collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: AND THE CONFIG IS COMPLETED  (Read 8793 times)

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
AND THE CONFIG IS COMPLETED
« on: December 02, 2013, 02:16:55 AM »
The project so far is that the configuration is completed. Moving to phase of rolling out.

The earlier issues is solved WSUS is now working fine and Window update remediation is work perfectly well.

I am available for anybody who need answer question and clarifications if you are deploying the same.
Technology makes life easy but I hope the same technology will not send man back to stone age!

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: AND THE CONFIG IS COMPLETED
« Reply #1 on: December 02, 2013, 09:50:43 PM »
Glad to here things are working well  :D. Could you shed some light on the WSUS issue and what the fix was?

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Re: AND THE CONFIG IS COMPLETED
« Reply #2 on: December 03, 2013, 07:09:53 AM »
Yeah the catch is between selecting severity check and Cisco define check. For some reason with severity check Agent will not be able to contact WSUS and will not be able to cross check the update.

Please an issues just came up AV fails automatic remediation. I thought it's the simplest until I encounter it. The anti-virus server is McAfee is there any way out of this?

Also is there a way of filtering posture check summary from agent to only failed posture.

Find in the attached.

Your urgent response will be appreciated.

Thanks.
Technology makes life easy but I hope the same technology will not send man back to stone age!

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: AND THE CONFIG IS COMPLETED
« Reply #3 on: December 03, 2013, 01:48:38 PM »
You would want to find out if the NAC agent (actually it's the AV agent) even try to talk to the AV server using packet capture. If it does not, double check the remediation configuration.
Could you elaborate on the filtering posture check? Not sure if I know what you mean.

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Re: AND THE CONFIG IS COMPLETED
« Reply #4 on: December 03, 2013, 07:40:17 PM »
Really packet capture shows that the packet is not reaching the server during posture but what I notice is if authc is using DOT1X I could not ping though ICMP is allowed but MAB I could ping.

By filter I mean you want to limit security check summary report as indicated in the attached document to only fail posture. You want to remove the pass posture so that user does not need to know what posture is looking for.
Technology makes life easy but I hope the same technology will not send man back to stone age!

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 398
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: AND THE CONFIG IS COMPLETED
« Reply #5 on: December 03, 2013, 11:58:36 PM »
If there is no packet reaching the server, you will need to figure out if the agent is trying but being blocked by the DACL or it does not even try. Can you run packet capture on the client itself and see which is the case?

I don't think you have any control on which posture results are shown to the users. When everything passes, they shouldn't see the list unless the user clicks on the NAC agent icon. When something fails, the whole list is shown to the user for both pass and fail.

Offline adecisco

  • Cisco Newbie
  • *
  • Posts: 96
  • Reputation: 10
  • Discovering new solution is sweet!
    • http://adeolaade.blogspot.com/
  • Certification: N/A
Re: AND THE CONFIG IS COMPLETED
« Reply #6 on: December 04, 2013, 12:13:06 AM »
Thanks MC,

I have sorted out the issues. The problem here is with RACL so what I have to do is invert DACL and specifically use the inverted for RACL and that sort things out.

It's amazing how ACL redirection can be a big pain is not properly handle.

I appreciate you..

Technology makes life easy but I hope the same technology will not send man back to stone age!

 

Related Topics

  Subject / Started by Replies Last post
1 Replies
9168 Views
Last post April 02, 2014, 12:05:45 PM
by MC
1 Replies
7255 Views
Last post May 19, 2014, 10:02:56 PM
by MC
8 Replies
15419 Views
Last post August 31, 2016, 03:21:42 AM
by amsa
0 Replies
4484 Views
Last post October 31, 2016, 01:52:57 PM
by ejeangilles

SimplePortal 2.3.7 © 2008-2024, SimplePortal