Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
363
Views
0
Helpful
3
Replies

Clean Access Failure Detail

kellyrudnick
Level 1
Level 1

‎04-16-2008 05:32 AM - edited ‎03-09-2019 08:31 PM

We have a machine that fails our Clean Access rules, but the description on the agent itself is simple: "Windows", "Notify before download". Where on the CAM (4.3) or CAS can I find details regarding the exact rule that was not met.

Labels:
0 Helpful
3 Replies 3

dosic
Level 1
Level 1

‎04-17-2008 06:33 AM

Agent checks the rules one by one in the order that you spesified at your CAM.

So have a look at your CAM's menu Device Management > Clean Access > Clean Access Agent > Role Requirement

Here you can see the rules that the client software must meet.

Looking at the rules name/description you can find out where the problem is.

Or you can use Reports submenu (Management > Clean Access > Clean Access Agent).

0 Helpful

kellyrudnick
Level 1
Level 1
In response to dosic

‎04-17-2008 08:35 AM

Here is the report from a machine that fails:

windows (Mandatory)

Passed Checks:

pc_Windows-XP-SP2

pc_HotFix908519_XP

pc_HotFix904706_XP

pc_KB908531_MS06-015_XP

pc_KB932168_MS07-020_XP

pc_KB920683_MS06-041_XP

pc_KB914388_MS06-036_XP

pc_KB935840_MS07-031_XP

pc_KB930178_MS07-021_XP

pc_HotFix901214_XP

pc_IE7_0

pc_KB935839_MS07-035_XP

pc_KB925902_MS07-017_XP

pc_KB928843_MS07-008_XP_SP2

pc_HotFix896358_XP

pc_KB931261_MS07-019_XP

pc_KB920213_MS06-068_XP_SP2

Failed Checks:

pc_Windows-XP-SP1, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 1]

pc_KB929969_MS07-004_XP_SP2_IE7, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB929969\Filelist\ exists ]

pc_IE6_0, Registry Check [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version starts with 6.0]

There are two checks that may conflict:

1.pc_Windows-XP-SP2

2.pc_Windows-XP-SP1

pc_Windows-XP-SP2 = [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 2]

pc_Windows-XP-SP1 = [\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion contains Service Pack 1]

The actual string data is "Service Pack 2"

It passes pc_Windows-XP-SP2

It fails pc_Windows-XP-SP1

Is this just the case of bad rules? I mean the pass/fail result make senses to me, because based on the keys it fails under one condition and passes under the other. The rules were here before I came onboard, and I am not familiar with Clean Access. I would assume the rules are in conflict and we need to decide which we want to enforce? Is there anyway to have the system not enfore the "SP1 rule" if the "SP2 rule" has been met, such as nesting them?

0 Helpful

dosic
Level 1
Level 1
In response to kellyrudnick

‎04-30-2008 06:00 AM

hi, Kellyrudnick.

Your checks may differ and even conflict. It's ok.

Try to creat a Rule. And in the Rule Expression type smth like

(pc_Windows-XP-SP2) | (pc_Windows-XP-SP1)

This statement means check "pc_Windows-XP-SP2"

OR "pc_Windows-XP-SP1".

Think this will help you

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents