Cisco ISE Vs Cisco Anyconnect Posture module with Advanced Endpoint Protection

We are planning to use the Cisco AnyConnect posture module with Adv Endpoint protection to examine the VPN users. This can check whether they have antivirus/anti-spyware software installed on their workstation and can force an update of the def file if it's older than a specified number of days; it can also check the firewall status on their workstation and enable it if it's not already. This can detect keylogger and emulation software also.
Do we get any additional advantages in using ISE compared to the AnyConnect posture module?
Siddhartha

These are good questions. We had them last year before we decided to purchase ISE, specifically for our VPN users.
I will be watching this thread to see what kind of responses you get.
As of right now, I can verify that ISE can indeed check if a specific antivirus is installed (i.e., your corporate antivirus), or if ANY antivirus (supported by Cisco within ISE) is installed, and it can force an update process for the AV if it detects that the DAT files are older than an admin-specified amount of time.
Our issue at the moment (if you haven't searched the forums) is ISE detecting that the proper WSUS updates are indeed installed on the users' systems and allowing the users' systems to talk to our internal WSUS server.
We are now wondering if the Advanced Endpoint licensing on the ASA would have been a better way to go.
Wishing you luck in finding your answers for us all.
Dirk

Similar Messages

  • I can't print with symantec endpoint protection

    I can't print with symantec endpoint protection.
    I have to disable the firewall, or reboot my windows 7 computer for the print job to print.  Any ideas what is blocking the printing process and how do I allow so I can print using my HP P2033dn that is connected via ethernet to my time capsule.  Thanks

    In the meanwhile I detected the problem. I made a new user account in Windows and now it works correctly. So it isn't a Photoshop problem but probably a register error. I have to find out further. Thanks for your reaction.

  • Problem with Symantec Endpoint protection and iCloud

    iCloud does not function on my PC with Symantec Endpoint Protection. I think it is the stopping of Auto-run that is the problem, but I don't know how to solve this

    Hi Xung,
    Can you elaborate on what you are trying to achieve and what is being blocked?
    Is it TMG not getting updated?
    Client is unable to get live update from internet?
    SEPM manager unable to get updates?
    Can you do a logging and share the screenshot of the traffic getting blocked?
    If TMG is unable to get updates then allow the below
    From : Localhost
    To : SEPM / GUP servers
    Port : 2967 - Outbound and 8014 Outbound
    Allow for All Users

  • Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling

    Hi All,
    We are running a Cisco ISE box on version 1.2.1, wherein I am facing the below issues during deployment. We have two ISE boxes, where one box acts as Primary Admin, Secondary MNT and Policy Service and the second box acts as Secondary Admin, Primary MNT and Policy Service.
    1) Profiling of endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, wherein I have enabled the below probes in ISE for profiling:
    RADIUS Probe
    SNMP Probe
    SNMP Trap
    HTTP Probe and DNS
    2) AnyConnect issue - We are using AnyConnect supplicant 3.0.11042 for wired and wireless user profiles on Windows 7 Enterprise 32-bit machines.
    - Yellow mark issue - Once authentication and posturing are completed, we get a yellow mark on the network drive, but we are still able to connect to the network.
    - Network Map Drive issue - Once authentication and posturing are completed, we get a red cross mark on the network mapped drive, and if we double-click on that drive then it becomes accessible and the red mark turns green.
    For that we have already allowed IP-level access to all domain in the before-logon dACL (machine authentication).
    It would be really great if anyone can help me with the same.
    Thanks & Regards
    Pranav

    Hi Pablo,
    Please find below solutions
    Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is by default disabled on Windows XP and Windows 8.X operating systems. This is only enabled by default on Windows 7 and Windows Vista operating systems.
    Network Map Drive issue - Create a logon script and deploy it using group policy. The script will check full network connectivity and then map network drives.
    Regards
    Pranav
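
The logon-script approach from the reply above, sketched in PowerShell as an added example that is not part of the thread: it waits until the file server accepts connections on TCP 445 (SMB) and only then maps the drives. The server name, share paths, drive letters and timeouts are hypothetical placeholders.

```powershell
# Added example (not from the thread). All names and values below are hypothetical.
$FileServer = 'fileserver.example.local'
$DriveMap   = @{
    'H:' = '\\fileserver.example.local\home'
    'S:' = '\\fileserver.example.local\shared'
}
$TimeoutSec = 120   # give up after this long
$RetryDelay = 5     # seconds between connectivity probes

# Returns $true if a TCP connection to the host/port succeeds within the timeout.
# A TCP probe is used instead of ping because the access list applied to the
# session may permit ICMP while still blocking SMB, or the reverse.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false      # DNS failure, connection refused, reset, ...
    } finally {
        $client.Close()
    }
}

# Wait for full connectivity to the file server before touching the drives.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
$ready = $false
while ((Get-Date) -lt $deadline) {
    if (Test-TcpPort -HostName $FileServer -Port 445) { $ready = $true; break }
    Start-Sleep -Seconds $RetryDelay
}

if (-not $ready) {
    Write-Warning "File server $FileServer not reachable on TCP 445 after $TimeoutSec s; drives not mapped."
    exit 1
}

foreach ($letter in $DriveMap.Keys) {
    # Drop any stale (disconnected) mapping first, then map fresh.
    & net.exe use $letter /delete /y 2>$null | Out-Null
    & net.exe use $letter $DriveMap[$letter] /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Mapping $letter failed (net use exit code $LASTEXITCODE)."
    }
}
```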

  • Cisco Anyconnect 3.X and Symantec Endpoint Protection(SEP11)

    We are currently using Cisco Anyconnect ver 3.0.3050 with SEP11. Some users are getting a Port Scan Attack message from SEP11. Never saw this when using our previous Nortel VPN client. Has anyone seen this before?

    Try adding an Application exception to your SEP policy.
    Creating Centralized Exceptions Policies in the Symantec Endpoint Protection Manager 11
    http://www.symantec.com/business/support/index?page=content&id=TECH104326&locale=en_US

  • Cisco ISE 1.2 Guest Portal customization with vWLC redirect

    Hello Support Community,
    we have a problem regarding customized web authentication on ISE 1.2 with Package ISE12CustomPortalPackage-v4.zip. We have a Virtual Wireless Controller where we do a redirect to ISE. When we use the default guest portal on https://x.x.x.x:8443/guestportal/Login.action, authentication and authorization work fine. When we do a redirect to the Cisco templates on https://x.x.x.x:8443/guestportal/portals/example/Login.html, the customized login page is displayed and after correct authentication the guest successful page is displayed, but we can't go to any webserver although ISE shows authentication and authorization as successful. When we try to reach a webserver after successful authentication we get redirected to the customized login site. The Virtual Wireless Controller shows the client as "Webauth Required" after successful authentication. Central Web Authentication isn't possible because we have a different AAA Server for 802.1X and only use wired guest access on a particular VLAN from the WLC. Are there any known issues regarding the customization template or is there something wrong regarding our redirect?
    I hope somebody can help us.
    Best Regards
    Benjamin

    Hello Neno,
    1. I attached screenshots below.
    2. There is nothing related to this client.
    3. I attached Debug below.
    We are currently using MAB on our switches as a fallback to our 802.1X on our wired access. Order and Priority currently is 802.1X/MAB/Auth-Fail-VLAN. CWA is based on a failed MAC-Authentication which leads to an Authorization Profile to permit access with Webauth.
    If you configure Wired guest access on WLC there isn't a possibility to configure MAC-Authentication.
    CWA on our switches isn't possible because we are currently using failed MAC-Authentication to direct clients to our Auth-Fail-VLAN which has restricted access secured by SVI-ACL which allows us HTTP Access to printers (manual Cert Deployment) and automated Cert enrollment to our computers.
    Best Regards
    Benjamin

  • [cisco VPN] Can't build kernel module with 2.6.9-ARCH

    I need to set up a VPN tunnel to my university in order to gain access to their resources and be able to surf when I am on the campus. With 2.6.8.1 I used the Cisco VPN client 4.0.5 k9. After my upgrade to 2.6.9 I had to rebuild the module, but now it fails to build. Does anyone know how to solve this? Or does anyone know another VPN client that is compatible with Cisco? This piece of software is essential to me. Please help. Here is the output:
    Cisco Systems VPN Client Version 4.0.5 (Rel) Linux Installer
    Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.
    By installing this product you agree that you have read the
    license.txt file (The VPN Client license) and will comply with
    its terms.
    Directory where binaries will be installed [/usr/local/bin] /usr/bin
    Automatically start the VPN service at boot time [yes] no
    In order to build the VPN kernel module, you must have the
    kernel headers for the version of the kernel you are running.
    For RedHat 6.x users these files are installed in /usr/src/linux by default
    For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by default
    For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE by default
    Directory containing linux kernel source code [/lib/modules/2.6.9-ARCH/build]
    * Binaries will be installed in "/usr/bin".
    * Modules will be installed in "/lib/modules/2.6.9-ARCH/CiscoVPN".
    * The VPN service will *NOT* be started automatically at boot time.
    * Kernel source from "/lib/modules/2.6.9-ARCH/build" will be used to build the module.
    Is the above correct [y] y
    Making module
    make -C /lib/modules/2.6.9-ARCH/build SUBDIRS=/home/luk/sources/vpnclient modules
    make[1]: Entering directory `/usr/src/linux-2.6.9-ARCH'
    CC [M] /home/luk/sources/vpnclient/interceptor.o
    /home/luk/sources/vpnclient/interceptor.c: In function `add_netdev':
    /home/luk/sources/vpnclient/interceptor.c:59: sorry, unimplemented: inlining failed in call to 'supported_device': function body not available
    /home/luk/sources/vpnclient/interceptor.c:245: sorry, unimplemented: called from here
    make[2]: *** [/home/luk/sources/vpnclient/interceptor.o] Error 1
    make[1]: *** [_module_/home/luk/sources/vpnclient] Error 2
    make[1]: Leaving directory `/usr/src/linux-2.6.9-ARCH'
    make: *** [default] Error 2
    Failed to make module "cisco_ipsec.ko".

    I modified the pkgbuild posted here by someone (thank you!) so it includes all relevant files (meaning also vpnc-connect and vpnc-disconnect and vpnc.conf).
    pkgname=vpnc
    pkgver=0.2
    pkgrel=1
    pkgdesc="Client for Cisco3000 VPN Concentrator"
    url="http://www.unix-ag.uni-kl.de/~massar/vpnc/"
    license="GPL"
    depends=(libgcrypt)
    source=(http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.2-rm+zomb.1.tar.gz)
    md5sums=(ded67de747874c4245ed8405146dc94a)
    build() {
      cd $startdir/src/vpnc-0.2-rm+zomb.1
      # We want the CFLAGS specified in makepkg.conf to be used
      mv Makefile Makefile.old
      sed -e 's/-W -Wall -O -g/$(MYCFLAGS)/g' -e 's/LDFLAGS=-g /LDFLAGS=/g' Makefile.old > Makefile
      export MYCFLAGS=$CFLAGS
      make
      # Install the binary and helper scripts
      install -d $startdir/pkg/usr/sbin
      install vpnc $startdir/pkg/usr/sbin
      install vpnc-connect $startdir/pkg/usr/sbin
      install vpnc-disconnect $startdir/pkg/usr/sbin
      # Install the default configuration file
      install -d $startdir/pkg/etc
      install vpnc.conf $startdir/pkg/etc
    }
    Guess what, it works
    I can reproduce my steps.
    - makepkg
    - pacman -A vpnc-xxxxxx.tar.gz
    - add tun to the daemons array in rc.conf
    - Modify /etc/vpnc.conf
    - vpnc-connect

  • Issue with Symantec EndPoint Protection 11.0

    I am experiencing the exact issue in this article on Symantec's KB:
    http://tinyurl.com/5x6fay
    Can someone at Lenovo please acknowledge this issue (confirm or deny) and let me know how to resolve this without disabling the security features I paid for on this new T400?
    Thank you.
    Michael Reinders

    Ask in a Symantec forum how to configure your software correctly. Your Symantec software blocks LAN access and should be configured to allow it. The E2000 has nothing to do with that.

  • Cisco ISE - Posturing of a Linux Endpoint - Is it possible?

    We have a customer who wants to implement Cisco ISE and one of their requests is to posture Linux endpoints in addition to Windows endpoints.
    They have a set of system checks that they perform on Linux machines (catered towards RedHat) which they would like to be performed by ISE.
    From what I knew prior to researching this request, the NAC agent is only compatible with endpoints running Windows or Mac OSX.
    Digging around, Linux endpoints are postured with a 'default-posture' status and thus an accompanying authorization profile must be set for 'default-posture'. I can't seem to find how to perform file checks, service checks, etc. on a Linux endpoint. Are these types of checks possible with Cisco ISE posture assessment on a Linux endpoint?
    One item that I found is to use the Host Scan package within the AnyConnect Posture module on a Linux endpoint.
    I see this as defeating the purpose of centralizing posturing on the ISE since the AnyConnect and ASA will be doing the posture checking.
    Any thoughts? Thanks in advance.

    Hello Alberto, posture assessment is not yet supported with ISE/AnyConnect. For more info check out the posture section in the ISE 1.3 Admin Guide:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010111.html
    Thank you for rating helpful posts!

  • Cisco ISE posture requirements whats the ordering of requirements?

    Hi Everyone,
    I am in the middle of deploying the AnyConnect posture module (AC 4.0) with ISE 1.3. I have a problem with the order in which the posture requirements get checked: it does not seem to order the requirements alphabetically, and I can't figure out how to make it check for certain things before other things. An example:
    I have Symantec SEP 12.1 AV in this environment, and I have the following checks:
    - AV_installed : is the AV agent installed? If not, start installation from a network share
    - AV_started : is the AV agent started? If not, try to start the service
    - AV_uptodate : are the AV definitions up to date? If not, start the update function in the AV client
    Now this is the order it needs to be checked in, as it would fail if I tried to check if the AV is running before I check if it's actually installed, but I can't get posture to do that. Going on the names of the rules, these should alphabetically be run in the order I have, but they are not.
    Any ideas? The documentation for posture is lacking, to be polite; I have not been able to find anything describing this process.

    Abhishek,
    This is possible, please use this link for reference:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_pos_pol.html#wp1922448
    Your AV vendor will have to be supported based on the release notes:
    http://www.cisco.com/en/US/docs/security/ise/ComplianceModule/win-avas-3_5_1549_2.pdf
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Cisco ISE posture assessment and client provisioning

    Hello,
    I have Cisco ISE and a Cisco IOS device. I have configured RADIUS between these devices.
    Also I have configured RADIUS between Cisco ISE and Cisco ASA. Now I want to know how to do posture assessment for these devices (Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me the whole steps to do posture assessment for a Cisco IOS device in Cisco ISE.
    Also, please provide me logs related to posture assessment and client provisioning.
    Thanks in advance.

    You may go through the below listed link to download a PDF link
    Posture assessment with ISE.
    http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Posture setup in Cisco ISE

    Dears
    I am trying to configure the posture for the ISE but the result is always "Posture status: pending" and the agent can access all network resources without any problem.
    Please help

    Please review the below steps:
    Step 1 Choose Administration > System > Deployment > Deployment.
    The Deployment navigation menu appears. Use the Table view or the List view button to display the nodes in your deployment.
    Step 2 Click the Table view.
    Step 3 Click the quick picker (right arrow) icon to view the nodes that are registered in your deployment.
    The Table view displays all the nodes that are registered in a row format in the Deployment Nodes page. The Deployment Nodes page displays the Cisco ISE nodes that you have registered along with their names, personas, roles, and the replication status for the secondary nodes in your deployment.
    Step 4 Choose a Cisco ISE node from the Deployment Nodes page.
    Note: If you have more than one node that is registered in a distributed deployment, all the nodes that you have registered appear in the Deployment Nodes page, apart from the primary node. You have the option to configure each node as a Cisco ISE node (Administration, Policy Service, and Monitoring personas) or an Inline Posture node.
    Step 5 Click Edit.
    The Edit Node page appears. This page contains the General settings tab that is used to configure the Cisco ISE deployment. This page also features the Profiling Configuration tab, which is used to configure the probes on each node.
    Note: If you have the Policy Service persona disabled, or if enabled but the Enable Profiler services option is not selected, then the Cisco ISE administrator user interface does not display the Profiling Configuration tab. If you have the Policy Service persona disabled on any Cisco ISE node, Cisco ISE displays only the General settings tab. It does not display the Profiling Configuration tab that prevents you from configuring the probes on the node.
    Step 6 On the General settings tab, check the Policy Service check box, if it is already active.
    If the Policy Service check box is unchecked, both the session services and the Profiler service check boxes are disabled.
    Step 7 For the Policy Service persona to run the Network Access, Posture, Guest, and Client Provisioning session services, check the Enable Session Services check box, if it is not already active. To stop the session services, uncheck the Enable Session Services check box.
    The posture service only runs on Cisco ISE nodes that assume the Policy Service persona and does not run on Cisco ISE nodes that assume the administration and monitoring personas in a distributed deployment.
    Step 8 Click Save to save the node configuration.

  • Cisco ip phones authenticate 802.1x with cisco ise 1.3

    Dear all,
    I want to configure Cisco ISE 1.3 with 802.1X to authenticate Cisco IP phones (CUCM 10.5.2) with an LSC certificate.
    How do I have to configure Cisco ISE authentication rules for 802.1X with Cisco IP phones? Are there any configuration examples?
    Thanks

    Following are ISE 802.1X sample authentication rules. You can change the protocol (Policy -> Policy Elements -> Results -> Authentication, and you can select the protocol).

  • Afaria 7 SP3 integration with Cisco ISE

    Hi,
    I am trying to find the configuration procedure that is needed for Afaria MDM to integrate with Cisco ISE 1.2.
    1. What service should be installed/enabled?
    2. Which port or service path (<IP:port/abc/xyz?>) it will listen for the communication from Cisco ISE?
    3. Cisco ISE uses REST API to communicate with Afaria. Does this require REST API installation or service activation?
    4. What type certificates are supported in Afaria for this integration.
    5. Anything that related to this topic.
    Appreciate if someone can provide the configuration procedure or any information possible.
    Regards,
    Mudasir Abbas

    From the user guide it seems that LDAP only allows you to strip the prefix/suffix and can't add the suffix.
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1054421
    Strip start of subject name up to the last occurrence of the separator
    Strip end of subject name from the first occurrence of the separator
    Regards,
    Jatin
    Do rate helpful posts-

  • CiscoSystems AnyConnect VPN Client 3.0.3054 Posture module

    Hello,
    I have a problem installing the posture module of the AnyConnect VPN Client. During the installation I get an error:
    "Product: Cisco AnyConnect Posture Module -- Error 1335. The cabinet file 'disk1.cab' required for this installation is corrupt and cannot be used. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package."
    I found out that this error appears when I'm installing from a local copy of the files from the ISO. If the installation is from a virtual drive it installs fine.
    I need to install the client for multiple users so I have to use the source out of the ISO.
    Is there a way to install this module from HDD?
    Thanks in advance!
    Iliyan

    Thanks for your reply.
    The problem was because of a broken source.
    I downloaded it from another location and everything is fine now.
    The discussion can be closed.
