ACS4 posture validation problems

etamminga
Spotlight

Hi,

We're implementing NAC and are experiencing some problems with NAI's posture validation attributes.

Frequently the attributes for NAI's virusscan (8.0i enterprise) are not received by ACS and clients get quarantined.

When authentication and authorization succeeds, the NAI's attributes are displayed in the ACS's passed authentication report. But when the user gets quarantined the report doesn't show NAI's attribute values.

This gets me thinking NAI didn't supply the attribute values to CTA.

Does anyone else have ACS4, CTA(latest) and NAI's AntiVirus (8i) working together as expected? If so, what was the solution to the problems you experienced (I'm guessing you've at least had some ...)

Regards,

Erik

8 Replies

aghaznavi
Level 5

CTA version 1 is not sending the Cisco:PA attribute to ACS 4.0. But CTA version 2 is working fine. The issue is ACS 4.0 is requesting an attribute, Machine Posture State, of CTA, which CTA 1.0 does not know (Machine Posture State was added to CTA 2.0). CTA should ignore it but it returns an error instead.

m.vuckovic
Level 1

I have exactly the same issue with CTA version 2.0.1.14 and VirusScan 8.0i.

cjdock123
Level 1

Hi Erik,

I'm having PV problems similar to yours. My set-up:

Client pc-->Cisco VPN concentrator-->ACS4.0

If I enable anything but "any" in Network Access Profile/Authorization/System Posture Token, my client cannot connect. Cisco got into the boxes and then generated very detailed reports and they show that PostureValidation.dll is missing from the acs install directory. C:\Program Files\CiscoSecure ACS v4.0\Authenticators is where it should be. I re-installed but that didn't add that dll file.

Do you have that file in that directory?

Thanks,

Chuck

Hi Chuck,

I'm sorry. We're using the appliance version of ACS and thus do not have access to the hard drive.

For your information, we've stopped the NAC pilot because of too many problems with the combination ACS / Switches / Windows 2000/XP and McAfee. Both on the authentication and on the validation points the pilot failed dramatically. We keep hitting problems that we are amazed even exist. Most likely Cisco did little testing before they shipped the product (ACS).

Regards,

Erik

natxoc
Level 1

I have the same problem with Panda Antivirus and ACS 3.3: "sometimes" the Panda attributes are not received by ACS, and ACS logs an external DB account restriction.

Hi Natxoc,

I think "External DB account restrictions" are authentication failures and not authorization failures. The attributes for anti-virus are checked in the authorization section of the whole process. So have another look at your problem to be sure it's not an authentication problem.

Regards,

Erik

natxoc
Level 1

Erik, Thanks

Yes, External DB account restrictions are authentication failures. ACS fails in authentication because the "Mandatory credentials" are not sent by the client (Panda credentials) to ACS (or not received by ACS).

I have created another external DB with CTA as the only mandatory credential and posture token CHECKUP, and now there are no clients with the DB account failure; they get the Checkup token.

axfood
Level 1

Hello

From your description, I think you have installed the ACS4 add-on (nai.adf file) for NAI AV. You can find an example in the ACS 4.0 documentation.

And on the client, verify you have this.

http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=KB45653&sliceId=SAL_Public&dialogID=5672976&stateId=0%200%204773882

Apply latest Vscan 8.0 Patch14 and latest McAfee Common Management Agent 3.6.0.

For CTA 2.0.1, in the CiscoTrustAgent dir add "PPMsgSize=4096" to ctad.ini in the GENERAL part (top of the file).

This allows bigger messages from the Posture Agent (NAI) to CTA.

Reboot and get healthy

//

Christer
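The ctad.ini change Christer describes is easy to get wrong by hand on many clients (duplicate keys, wrong section, silently different values). The helper below is an added example, not code from the thread or from Cisco; it assumes the GENERAL part is an INI section headed `[GENERAL]` and that ctad.ini uses `Key=Value` lines, and the sample file content is constructed for the demonstration.

```python
import re

# Constructed sample of a ctad.ini; NOT copied from a real CTA install.
SAMPLE_CTAD_INI = """[GENERAL]
LogLevel=3
; PPMsgSize deliberately absent in this constructed sample

[EAP]
SomeSetting=1
"""

HEADER_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def set_ini_key(text, section, key, value):
    """Return (new_text, action); action is 'unchanged', 'updated',
    'added' or 'section_added'. Only the named section is touched and
    every other line is preserved, so the edit is safe to re-run."""
    lines = text.splitlines()
    key_re = re.compile(r"^\s*%s\s*=\s*(?P<val>.*?)\s*$" % re.escape(key), re.I)
    start = None
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if m and m.group("name").strip().lower() == section.lower():
            start = i
            break
    if start is None:
        # Section missing: create it at the top, where the post says GENERAL sits.
        new = [f"[{section}]", f"{key}={value}", ""] + lines
        return "\n".join(new) + "\n", "section_added"
    end = len(lines)
    for j in range(start + 1, len(lines)):
        if HEADER_RE.match(lines[j]):
            end = j  # next section header bounds our search
            break
    for j in range(start + 1, end):
        m = key_re.match(lines[j])  # a ';'-commented key does not match
        if m:
            if m.group("val") == value:
                return text, "unchanged"
            lines[j] = f"{key}={value}"
            return "\n".join(lines) + "\n", "updated"
    lines.insert(start + 1, f"{key}={value}")  # key absent: add under the header
    return "\n".join(lines) + "\n", "added"


def ensure_ppmsgsize(path, size=4096):
    """Apply the PPMsgSize setting to a ctad.ini on disk; returns the action taken."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    new_text, action = set_ini_key(text, "GENERAL", "PPMsgSize", str(size))
    if action != "unchanged":
        with open(path, "w", encoding="utf-8") as f:
            f.write(new_text)
    return action
```

Running `ensure_ppmsgsize(r"C:\Program Files\Cisco Systems\CiscoTrustAgent\ctad.ini")` (path assumed, adjust to the client's CTA directory) reports whether the key was added, corrected or already right.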