External posture validation server LanDesk vs. ACS

Similar Messages

• NAC Framework with TrendMicro Policy Server? External Posture Assessment?

  Hi
  I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
  I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
  What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server;
  https://win2k3std:4343/antibody
  And have supplied it with the password (no username is needed to login to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enable External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
  I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs;
  Posture Validation Failure on External Policy
  Does anyone have any experience or help with this. Thanks very much.
  Jason Humes

  Please check the links for the Configuration and Troubleshoot of NAC
  www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
  www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

• ACS / NAC phase 2 / posture validation with symantec AV

  Hi,
  We encounter problem to implement NAC phase 2 with symantec.
  ACS is an appliance one, version 4.0
  We?ve installed the Symantec AV pair on the ACS : that?OK.
  The following softwares are installed on the client PC:
  - Cisco CTA : ctasetup-win-2.0.1.14.exe
  - Aegis SecureConnect 2KXP-4_0_4.msi
  - Symantec client security posture plug-in.msi together with the associated setup.exe
  Moreover, client PC is configured to use EAP-FAST with mschapv2.
  We?ve defined an internal posture validation on the ACS.
  The first rule of this posture is performed on the following Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.
  When the first rule of this posture matches, then the posture token associated (radius authorization component) doesn?t return the associated vlan, so the user must be placed into the vlan associated by default on the port.
  The default rule is associated with another authorization component that returns the quarantine vlan.
  Problem is that we don?t manage to match on this posture.
  It?s as if the client doesn?t send the parameters.
  Logs on the ACS indicates the following:
  - message type : authen failed
  - authen failure code : posture validation failure (general)
  - eap type name : EAP-FAST
  - reason: no matched required credential types in any posture validation rule
  - cisco:PA:OS-type : OK, well retrieved (windows XP professional)
  - cisco:Host:ServicePack: OK, well retrieved (service pack 2)
  - but none of the Symantec AV could be retrieved.
  Symantec indicated to us that their AV server isn?t yet compatible witch ACS.
  So external posture validation isn?t possible in our case.
  Only internal posture validation should work.
  But no way to retrieve Symantec information from CTA.
  Thanks in advance for your attention.
  Best Regards,
  Arnaud

  Hi.
  Please examine the following directory of client pc. Is Plugins File of Symantec installed?
  \Program Files\Common Files\PostureAgent\Plugins
  \Program Files\Common Files\PostureAgent\Plugins\Install
  Plugin Installation and Upgrade
  Each NAC-compliant application is responsible for installing its own posture plugin on end systems.
  Plugins for Windows environments are installed in this directory:
  \Program Files\Common Files\PostureAgent\Plugins\Install
  When CTA receives a posture request, it scans the PostureAgnt\Plugins\Install directory for new or updated posture plugins. If there are new or updated posture plugins in the PostureAgnt\Plugins\Install directory, CTA performs one of the following actions:
  " If the .dll plugin does not exist in the PostureAgent\Plugins directory, CTA moves the plugin files from the PostureAgent\Plugins\Install directory to the PostureAgent\Plugins directory.
  " If the .dll plugins does exist in the PostureAgent\Plugins directory, then CTA checks to see if the plugin, in the PostureAgent\Plugins\Install directory, is newer than the one in the Plugins directory. CTA then moves the newer plugin to the PostureAgent\Plugins directory and overwrites the older one. If the plugin in the PostureAgent\Plugins\Install directory is older than the one in the Plugins directory, CTA deletes it, and continues to use the original plugin.
  " If the plugin creates an error during registration, CTA moves the plugin to the following directory (if the logging is enabled, the error information is logged):
  http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870db.html
  best regards,
  sahase

• External Posture Server

  I'm trying to set ACS 4.0 up to validate posture via an external validation server, namely Symantec 10 AV. I have searched high and low and cannot find what to use for the URL for the AV server. Has anyone else successfully done this? I am also trying to validate posture to a Windows WSUS server a well, so any information that you can provide for that URL would be greatly appreciated.
  Thanks

  Thanks. I understand that is the procedure. Unfortunately, neither Symantec nor Microsoft offers any type of support for this. No information whatsoever has been published. I need the specific URL for either/both servers. Even TAC dodges the question.
  I'll keep plugging away.
  Thanks

• Posture validation

  Dear Team,
     I have an internal Windows and Antivirus server. I want to do posture validation and want to make sure that end points
  checks the updated from the external server.
  Could you please let me know where do we define information about the internal servers in ISE?
  Minakshi

  Posture Services on the Cisco ISE Configuration Guide
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

• How to monitor a certificate period validity installed on the ACS ?

  Hello,
  I have to monitor a certificate period validity installed on the ACS with Centreon.
  Someone can help me ?
  Thanks,
  Regards,
  Oliver.

