Posture validation

Dear Team,
   I have an internal Windows and antivirus server. I want to do posture validation and make sure that endpoints check for updates from the external server.
Could you please let me know where we define information about the internal servers in ISE?
Minakshi

Posture Services on the Cisco ISE Configuration Guide
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116143-config-cise-posture-00.html

Similar Messages

  • ACS / NAC phase 2 / posture validation with symantec AV

    Hi,
    We encounter problem to implement NAC phase 2 with symantec.
    ACS is an appliance one, version 4.0
    We've installed the Symantec AV pair on the ACS: that's OK.
    The following software is installed on the client PC:
    - Cisco CTA : ctasetup-win-2.0.1.14.exe
    - Aegis SecureConnect 2KXP-4_0_4.msi
    - Symantec client security posture plug-in.msi together with the associated setup.exe
    Moreover, client PC is configured to use EAP-FAST with mschapv2.
    We've defined an internal posture validation on the ACS.
    The first rule of this posture is performed on the following Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.
    When the first rule of this posture matches, then the posture token associated (radius authorization component) doesn't return the associated vlan, so the user must be placed into the vlan associated by default on the port.
    The default rule is associated with another authorization component that returns the quarantine vlan.
    Problem is that we don't manage to match on this posture.
    It's as if the client doesn't send the parameters.
    Logs on the ACS indicate the following:
    - message type : authen failed
    - authen failure code : posture validation failure (general)
    - eap type name : EAP-FAST
    - reason: no matched required credential types in any posture validation rule
    - cisco:PA:OS-type : OK, well retrieved (windows XP professional)
    - cisco:Host:ServicePack: OK, well retrieved (service pack 2)
    - but none of the Symantec AV could be retrieved.
    Symantec indicated to us that their AV server isn't yet compatible with ACS.
    So external posture validation isn't possible in our case.
    Only internal posture validation should work.
    But no way to retrieve Symantec information from CTA.
    Thanks in advance for your attention.
    Best Regards,
    Arnaud

    Hi.
    Please examine the following directory of client pc. Is Plugins File of Symantec installed?
    \Program Files\Common Files\PostureAgent\Plugins
    \Program Files\Common Files\PostureAgent\Plugins\Install
    Plugin Installation and Upgrade
    Each NAC-compliant application is responsible for installing its own posture plugin on end systems.
    Plugins for Windows environments are installed in this directory:
    \Program Files\Common Files\PostureAgent\Plugins\Install
    When CTA receives a posture request, it scans the PostureAgent\Plugins\Install directory for new or updated posture plugins. If there are new or updated posture plugins in the PostureAgent\Plugins\Install directory, CTA performs one of the following actions:
    - If the .dll plugin does not exist in the PostureAgent\Plugins directory, CTA moves the plugin files from the PostureAgent\Plugins\Install directory to the PostureAgent\Plugins directory.
    - If the .dll plugin does exist in the PostureAgent\Plugins directory, then CTA checks to see if the plugin in the PostureAgent\Plugins\Install directory is newer than the one in the Plugins directory. CTA then moves the newer plugin to the PostureAgent\Plugins directory and overwrites the older one. If the plugin in the PostureAgent\Plugins\Install directory is older than the one in the Plugins directory, CTA deletes it and continues to use the original plugin.
    - If the plugin creates an error during registration, CTA moves the plugin to the following directory (if logging is enabled, the error information is logged):
    http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870db.html
    best regards,
    sahase

  • Posture validation in SOHO - Extended wireless from corporate

    Hi,
    I have a customer moving from a Cisco NAC based solution to Cisco ISE. NAC should be provided to wireless and SOHO (wireless) users. We implemented an Airespace ACL on the Cisco ISE, which will push the ACL to the wireless APs (FlexConnect ACL) based on the posture validation. If the posture validation fails, an ACL specific to that particular endpoint will be pushed to the AP.
    However, the same Airespace ACL is not working on the VPN routers (800 series). The VPN routers' integrated wireless solution doesn't understand the Airespace ACL av-pair, and I don't think we can configure FlexConnect ACLs on the SOHO routers. Can you think of any other way we can enforce the ACL based on the posture validation? Downloadable ACLs work on an interface; I don't think it can be enforced on a per-user basis.
    Is there any way to push the ACL? Do posture validation & remediate the end point with limited access?
    Pardon me for my Gmail account. I haven't received the BT ID yet.
    Thanks,
    Ramesh

    Had a similar problem where I wasn't exactly sure how to setup the provisioning part of the flow. I was pretty sure I had all the rules in place.
    I found an excellent Cisco TAC guide here which details setting up AnyConnect for the posture assessment. They include a part to say here's where you put in the NAM and/or VPN settings, but you don't need to. In fact, if you do wish to load some, you need to use Cisco's standalone NAM Profile Editor.
    Hope the TAC article helps you out, it got me to understand the process of what was happening for client provisioning.

  • External posture validation server LanDesk vs. ACS

    Hi,
    I want to ask you whether somebody has had the same problem as me and how you solved it.
    I want to validate the security of hosts with LANDesk® Security Suite 8.7 in cooperation with ACS. My problem seems to be in communication between ACS and the LanDesk validation server. The LanDesk server log says that no scan has been made on the host. But when I don't forward LanDesk credentials to LanDesk and I validate them on ACS, it works. I mean ACS can determine whether the scan has been made and with which result.
    So I think the problem isn't in CTA or the LanDesk host agent (when they send the right credentials). It seems to be somewhere between ACS and the LD server.
    Didn't you have a similar problem?
    p.s. I have imported the LanDesk plugins into CTA and the attribute definition file into ACS. But I am not sure if the External posture validation setup in the URL field should be "http://ip.a.d.d:12576/pvs.exe", which I found in the LD documentation. In Google I found another URL, "http://ip.a.d.d:12576/avp.exe". Neither of them works properly. And on the LD server there isn't such a file.
    Thanks for help
    Daniel Sebek

    Hello,
    NAC Appliance:
    • Offers Authentication, Authorization and Remediation
    • Covers Wireless, VPN and LAN.
    • Can only be used as an appliance. No virtualized offerings. For small locations with ISR routers, a 50 and 100 user module is available.
    • Licensed by user count matching and applied to the corresponding enforcement server. User bundles are 50, 100, 250, 500, 1500, 2500, 3500 and 5000.
    • Uses SNMP V1,2 and 3 or can be in-band / bump in the wire.
    • Can leverage Cisco Profiler or whitelist non-NAC capable devices.
    • Cisco enforcement appliances can provide collecting abilities for Cisco Profiler with an additional license.
    • Can leverage Cisco Guest Server for advanced guest access.
    • Comes in HP or IBM appliance formats.
    • IBM appliances are 3315, 3355 and 3395 appliances. They can support ISE
    • HP appliances are 3310, 3350 and 3390 appliances. They cannot support ISE
    ACS 5.X:
    • Offers 802.1x NAC features and device management (TACACS/RADIUS).
    • Can be an appliance or VMware. Appliances that are IBM hardware can support ISE. VMware can be migrated to ISE for an additional cost.
    • Provides Authentication and Authorization. Does not offer remediation.
    • Requires switches that support 802.1x COA as specified on cisco.com/go/acs to function as the enforcement agent. ACS alone cannot offer access control.
    • 802.1x NAC features do not require additional licenses for up to 500 users/devices. To scale beyond 500 users/devices, an additional large deployment license is required.

  • ACS4 posture validation problems

    Hi,
    We're implementing NAC and are experiencing some problems with NAI's posture validation attributes.
    Frequently the attributes for NAI's virusscan (8.0i enterprise) are not received by ACS and clients get quarantined.
    When authentication and authorization succeeds, the NAI's attributes are displayed in the ACS's passed authentication report. But when the user gets quarantined the report doesn't show NAI's attribute values.
    This gets me thinking NAI didn't supply the attribute values to CTA.
    Does anyone else have ACS4, CTA(latest) and NAI's AntiVirus (8i) working together as expected? If so, what was the solution to the problems you experienced (I'm guessing you've at least had some ...)
    Regards,
    Erik

    Hello
    I think you have installed the ACS4 add-on (nai.adf file) for NAI AV, from your description. You can find an example in the ACS 4.0 documentation.
    And on the client, verify you have this.
    http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=KB45653&sliceId=SAL_Public&dialogID=5672976&stateId=0%200%204773882
    Apply latest Vscan 8.0 Patch14 and latest McAfee Common Management Agent 3.6.0.
    For the CTA 2.0.1, in the CiscoTrustAgent dir add "PPMsgSize=4096" in ctad.ini at the GENERAL part (top of the file).
    This allows bigger messages from the Posture Agent (NAI) to CTA.
    Reboot and get healthy
    Christer

  • Posture validation of RemoteAccess VPN users

    Hello Experts,
    We want to implement NAC/ISE for remote access users (terminating on Cisco ASA or IOS routers). Through NAC/ISE we want to know whether the users coming through the VPN ...
    - are using company-given laptops
    - have the required software (anti-virus etc.) installed and up to date
    Thanks

    By using an ISE Inline Posture Node (IPN), you can posture the clients connecting through VPN to your network.  You can set up Posture rules and Remediation sites for the software requirements. 
    Using the Profiling service, you can also determine the device from which they are connecting.  You could go so far as to create rulesets based upon MAC addresses so that when a company-owned device is connected specific access can be granted.
    Note that the IPN for the ISE must be a physical appliance (not a Virtual Node) and that you will need an Advanced Services License to enable posturing and profiling.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • NAC Framework NAC-L3-IP, passing posture validation, but no ACLs downloaded

    Hi
    I've got the NAC Framework NAC-L3-IP set up using an 1800 router and Cisco ACS Server 4.2. When my client attempts to reach the internet (through our NAD configured for network admission), I get a popup saying the posture is Healthy, the ACS server says it's good, yet I never get any of my configured ACLs downloaded to the router. I think my problem is with my RADIUS Authorization Components... what should the Healthy RAC look like? This is what I've currently got:
    IETF Session-Timeout (27) 36000
    IETF Termination-Action (29) RADIUS-Request (1)
    Cisco IOS/PIX 6.0 cisco-av-pair (1) status-query-timeout=300
    I've got that RAC tied to a NAP and a downloadable ACL also associated to it through the Network Access Profiles page.
    Can anyone provide help with this? Thanks

    Ooops, nevermind, I had to enable aaa authorization network default group radius and then the ACLs downloaded as expected. Thanks!
    Jason

  • Posture Validation (NOD32, WinXP)

    Hello! I'm implementing a NAC Framework solution. I have already installed CTA and ACS and configured a Cisco Catalyst 3560G to use NAC. So on the ACS I can receive some posture information from CTA (CTA version), but, unfortunately, I can't receive the OS version, anti-virus software version and so on (I have WinXP Home Edition and Eset NOD32 on the client). What could be the problem? I suppose that I need to install a NOD32 posture plugin, but I can't find it on www.eset.com. And what can I do about the OS attributes?
    Thank You in advance!
    P.S. Sorry for my poor English 8)

    Thanks! Posture works fine (ACS receives CTA info, and now I have configured it to receive OS info), so at this point everything is OK! But I still have problems with my antivirus software (Eset NOD32). I can't find any *.adf (attribute definition files), *.inf or *.dll files to make posture work right. Do you have any suggestions on where I can find them on the web? (In the "C:\program files\common files\PostureAgent\Plugins" folder I only have info about CTA and Network Associates AV.)

  • NAC 4.1 Posture Validation

    Hi,
    Does Cisco NAC 4.1 check the system continuously after the user has logged in?

    Hi Rishi,
    The "Silent" Posture assessment sounds like a great feature request. Unfortunately, here is what the documentation states:
    "In most OOB deployments (except L2 OOB Virtual Gateway where the Default Access VLAN is the Access VLAN in Port profile), the client, after posture assessment, needs to acquire a different IP address from the Access VLAN."
    I don't see any way around having end users go through the authentication/posture assessment again.
    You are correct that in OOB mode end users have the ability to do something "nasty" after they have been allowed on the network.
    I suppose another layer of security is what is needed in these cases, like a Cisco Security Agent to prevent Day Zero attacks.
    Hope this helps.
    Paul

  • ISE 1.0 Posture and Client provisioning

    I've configured 802.1x with dynamic VLANs for users and MAB for phones; it works fine. Now I want to implement client provisioning and posture validation for users. After reading the ISE user guide there are still several big questions:
    1. Is it possible to combine 802.1x and posture? (it was not recommended with NAC)
    2. How can I bind existing 802.1x authorization profile and posture policy?
    3. What is the switch configuration for client provisioning to work (redirect, quarantine zone, download NAC agent)?
    4. Do ISE posture and client provisioning have L2 virtual gateway, trusted and untrusted ports, as in NAC?

    With ISE you can perform 802.1x first and after that optionally you can perform posture. This is done with Radius, that's why it's really and completely out of band, and there's no such concept of trusted or untrusted port because the traffic is never inline.
    Still, with ISE you have another option of "inline Posture", in which there's trusted and untrusted ports. I guess that's for some specific cases in which you can't go out-of-band.
    On the other hand, so called "out-of-band" NAC was really always an inline solution, only after the user has authenticated and security policies have been verified then the user goes "out-of-band".

  • ISe with NAC agent pop up and Posture waiting

    Hi,
    I have ISE running version 1.1.1.268. We limit access to certain services before authentication with ACL-DEFAULT (given below), as per the TrustSec design guide.
    Now the issue is that when you have ACL-DEFAULT on the port, the NAC agent does not pop up and does not start the posture part, saying "waiting for posture validation". When ACL-DEFAULT is removed from the access port, the NAC agent pops up and does the posture validation.
    However, we do not want users to get access to the network before authorization, and that is the reason we use ACL-DEFAULT.
    Can someone please advise me how to achieve both of the above? Why does the NAC agent not pop up and do the posture when ACL-DEFAULT is on the switch?
    Here is what I have configured on ACL-DEFAULT.
    ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    permit tcp any any eq domain
    permit udp any any eq 389
    permit tcp any any eq 135
    permit tcp any any eq 445
    permit udp any any eq 445
    permit tcp any any range 135 139
    permit tcp any any eq 389
    permit tcp any any eq 3268
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Pri)
    permit tcp any host 172.xx.xx.xx eq 8443 (ISE-Sec)
    remark Drop all the rest
    deny   ip any any log
    Appreciate if someone can give a solid resolution and explanation to this.

    Hi Saurav,
    We have already allowed those ports with another acl (ACL-POSTURE-REDIRECT). Our issue is not with the web nac agent.
    The issue is with the NAC agent installed on corporate PCs connecting via a wired port. With ACL-DEFAULT it does not pop up and does not do the posturing; however, once we removed ACL-DEFAULT from the access port, everything works fine.
    Since we do not want any user to access unwanted services before authorization, we add this ACL on the access port, and as per the TrustSec design this has to be there if you want to have ISE in closed mode.
    thanks

  • NAC Framework with TrendMicro Policy Server? External Posture Assessment?

    Hi
    I've got a NAC Framework 2.1 setup using NAC-L2-802.1x with 2950 switches and so far it's working great. I've recently begun testing NAC with TrendMicro OfficeScan, which includes the Trend Policy Server for Cisco NAC.
    I've imported the Trend.adf file, created a new Internal Posture Validation to check these TrendAV settings (DAT version, protection enabled, etc) and it is working great with the clients. (Healthy if up to date, quarantined if out of date).
    What I'm trying to do is get this integrated with the Trend Policy Server for Cisco NAC. I've created an External Posture Validation entry for the Trend Policy Server;
    https://win2k3std:4343/antibody
    And have supplied it with the password (no username is needed to login to the web console of this server). I've also selected Trend:AV as the forwarding credential. I've gone into Network Access Profiles and made sure this was selected as an External Posture Validation Server and set it to quarantine under "Failure Posture Token". When I test this from the client (once I've enable External Posture Validation), it always ends up quarantined (even though the client is fully up to date). If I disable the External Posture Validation server from the NAP, the client test passes as Healthy (since all AV is up to date).
    I've got the Policy Server for Cisco NAC defined under NAC on my Trend OfficeScan server, and on the Policy Server for Cisco NAC, I've got the OfficeScan server defined. Yet, no matter what I've tried, the client always fails with this msg in the CSACS logs;
    Posture Validation Failure on External Policy
    Does anyone have any experience or help with this? Thanks very much.
    Jason Humes

    Please check the links for the Configuration and Troubleshoot of NAC
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/48/cam/48cam-book/m_agntd.html
    www.cisco.com/c/en/us/td/docs/security/nac/appliance/configuration_guide/47/cam/47cam-book/m_agntd.html#wp1234860

  • Posture Validation of anti-virus products

    Hi all
    I have recently set up the NAC framework to support dot1x for wireless and wired clients. My ACS appliance is successfully authenticating users via EAP-FAST using personal and machine certs, and it successfully posture checks that the users are using the correct CTA client and Windows OS with the correct patches.
    But for the life of me I cannot work out how to set up my ACS NAP posture validation rules to check Symantec's Anti-virus version 10 and check the current dat file.
    I have researched to the point where I think I have to upload NAC attributes to ACS appliance but not sure how. Setting up NAP posture rules to check against Cisco or Windows software is not that difficult and was well documented, but how to posture check a 3rd party software application is not well documented.
    The url I have been looking at is
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335eb.html#wp366304
    I'm just not 100% sure I'm on the right track here??
    If anyone knows or has info on how to set up NAP to posture check against 3rd party vendor software (like Symantec's anti-virus), I'd love to read up more about it.
    One last question, if I am on the right track here, would I setup a posture validation rule for Symantec by just duplicating the rule I have for checking my CTA client ?
    e.g rule
    Cisco:PA:PA-NAME = Symantec Anti-Virus
    and
    Cisco:PA:PA-Version >= X.X.X
    and
    Cisco:PA:Machine-Posture-State >= 1
    Brain bender 
    Thanks all
    Dale

    Hi,
    Have you installed the Symantec NAC Posture Plugin (Symantec Client Security Posture Plug-in)? You can find this MSI installer on the Symantec CD. This plugin provides an interface to CTA for checking the status of Symantec AV and its parameters, as CTA has no way of directly getting this status from the Symantec application.
    In most cases the Symantec AV attributes are already pre-loaded on the ACS. You can verify this by making sure that you see the System Token named "Symantec:AV".
    After completing the above steps then define a posture validation rule using
    1. Symantec:AV:Protection-Enabled (Healthy for a value of "1" and Quarantine\etc else.)
    2. Symantec:AV:Dat-Version (You will have to manually specify the minimum acceptable version (E.g. 2007.05.1... ) to declare a System Healthy).
    You probably will have to keep updating the 2 above to keep the minimum version in line with the latest available. A workaround to this is to use another 3rd party AV which relies on an external AV server to get this version dynamically (E.g. Trend Micro). In this case ACS doesn't make the decision but forwards the credentials to the external AV. Symantec support for NAC is very limited and I don't see that improving considering they have their own NAC solution to market.
    Thanks,
    Naman
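
    The two rules Naman lists (Protection-Enabled and a minimum Dat-Version), together with the days-since-last-update check from the first thread on this page, can be modelled to see how the comparisons behave. The following Python code is an added example, not ACS logic and not a Symantec plugin: it evaluates a constructed set of Symantec:AV:* attributes against a policy and returns Healthy or Quarantine with the reasons. The minimum version 2007.05.1 is the placeholder from the reply above; the seven-day limit and the ISO date format assumed for Dat-Date are assumptions for the example. A missing attribute (the symptom in the first thread, where none of the Symantec values were retrieved) fails closed.

```python
import re
from datetime import date

# Constructed policy. The version string is the placeholder from the reply above;
# the age limit is an assumption for the example.
POLICY = {
    "min_dat_version": "2007.05.1",
    "max_days_since_update": 7,
}


def parse_version(text):
    """Turn a dotted version such as '2007.05.1' into a tuple of ints so it compares numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def evaluate(attrs, policy, today_iso):
    """Apply the posture rules to one client's Symantec:AV:* attributes.

    attrs maps attribute names to the string values the plugin hands to CTA (constructed here);
    today_iso is the assessment date as YYYY-MM-DD. Returns (token, reasons).
    Any attribute that is absent counts as a failed check, so a client whose plugin
    reports nothing ends up Quarantine rather than Healthy by default.
    """
    reasons = []

    if attrs.get("Symantec:AV:Protection-Enabled") != "1":
        reasons.append("real-time protection disabled")

    dat_version = attrs.get("Symantec:AV:Dat-Version")
    if dat_version is None or parse_version(dat_version) < parse_version(policy["min_dat_version"]):
        reasons.append(f"Dat-Version {dat_version} below minimum {policy['min_dat_version']}")

    # Dat-Date is assumed to arrive as an ISO date; the real plugin format may differ.
    dat_date = attrs.get("Symantec:AV:Dat-Date")
    if dat_date is None:
        reasons.append("Dat-Date missing")
    else:
        age_days = (date.fromisoformat(today_iso) - date.fromisoformat(dat_date)).days
        if age_days > policy["max_days_since_update"]:
            reasons.append(f"definitions {age_days} days old")

    return ("Healthy" if not reasons else "Quarantine", reasons)


if __name__ == "__main__":
    sample = {  # constructed client report
        "Symantec:AV:Protection-Enabled": "1",
        "Symantec:AV:Dat-Version": "2007.05.30",
        "Symantec:AV:Dat-Date": "2007-05-30",
    }
    print(evaluate(sample, POLICY, "2007-06-01"))
    print(evaluate({}, POLICY, "2007-06-01"))  # nothing reported: fails closed
```

    Dotted versions are compared numerically because, as strings, "2007.10.1" sorts before "2007.5.1"; a rule written against string comparison would quarantine up-to-date clients as soon as the month number gains a digit.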

  • Cisco ISE posture check for VPN

    Hello community,
    First of all, thank you for taking the time to read my post. I have a deployment which requires the posture check feature on VPN machines from Cisco ISE. I know that logically, once a machine is in the LAN, Cisco ISE can detect it and enforce posture checks on clients with the AnyConnect agent, but how about VPN machines? The VPN will be terminated on a VPN concentrator which then connects to an ASA5555X which is deployed as IPS only. Are there any clues to this?
    Thank you!

    The Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows for posturing of VPN users against the Cisco ISE without the need for an IPN. After a VPN user logs in, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) Agent or Web Agent. The agent performs specific checks on the user machine in order to determine its compliance against a configured set of posture rules, such as Operating System (OS), patches, AntiVirus, Service, Application, or Registry rules.
    The results of the posture validation are then sent to the ISE. If the machine is deemed compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed access to the internal resources.
    http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/117693-configure-ASA-00.html
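
    The CoA step described above can be illustrated with the packet format it relies on. The following Python code is an added example, not taken from the linked document, from Cisco ISE or from the ASA: it builds a CoA-Request with the Request Authenticator as RFC 5176 specifies it (MD5 over the header, sixteen zero octets, the attributes and the shared secret), has a simulated NAS verify that authenticator before changing the session's Filter-Id, and answers with CoA-ACK, or with CoA-NAK carrying Error-Cause 503 (Session-Context-Not-Found) or 402 (Missing Attribute). The user name, session ID, ACL names and shared secret are constructed values, and the Message-Authenticator attribute is omitted.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (Dynamic Authorization Extensions to RADIUS).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# Attribute numbers: RFC 2865 (User-Name, Filter-Id), RFC 2866 (Acct-Session-Id), RFC 5176 (Error-Cause).
ATTR_USER_NAME, ATTR_FILTER_ID, ATTR_ACCT_SESSION_ID, ATTR_ERROR_CAUSE = 1, 11, 44, 101
ERR_MISSING_ATTRIBUTE, ERR_SESSION_NOT_FOUND = 402, 503


def encode_attrs(attrs):
    """RADIUS attributes are TLVs: 1-byte type, 1-byte total length, value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        atype, alen = struct.unpack("!BB", data[i:i + 2])
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_coa_request(identifier, attrs, secret):
    """ISE side. RFC 5176 s2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_coa_request(packet, secret):
    """NAS side. Recompute the authenticator; only a sender holding the secret can produce it."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def build_coa_response(request, code, attrs, secret):
    """Response Authenticator = MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def verify_coa_response(request, response, secret):
    """ISE side. Check that the ACK/NAK is bound to our request and to the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, authenticator, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def nas_handle_coa(packet, secret, sessions):
    """Simulated ASA: verify, find the session, apply the new Filter-Id, answer ACK or NAK."""
    if not verify_coa_request(packet, secret):
        return None  # RFC 5176: silently discard a request with a bad authenticator
    attrs = dict(decode_attrs(packet[20:]))
    session = sessions.get(attrs.get(ATTR_ACCT_SESSION_ID))
    if session is None:
        return build_coa_response(packet, COA_NAK,
                                  [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_SESSION_NOT_FOUND))], secret)
    filter_id = attrs.get(ATTR_FILTER_ID)
    if filter_id is None:
        return build_coa_response(packet, COA_NAK,
                                  [(ATTR_ERROR_CAUSE, struct.pack("!I", ERR_MISSING_ATTRIBUTE))], secret)
    session["filter_id"] = filter_id.decode()
    return build_coa_response(packet, COA_ACK, [], secret)


def posture_coa_exchange(compliant, secret=b"example-shared-secret"):
    """Drive the exchange from the text: posture verdict in, (response code, ACL now on the session) out."""
    sessions = {b"0001ABCD": {"user": "alice", "filter_id": "POSTURE-REDIRECT"}}  # constructed session table
    new_acl = b"PERMIT-INTERNAL" if compliant else b"QUARANTINE"                   # constructed ACL names
    request = build_coa_request(7, [(ATTR_USER_NAME, b"alice"),
                                    (ATTR_ACCT_SESSION_ID, b"0001ABCD"),
                                    (ATTR_FILTER_ID, new_acl)], secret)
    response = nas_handle_coa(request, secret, sessions)
    if response is None or not verify_coa_response(request, response, secret):
        raise RuntimeError("no authentic response from NAS")
    return response[0], sessions[b"0001ABCD"]["filter_id"]


if __name__ == "__main__":
    print(posture_coa_exchange(True))   # (44, 'PERMIT-INTERNAL')
    print(posture_coa_exchange(False))  # (44, 'QUARANTINE')
```

    Recomputing the authenticator with a constant-time comparison before acting on a CoA, and discarding silently on mismatch, is what prevents an unauthenticated CoA from changing a session's authorization; the same check makes a request with a single flipped byte fail verification.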

  • ISE authentication fail during windows re-logon

    Background:
    Deployed a Cisco ISE 1.1.2. that is used to authenticate and posture validate for wired users, attached to Cisco IP Phones. Backend database is Microsoft AD.
    Problem:
    The first time, both users and IP phones pass the authentication and posture validation steps successfully. When the user logs off from Windows, the log-off is done without any problem, and I can see it on the switch.
    The problem takes place when the user tries to log on again. ISE does not match the configured authentication rules as it did the first time, and puts the user directly into the default "DenyAccess" policy (rule).
    Anyone out there experienced something similar or have any ideas on why this is happening?
    Thanks.

    Hi
    Possible Causes
    • This could be either a MAB or 802.1X authentication issue.
    • The authorization profile could be missing the Cisco av-pair=”device-traffic-class=voice” attribute. As a result, the switch does not recognize the traffic on the voice VLAN.
    • The administrator did not add the endpoint as a static identity, or did not allow an unregistered endpoint to pass (create a policy rule with "Continue/Continue/Continue" upon failure).
    Resolution
    • Verify that the Authorization Policy is framed properly for groups and conditions, and check to see whether the IP phone is profiled as an "IP phone" or as a "Cisco-device."
    • Verify the switch port configuration for multidomain and voice VLAN configuration.
    • Add the continue/continue/continue to allow the endpoint to pass:
    Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols to create a Protocol Policy. MAC authentications use PAP/ASCII and EAP-MD5 protocols. Enable the following MAB Protocols settings:
    – Process Host Lookup
    – PAP/ASCII
    – Detect PAP as Host Lookup
    – EAP-MD5
    – Detect EAP-MD5 as Host Lookup
    • From the main menu, choose Policy > Authentication.
    • Change the authentication method from Simple to Rule-Based
    • Use the action icon to create new Authentication Method entries for MAB:
    – Name: MAB
    – Condition: IF MAB RADIUS:Service-Type == Call Check
    – Protocols: allow protocols MAB_Protocols and use
    – Identity Source: Internal
    – Hosts: Continue/Continue/Continue
