CSCsz55538
No
IP refresh message shows up in L3OOBRIP with IP Un-numbered scenario
When L3OOBRIP with IP un-numbered is configured, the IP refresh message shows up even if IP refresh does not happen.
Workaround
CSCsz83270
No
Agent file download fails at lower speed WAN links between CAS and CAM
When the Agent is uploaded to the CAM, the .tar file gets partially downloaded and removed several times on CAS before it is successfully downloaded and its contents unpacked. As a result the client does not pop-up for a long time for upgrade or fresh install from the Cisco NAC Appliance web login page.
This happens during agent upgrade or download from web page when CAS and CAM are separated by a WAN link (512kbps/256kbps).
Workaround
Note
CSCsz85892
No
Web login display Guest ID instead of Username
Steps to reproduce:
1.
2.
3.
4.
5.
CSCsz92761
No
CAM GUI and publishing behavior during DB restore
When a CAM snapshot is restored from a database, the CAM web console times out, and once refreshed, shows the associated CAS is offline as a result of triggering a database restoration.
This issue occurs when the CAM and CAS are connected via WAN links (T1/256k/512k) with several CASs experiencing at least 400ms delay.
Note
Workaround
CSCta12544
No
Server communication error upon web and Agent login
This issue can occur when a brand new Release 4.5 or later CAS is connected to a CAM pair that has been upgraded from an older release of Cisco NAC Appliance to Release 4.5 or later, resulting in unreliable communication between the CAM HA pair and the new CAS.
CSCta19323
No
Memory for crash kernel message seen during 4.7.0 CD install
The message is benign, it is displayed when memory is not configured/allocated for a crash kernel to aid in crash dump. This is displayed by Red Hat and CentOS 5 releases while booting on any system.
CSCta32189
No
Group mapping cannot be done if Class attribute data is big
When the ASA authenticates the VPN clients using LDAP and when the ASA does LDAP group mapping, the group information is sent in the class attribute of the accounting packet. This information is used by NAC for doing group mapping based on the class attribute, which fails while performing VPN SSO.
CSCta35732
No
Deleting subnet filters causes CASs to disconnect
When you delete the subnet filter one after another from the CAM, the web console slows down and looses connection to the associated CAS.
The CAM connects to all the CASs every few minutes via serial interface and checks for heartbeats. If a CAS goes offline, the CAM tries to connect to the CAS to resume connection. However, the wait time depends on the number of CASs attached to the CAM.
Note
CSCta35741
No
Agent not Popping up for First time for TLS not enabled on IE 6.0
If TLS 1.0 is not enabled on Microsoft Internet Explorer browsers when the user launches the Cisco NAC Agent in a FIPS 140-2 compliant network, the Agent dialog/login screen does not appear.
Workaround
CSCta72210
No
Proxy exception error misleading
If CAS is accessed using proxy server, error message is displayed prompting the user to check the proxy settings of the browser.
CSCta97229
No
Collector Modules show "Stopping" instead of "Stopped" in Profiler UI
This issue happens when the administrator manually stops the Profiler Collector.
Workaround
CSCtb30587
No
Clearing CAM CDL upon intra-subnet roaming keeps client in Access VLAN
This issue has been seen on WLC1 managing AP1 and WLC2 managing AP2 have same SSID with WLANs on both the controllers mapped to interface which are on the same subnet. (Both controllers are running version 6.0.182.0.)
Steps to reproduce:
1.
2.
However, the CAM still lists WLC1 IP address with client entry.
3.
CSCtb30691
No
Agent pops up from and active wired NIC after user is already authenticated via a wireless NIC in the same client machine
After authenticating using the wireless NIC with a higher preference than the wired NIC on the same client machine, the Agent pops up again, prompting the user to enter authentication credentials. This happens on Windows XP SP3 client machines. (This issue has not been observed in Windows XP SP2.)
Workaround
CSCtb32797
No
LDAP GSSAPI with SSL lookup and authentication fails
The Cisco NAC Appliance network returns the following message:
"Unsupported Ldap Operation ([LDAP: error code 53 - 00002029: LdapErr: DSID-0C09048A, comment: Cannot bind using sign/seal on a connection on which TLS or SSL is in effect, data 0, v1771])"
or
"Naming Error (dcchild.child.2k8.com:636; socket closed)"
Note
Note
CSCtb38026
No
Scripting error with database restore with modified DB snapshot name
If the database snapshot name is altered to include some string after the version number and before the .gz suffix like the following:
08_12_09-23-48_snapshot_VER_4_7_0_A23_upgraded_from_4-1-3.gzthe database restoration process returns a scripting error. This issue is only cosmetic and does not affect the database restore functionality.
Workaround
CSCtb44223
No
Mac OS X Agent gets presented with incorrect login page and providers
The Mac OS X Agent is presented with providers from a configured "MAC_ALL" OS login page rather than the intended "MAC_OSX" login page.
This issue has been observed on Mac OS X 10.4 and 10.5 running Agent version 4.6.0.3 in a Cisco NAC Appliance Release 4.6(1) deployment.
Workaround
CSCtb55184
No
Web Agent download fails if the CAS IP address in the trusted certificate is different from the CAS domain IP address.
This situation can occur when the CAS is in Layer 2 In-Band Real-IP gateway mode, and IP used for initial SSL cert during install is different from that imported using the web console.
Workaround
CSCtb70199
No
Redirect Blocked Request option shows incorrect page when using filter
User gets redirected to the default Blocked page URL when attempting to access a webpage that is not allowed under their user role's traffic policies instead of a custom page or URL that has been defined by the administrator. This occurs because the user shows up in the certified device list as [device-filter] but does not appear in the online user list.
CSCtb92910
No
Need to reflect all the states of FIPS card in the UI and CLI
Currently, the web console page only reflects whether or not the FIPS card is operational, but states like maintenance or initialization are not reflected.
Workaround
Note
CSCtb98457
No
Posture Assessment requirements for Vista machines results in the user being placed in the temporary role.
This has been observed in Windows Vista Home operating systems running version 4.6.2.113 of the Cisco NAC Agent.
Workaround
CSCtc00668
No
Mac Agent trying to update Avast even though application is up-to-date
Following login, the Mac Agent pops up prompting user to update "ANY" AV.
Workaround
•
•
•
CSCtc01957
No
Firefox 3.5.2 Freezes and user cannot enter user credentials
After the applet loads in the Firefox browser, the user login page locks up and the user is unable to enter login credentials.This situation can occur when a user is attempting web login with a FireFox 3.5.2 browser for the very First time.
Workaround
CSCtc41408
No
Windows 7 tray icon default should be show icon and notifications
According to Microsoft, there is no way for a program to promote itself by setting the "Show Icon and Notifications" option. This can be done only by the user and only manually. Default behavior is to hide all icons.
Workaround
CSCtc46376
No
Windows WSUS update (Microsoft rules) is not working for KB890830
When a WSUS update is performed on a new installation of Windows 7 (where no updates have been applied), and the No UI option is selected for the requirement, the WSUS update can fail.
The portion of the Windows update that fails to install is the KB890830 update (Windows Malicious Software Removal Tool, http://support.microsoft.com/?kbid=890830). This upgrade must be installed with admin privileges and there is a one time EULA that the user must accept during installation.
After KB890830 is installed, there are monthly updates that are pushed out from Microsoft on patch Tuesday. The subsequent updates of KB890830 do not require admin privileges and they work fine on a client where the user is not a member of the admin group.
If users manually install KB890830 on a client system as a non-admin user using Windows Update, they are prompted for the administrator password and then get the EULA.
Workaround
CSCtc52252
No
Cannot uninstall the Agent using MSI executable with full quiet mode selected
If you open a Command Prompt window and run the MSI install/uninstall commands using the quiet option, the command fails.
