10-01-2010 09:42 AM - edited 02-21-2020 04:06 AM
I have been attempting to get NAC deployed in the last month. I have come up with a few issues.
I upgraded to 4.8 and that went smoothly. I have an in-band deployment and will be using an ASA VPN connections
once I get everything working correctly. A couple of the issues I've experienced are:
I have a few more questions but will save them for later. Any assistance is greatly appreciated!
Liam
10-02-2010 08:38 PM
Liam,
Regarding the agents not logging in, are you sure they're able to communicate with the CAS? You said it's an Inband solution for VPN but didn't mention what mode it's in. If it's Real-IP, can you ping the untrusted side of the CAS? If VGW, can you ping your default gateway for your VPN pool? What happens when you try to browse to the CAS's IP address?
Checks and rules are updated a number of times every day. The MS rules are updated within 48-72 hours after MS releases them on the second Tuesday of the month. For a faster evaluation, I'd say use the WSUS check which makes your clients check in with the MS servers directly, hence expediting the process.
Regarding the snapshot question, not entirely sure what you're aiming for there. If the intent is to configure the rules/requirements on one CAM and have them updated on the other, look at Policy sync options. Policy sync is designed with that particular need in mind. This however won't work if you're looking to replicate your entire environment (for example, policy sync won't copy over your CAS settings).
Write back here with more questions, if/when you have any.
HTH,
Faisal
--
If you find this post helpful, please rate so others can find the answer easily
10-03-2010 12:29 PM
Faisal, responses inline below:
> Liam,
> Regarding the agents not logging in, are you sure they're able to communicate with the CAS? You said it's an Inband solution for VPN but didn't mention what mode it's in. If it's Real-IP, can you ping the untrusted side of the CAS? If VGW, can you ping your default gateway for your VPN pool? What happens when you try to browse to the CAS's IP address?
We are in a Real-IP environment. We can ping the server and the manager from the clients. We can also browse to the CAS's IP address, where we get a login request for the Web Assessment by the server. Log in at that time with user name and password and get the assessment page where we can download and install the Windows agent or use the web agent. If we download and install the Windows agent again, it reinstalls and then does nothing (still don't get a login option from the Agent icon on the system tray). If we do an assessment using the Web assessment agent, an assessment is completed on the system.
> Checks and rules are updated a number of times every day. The MS rules are updated within 48-72 hours after MS releases them on the second Tuesday of the month. For a faster evaluation, I'd say use the WSUS check which makes your clients check in with the MS servers directly, hence expediting the process.
Since they come out on the second Tuesday of the month we will wait a couple of more weeks then...we probably started downloading around the third week of the month.
> Regarding the snapshot question, not entirely sure what you're aiming for there. If the intent is to configure the rules/requirements on one CAM and have them updated on the other, look at Policy sync options. Policy sync is designed with that particular need in mind. This however won't work if you're looking to replicate your entire environment (for example, policy sync won't copy over your CAS settings).
Basically, what we are aiming for is this: We have to ship two appliances (NAS/NAM) to our remote server farm for placement on our network this week. I'd like to get them pretty much fully configured by the time they leave and have to do minimal changes once deployed. We will eventually be adding the HA option to these two appliances and understand that we can sync between the NAMs in the HA deployment. What I'd like to do is be able to make configuration changes in my lab (I have two more NAS/NAMs which will be deployed after the first set) and be able to import the additional checks and rules that I will be making in the next few weeks to the NAS/NAM that are being deployed this coming week. From what I can tell the check, rule and requirement configuration is going to be a constantly moving target (as new checks come out I will have to configure them for use). We are trying to avoid having to create them twice (once for our home office here and another time for our remote site). EVENTUALLY, we will have four NAS/NAMs deployed at each site (for HA) and I'd like a way to be able to create the checks, rules and requirements here once and be able to import them into the remote location's NAS/NAMs. They will be two separate installations on two separate domains. My hope was to take all the work I have done on the set of appliances that are being deployed this week and save it via a snapshot so I could import it into the new NAM that I am going to install in my lab this week so I can start from where I left off rather than have to recreate everything from scratch. Does this make better sense?
Thanks for your assistance!
> Write back here with more questions, if/when you have any.
> HTH,
> Faisal
> --
> If you find this post helpful, please rate so others can find the answer easily
10-03-2010 03:29 PM
OK...have a quick update...I got the Windows CAS Agent to work. The Login option is no longer greyed out. Seems it was a certificate issue. I found something regarding server authentication...the thread stated that with 4.7 and greater there are multiple things used to authenticate with the server and if they don't all match up you won't get a logon with the agent. What I did was:
Got over that hill, now on to the next....trying to get the ASA SSO authentication to work....That should not be TOO difficult...we'll see tomorrow.
We'd still like to find a way to be able to back up and restore our checks, rules and requirements.
Thanks.
10-05-2010 08:58 AM
Back to the drawing board I guess...had to change the FQDN on the certificate for the server (I had fat fingered it)...changed the certificate, published it everywhere I needed to publish, changed the ServerNameRules field of the NACAgentConfig.xml file to the new FQDN. It stopped working. I made sure the old certificate was no longer listed in the workstation's certs.....shortly after I start the agent I get a notice that the cert is not trusted...I install the certificate and tell the warning box to proceed (hit the yes)....the box goes away...nothing else happens...we have monitored activity on ports 8905 and 8906 using Wireshark but the agent just won't pop up and do its thing.
Any more ideas???
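The two posts above come down to the same failure: the agent compares the name it is configured to trust (the ServerNameRules value in NACAgentConfig.xml) against the names in the certificate the CAS presents, and a typo in either side silently blocks the login. The script below is an added example, not code from the thread or from Cisco: it pulls ServerNameRules out of a constructed agent config (the real NACAgentConfig.xml layout is not shown in the thread, so the surrounding element names are an assumption), reads the CN and DNS SANs from the text that `openssl x509 -noout -subject -ext subjectAltName` prints for the server certificate (sample output constructed here), and reports whether any certificate name matches the configured FQDN, including a single-label `*.` wildcard.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample agent config. Only the ServerNameRules field name comes
# from the thread; the <cfg> and <DiscoveryHost> elements are assumptions.
AGENT_CONFIG_XML = """<?xml version="1.0"?>
<cfg>
  <DiscoveryHost>cam-vip.corp.example</DiscoveryHost>
  <ServerNameRules>cas01.corp.example</ServerNameRules>
</cfg>
"""

# Constructed sample of what
#   openssl x509 -in cas.pem -noout -subject -ext subjectAltName
# prints (OpenSSL 1.1.1+ style) for a correctly issued CAS certificate.
OPENSSL_OUTPUT_OK = """subject=C = US, O = Example Corp, CN = cas01.corp.example
X509v3 Subject Alternative Name:
    DNS:cas01.corp.example, DNS:cas01
"""

# Same command, but for a certificate issued with a fat-fingered FQDN.
OPENSSL_OUTPUT_TYPO = """subject=C = US, O = Example Corp, CN = cas01.corp.exmaple
X509v3 Subject Alternative Name:
    DNS:cas01.corp.exmaple
"""


def normalise(name: str) -> str:
    """Lower-case, trim whitespace and a trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def configured_server_name(config_xml: str) -> str:
    """Return the ServerNameRules value the agent will insist on."""
    root = ET.fromstring(config_xml)
    node = root.find("ServerNameRules")
    if node is None or not (node.text or "").strip():
        raise ValueError("ServerNameRules is missing from the agent config")
    return normalise(node.text)


def certificate_names(openssl_text: str) -> list[str]:
    """Collect the subject CN and every DNS SAN from openssl's text output."""
    names = []
    m = re.search(r"CN\s*=\s*([^,\n]+)", openssl_text)
    if m:
        names.append(normalise(m.group(1)))
    for san in re.findall(r"DNS:([^,\s]+)", openssl_text):
        names.append(normalise(san))
    return names


def name_matches(cert_name: str, expected: str) -> bool:
    """RFC 6125-style comparison: exact match, or a wildcard covering one label."""
    if cert_name == expected:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # e.g. ".corp.example"
        head, _, rest = expected.partition(".")
        return bool(head) and "." + rest == suffix
    return False


def check_agent_trust(config_xml: str, openssl_text: str) -> tuple[bool, str]:
    """Report whether the configured FQDN is covered by the presented certificate."""
    expected = configured_server_name(config_xml)
    presented = certificate_names(openssl_text)
    matched = [n for n in presented if name_matches(n, expected)]
    if matched:
        return True, f"ServerNameRules '{expected}' matches certificate name '{matched[0]}'"
    return False, (f"ServerNameRules '{expected}' matches none of the certificate names "
                   f"{presented}; the agent will not trust this server")


if __name__ == "__main__":
    for label, output in (("good cert", OPENSSL_OUTPUT_OK), ("typo cert", OPENSSL_OUTPUT_TYPO)):
        ok, detail = check_agent_trust(AGENT_CONFIG_XML, output)
        print(f"{label}: {'OK' if ok else 'MISMATCH'} - {detail}")
```

In practice you would paste in the real openssl output for the certificate the CAS actually serves (exported from the CAS or captured from the client side) rather than the constructed strings, and run the check before rolling a changed certificate or config out to the workstations; a mismatch here is the same condition that leaves the agent's login option greyed out.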
10-05-2010 06:21 PM
William,
Answering a few points raised in your previous messages:
- The checks and rules don't have to be such a moving target as you are making them out to be. Microsoft patches happen once a month, and if you use the WSUS or WU requirements, the WU/AU client on the machines will take care of them and you don't have to change anything in the checks/rules at all for it to work.
- Similarly for AV updates, if you set your CAM to update its checks/rules every so often, you will get the latest definitions added to the CAM, and thus the CAM will be able to check for those. For this to work, you don't need to change any rules/requirements.
- The discovery host that you put in the agent's properties should be the VIP (IP or DNS name) of the CAM. It can be any host living on the trusted side. The basic idea is to generate traffic towards the trusted network, and when the CAS (which should be in the pathway of that traffic, if things are laid out right) intercepts it, it will ask the agent to authenticate and then, based on the authentication (and role applied), it will ask for posture.
If you are getting stuck at any of these, may I suggest opening a TAC case so an engineer can look at your setup live and help fix things or suggest better ways of doing things?
HTH,
Faisal
--
If you find this post helpful, please rate so others can find the answer easily