cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1481
Views
0
Helpful
4
Replies

ISE1.1 : Disable web agent download step for guest users

nicanor00
Level 1
Level 1

Hi

I use ISE 1.1.26

But I have a problem with guest laptops

Most guests do not have the administrator password account on their laptop, so they can not download and install the NAC Agent

Is it possible to disable this step for connecting guests : when the guests connects to the switch, it is redirected to the web portal, enter his login and password provided by the administrator and has access to the network (no need to be redirected to the download page for the NAC Agent)

Please if it is possible, how can I do?

Thank you.

Regards

4 Replies 4

aqjaved
Level 3
Level 3

Reference Material for Windows Cisco NAC Agent Installation and administrative Rights:

The Cisco NAC Agent provides local-machine Agent-based posture assessment and remediation for client machines. The Cisco NAC Agent is designed to provide user login capability on a wide range of Windows client machines, including clients running 64-bit operating systems, and offers "double-byte" support to enable native localization for a large variety of languages.

Users without administrator privileges upgrading their Windows client machine from an earlier version of the Clean Access Agent (version 4.5.1.0 or 4.1.8.0 and earlier) to the Cisco NAC Agent must have the CCAAgentStub.exe Agent Stub installed on the client machine to facilitate upgrade. (Users with administrator privileges do not need this file.) After successful Cisco NAC Agent installation, the user is not required to have administrator privileges on the client machine, nor is the CCAAgentStub.exe Agent Stub file needed.

After users log into the Cisco NAC Agent, the Agent gets the requirements configured for the user role/operating system from the Clean Access Server, checks for the required packages and sends a report back to the CAM (via the CAS). If requirements are met on the client, the user is allowed network access. If requirements are not met, the Agent presents a dialog to the user for each unmet requirement. The dialog (configured in the New Requirement form) provides the user with instructions and the action to take for the client machine to meet the requirement.

Cisco NAC Agent Download

This figure illustrates the general user sequence for the initial download and install of the Cisco NAC Agent, if the administrator has required use of the Agent for the user's role and OS.

Figure 11-1 Downloading the Cisco NAC Agent

The Cisco NAC Agent software is always included as part of the Clean Access Manager software. When the CAM is installed, the Agent Installation file is already present and automatically published from the CAM to the CASs. To distribute the Agent to clients, you simply require the use of the Agent in the CAM web console for the desired user role/operating system. Once downloaded and installed, the Agent performs checks on the client according the requirements you have configured in the CAM.

First-time users can download and install the Agent by opening a web browser to log into the network. If the user's login credentials associate the user to a role that requires the Agent, the user will be redirected to the Agent download page. After the Agent is downloaded and installed, the user is immediately prompted to log into the network using the Agent dialogs, and is scanned for requirements. After successfully meeting the requirements configured for the user's role and operating system and passing scanning (if enabled), the user is allowed access to the network.

For Reference or detail please visit the:

Link-1: http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/461/cam/m_webagt.html#wp1494107

Link-2:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/461/cam/m_agntd.html#wp1118918

Hi Ageel and thaks for your answer.

What is CCAAgentStub.exe ? do I need administrator privileges to install it on GUEST computer ?

Anyway, I would like to know if it possible to delete this step of download and install NAC WEB agent for the user GUEST

So when the guests connects to the switch, it is redirected to the web  portal, enter his login and password provided by the administrator and  has access to the network (no need to be redirected to the download page  for the NAC WEB Agent)

How can I configure it ?

Regards

What is CCAAgent

Users without administrator privileges upgrading their Windows client machine from an earlier version of the Clean Access Agent (version 4.5.1.0 or 4.1.8.0 and earlier) to the Cisco NAC Agent must have the CCAAgentStub.exe Agent Stub installed on the client machine to facilitate upgrade. (Users with administrator privileges do not need this file.) After successful Cisco NAC Agent installation, the user is not required to have administrator privileges on the client machine, nor is the CCAAgentStub.exe Agent Stub file needed.

Client-side Installation and Log-In

When users first log into a network that is managed by Cisco ISE and requires access via an agent, they are prompted to install temporal or persistent agents (as well as possible associated client provisioning Resources) on the client machine to facilitate network access, client posture assessment, and other Cisco ISE network services.

Note: To download agents and other client provisioning resources, users must have administrator privileges on

their client machines and the browser session through which they are attempting to log into Cisco ISE. In addition, to successfully install the agent, users will likely need to explicitly accept ActiveX or Java applet installer functions.

19-31

Client-side Installation and Log-In

Once the browser session from that client machine reaches the specified access portal, Cisco ISE prompts the user to download and install a persistent agent (like the Cisco NAC Agent or Mac OS X Agent) or temporal agent (like the Cisco NAC Web Agent). This figure shows a Cisco ISE welcome screen, prompting the user to download and install the Cisco NAC Agent on the client machine.

Once the user validates and accepts any certificate (or certificates) required to facilitate agent download and installation on the client machine, the ActiveX or Java applet installer process launches and provisions the agent installation package on the client machine.

Creating Guest Users:

This section shows you how to create guest user accounts through the Cisco ISE Admin portal. You can also create guest user accounts through the Sponsor portal, as a sponsor. For instructions on how to create guest users through the Sponsor portal.

Note When you create guest user accounts through the Admin portal (rather than the Sponsor portal) the users

are not automatically required to change their passwords after they first log in. Guests accounts created through the Sponsor portal automatically redirect the users to the Change Password page after they log in for the first time.

To create a guest account through the Admin portal, complete the following steps:

Step 1 In the Cisco ISE Admin user interface, choose Administration > Identity Management > Identities.

Step 2 In the Identities panel on the left, expand Users. Then in the right panel, click Add.

Step 3 In the Network Access User panel, do the following:

a. Enter a name for the account in the Name field.

b. Choose Enabled or Disabled, as desired. Enabled is selected by default.

c. Enter an Email address.

Step 4 In the Password panel, enter a Password for the account, and then Re-Enter Password.

Step 5 In the User Information panel, enter the First Name and Last Name of the user.

Step 6 In the Account Options panel, enter a Description for the account and check the Password Change check box if you want the user to change their password on the next login. Note If you do not check the Password Change check box, the user is not automatically redirected to the Change Password page on their next login.

Step 7 In the User Groups panel, choose Guest from the pop-up dialog, and then click Submit.

Please check the following link, it will definitely helpful for you.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/461/cam/m_webagt.html#wp1494107

Venkatesh Attuluri
Cisco Employee
Cisco Employee

Review this link for  Central Web Authentication with a Switch and Identity Services Engine Configuration Example

http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml