06-26-2006 12:46 PM - edited 03-10-2019 02:38 PM
Hi,
We're implementing NAC and are experiencing some problems with NAI's posture validation attributes.
Frequently the attributes for NAI's virusscan (8.0i enterprise) are not received by ACS and clients get quarantined.
When authentication and authorization succeeds, the NAI's attributes are displayed in the ACS's passed authentication report. But when the user gets quarantined the report doesn't show NAI's attribute values.
This gets me thinking NAI didn't supply the attribute values to CTA.
Does anyone else have ACS4, CTA(latest) and NAI's AntiVirus (8i) working together as expected? If so, what was the solution to the problems you experienced (I'm guessing you've at least had some ...)
Regards,
Erik
07-03-2006 06:48 AM
CTA version 1 is not sending the Cisco:PA attribute to ACS 4.0. But CTA version 2 is working fine. The issue is ACS 4.0 is requesting an attribute, Machine Posture State, of CTA, which CTA 1.0 does not know (Machine Posture State was added to CTA 2.0). CTA should ignore it but it returns an error instead.
09-27-2006 05:01 AM
I have exactly the same issue with CTA version 2.0.1.14 and VirusScan 8.0i.
11-17-2006 01:14 PM
Hi Eric,
I'm having PV problems similar to yours. My set-up:
Client pc-->Cisco VPN concentrator-->ACS4.0
If I enable anything but "any" in Network Access Profile/Authorization/System Posture Token, my client cannot connect. Cisco got into the boxes and then generated very detailed reports and they show that PostureValidation.dll is missing from the acs install directory. C:\Program Files\CiscoSecure ACS v4.0\Authenticators is where it should be. I re-installed but that didn't add that dll file.
Do you have that file in that directory?
Thanks,
Chuck
11-20-2006 12:26 AM
Hi Chuck,
I'm sorry. We're using the appliance version of ACS and thus do not have access to the hard drive.
For your information, we've stopped the NAC pilot because of too many problems with the combination ACS / Switches / Windows 2000/XP and McAfee. Both on the authentication and on the validation points the pilot failed dramatically. We keep hitting problems that we are amazed even exist. Most likely Cisco did little testing before they shipped the product (ACS).
Regards,
Erik
11-23-2006 03:50 AM
I have the same problem with Panda Antivirus and ACS 3.3, "same times" the Panda attributes are not received by ACS and it logs an external DB account restriction.
11-23-2006 06:13 AM
Hi Natxoc,
I think "External DB account restrictions" are authentication failures and not authorization failures. The attributes for anti-virus are checked in the authorization section of the whole process. So have another look at your problem to be sure it's not an authentication problem.
Regards,
Erik
11-23-2006 08:45 AM
Erik, Thanks
Yes, External DB account restrictions are authentication failures. ACS fails in authentication because the "Mandatory credentials" are not sent by the client (Panda credentials) to ACS (or not received by ACS).
I have created another external DB with CTA as the only mandatory credential and posture token CHECKUP, and now there are no clients with the DB account failure; they get the Checkup token.
12-28-2006 06:36 AM
Hello
From your description, I think you have installed the acs4 add-on (nai.adf file) for NAI AV. You find an example in the ACS 4.0 documentation.
And on the client, verify you have this.
Apply latest Vscan 8.0 Patch14 and latest McAfee Common Management Agent 3.6.0.
For the CTA 2.0.1, in the CiscoTrustAgent dir add "PPMsgSize=4096" in ctad.ini at the GENERAL part (top of the file).
This allows bigger messages from the Posture Agent (NAI) to CTA.
Reboot and get healthy
//
Christer
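A small check for the ctad.ini step in the post above, added here as an example; it is not code from the thread, from Cisco or from McAfee. It assumes ctad.ini is a plain INI file whose GENERAL part is a `[GENERAL]` section header (the post only says "GENERAL part"), and the sample file content is constructed. It reports whether `PPMsgSize=4096` is present in `[GENERAL]`, flags a copy that landed in the wrong section or with another value, and can rewrite the file so the setting sits directly under the `[GENERAL]` header while leaving comments and other settings intact.

```python
"""Check and fix the PPMsgSize setting in a CTA ctad.ini (added example, not Cisco's code)."""
import re

# Constructed sample of a ctad.ini; the [GENERAL] layout is an assumption about the real file.
SAMPLE_INI = """; ctad.ini - constructed sample, not a real CTA file
[GENERAL]
LogLevel=3

[EAP]
Timeout=30
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*PPMsgSize\s*=\s*(?P<val>\S*)\s*$", re.IGNORECASE)
WANTED_LINE = "PPMsgSize=4096"   # the value the post recommends


def find_ppmsgsize(lines):
    """Return (section, value) of the first PPMsgSize key, or (None, None) if absent."""
    section = None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip().upper()
            continue
        k = KEY_RE.match(line)
        if k:
            return section, k.group("val")
    return None, None


def check_ppmsgsize(text):
    """Return (ok, detail) describing whether PPMsgSize=4096 is set under [GENERAL]."""
    section, value = find_ppmsgsize(text.splitlines())
    if value is None:
        return False, "PPMsgSize is not set"
    if section != "GENERAL":
        return False, f"PPMsgSize found in section [{section}] rather than [GENERAL]"
    if value != "4096":
        return False, f"PPMsgSize is {value}, expected 4096"
    return True, "PPMsgSize=4096 present in [GENERAL]"


def ensure_ppmsgsize(text):
    """Return the file text with PPMsgSize=4096 placed right under the [GENERAL] header.

    Any existing PPMsgSize line (wrong value or wrong section) is dropped so only one
    copy remains; comments and all other settings are preserved as written.
    """
    out = []
    inserted = False
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            out.append(line)
            if m.group("name").strip().upper() == "GENERAL":
                out.append(WANTED_LINE)
                inserted = True
            continue
        if KEY_RE.match(line):
            continue  # replaced by the line written under [GENERAL]
        out.append(line)
    if not inserted:
        # No [GENERAL] section at all: create one at the top of the file.
        out = ["[GENERAL]", WANTED_LINE, ""] + out
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ok, detail = check_ppmsgsize(SAMPLE_INI)
    print("before:", ok, detail)
    fixed = ensure_ppmsgsize(SAMPLE_INI)
    print("after: ", *check_ppmsgsize(fixed))
    print(fixed)
```

Run it against a copy of the real ctad.ini by reading the file into `check_ppmsgsize` first; only write back the output of `ensure_ppmsgsize` after comparing it with the original, since the section name and key spelling are assumptions taken from the post.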