topic NAC - Posture assessment for non-admin user in Network Security

NAC - Posture assessment for non-admin user

harinirina — Fri, 21 Feb 2020 12:22:50 GMT

Hello all,

I tried to set up the NAC so that if an application is not running, it will be launched automatically by the agent. Or if a software is not installed, the setup file will be downloaded to the computer and installed.

It works fine when the user has admin privilege, but the “agent stub” cannot launch the application when the user doesn’t have the right privilege.

“Agent stub” was installed manually with admin privilege on the computer. Now the CCA agent can be installed with non-admin user , the IP address is also renewed even if the user doesn’t have the required privilege.

How can i copy file, install and launch programs on non-admin user ?

Re: NAC - Posture assessment for non-admin user

Bobby Meador — Thu, 16 Jun 2011 14:36:31 GMT

I am posing the same question to Cisco support right now and I need an answer soon. We all know you don’t give a non –admin user local admin rights on the pc. I have a Nac 4.8.1 soon to be 4.8.2 real ip layer three deployment. You no longer see the option to download the CCAStubAgent.exe on the Cam manager. I really need a senior member of TAC to chime in and answer the question how do you deploy agents today on windows machine with the latest nac build. Please tell me someone did not overlook this in the latest code. I was able to install the agent as admin user and then login as non-admin. The agent works as expected at this point but I can not touch 2000 machines. No I do not have a software deployment suite.

NAC - Posture assessment for non-admin user

harinirina — Thu, 16 Jun 2011 15:44:40 GMT

I've seen this from cisco

============

Launch Programs Without Admin Privileges

The executable must have:

•A valid digital signature signed by certificates with specific field value(s)

•File version information with specific item value(s)

Note also that:

•The executable must be signed with a code signing certificate with a proper chain of certificates. The code signing certificate must be installed on the client machine.

•The root certificate must also be installed on the client machine and must be in the Trusted Root Certification Authority on Windows.

•You must create a registry key that is particular to the executable being run in addition to installing the certificate

============

I tried to get free code signing certificate for test (PFX file), don't know if it's ok.

the certificate appears under "Trusted Root Certification Authority "

I signed the exe file with SignGUI and now, i can see the tab "digital signature" from the exe file property

I don't know what registry key i need to create.

Is there anyone who can say if it's ok with free certificate and what should be added on registry?

NAC - Posture assessment for non-admin user

Attila Horvath — Fri, 17 Jun 2011 17:39:24 GMT

Hi,

See this:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_agent.html#wpxref78883

How the Agent Verifies Digital Signature and Trust on an Executable Program

On the client computers where the executables will run, you must add a Trust key in the registry under the Stub Service definition for the executable that you want to run under the Stub service. It is the administrator's responsibility to populate the required registry keys for the programs to be trusted by the Agent and Agent Stub. The Clean Access Agent Stub verifies the launch program for a trusted digital signature as follows:

1. Verifies the digital signature - Ensures the digital signature is trusted.

2. Verifies the signer certificate information based on the information in the registry.

The related registry structure appears as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust\

\Certificate\2.5.4.3 "Cisco Systems"

\FileVersionInfo\ProductName "Clean Access"

Where:

• is a numeric number.

•For the entries under Certificate, each value can be exact case-insensitive.

•For the entries under FileVersionInfo, each value must appear in the corresponding value in the file information stream, and can also be case-insensitive.

•All the entries under Certificate and FileVersionInfo must be satisfied (AND operations) to qualify as a trusted target.

•If any of the Trust chain is satisfied, the target is qualified to launch.

NAC - Posture assessment for non-admin user

harinirina — Mon, 20 Jun 2011 14:18:01 GMT

Thanks for your reply.

Let's suppose we need to launch tftpd (exe file : tftpd32.exe) and clamwin Antivirus, does it mean that we need to add

Trust1 under : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub for tftp

and Trust2 under : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub for clamwin

and do we need to create "certificate" and "FileVersionInfo" ?

what value should we use ?

NAC - Posture assessment for non-admin user

Attila Horvath — Mon, 20 Jun 2011 18:28:51 GMT

Hi,

Yes, you need 2 subtree, Trust1 and Trust2.

At first you have to sign these two files, if not signed. The "certificate" is a field from the signed file , for.example the 2.5.4.3 means:

2.5.4.3 - COMMON_NAME

witch is the signer name (right click -> Digital Signatures-> Signer Name) . At a Computer Associates (CA) virus installer it is simple "CA".

