CLEANACCESS Archives

April 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Richter, Ryan" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Tue, 7 Apr 2009 09:52:38 -0700

Does anyone use the type of requirement Mike is testing successfully in residence halls? Our number one problem with CCA is the Cisco checks and Windows Update disagreeing on whether or not a machine has all necessary updates. We have workarounds in place, but the prospect of just making Windows Update the authority on whether or not a client has all updates is very interesting to me.

After reading this thread, I built and tested this type of requirement myself and it seems to work great as long as I am logged in as administrator. (The ability to just click "Update" from the Agent is very cool.) But having this requirement fail no matter what when a user does not have administrator rights seems like a show stopper. Or is it naïve to think that any residents don't always use their machines as administrator?

If you use this type of requirement with students, have you ever run into a situation where a student wants to use their machine without admin rights? What did you do in that situation?

-Ryan

Ryan Richter
ResNet and Lab Services
Student Computing
California State University, Chico



-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Mike Diggins
Sent: Monday, April 06, 2009 12:22 PM
To: [log in to unmask]
Subject: Re: Windows Update Services Requirement

I'm not. I thought that was just to allow the Agent to update? Does it 
allow non-administrator accounts to login using the WUA method as well?

-Mike

On Mon, 6 Apr 2009, Prem Ananthakrishnan (prananth) wrote:

> Hi Mike,
>
> Are you using the agent stub? You will need the agent stub for the WSUS
> to work
>
> -Prem
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[log in to unmask]] On Behalf Of Mike Diggins
> Sent: Monday, April 06, 2009 9:32 AM
> To: [log in to unmask]
> Subject: Re: Windows Update Services Requirement
>
> I discovered the source of at least some of the failed logins. You can't
> run WUA if you're not an Administrator of that machine, and we have
> several (that I know about), that do just that.
>
> Considering that Best Practise is not to run as an Administrator, is
> there any work around to this, short of exempting it from the checks?
>
> -Mike
>
>
> On Sun, 5 Apr 2009, Atif Azim (atif) wrote:
>
>> Mike D,
>>
>> Mike S is correct in that this typically happens when the update
>> service on that machine is broken, however to ascertain this you
>> should take a look at the agent logs.
>>
>> When you do have access to the clients, can you look at the agent logs
>> and see if there is any information there. In order to set the
>> loglevel to debug, please refer to the following link:
>>
>> http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/45/45rn.html#wp607061
>>
>> Please send the agent log to myself and I can have one of our
>> technical folks take a look and get back to you. Alternatively you can
>> also forward the logs to TAC and they will follow up with you.
>>
>> Regards,
>> Atif
>>
>> -----Original Message-----
>> From: Cisco Clean Access Users and Administrators
>> [mailto:[log in to unmask]] On Behalf Of Stanclift, Michael
>> Sent: Saturday, April 04, 2009 11:22 PM
>> To: [log in to unmask]
>> Subject: Re: Windows Update Services Requirement
>>
>> We run our checks like this as well, when students get those errors it
>> usually is because the update service on their machine is either
>> broken or somehow disabled.
>>
>> Michael Stanclift
>> Network Analyst
>> Rockhurst University
>>
>> http://help.rockhurst.edu
>> (816) 501-4231
>> ________________________________________
>> From: Cisco Clean Access Users and Administrators
>> [[log in to unmask]] On Behalf Of Mike Diggins
>> [[log in to unmask]]
>> Sent: Saturday, April 04, 2009 1:27 PM
>> To: [log in to unmask]
>> Subject: Windows Update Services Requirement
>>
>> I'm testing the Windows Update Service in place of the Cisco checks
>> for Windows patches. I created a new requirement for this (using the
>> Microsoft update servers, and the Updates to be installed set to
>> Critical.
>>
>>        Enforce Type: Mandatory
>>        Priority: 3
>>        Remediation Type: Manual, Interval 0, Retry Count 0
>>        Windows Updates Validation by Severity
>>        Windows Updates to be Installed: Critical
>>        (Not checked) Upgrade to Latest OS Service Pack
>>        Windows Update Installation Sources: Microsoft Servers
>>        Installation Wizard Interface: Show UI
>>        Requirement Name: Windows Update Services
>>        Description: Critical Windows Updates are missing from your
>>                     computer. Click on the Update button to launch
>>                     Windows Update.
>>
>>        Operating System: Windows XP (ALL), Windows Vista (All)
>>
>> Most users appear to be passing the check successfully. However,
>> several are not, and when I look at their report, it shows the
>> following:
>>
>>   3. Windows Update Services (Mandatory)
>>           * Passed Checks:
>>           * Failed Checks:
>>           * Not executed Checks:
>>           * Description:
>>
>> Nothing under the failed checks, yet they're failing the check!? Some
>> other failed reports do show the missing patches. I don't have access
>> to the clients today, so I'm wondering what this failure status means?
>>
>> -Mike
>>
>
>
>             _________________________________________
>
> Mike Diggins       			Voice:  905.525.9140 Ext. 27471
> Network Analyst, Enterprise Networks    FAX:    905.522.0511
> University Technology Services 		E-Mail: [log in to unmask]
> McMaster University, Hamilton, Ontario
>


             _________________________________________

Mike Diggins       			Voice:  905.525.9140 Ext. 27471
Network Analyst, Enterprise Networks    FAX:    905.522.0511
University Technology Services 		E-Mail: [log in to unmask]
McMaster University, Hamilton, Ontario
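
A client-side triage sketch for the three conditions raised in this thread (update service broken or disabled, user not a local administrator, Critical updates actually missing). It is an added example, not part of any message above and not code from the Clean Access Agent. The function name Test-WuaPosture is hypothetical, and mapping the requirement's "Critical" setting to the Windows Update Agent `MsrcSeverity` value is an assumption.

```powershell
# Added example: local triage for a failing "Windows Update Services" posture check.
# Test-WuaPosture is a hypothetical name; nothing here calls the Clean Access Agent.
function Test-WuaPosture {
    $report = [ordered]@{}

    # 1. Is the current user a local administrator? The thread reports the
    #    requirement failing for non-administrator accounts.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $report.IsAdministrator = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. Is the Windows Update service (wuauserv) present, running, or disabled?
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    if ($svc) {
        $report.ServiceState     = $svc.State       # Running / Stopped
        $report.ServiceStartMode = $svc.StartMode   # Auto / Manual / Disabled
    } else {
        $report.ServiceState     = 'NotInstalled'
        $report.ServiceStartMode = $null
    }

    # 3. Ask the Windows Update Agent COM API which software updates are missing
    #    and keep those rated Critical (assumed equivalent of the requirement).
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
        $report.MissingCritical = @($result.Updates |
            Where-Object { $_.MsrcSeverity -eq 'Critical' } |
            ForEach-Object { $_.Title })
        $report.SearchError = $null
    } catch {
        # A search that throws yields no patch list at all, which is one way a
        # check can fail without naming any missing update.
        $report.MissingCritical = @()
        $report.SearchError     = $_.Exception.Message
    }

    [pscustomobject]$report
}

Test-WuaPosture | Format-List
```

Running it once as the affected user and once from an elevated account on the same machine separates a per-user rights problem from a broken update service.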
