We're implementing NAC and are experiencing some problems with NAI's posture validation attributes.
Frequently the attributes for NAI's VirusScan (8.0i Enterprise) are not received by ACS and clients get quarantined.
When authentication and authorization succeeds, the NAI's attributes are displayed in the ACS's passed authentication report. But when the user gets quarantined the report doesn't show NAI's attribute values.
This makes me think NAI didn't supply the attribute values to CTA.
Does anyone else have ACS 4, CTA (latest) and NAI's AntiVirus (8i) working together as expected? If so, what was the solution to the problems you experienced (I'm guessing you've at least had some ...)
CTA version 1 is not sending the Cisco:PA attribute to ACS 4.0. But CTA version 2 is working fine. The issue is ACS 4.0 is requesting an attribute, Machine Posture State, of CTA, which CTA 1.0 does not know (Machine Posture State was added to CTA 2.0). CTA should ignore it but it returns an error instead.
I'm having PV problems similar to yours. My set-up:
Client PC --> Cisco VPN concentrator --> ACS 4.0
If I enable anything but "any" in Network Access Profile/Authorization/System Posture Token, my client cannot connect. Cisco got into the boxes and then generated very detailed reports, and they show that PostureValidation.dll is missing from the ACS install directory. C:\Program Files\CiscoSecure ACS v4.0\Authenticators is where it should be. I re-installed but that didn't add that DLL file.
I'm sorry. We're using the appliance version of ACS and thus do not have access to the hard drive.
For your information, we've stopped the NAC pilot because of too many problems with the combination ACS / switches / Windows 2000/XP and McAfee. Both on the authentication and on the validation points the pilot failed dramatically. We keep hitting problems that amaze us by even existing. Most likely Cisco did little testing before they shipped the product (ACS).
I think "External DB account restrictions" are authentication failures and not authorization failures. The attributes for anti-virus are checked in the authorization section of the whole process. So have another look at your problem to be sure it's not an authentication problem.
Yes, External DB account restrictions are authentication failures. ACS fails authentication because the "Mandatory credentials" are not sent by the client (Panda credentials) to ACS (or not received by ACS).
I have created another external DB with CTA as the only mandatory credential and posture token CHECKUP, and now there are no clients with the DB account failure; they get the Checkup token.
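To make the two failure paths discussed in this thread concrete (a CTA 1.0 agent returning an error for an attribute request it does not understand, and a missing mandatory credential surfacing as an authentication failure before any posture rule is evaluated), here is an added toy model in Python. It is not code from the thread, from ACS or from CTA; the attribute names, the request list, the token ordering and the rules are constructed assumptions chosen only to reproduce the symptoms described above.

```python
from typing import Callable, Dict, List, Optional, Set, Tuple

# System posture tokens, best to worst; the overall result is the worst rule hit.
# (Ordering assumed from the Cisco NAC token list; a simplification of ACS behaviour.)
TOKENS = ["Healthy", "Checkup", "Transition", "Quarantine", "Infected", "Unknown"]

# Constructed sample attributes in "Vendor:Application:Attribute" form. The names
# are illustrative and are NOT the real CTA or McAfee attribute schema.
CTA1_KNOWN = {"Cisco:PA:OS-Type": "Windows XP", "Cisco:PA:PA-Version": "1.0"}
CTA2_KNOWN = {
    "Cisco:PA:OS-Type": "Windows XP",
    "Cisco:PA:PA-Version": "2.0",
    "Cisco:PA:Machine-Posture-State": "Booted",   # attribute name assumed
    "McAfee:AV:DAT-Version": "4712",             # attribute name assumed
}
# Same agent, but the AV plugin supplied nothing (the symptom in the first post).
CTA2_NO_AV = {k: v for k, v in CTA2_KNOWN.items() if not k.startswith("McAfee:")}

# What the server asks the agent for (constructed request list).
REQUEST = ["Cisco:PA:OS-Type", "Cisco:PA:Machine-Posture-State", "McAfee:AV:DAT-Version"]

# Authorization rules: (attribute, check, token assigned when the check fails
# or the attribute is absent from the client's credentials).
RULES: List[Tuple[str, Callable[[str], bool], str]] = [
    ("McAfee:AV:DAT-Version", lambda v: int(v) >= 4700, "Quarantine"),
    ("Cisco:PA:Machine-Posture-State", lambda v: v == "Booted", "Checkup"),
]


def posture_agent_reply(known: Dict[str, str], requested: List[str], strict: bool) -> Optional[Dict[str, str]]:
    """Simulate how a posture agent answers an attribute request from the server.

    strict=True mirrors the CTA 1.0 behaviour described in the thread: an attribute
    it does not know makes it return an error (None) instead of the rest.
    strict=False is the tolerant behaviour: ignore unknown attributes, return what it can.
    """
    reply: Dict[str, str] = {}
    for attr in requested:
        if attr in known:
            reply[attr] = known[attr]
        elif strict:
            return None
    return reply


def validate(creds: Optional[Dict[str, str]], mandatory: Set[str], rules) -> Tuple[str, str]:
    """Return (phase, outcome).

    A missing mandatory credential is an authentication failure (the thread notes
    ACS logs it as an external DB account restriction); only once past that are
    the rules evaluated to produce an authorization token.
    """
    if creds is None:
        return ("authentication", "fail: client returned an error")
    missing = sorted(m for m in mandatory if not any(k.startswith(m + ":") for k in creds))
    if missing:
        return ("authentication", "fail: mandatory credential missing " + ",".join(missing))
    worst = "Healthy"
    for attr, check, token in rules:
        value = creds.get(attr)
        if value is None or not check(value):
            if TOKENS.index(token) > TOKENS.index(worst):
                worst = token
    return ("authorization", worst)


def run_scenario(agent_known: Dict[str, str], strict: bool, mandatory=frozenset({"Cisco:PA"})) -> Tuple[str, str]:
    """One request/reply/validation round for a given agent and mandatory-credential set."""
    creds = posture_agent_reply(agent_known, REQUEST, strict)
    return validate(creds, set(mandatory), RULES)


if __name__ == "__main__":
    scenarios = [
        ("CTA 1.0, errors on unknown attribute", CTA1_KNOWN, True, {"Cisco:PA"}),
        ("CTA 1.0, if it ignored unknown attributes", CTA1_KNOWN, False, {"Cisco:PA"}),
        ("CTA 2.0 with AV attributes", CTA2_KNOWN, False, {"Cisco:PA"}),
        ("CTA 2.0, AV plugin supplied nothing", CTA2_NO_AV, False, {"Cisco:PA"}),
        ("CTA 2.0, Panda credential mandatory but absent", CTA2_KNOWN, False, {"Cisco:PA", "Panda"}),
    ]
    for name, known, strict, mandatory in scenarios:
        print(f"{name}: {run_scenario(known, strict, mandatory)}")
```

The point the model makes visible is that the quarantine in the first post and the "External DB account restrictions" in the later posts are different phases: the first is an authorization outcome from a rule whose attribute never arrived, the second stops the session before any rule runs, which is why relaxing the mandatory credential set to CTA alone moves clients from account failures to the Checkup token.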
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...