NAC agent-multiple antivirus version

Sep 3rd, 2009

Hi,

The customer has two versions of McAfee antivirus. What I need is for the user to get the same role when logging in to a PC with version X or a PC with version Y. Is it possible to create an AV install rule with OR logic? Something like: if version X OR version Y is installed on the PC, pass the check and give the user the role USER.

Thanks for help.

Faisal Sehbai Sun, 09/06/2009 - 07:25

Peter,

Roles are assigned based on your authentication (and mapping rules), not on the basis of your posture rules.

So what you can do here is tweak your requirement-rules.

- Go to Clean Access -> Clean Access Agent -> Requirements -> Requirement-Rules

- Choose the requirement

- Choose the correct OS

- Set requirement met to Any

- Checkmark the AV rules for both versions of AV

So now if your user role has this requirement enabled, any of those two AVs would satisfy the requirement.

tabrez_shaikh Sun, 09/06/2009 - 22:21

Dear Fasehbai

Can we have any version of antivirus software, e.g. will an evaluation version also work?

Can we have a remediation server to update the endpoint instead of going to the Internet for any update?

Faisal Sehbai Tue, 09/08/2009 - 04:26

Tabrez,

Yes to both questions. Setting those up will vary, but you can do both those things.

HTH,

Faisal

tabrez_shaikh Tue, 09/08/2009 - 22:41

Dear Faisal

It will be great if you can answer all of my queries.

1] What are the different category checks that NAC can implement? (for example, anti-virus, operating system, registry check, …)

Please provide snapshots of NAC policy/rules applied.

2] Service/Warranty: how much is it to renew the software licenses after the warranty expires?

Also, how much is it for the Yearly Subscription/maintenance of Licenses?

Suppose if we didn't renew the service, will our NAC work without updates?

3] Can we enforce updates using a PC placed in quarantine/inside/trusted area instead of using the internet (remediation server)?

4] Application check of end point: does it check for evaluation, trial, licensed, or unlicensed version of any application (for example, antivirus, OS, …)?

5] Let's say we configured the appliance to be VPN, thereafter is it possible to change it to wireless? If yes, how difficult is it?

6] After implementing the NAC VPN solution in a single-sign-on, how much time delay will it add to authenticating a remote user? In other words, will there be a considerable delay?

Faisal Sehbai Wed, 09/09/2009 - 17:37

1] What are the different category checks that NAC can implement? (for example, anti-virus, operating system, registry check, …)

Faisal: All of the above. It would take a good sized chapter to detail all you're asking for above in Q1, so I would therefore suggest a book for you to pick up and read. The title is "Cisco NAC Appliance: Enforcing Host Security with Clean Access (Paperback)". The ISBN for this book is 1587053063.

Also see the Video-On-Demand which explains all the requirement/rules etc. VODs are located here: http://tinyurl.com/d74t9u and you're looking for VOD 5.

2] Service/Warranty: how much is it to renew the software licenses after the warranty expires?

Also, how much is it for the Yearly Subscription/maintenance of Licenses?

Suppose if we didn't renew the service, will our NAC work without updates?

Faisal: Your account team is the best resource for this. I don't know the pricing. NAC will continue to work without renewal of service - you just won't get support for it.

3] Can we enforce updates using a PC placed in quarantine/inside/trusted area instead of using the internet (remediation server)?

Faisal: Yes, you can have your internal remediation servers you can point your clients to.

4] Application check of end point: does it check for evaluation, trial, licensed, or unlicensed version of any application (for example, antivirus, OS, …)?

Faisal: Yes to all. The rule/requirement capabilities of CCA are very flexible and you can get quite creative.

5] Let's say we configured the appliance to be VPN, thereafter is it possible to change it to wireless? If yes, how difficult is it?

Faisal: Same CAS can work for both wireless and VPN. How difficult? Depends on your network. Your account team again would be the best resource to get you a design.

6] After implementing the NAC VPN solution in a single-sign-on, how much time delay will it add to authenticating a remote user? In other words, will there be a considerable delay?

Faisal: Delay for authentication is minimal (two seconds to five seconds). If your client, however, needs remediation, that delay is separate.

tabrez_shaikh Wed, 09/09/2009 - 21:25

Dear Fasehbai

Thanks for your helpful information. I will follow the instructions given by you.
