https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585245#M426981 <HTML><HEAD></HEAD><BODY><P>I have exactly the same issue with CTA version 2.0.1.14 and VirusScan 8.0i.</P></BODY></HTML> Wed, 27 Sep 2006 12:01:42 GMT m.vuckovic 2006-09-27T12:01:42Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585243#M426977 <P>Hi,</P><P></P><P>We're implementing NAC and are experiencing some problems with NAI's posture valiation attributes.</P><P></P><P>Frequently the attributes for NAI's virusscan (8.0i enterprise) are not received by ACS and clients get quarantined. </P><P>When authentication and authorization succeeds, the NAI's attributes are displayed in the ACS's passed authentication report. But when the user gets quarantined the report doesn't show NAI's attribute values.</P><P></P><P>This gets me thinking NAI didn't supply the attribute values to CTA.</P><P></P><P>Does anyone else have ACS4, CTA(latest) and NAI's AntiVirus (8i) working together as expected? If so, what was the solution to the problems you experienced (I'm guessing you've at least had some ...)</P><P></P><P>Regards,</P><P>Erik</P> Sun, 10 Mar 2019 21:38:31 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585243#M426977 etamminga 2019-03-10T21:38:31Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585244#M426979 <HTML><HEAD></HEAD><BODY><P>CTA version 1 is not sending the Cisco:PA attribute to ACS 4.0.But CTA version 2 is working fine.The issue is ACS 4.0 is requesting an attribute, Machine Posture State, of CTA, which CTA 1.0 does not know (Machine Posture State was added to CTA 2.0). CTA should ignore it but it returns an error instead.</P><P></P></BODY></HTML> Mon, 03 Jul 2006 13:48:31 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585244#M426979 aghaznavi 2006-07-03T13:48:31Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585245#M426981 <HTML><HEAD></HEAD><BODY><P>I have exactly the same issue with CTA version 2.0.1.14 and VirusScan 8.0i.</P></BODY></HTML> Wed, 27 Sep 2006 12:01:42 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585245#M426981 m.vuckovic 2006-09-27T12:01:42Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585246#M426983 <HTML><HEAD></HEAD><BODY><P>Hi Eric,</P><P>I'm having PV problems similuar to yours. My set-up:</P><P>Client pc--&gt;Cisco VPN concentrator--&gt;ACS4.0</P><P>If I enable anything but "any" in Network Access Profile/Authorization/System Posture Token, my client cannot connect. Cisco got into the boxes and then generated very detailed reports and they show that PostureValidation.dll is missing from the acs install directory. C:\Program Files\CiscoSecure ACS v4.0\Authenticators is where it should be. I re-installed but that didn't add that dll file.</P><P>Do you have that file in that directory? </P><P>Thanks,</P><P>Chuck</P></BODY></HTML> Fri, 17 Nov 2006 21:14:29 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585246#M426983 cjdock123 2006-11-17T21:14:29Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585247#M426984 <HTML><HEAD></HEAD><BODY><P>Hi Chuck,</P><P></P><P>I'm sorry. We're using the appliance version of ACS and thus do not have access to the harddrive. </P><P>For your information, we've stopped the NAC pilot because of too many problems with the combination ACS / Switches / Windows 2000/XP and McAfee. Both on the authentitcation as on the validation points the pilot failed dramatically. We keep hitting problems of which we amaze ourselves that they even exist. Most likely Cisco did little testing before they shipped the product (ACS).</P><P></P><P>Regards,</P><P>Erik</P></BODY></HTML> Mon, 20 Nov 2006 08:26:24 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585247#M426984 etamminga 2006-11-20T08:26:24Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585248#M426985 <HTML><HEAD></HEAD><BODY><P>I have the same problem with Panda Antivirus</P><P>and ACS 3.3, "same times" the Panda attributes ACS are not recived by ACS and logs a external DB account restriccion.</P></BODY></HTML> Thu, 23 Nov 2006 11:50:47 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585248#M426985 natxoc 2006-11-23T11:50:47Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585249#M426986 <HTML><HEAD></HEAD><BODY><P>Hi Natxoc,</P><P></P><P>I think "External DB account restrictions" are authentication failures and not authorization failures. The attributes for anti-virus are checked in the authorization section of the whole process. So have another look at your problem to be sure it's not an authentication problem.</P><P>Regards,</P><P>Erik</P></BODY></HTML> Thu, 23 Nov 2006 14:13:17 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585249#M426986 etamminga 2006-11-23T14:13:17Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585250#M426987 <HTML><HEAD></HEAD><BODY><P>Erik, Thanks</P><P></P><P> yes External DB account restrictions are authentication failures. ACS fail in authentication becouse the "Mandatory credentials" are not sent by the client (Panda credentials)to ACS (Or not recived by ACS).</P><P>I have created another external DB with CTA the only mandatory credentials and posture token CHECKUP and now there are not clients with the DB account fail they get the Checup token.</P><P></P></BODY></HTML> Thu, 23 Nov 2006 16:45:36 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585250#M426987 natxoc 2006-11-23T16:45:36Z https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585251#M426988 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>I think you have install the acs4 add-on (nai.adf file)for NAI AV from your description. You find example in ACS 4.0 documentation.</P><P></P><P>And on the client, verify you have this.</P><P><A class="jive-link-custom" href="http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&amp;docType=kc&amp;externalId=KB45653&amp;sliceId=SAL_Public&amp;dialogID=5672976&amp;stateId=0%200%204773882" target="_blank">http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&amp;docType=kc&amp;externalId=KB45653&amp;sliceId=SAL_Public&amp;dialogID=5672976&amp;stateId=0%200%204773882</A> </P><P></P><P>Apply latest Vscan 8.0 Patch14 and latest McAfee Common Management Agent 3.6.0. </P><P></P><P>For the CTA 2.0.1, in the CiscoTrustAgent dir add "PPMsgSize=4096" in ctad.ini at the GENERAL part (top of the file).</P><P>This allow bigger messages from Posture Agent (NAI) to CTA.</P><P></P><P>Reboot and get healthy</P><P></P><P>//</P><P>Christer </P></BODY></HTML> Thu, 28 Dec 2006 14:36:42 GMT https://community.cisco.com/t5/network-access-control/acs4-posture-validation-problems/m-p/585251#M426988 axfood 2006-12-28T14:36:42Z