Workaround
CSCtc59248
No
The Agent does not launch if IE has never been launched or the CA certificate is not installed
The Cisco NAC Agent login window does not pop up (or takes a long time to pop up) during initial login because:
•
•
This problem could also occur when the administrator kicks the user out of the NAC Appliance network after logging in via and OOB session.
Workaround
Note
CSCtc66277
No
IP refresh takes a minute and Agent vanishes after that
This issue can come up in a network where spanning tree merge has been configured on the switch. Configuring portfast minimizes the IP refresh time.
Note
CSCtc68565
No
Web Agent does not launch using ActiveX on a client machine where the administrator UAC is "default"
When using Windows 7 as a local machine administrator and a proxy server, Internet Explorer places the CAS into the intranet settings category, which automatically disables "Protected Mode."
Workaround
CSCtc84563
No
Clean Access Agent does not register dynamic DNS after authentication
Computers running the Clean Access Agent register with dynamic DNS upon system startup, but they are not re-registered after they are moved to the production VLAN upon successful authentication and posture assessment.
Workaround
CSCtc86765
No
The Cisco NAC Agent does not pop up in a VPN environment upon re-connecting to the VPN server
This issue has been observed when power cycling a SOHO (Small office home office) DSL/Cable modem router, thus terminating the VPN connection.
Workaround
CSCtc90896
No
For McAfee Total Protection 5.0, you need to change firewall setting
AV definition file update for McAfee Total Protection 5.0 does not work with the default McAfee firewall settings.
Workaround
CSCtc90964
No
Inaccuracy in AV/AS support info
Latest Virus Definition version/date for Selected Vendor under AV/AS support info does not display the updated version/date for some AV/AS vendors.
CSCtc91616
No
Inconsistent support for Internationalized characters in usernames
It is unclear if Internationalized characters are supported for uncommon user names in Cisco NAC Appliance. For example, some internationalized characters (like è) are allowed when creating a username on the CAM, but user login fails. Other character sets (like Japanese) also fail when attempting to create the user in the Local DB.
CSCtc92037
No
Mac agent in L2 non-strict mode does not pop up behind NAT router.
With L2 non-strict mode and Mac client behind NAT router, Mac agent does not pop up.
Note
CSCtc97878
No
CCA CAS can fail to commit large policy list to click
When a Cisco Clean Access environment is configured with several rules in the user roles, a threshold may be reached where traffic is blocked at the CAS that is specifically allowed in the rules. This can result in undesired and unpredictable behavior.
CSCtd04881
No
Serbian web install shows error and installer is English
A popup window appears with an error message in Serbian, which approximately translates to, "Writing error in applied transformation. Recommend to use a valid transformation path."
After clicking OK the installer launches in English, yet the application launches and is fully functional in Serbian.
Note
CSCte55522
No
The Cisco NAC Agent for Release 4.7(2) does not update ZoneAlarm 7.1.078.000 in Windows Vista Ultimate
This particular update works in Windows Vista Ultimate SP0.
Workaround
CSCte64337
No
Unexpected switch to UDP discovery mechanism
There are unexpected SSM events found in the Agent log. These events are caused by unexpected switch to UDP discovery after SwissUdpExchange starts sending Swiss requests.
CSCte76636
No
L3 MAC unable to refresh on Vista (32-bit/64-bit) w/ UAC w/o port bounce
Windows Vista users are not able to get an IP address from the DHCP pool for the access VLAN with web login or web agent.
Workaround
CSCtf02702
No
After deleting and re-adding a CAS, the CAM web console displays that AD SSO is started
This issue does not impact Cisco NAC Appliance functionality. After deleting and re-adding a CAS, the administrator must also reboot the CAS. Once you reboot the CAS (or perform "service perfigo restart"), everything works as designed.
Workaround
CSCtf69345
No
Agent reports incorrect update details for McAfee 8.7.0i on Win7 x64
NAC Agent reports incorrect McAfee virus definition update date and version, while McAfee shows the right date.
This occurs because Windows registry is blocked with permissions issue and prevents McAfee from overwriting the appropriate date and version information to registry.
Workaround
1.
2.
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee3.
4.
5.
CSCtf99678
No
Enable OOB logoff msg for Windows not grayed out in Firefox browser
The Enable OOB logoff for Windows NAC Agent and Mac OS X Agent checkbox is not grayed out in Mozilla Firefox version 3.5.8, even with the "Use 'WINDOWS_ALL' settings for this OS version" option checked.
Note
CSCtg01263
No
Invalid provider name seen between multi-NIC transition with OOB Logoff
This problem is happening because while the role based (with IP refresh) wired NIC is transition from logged in, through IP refresh on logout, then the wireless NIC has the better metric so the wireless side responds, once the ip is refreshed on the wired side an invalid provider is seen and then wired login continues normally.
CSCtg06599
No
IP refresh on Win 7 after successful auth is very slow
After a successful login, it takes 1-4 minutes for a machine to complete the IP refresh. This happens with Windows 7 and Vista machines moving from authentication to access networks (with an IP address change).
This occurs because the Network Connectivity Status Indicator, which is part of the Network Location Awareness in Windows, tries to reach the msftncsi.com web page while performing IP refresh. If it is not able to reach this website, then Microsoft takes longer to sense the machine's status and results in slower applications that require internet access.
For more information, see Known Issue with Delayed IP Address Refresh for Windows 7/Vista Clients Running Cisco NAC Agent.
CSCtg39044
No
Running Internet Explorer in offline more effects Cisco NAC Agent auto-upgrade function
When users access the network via Internet Explorer in offline mode, the Cisco NAC Agent auto-upgrade function does not work correctly for Agent versions 4.7.2.10 and earlier. The login session appropriately prompts the user to upgrade the Agent, but clicking OK brings up the login screen instead of launching the Agent installer.
CSCtg45522
No
Delay in Agent logging out in Vista 64-bit
Found that after authentication when click logout on a Vista 64bit machine, it takes a while before CAM receives the logout message and hence client takes a while to switch back from access to auth.
CSCtg45741
No
IP address release takes a while in Windows 7 32-bit using taskbar logout option
IP release takes a long time to complete on Windows 7 32-bit clients for Cisco NAC Agent. As a result, the delay between release and renew is around 50sec.
CSCtg45753
No
Cisco NAC Agent won't pop-up with multi-NIC same metric /auth/discovery 404
This issue can occur when Agent runs on a client machine with two NICs using the same metric. (For example, the wired interface has NAC, while the wireless interface has no NAC.)
Note
CSCtg57758
No
Error in Mac OS X Agent while editing Filters
CSCtg61995
No
Mac OS X Agent SWISS discovery back-off algorithm
When Mac Agent is not connected to a NAC network, the Agent will never give up on trying to contact the last known CASes. It will continuously send UDP SWISS packet every ~17 seconds forever.
CSCtg65859
No
The Cisco NAC Agent is not able to logout in an OOB deployment
Cisco NAC Appliance generates a "Rogue Client Agent Report" after the user performs web login and then launches the NAC Agent (or closes the NAC Agent dialog window if already launched), and then tries to log out using the NAC Agent in an OOB environment.
Workaround
CSCtg69836
No
HTML Canned Report Missing AV gives blank report, but is ok for PDF
CSCth00256
No
Cert error seen on Mac Agent during login on multinic setup
After importing self-signed certificate in the trusted Root CA on Mac OSX client machine, while logging in using wireless, a message pops up stating that the certificate is incorrect.
Workaround
CSCth17804
No
VPN SSO presents a blank Cisco NAC Agent login dialog
Following a VPN disconnect, the client machine renegotiates for VPN to connect through the network and the user is presented with a blank Agent login dialog.
CSCth60233
No
Windows IP Refresh not working properly after user logoff
This issue has been observed on both Windows XP and Vista client machines—the Agent is not releasing the IP address.
