07-18-2006 05:45 AM - edited 03-10-2019 02:40 PM
Hi,
We have encountered a problem implementing NAC phase 2 with Symantec.
ACS is an appliance one, version 4.0
We've installed the Symantec AV pair on the ACS: that's OK.
The following softwares are installed on the client PC:
- Cisco CTA : ctasetup-win-2.0.1.14.exe
- Aegis SecureConnect 2KXP-4_0_4.msi
- Symantec client security posture plug-in.msi together with the associated setup.exe
Moreover, client PC is configured to use EAP-FAST with mschapv2.
We've defined an internal posture validation on the ACS.
The first rule of this posture is performed on the following Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.
When the first rule of this posture matches, then the posture token associated (radius authorization component) doesn't return the associated vlan, so the user must be placed into the vlan associated by default on the port.
The default rule is associated with another authorization component that returns the quarantine vlan.
Problem is that we don't manage to match on this posture.
It's as if the client doesn't send the parameters.
Logs on the ACS indicate the following:
- message type : authen failed
- authen failure code : posture validation failure (general)
- eap type name : EAP-FAST
- reason: no matched required credential types in any posture validation rule
- cisco:PA:OS-type : OK, well retrieved (windows XP professional)
- cisco:Host:ServicePack: OK, well retrieved (service pack 2)
- but none of the Symantec AV could be retrieved.
Symantec indicated to us that their AV server isn't yet compatible with ACS.
So external posture validation isn't possible in our case.
Only internal posture validation should work.
But no way to retrieve Symantec information from CTA.
Thanks in advance for your attention.
Best Regards,
Arnaud
07-24-2006 06:11 AM
If you want to integrate, say, McAfee Antivirus, you need to get 2 things: the CTA plugin and the *.adf file directly from Symantec. Then the ADF file(s) should be imported into ACS. After that it will be possible to configure AV vendor-related Posture Validation Policies in ACS.
08-15-2006 05:45 AM
I had investigated this issue about 1 year ago. I was able to match on any Symantec AV pair available in ACS except Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.
I finally found that the read-me file, installed along with the Symantec plugin that interacts with CTA, contains a paragraph explaining that the Dat-Date days-since-lastupdate is not supported by the Symantec plugin.
This was at least 1 year ago. I was hoping that Symantec would fix this in future releases of the plugin. It basically forces you to manually update DAT-DATE policies on Cisco ACS as they change. If this AV pair was supported, the process could be "configure and forget".
I am interested in knowing when this will be supported.
NOTE: At the time, Symantec support did not know a lot about NAC or how it worked with their product.
Thanks,
Mark
08-16-2006 02:14 AM
Hi,
We've finally managed to solve the problem.
Currently, Symantec doesn't support NAC Phase II. They only support NAC Phase I.
They intend to support Phase II with the next Anti-Virus major release (by the end of the year).
But there's a way to have Symantec working with ACS with internal postures, especially Dat-Date days-since-lastupdate.
First, you need to install Symantec VPN Senty. This is used by Symantec to exchange data with CTA.
Then, you need to modify files in the directory /Program Files/Common Files/Posture Agent/Plugins.
There are 2 Files in this directory: SYM_PP.dll and SYM_PP.inf.
We've added a file named SYM_PP2.inf.
We've defined this file with the posture needed. Here are the lines it contains:
[main]
PluginName=SYMC_PP2.dll
VendorID=393
VendorIDName=Symantec Corporation
AppList=av,fw
[av]
AppType=3
AppTypeName=Symantec AntiVirus
AttributeList=attr1,attr2,attr3,attr4,attr5,attr6, attr7
attr1=3,string,Software Name
attr2=4,unsigned32,Software Id
attr3=5,version,Software Version
attr4=6,version,Scan Engine Version
attr5=7,version,Dat Version
attr7=8,Time,Dat Date
attr6=9,unsigned32,Protection Enabled
[fw]
AppType=4
AppTypeName=Symantec Client Firewall
AttributeList=attr1,attr2,attr3,attr4
attr1=3,string,Software Name
attr2=4,unsigned32,Software Id
attr3=5,version,Software Version
attr4=9,unsigned32,Protection Enabled
As you can see, the file calls the SYM_PP2.dll. This is the previous DLL version from Symantec. We were sent it by Symantec tech support.
This solution works, but it is officially not supported by Symantec.
Hope that helps.
Best Regards,
Arnaud
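
Added example, not part of the original posts and not Cisco or Symantec code: a small consistency check for a posture-plugin .inf laid out like the one posted above. The key layout (AppList, AttributeList, attrN=id,type,name) is assumed from that file alone, and the sample is constructed; it keeps the posted PluginName spelling (SYMC_PP2.dll) next to a DLL named SYM_PP2.dll so the mismatch is reported.

```python
import configparser
import re

# Constructed sample, shortened from the [main]/[av] layout posted above.
SAMPLE_INF = """\
[main]
PluginName=SYMC_PP2.dll
VendorID=393
AppList=av,fw
[av]
AppType=3
AttributeList=attr1,attr2, attr7,attr8
attr1=3,string,Software Name
attr2=4,unsigned32,Software Id
attr7=8,Time,Dat Date
attr9=8,version,Dat Version
"""

def _csv(value):
    """Split a comma-separated value, dropping blanks and stray spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]

def check_plugin_inf(text, dlls_present):
    """Return consistency findings for a posture-plugin .inf (layout assumed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    findings = []
    plugin = cp.get("main", "PluginName", fallback="")
    if plugin.lower() not in {d.lower() for d in dlls_present}:
        findings.append(f"PluginName {plugin} has no matching DLL")
    for app in _csv(cp.get("main", "AppList", fallback="")):
        if not cp.has_section(app):
            findings.append(f"[{app}] is in AppList but has no section")
            continue
        listed = _csv(cp.get(app, "AttributeList", fallback=""))
        defined = {k: v for k, v in cp.items(app) if re.fullmatch(r"attr\d+", k)}
        for name in listed:
            if name not in defined:
                findings.append(f"[{app}] {name} is listed but not defined")
        seen_ids = {}  # attribute id -> first attrN that used it
        for name, value in defined.items():
            if name not in listed:
                findings.append(f"[{app}] {name} is defined but not listed")
            attr_id = value.split(",")[0].strip()
            if attr_id in seen_ids:
                findings.append(f"[{app}] {name} reuses id {attr_id} of {seen_ids[attr_id]}")
            seen_ids.setdefault(attr_id, name)
    return findings

if __name__ == "__main__":
    print("\n".join(check_plugin_inf(SAMPLE_INF, {"SYM_PP.dll", "SYM_PP2.dll"})))
```

Pass the names of the DLLs actually present in the Plugins directory as the second argument; an empty result means the file is internally consistent, not that CTA will accept it.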
02-25-2008 04:32 AM
Hi Arnaud,
Can you send me the SYM_PP2.dll? I need Dat-Date with Symantec and I don't obtain it.
Regards.
02-25-2008 05:20 AM
Hi,
No problem to send you the files.
Please let me know your email address and I'll post them to them.
Best Regards,
Arnaud
02-25-2008 05:49 AM
08-22-2006 01:10 AM
Hi.
Please examine the following directory of client pc. Is Plugins File of Symantec installed?
\Program Files\Common Files\PostureAgent\Plugins
\Program Files\Common Files\PostureAgent\Plugins\Install
-----
Plugin Installation and Upgrade
Each NAC-compliant application is responsible for installing its own posture plugin on end systems.
Plugins for Windows environments are installed in this directory:
\Program Files\Common Files\PostureAgent\Plugins\Install
When CTA receives a posture request, it scans the PostureAgnt\Plugins\Install directory for new or updated posture plugins. If there are new or updated posture plugins in the PostureAgnt\Plugins\Install directory, CTA performs one of the following actions:
- If the .dll plugin does not exist in the PostureAgent\Plugins directory, CTA moves the plugin files from the PostureAgent\Plugins\Install directory to the PostureAgent\Plugins directory.
- If the .dll plugin does exist in the PostureAgent\Plugins directory, then CTA checks to see if the plugin, in the PostureAgent\Plugins\Install directory, is newer than the one in the Plugins directory. CTA then moves the newer plugin to the PostureAgent\Plugins directory and overwrites the older one. If the plugin in the PostureAgent\Plugins\Install directory is older than the one in the Plugins directory, CTA deletes it, and continues to use the original plugin.
- If the plugin creates an error during registration, CTA moves the plugin to the following directory (if the logging is enabled, the error information is logged):
http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870db.html
-----
best regards,
sahase