
NAC attribute definition File

jmoreno
Level 1

I need to find the NAC attribute definition file for the VirusScan antivirus from Network Associates. I searched the web but did not find it. Does somebody know where I can download it?

10 Replies

smahbub
Level 6

ACS does not include any non-Cisco attributes by default. Therefore, you must import a NAC Attribute Definition File (ADF) from each vendor application that you would like to validate in your NAC posture-validation policies. The attributes that are added can be used to create conditions for internal policies.

NAC introduces the ability to authorize network hosts not only based upon user or machine identity; but also upon a host's posture validation. The posture validation is determined by comparing the host's credentials to a posture-validation policy which you create from attribute-value pairs (AVPs), which are defined by Cisco and other vendors who are NAC partners. Since the range of NAC attributes extends across many vendors and applications, you must import the non-Cisco attributes.

To import a NAC attribute definition file:

Obtain one or more ADFs for the NAC-compatible applications that you want to validate with ACS.

Place the ADFs in the same directory as the ACS utility, CSUtil.exe, or a directory that is accessible by CSUtil.exe.

On the host that is running ACS, open a cmd command prompt and navigate to the directory that contains CSUtil.exe.

Add the AVPs to ACS by using the command:

CSUtil.exe -addAVP filename.adf

After successfully adding the AVPs, restart CSAdmin, CSLog, and CSAuth.

In some cases ACS includes the first 2 attributes of vendors, for example Altiris or Qualys auditserver.

They are in config but not active.

To activate them you need a dummy attribute-definition-file, for example:

[attr#0]

vendor-id=ID

vendor-name=NAME

application-id=6

application-name=Audit

attribute-id=00003

attribute-name=Dummy-attr

attribute-profile=out

attribute-type=unsigned integer

But in your case you will need more than this, so the only way is to contact the distributor or your Cisco contact for that file. (I got my 2 ADF files I used from Cisco, because the distributor didn't have them, weird but true.)

And don't forget the client-side info files for the posture agent, you will need them too (.inf, .dll).

Best regards

harry

abz
Level 1

You can use the following for Network Associates as the ADF file. Unfortunately, when you try to find these files they are hard to find and nobody seems to know what you are talking about. Just copy and paste these and import them using CSUtil.exe. After importing this you will need to restart CSAdmin, CSLog and CSAuth.

Adam

ADF Below:

[attr#29]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00001

attribute-name=Application-Posture-Token

attribute-profile=out

attribute-type=unsigned integer

[attr#30]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00002

attribute-name=System-Posture-Token

attribute-profile=out

attribute-type=unsigned integer

[attr#31]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00003

attribute-name=Software-Name

attribute-profile=in out

attribute-type=string

[attr#32]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00004

attribute-name=Software-ID

attribute-profile=in out

attribute-type=unsigned integer

[attr#33]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00005

attribute-name=Software-Version

attribute-profile=in out

attribute-type=version

[attr#34]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00006

attribute-name=Scan-Engine-Version

attribute-profile=in out

attribute-type=version

[attr#35]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00007

attribute-name=Dat-Version

attribute-profile=in out

attribute-type=version

[attr#36]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00008

attribute-name=Dat-Date

attribute-profile=in out

attribute-type=date

[attr#37]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00009

attribute-name=Protection-Enabled

attribute-profile=in out

attribute-type=unsigned integer

[attr#38]

vendor-id=3401

vendor-name=NAI

application-id=3

application-name=AV

attribute-id=00010

attribute-name=Action

attribute-profile=out

attribute-type=string

So it's one standard for all!? As I see, for an AV client it's just necessary to change the vendor-id and the vendor-name, everything else is identical.

The one you posted is for example the same as the ADF for Trend Micro (just vendor-id=6101 and vendor-name=Trend).

Harry,

I guess so. I do know that it works for doing posture validation.

Adam

slipovse
Cisco Employee

ADF files can be downloaded here: http://nac.cisco.com/Public/NACProgram/ADFs/

Silvo

Hi Silvo, the URL you provided can't be opened?

Hello

I have tried to save this in a file and run it, but it doesn't work. I get this:

C:\Program Files\CiscoSecure ACS v4.0\bin>CSUtil.exe -addAVP c:\test\nac.adf

CSUtil v4.0(1.27), Copyright 1997-2005, Cisco Systems Inc

=== AVP Summary ===

0 AVPs have been added to the dictionary (DB).

C:\Program Files\CiscoSecure ACS v4.0\bin>

I solved the problem. It was the number in the file.

The first attribute definition in the file must have the header [attr#0], the second attribute definition in a file must have the header [attr#1], and so on. A break in the numbering causes CSUtil.exe to ignore attribute definitions at the break and beyond. For example, if in a file with 10 attribute definitions the fifth attribute is defined as [attr#5] instead of [attr#4], CSUtil.exe ignores the attribute that is defined as [attr#5] and the remaining five attributes following it.

Yes, you're correct about that attr#. We figured this out the other day. The ADF must begin with attr0.
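The header-numbering rule from the replies above, as an added example that is not part of the original thread and is not Cisco code: it finds where an ADF's [attr#N] sequence first breaks and renumbers the headers from 0 before the file is passed to CSUtil.exe -addAVP. The function names are hypothetical, and accepted_count models the rule only as the thread states it.

```python
import re

HEADER = re.compile(r"^\[attr#(\d+)\]$")

def header_numbers(adf_text):
    """Return the N of every [attr#N] header, in file order."""
    matches = (HEADER.match(line.strip()) for line in adf_text.splitlines())
    return [int(m.group(1)) for m in matches if m]

def first_break(adf_text):
    """Index of the first header that is not [attr#<index>], or None if sequential.

    Per the thread, CSUtil.exe ignores the definition at the break and all after it.
    """
    for index, number in enumerate(header_numbers(adf_text)):
        if number != index:
            return index
    return None

def accepted_count(adf_text):
    """How many definitions precede the first numbering break (assumed model)."""
    brk = first_break(adf_text)
    return len(header_numbers(adf_text)) if brk is None else brk

def renumber(adf_text):
    """Rewrite headers as [attr#0], [attr#1], ... leaving all other lines untouched."""
    out, index = [], 0
    for line in adf_text.splitlines():
        if HEADER.match(line.strip()):
            line, index = f"[attr#{index}]", index + 1
        out.append(line)
    return "\n".join(out) + "\n"

def stanza(n, attr_id, name, profile, attr_type):
    """Build one stanza with the vendor/application values posted in the thread."""
    return (f"[attr#{n}]\nvendor-id=3401\nvendor-name=NAI\napplication-id=3\n"
            f"application-name=AV\nattribute-id={attr_id}\nattribute-name={name}\n"
            f"attribute-profile={profile}\nattribute-type={attr_type}\n\n")

# Constructed sample: the first three definitions as posted, numbered from 29.
SAMPLE = (stanza(29, "00001", "Application-Posture-Token", "out", "unsigned integer")
          + stanza(30, "00002", "System-Posture-Token", "out", "unsigned integer")
          + stanza(31, "00003", "Software-Name", "in out", "string"))

if __name__ == "__main__":
    print("accepted before fix:", accepted_count(SAMPLE))
    print("accepted after fix: ", accepted_count(renumber(SAMPLE)))
```

Blank lines between entries, as left by copying from the forum page, are tolerated because only the header lines are matched.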
