This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Missing NAC Assessment Agent Server

Missing NAC Assessment Agent Server

T_Pitch
New Contributor III

‎02-05-2019 01:56 PM

We've recently deployed the NAC Assessment Agent to all of our computers, but I only have two switches participating in NAC as a test.

So far, I've had 3 computers that are part of my NAC test lose the assessment agent server information. All 3 computers are connected to switches that I have NAC enabled, however I'm not experiencing this with computers connected to non-NAC enabled switches (which may be expected).

Has anyone else experienced this and if so what is the corrective action? I'm waiting on the logs to be emailed to me, I'll review/share those when I receive them.

e24d50e976624db989393fd03a326094_c886c1c3-3369-4708-8511-2952a7c6b093.png

0 Kudos
3 REPLIES 3

Rodney_Lacroix
Extreme Employee

‎02-05-2019 04:56 PM

I would double-check the preferences file after you push the msi to your clients via SCCM.

The agent name is typically named NacAgentService or NacAgentDissolve followed by "_ {ip of gateway }" and is typically downloaded from https://{ ip of gateway }/agent_download when downloaded by a client.

I misspoke earlier when I said that the preferences file was part of the MSI. The agent will use the NAME of the agent file to determine where it needs to first run the DISCOVERY portion of the installation. This will poll and populate the preferences file with the correct information (and updates it if it changes).

Make sure your MSI file that you are pushing out via SCCM is named that same as if you would manually download it from your Access Control Engine. If you are pushing the entire agent out as a package, then I would do the following:

1) Download the agent msi file from the url I've specified
2) Connect/scan
3) Use the updated preferences.xml file in your package contents.
0 Kudos

T_Pitch
New Contributor III

‎02-05-2019 04:00 PM

I downloaded the MSI from the web server of my NAC via the following URL:

https://###.###.###.###:8444/Admin/downloads/NacAgentInstall_###.###.###.###.msi

My initial install was manually, but I pushed this to everyone via SCCM. I'm not certain if the MSI was customized with the IP of my NAC, but it got installed with the correct IP.

I wasn't aware of the READ/WRITE requirement on the folder mentioned, but I did check and my user account does have access.
0 Kudos

Rodney_Lacroix
Extreme Employee

‎02-05-2019 02:07 PM

The order of preferred Access Control Engines is stored within the msi/dmg file that is downloaded from the gateway(s). If you have an engine group of one or more engines, the IP and/or FQDNs of those engines are packaged within a preferences.xml file when the agent is installed.

If you're deploying the agent differently, you may need to manually edit the preferences.xml file on each individual installation.

The preferences.xml file will include up to 3 "Discovery Servers." You can find the file on Windows machines usually under C:\Users\All Users\NAC Assessment Agent. Check the "Discovery Server" (and/or Manual Host) entries to make sure they are correct.

Additionally, whatever user is logged in will need READ (and typically WRITE) access to the same directory, as information on last connection status, etc., need to be written to that file as well.
0 Kudos
GTM-P2G8KFN