ACS4 posture validation problems

etamminga · ‎06-26-2006

Hi,

We're implementing NAC and are experiencing some problems with NAI's posture valiation attributes.

Frequently the attributes for NAI's virusscan (8.0i enterprise) are not received by ACS and clients get quarantined.

When authentication and authorization succeeds, the NAI's attributes are displayed in the ACS's passed authentication report. But when the user gets quarantined the report doesn't show NAI's attribute values.

This gets me thinking NAI didn't supply the attribute values to CTA.

Does anyone else have ACS4, CTA(latest) and NAI's AntiVirus (8i) working together as expected? If so, what was the solution to the problems you experienced (I'm guessing you've at least had some ...)

Regards,

Erik

aghaznavi · ‎07-03-2006

CTA version 1 is not sending the Cisco:PA attribute to ACS 4.0.But CTA version 2 is working fine.The issue is ACS 4.0 is requesting an attribute, Machine Posture State, of CTA, which CTA 1.0 does not know (Machine Posture State was added to CTA 2.0). CTA should ignore it but it returns an error instead.

m.vuckovic · ‎09-27-2006

I have exactly the same issue with CTA version 2.0.1.14 and VirusScan 8.0i.

cjdock123 · ‎11-17-2006

Hi Eric,

I'm having PV problems similuar to yours. My set-up:

Client pc-->Cisco VPN concentrator-->ACS4.0

If I enable anything but "any" in Network Access Profile/Authorization/System Posture Token, my client cannot connect. Cisco got into the boxes and then generated very detailed reports and they show that PostureValidation.dll is missing from the acs install directory. C:\Program Files\CiscoSecure ACS v4.0\Authenticators is where it should be. I re-installed but that didn't add that dll file.

Do you have that file in that directory?

Thanks,

Chuck

etamminga · ‎11-20-2006

Hi Chuck,

I'm sorry. We're using the appliance version of ACS and thus do not have access to the harddrive.

For your information, we've stopped the NAC pilot because of too many problems with the combination ACS / Switches / Windows 2000/XP and McAfee. Both on the authentitcation as on the validation points the pilot failed dramatically. We keep hitting problems of which we amaze ourselves that they even exist. Most likely Cisco did little testing before they shipped the product (ACS).

Regards,

Erik

natxoc · ‎11-23-2006

I have the same problem with Panda Antivirus

and ACS 3.3, "same times" the Panda attributes ACS are not recived by ACS and logs a external DB account restriccion.

etamminga · ‎11-23-2006

Hi Natxoc,

I think "External DB account restrictions" are authentication failures and not authorization failures. The attributes for anti-virus are checked in the authorization section of the whole process. So have another look at your problem to be sure it's not an authentication problem.

Regards,

Erik

natxoc · ‎11-23-2006

Erik, Thanks

yes External DB account restrictions are authentication failures. ACS fail in authentication becouse the "Mandatory credentials" are not sent by the client (Panda credentials)to ACS (Or not recived by ACS).

I have created another external DB with CTA the only mandatory credentials and posture token CHECKUP and now there are not clients with the DB account fail they get the Checup token.

axfood · ‎12-28-2006

Hello

I think you have install the acs4 add-on (nai.adf file)for NAI AV from your description. You find example in ACS 4.0 documentation.

And on the client, verify you have this.

http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=KB45653&sliceId=SAL_Public&dialogID=5672976&stateId=0%200%204773882

Apply latest Vscan 8.0 Patch14 and latest McAfee Common Management Agent 3.6.0.

For the CTA 2.0.1, in the CiscoTrustAgent dir add "PPMsgSize=4096" in ctad.ini at the GENERAL part (top of the file).

This allow bigger messages from Posture Agent (NAI) to CTA.

Reboot and get healthy

//

Christer