Just a comment, When we rolled out L3 OOB we used SMS (actually SCCM) to push the Agent out. V4.1.3 of the agent. I packaged it and the stub. Configured the advert to run the agent stub first as a requirement. So far very few problems. All problems were corrected by uninstalling and forcing SMS to run the install again (this probably indicates user did something during install).
---- -----Original Message----- From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Sichel Sent: Thursday, August 28, 2008 12:16 PM To: [email protected] Subject: Have Experience with the Stub agent ? DO I EVER!!! Basically it says that I do not have sufficient privileges to install the Agent for all users of the machine. Can anyone shed some light for me? Thanks in advance. Brian Beausoleil - Network Administrator Office of Information Technology SOUTHERN CT STATE UNIVERSITY I have been working on this for over a month with TAC. It appears, but has not been POSITIVELY established, that there is a bug that may be related to either the cert used or the particular executable. I am conducting some (hopefully) final tests today. Having said that, here are a few gotchas to check. These all apply to Windows, I have no idea how to deal with this on Mac or Linux/BSD. Stub agent ONLY works with executables, no batch files allowed. My TAC guy did not know if an executable called by an executable would work or if a script called by an executable would work. The executable must be signed with a code signing cert with a proper chain of certs. You must use an exact version of code signing executable from Microsoft to keep Cisco happy. I do not know if it REALLY matters, but TAC can give you a link to the "sanctioned" version. Cisco admits that instructions are " a little vague" on this, however TAC has a great PDF that makes it pretty easy and painless. The root cert must be installed on the client machine as well as the code signing cert, and it must be in the Trusted Root Certification Authority on Windows. And here's the one that TOTALLY got me, YOU MUST CREATE A REGISTRY KEY THAT IS PARTICULAR TO THE EXECUTABLE BEING RUN IN ADDITION TO INSTALLING THE CERT! Whoops, I totally missed this one and in case you did too, get the PDF from TAC, it explains (more or less) how to create the registry key that you need. If you do those things, have exactly the right executable, it works great. If the wind is from the southwest however, or Clean Access dislikes your executable (Heaven knows why) your pretty stuck. I am using a compiled scripting language AutoIt3 which is a gift from above for Clean Access in a Windows environment, but the compiled code, which is a self running exe file, fails utterly. The Spybot installer however, for instance, works fine. Go figure. Anyway hope all this helps. Good luck storming the castle. Daniel Sichel, CCNP, MCSE,MCSA,MCTS (Windows 2008) Network Engineer Ponderosa Telephone (559) 868-6367