The FileversionInfo is a simple value from a file (Right Click -> Properties-> Version)

The accepted values for Certificate/Fileversioninfo are:

Supported Value Names Under Certificate

•2.5.4.3 - COMMON_NAME

•2.5.4.4 - SUR_NAME

•2.5.4.5 - DEVICE_SERIAL_NUMBER

•2.5.4.6 - COUNTRY_NAME

•2.5.4.7 - LOCALITY_NAME

•2.5.4.8 - STATE_OR_PROVINCE_NAME

•2.5.4.9 - STREET_ADDRESS

•2.5.4.10 - ORGANIZATION_NAME

•2.5.4.11 - ORGANIZATIONAL_UNIT_NAME

•2.5.4.12 - TITLE

•2.5.4.13 - DESCRIPTION

•2.5.4.14 - SEARCH_GUIDE

•2.5.4.15 - BUSINESS_CATEGORY

•2.5.4.16 - POSTAL_ADDRESS

•2.5.4.17 - POSTAL_CODE

•2.5.4.18 - POST_OFFICE_BOX

•2.5.4.19 - PHYSICAL_DELIVERY_OFFICE_NAME

•2.5.4.20 - TELEPHONE_NUMBER

Supported Value Names Under FileVersionInfo

•ProductName

•CompanyName

•FileDescription

•FileVersion

•InternalName

•LegalCopyright

•OriginalFileName

•ProductVersion

•Comments

•LegalTrademarks

•PrivateBuild

•SpecialBuild

NAC - Posture assessment for non-admin user

harinirina — Tue, 21 Jun 2011 14:58:38 GMT

Thanks for your reply.

I would like to post all steps we did.

Please, correct if there's something wrong.

1/ code signing

- we asked for a free certificate from internet and we got a pfx file

- we used a free tool (SignGUI) and got spc, cer and pvk file from the pfx

- we launched signcode.exe to sign excutable files (clamwinTray.exe and tftpd32.exe)

- we chose "custom" option and "selected from file" on digital signature wizard, we selected the spc file

- we specified the location of pvk file

- we selected sha1 as hash algorithm

- "all cerificates in the certification path, including the root certificate" was chosen under "certifcate in the certification path"

- we got a message "digital signing wizard was completed successfully"

- from "digital signatures" tab of the executable file, we had "cerificate issued to certificate_usernac" and "cerificate issued by Root Agency"

2/ registry key

- under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub, we created 2 subtree, Trust1 and Trust2.

for trust1, we created

- new key : certificate

- new string value : name = 2.5.4.3, value = certificate_usernac

- new key : FileVersionInfo

- new string value : name = ProductName, value = ClamWin Antivirus

for trust2, we created

- new key : certificate

- new string value : name = 2.5.4.3, value = certificate_usernac

- new key : FileVersionInfo

- new string value : name = ProductName, value = Tftpd32

3/ NAC

- we create "Application check" for ClamTray.exe and tftpd32.exe, operator = running, OS = Windows All, rule = automatically created

- we created new requirement with Launch Program

Program Name : SYSTEM_PROGRAMS\ClamWin\bin\ClamTray.exe for ClamWin

Program Name : SYSTEM_DRIVE\tftpd32.exe for tftp

OS = Windows XP (All)

- we configured "Requirement-rules"

- we configured "Role-Requirement"

we always get "Stub Agent failed to launch ... "

Is there anything wrong or missing ?

I would like to know also if it can be used on windows with language other than english.

Looking forward to hearing from you soon.

Thanks and Best Regards.

NAC - Posture assessment for non-admin user

Attila Horvath — Tue, 21 Jun 2011 17:35:36 GMT

It seems to me the steps are OK. The english language is not required, we tried with Hungarian XP lanuage

"Stub Agent failed to launch ..."

Stub agent?

In nac 4.7 and 4.8 the stub agent is obsoloted.

Which NAC version ?

And one more thing, at NACAgentCFG.xml you have to set the

SignatureCheck to 1

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_agntd.html#wp1348376

NAC - Posture assessment for non-admin user

harinirina — Wed, 22 Jun 2011 08:11:47 GMT

Hello,

Thanks for your reply.

We're using nac ver4.1.1 (we have to use it for the moment)

On the document, it is mentionned :

"The root certificate must also be installed on the client machine and must be in the Trusted Root Certification Authority on Windows."

Could you please tell how to do and check this.

After code-signing the executable, we had the following message when checking the certificate from file property

"this certificate cannot be verified up to a trusted certification authority"

how to fix ?

Looking forward to hearing from you soon.

