General NAC/CCA Issues

Jun 10th, 2008

We are attempting to roll out CCA Agent to all of our faculty and staff this summer and have encountered some issues. Curious if anyone has seen and has resolutions to the following:

1) Using a WSUS Windows critical Requirement, Non-Local Admins are prompted that Windows requires updates. When logged on as a local admin, it states there are no updates required.

1a) Is there a way to allow non local admins to install Windows Updates?

1b) Is there a way to allow non local admins to install Anti-Virus software (specifically Symantec) and keep the virus definitions up to date?

2) Cisco Clean Access Agent will occasionally not be able to tell the virus definition date of our Symantec software. When you click on Properties of Clean Access in the taskbar it is blank. However, the application states virus definitions are up to date. Only fix we have been able to identify is to uninstall and re-install Symantec AV.

3) Users who are on the domain get mapped drives pushed to them. On occasion the mapped drive works correctly and at times it does not (assuming a disconnect with being quarantined or posture assessed while the mapped drive is occurring). Best practice here?

4) Overall duration of CCA Agent posture assessment. It seems to take a while on select computers and not so long on others. Theoretically the same assessments are being made.

5) 'Unexpected Error' when logging on as a non local admin and CCA Agent attempts to start.

6) Is there a best practice for 'public computers' like in the library? I hate to have computers have filters or ignore certain VLANs because this weakens the overall security of the network as these locations can easily introduce virii or other issues to the net.

7) CCA agent for Mac has not been deployed at all in our environment. What would be appropriate checks for a University environment? Currently on Windows boxes we are checking for Windows Updates (critical), Virus Software, Virus definition date, Auto Update enabled.

r-frank Tue, 08/19/2008 - 17:31

J,

with your issue

3) Users who are on the domain get mapped drives pushed to them. On occasion the mapped drive works correctly and at times it does not (assuming a disconnect with being quarantined or posture assessed while the mapped drive is occurring). Best practice here?

Did you find a solution?

I have agents deployed whose mapped drives are performed by a logon script, and some are mapped while others are not; it's the same drives every time.

Did you find a resolution to this?

Cheers

srue Wed, 08/20/2008 - 10:38

Use AD GPO to do your login script. Then in NAC you can have it update group policy after posture assessment.

r-frank Wed, 08/20/2008 - 16:40

Hi Srue,

The script is being performed by AD GPO and the check box for 'Refresh Windows domain group policy after login' has been checked for the correct role.

5 out of 7 drives are mapped, but it's the same two drives consistently which are not mapped.

Thoughts?

Cheers

cityofsurrey Thu, 08/21/2008 - 14:28

3) Users who are on the domain get mapped drives pushed to them. On occasion the mapped drive works correctly and at times it does not (assuming a disconnect with being quarantined or posture assessed while the mapped drive is occurring). Best practice here?

We do not use AD login scripts, and it still works for us with this delay command. The login script will wait until all drives are mapped or NAC agent auth. is done.

    @echo off
    REM Retry until the host at x.y.z.z answers ping
    :CHECK
    PING x.y.z.z -n 12 -w 1500 >NUL
    if errorlevel 1 goto CHECK

4) Overall duration of CCA Agent posture assessment. It seems to take a while on select computers and not so long on others. Theoretically the same assessments are being made.

Make sure that the same GPO policies are applied to all PCs, including working and non-working. Also make sure DNS and the access list, including ports for the un-auth and temp roles, are set correctly.

6) Is there a best practice for 'public computers' like in the library? I hate to have computers have filters or ignore certain VLANs because this weakens the overall security of the network as these locations can easily introduce virii or other issues to the net.

Why not use NAC to assess public computers and then allow them on guest VLANs?

2) Cisco Clean Access Agent will occasionally not be able to tell the virus definition date of our Symantec software. When you click on Properties of Clean Access in the taskbar it is blank. However, the application states virus definitions are up to date. Only fix we have been able to identify is to uninstall and re-install Symantec AV.

You might want to try the latest 4.1.6 if you have not done so.
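
A bounded variant of the wait loop in the reply above, as an added example that is not part of the original post: it gives up after a fixed number of probes instead of holding the logon script forever, and it looks for TTL= in the ping output because Windows ping can return errorlevel 0 when the only answer is "Destination host unreachable". The probe address (the post's x.y.z.z), the retry limit, the drive letter and the share name are placeholders.

```batch
@echo off
setlocal
REM Added example. Placeholders (assumptions, not from the thread):
REM   PROBE     - a host reachable only once the NAC role change is done
REM   MAX_TRIES - how many probes to send before giving up
REM   H: and \\fileserver\share - hypothetical drive mapping
set "PROBE=x.y.z.z"
set /a MAX_TRIES=30
set /a TRIES=0

:CHECK
set /a TRIES+=1
REM One echo request, 1500 ms timeout. A real echo reply contains "TTL=";
REM an "unreachable" message from a gateway or filter does not.
ping -n 1 -w 1500 %PROBE% | find "TTL=" >NUL
if not errorlevel 1 goto MAP
if %TRIES% GEQ %MAX_TRIES% goto GIVEUP
REM Pause roughly two seconds between probes
ping -n 3 127.0.0.1 >NUL
goto CHECK

:MAP
REM Network is open: map the drive for this session only
net use H: \\fileserver\share /persistent:no
goto END

:GIVEUP
REM Still in the unauthenticated/temporary role: fail visibly, do not hang
echo NAC login did not complete after %MAX_TRIES% probes; drives not mapped. 1>&2
exit /b 1

:END
endlocal
```

The non-zero exit code on timeout lets whatever launches the logon script record that the drives were skipped.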

grant.maynard Tue, 09/02/2008 - 14:03

1) You may be referring to the stub agent here. "For non-admin users of client machines, use of the Stub Agent is mandatory for WSUS requirements."

2) I've seen that with Sophos.

4) I've seen that too.

Sorry, I realise that's not particularly helpful.
