I have implemented Cisco NAC for remote VPN users. As part of this they go through 3 checks:
1. Antivirus installation check
2. Antivirus definition check
3. File check
I have configured the definition check to remediate via internal update servers if 30 days or more out of date.
The issue I'm seeing is that the end user recieves the following Cisco Agent error during the remediation process (while in the temporary role):
"The remediation you are attempting is reporting an access denied error. This is usually due to a privilege issue. Please contact your system administrator."
The definition update happens in the background though (I have allowed the required access through the NAC server) and once complete places the user in the correct role. Therefore It's no so much an issue, just a misleading message displayed to the user.
Has anyone seen this before or know where this is configure?
Can you please post an agent log file from an affected machine?
If it's 4.7, it would be just running the Cisco Log Packager utility from the Start -> Programs menu.
I also have same problem. we are using symantec endpoint 11. though user has full administrative right on the workstation it doesn't have a privilege to update the virus definition, manual definition update option has been disabled by antivirus server configuration. for the successful remediation, does user needs to have manual update privilege?
If the AV server has the update options disabled, I don't think NAC can do anything here. You'll have to work with the AV server's admin to ensure that your users can do manual update of their AV, if need be.
my problem is when NAC try to remediate the client it is getting error message (images are attached). That means if user doesn't have a privilege to udpate the antivirus, NAC agent also can not do the remediation process am I right?
The screenshots suggest you have a newer version of the agent running. This agent should have been installed as an administrator. If it wasn't then you would see the privilege problems.
Can you please verify whether the agent was installed as an admin? If not, can you install it as one and try your test again?
this agent has been installed via centrally, pushing from the software deployement server. and we have to install to all computers (aobut 1500) by same way. int this scenario, its not easy to install the agent with administrative privilege on the all pcs. so, which version of nac agent should I use to eliminate this problem?
I am still having this problem.
Even though the agent displays that error message, the AV still updates in the background. The problem then is that the agent fails to realise that the definitions are then fully up to date and does not re-check posture automaticly. therefore i am having to disconnect and re-connect the network cable for the agent to realise that I am not fully compliant.
Is there anything that i can do to make this posture / remediation process, automatic and seemless?
I have the same problem. My users get redirected to a web page with a link to install the NAC agent, this installation used to fail. So I made the user an admin on his own machine.
The installation now succeeds, so the agent is being installed as a Local Admin, however I still get the exact same error above.
Currently my ISE is handing out agent version 184.108.40.206
Any help appreciated.