Thanks and Best Regards

NAC - Posture assessment for non-admin user

Attila Horvath — Wed, 22 Jun 2011 09:53:16 GMT

Hi,

According to this page:

http://blogs.msdn.com/b/saurabh_singh/archive/2007/11/07/you-get-a-security-alert-when-you-try-to-access-an-ssl-enabled-web-site-when-certificate-has-been-issued-by-an-internal-root-ca.aspx

When you signed your files with a certificate (root CA), this certificate must exist at Client's

Trusted Root Certification Authorities.

So when you click on your signes file's properties -> Digital signatures -> Details -> View certificate -> Certificate Chain you mustn't see a red cross at root (like here: http://blogs.msdn.com/blogfiles/saurabh_singh/WindowsLiveWriter/Yougetasecurityalertwhenyoutrytoaccessa_834/image_thumb_5.png

If it not helps - I am sorry, but the certificates is not my speciality, in this case I am afraid you need a microsoft expert.

Attila

NAC - Posture assessment for non-admin user

harinirina — Wed, 22 Jun 2011 14:37:21 GMT

Thanks indeed for all your replies, they are extermely helpful.

it was the certificate.

I would like to ask how to do in case the user (without admin privilige) needs to install a software for remediation.

Looking forward to hearing from you soon.

Thanks and Best Regards

NAC - Posture assessment for non-admin user

Attila Horvath — Thu, 23 Jun 2011 07:10:18 GMT

Hi,

You need the Launch program feature for remediation, as described here:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/411/cam/m_agent.html#wp1290357

Regards,

Attila

NAC - Posture assessment for non-admin user

harinirina — Tue, 28 Jun 2011 06:30:13 GMT

Hello Attila,

Thanks a lot for your reply and for this interesting URL.

Sorry for my late reply.

We've tested software setup and Antivirus update using non-admin user, it works fine.

We are going to test windows update and let you know.

We have more question about OOB L3 and IP phone. We'll add other posts asking these. Please, send us your extremely helpful answer, as usual.

Thanks and Best Regards

NAC - Posture assessment for non-admin user

Attila Horvath — Thu, 30 Jun 2011 14:26:27 GMT

Hi,

Read this one: http://www.caysec.com/2008/06/cisco-nac-with-ip-phones.html

/and change this topic's state to answered /

NAC - Posture assessment for non-admin user

harinirina — Fri, 01 Jul 2011 08:04:11 GMT

Thanks Attila.

How about L3 OOB, is it possible to use L3 if the NAC is setup as OOB Virtual Gateway?

i 've put this question in another discussion

https://supportforums.cisco.com/thread/2091996

Looking Forward to hearing from you soon.

Thans and Best Regards

NAC - Posture assessment for non-admin user

saxenanitesh8522 — Tue, 19 Jul 2011 20:40:22 GMT

Hi,

i have a question. i have server where the installation file is there, i have to run sign gui only on that place itself right?

not on all the systems?

NAC - Posture assessment for non-admin user

Attila Horvath — Wed, 20 Jul 2011 07:35:36 GMT

Hi,

It does not matter where do you run the gui, the only important that

your installation file must be signed with a client trusted CA, and this sign

must described at client's registry based things above (see correct answer).

NAC - Posture assessment for non-admin user

harinirina — Mon, 25 Jul 2011 08:50:07 GMT

Hello Attila,

we are trying to setup a NAS as OOB RIP for both L2 and L3 adjacent users.

it is used as DHCP server for L2 users and it works fine.

However for L3 adjacent users, we have some problems.

1- when static route to L3 unauthenticated users is added on the NAS, the user cannot ping the untrusted interface of NAS unless we first launch ping to this untrusted interface from the switch

2 - we removed the static route and added ARP for L3 unauthenticated users network, we can ping the untrusted interface and the cisco Agent pop-up. it seems to work, user can log and then listed under the online users

3 - then, we apply ACL permitting only trafic the untrusted interface of NAS, remediation servers, dhcp, domain, udp 67/68 on the branch router (sub-interface of unauthenticated user) . we can ping the untrusted interface but the cisco Agent doesn't pop-up

On the ACL, we tried to permit the trusted interface of NAS and we can have the popup window of cisco agent; it seems to work

we'd like to know what could be the reason it doesn't work when we add static route on NAS (we've read from some documents static route should be added on NAS)

we would like also to know why we cannot get agent popup when the trusted interface is not permitted (cause no document we've read mentionned that trusted interface should be permitted)

Looking forward to hearing from you soon.

Best Regards