  Step 1 In the navigation bar, click System Configuration.
  Step 2 Click ACS Certificate Setup.
  Cisco Secure ACS displays the Installed Certificate Information table on the ACS Certificate Setup page.
  Note If your Cisco Secure ACS has not already been enrolled with a certificate, you do not see the Installed Certificate Information table. Rather, you see the Install new certificate table. If this is the case, you can proceed to Step 5.
  Step 3 Click Enroll New Certificate.
  A confirmation dialog box appears.
  Step 4 To confirm that you intend to enroll a new certificate, click OK.
  The existing Cisco Secure ACS certificate is removed and your CTL configuration is erased.
  Step 5 You can now install the replacement certificate in the same manner as an original certificate. For detailed steps, see Installing a Cisco Secure ACS Server Certificate.

• Can't connect to external MS SQL server

  I have two primaries and an external db. The two primaries were updated from 11.2.3 to 11.3. Everything is working great and the upgrade was successful.
  My database runs on an external MS SQL server. It hosts both the zcm database and the audit database.
  When I installed ZRS 5 I pointed it at one of my primaries. The install says it was successful and it appears to have successful pulled in my configuration for both zcm and zcm_audit to /opt/novell/zenworks-reporting/conf/zrs-configuration.xml.
  I can log in to ZRS 5. When I try to create a report or run an existing report from the library I always get a connection error. It definitely looks like it can not connect to my external MS SQL db. I cranked all of the logging under Server Settings to DEBUG but I can not seem to find the logs.
  I also tried following the Cool Solution using the downloaded zip and pointed it at my external db. It would not connect either. I know the username and password is correct and I tried the username in different styles: username@server, server\username, username. The only thing I can think of is my sql password for both of my users contains an extended character ! and =.
  Any help as to where to look or what might be the issue is greatly appreciated.
  Thanks in advance,
  Jeff

  I'm not sure, but I may recall hearing that it requires SQL Server Auth
  Credentials.
  Again I'm only about 51% sure here.
  "jcrawfor" wrote in message news:[email protected]..
  I have two primaries and an external db. The two primaries were updated
  from 11.2.3 to 11.3. Everything is working great and the upgrade was
  successful.
  My database runs on an external MS SQL server. It hosts both the zcm
  database and the audit database.
  When I installed ZRS 5 I pointed it at one of my primaries. The install
  says it was successful and it appears to have successful pulled in my
  configuration for both zcm and zcm_audit to
  /opt/novell/zenworks-reporting/conf/zrs-configuration.xml.
  I can log in to ZRS 5. When I try to create a report or run an existing
  report from the library I always get a connection error. It definitely
  looks like it can not connect to my external MS SQL db. I cranked all
  of the logging under Server Settings to DEBUG but I can not seem to find
  the logs.
  I also tried following the Cool Solution using the downloaded zip and
  pointed it at my external db. It would not connect either. I know the
  username and password is correct and I tried the username in different
  styles: username@server, server\username, username. The only thing I
  can think of is my sql password for both of my users contains an
  extended character ! and =.
  Any help as to where to look or what might be the issue is greatly
  appreciated.
  Thanks in advance,
  Jeff
  jcrawfor
  jcrawfor's Profile: https://forums.novell.com/member.php?userid=3343
  View this thread: https://forums.novell.com/showthread.php?t=476344

• Failed to connect to the server, specify a valid server name and ID and pw

  I am trying to install business one on a clients application server, where their sql server software is installed on a different server. When I get to the point of the installation where it asks for connection information: sql type, sql server name, logon and password, it fails after entering the correct info. I have double checked this info, typed it repeatedly and correctly and I continue to receive the following error: Failed to connect to the server, specify a valid server name and ID and password and try again. Can anyone lead me in the right direction to determine what my issue is? I can connect to sql server with the sa logon, on the sql server and I can access/ping the sql server from the application server, I just can't connect to sql server through the installation. I checked the sql server settings that I know of, so I don't know if it is an issue there or if it is a port issue or what.
  Thanks for any help.

  Following is whjat the customers IT team reported they did to get the install running:
  RIGHT!  Worked it out!    It wasn't firewall in the end at all, it was that the SAP B1 installation isn't aware of SQL Server 2008 R2 (version 10.50.x.x).
  The vbscript was looking for the presence of SQL Server 2008 (version 10.0.x.x) in the registry and not by scanning ports or suchlike.
  If you use the autorun installation from this folder; E:\BusinessEvolution\Software\SAP_Extract_via_WINZIP it should work fine - I've modified the checksql.htm to look for SQL 2008 R2 and now autorun goes past that first problem.
  Not sure if that will be any help to you? In that instance I think we were installing 8.8 PL17...
  The upgrade frpm there to 8.81 PL07 worked fine

