NAC Remediation

I am running NAC 4.5.1. Is there a way if a client fails one of the requirements to redirect them to a remediation web page?

Absolutely - when you set up the requirement, choose link distribution.

Similar Messages

  • Creating NAC remediation rules based on MAC address

    Hi All,
    Any idea please? Is it possible to control which PCs are allowed on the network based on a MAC address list in NAC? I.e. create a list of MAC addresses for the PCs on my network in NAC; then each PC is granted network access (after passing NAC authentication and remediation) only if its MAC address is in that list.
    So my checks will be:
    1. Have antivirus updated
    2. Have antispyware updated
    3. Have windows updates installed
    4. Have MAC address registered in the MAC list
    5. etc.
    Then after the above checks pass --> GRANT network access.
    regards,
    Stanlaus.


  • Cisco NAC Remediation Config Assistance

    I'm deploying NAC for a large enterprise. They would like to use the NAC for posture assessments but manual remediation. If the users do not meet the Windows patch and AV requirements they are expected to manually remediate their systems, not using the CCA agent.
    Is this possible? I cannot find a specific example of this. Their reason for this design is that they have multiple partners using this service but they cannot remediate systems which they do not manage; we can only enforce the policies.
    Thanks for the assistance.

    There will be three requirements:
    - a custom requirement checking for registry entries and files to determine if the system is a corporate asset or not.
    - a windows patch check
    - AV checks
    The customer does not require remediation from the NAC at all. They only wish to use the product for posture assessment. I do not want to offer the option of remediation at all. There are two reasons for this decision:
    1) They cannot perform remediation on 3rd party systems since they do not manage the asset.
    2) They currently have software deployment farmed out to another company which does not use WSUS. They use Tivoli.
    Any advice would be appreciated. Thanks!

  • Nac remediation failed

    Hi All,
    Has anyone encountered this issue? Recently upgraded to 4.9. Using L2 OOB wireless. Symantec Endpoint Protection ver 11; the virus definition is out of date, and when the user clicks repair it takes a long time to remediate and then gives a failed error: "The remediation you are attempting had a failure. If the problem persist contact the system admin"
    Traffic control is allowing the update in the temporary role, and there's no blocking from the quarantine VLAN to the Symantec server. Also we notice that the definition gets updated after a while.
    Thanks.
    Regards
    Joachim

    Hi Joachim,
    In my environment, we have workstations with SEP ver 11 too and I would like to know where your users are searching for updates during the remediation process.
    We have Symantec Endpoint Protection Manager acting as antivirus server, and when the NAC Agent calls Symantec LiveUpdate to perform the repair, users get updates from the Internet and not from the antivirus server.
    Could you give me more information about your environment?
    regards,
    Daniel Stefani

  • NAC Remediation issue

    Hi,
    I made a requirement for AV update. NAC detects the infected client and launches the AV (Trend Micro client) so the user can update his AV, but after that NAC shows an unknown result in CCA and does not show any message regarding successful remediation.
    (Traffic is allowed towards AV server)
    Any idea?

    Hello,
    Here are the links to the Windows and MacOS supported AV/AS on NAC 4.8.2:
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/WinAV-AS-vers86.pdf
    http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/MacOSXAV-AS-ver9.pdf
    Regards.

  • ISE1.2 NAC Agent/Compliance and SCCM Software Updates

    Hi guys,
    We are testing out ISE1.2 in the lab and are trying to achieve posture compliance assessment and remediation of Windows security patches with Windows clients running the SCCM Agent with SCCM 2012 infrastructure.
    Can you confirm whether support for SCCM 2012 is currently available for shipping ISE versions, or planned for a future ISE release?
    If this feature/integration is currently supported, could you point me in the direction of example configurations?
    All helpful replies rated!
    Many thanks, Ash.

    We use SCCM 2012 R2 in our environment, and we setup the NAC remediation for critical updates.

  • NAC Agent 4.9 issue while remediation with in ISE

    We have installed NAC agent 4.9 and configured a posture policy for Symantec Endpoint Protection version 11.x in ISE 1.1.1. When the end user falls into remediation and tries to remediate by collecting the latest antivirus definitions from the local antivirus server, clicking the update button gives a message stating
    "The Remediation you are attempting is reporting an access denied error. This is usually due to a privileg issue. Please contact your system administrator"
    It continuously asks that prompt and gives that privilege message.
    Do we need to have administrator rights for remediation? This prompt appears again and again until the remediation timer expires, and then it falls into the Non-compliant (Restricted) profile.
    Please find attached screen shots for the same

    I figured out a solution that works: you must disable Online Certificate Status Protocol (OCSP) on the affected system. To do this:
        Open Keychain Access. Keychain Access can be found by selecting Go in the Finder and choosing the Utilities option. Keychain access should be listed in the folder that appears. Double-click the Keychain Access icon to open it.
        Select Keychain Access -> Preferences from the menu at the top of the screen
        Choose the Certificates tab
        Change the OCSP option from Best Effort to Off
        Close the Preferences dialog and quit Keychain Access
        You should be able to NAC now

  • NAC Agent - Loop in Remediation WSUS

    Hello,
    I'm implementing WSUS posture in my ISE environment.
    When the NAC Agent detects a new Windows update, the remediation action is automatic. I configured Show UI with the wizard interface and this is working well.
    But after the Windows update installation, the NAC Agent stays in the remediation process. Looking at the WindowsUpdate.log file, I see repetitive messages like:
    Updates Found = 0 OR Found 0 Updates and X categories in search.
    If I use Windows Update from Windows to search and install the updates, it works very well too.
    The attached image illustrates my problem (at this point, the Windows update installation was done):

    Updating..
    Approximately 30 minutes later, the NAC Agent finished the remediation process. (Only 1 Windows update package)
    Apparently the station sends many reports to WSUS, and while it does, the NAC Agent continues the remediation process, even after installing the update.
    I'm sure there is a way to optimize it, but if anyone has any tips I'd appreciate it.
    Best Regards,
    Daniel Stefani
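
An added example, not part of the thread and not Cisco's code: it reproduces the Windows Update Agent (WUA) search that a WSUS remediation drives, so you can see from the endpoint whether WUA still reports missing updates or a pending reboot while the agent sits in "remediating". It uses the WUA COM API directly; the criteria string is an assumption chosen to mirror the "Found 0 Updates" search in the log, and ServerSelection 1 (managed server) is an assumption that the client is WSUS-managed, as in the post above.

```powershell
# Added example: ask the Windows Update Agent what it still considers outstanding.
# ServerSelection: 0 = default, 1 = managed server (WSUS from policy), 2 = Windows Update, 3 = other.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1   # assumption: the client is WSUS-managed, as in the thread

# Which WSUS server policy points the client at (real key, set by GPO or the WSUS client config).
$wuPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
"WSUS server     : $($wuPolicy.WUServer)"

# Criteria string is an assumption; it asks for software updates that are not installed and not hidden.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
"Updates found   : $($result.Updates.Count)"
foreach ($u in $result.Updates) {
    "  {0} | Severity={1} | Downloaded={2} | KB={3}" -f $u.Title, $u.MsrcSeverity, $u.IsDownloaded, ($u.KBArticleIDs -join ',')
}

# An installed update often leaves WUA waiting on a reboot; until that clears, a
# remediation client re-scanning WUA may keep looping even though "Updates found" is 0.
$sysInfo = New-Object -ComObject Microsoft.Update.SystemInfo
"Reboot required : $($sysInfo.RebootRequired)"

# Last successful detection and install, as WUA records them (real registry keys).
$auResults = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results'
"Last detect     : $((Get-ItemProperty "$auResults\Detect"  -ErrorAction SilentlyContinue).LastSuccessTime)"
"Last install    : $((Get-ItemProperty "$auResults\Install" -ErrorAction SilentlyContinue).LastSuccessTime)"
```

If the search returns 0 updates but RebootRequired is true, the endpoint is compliant from WSUS's point of view and the remaining delay is the reboot plus the client's reporting cycle to WSUS, which is what the post above observed; the agent's remediation timer needs to cover that window or the user will be dropped into the non-compliant role.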

  • Nac Agent do not execute remediation

    Hi to all,
    In a lab environment I have configured a CAM/CAS solution on a 3310 server and I have installed 2 PCs (one Windows Vista and one XP) with NAC client version 4.6.2.133.
    My problem is auto-remediation and manual remediation: the client gets temporary access but does not start the LiveUpdate program (I use Symantec Endpoint Protection 11).
    I have admin rights on both PCs.
    How can I solve the problem?
    Thanks for help

    There is no automatic remediation for all products. You must launch the endpoint protection, click LiveUpdate, then re-scan on the NAC agent and you will pass.
    Quote from Cisco Doc (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html):
    "•Not all product versions of a particular vendor may support the Clean Access Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product."
    If you have verified that your requirement-rule is specifically for Symantec Endpoint Protection 11, and the rule has automatic remediation configured, then it may fall into this scenario. You may also have it configured where the endpoint protection is not accessible to the end-user and requires admin rights to launch. Please put the client in debug and send the results to TAC for analysis, as it would be the best bet for you to get a clear answer.
    Hope that helps, rate if it does.
    Cheers,
    Tim

  • Problems with the Cisco NAC agent, does not perform remediation??

    Good Morning
    I'm doing an implementation of NAC, but when the user is authenticated, the agent informs them that the machine does not comply with the defined security policies; when starting the repair and re-scanning the machine, the error "NAC Server is not available on the net" appears. The policy I am doing is to check a file on local disk C.
    Attached error screen
    I would appreciate your responses as soon as possible

    The problem I have is when it moves into remediation... phase 2. If no remediation is being done (i.e. no checks, rules, scans etc.) then it moves directly from phase 1 (authentication) to phase 3 (authenticated user and assign role) and all works fine.
    I've looked under all the traffic rules and can see nothing that would mean it could not contact the CAS. There are some differences in 4.7, like the Ethernet traffic filter. It seems to me when put in the temp role, the VLAN should still be the auth VLAN. There is a role-based VLAN option under edit roles, but it states that is only for normal login, not temp agent, so it should not apply.
    I'm starting to think something has gone wrong with the upgrade code somewhere... TAC looked at my config and could see nothing on a quick check; I'm working with them to resolve the issue

  • NAC Appliance and BigFix Automatic remediation

    Hi,
    I want to integrate NAC appliance with BigFix for automatic remediation of Windows clients. Please provide me with a document for the same if anyone has done this in their organization.
    Regards,
    Amit

  • NAC Cisco Clean Access Agent - launch self signed application, remediation

    Hi,
    We are trying to run a custom executable in the remediation process with non-admin rights. As I understand it there are the following requirements in order to be able to do that:
    1) The CAA Stub has to be installed
    2) The application has to be signed with a trusted certificate
    3) Certificate and application details have to be written in the registry structure to be trusted by the agent stub.
    We've followed every step in the documentation but are still receiving the same error in the event log:
    "jada_jada.exe" is not a qualified file to be executed.
    Can't figure out why it is refusing to execute it; we tried every combination.
    Any idea what may be preventing it?
    Thanks

    Hi,
    Thank you for the reply... yes, I have the root cert installed on the client machine; when I look at the file properties, it says the certificate is OK. One thing that comes to my mind though is that I am a member of a domain, so maybe the certificate has to be installed as root at the domain controller?
    When I have the opportunity I will try it.
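
An added example, not from the thread and not Cisco's code: before digging into the stub's registry trust list (which is documented by Cisco and not reproduced here), check whether the executable's Authenticode signature actually chains to a root that the machine trusts, and trusts in the LocalMachine store. A root imported only into the logged-on user's store makes the file look fine in the Properties dialog yet is invisible to a process running as SYSTEM, which is the context a later post in this list says the Clean Access stub uses. The file name is the one quoted in the post above; everything else is generic PowerShell.

```powershell
# Added example: inspect the Authenticode chain of a remediation executable the way a
# machine-context (SYSTEM) service would see it. Path defaults to the file named in the thread.
param([string]$Path = '.\jada_jada.exe')

$sig = Get-AuthenticodeSignature -FilePath $Path
"Signature status : $($sig.Status)"   # Valid, NotSigned, HashMismatch, UnknownError (often an untrusted root)
if ($null -eq $sig.SignerCertificate) { throw "$Path carries no Authenticode signature" }
"Signer           : $($sig.SignerCertificate.Subject)"

# Build the chain explicitly so the failing link is visible. Revocation is skipped on purpose:
# a quarantine VLAN usually cannot reach the CRL/OCSP responder, and that failure mode would
# otherwise mask a genuine trust problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$builds = $chain.Build($sig.SignerCertificate)
"Chain builds     : $builds"
foreach ($s in $chain.ChainStatus) { "  chain problem  : $($s.Status) - $($s.StatusInformation.Trim())" }

# ChainElements[0] is the leaf; the last element is whatever the chain terminated at.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain terminates : $($root.Subject)  ($($root.Thumbprint))"

# A SYSTEM process consults the machine store, not the interactive user's store.
# Cert:\LocalMachine\Root is where an admin import or a domain GPO (Trusted Root CAs policy) lands.
$inMachine = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$inUser    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
"Root in LocalMachine\Root : $([bool]$inMachine)"
"Root in CurrentUser\Root  : $([bool]$inUser)"
if ($inUser -and -not $inMachine) {
    Write-Warning 'Root is trusted only for this user; a SYSTEM service will not accept the file.'
}
if ($sig.Status -eq 'Valid' -and $inMachine) {
    'Signature and machine-level trust look fine; the remaining suspect is the stub''s own trust configuration.'
}
```

Pushing the root through a domain GPO (Computer Configuration, Public Key Policies, Trusted Root Certification Authorities) lands it in the LocalMachine store on every domain member, which is the effect the poster is guessing at when asking whether the root must be installed "at the domain controller".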

  • NAC Appliance remediation

    We are currently testing the NAC appliance before we roll it into production in an environment that does not have a software distribution system. I was just wondering what various methods people use to have end users self-remediate their machines when using a file or link requirement with the CAS.
    The main requirement is that the CSA agent must be installed on the end user's machine. The user can successfully download the CSA agent exe from the CAS. However, the installation requires admin rights, and because our users do not have this the installation fails and the user cannot become compliant.
    Any suggestions on best practices or methodologies used in a production environment would be greatly appreciated.

    Following links may help you
    http://www.cisco.com/en/US/products/sw/secursw/ps5057/prod_bulletin0900aecd805baf90.html
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cam/m_agent.html

  • NAC and AD, Machine GPOs, Roaming Profiles = Chaos

    I've just observed a hapless Cisco consultant try to make NAC 4.1 work on computers with machine GPOs, roaming profiles, logon scripts within user GPOs, and for that matter legacy logon scripts with "run logon scripts synchronously" enabled. All of these technologies seem to fail on a NAC-enforced connection.
    We assign software on machine GPOs and we use roaming user profiles, and it seems we either need to have a domain controller and profile share on the isolation VLAN, which defeats the purpose of NAC, or perform some kind of machine authentication, which can occur before GPO processing and net logons can happen.
    While I'm not the Cisco consultant, it wasn't hard to recognize this problem.
    Everything I've read about NAC and CAA suggests this is a per-user compliance solution and not a per-machine solution. Surely others have observed this, and I think this is what machine authentication (802.1x) NAC, as opposed to user authentication NAC, is all about. At the risk of sounding like a total n00b, where can I start researching a NAC solution that supports what I want and lets us use the Cisco NAC gear we've already invested in?

    I have had similar issues and have solved many with a custom script that runs at log on. It is a compiled script and works great, AutoIT3.
    The policy part takes care of itself if you leave machines logged in long enough or do a gpupdate /force. This will force the group policy to synchronize but you will need to log off and on again.
    The roaming profile is much tougher. I am still trying to get this working. If anyone has any info on EXACTLY what takes place on a roaming profile synchronization, I would be grateful. If I can I will replicate that process in my script and solve this issue also.
    I have fixed the login script stuff with a delay script that I (ironically) use Clean Access to install. You have to launch it with the user's credentials, though, and not from Clean Access, which uses the SYSTEM user's credentials in its stub agent!
    This is a known issue to Cisco but any prodding of them to get it working would help. Their solution is braindead, just give unremediated machines full access! If they fail remediation, kick them off then. Gee, that gives the unremediated machine a mere two to three minutes to attack your AD DCs on each log in attempt. Not good.
    Anyway, that's where I am at. Most of this can be dealt with, some is still problematical.
    Dan S.

  • ISE Posture Condition for Windows Service Pack and Remediation

    Hi,
    We have ISE ver 1.1.1 and are currently on a PoC. I have the following points to be clarified for posture and remediation.
    1) How to configure a condition to check the Windows service pack (maybe more than one Windows flavor such as XP, Win 7 and Win 8) and how to remediate in case the client is not complying with the Windows requirement.
    2) I configured an AV condition and it looks like it's working fine; however, I still couldn't find where to configure how to remediate in case the client does not have the proper version and AV definition on his PC.
    3) We have an authorization profile configured with dACL "Posture Remediation" where we allow the AV server update URL, and also a matching ACL configured on the switch "Posture Redirect"; I want to know the exact purpose of these two ACLs.
    4) Where can we see the logs of non-compliant clients and find out the reason for non-compliance?
    I would appreciate it if someone could please give us a proper document to achieve the above tasks or send me the configuration steps of any working scenario.
    thanks in advance.

    1. Windows Server Update Services (WSUS) remediation remediates Windows clients from a locally managed WSUS server, or a Microsoft-managed WSUS server, with the latest Windows service packs, hotfixes, and patches (WSUS updates) for compliance. You can create a WSUS remediation where a NAC Agent integrates with the local WSUS Agent to check whether the endpoint is up-to-date for WSUS updates. You can also duplicate, edit or delete WSUS remediations from the remediations list.
    You can configure Windows clients to receive the latest WSUS updates from a Microsoft-managed WSUS server, or a locally administered WSUS server, for compliance.
    The Windows Server Update Services (WSUS) remediations list page displays all the WSUS remediations along with their names, descriptions, and their modes of remediation.
    Check the following links for configuration:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554782
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1554884
    2. For AV/AS remediation configuration check this link: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_pos_pol.html#wp1657420
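
An added example, not part of the thread and not Cisco's code, for points 1, 2 and 4 above: the service-pack and antivirus facts an agent-based posture check evaluates are the same ones Windows exposes through WMI, so reading them locally lets you cross-check a "non-compliant" verdict against what the endpoint itself reports. The productState decoding is the commonly documented Security Center bitfield layout; the root\SecurityCenter2 namespace exists on Vista and later (XP uses root\SecurityCenter), and Get-WmiObject is used so it also runs on the PowerShell 2.0 hosts of that era.

```powershell
# Added example: read, from the endpoint, the facts a Windows posture condition looks at.

# 1) OS flavour and service pack. XP / 7 / 8 report different Version strings, which is why
#    a posture policy typically carries one condition per OS flavour.
$os = Get-WmiObject Win32_OperatingSystem
"OS            : $($os.Caption)"
"Version       : $($os.Version)"
"Service pack  : $($os.ServicePackMajorVersion).$($os.ServicePackMinorVersion)"

# 2) Antivirus products registered with Security Center. productState is a packed bitfield:
#    middle hex byte 0x10/0x11 = real-time protection on, 0x00/0x01 = off;
#    low hex byte 0x00 = definitions current, 0x10 = out of date.
function ConvertFrom-ProductState([int]$State) {
    $hex = '{0:x6}' -f $State
    New-Object PSObject -Property @{
        Enabled  = (@('10','11') -contains $hex.Substring(2,2))
        UpToDate = ($hex.Substring(4,2) -eq '00')
    }
}

$avs = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $avs) { Write-Warning 'No AV registered in root\SecurityCenter2 (pre-Vista host, or AV not registered).' }
foreach ($av in $avs) {
    $st = ConvertFrom-ProductState $av.productState
    "AV            : {0}  enabled={1}  definitionsCurrent={2}  lastReported={3}" -f `
        $av.displayName, $st.Enabled, $st.UpToDate, $av.timestamp
}
```

A definitions-out-of-date result here with the vendor console showing current signatures usually means the product has not re-reported to Security Center yet, which is the same lag that makes a NAC posture re-scan fail right after a successful update; re-scan after the timestamp above changes.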
