
CCA Network Policy to CAA Question

simonbell
Level 1

We wanted all Agent users to be prompted with our Network Policies. So I configured the User Agreement page, allowed access to the Network Policy for the role, and enabled the option in the General setup. However, the Agent never prompts for the link. Also, while the agent considers them logged in, in "online users" they're still in Temporary Access. Yet they have full network access.

I can't pinpoint what I've got configured wrong... any suggestions?


pradeepde
Level 5

Did it give you any error messages?

Nope, and looking at the CCA reports, the user didn't fail anything. Yet the agent never prompts.

nchong
Level 1

Hello Simon,

Assuming you are running 3.4.x on both servers and agent.

a. There was a fixed bug, fixed in 3.4.2 and above

00290

Network User Agreement Page reverts back to old behavior whereby user is shown the page only if they are not on the Certified Devices list (i.e. if they haven't gone through the Clean Access process earlier).

b. You need to ensure that your client/agent is 3.4.0 or 3.4.1

c. Check to make sure your Role/OS in the General Setup matches what you want. And under Clean Access > Role, make sure your requirements are checked for the Role/OS.

d. What is your policy on Temporary Role? Do you have an Allow all IP?

e. If the online user is Temporary, the user should have seen a popup denoting temporary and time left to remediate. Were you seeing this?

Nick

a. Device wasn't previously certified

b. agent is 3.4.0

c. verified

d. temp has limited access:

Block TCP *:* 141.165.5.199 /255.255.255.255 :* CCA Manager

Block UDP *:* *:135

Block TCP *:* *:135

Block TCP *:* *:445

Block TCP *:* *:139

Block TCP *:* *:137

Block TCP *:* *:138

Block UDP *:* *:593

Block TCP *:* *:593

Block TCP *:* *:69

Block UDP *:* *:445

Block UDP *:* *:139

Block UDP *:* *:137

Block UDP *:* *:138

Allow TCP *:* 141.165.4.98 /255.255.255.255 :443 Userid Lookup

Allow TCP *:* 141.165.4.50 /255.255.255.255 :4567 Userid reset

Allow TCP *:* 141.165.5.204 /255.255.255.255 :81 Help pages

Allow TCP *:* 141.165.4.67 /255.255.255.255 :* Computer use policy

Allow TCP *:* 141.165.4.96 /255.255.255.255 :80 Internal Norton Corp download

Allow TCP *:* 141.165.4.96 /255.255.255.255 :443 Internal Norton corp Download

Allow TCP *:* 199.77.203.0 /255.255.255.0 :80 Trendmicro update

Allow UDP *:* *:53 trusted dns server

Block ALL

e. No, the user sees a successful login. After the time limit they're booted. Also, although CCAM has them in temp mode, they have full network access.

I contacted Doug Ramos about this issue and gave him remote access. He felt there might be a bug, but I haven't heard back yet.

Upgrading from 3.4.2 to 3.4.4 seems to have fixed the problem.
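
An added example, not part of the original thread and not Cisco code: the Temporary-role rules posted above, evaluated top-down with the first match winning (an assumption about rule ordering), to show which flows a client in Temporary Access should be able to reach. `parse` and `decide` are hypothetical helper names, and any destination used with them that is not in the posted list is constructed.

```python
import ipaddress, re
# Temporary-role rules as posted in the thread (free-text descriptions dropped).
POLICY = """\
Block TCP *:* 141.165.5.199/255.255.255.255:*
Block UDP *:* *:135
Block TCP *:* *:135
Block TCP *:* *:445
Block TCP *:* *:139
Block TCP *:* *:137
Block TCP *:* *:138
Block UDP *:* *:593
Block TCP *:* *:593
Block TCP *:* *:69
Block UDP *:* *:445
Block UDP *:* *:139
Block UDP *:* *:137
Block UDP *:* *:138
Allow TCP *:* 141.165.4.98/255.255.255.255:443
Allow TCP *:* 141.165.4.50/255.255.255.255:4567
Allow TCP *:* 141.165.5.204/255.255.255.255:81
Allow TCP *:* 141.165.4.67/255.255.255.255:*
Allow TCP *:* 141.165.4.96/255.255.255.255:80
Allow TCP *:* 141.165.4.96/255.255.255.255:443
Allow TCP *:* 199.77.203.0/255.255.255.0:80
Allow UDP *:* *:53
Block ALL
"""
RULE = re.compile(r"(Allow|Block) (TCP|UDP) \*:\* (\S+?):(\*|\d+)$")

def parse(text):
    rules = []  # tuples of (action, proto, network, port); None means "any"
    for line in text.splitlines():
        if line == "Block ALL":
            rules.append(("Block", None, None, None))
            continue
        action, proto, dst, port = RULE.match(line).groups()
        net = None if dst == "*" else ipaddress.ip_network(dst)
        rules.append((action, proto, net, None if port == "*" else int(port)))
    return rules

def decide(rules, proto, dst_ip, dst_port):
    # Assumption: rules are checked top-down and the first match decides.
    ip = ipaddress.ip_address(dst_ip)
    for action, r_proto, net, port in rules:
        if (r_proto in (None, proto) and (net is None or ip in net)
                and port in (None, dst_port)):
            return action
    return "Block"  # nothing matched: deny
```

If a client listed under Temporary Access reaches a destination for which `decide` returns `Block`, the role policy is not being enforced on that session, which is the symptom reported in the thread.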