• Posture validation in SOHO - Extended wireless from corporate

  Hi,
  I have a customer moving from Cisco NAC based solution to Cisco ISE.  NAC should be provided to wireless and the SOHO users(wireless).  We implemented airspace ACL on the Cisco ISE, which will push the ACL to wireless Aps(flexconnect acl) based on the posture validation. If the posture validation fails, ACL specific to a particular end point will be pushed into AP.
   However, the same airspace ACL is not working on the VPN routers(800 series). VPN routers integrated wireless solution doesn’t understand the airspace ACL av:pair and don’t think we can configure flexconnect ACLs on the SOHO routers. Do you think of anyother idea where we can enforce the ACL based on the posture validation?. Downloadable acl works on an interface. I don’t think it can be enforced on per-user basis.
  Is there any way to push the ACL? Do posture validation & remediate the end point with limited access?
  Pardon me for my gmail account. I  havnt received the BT id yet.
  Thanks,
  Ramesh

  Had a similar problem where I wasn't exactly sure how to setup the provisioning part of the flow. I was pretty sure I had all the rules in place.
  I found an excellent Cisco TAC guide here which details setting up Anyconnect for the posture assessment. They include a part to say here's where you put in the NAM or/and VPN settings but you dont' need to. In fact if you do wish to load some you need to use Ciscos standalone NAM Profile Editor.
  Hope the TAC article helps you out, it got me to understand the process of what was happening for client provisioning.

• Import a valid Server Certificate as a trustStore.?

  How do I import a valid server certificate as a trustStore and put
  this in jre/lib/security.
  I have a Java class that needs to connect to a valid HTTPS Server
  having a certificate issued by a CA.
  Now,I have a Java client that connects to this server,and sends and
  receives data.
  I will need to import the server certificate into the jre/lib/security
  directory?
  I guess we need to do this so that the client accepts the server's
  certificate
  Has anyone understood my question?
  Attached is my java class:
  public class HttpsSender
  String sURL = "SomeServerAddress";
  public static String ec(String sMess)
  String response=null;
  try {
  Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
  System.setProperty("java.protocol.handler.pkgs","com.sun.net.ssl.internal.www.protocol");
  /* Temporarily testing on Tomcat and hence the Context:A_SYMBIAN_SERVLET */
  URL url;
  String uri = "https://" + sURL
  url = new URL(uri);
  HttpsURLConnection hpCon= (HttpsURLConnection)url.openConnection();
  hpCon.setRequestMethod("POST");
  hpCon.setDoOutput(true);
  hpCon.setDoInput(true);
  /** Transfer Data over https */
  DataOutputStream dos = new DataOutputStream(hpCon.getOutputStream());
  dos.writeUTF(sMess);
  /* Response from the Receiving Servlet.*/
  DataInputStream dis = new DataInputStream(hpCon.getInputStream());
  try {
  response = dis.readUTF();
  }finally
  dos.close();
  dis.close();
  }catch(IOException e)
  System.out.println("Error in Client " + e);
  return response;
  } // End of Method Encrypt.

  You can import a valid server certificate into a Store with the keytool!
  Good link:
  http://forum.java.sun.com/thread.jsp?forum=2&thread=4240
  You must provide to the Java-VM where it can find the TrustStore:
  -> on command line:
  java -Djavax.net.ssl.trustStore=XXX/jssesamples/samplecacerts
  For Testing the Debug Output can be usefull! Enable with:
  java -Djavax.net.debug=handshake,ssl
  -> in source code:
  System.setProperty("javax.net.ssl.trustStore",STORE_FILE);
  System.setProperty("javax.net.ssl.trustStorePassword",STORE_PASS);

• RADIUS-3-NOSERVERS: No radius hosts configured or no valid server present in the server group

  Hi,
  I currently have an C2960 switch with IOS 15.0(2) SE4. To log on the CLI of the switch authentication against a RADIUS server takes place. Accounting is not wanted. The config of the switch is as follows:
  aaa new-model
  aaa group server radius RADIUSGROUP
   server xxx.xxx.xxx.1 auth-port 1812 acct-port 0
   server xxx.xxx.xxx.2 auth-port 1812 acct-port 0
  aaa authentication login default group RADIUSGROUP local
  aaa authentication dot1x default group RADIUSGROUP
  aaaauthorization network default group RADIUSGROUP
  radius server host xxx.xxx.xxx.1 auth-port 1812 acct-port 0 key 7 [encrypted password]
  radius server host xxx.xxx.xxx.2 auth-port 1812 acct-port 0 key 7 [encrypted password]
  It works fine, the authentication and the login are successful, but every login generates a message in the logging of the switch:
  RADIUS-3-NOSERVERS: No radius hosts configured or no valid server present in the server group
  What is going wrong???
  Any help would be appreciated.

