
ACS / NAC phase 2 / posture validation with Symantec AV

Hi,

We are encountering a problem implementing NAC phase 2 with Symantec.

The ACS is an appliance, version 4.0.

We've installed the Symantec AV pair on the ACS: that's OK.

The following software is installed on the client PC:

- Cisco CTA : ctasetup-win-2.0.1.14.exe

- Aegis SecureConnect 2KXP-4_0_4.msi

- Symantec client security posture plug-in.msi together with the associated setup.exe

Moreover, client PC is configured to use EAP-FAST with mschapv2.

We've defined an internal posture validation on the ACS.

The first rule of this posture is performed on the following Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.

When the first rule of this posture matches, the associated posture token (RADIUS authorization component) doesn't return the associated VLAN, so the user must be placed into the VLAN associated by default with the port.

The default rule is associated with another authorization component that returns the quarantine VLAN.

The problem is that we don't manage to match on this posture.

It's as if the client doesn't send the parameters.

Logs on the ACS indicate the following:

- message type : authen failed

- authen failure code : posture validation failure (general)

- eap type name : EAP-FAST

- reason: no matched required credential types in any posture validation rule

- cisco:PA:OS-type : OK, well retrieved (windows XP professional)

- cisco:Host:ServicePack: OK, well retrieved (service pack 2)

- but none of the Symantec AV could be retrieved.

Symantec indicated to us that their AV server isn't yet compatible with ACS.

So external posture validation isn't possible in our case.

Only internal posture validation should work.

But no way to retrieve Symantec information from CTA.

Thanks in advance for your attention.

Best Regards,

Arnaud


irisrios
Level 6

If you want to integrate, say, McAfee Antivirus, you need to get 2 things: the CTA plugin and the *.adf file directly from Symantec. Then the ADF file(s) should be imported into ACS. After that it will be possible to configure AV vendor-related Posture Validation Policies in ACS.

MARK BAKER
Level 4

I had investigated this issue about 1 year ago. I was able to match on any Symantec AV pair available in ACS except Symantec AV pair: Symantec:AV:Dat-Date days-since-lastupdate.

I finally found that the read-me file, installed along with the Symantec plugin that interacts with CTA, contains a paragraph explaining that the Dat-Date days-since-lastupdate is not supported by the Symantec plugin.

This was at least 1 year ago. I was hoping that Symantec would fix this in future releases of the plugin. It basically forces you to manually update DAT-DATE policies on Cisco ACS as they change. If this AV pair was supported, the process could be "configure and forget".

I am interested in knowing when this will be supported.

NOTE: At the time, Symantec support did not know a lot about NAC or how it worked with their product.

Thanks,

Mark

Hi,

We've finally managed to solve the problem.

Currently, Symantec doesn't support NAC Phase II. They only support NAC Phase I.

They intend to support Phase II with the next Anti-Virus major release (by the end of the year).

But there's a way to have Symantec working with ACS with internal postures, especially Dat-Date days-since-lastupdate.

First, you need to install Symantec VPN Sentry. This is used by Symantec to exchange data with CTA.

Then, you need to modify files in the directory /Program Files/Common Files/Posture Agent/Plugins.

There are 2 Files in this directory: SYM_PP.dll and SYM_PP.inf.

We've added a file named SYM_PP2.inf.

We've defined this file with the posture needed. Here are the lines it contains:

[main]

PluginName=SYMC_PP2.dll

VendorID=393

VendorIDName=Symantec Corporation

AppList=av,fw

[av]

AppType=3

AppTypeName=Symantec AntiVirus

AttributeList=attr1,attr2,attr3,attr4,attr5,attr6, attr7

attr1=3,string,Software Name

attr2=4,unsigned32,Software Id

attr3=5,version,Software Version

attr4=6,version,Scan Engine Version

attr5=7,version,Dat Version

attr7=8,Time,Dat Date

attr6=9,unsigned32,Protection Enabled

[fw]

AppType=4

AppTypeName=Symantec Client Firewall

AttributeList=attr1,attr2,attr3,attr4

attr1=3,string,Software Name

attr2=4,unsigned32,Software Id

attr3=5,version,Software Version

attr4=9,unsigned32,Protection Enabled

As you can see, the file calls the SYM_PP2.dll. This is the previous DLL version from Symantec. It was sent to us by Symantec tech support.

This solution works, but it is officially not supported by Symantec.

Hope that helps.

Best Regards,

Arnaud
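
A check for the plugin .inf format shown in the post above, as an added example that is not part of the original post and not Symantec or Cisco code. It assumes, from the posted file only, that each name in AttributeList points at an `attrN=id,type,name` line; the function names are hypothetical. It reports AttributeList entries with no definition and tells you whether the attribute an ACS rule tests (here Dat Date) is declared by the plugin at all.

```python
import configparser

# Constructed sample: [main] and [av] from the SYM_PP2.inf posted above
# (AppList shortened to "av" because the [fw] section is left out here).
SAMPLE_INF = """\
[main]
PluginName=SYMC_PP2.dll
VendorID=393
VendorIDName=Symantec Corporation
AppList=av
[av]
AppType=3
AppTypeName=Symantec AntiVirus
AttributeList=attr1,attr2,attr3,attr4,attr5,attr6, attr7
attr1=3,string,Software Name
attr2=4,unsigned32,Software Id
attr3=5,version,Software Version
attr4=6,version,Scan Engine Version
attr5=7,version,Dat Version
attr7=8,Time,Dat Date
attr6=9,unsigned32,Protection Enabled
"""

def parse_plugin_inf(text):
    """Return ({app: {attr name: (id, type)}}, [problems]) for a plugin .inf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    apps, problems = {}, []
    for app in (a.strip() for a in cp["main"]["AppList"].split(",")):
        if app not in cp:
            problems.append(f"AppList names [{app}] but the section is missing")
            continue
        attrs = {}
        # Assumption: AttributeList entries are keys of attrN=id,type,name lines.
        for key in (k.strip() for k in cp[app]["AttributeList"].split(",")):
            if key not in cp[app]:
                problems.append(f"[{app}] AttributeList names {key} but it is not defined")
                continue
            attr_id, attr_type, name = (p.strip() for p in cp[app][key].split(",", 2))
            attrs[name] = (int(attr_id), attr_type)
        apps[app] = attrs
    return apps, problems

def missing_credentials(text, required):
    """required: [(app section, attribute name)] that the ACS rule tests."""
    apps, problems = parse_plugin_inf(text)
    missing = [(a, n) for a, n in required if n not in apps.get(a, {})]
    return missing, problems

if __name__ == "__main__":
    print(missing_credentials(SAMPLE_INF, [("av", "Dat Date")]))
```
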

Hi Arnaud,

Can you send me the SYM_PP2.dll? I need Dat-Date with Symantec and I don't obtain it.

Regards.

Hi,

No problem to send you the files.

Please let me know your email address and I'll post them to them.

Best Regards,

Arnaud

sahase
Level 1

Hi.

Please examine the following directories on the client PC. Is the Symantec plugin file installed?

\Program Files\Common Files\PostureAgent\Plugins

\Program Files\Common Files\PostureAgent\Plugins\Install

-----

Plugin Installation and Upgrade

Each NAC-compliant application is responsible for installing its own posture plugin on end systems.

Plugins for Windows environments are installed in this directory:

\Program Files\Common Files\PostureAgent\Plugins\Install

When CTA receives a posture request, it scans the PostureAgent\Plugins\Install directory for new or updated posture plugins. If there are new or updated posture plugins in the PostureAgent\Plugins\Install directory, CTA performs one of the following actions:

- If the .dll plugin does not exist in the PostureAgent\Plugins directory, CTA moves the plugin files from the PostureAgent\Plugins\Install directory to the PostureAgent\Plugins directory.

- If the .dll plugin does exist in the PostureAgent\Plugins directory, then CTA checks to see if the plugin in the PostureAgent\Plugins\Install directory is newer than the one in the Plugins directory. CTA then moves the newer plugin to the PostureAgent\Plugins directory and overwrites the older one. If the plugin in the PostureAgent\Plugins\Install directory is older than the one in the Plugins directory, CTA deletes it, and continues to use the original plugin.

- If the plugin creates an error during registration, CTA moves the plugin to the following directory (if the logging is enabled, the error information is logged):

http://www.cisco.com/en/US/products/ps5923/products_maintenance_guide_chapter09186a00806870db.html

-----

best regards,

sahase