Workaround
CSCth61503
No
Duplicate kernel status message appears during CD installation
The "Memory for crash kernel (0x0 to 0x0) not within permissible range" message appears twice in a row during CD installation.
CSCth73166
No
Remediation and login screens are still displayed after network change
The Agent displays these screens indefinitely (or until the remediation timer expires) after removing the network cable or changing networks while the Agent login or remediation screens are active.
Workaround
CSCth73774
No
McAfee Virus scan 14.0 remediation fails
This issue has been observed during client remediation of McAfee VirusScan 14.0.
Workaround
CSCth85390
No
Certificate dialog appears multiple times when certificate is not valid
Workaround
CSCth85833
No
The Cisco NAC Agent tool-tip indicates logged-in long after VPN disconnect
This issue has been observed performing VPN SSO via the Cisco NAC Agent on Windows 7 client machines.
Note
CSCth88009
No
The Mac OS X Agent's Popup Login Window option does not work during SSO
CSCth98219
No
Agent appears when user is logged in via restricted network access role
When a user logs into an Out-of-Band network and accepts Restricted network access after failing a mandatory requirement. the Cisco NAC Agent appears a second time (and continues to appear each time) when the user either logs in again without remediating, or closes the Agent login dialog.
Workaround
CSCti03955
No
The Agent login dialog becomes unresponsive when the Temporary role timer runs out
This situation can occur if the Temporary role timer expires during a long remediation like WSUS or AV/AS update.
Workaround
Note
CSCti35086
No
Disable Fast SSID change for NAC Wireless OOB setup
Wireless clients without the Cisco NAC Agent installed can associate to a "guest" WLAN where NAC is not enabled.
When FAST SSID Change is enabled globally on a Wireless LAN Controller, wireless clients (without the Cisco NAC Agent installed can then disassociate from the "guest" WLAN and immediately associate to the corporate WLAN (where NAC functionality is enabled), resulting in the client machine being placed directly into the network Access VLAN without being redirected to the Quarantine role.
Workaround
CSCti68556
No
Device MAC address is not added to the filter
Under Device Management > Clean Access > General Setup > Web Login, if Exempt certified devices from web login requirement by adding to MAC filters is checked for MAC_ALL OS, the client MAC address fails to get added to Filters list.
CSCtj07399
No
Clean Access Mac Agent doesn't always recognize AV Definition Updated
When Mac OSX user is connecting to Clean Access without AV installed, the Agent detects that the user fails the check. It detects when the Anti Virus is installed. But, when the Anti Virus signatures are updated, it is not detected by the Agent.
Workaround
CSCtj10001
No
NAC Agent GUI pops up on unmanaged port
The NAC Agent may popup on an unmanaged port with the following message:
"Unable to process out-of-band login request from MAC Add ## IPAddress] reason: [IP] port [Gi2/0/30] is not managed"
Workaround
CSCtj53399
No
Clean Access Server can bridge traffic in RIP mode
There are intermittent issues in which traffic is bridged across a Clean Access Server in RIP mode. Despite being in routed mode, the CAS bridges traffic on the native VLAN, arriving to the CAS untagged.
Workaround
CSCtj59983
No
Exporting reports behaviour inconsistent with filters
When trying to export reports from Clean Access, using any criteria except "is" or "is not" provides false results. The GUI shows the correct results when using any criteria, but the export option downloads all the records and the filter is not applied.
Workaround
CSCtj65580
No
DHCP Requests Fail After Failover to Secondary CAM
In HA setup, when DHCP is working failover to secondary, DHCP Requests are not sent or answered through CAS.
CSCtj81255
No
Two MAC addresses detected on neighboring switch of ACS 1121 Appliance.
Symptom Two MAC addresses are detected on the switch interface connected to an ACS 1121 Appliance although only one interface is connected on the ACS 1121 Server eth 0.
Conditions
Workaround
Caution
CSCtk13370
No
HTC Pure and Blackberry 9700 detected as Windows_All
The HTC Pure and Blackberry 9700 are detected as Windows_All. These phones are not able to run the NAC Agent, so they should be detected as ALL.
Workaround
CSCtk57221
No
CDL timer getting killed when configured CAS status is down
Certified Device List timer on CAM may fail to start at configured time causing no certified devices to get cleared. Once this problem occurs the timer will no longer run and hence the certified devices will not be cleared until one of the following workarounds is performed.
Workaround
•
•
CSCtk65718
No
Need procedure for adding RMA unit with OOB setup
When replacing RMA (stand by unit), active unit must be rebooted as part of the replacement procedure. Some clients may get in access VLAN or auth VLAN depending on prior setting of the switch. When CAM becomes active, clients will not be placed in correct VLAN that are in the access VLAN already. This occurs when both CAMs are down.
Workaround
•
•
•
CSCtl06228
No
Abnormal behavior when "Restricted Network Access" is clicked
In OOB deployment, while downloading the NAC Agent, when the "Restricted Network Access" button is clicked, the NAC Agent keeps on popping up showing the following message:
"You have only restricted network access"
CSCtl11411
No
Redirect delay setting does not take effect when using Web Agent
Advanced SNMP setting "Redirection Delay with bouncing" does not take effect for clients running the web agent and performing posture assessment. This can cause the clients to get redirected to a "Page cannot be displayed" message after logging in if the setting under the user role is set to redirect to a URL.
Workaround
•
•
CSCtl24190
No
Getting messages in CAS console when upgrading from 4.7.3 to 4.8.1
While upgrading NAC version 4.7(3) to 4.8(1), the following message is displayed in the CAS web console:
"value missing in 'icmp type' directive"
Note
CSCtl42765
No
CAM Admin group policies missing option for "Reporting" page
If the Admin users are setup to have read-only access to any configuration, but need to allow them to run Reports from the Monitoring > Reports page, there is no method available to configure this option.
Workaround
The Reporting page access is controlled by the "CCA Servers" option under Device Management. So to minimize the permissions given, and still be able to run Reports, the following configuration will work.
Create an Admin Group with "view only" for all the Clean Access Servers options, and under Module Features set everything to "read only" except for the option "CCA Servers:". Set that to "add-edit".
As long as the individual CASs themselves are set to "view only" the users cannot delete or make any changes to them, but they would be able to perform two admin-like operations on the CAM with this permission set.
1) Add a new Clean Access Server.
2) Enable/Change CCA Server Authorization.
CSCtl59461
No
CAM shows old AV dates even with latest checks set
Even if the CAM Updates are pulling down the latest Checks & Rules, the CAM still shows the latest definition dates for many vendors like AVG, Microsoft, McAfee, and Symantec
Workaround
CSCtl83172
No
Logging failure in CCA Manager
When Clean Access Manager is running all logging at "TRACE", logging stops in /perfigo/control/tomcat/logs.
Workaround
CSCtl85558
No
Nessus scanning doesn't finish completely and doesn't generate logs
When Nessus scanning is enabled for web-logins, the scan is not completed and no logs are generated in the NAC.
Workaround
CSCtl86020
No
Certificate details showing up blank when viewed from CCA device
When the subject line of the certificate contains certain alphanumeric characters, the NAC GUI does not detect them correctly and the certificate details are shown as blank when viewed through the GUI. The functionality of the certificate is not affected, but details are not displayed properly.
Workaround
CSCtn17223
No
DHCP Option 82 not correctly returned by NAC DHCP Server
DHCP Snooping will not work with the NAC Server acting as a DHCP Server. The switch is seen adding option 82 to the Discover and Offer, but the NAC Server does not add option 82 to the lease and does not return option 82 in the Offer.
Workaround
CSCtn19754
No
Client can't log in, still present in CAS OOB OUL
OOB users may randomly fail to connect to the network. Device is not in CDL or OUL of the CAM, however remains in the OUL of the CAS.
