cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
646
Views
0
Helpful
6
Replies

General NAC/CCA Issues

j-williams.14
Level 1
Level 1

We are attempting to roll out CCA Agent to all of our faculty and staff this summer and have encountered some issues. Curious if anyone has seen and has resolutions to the following:

1) Using a WSUS Windows critical Requirement, Non-Local Admins are prompted that Windows requires updates. When logged on as a local admin, it states there are no updates required.

1a) Is there a way to allow non local admins to install Windows Updates?

1b) Is there a way to allow non local admins to install Anti-Virus software (specifically Symantec) and keep the virus defintions up to date?

2) Cisco Clean Access Agent will occasionally not be able to tell the virus definition date of our Symantec software. When you click on Properties of Clean Access in the taskbar it is blank. However, the application states virus definitions are up to date. Only fix we have been able to identify is to uninstall and re-install Symantec AV.

3) Users who are on the domain get mapped drives pushed to them. On occasion the mapped drive works correctly and at times it does not (assuming a disconnect with being quarantined or posture assesed while the mapped drive is occurring). Best practice here?

4) Overall duration of CCA Agent posture assessment. It seems to take awhile on select compters and not so long on others. Theoretically the same assesssments are being made.

5) 'Unexpected Error' when logging on as a non local admin and CCA Agent attempts to start.

6) Is there a best practice for 'public computers' like in the library? I hate to have computers have filters or ignore certain VLANs because this weakens the overall security of the network as these locations can easily introduce virii or other issues to the net.

7) CCA agent for Mac has not been deployed at all in our environment. What would be appropraite checks for a University environment? Currently on Windows boxes we are checking for Windows Updates (critical), Virus Software, Virus definition date, Auto Update enabled.

6 Replies 6

r-frank
Level 1
Level 1

J,

with your issue

3) Users who are on the domain get mapped drives pushed to them. On occasion the mapped drive works correctly and at times it does not (assuming a disconnect with being quarantined or posture assesed while the mapped drive is occurring). Best practice here?

Did you find a solution.

I have agents deployed who's mapped drives are performed by a logon Script and some are mapped while others do not, its the same drives everytime.

Did you find a resoloution to this ?

Cheers

use AD GPO to do your login script. then in NAC you can have it update group policy after posture assessment.

Hi Srue,

the Script is being performed by AD GPO and the check box for

'Refresh Windows domain group policy after login' has been checked for the Correct Role

5 out of 7 drives are mapped by its the two consistant drives which are not mapped.

thoughts?

Cheers

Thanks for the GPO insight. I didn't realize that was an option. Thanks!

cityofsurrey
Level 1
Level 1

3) Users who are on the domain get mapped drives pushed to them. On occasion the mapped drive works correctly and at times it does not (assuming a disconnect with being quarantined or posture assesed while the mapped drive is occurring). Best practice here?

We do not use AD Login scripts and still works for us with this delay command. The login script will wait until all drives are mapped or NAC agent auth. is done.

:CHECK

@echo off

PING x.y.z.z -n 12 -w 1500 >NUL

if errorlevel 1 goto CHECK

4) Overall duration of CCA Agent posture assessment. It seems to take awhile on select compters and not so long on others. Theoretically the same assesssments are being made.

Make sure that same GPO policies applied to all PCs including working and non-working. Also make sure DNS and access list including ports for un-auth and temp role is set correctly.

6) Is there a best practice for 'public computers' like in the library? I hate to have computers have filters or ignore certain VLANs because this weakens the overall security of the network as these locations can easily introduce virii or other issues to the net.

Why not use NAC to assess public computers and than allow them on guest vlans,

2) Cisco Clean Access Agent will occasionally not be able to tell the virus definition date of our Symantec software. When you click on Properties of Clean Access in the taskbar it is blank. However, the application states virus definitions are up to date. Only fix we have been able to identify is to uninstall and re-install Symantec AV.

You might want to try latest 4.1.6 if you have not done so.

grant.maynard
Level 4
Level 4

1) you may be referring to the stub agent here. "For non-admin users of client machines, use of the Stub Agent is mandatory for WSUS requirements."

2) I've seen that with Sophos.

4) I've seen that too.

Sorry, I realise that's not particularly helpful.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: