
Cisco NAC Appliance (Clean Access)

Clean Access Agent FAQ

Document ID: 63591



Questions

Introduction
What do I need to do to correct the problem when Mac clients are not redirected to the 'Page Not Found' page?
What operating systems are supported?
Does Cisco support Custom APIs?
Does Cisco support the agent on VMware or Shared Drivers?
The Cisco Clean Access Agent displays either the "SecureSmart is not available on the network" or "No SecureSmart Server found on the network" error message. I rebooted the Cisco Clean Access Server and worked around it for a while. How do I fix this?
The Cisco Clean Access Agent receives the "Network Error" error message while it logs on. Why is this?
I have freshly installed the Windows 98 system. When I go to install the 3.2.0 Cisco Clean Access Agent client on the machine I get prompted to update the installer. However, as soon as the Cisco Clean Access Agent attempts to update the installer I get the "The provided instmsi upgrade executable 'C:Windows\Temporary Internet Files\Content.IE5\KXERWHYB\InstMSIA[2].exe' is invalid" error message. How do I fix this?
Who does the Cisco Clean Access Server try to communicate with when it connects using port 8905 as its source port?
I uploaded Cisco Clean Access Agent to my Cisco Clean Access Server. However, the Cisco Clean Access Server does not publish it. I get a message "Checking for the uploaded SmartEnforcer client file.... SmartEnforcer client file not found." How do I fix this?
How do I limit SSH access to the Cisco Clean Access Server?
How do I disable Clean Access Agent for Windows 98/95?

Introduction

This document answers the most frequently asked questions (FAQs) related to Cisco Clean Access Agent (formerly Perfigo SmartEnforcer).

The product names have changed. This table lists both the old and new names:

| Old Name | New Name |
|---|---|
| SmartManager | Clean Access Manager |
| SecureSmart Server | Clean Access Server |
| SmartEnforcer | Clean Access Agent |
| CleanMachinesAPIs | Clean Access APIs |

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Q. What do I need to do to correct the problem when Mac clients are not redirected to the 'Page Not Found' page?

A. Make sure that you do not use a domain name that ends in .local. The Mac treats this as a special DNS name for multicast DNS. Therefore, the resolution request is never sent to the DNS server.

Q. What operating systems are supported?

A. Agents are supported only on Windows 98 through XP. Mac and Linux are not supported.

Q. Does Cisco support Custom APIs?

A. No.

Q. Does Cisco support the agent on VMware or Shared Drivers?

A. This list describes what is and is not supported by the NAC agent on VMware.

  • VMware in NAT Mode: The NAC agent is not supported, irrespective of Inband or OOB, because with VMware NAT mode all the VMs show up with the same IP and MAC addresses. Therefore, the different VMs cannot be differentiated for auth/posture purposes.
  • VMware in Bridge Mode (L2 separation between the images, different IP/MAC addresses):
    • The NAC agent is supported in Inband mode because unique IP and MAC addresses for the VMs can be obtained.
    • The NAC agent is not supported in OOB mode because OOB mode requires a restriction of one MAC address per switchport. Multiple MAC addresses behind a switchport are not supported with OOB. (IP Phones and PCs connected to the IP Phones are supported.)

The NAC agent is supported on VMware if these statements are true:

  • NAC is in Inband mode.
  • VMware is in bridged mode.

For all other modes, it is unsupported.

Q. The Cisco Clean Access Agent displays either the "SecureSmart is not available on the network" or "No SecureSmart Server found on the network" error message. I rebooted the Cisco Clean Access Server and worked around it for a while. How do I fix this?

A. This error is caused by the inability of the Cisco Clean Access Agent to communicate with the Cisco Clean Access Server through the SWISS protocol (the encrypted communication over UDP port 8905).

This can be due to:

  • Log files have grown too large.
    • Check to see if the Apache entries cause the logs to reach 2 GB in size. This issue is fixed in version 3.3.x and later.
  • The SS Certificate is invalid. If the certificate of the Clean Access Server is invalid/incorrect, then the HTTPS connection cannot be made properly. Verify that the certificate popup has the bottom two checks for a temporary certificate, or three checks for a CA-signed certificate.
  • The client time is incorrect. The time on the client machine can cause it to not trust the server certificate. For example, if the client time is set to a time that is earlier than the server time, the certificate time is in the future from the perspective of the client. Check the time on the Clean Access Server and ensure that the NTP protocol to a time server is allowed.
  • There are multiple network cards on the client machine. If the client machine has multiple cards, then it is possible that Windows uses the incorrect card to send the information. Disable the network card that is not in use in order to work around this issue.
  • Try to clear the cache on the Enforcer PC.
    • Issue the ipconfig /flushdns command at the command prompt, or
    • In Internet Explorer, under Tools > Internet Options > Advanced, deselect Check for server certificate revocation.
  • Network connectivity is not established.
    • Check to make sure that you have a proper IP address.
  • The local PC or machine can have some issue after a new installation of Cisco Clean Access Agent.
    • Reboot the PC. Issue the service perfigo restart command on the Clean Access Server.
  • Destination port 8905 on the Cisco Clean Access Server is blocked by a network firewall or a personal firewall.
    • Ensure that port 8905 is opened.
  • Third-party software interferes with Cisco Clean Access Agent. Try to disable such software to see if the Clean Access Agent works.
    • Try to turn off personal firewalls, disable VPN software, or disable spam blockers.
  • A software defect is identified and fixed in Cisco Clean Access Server 3.2.6.
    • Upgrade to Cisco Clean Access Manager and Cisco Clean Access Server 3.2.6.

Q. The Cisco Clean Access Agent receives the "Network Error" error message while it logs on. Why is this?

A. The Cisco Clean Access Agent shows this error when it is unable to communicate with the Cisco Clean Access Server using HTTPS. This can happen due to multiple reasons:

  • The SS Certificate is invalid. If the certificate of the Cisco Clean Access Server is invalid/incorrect, then the HTTPS connection cannot be made properly. Verify that the certificate popup has the bottom two checks for a temporary certificate, or three checks for a CA-signed certificate.
  • The client time is incorrect. The time on the client machine causes it to not trust the server certificate. For example, if the client time is set to a time that is earlier than the server time, the certificate time is in the future from the perspective of the client. Check the time on the Cisco Clean Access Server and ensure that the NTP protocol to a time server is allowed.
  • There are multiple network cards on the client machine. If the client machine has multiple cards, then it is possible that Windows uses the incorrect card to send the information. Disable the network card that is not in use in order to work around this problem.
  • Third-party software interferes with the Cisco Clean Access Agent and Cisco Clean Access Server communication. Software such as Cisco VPN Client, CheckPoint VPN Client, and personal firewalls can affect the communication.
    • Try to disable such software to see if the Cisco Clean Access Agent works.
  • Clear the cache.
    • Issue the ipconfig /flushdns command at the command prompt, or in Internet Explorer under Internet Options > Advanced, deselect Check for server certificate revocation.

Q. I have freshly installed the Windows 98 system. When I go to install the 3.2.0 Cisco Clean Access Agent client on the machine I get prompted to update the installer. However, as soon as the Cisco Clean Access Agent attempts to update the installer I get the "The provided instmsi upgrade executable 'C:Windows\Temporary Internet Files\Content.IE5\KXERWHYB\InstMSIA[2].exe' is invalid" error message. How do I fix this?

A. Install the full version of the Cisco Clean Access Agent 3.1.3 or 3.2.0 (greater than 5 Mb). Download it from the Perfigo Update Server.

Q. Who does the Cisco Clean Access Server try to communicate with when it connects using port 8905 as its source port?

A. The Cisco Clean Access Agent communicates with the Cisco Clean Access Server through the SWISS protocol using encrypted communication over UDP port 8905.

Q. I uploaded Cisco Clean Access Agent to my Cisco Clean Access Server. However, the Cisco Clean Access Server does not publish it. I get a message "Checking for the uploaded SmartEnforcer client file.... SmartEnforcer client file not found." How do I fix this?

A. Upload the .exe file, not the .zip file. Make sure to extract the .exe file from the zip folder before you upload it. Also, do not change the original .exe file name.

Q. How do I limit SSH access to the Cisco Clean Access Server?

A. Change the /etc/ssh/sshd_config file by adding a line similar to this one:

ListenAddress IP_address_of_where_you_want_ssh_to_allow_connections

For example:

ListenAddress 192.168.151.60 

Issue the service sshd restart command to restart the SSHD process.
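
The following shell function is an added example (not part of the original Cisco document) that audits an sshd_config file and reports which local addresses sshd will bind to. ListenAddress selects the server's own address to listen on, and sshd listens on all local addresses when no ListenAddress line is present; the function name listen_scope and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the ListenAddress scope of an sshd_config file.
# listen_scope FILE prints:
#   all                      no ListenAddress line, or a wildcard (0.0.0.0 or ::)
#   restricted:a1[,a2...]    sshd binds only to the listed local addresses
listen_scope() {
    awk '
        # Trim leading blanks and accept the "Keyword=value" form.
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        # Skip comments, blank lines and every other keyword
        # (sshd_config keywords are case-insensitive).
        /^#/ || NF < 2 { next }
        tolower($1) != "listenaddress" { next }
        {
            a = $2
            if (a ~ /^\[/) {                      # [address]:port
                sub(/^\[/, "", a); sub(/\].*$/, "", a)
            } else if (gsub(/:/, ":", a) == 1) {  # IPv4-or-host:port
                sub(/:.*$/, "", a)
            }
            if (a == "0.0.0.0" || a == "::") wild = 1
            list = (list == "" ? a : list "," a)
        }
        END {
            if (list == "" || wild) print "all"
            else print "restricted:" list
        }
    ' "$1"
}

# Constructed sample input: the example line from this FAQ plus one other directive.
sample=$(mktemp)
printf '%s\n' '# constructed sample sshd_config' \
    'Port 22' \
    'ListenAddress 192.168.151.60' > "$sample"
listen_scope "$sample"    # restricted:192.168.151.60
rm -f "$sample"
```

Running sshd -t after editing the file checks it for syntax errors before the service sshd restart command is issued.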

Q. How do I disable Clean Access Agent for Windows 98/95?

A. Under CleanMachines, uncheck Windows All and select each OS independently for Require Use of Clean Access Agent.


Updated: Feb 02, 2006