Workaround
CSCtn32436
No
Enable User Activity Logging causes load spike on CAM
When "Enable User Activity Logging" is enabled the CAM's postmaster process causes the load on the CAM to raise to the point where users are no longer able to login.
Workaround
CSCtn47794
No
VLANDetectWithoutUI does not function on initial boot
VLANDetectWithoutUI parameter allows VLAN detection to continue running when NACAgentUI.exe is closed or the user logs off.
CSCtn89835
No
CAM should send SNMP SET only to ports not matching the actual configuration
The CAM re-sends SNMP SET for the OID cmnMacAddrLearntEnable on all the switch ports, even when applying a port profile to just a new single port.
CSCtn90737
No
HA Failover GUI settings differ between Primary and Secondary
In the Failover tab for HA setup, the Heartbeat timer default values listed on the screen differ. For Primary Role, the value is 15 seconds, but for Secondary Role, it is 30 seconds.
CSCtn90845
No
After upgrading from 4.8 to 4.8(1), the Failover tab no longer displays the warning if heartbeat timeout is less than the Link-detect timer. This warning was displayed prior to the releases 4.8.
CSCtn93513
No
Restricted VLAN IPs are not NACed correctly
When the "Restrict range to VLAN ID" option is checked, the CAS is not NACing requests for IPs from users in the wrong VLAN.
CSCto25245
No
Running AV/AS canned reports gets hung for ever and stops HA sync
Canned reports for AV/AS information hang and crash HA.
CSCto49390
No
NAC Agent 4.8.1.5 takes long time to login
NAC Agent 4.8.1.5 takes long time to login when used with Symantec Endpoint Protection, v11
CSCto54241
No
OUL is not updated when mac-move trap hits the CAM.
This is only a cosmetic issue as the CAM kicks the user off on the correct port.
CSCto55879
No
Unable to extract CAM backups on 4.8
Not able to extract the Manager database from the tar.gz backup file produced by utilizing the "Create Snapshot" option.
CSCto76408
No
When CA eTrust PestPatrol Anti-Spyware 8.x is updated, the definitions are not detected.
Workaround
CSCto91195
No
CAM syslog stops sending messages after being heavily loaded
When a large amount of data (> 200k) is sent to syslog, the Manager stops sending data. It does not recover from this situation on its own and requires a restart of services to restore syslogging.
Workaround
Manual restart of service on the Manager restores syslogging.
If the issue is triggered by a large purge of the CDL, configure the Manager to clear 60 or fewer CDL entries per minute. This can be done within the Certified Device List Timer by setting to clear the oldest 60 devices every minute, until all matching devices are cleared.
Resolved Caveats - Release 4.8(2)
Refer to Enhancements in Release 4.8(2) for additional information.
Resolved Caveats - Cisco NAC Agent Vers 4.8.2.1/Mac OS X Vers 4.8.2.590
Refer to Enhancements in Release 4.8(2) for additional information.
New Installation of Release 4.8(2)
The following steps summarize how to perform new CD software installation of Release 4.8(2) on supported Cisco NAC Appliance hardware platforms (see Release 4.8(2) and Hardware Platform Support for additional support details).
To upgrade on an existing Cisco NAC Appliance, refer to the instructions in Upgrading to Release 4.8(2).
Note
For New Installation:
With Release 4.8(2), installation occurs in two phases:
1.
2.
Step 1
Step 2
Step 3
a.
b.
c.
Note
d.
Step 4
Step 5
Step 6
Step 7
Step 8
For additional information on configuring your deployment, including adding the CAS(s) to the CAM, refer to the following guides:
•
•
Note
In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice-versa.
Note
Note
Upgrading to Release 4.8(2)
Note
This section provides instructions for how to upgrade your existing supported Cisco NAC Appliance platform to Release 4.8(2). If you need to perform a new CD software installation, refer instead to New Installation of Release 4.8(2).
Refer to the following information prior to upgrade:
•
•
•
•
Caution
Note
Paths for Upgrading to Release 4.8(2)
Depending on the type of upgrade you are performing, use one of the following sets of guidelines to successfully upgrade your Cisco NAC Appliance release image, Cisco NAC Appliance hardware, or both:
•
•
•
Note
Migrating from Customer-Supplied Hardware to Release 4.8(2) on a NAC-3310/3350/3390 Platform
Note
If you are running the Cisco NAC Appliance software (Release 4.1(x) or earlier) on a non-Cisco NAC Appliance platform, you must purchase Cisco NAC Appliance hardware before you can upgrade your system to Release 4.6(1) or later. You may additionally need to obtain proper FlexLM product licenses. Once you obtain your new Cisco NAC Appliance hardware, Cisco recommends that you:
Step 1
Step 2
Step 3
Step 4
Note
Step 5
Step 6
Upgrading an Existing NAC-3310/3350/3390 Platform to Release 4.8(2)
Note
The Release 4.8(2) .ISO installation/upgrade image only supports upgrade from Release 4.6(1), 4.7(x), and 4.8. If you are running an older software version (e.g. Release 4.1(8) or earlier), you must first upgrade your system to one of the supported base releases for Release 4.8(2) upgrade.
Step 1
Step 2
Step 3
Migrating from a NAC-3310/3350/3390 Platform to Release 4.8(2) on a NAC-3315/3355/3395 Platform
Note
If you are running the Cisco NAC Appliance software (Release 4.1(x) or earlier) on a NAC-3310/3350/3390 platform and are planning to upgrade to next generation NAC-3315/3355/3395 hardware you must first upgrade your existing system to Release 4.6(1) or later before shifting to a new hardware platform. You may additionally need to obtain proper FlexLM product licenses for your new hardware before upgrading, as well. Once you obtain your next generation NAC-3315/3355/3395 hardware, Cisco recommends that you:
Step 1
Step 2
Step 3
Step 4
Step 5
Changes for 4.8(2) Upgrade
Cisco NAC Appliance Release 4.8(2) is an Early Deployment software maintenance release. Cisco strongly recommends to test new releases on a pilot system prior to upgrading your production system.
If planning to upgrade to Cisco NAC Appliance Release 4.8(2), note the following:
•
Hardware Considerations
•
–
Note
–
You cannot install any Cisco NAC Appliance release other than Release 4.7(0) or later on the NAC-3315, NAC-3355, and NAC-3395. You cannot upgrade to or install Release 4.6(1) and later on any non-Cisco platform. See Hardware Support for additional details.
•
Upgrade Changes
Warning•
•
•
•
•
•
•
•
•
Note
Features That May Change With Upgrade
•
•
If you are upgrading to Release 4.5(1) and later, however, your existing values for these settings are preserved and you must specify new values for these settings to take advantage of the enhanced CAS Fallback capabilities available in Release 4.5(1).•
Password Changes
•
•
For additional details, see also:
•
General Preparation for Upgrade
Cisco strongly recommends you review this section carefully before commencing any Cisco NAC Appliance upgrade.
Caution
•
You must upgrade your Clean Access Manager and all your Clean Access Servers concurrently. The Cisco NAC Appliance architecture is not designed for heterogeneous support (i.e., some Clean Access Servers running 4.8 software and some running 4.6(1) or 4.7(x) software).
•
Depending on the number of Clean Access Servers you have, the upgrade process should be scheduled as downtime. For minor release upgrades, our estimates suggest that it takes approximately 10 to 20 minutes for the Clean Access Manager upgrade and 10 minutes for each Clean Access Server upgrade. Use this approximation to estimate your downtime window.
•
Starting with Cisco NAC Appliance Release 4.1(6), the Clean Access Manager and Clean Access Server require encrypted communication. Therefore, you must upgrade CASs before the CAM that manages them to ensure the CASs have the same (upgraded) release when the CAM comes back online and attempts to reconnect to the managed CASs.
