Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CCA unreliable Network Scanning using Clientless Mode

Cisco claimed that the Nessus based Network Scanning of CCA using "clientless mode" can determine missing Microsoft patches (CCA agent mode performs flawlessly). Our appliances version 3.6.2 can NOT detect most of the missing patches. When we create a local account known to the CCA, it can only determine less than 50% of the missing patches.

We got the same result also when we scan the computers using Nessus running on Linux, with the Safe Check enabled (I will scan them again with the Safe Check disabled). Thus we know that the poor performance is caused by the inherited Nessus limited scanning capability.

Any advise is welcome!

thanks,

Audie

3 REPLIES
Silver

Re: CCA unreliable Network Scanning using Clientless Mode

I suggest using a sniffer on your client pc to verify that the scan is making it to the host. Please be aware that the scanning module is Nessus and that no Nessus plugins are tested or supported by cisco.

"With release 3.6(0) and above, you can use Nessus 2.2 plugins to perform network scanning in Cisco Clean Access. The filename of the uploaded Nessus plugin archive must be plugins.tar.gz.

Note that most Nessus 2.2 plugins are backwards compatible with Nessus 2.0. Plugins not compatible with Nessus 2.2 can be updated by uploading

a new plugins.tar.gz archive."

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/cca/cca36/36rnhtm#wp38802

New Member

Re: CCA unreliable Network Scanning using Clientless Mode

Hi Thomas,

Yes the network scan is hitting the computers. The success rate determining missing patches is 5% using clientless. The rate goes up to 50-60% when local account known to CCA is created. The client mode has "great" success rate, but we cannot install it to the client computers.

Cisco SE's have checked the CCA, and stated that the thin-java client is our best hope. It may arrive in the end of this year :-(

thanks,

Audie

New Member

Re: CCA unreliable Network Scanning using Clientless Mode

We have better luck by disabling the "Safe Check". It is an unsupported configuration, but the network scanning get "slightly" better result. The success rate is about 10-20%, and it did not crash the XP computers.

I hope the thin java applet will come out soon.

thanks,

Audie

102
Views
0
Helpful
3
Replies