Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

Hi,
I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
Please, give me some advice.
Thanks in advance,
Mladen

Thanks for the reply, but I am still a bit confused (would you please try to answer the questions?):
1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
I refer to
"Implementing Network Admission Control Phase One Configuration and Deployment";
"Network Admission Control Software Configuration Guide - Information About Network Admission Control".
Thanks in advance,
Mladen

Similar Messages

  • Cisco Nac agent "List of Antivirus & Anti-Spyware Products Detected by the Agent "

    Hi All,
    We have posture assessment working with the Cisco NAC agent, checking only the Symantec Antivirus definition update and installation. Windows Defender is present on all the user PCs but is turned off and not in use. However, the Cisco NAC agent is showing both Windows Defender and Symantec in the "List of Antivirus & Anti-Spyware Products Detected by the Agent" field. We don't want Windows Defender to show in this list.
    Has anyone encountered this before? Please suggest a solution. I want to get rid of Windows Defender from this list in the NAC agent.

    Closest enhancement I could check on this is
    CSCts34764    NAC: Request for ANY rule to pass if 1 AS/AV definition is up to date
    Currently Windows Defender AntiSpyware comes installed on all Windows 7 machines. Many users disable this and install their own AntiSpyware product. Currently when using the ANY AntiSpyware up to date rule, it will fail if say MSE is up to date but not Windows Defender (since it is disabled).
    This is an enhancement request to add the ability to pass the ANY check if 1 AntiSpyware or AntiVirus definition is up to date but another is installed and out of date.  Currently if a customer wants to accomplish this they need to create a rule for every AntiVirus or AntiSpyware product and use the "Any Selected Rule Succeeds" option which is very cumbersome to configure.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Cisco WLC and Microsoft NAP

    Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
    Thanks

    follow the table in the link http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP

  • Cisco NAC and Microsoft NAP

    Dear all,
    I need to know what are the differences between Cisco NAC and Microsoft NAP ?
    Can NAP be used instead of NAC or not ? why ? why not ?

    I really do not know if you will find the answer that you are looking for. From what I remember NAP was an option that was available with the ACS via a special patch. This is only supported for vista clients if memory serves me correct.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with acs 4.2 possibly hitting eol/eos.
    Thanks,
    Tarik

  • Integrating Microsoft NAP with Cisco ASA

    Hello everyone,
    I'm quite new to the Cisco world. I wonder if and how it is possible to marry Cisco ASA with Microsoft NAP (in terms of VPN enforcement). Does anybody know some helpful documents? Is an ACS server/appliance necessary?
    Thanks in advance and kind regards

    Hello Jatin,
    thanks for your reply.
    Microsoft states that authentication via PEAP is necessary for NAP to work:
    "One security feature of PEAP is the transmission of Statement of Health (SoH) messages."
    (see http://blogs.msdn.com/b/openspecification/archive/2009/06/05/peap-phase-2-encapsulation-examples-for-a-client-authenticating-with-ms-chapv2.aspx?Redirected=true)
    However, I found this topic which states that PEAP auth. is not possible with the ASA: https://supportforums.cisco.com/thread/2028742
    Is that true?

  • Cisco Jabber for Windows - Anti-Virus Software

    Hello,
    Cisco Jabber for Windows could not resolve Outlook contacts when a client has McAfee Anti-Virus software installed.
    Is there any documentation available on how to set up anti-virus software so that Cisco Jabber for Windows keeps running?
    Cisco Jabber for Windows Version 9.2.4 Build 4528
    Outlook 2013
    Thanks
    Alex

    This is all we mention about antivirus: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_2/JABW_BK_J6915A59_00_jabber-windows-server-setup/JABW_BK_J6915A59_00_jabber-windows-server-setup_chapter_00.html
    Some antivirus or firewall applications, such as Symantec EndPoint Protection, block inbound CDP packets, which disables desk phone video capabilities. You should configure your antivirus or firewall application to allow inbound CDP packets. See the following Symantec technical document for additional details about this issue: Cisco IP Phone version 7970 and Cisco Unified Video Advantage is Blocked by Network Threat Protection.
    With that being said, we would probably like to get the Jabber process excluded from the antivirus list so that it allows inbound MAPI communication, as that is what is used for querying the Outlook contacts.
    The only process that ever runs from Jabber for Windows is "CiscoJabber.exe", which is located in the following path:
    C:\Program Files (x86)\Cisco Systems\Cisco Jabber
    I hope this helps.

  • Does Cisco NAC Appliance deployment require CS-ACS?

    I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
    If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
    I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
    Anybody have any ideas on that?
    Thanks!

    Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
    Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
    Though by all means deploy NAC, even if you simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
    Hope this helps.

  • Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

    Hi There
    I have Cisco NAC set up in my environment. It is all working fine. The users get themselves authenticated via Cisco NAC Manager, and the Cisco NAC Manager talks to the Cisco ACS for the user database portion. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. Either I'm doing it wrong or this setup of mine doesn't support downloadable ACL? Please kindly advise.
    Regards,
    Ram
    +6-012-2918870

    Hi,
    That is not possible.
    You cannot push ACLs into the NAC manager.
    If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
    Using Radius attributes you can then map users to Roles.
    Please take a look into this:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Cisco ISA-570, Norton Anti Virus blocks Outlook meeting invitations

    Hello all,
    When I try to invite someone to a meeting via Outlook, I get the following error message from my Norton Anti Virus program:
    Your e-mail could not be sent because the connection to your mail server was interrupted.
    So the e-mail does not go out, although I have no problems sending normal e-mails with or without attachments. I briefly switched off the "SMTP Email Attachments" function in the firewall to see whether the problem was caused by it, but unfortunately that did not help. I only succeed when I set Norton Anti Virus not to scan outgoing e-mail.
    When I am on my PC in another network outside the firewall, I do not have this problem. Other PCs in the Cisco network are struggling with the same error.
    Does anyone have the same problem and a fix for it?
    Thanks in advance

    Cisco recently released a new firmware update; after I installed it, the problem was fixed.

  • Host based Anti-Virus and Cisco Security

    Hello Everyone,
    Happy Friday. I was wondering if there are any advantages to using one brand of anti-virus on PCs and servers as it relates to Cisco Security. I know Symantec is something of a competitor, as opposed to Trend, and Cisco even uses Trend signatures in some of their devices. I personally have a liking for Symantec as far as AV goes, but if there is an advantage that is easily exploited by a Cisco network in using something else, I would like to know about it.
    Thanks in advance. All replies rated.

    Hello angel-moon,
    If you are talking about host based security then Cisco provides CSA, which is an extensive host based IPS + antivirus tool:
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/csa/csa52/index.htm
    hope it helps !

  • Cisco ISE NAC agent and Microsoft roaming profiles

    Hi there,
    I have installed Identity Services Engine version 1.1.3 in distributed mode. The NAC agent is installed on the end user PC joined to the domain. When a user with a roaming profile logs into the PC, the NAC agent fails to run posture assessment, but if a user with a non-roaming profile logs in, the NAC agent does posture and full network access is granted.
    Is there something I need to do to enable the NAC agent to perform posture for users with a roaming profile?
    Regards,
    Henry

    Hello,
    I found the following in the Cisco doc. Hope it helps!
    The following failure scenarios might cause the Cisco NAC Agent to appear following successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band and Out-of-Band) and Layer 2 / Layer 3 Out-of-Band environments. Erroneous Agent login dialogs could also appear if users roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC network:
    – ARP poisoning
    – Temporary loss of network connection between the client machine and the CAS
    – Access to untrusted interface IP address on the CAS from non-NAC network segments on NAC-enabled client machines
    Cisco offers the following recommendations to prevent this situation:
    – Ensure all trusted networks (post-authentication) can reach the CAS untrusted interface IP address through the CAS trusted interface only
    – Block discovery packets from all non-NAC networks to the CAS untrusted interface IP address (discovery packets that arrive on the trusted interface of the CAS are blocked by default)
    For more information please refer to the following link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html

  • How Cisco NAC and Cisco NAC Agent works

    Hi,
    Can anyone help by explaining in detail how Cisco NAC will work in L2 OOB mode?
    Also, what is the path from the time the end user connects to the network until he gets access to the network?
    Please reply soon. It's urgent.


  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
    I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start the Active Directory SSO Service, which shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
    2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer
    - Server was not running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - Server starting server ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - Server is now running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - SPN : [ccasso/[email protected]]
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - done building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - KDC(s) :[10.0.240.100]
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - creating login context ...
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
    2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
    - Unable to start server ... KDC has no support for encryption type (14)
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - Notifying GSSServer status Stopped
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run 2008 Server with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
    For Windows 2008 Server at 2003 Server functional level:
    ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
    PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
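When triaging an AD SSO failure like the one above, the useful facts are buried in a multi-line log: the SPN the service registered, which KDCs it resolved, and the Kerberos error code in the final ERROR line. The following Python parser is an added example and is not code from the post or from Cisco. It assumes the two-line record layout shown in the post (a timestamp/level/logger header followed by a "- message" line, occasionally wrapped) and uses a constructed sample log with placeholder SPN and KDC addresses. The numeric error-name table comes from the Kerberos error codes defined in RFC 4120; 14 is KDC_ERR_ETYPE_NOSUPP, whose standard description is exactly the text in the log.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the GSSServer log format in the post above
# (placeholder SPN and KDC addresses; not the poster's actual log).
SAMPLE_LOG = """\
2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- Server starting server ...
2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/nac.example.com@EXAMPLE.COM]
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100, 10.0.240.101]
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
"""

# Header line: "<date> <time> <tz> <LEVEL> <logger>"
HEADER_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ([+-]\d{4}) (\w+)\s+(\S+)\s*$")
SPN_RE = re.compile(r"SPN\s*:\s*\[([^\]]+)\]")
KDC_RE = re.compile(r"KDC\(s\)\s*:\s*\[([^\]]*)\]")
KRB_ERR_RE = re.compile(r"\((\d+)\)\s*$")  # trailing "(14)" style error code

# Subset of Kerberos error codes from RFC 4120 section 7.5.9.
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    68: "KDC_ERR_WRONG_REALM",
}


@dataclass
class Record:
    timestamp: str
    level: str
    logger: str
    message: str


def parse_records(text: str) -> list:
    """Pair each header line with its '- message' line; glue wrapped continuation lines."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            pending = (f"{m.group(1)} {m.group(2)}", m.group(3), m.group(4))
            continue
        msg = line.strip()
        if msg.startswith("- ") and pending:
            ts, level, logger = pending
            records.append(Record(ts, level, logger, msg[2:].strip()))
            pending = None
        elif msg and records:
            # A message wrapped onto the next line (e.g. a long Java object name).
            records[-1].message += msg
    return records


def summarize(text: str) -> dict:
    """Extract the SPN, KDC list, ERROR records (with decoded Kerberos code) and stop status."""
    summary = {"spn": None, "kdcs": [], "errors": [], "stopped": False}
    for r in parse_records(text):
        if (m := SPN_RE.search(r.message)):
            summary["spn"] = m.group(1)
        if (m := KDC_RE.search(r.message)):
            summary["kdcs"] = [k.strip() for k in m.group(1).split(",") if k.strip()]
        if r.level == "ERROR":
            code = int(m.group(1)) if (m := KRB_ERR_RE.search(r.message)) else None
            summary["errors"].append({
                "timestamp": r.timestamp,
                "message": r.message,
                "code": code,
                "name": KRB_ERROR_CODES.get(code, "unknown"),
            })
        if "status Stopped" in r.message:
            summary["stopped"] = True
    return summary


def diagnose(summary: dict) -> str:
    """Turn the decoded error into a defender-side next step."""
    for err in summary["errors"]:
        if err["code"] == 14:
            return ("KDC rejected the Kerberos encryption type the SSO service requested; "
                    "regenerate the keytab with ktpass to match the domain functional level.")
    return "no Kerberos error found" if not summary["errors"] else "see error list"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print(diagnose(s))
```

The continuation rule matters: the post's own output shows "LoginCon" and "text@5ad7b2" split across two lines, and a naive line-per-record parser would silently drop or misattribute such fragments.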

  • Cisco NAC: AV Definition Update Scenario !!!

    Hi,
    I just want to brainstorm this scenario to keep checking the AV definition rule & requirement !!!
    I am using Cisco NAC (4.8.2.3). NAC updates are working fine and configured.
    My customer is using the Trend Micro OfficeScan AV (Ver = 10.5). I have configured the AV installation rule & requirement & mapped it to the role. I wanted to check for AV definitions older than 15 days. The configuration seems to be working fine.
    But the issue is that the Cisco NAC Agent is showing the "Installed" definition date, which is different for each user. The date shown is the one when they installed the AV on the users' machines. So the users fail to fulfil the 15-day-old virus definitions requirement. When I change the 15 days to e.g. 150 days to let the users fulfil the requirement, then it works fine.
    The AV console is showing the right date in its software. I also found some registry keys which keep updating & showing the latest date for the AV definition date. I can use them, but then the administrator would need to change it manually every 15 days. But I want to keep it automatic.
    How can we change the Cisco NAC agent to check the specified registry key???
    Please advise.
    BR,
    Mubasher Sultan

    Yes, correct... Manual update of the antivirus when the PC is in quarantine state is working; it updates, but the NAC agent is still not triggering the antivirus update.
    Ok thanks Nicolas, I think I have to open a TAC case for this issue.
    One thing more, does it have anything to do with av-posture-pack-win-3.4.16.1.tar.gz ??
    Should I update this module ???
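Two threads on this page turn on how a posture rule combines per-product checks: the Windows Defender thread above (an ANY rule that fails because a disabled product is out of date, versus the requested "pass if at least one definition is current" behaviour) and this OfficeScan thread (a check that reads the product's install date instead of its definition date, so it only passes once the window is widened to 150 days). The following Python model is an added example, not Cisco NAC agent code, and makes no claim about how the agent implements its rules; product names, dates and the "today" value are constructed to reproduce both situations.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class AvProduct:
    """One AV / anti-spyware product as a posture agent might report it."""
    name: str
    enabled: bool
    installed_on: date        # when the product was installed
    definitions_on: date      # date of the currently loaded definitions


def age_days(when: date, today: date) -> int:
    return (today - when).days


def is_current(product: AvProduct, max_age_days: int, today: date,
               use_install_date: bool = False) -> bool:
    """True if the product's definitions are within the allowed age.

    use_install_date=True reproduces the OfficeScan thread's failure mode:
    the check reads the install date, not the definition date.
    """
    reference = product.installed_on if use_install_date else product.definitions_on
    return age_days(reference, today) <= max_age_days


def evaluate(products: Iterable[AvProduct], max_age_days: int, today: date,
             mode: str = "any", selected: Optional[Set[str]] = None,
             use_install_date: bool = False) -> bool:
    """Combine per-product checks into one posture verdict.

    mode="all":      every detected product must be current (a disabled, stale
                     Windows Defender fails the host even if Symantec is current)
    mode="any":      pass if at least one detected product is current (the
                     behaviour the enhancement request in the Defender thread asks for)
    mode="selected": judge only the named products, pass if any of them is
                     current (the per-product "Any Selected Rule Succeeds" workaround)
    """
    candidates = list(products)
    if mode == "selected":
        candidates = [p for p in candidates if p.name in (selected or set())]
    if not candidates:
        return False  # nothing to judge: fail closed
    results = [is_current(p, max_age_days, today, use_install_date) for p in candidates]
    return all(results) if mode == "all" else any(results)


# Constructed sample data (dates chosen to reproduce both threads' symptoms).
TODAY = date(2013, 6, 1)
DEFENDER = AvProduct("Windows Defender", False, date(2012, 1, 15), date(2012, 11, 1))
SYMANTEC = AvProduct("Symantec Endpoint Protection", True, date(2012, 1, 15), date(2013, 5, 31))
OFFICESCAN = AvProduct("Trend Micro OfficeScan", True, date(2013, 1, 20), date(2013, 5, 30))


def defender_scenario() -> dict:
    """Same host, three rule semantics: only 'all' fails it."""
    host = [DEFENDER, SYMANTEC]
    return {
        "all": evaluate(host, 15, TODAY, "all"),
        "any": evaluate(host, 15, TODAY, "any"),
        "selected": evaluate(host, 15, TODAY, "selected", {"Symantec Endpoint Protection"}),
    }


def officescan_scenario() -> dict:
    """Install-date check fails at 15 days, passes at 150; definition-date check passes at 15."""
    return {
        "install_date_15": evaluate([OFFICESCAN], 15, TODAY, use_install_date=True),
        "install_date_150": evaluate([OFFICESCAN], 150, TODAY, use_install_date=True),
        "definition_date_15": evaluate([OFFICESCAN], 15, TODAY),
    }


if __name__ == "__main__":
    print(defender_scenario())
    print(officescan_scenario())
```

The install-date variant is the one to watch for in any posture policy: widening the window to 150 days makes the symptom disappear without fixing the check, and a host with genuinely stale definitions then passes as long as it was installed recently enough.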

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server. The symptoms when the NAC server hangs include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via https, and the HA pair being detected as down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found that all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried searching the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, since software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone could help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.