If you upgrade the Clean Access Manager by itself, the Clean Access Server (which loses connectivity to the CAM during Clean Access Manager restart or reboot) continues to pass authenticated user traffic only if the CAS Fallback Policy specifies that Cisco NAC Appliance should "ignore" traffic from client machines.
•
When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for Cisco NAC Appliance CAMs/CASs, and for any other server hardware platform that supports the BIOS redirection to serial port functionality.
Note
•
Cisco recommends creating a manual backup snapshot before and after upgrade of your CAM database. The snapshot contains CAM database configuration and CAS configuration for all CASs added to the CAM's domain. Pre- and post-upgrade snapshots allow you to revert to your previous database should you encounter problems during upgrade and preserves your upgraded database as a baseline after upgrade. Make sure to download the snapshots to another machine for safekeeping. After upgrade, delete all earlier snapshots from the CAM web console as they are no longer compatible.
Warning•
Cisco recommends to backup all the necessary files that are not related to the database configuration from the system before running upgrade. For example, any previous database backups and CAM/CAS log files can be backed up.
•
Once you have upgraded your software to Release 4.8(2), if you wish to revert to your previous version of software, you will need to reinstall the previous version from the CD and recover your configuration based on the backup you performed prior to upgrading to 4.8(2). See Upgrade Instructions for Standalone Machines for additional details.
•
For upgrade via console/SSH, you will need your CAM and CAS root user password.
Upgrade Instructions for Standalone Machines
This section describes how to upgrade standalone (i.e. non-HA) CAM/CAS machines from Release 4.6(1), 4.7(x), or 4.8 to Release 4.8, and only applies to Cisco NAC-3310/3350/3390 or Cisco NAC-3315/3355/3395 platforms. If you have HA CAM/CAS pairs, refer instead to Upgrade Instructions for HA Pairs.
In Cisco NAC Appliance release 4.8(2), you can now use a .tar.gz upgrade process similar to that used for upgrading CAM/CAS appliances in earlier releases of Cisco NAC Appliance (like the process used in Release 4.6(1) and Release 4.7(2)) instead of having to perform "in-place" upgrades via an .ISO image on a CD-ROM, as is required to upgrade to Cisco NAC Appliance release 4.7(0) and 4.7(1).
After you have downloaded and copied the upgrade file to the CAM/CAS, you must use the CAM/CAS CLI to extract the upgrade image files and perform the upgrade procedure as described in:
•
•
Note
Review Changes for 4.8(2) Upgrade and General Preparation for Upgrade before proceeding with these upgrade instructions.
Summary of Steps for Standalone Upgrade
The steps to upgrade standalone 4.8(2) systems are as follows:
1.
3.
4.
Create CAM DB Backup Snapshot
This section describes how to back up your current system so that you can retrieve your previous configuration in case there is an issue with the upgrade process.
Note
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
Download the Upgrade File
This section describes how to access and download the upgrade file to your local machine.
Step 1
Step 2
Step 3
•
•
Copy the Upgrade File to the CAS/CAM
This section describes how to copy the upgrade file to the Clean Access Manager and Clean Access Server(s) respectively using WinSCP, SSH File Transfer, or PSCP as described below.
If Using the Release 4.8, Release 4.7(x), or Release 4.6(1) CAM/CAS Web Console
Step 1
Step 2
•
•
Step 3
If Using WinSCP or SSH File Transfer
Step 1
Step 2
Step 3
Step 4
If Using PSCP
Step 1
Step 2
Step 3
pscp cca_upgrade-4.8.2-from-4.6.x.tar.gz root@<ipaddress_manager>:/storeor
pscp cca_upgrade-4.8.2-from-4.7.x-4.8.x.tar.gz root@<ipaddress_manager>:/storeStep 4
pscp cca_upgrade-4.8.2-from-4.6.x.tar.gz root@<ipaddress_server>:/storeor
pscp cca_upgrade-4.8.2-from-4.7.x-4.8.x.tar.gz root@<ipaddress_server>:/store
Run the Upgrade Script on a Release 4.7(x) or 4.8(x) CAM/CAS
This section describes how to untar the upgrade file and run the script to upgrade standalone CAM/CAS machines from release 4.7(x) or 4.8(x) to release 4.8(2). You will need to login with your CAM and CAS root user passwords and access the command line of the CAM or CAS machine using one of the following methods:
•
•
•
When run, the upgrade script automatically determines whether the machine is a Clean Access Manager (CAM) or Clean Access Server (CAS) and executes accordingly.
Note
Step 1: Upgrade the Release 4.7(x) CAS
Step 1
Step 2
Step 3
cd /storeStep 4
ls -lStep 5
tar xzvf cca_upgrade-4.8.2-from-4.7.x-4.8.x.tar.gzThe extraction process automatically places the upgrade files and necessary upgrade script in the /cca_upgrade-4.8.2 directory.
Step 6
cd cca_upgrade-4.8.2./UPGRADE.shStep 7
Finished upgrading the system to 4.8.2Upgrade is complete.Changes require a REBOOTStep 8
rebootStep 9
cd /perfigo/common/bin/./showstate.sh | grep INCORRECTIf you do not see any output from the "grep INCORRECT" portion of the command, then your appliance has been upgraded successfully.
If your system returns any "INCORRECT" statements from the upgrade process, enter ./showstate.sh again to capture the entire upgrade process output (including all CORRECT and INCORRECT entries) and save it to an easily accessible location on your local machine along with your backup snapshot you created in Create CAM DB Backup Snapshot to help debug any upgrade issues.
Step 10
Tip
Step 2: Upgrade the Release 4.7(x) or 4.8 CAM
Step 1
Step 2
Step 3
cd /storeStep 4
ls -lStep 5
tar xzvf cca_upgrade-4.8.2-from-4.7.x-4.8.x.tar.gzThe extraction process automatically places the upgrade files and necessary upgrade script in the /cca_upgrade-4.8.2 directory.
Step 6
cd cca_upgrade-4.8.2./UPGRADE.shStep 7
Stopping the perfigo service...Currently installed Windows NAC Agent version is 4.7.1.15. Do you want to change the Windows NAC Agent to version 4.8.2.1 (y/n)? [y] yCurrently installed Mac Agent version is 4.7.0.2. Do you want to change the Mac Agent to version 4.8.2.590 (y/n)? [y] yGoing to upgrade the manager rpmWindows NAC Agent version updated to 4.8.2.1.Mac Agent version updated to 4.8.2.590.Step 8
Finished upgrading the system to 4.8.2Upgrade is complete.Changes require a REBOOTStep 9
rebootStep 10
cd /perfigo/common/bin/./showstate.sh | grep INCORRECTIf you do not see any output from the "grep INCORRECT" portion of the command, then your appliance has been upgraded successfully.
If your system returns any "INCORRECT" statements from the upgrade process, enter ./showstate.sh again to capture the entire upgrade process output (including all CORRECT and INCORRECT entries) and save it to an easily accessible location on your local machine along with your backup snapshot you created in Create CAM DB Backup Snapshot to help debug any upgrade issues.
Tip
Run the Upgrade Script on a Release 4.6(1) CAM/CAS
This section describes how to untar the upgrade file and run the script to upgrade standalone CAM/CAS machines from Release 4.6(1) to Release 4.8(2). If you are upgrading an existing Release 4.7(x) or 4.8 CAM/CAS, see Run the Upgrade Script on a Release 4.7(x) or 4.8(x) CAM/CAS. You will need to login with your CAM and CAS root user passwords and access the command line of the CAM or CAS machine using one of the following methods:
•
•
When run, the upgrade script automatically determines whether the machine is a Clean Access Manager (CAM) or Clean Access Server (CAS) and executes accordingly.
Note
Step 1: Upgrade the Release 4.6(1) CAS
Step 1
Step 2
Step 3
cd /storeStep 4
ls -lStep 5
tar xzvf cca_upgrade-4.8.2-from-4.6.x.tar.gzThe extraction process automatically places the upgrade files and necessary upgrade script in the /cca_upgrade-4.8.2 directory.
Step 6
cd cca_upgrade-4.8.2./UPGRADE.shStep 7
After setting up the system for upgrade, upgrade will runin Standard or Serial console as per selection below.Please choose one of the following actions:1) Upgrade over Standard console (monitor and keyboard).2) Upgrade over Serial console.3) Upgrade without user interaction.4) Exit upgrade.3
Note
Step 8
The master secret is used to encrypt sensitive data.Remember to configure all HA pairs with the same secret.Please enter the master secret:Please confirm the master secret:After reboot, upgrade will proceed without user interaction.Upgrade will take 20-30 minutes to complete. Once upgrade completes, machine is rebooted and will be available for ssh login.After logging back in, please check the log at /root/nac-install.log.If the upgrade is successful, the log file should contain "Upgrade completed successfully.".nac-upgrade: ready to reboot. Press <ENTER> to reboot
Note
Step 9
Step 10
ping <appliance IP address>Once the appliance is reachable, SSH into the appliance to verify connectivity before proceeding with the set up for the CAM.
Step 11
cd /perfigo/common/bin/./showstate.sh | grep INCORRECTIf you do not see any output from the "grep INCORRECT" portion of the command, then your appliance has been upgraded successfully.
If your system returns any "INCORRECT" statements from the upgrade process, enter ./showstate.sh again to capture the entire upgrade process output (including all CORRECT and INCORRECT entries) and save it to an easily accessible location on your local machine along with your backup snapshot you created in Create CAM DB Backup Snapshot to help debug any upgrade issues.
Step 12
Tip
Step 2: Upgrade the Release 4.6(1) CAM
Note
Step 1
Step 2
Step 3
cd /storeStep 4
ls -lStep 5
tar xzvf cca_upgrade-4.8.2-from-4.6.x.tar.gzThe extraction process automatically places the upgrade files and necessary upgrade script in the /cca_upgrade-4.8.2 directory.
Step 6
cd cca_upgrade-4.8.2./UPGRADE.shStep 7
After setting up the system for upgrade, upgrade will runin Standard or Serial console as per selection below.Please choose one of the following actions:1) Upgrade over Standard console (monitor and keyboard).2) Upgrade over Serial console.3) Upgrade without user interaction.4) Exit upgrade.3
Note
Step 8
The master secret is used to encrypt sensitive data.Remember to configure all HA pairs with the same secret.Please enter the master secret:Please confirm the master secret:After reboot, upgrade will proceed without user interaction.Upgrade will take 20-30 minutes to complete. Once upgrade completes, machine is rebooted and will be available for ssh login.After logging back in, please check the log at /root/nac-install.log.If the upgrade is successful, the log file should contain "Upgrade completed successfully.".nac-upgrade: ready to reboot. Press <ENTER> to rebootStep 9
Step 10
ping <appliance IP address>Once the appliance is reachable, SSH into the appliance to verify connectivity.
Step 11
cd /perfigo/common/bin/./showstate.sh | grep INCORRECTIf you do not see any output from the "grep INCORRECT" portion of the command, then your appliance has been upgraded successfully.
If your system returns any "INCORRECT" statements from the upgrade process, enter ./showstate.sh again to capture the entire upgrade process output (including all CORRECT and INCORRECT entries) and save it to an easily accessible location on your local machine along with your backup snapshot you created in Create CAM DB Backup Snapshot to help debug any upgrade issues.
Tip
Upgrade Instructions for HA Pairs
In Cisco NAC Appliance release 4.8(2), you can now use a .tar.gz upgrade process similar to that used for upgrading CAM/CAS appliances in earlier releases of Cisco NAC Appliance (like the process used in Release 4.6(1) and Release 4.7(2)) instead of having to perform "in-place" upgrades via an .ISO image on a CD-ROM, as is required to upgrade to Cisco NAC Appliance release 4.7(0) and 4.7(1).
See Release 4.8(2) Upgrade Instructions for HA Pairs to upgrade your HA Pair CAM/CAS appliances.
Release 4.8(2) Upgrade Instructions for HA Pairs
This section describes how to upgrade high-availability (HA) pairs of CAM or CAS servers from Release 4.6(1), 4.7(x), or 4.8 to Release 4.8(2), and only applies to Cisco NAC-3310/3350/3390 or Cisco NAC-3315/3355/3395 platforms. If you have standalone CAM/CAS servers, refer instead to Upgrade Instructions for Standalone Machines.
Note
Note
Note
Note
Review Changes for 4.8(2) Upgrade and General Preparation for Upgrade before proceeding with these upgrade instructions.
Upgrading HA-CAM and HA-CAS Pairs
The following steps show the recommended way to upgrade an existing high-availability (failover) pair of Clean Access Managers or Clean Access Servers.
Warning
Step 1
•
•
Step 2
Note
Step 3
Step 4
Step 5
cd /storeStep 6
ls -lStep 7
tar xzvf cca_upgrade-4.8.2-from-4.7.x-4.8.x.tar.gzor
tar xzvf cca_upgrade-4.8.2-from-4.6.x.tar.gzThe extraction process automatically places the upgrade files and necessary upgrade script in the /cca_upgrade-4.8.2 directory.
Step 8
cd /perfigo/common/bin/./fostate.shThe results should be either "My node is active, peer node is standby" or "My node is standby, peer node is active". No nodes should be dead. This should be done on both appliances, and the results should be that one appliance considers itself active and the other appliance considers itself in standby mode. Future references in these instructions that specify "active" or "standby" refer to the results of this test as performed at this time.
Note
•
•
Step 9
For CAM—service perfigo stop
For CAS—service perfigo maintenance
Step 10
Step 11
cd /perfigo/common/bin/./fostate.shMake sure this returns "My node is active, peer node is dead" before continuing.
Step 12
a.
b.
./UPGRADE.shc.
Please choose whether to upgrade Windows Agent to 4.8.2.1 (It's highly recommended to upgrade) (y/n)? [y]Please choose whether to upgrade Mac Agent to 4.8.2.590 (It's highly recommended to upgrade) (y/n)? [y]Step 13
service perfigo stopWait until the active appliance has suspended services.
Step 14
service perfigo startStep 15
a.
b.
cd cca_upgrade-4.8.2c.
./UPGRADE.shd.
Please choose whether to upgrade Windows Agent to 4.8.2.1 (It's highly recommended to upgrade) (y/n)? [y]Please choose whether to upgrade Mac Agent to 4.8.2.590 (It's highly recommended to upgrade) (y/n)? [y]Step 16
cd /perfigo/common/bin/./showstate.sh | grep INCORRECTIf you do not see any output from the "grep INCORRECT" portion of the command, then your appliance has been upgraded successfully.
If your system returns any "INCORRECT" statements from the upgrade process, enter ./showstate.sh again to capture the entire upgrade process output (including all CORRECT and INCORRECT entries) and save it to an easily accessible location on your local machine along with your backup snapshot you created in Create CAM DB Backup Snapshot to help debug any upgrade issues.
Step 17
service perfigo stopStep 18
rebootWait until it is running normally and you are able to connect to the web console.
Step 19
reboot
Note
Known Issues for Cisco NAC Appliance
This section describes known issues when integrating Cisco NAC Appliance:
•
•
•
•
•
•
•
•
•
•
•
•
Known Issue with CAS-to-CAM Certificate Verification in Internet Explorer
When launching the CAM web console in Release 4.8(2) using Internet Explorer, you may see a "Choose a digital certificate" pop-up dialog with no options available in the selection window. This pop-up is a result of the way the CAM verifies CAS-to-CAM certificates for communication. If you click OK or Cancel, the dialog disappears and you can continue the web console session normally. If you want to ensure this pop-up does not appear in the future. you can apply the following custom security setting in Internet Explorer:
1.
2.
3.
Note
Known Issue with Delayed IP Address Refresh for Windows 7/Vista Clients Running Cisco NAC Agent
The IP address release/renew process for Windows 7 and Windows Vista client machines running Cisco NAC Agent version 4.8.0.x that move from the authentication to access VLAN can take as long as 4 minutes to complete.
This situation can occur when the Network Connectivity Status Indicator, which is part of the Network Location Awareness in Windows, tries to reach the msftncsi.com web page while refreshing the client machines IP address. When the client machine cannot reach this page, Windows 7 and Windows Vista take longer to sense the machine's status, thus slowing down applications requiring internet access.
For reference, see:
•
•
To resolve this issue, open the following sites using host traffic policies in any user roles associated with the client login session (Unauthenticated/Quarantine, Temporary, and standard user login roles):
•
•
The administrator can also use a utility like Microsoft SMS to pass a registry update disabling this option in the Windows registry on client machines.
See CSCtg06599 for more information.
Known Issue with Enabling Web Login for Windows 7 Starter Edition Clients
Note
Cisco NAC Agent version 4.7.1.511 and Cisco NAC Web Agent version 4.7.1.504 do not support Windows 7 Starter Edition. Client machines with the Windows 7 Starter Edition operating system can only perform web login to verify user credentials when logging into the network via Cisco NAC Appliance Release 4.7(1). The solution to simultaneously provide Cisco NAC Appliance support for web login on Windows 7 Starter Edition client machines as well as Agent login for other Windows operating systems requires the administrator to add a web login page that classifies Windows 7 Starter Edition in a "WINDOWS_ALL" operating system context. To enable web login functions for client machines running Windows 7 Starter Edition:
•
•
–
–
Known Issue with Mass DHCP Address Deletion
An issue exists in Release 4.5(1) and later where a Clean Access Server configured to be a DHCP server can become unmanageable if the administrator attempts to delete more than 800 DHCP addresses from the appliance using the Clean Access Manager web console. If you have more than 800 DHCP addresses, Cisco recommends deleting addresses in smaller blocks of no more than 800 addresses at a time.
In addition to ensuring you do not delete more than 800 DHCP addresses at a time, there are two methods to work around this potential issue.
Workaround 1
The DHCP IP delete can be done manually by connecting to the CLI and executing the following commands:
service perfigo stoprm -f /var/state/dhcp/dhcpd.leasestouch /var/state/dhcp/dhcpd.leasesservice perfigo startIf on an HA system, Cisco strongly recommends taking the CASs offline and performing the commands on both machines simultaneously, taking particular care to issue the service perfigo start on the two appliances at roughly the same time.
Workaround 2
If you experience this problem more than once, Cisco recommends changing the Clean Access Manager timeout value by editing the /perfigo/control/bin/starttomcat file and adding "-DRMI_READ_TIME_OUT=<new value>" to the end of the CATALINA_OPTS options string. (The current default value is 60 seconds, and Cisco does not recommend increasing the timeout value to any more than 300 seconds.) Please note that increasing the read time out value can likely lower the resiliency of WAN deployments, thus reversing the CAM/CAS connectivity improvements introduced when Cisco addressed caveat CSCsw20607 in the Release Notes for Cisco NAC Appliance, Version 4.5(1).
Note
For more information, see CSCsx35438.
Known Issue for VPN SSO Following Upgrade to Release 4.5 and Later
When you upgrade your Cisco NAC Appliance network employing VPN SSO to Release 4.5 and later, user login does not work properly when the user VPN is part of a managed subnet on the CAS.
In Release 4.5 and later, the SWISS protocol checks the MAC address for Layer 2 clients, but the MAC address reported by the Agent (which is the real client MAC address) is different from the one the CAS gets for the client (the VPN concentrator MAC address). As a result, the SWISS protocol tells the Agent that the client machine is not logged in (due to the different MAC addresses recorded) and the Agent launches the login dialog repeatedly, never able to complete login. Prior to Release 4.5, the Clean Access Server associates the client with the VPN IP address and VPN Concentrator's MAC address after the first login. From there, the SWISS protocol only checks the IP address from the Agent and reports back to the Agent that the client is logged in (regardless of whether the client is connected via Layer 2 or Layer 3).
To work around this issue, remove the subnet making up the client machine address pool from the collection of managed subnets and create a Layer 3 static route on the CAS untrusted interface (eth1) with VPN concentrator's IP address as the gateway for the VPN subnet using the CAM web console Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Static Routes page.
Known Issues with Web Upgrade in Release 4.1(3), 4.1(6), and 4.1(8)
In Cisco NAC Appliance Release 4.8, web upgrade is no longer supported and cannot be used to upgrade Cisco NAC Appliances on Release 4.1(3) and later. To upgrade your Cisco NAC Appliances from Release 4.1(3) and later, you must run the upgrade script via the in-place Install/Upgrade CD method, as described in Upgrading to Release 4.8(2).
Note
Known Issue with Active HA CAM Web Console Following Failover
For a brief period following a failover event, the administrator web console for the newly "active" CAM retains the limited menu/submenu options previously available while the machine was still the "standby" CAM.
To manually reproduce this scenario:
1.
2.
3.
4.
5.
To get the administrator web console to display properly, simply reload (Ctrl-refresh) the CAM HA-Service IP/hostname web page to display the full GUI for the now "active" CAM.
Known Issue with Cisco NAC Appliance CAM/CAS Boot Settings
When performing CD software installation, if a Cisco NAC Appliance CAM/CAS does not read the software on the CD ROM drive, and instead attempts to boot from the hard disk, you will need to configure the appliance BIOS settings to boot from CD ROM before attempting to re-image or upgrade the appliance from CD. For detailed steps, refer to the "Configuring Boot Settings on the Cisco NAC Appliance CAM/CAS" section of the Cisco NAC Appliance Hardware Installation Guide, Release 4.8(2).
Client machines going across a GRE tunnel in the network are unable to authenticate and the agent doesn't popup.
Known Issue with IP Packet Fragmentation Leading to Disconnect Between CAS and Agent
TCP traffic between the Agent and CAS can break down if the overall network path MTU is smaller than the MTU needed for the CAS to send unfragmented packets and the packet coming from the CAS to the Agent has the "do not fragment" setting enabled.
Note
To address this issue, apply one of the following solutions to your network:
•
•
Example configuration:
interface FastEthernet0/0ip address 10.32.32.101 255.255.255.0ip policy route-map removedontfragduplex autospeed auto!access-list 101 permit tcp host 10.255.253.152 anyaccess-list 101 permit tcp host 10.255.252.152 anyaccess-list 101 permit tcp host 1.1.1.1 any!route-map removedontfrag permit 10match ip address 101set ip df 0NOTE: 10.255.253.152 is the trusted IP Address of the CASNOTE: 10.255.252.152 is the trusted IP Address of the CASNOTE: 1.1.1.1 is the discovery host resolved IP Address.Known Issues with Switches
For complete details, see Cisco NAC Appliance Switch and Wireless LAN Controller Support.
Known Issues with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Due to changes in DHCP server operation with Cisco NAC Appliance Release 4.0(2) and later, networks with Cisco 2200/4400 Wireless LAN Controllers (also known as Airespace WLCs) which relay requests to the Clean Access Server (operating as a DHCP server) may have issues. Client machines may be unable to obtain DHCP addresses. Refer to the "Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) and DHCP" section of Cisco NAC Appliance Switch and Wireless LAN Controller Support for detailed instructions.
Note
Note
Known Issue for Windows Vista and IP Refresh/Renew
When logged in as a machine admin on Windows Vista and using web login with IP refresh configured, IP address refresh/renew via ActiveX or Java will fail due to the fact that Internet Explorer does not run as an elevated application and Vista requires elevated privileges to release and renew an IP address.
