Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2449
Views
0
Helpful
9
Replies

ISE - Can't install Web Agent

lhviet001
Level 1
Level 1

‎09-08-2014 01:41 AM - edited ‎03-10-2019 10:00 PM

Dear guys,

 

I have problem in my lab case like sequence below:

  • A guest access into internal network, then will be redirect to Guest Portal.
  • A guest log in successfully using credential (was created by sponsor account)
  • Then, "Client Provisioning" process starts. Base on Client Provisioning policy with OS: Windows 8, guest session will be apply on Web Agent.
  • Then Web Agent install and check status process starts. But, in this phase. I got a error like this:
    • In Chrome & FF browser: "You will not be allowed to access the network due to internal error. please contact your administrator"
    • In IE browser:
  1. "You will not be allowed to access the network due to internal error. please contact your administrator"
  2. "Your login session failed! (status = 36) You will have limited network connectivity. Please try disconnecting and reconnecting to the network to start a new connection (or) contact your system administrator if the problem persists"

In addition:

  • I imported certificated (was signed by AD Root CA) into Local Certificates.
  • I imported AD Root certificated into Certificate Store.

I will be grateful for any help you can provide.

Have a nice day !

 

 

 

 

 

2 people had this problem
Labels:
web_agent_error.zip
0 Helpful
9 Replies 9

mohanak
Cisco Employee
Cisco Employee

‎09-08-2014 09:08 AM

Web agent should handle cert. revocation dialog box similar to Win agent
CSCsl40626
 
Description

Symptom:
Revocation failed dialog box keeps popping up on client machine despite of clicking "Yes" button

Conditions:
This issue is seen on the client machine performing login either using Windows agent or NAC web agent. The issue happens when the Clean Access Server (CAS) certificate root CA is not listed in the trusted store on the client machine. The issue is known to be reproducible on all flavors of Win XP & Win Vista using Windows or NAC web agent

Workaround:

Try selecting Yes. If this does not work you can turn off the security certificates revocation check by changing the options in Internet Explorer IE.

Use the following procedure to change the option in IE:

1. Launch IE
2. From the tool bar, select Tools then Internet Options
3. Select the Advanced tab
4. In the Security section, un-check the option "Check for server certificate revocation"
5. Click on the Apply button
6. Click on the OK button
7. Close IE
8. Try the web login again

 

Product:
Cisco NAC Appliance (Clean Access)

Known Affected Releases:
(1)
4.1(3.6)
0 Helpful

lhviet001
Level 1
Level 1
In response to mohanak

‎09-08-2014 07:20 PM

Dear mohanak,

 

Thank you for your help.

But i have already configured the option "Check for server certificate revocation". The error stil happens.

In addition, my product is Cisco ISE.

 

Thanks !

 

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee
In response to lhviet001

‎09-16-2014 04:00 AM

What version of web / NAC agent is this ?  Please try upload the NAC agent from local machine and see of the problem solved. We need to exclude any corruption while uploading the agent to ISE.

 

0 Helpful

Rui Evora
Level 1
Level 1
In response to Venkatesh Attuluri

‎10-09-2014 02:58 PM

Hi;

 

Are you using the hostname identical to the canonical name that you have in the certificate?

If the CN of the certificate is CN=isepsn01.cisco.com you shoul be using a redirect URL  like, 

http://isepsn01.cisco.com:8443 and not http://10.1.1.1 .

 

Regards; 

0 Helpful

lhviet001
Level 1
Level 1
In response to mohanak

‎09-16-2014 12:56 AM

Dear mohanak,

 

When guest access to guest portal for installing web agent. I got a error like this :

  • -3 "there was an error running the web agent"

Base on "Table 11-4 Java Server Page Status Codes from ActiveX Control or Java Downloader Applet " at link : "http://www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/49/cam/49cam-book/m_report.html#wpxref71558"

 

Anyone got this error ? How i can debug and reslove this error ?

My current ISE version: 1.2.1.198 patch 1.

 

I will be grateful for any help you can provide.

I would greatly appreciate any help you can give me in working this problem

0 Helpful

Rui Evora
Level 1
Level 1
In response to mohanak

‎10-09-2014 02:56 PM

Hi;

 

Are you using the hostname identical to the canonical name that you have in the certificate?

If the CN of the certificate is CN=isepsn01.cisco.com you shoul be using a redirect URL  like, 

http://isepsn01.cisco.com:8443 and not http://10.1.1.1 .

 

Regards; 

0 Helpful

Saurav Lodh
Level 7
Level 7

‎09-18-2014 07:11 PM

This could be bug

0 Helpful

cisco
Level 1
Level 1

‎05-08-2015 01:23 AM

Check the ACL or dACL for the switch OR the ACL on wireless LAN controller, when the Post status on ISE is "Pending".

You need to allow tcp/8443, udp/8905 and tcp/8905 traffic to the IP address of ISE.

 

TCP/8443 is for the web-redirection

UDP/8905 + TCP/8905 is for posture (NAC)

 

This should solve the issue, hopefully ;-)

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎05-13-2015 04:11 AM

your redirection acl should look something like this

 

0 Helpful
li.common.scroll-to.top