06-16-2011 03:41 AM - edited 02-21-2020 04:22 AM
Hello all,
I tried to set up the NAC so that if an application is not running, it will be launched automatically by the agent, or if software is not installed, the setup file will be downloaded to the computer and installed.
It works fine when the user has admin privileges, but the "agent stub" cannot launch the application when the user doesn't have the right privileges.
The "agent stub" was installed manually with admin privileges on the computer. Now the CCA agent can be installed by a non-admin user; the IP address is also renewed even if the user doesn't have the required privileges.
How can I copy files, install and launch programs as a non-admin user?
06-16-2011 07:36 AM
I am posing the same question to Cisco support right now and I need an answer soon. We all know you don't give a non-admin user local admin rights on the PC. I have a NAC 4.8.1 (soon to be 4.8.2) real IP layer three deployment. You no longer see the option to download the CCAStubAgent.exe on the CAM manager. I really need a senior member of TAC to chime in and answer the question: how do you deploy agents today on Windows machines with the latest NAC build? Please tell me someone did not overlook this in the latest code. I was able to install the agent as admin user and then log in as non-admin. The agent works as expected at this point, but I cannot touch 2000 machines. No, I do not have a software deployment suite.
06-16-2011 08:44 AM
I've seen this from Cisco:
============
Launch Programs Without Admin Privileges
The executable must have:
•A valid digital signature signed by certificates with specific field value(s)
•File version information with specific item value(s)
Note also that:
•The executable must be signed with a code signing certificate with a proper chain of certificates. The code signing certificate must be installed on the client machine.
•The root certificate must also be installed on the client machine and must be in the Trusted Root Certification Authority on Windows.
•You must create a registry key that is particular to the executable being run in addition to installing the certificate
============
I tried to get a free code signing certificate for testing (PFX file); I don't know if it's OK.
The certificate appears under "Trusted Root Certification Authority".
I signed the exe file with SignGUI and now I can see the "Digital Signatures" tab in the exe file's properties.
I don't know what registry key I need to create.
Is there anyone who can say if it's OK with a free certificate and what should be added to the registry?
06-17-2011 10:39 AM
Hi,
See this:
On the client computers where the executables will run, you must add a Trust
1. Verifies the digital signature - Ensures the digital signature is trusted.
2. Verifies the signer certificate information based on the information in the registry.
The related registry structure appears as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust
\Certificate\2.5.4.3 "Cisco Systems"
\FileVersionInfo\ProductName "Clean Access"
Where:
•For the entries under Certificate, each value can be exact case-insensitive.
•For the entries under FileVersionInfo, each value must appear in the corresponding value in the file information stream, and can also be case-insensitive.
•All the entries under Certificate and FileVersionInfo must be satisfied (AND operations) to qualify as a trusted target.
•If any of the Trust
06-20-2011 07:18 AM
Thanks for your reply.
Let's suppose we need to launch tftpd (exe file: tftpd32.exe) and ClamWin Antivirus. Does it mean that we need to add
Trust1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub for tftp
and Trust2 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub for ClamWin?
And do we need to create "Certificate" and "FileVersionInfo"?
What values should we use?
06-20-2011 11:28 AM
Hi,
Yes, you need 2 subtrees, Trust1 and Trust2.
At first you have to sign these two files, if not signed. The "Certificate" is a field from the signed file; for example, 2.5.4.3 means:
2.5.4.3 - COMMON_NAME
which is the signer name (right click -> Digital Signatures -> Signer Name). At a Computer Associates (CA) antivirus installer it is simply "CA".
The FileVersionInfo is a simple value from a file (right click -> Properties -> Version).
The accepted values for Certificate/FileVersionInfo are:
Supported Value Names Under Certificate
•2.5.4.3 - COMMON_NAME
•2.5.4.4 - SUR_NAME
•2.5.4.5 - DEVICE_SERIAL_NUMBER
•2.5.4.6 - COUNTRY_NAME
•2.5.4.7 - LOCALITY_NAME
•2.5.4.8 - STATE_OR_PROVINCE_NAME
•2.5.4.9 - STREET_ADDRESS
•2.5.4.10 - ORGANIZATION_NAME
•2.5.4.11 - ORGANIZATIONAL_UNIT_NAME
•2.5.4.12 - TITLE
•2.5.4.13 - DESCRIPTION
•2.5.4.14 - SEARCH_GUIDE
•2.5.4.15 - BUSINESS_CATEGORY
•2.5.4.16 - POSTAL_ADDRESS
•2.5.4.17 - POSTAL_CODE
•2.5.4.18 - POST_OFFICE_BOX
•2.5.4.19 - PHYSICAL_DELIVERY_OFFICE_NAME
•2.5.4.20 - TELEPHONE_NUMBER
Supported Value Names Under FileVersionInfo
•ProductName
•CompanyName
•FileDescription
•FileVersion
•InternalName
•LegalCopyright
•OriginalFileName
•ProductVersion
•Comments
•LegalTrademarks
•PrivateBuild
•SpecialBuild
06-21-2011 07:58 AM
Thanks for your reply.
I would like to post all the steps we did.
Please correct me if there's something wrong.
1/ code signing
- we asked for a free certificate from the internet and got a pfx file
- we used a free tool (SignGUI) and got spc, cer and pvk files from the pfx
- we launched signcode.exe to sign the executable files (clamwinTray.exe and tftpd32.exe)
- we chose the "custom" option and "select from file" in the digital signature wizard, and selected the spc file
- we specified the location of the pvk file
- we selected sha1 as hash algorithm
- "all certificates in the certification path, including the root certificate" was chosen under "certificates in the certification path"
- we got the message "digital signing wizard was completed successfully"
- in the "digital signatures" tab of the executable file, we had "certificate issued to certificate_usernac" and "certificate issued by Root Agency"
2/ registry key
- under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub, we created 2 subtrees, Trust1 and Trust2.
for trust1, we created
- new key : certificate
- new string value : name = 2.5.4.3, value = certificate_usernac
- new key : FileVersionInfo
- new string value : name = ProductName, value = ClamWin Antivirus
for trust2, we created
- new key : certificate
- new string value : name = 2.5.4.3, value = certificate_usernac
- new key : FileVersionInfo
- new string value : name = ProductName, value = Tftpd32
3/ NAC
- we created an "Application check" for ClamTray.exe and tftpd32.exe, operator = running, OS = Windows All, rule = automatically created
- we created a new requirement with Launch Program
Program Name : SYSTEM_PROGRAMS\ClamWin\bin\ClamTray.exe for ClamWin
Program Name : SYSTEM_DRIVE\tftpd32.exe for tftp
OS = Windows XP (All)
- we configured "Requirement-rules"
- we configured "Role-Requirement"
we always get "Stub Agent failed to launch ..."
Is there anything wrong or missing?
I would also like to know if it can be used on Windows with a language other than English.
Looking forward to hearing from you soon.
Thanks and Best Regards.
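The registry layout from step 2 above, together with the two checks quoted earlier in the thread (trusted signature chain, then Certificate and FileVersionInfo matching), as an added PowerShell example that is not from the thread or from Cisco. The executable paths stand in for SYSTEM_PROGRAMS and SYSTEM_DRIVE and are assumptions, as are the signer CN and ProductName values, which are the ones posted above:

```powershell
# Added example (not from the thread or Cisco): create the Trust1/Trust2
# subtrees from the steps above, then check each executable the way the quoted
# documentation describes: trusted Authenticode chain, exact case-insensitive
# Certificate match, substring case-insensitive FileVersionInfo match, all ANDed.
# Exe paths are assumptions for SYSTEM_PROGRAMS / SYSTEM_DRIVE; run elevated.
$stubKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CCAAgentStub'
$targets = @(
    @{ Trust = 'Trust1'; Exe = 'C:\Program Files\ClamWin\bin\ClamTray.exe'
       Certificate     = @{ '2.5.4.3' = 'certificate_usernac' }
       FileVersionInfo = @{ 'ProductName' = 'ClamWin Antivirus' } },
    @{ Trust = 'Trust2'; Exe = 'C:\tftpd32.exe'
       Certificate     = @{ '2.5.4.3' = 'certificate_usernac' }
       FileVersionInfo = @{ 'ProductName' = 'Tftpd32' } }
)

foreach ($t in $targets) {
    # 1. Trust<n>\Certificate and Trust<n>\FileVersionInfo, each value a REG_SZ
    #    named after the OID or version-info item, data = the expected text.
    foreach ($section in 'Certificate', 'FileVersionInfo') {
        $path = Join-Path (Join-Path $stubKey $t.Trust) $section
        New-Item -Path $path -Force | Out-Null
        foreach ($name in $t[$section].Keys) {
            New-ItemProperty -Path $path -Name $name -Value $t[$section][$name] `
                -PropertyType String -Force | Out-Null
        }
    }

    # 2. Chain check. Anything but 'Valid' ('NotTrusted' when the signing root
    #    is not in Trusted Root Certification Authorities, 'NotSigned', ...)
    #    is the "failed to launch" case seen in the thread.
    $sig = Get-AuthenticodeSignature -FilePath $t.Exe
    $chainOk = ($sig.Status -eq 'Valid')

    # 3. Certificate entry: signer CN (OID 2.5.4.3) must equal the registry
    #    data; -eq on strings is case-insensitive in PowerShell.
    $cn = if ($sig.SignerCertificate) { $sig.SignerCertificate.GetNameInfo('SimpleName', $false) } else { '' }
    $certOk = ($cn -eq $t.Certificate['2.5.4.3'])

    # 4. FileVersionInfo entries: registry data must appear inside the file's
    #    version string (substring, case-insensitive).
    $vi = (Get-Item -Path $t.Exe).VersionInfo
    $viOk = $true
    foreach ($name in $t.FileVersionInfo.Keys) {
        $want = $t.FileVersionInfo[$name].ToLower()
        if (-not ([string]$vi.$name).ToLower().Contains($want)) { $viOk = $false }
    }

    '{0}: chain={1} certificate={2} versioninfo={3} -> trusted={4}' -f `
        $t.Trust, $sig.Status, $certOk, $viOk, ($chainOk -and $certOk -and $viOk)
}
```

A line reporting chain=NotTrusted is the same condition as the "cannot be verified up to a trusted certification authority" message discussed later in the thread, and a versioninfo=False line means the ProductName written to the registry does not occur in the file's version resource.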
06-21-2011 10:35 AM
It seems to me the steps are OK. The English language is not required; we tried with a Hungarian XP language.
"Stub Agent failed to launch ..."
Stub agent?
In NAC 4.7 and 4.8 the stub agent is obsoleted.
Which NAC version?
And one more thing, in NACAgentCFG.xml you have to set SignatureCheck to 1.
06-22-2011 01:11 AM
Hello,
Thanks for your reply.
We're using NAC ver 4.1.1 (we have to use it for the moment).
In the document, it is mentioned:
"The root certificate must also be installed on the client machine and must be in the Trusted Root Certification Authority on Windows."
Could you please tell us how to do and check this?
After code-signing the executable, we had the following message when checking the certificate from the file properties:
"this certificate cannot be verified up to a trusted certification authority"
How do we fix this?
Looking forward to hearing from you soon.
Thanks and Best Regards
06-22-2011 02:53 AM
Hi,
According to this page:
When you signed your files with a certificate (root CA), this certificate must exist in the client's
Trusted Root Certification Authorities.
So when you click on your signed file's properties -> Digital Signatures -> Details -> View Certificate -> Certificate Chain you mustn't see a red cross at the root (like here: http://blogs.msdn.com/blogfiles/saurabh_singh/WindowsLiveWriter/Yougetasecurityalertwhenyoutrytoaccessa_834/image_thumb_5.png).
If it does not help, I am sorry, but certificates are not my speciality; in this case I am afraid you need a Microsoft expert.
Attila
06-22-2011 07:37 AM
Thanks indeed for all your replies, they are extremely helpful.
It was the certificate.
I would like to ask how to proceed in case the user (without admin privileges) needs to install software for remediation.
Looking forward to hearing from you soon.
Thanks and Best Regards
06-23-2011 12:10 AM
Hi,
You need the Launch program feature for remediation, as described here:
Regards,
Attila
06-27-2011 11:30 PM
Hello Attila,
Thanks a lot for your reply and for this interesting URL.
Sorry for my late reply.
We've tested software setup and antivirus update using a non-admin user; it works fine.
We are going to test Windows Update and let you know.
We have more questions about OOB L3 and IP phones. We'll add other posts asking these. Please send us your extremely helpful answers, as usual.
Thanks and Best Regards
06-30-2011 07:26 AM
Hi,
Read this one: http://www.caysec.com/2008/06/cisco-nac-with-ip-phones.html
/and change this topic's state to answered /
07-01-2011 01:04 AM
Thanks Attila.
How about L3 OOB, is it possible to use L3 if the NAC is set up as OOB Virtual Gateway?
I've put this question in another discussion:
https://supportforums.cisco.com/thread/2091996
Looking forward to hearing from you soon.
Thanks and Best Regards