Workaround
In order to use the IP refresh feature, you will need to:
1.
2.
3.
See also CSCsm61077.
Known Issue with System Center Endpoint Protection
Previously, the Anti Virus product System Center Endpoint Protection 2012 was recognized by the Compliance Module as System Center Endpoint Protection 2.x. If you are using the updated version of System Center Endpoint Protection 2012 released by Microsoft, then it is detected as Microsoft Security Essential 4.x.
Troubleshooting
This section provides troubleshooting information for the following topics:
•
•
•
•
•
•
•
•
•
•
•
Note
Disabling Administrator Prompt for Certificate on IE 8 and 9
If no certificates or only one certificate is installed in the personal store in Windows then there is an administrator prompt for certificate in IE9. The prompt can be disabled by setting the option on Internet Explorer.
To disable the prompt:
Step 1
Step 2
Step 3
Step 4
Enabling TLSv1 on Internet Explorer Version 6
Cisco NAC Appliance network administrators managing the CAM/CAS via web console and client machine browsers accessing a FIPS-compliant Cisco NAC Appliance Release 4.7(0) network require TLSv1 in order to "talk" to the network, which is disabled by default in Microsoft Internet Explorer Version 6.
To locate and enable this setting in IE version 6:
Step 1
Step 2
Step 3
Step 4
Step 5
Note
Windows Vista and Windows 7—IE 7 and IE 8 Certificate Revocation List
Note
In Release 4.6(1) and later, you can use the "AllowCRLChecks" attribute in the NACAgentCFG.xml file to turn off Certificate Revocation List (CRL) checking for the Cisco NAC Agent during discovery and negotiation with the CAS. For details, see the "Cisco NAC Agent XML Configuration File Settings" section in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(2).
The "Network error: SSL certificate rev failed 12057" error can occur and prevent login for Clean Access Agent or Cisco NAC Web Agent users in either of the following cases:
1.
2.
–
–
To resolve this issue, perform the following actions:
Step 1
Step 2
a.
b.
HA Active-Active Situation Due to Expired SSL Certificates
HA communication for both HA-CAMs and HA-CASs is handled over IPSec tunnels to secure all communications between the two HA pair appliances. This IPSec tunnel is negotiated based on the SSL certificates uploaded to the HA pairs for both CAM and CAS. In case the SSL certificates are not trusted by the two HA peers, have expired, or are no longer valid, the HA heartbeat communication between the two HA pairs breaks down, leading both HA pair appliances to assume the Active HA-Primary) role.
For CASs deployed in VGW mode, this can potentially create a Layer 2 loop that could bring down the network. HA-CAMs with expired or invalid SSL certificates could lead to an Active-Active situation where the database is not synced between the two HA-CAM appliances. Eventually, this situation leads to the CAMs losing all recent configuration changes and/or all recent user login information following an HA-CAM failover event.
As HA communication over IPSec tunnels requires valid SSL certificates on both the CAM and CAS, the CAM-CAS communication also breaks down if the SSL certificate expires on either the CAM or CAS. This situation leads to end user authentications failures and the CAS reverting to fallback mode per CAS configuration.
Administrators can minimize HA appliance Active-Active situations due to expired SSL certificates by using SSL certificates with longer validity periods and/or using serial port connection (if available and not used to control another CAM or CAS) for HA heartbeat. However, when you configure HA-CAMs to perform heartbeat functions over the serial link and the primary eth1 interface fails because of SSL certificate expiration, the CAM returns a database error indicating that it cannot sync with its HA peer and the administrator receives a "WARNING! Closed connections to peer [standby IP] database! Please restart peer node to bring databases in sync!!" error message in the CAM web console.
Note
Note
Agent AV/AS Rule Troubleshooting
When troubleshooting AV/AS Rules:
•
•
When troubleshooting AV/AS Rules, please provide the following information:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Debug Logging for Cisco NAC Appliance Agents
This section describes how to view and/or enable debug logging for Cisco NAC Appliance Agents. Refer to the following sections for steps for each Agent type:
•
•
Copy these event logs to include them in a customer support case.
Generate Cisco NAC Agent Debug Logs
To generate Cisco NAC Agent logs using the Cisco Log Packager utility, refer to the "Create Agent Log Files Using the Cisco Log Packager" section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(2).
Cisco NAC Web Agent Logs
The Cisco NAC Web Agent version 4.1.3.9 and later can generate logs when downloaded and executed. By default, the Cisco NAC Web Agent writes the log file upon startup with debugging turned on. The Cisco NAC Web Agent generates the following log files for troubleshooting purposes: webagent.log and webagentsetup.log. These files should be included in any TAC support case for the Web Agent. Typically, these files are located in the user's temp directory, in the form:
C:\Document and Settings\<user>\Local Settings\Temp\webagent.log
C:\Document and Settings\<user>\Local Settings\Temp\webagentsetup.log
If these files are not visible, check the TEMP environment variable setting. From a command-prompt, type "echo %TEMP%" or "cd %TEMP%".
When the client uses Microsoft Internet Explorer, the Cisco NAC Web Agent is downloaded to the C:\Documents and Settings\<user>\Local Settings\Temporary internet files directory.
Generate Mac OS X Agent Debug Log
For Mac OS X Agents, the Agent event.log file and preference.plist user preferences file are available under <username> > Library > Application Support > Cisco Systems > CCAAgent.app. To change or specify the LogLevel setting, however, you must access the global setting.plist file (which is different from the user-level preference.plist file).
Because Cisco does not recommend allowing individual users to change the LogLevel value on the client machine, you must be a superuser or root user to alter the global setting.plist system preferences file and specify a different Agent LogLevel.
Note
To view and/or change the Agent LogLevel:
Step 1
Step 2
Step 3
Step 4
Step 5
•
•
•
•
Note
Note
Property List Editor is an application included in the Apple Developer Tools for editing .plist files. You can find it at <CD-ROM>/Developer/Applications/Utilities/Property List Editor.app.
If the setting.plist file is editable, you can use a standard text editor like vi to edit the LogLevel value in the file.
You must be the root user to edit the file.
Creating CAM/CAS Support Logs
The Support Logs web console pages for the CAM and CAS allow administrators to combine a variety of system logs (such as information on open files, open handles, and packages) into one tarball that can be sent to TAC to be included in the support case. Refer to "Support Logs" sections of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(2) or Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(2).
Recovering Root Password for CAM/CAS
Refer to the "Password Recovery" chapter of the Cisco NAC Appliance Hardware Installation Guide, Release 4.8.
Troubleshooting CAM/CAS Certificate Issues
Refer to the "Troubleshooting Certificate Issues" sections of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(2) or Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(2).
Troubleshooting Switch Support Issues
To troubleshoot switch issues, see Cisco NAC Appliance Switch and Wireless LAN Controller Support.
Other Troubleshooting Information
For general troubleshooting tips, see the following Technical Support webpage:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
Documentation Updates
Table 8 Updates to Release Notes for Cisco NAC Appliance, Release 4.8(2)
3/28/13
10/20/11
Added Disabling Administrator Prompt for Certificate on IE 8 and 9
9/28/11
Added HA Active-Active Situation Due to Expired SSL Certificates
8/22/11
Release of Mac OS X Agent Version 4.8.2.591 that supports Mac OS X 10.7 "Lion"
6/2/11
Added CSCtj81255 to Open Caveats - Release 4.8(2)
5/10/11
Updated Open Caveats - Release 4.8(2) and Resolved Caveats - Release 4.8(2)
5/3/11
Release 4.8(2)
Related Documentation
For the latest updates to Cisco NAC Appliance documentation on Cisco.com see: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html or simply http://www.cisco.com/go/cca.
•
•
•
•
•
•
•
•
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2011 Cisco Systems, Inc. All rights reserved.