      That's going to be something you are going to have to go the cisco TAC with .  That looks to be some kind of software bug.  Also a feature probably not a lot of people actually use and have knowlwedge about.

• Sync Addon Setup says "Please enter valid server URL" for Custom Sync Server settings

  While setting up the Sync add-on, I selected "Use a custom server" setting.
  I wish to keep the syncing information on my own server space where my personal website is also hosted.
  No matter what URL i enter (the ftp one or the http addr) it still show a "Please enter a valid server URL" message under the textbox and the next button stays disabled.
  Please help!
  This is important for me because xmarks is of no use to me anymore as it is blocked by our company firewall.
  Hoping "Firefox Sync" proves to be the solution!
  Thanks in advance.

  If you follow the "strong recommendation" to use the Weave Minimal server make sure to watch out for these pitfalls. Took me a while...
  # Don't try to create a new account in Firefox. You must create the account on the command line on the server.
  # Don't forget to take note of the long string printed by the create_user script, that's your SyncKey, and you need it later.
  # In the server URL field in the "sign in with existing account" dialogue, you must enter a trailing slash, ie. if you installed Weave Minimal at https://myserver/weave, you must enter this at https://myserver/weave/
  Good luck. It does work!

• Sync Setup - Custom server – valid server URL

  Unter Tools > Set up sync > Server > "Use a custom server ..."
  Dort wird leider keine meiner eingegebenen URLs als korekt angesehen. Es erscheint immer der test "Pleas enter a valid server URL" . Ich habe diese eingaben getätigt.
  http://localhost:5000/
  http://localhost:5000
  localhost:5000/
  localhost:5000
  localhost
  Der Server liegt auf localhost port 5000.
  Ich hoffe ihr könnt mir helfen.
  Grüße

  If you follow the "strong recommendation" to use the Weave Minimal server make sure to watch out for these pitfalls. Took me a while...
  # Don't try to create a new account in Firefox. You must create the account on the command line on the server.
  # Don't forget to take note of the long string printed by the create_user script, that's your SyncKey, and you need it later.
  # In the server URL field in the "sign in with existing account" dialogue, you must enter a trailing slash, ie. if you installed Weave Minimal at https://myserver/weave, you must enter this at https://myserver/weave/
  Good luck. It does work!

• NAC Framework NAC-L3-IP, passing posture validation, but no ACLs downloaded

  Hi
  I've got the NAC Framework NAC-L3-IP setup using an 1800 router and Cisco ACS Server 4.2. When my client attempts to reach the internet (through our NAD configured for network admission), I get a popup saying the Posture is Healthy, the ACS server says its good, yet I never get any of my configured ACLs downloaded to the router. I think my problem is with my RADIUS AUthorization Components...what should the Healthy RAC look like? This is what I've currently got;
  IETF Session-Timeout (27) 36000
  IETF Termination-Action (29) RADIUS-Request (1)
  Cisco IOS/PIX 6.0 cisco-av-pair (1) status-query-timeout=300
  I've got that RAC tied to a NAP and a downloadable ACL also associated to it through the Network Access Profiles page.
  Can anyone provide help with this. Thanks

  Ooops, nevermind, I had to enable aaa authorization network default group radius and then the ACLs downloaded as expected. Thanks!
  Jason

• Lync 2013 client can't connect externally to edge server

  So I have my edge server set up in the DMZ. 3 ips bound to an interface for external connectivity.
  sip.domain.org (A record)
  webconf.domain.org (A record)
  av.domain.org (A record)
  _sip.tls.domain.org:443 pointing to the same IP as sip.domain.org
  External Lync Clients should be using this srv record to auto-connect, correct?
  I have purchased a thawte ssl cert and bound it correctly to the external interface.  Internal interface is a PKI internal CA cert. Sometimes when doing a testconnectivity from MS, it comes up stating " The certificate couldn't be validated because
  SSL negotiation wasn't successful", when other times I run the test and it states that it validates the cert correctly, analyzing the cert - no problems found, etc, all looks good and then fails at "couldn't sign in Error Unknown (0x80131500) 
  Error type: TLSFailureException.
  Not sure where to start looking or why it shows the cert is good sometimes and others not.
  Also when I launch the Lync Server Admin Console, Under Topology,  my edge server is showing Replication with a red X.  Don't know what to look for either.

  Hi jackl2001,
  By default, no policies are configured to support external user access, including remote user access, federated user access, even if you have already enabled external user access
  support for your organization. To control the use of external user access, you must configure one or more policies, specifying the type of external user access supported for each policy.
  Click on the link below for more details.
  Managing federation and external access to Lync Server 2013
  http://technet.microsoft.com/en-us/library/gg520966.aspx
  Best regards,
  Eric