NAC Installation Issues/Questions

Oct 1st, 2010

I have been attempting to get NAC deployed in the last month.  I have come up with a few issues.

I upgraded to 4.8 and that went smoothly.  I have an in-band deployment and will be using ASA VPN connections once I get everything working correctly.  A couple of the issues I've experienced are:

  • Windows NAC Agent.  I have the NAC Agent installed on a couple of virtual workstations and get no login option, and the Agent just does not seem to be communicating with the server.  I can do a Web-based check on systems but not using the Windows Agent.  I need to use the Windows Agent.  I've searched through the documentation and did not find too much information on how to troubleshoot this.  There is SOME, and I have checked out all of the suggestions with no luck.  Any ideas on what to check?
  • Check and Rule updates.  I have had updates running daily for about two weeks and only seem to get updates on virus signatures, etc.  There have been no checks pushed on operating system issues.  I know there have been some microsoft patches put out in the last couple of weeks but there is no sign of them in the checks.  Is there a configuration item I am missing or is it just that these updates only come once a month or so?....in our implementation we need to get all updates checked immediately.  I'd rather avoid having to manually create checks all the time....
  • Snapshots.  I am currently doing most of my work in a lab environment for testing.  I intend to deploy the appliances to one of our remote locations in the next couple of weeks.  We have additional NAC appliances which we are going to stand up in our home office location.  I attempted to take a snapshot from the appliance I am currently using and upload it to another.  Hard to tell if it works or not.  I get a warning that it must be a valid file...hit OK and I don't believe anything really happens.  I don't see any kind of entry in the event log.  What I would LIKE to happen is to be able to configure new rules, etc at our home office and be able to deploy this by some sort of upload rather than having to create them twice.  Is there a way to do this?

I have a few more questions but will save them for later.  Any assistance is greatly appreciated!

Liam

Faisal Sehbai Sat, 10/02/2010 - 20:38

Liam,

Regarding the agents not logging in, are you sure they're able to communicate with the CAS? You said it's an Inband solution for VPN but didn't mention what mode it's in. If it's Real-IP, can you ping the untrusted side of the CAS? If VGW, can you ping your default gateway for your VPN pool? What happens when you try to browse to the CAS's IP address?

Checks and rules are updated a number of times every day. The MS rules are updated within 48-72 hours after MS releases them on the second Tuesday of the month. For a faster evaluation, I'd say use the WSUS check which makes your clients check in with the MS servers directly, hence expediting the process.

Regarding the snapshot question, not entirely sure what you're aiming for there. If the intent is to configure the rules/requirements on one CAM and have them updated on the other, look at Policy sync options. Policy sync is designed with that particular need in mind. This however won't work if you're looking to replicate your entire environment (for example, policy sync won't copy over your CAS settings)

Write back here with more questions, if/when you have any.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

docmilligan Sun, 10/03/2010 - 12:29

Faisal, responses inline below:

> Liam,
>
> Regarding the agents not logging in, are you sure they're able to communicate with the CAS? You said it's an Inband solution for VPN but didn't mention what mode it's in. If it's Real-IP, can you ping the untrusted side of the CAS? If VGW, can you ping your default gateway for your VPN pool? What happens when you try to browse to the CAS's IP address?

We are in a Real-IP environment.  We can ping the server and the manager from the clients.  We can also browse to the CAS's IP address, where we get a login request for the Web Assessment by the server.  Log in at that time with user name and password and get the assessment page, where we can download and install the Windows agent or use the web agent.  If we download and install the Windows agent again, it reinstalls and then does nothing (still don't get a login option from the Agent icon in the system tray).  If we do an assessment using the Web assessment agent, an assessment is completed on the system.

> Checks and rules are updated a number of times every day. The MS rules are updated within 48-72 hours after MS releases them on the second Tuesday of the month. For a faster evaluation, I'd say use the WSUS check which makes your clients check in with the MS servers directly, hence expediting the process.

Since they come out on the second Tuesday of the month, we will wait a couple more weeks then...we probably started downloading around the third week of the month.

> Regarding the snapshot question, not entirely sure what you're aiming for there. If the intent is to configure the rules/requirements on one CAM and have them updated on the other, look at Policy sync options. Policy sync is designed with that particular need in mind. This however won't work if you're looking to replicate your entire environment (for example, policy sync won't copy over your CAS settings)

Basically, what we are aiming for is this:  We have to ship two appliances (NAS/NAM) to our remote server farm for placement on our network this week.  I'd like to get them pretty much fully configured by the time they leave and have to do minimal changes once deployed.  We will eventually be adding the HA option to these two appliances and understand that we can sync between the NAMs in the HA deployment.  What I'd like to do is be able to make configuration changes in my lab (I have two more NAS/NAMs which will be deployed after the first set) and be able to import the additional checks and rules that I will be making in the next few weeks to the NAS/NAM that are being deployed this coming week.  From what I can tell, the check, rule and requirement configuration is going to be a constantly moving target (as new checks come out I will have to configure them for use).  We are trying to avoid having to create them twice (once for our home office here and another time for our remote site).  EVENTUALLY, we will have four NAS/NAMs deployed at each site (for HA) and I'd like a way to be able to create the checks, rules and requirements here once and be able to import them into the remote location's NAS/NAMs.  They will be two separate installations on two separate domains.  My hope was to take all the work I have done on the set of appliances that are being deployed this week and save it via a snapshot so I could import it into the new NAM that I am going to install in my lab this week, so I can start from where I left off rather than have to recreate everything from scratch.  Does this make better sense?

Thanks for your assistance!

> Write back here with more questions, if/when you have any.
>
> HTH,
>
> Faisal
>
> --
>
> If you find this post helpful, please rate so others can find the answer easily

docmilligan Sun, 10/03/2010 - 15:29

OK...have a quick update...I got the Windows CAS Agent to work.  The Login option is no longer greyed out.  Seems it was a certificate issue.  I found something regarding server authentication...the thread stated that with 4.7 and greater there are multiple things used to authenticate with the server, and if they don't all match up you won't get a logon with the agent.  What I did was:

  • Recreated the Server's temporary SSL certificate to include just the FQDN in the CN field...nothing further.
  • Made sure the new cert was in the trusted store for the Manager so it could connect to the server.
  • Modified the NACAgentConfig.xml file to include the [FQDN] field.
    • Also verified the IP for the Discovery Host was correct.  Note that this file has to be opened by an administrator to save it, so when you run Notepad to modify the file you need to Run as Administrator.
  • Restarted the Agent.
  • After a minute or so I was given a warning that the certificate wasn't trusted and the option to add it to my certificate store.  Since I am in a lab environment at present I added it to the store.  Once I go live it won't be an issue since the DOD certificate I will be using will be trusted by the workstations.
  • A short time after I installed the certificate I got the NAC Agent Login screen and was able to log in and have the workstation checked by the Server.

Got over that hill, now on to the next....trying to get the ASA SSO authentication to work....That should not be TOO difficult...we'll see tomorrow.

We'd still like to find a way to be able to back up and restore our checks, rules and requirements.

Thanks.

docmilligan Tue, 10/05/2010 - 08:58

Back to the drawing board I guess...had to change the FQDN on the certificate for the server (I had fat-fingered it)...changed the certificate, published it everywhere I needed to publish, changed the ServerNameRules field of the XML NACAgentConfig.xml file to the new FQDN.  It stopped working.  I made sure the old certificate was no longer listed in the workstation's certs.....shortly after I start the agent I get a notice that the cert is not trusted...I install the certificate and tell the warning box to proceed (hit yes)....the box goes away...nothing else happens...we have monitored activity on ports 8905 and 8906 using Wireshark, but the agent just won't pop up and do its thing.

Any more ideas???
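The two posts above describe three things that have to agree before the Windows agent offers its Login option: the Discovery Host in the agent's XML config, the ServerNameRules FQDN in that same file, and the name in the CAS certificate's CN. The following is an added example, not code from the thread or from Cisco, that checks all three from a workstation. The XML element names (DiscoveryHost, ServerNameRules), the sample hostnames, TLS on port 443, and the use of the optional `cryptography` package for parsing the fetched certificate are assumptions for illustration; the exact-match rule it applies is the one the poster arrived at (CN must be the FQDN and nothing more).

```python
"""
Added example (not from the thread or from Cisco): a stand-alone checker for
the three things the posts say must line up before the NAC Agent shows Login.
Element names, hostnames and the TLS port are assumptions for illustration.
"""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

AGENT_PORTS = (8905, 8906)  # the ports watched with Wireshark in the thread

# Constructed sample config for illustration; element names are ASSUMED,
# not taken from Cisco's documented NACAgentConfig.xml schema.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<cfg>
  <DiscoveryHost>10.0.0.10</DiscoveryHost>
  <ServerNameRules>cas.lab.example.com</ServerNameRules>
</cfg>
"""


def parse_agent_config(xml_text):
    """Return (discovery_host, server_name_rules) from the agent config text."""
    root = ET.fromstring(xml_text)
    host = (root.findtext("DiscoveryHost") or "").strip()
    rules = (root.findtext("ServerNameRules") or "").strip()
    return host, rules


def cert_names(peercert):
    """CN values plus DNS SANs from an ssl.getpeercert()-style dict."""
    names = []
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def cert_matches(peercert, expected_fqdn):
    """True only when a CN or DNS SAN equals the expected FQDN exactly
    (case-insensitively). Extra words in the CN, or a typo in either the
    certificate or ServerNameRules, both fail, which is the mismatch the
    poster ran into."""
    want = expected_fqdn.strip().lower()
    return any(n.strip().lower() == want for n in cert_names(peercert))


def tcp_open(host, port, timeout=3.0):
    """Plain TCP reachability check for one agent port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_peercert(host, port):
    """Pull the CAS certificate as a getpeercert()-style dict without
    trusting it first. The stdlib only decodes certificates it has verified,
    so the optional 'cryptography' package (assumed installed) parses the PEM."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    pem = ssl.get_server_certificate((host, port))  # unverified fetch
    cert = x509.load_pem_x509_certificate(pem.encode())
    cns = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        sans = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    return {"subject": tuple((("commonName", cn),) for cn in cns),
            "subjectAltName": tuple(("DNS", s) for s in sans)}


def diagnose(xml_text, cas_host=None, tls_port=443):
    """Run the three checks and return the findings as a dict."""
    discovery_host, expected_fqdn = parse_agent_config(xml_text)
    target = cas_host or expected_fqdn
    report = {"discovery_host": discovery_host, "expected_fqdn": expected_fqdn,
              "ports": {p: tcp_open(target, p) for p in AGENT_PORTS}}
    try:
        report["cert_ok"] = cert_matches(fetch_peercert(target, tls_port), expected_fqdn)
    except Exception as exc:  # unreachable host, TLS failure, missing package
        report["cert_ok"] = False
        report["cert_error"] = str(exc)
    return report


if __name__ == "__main__":
    cfg = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for key, value in diagnose(cfg).items():
        print(f"{key}: {value}")
```

Run it with the path to the agent's XML file as the only argument; a `cert_ok: False` next to open ports points at the CN/ServerNameRules mismatch rather than at connectivity, which is the split the poster had to work out by hand.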

Faisal Sehbai Tue, 10/05/2010 - 18:21

William,

Answering a few points raised in your previous messages:

- The checks and rules don't have to be such a moving target as you are making them out to be. Microsoft patches happen once a month, and if you use the WSUS or WU requirements, the WU/AU client on the machines will take care of them and you don't have to change anything in the checks/rules at all for it to work.

- Similarly for AV updates, if you set your CAM to update its checks/rules every so often, you will get the latest definitions added to the CAM, and thus the CAM will be able to check for those. For this to work, you don't need to change any rules/requirements.

- The discovery host that you put in the agent's properties should be the VIP (IP or DNS name) of the CAM. It can be any host living on the trusted side. The basic idea is to generate traffic towards the trusted network, and when the CAS (which should be in the pathway of that traffic - if things are laid out right) intercepts it, it will ask the agent to authenticate and then based on the authentication (and role applied) it will ask for posture.

If you are getting stuck at any of these, may I suggest opening a TAC case so an engineer can look at your setup live and help fix things or suggest better ways of doing things?

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily
