11-39
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 11 Monitoring and Troubleshooting Agent Sessions
Agent Troubleshooting
To Troubleshoot L2 Deployments:
1. Make sure the client machine can get a correct IP address. Open a command tool (Start > Run > cmd)
and type ipconfig or ipconfig /all to check the client IP address information.
2. If necessary, type ipconfig /release, then ipconfig /renew to reset the DHCP lease for the client.
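The check in step 1 can be scripted over saved ipconfig /all output. The following is an added example, not part of the Cisco guide; the sample output is constructed, and treating a "correct" address as a non-APIPA IPv4 address with a default gateway and DNS servers is this example's assumption.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE = """\
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.10.20(Preferred)
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.20.15(Preferred)
   Default Gateway . . . . . . . . . : 10.10.20.1
   DNS Servers . . . . . . . . . . . : 10.10.20.1
"""

# "Key . . . . : value" lines; the key stops before the dotted leader.
FIELD = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*)$")

def parse_adapters(text):
    """Return {adapter name: {field: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line and not line[0].isspace() and line.endswith(":"):
            current = adapters.setdefault(line[:-1], {})
        elif current is not None and (m := FIELD.match(line)):
            # Drop suffixes such as "(Preferred)" from the value.
            current[m.group(1)] = m.group(2).split("(")[0].strip()
    return adapters

def check_adapter(fields):
    """List addressing problems for one adapter (checks are assumptions)."""
    problems = []
    addr = next((v for k, v in fields.items()
                 if re.search(r"IP(v4)? Address$", k) and v), None)
    if addr is None:
        problems.append("no IPv4 address")
    elif ipaddress.ip_address(addr).is_link_local:
        # 169.254.0.0/16 is self-assigned when no DHCP server answers.
        problems.append(f"APIPA address {addr}: no DHCP lease")
    if not fields.get("Default Gateway"):
        problems.append("no default gateway")
    if not fields.get("DNS Servers"):
        problems.append("no DNS servers")
    return problems

if __name__ == "__main__":
    for name, fields in parse_adapters(SAMPLE).items():
        print(name, "->", check_adapter(fields) or "OK")
```

An adapter flagged with an APIPA address is the case where step 2 (ipconfig /release, then ipconfig /renew) applies.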
To Troubleshoot L3 Deployments:
1. Check whether the Discovery Host field is set to the IP address of the CAM itself under Device
Management > Clean Access > Clean Access Agent > Installation | Discovery Host. This field
must be the address of a device on the trusted side and cannot be the address of the CAS.
2. Uninstall the Agent from the client machine.
3. Change the Discovery Host field to the IP address of the CAM and click Update.
4. Reboot the CAS.
5. Re-download and re-install the Agent on the client.
Note: The Login option on the Agent is correctly disabled (greyed out) in the following cases:
• For OOB deployments, the Agent user is already logged in through the CAS and the client port is
on the Access VLAN.
• For multi-hop L3 deployments, Single Sign-On (SSO) has been enabled and the user has already
authenticated through the VPN concentrator (therefore is already automatically logged into Cisco
NAC Appliance).
• MAC address-based authentication is configured for the machine of this user and therefore no user
login is required.
Client Cannot Connect (Traffic Policy Related)
The following errors can indicate DNS, proxy or network traffic policy related issues:
• User can log in via the Agent, but cannot access web pages or the Internet after login.
• User cannot access the web login page without typing in https://<CAS_IP_address> as the URL.
To troubleshoot these issues:
• Verify and/or change the DNS Servers setting on the CAS (under Device Management > CCA Servers
> Manage <CAS_IP> > Network > DNS).
• If enabling the CAS as a DHCP server, verify and/or change the DNS Servers field for the Subnet
List (under Device Management > CCA Servers > Manage <CAS_IP> > Network > DHCP >
Subnet List > List | Edit).
• If remediation sites cannot be reached after login, verify default host policies (Allowed Hosts) are
enabled for the Temporary role (under User Management > User Roles > Traffic Control > Host).
• If using a proxy server, make sure a traffic policy allowing HTTP traffic to the proxy server is
enabled for the Temporary role. Verify the proxy is correctly set in the browser (from IE go to Tools
> Internet Options > Connections > LAN Settings | Proxy server).
See Troubleshooting Host-Based Policies, page 8-29 for additional details.