e Trust Agent for Cisco Network

Admission Control (NAC)

Installation Guide
r1
This documentation and related computer software program (hereinafter referred to as the "Documentation") is for
the end user's informational purposes only and is subject to change or withdrawal by Computer Associates
International, Inc. ("CA") at any time.

This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part,
without the prior written consent of CA. This documentation is proprietary information of CA and protected by the
copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for
their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy.
Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of
the license for the software are permitted to have access to such copies.

This right to print copies is limited to the period during which the license for the product remains in full force and
effect. Should the license terminate for any reason, it shall be the user's responsibility to return to CA the
reproduced copies or to certify to CA that same have been destroyed.

To the extent permitted by applicable law, CA provides this documentation "as is" without warranty of any kind,
including without limitation, any implied warranties of merchantability, fitness for a particular purpose or
noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or
indirect, from the use of this documentation, including without limitation, lost profits, business interruption,
goodwill, or lost data, even if CA is expressly advised of such loss or damage.

The use of any product referenced in this documentation and this documentation is governed by the end user's
applicable license agreement.

The manufacturer of this documentation is Computer Associates International, Inc.

Provided with "Restricted Rights" as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and
(2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.

© 2005 Computer Associates International, Inc.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contents

Chapter 1: Overview 5
How the eTrust Agent for Cisco NAC Works ............................................................................... 5
Computer Associates NAC-Enabled Applications ................................................................... 6
System Requirements ...................................................................................................... 6
Product Components ........................................................................................................ 7
Setting Up eTrust Agent for Cisco NAC ..................................................................................... 7
Add Computer Associates Attributes to the NAC Database ........................................................... 8
Install the Cisco Trust Agent ............................................................................................. 8
Install the eTrust Agent for Cisco NAC ................................................................................ 9
Verify the Installation....................................................................................................... 9

Appendix A: Computer Associates Attribute Information 11

Application Types ................................................................................................................ 11
eTrust Antivirus Attributes .............................................................................................. 12
eTrust PestPatrol Anti-Spyware Attributes ......................................................................... 13

Contents iii
Chapter 1: Overview
This chapter provides a brief description of how the eTrust Agent for Cisco
Network Admission Control (NAC) works and lists the Computer Associates
applications that are currently NAC-enabled. In addition, this chapter describes
system requirements and product components.

Note: This document assumes that Cisco NAC is fully installed and running in
your network environment. For information about Cisco NAC, refer to the
following Cisco documents:

Network Admission Control (NAC) home page:

http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solu
tion_home.html

NAC User Guide for Cisco Secure ACS 3.3

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user
_guide_chapter09186a0080233612.html

NAC Attribute Management

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user
_guide_chapter09186a0080233621.html#wp617627

How the eTrust Agent for Cisco NAC Works

The eTrust Agent for Cisco NAC discovers the posture attributes for Computer
Associates applications on an end-point device that attempts to access or use
resources on a network administered with Cisco NAC. The Cisco Trust Agent
(CTA), also located on the end-point device, passes the posture attributes to a
Cisco Access Control Server (ACS). The ACS compares the posture attributes
with a set of policies previously defined by a network administrator. Based on
the results of the comparison, the end-point device may either be granted full
primary network access or placed into a separate virtual network, where the
device can go through a remediation process before it is allowed to connect to
the primary network.

Overview 5
How the eTrust Agent for Cisco NAC Works

Computer Associates NAC-Enabled Applications

The following Computer Associates applications are NAC-enabled:

„ InoculateIT 6
„ eTrust Antivirus r6, r7, r7.x
„ eTrust PestPatrol Anti-Spyware r5
„ eTrust PestPatrol Anti-Spyware Corporate Edition r5

The eTrust Agent for Cisco NAC discovers the posture attributes of these
applications if they exist on an end-point device.

System Requirements

An end-point device running the eTrust Agent for Cisco NAC requires the
following:

System Components

Pentium-class processor

Network connection

Operating System

English version of:

Windows NT, with Service Pack 6

Windows 2000

Windows XP Professional

Hard Disk Space

20 MB

Memory

128 MB for Windows NT and Windows 2000

256 MB for Windows XP

Software

Cisco Trust Agent 1.0

6 Installation Guide
 Setting Up eTrust Agent for Cisco NAC

Product Components

The eTrust Agent for Cisco NAC consists of the following components:

cai-pp.txt

The cai-pp.txt file contains information for Computer Associates

applications in the form of attribute/value pairs. You use this file with the
CSUtil.exe program to add the Compute Associates product attribute
definitions to the Cisco Secure ACS NAC database.

cai-pp.dll

The cai-pp.dll file is the eTrust Agent for NAC, which discovers the posture
attributes of Computer Associates applications running on an end-point
device. You use the CAPPInstall.exe program to install the plug-in on an
end-point device.

cai-pp.inf

The cai-pp.inf file contains the eTrust Agent attribute definitions. The Cisco
Trust Agent uses this file to communicate Computer Associates product
attributes to the Cisco Secure ACS database.

Setting Up eTrust Agent for Cisco NAC

This chapter contains procedures for setting up eTrust Agent for Cisco NAC.
The set up process includes:
„ Adding Computer Associates attributes to the Cisco Secure ACS NAC
database
„ Installing the Cisco Trust Agent on all end-point devices
„ Installing the eTrust Agent for Cisco NAC on all end-point devices
„ Verifying the installation

Note: The procedures in this chapter assume Cisco NAC is currently running in
your network environment and is administered with Cisco Secure ACS 3.3.

Overview 7
Add Computer Associates Attributes to the NAC Database

Add Computer Associates Attributes to the NAC Database

Before you can define policies for Computer Associates posture attributes, you
must first add the attribute/value pairs to the Cisco Secure ACS NAC database.

Note: The following procedure assumes Cisco Secure ACS 3.3 is installed at:
C:\Program Files\CiscoSecure ACS v3.3

To add Computer Associates attributes to the Cisco Secure ACS NAC database,
follow these steps:

1. Go to the Computer Associates SupportConnect website,

http://supportconnect.ca.com, and locate the eTrust Agent for Cisco NAC.

2. Download the eTrust Agent for Cisco NAC to a system typically used for
network management tasks.

3. Extract the contents of the downloaded zip file to a temporary directory,

such as C:\Temp.

4. On the Cisco Secure ACS 3.3 for Windows system, copy the file cai-pp.txt
to: C:\Program Files\CiscoSecure ACS v3.3\Utils

The cai-pp.txt file contains the attribute/value pairs for NAC-enabled

Computer Associates applications.

5. From the C:\Program Files\CiscoSecure ACS v3.3\Utils directory, run the

following command:

CSUtil.exe -addavp cai-pp.txt

The CSUtil.exe program adds the attribute/value pairs to the Cisco Secure
ACS NAC database.

Use the Cisco Secure ACS user interface to configure policies for Computer
Associates products. For instructions, refer to the Cisco document NAC User
Guide for Cisco Secure ACS 3.3.

Install the Cisco Trust Agent

Install the Cisco Trust Agent on all end-point devices, such as desktop
computers, workstations, laptops, and servers that connect to or use network
resources. Download and install the Cisco Trust Agent 1.0 from the Cisco
website, http://www.cisco.com.

8 Installation Guide
 Add Computer Associates Attributes to the NAC Database

Install the eTrust Agent for Cisco NAC

Install the eTrust Agent for Cisco NAC on all end-point devices, such as
desktop computers, workstations, laptops, and servers that connect to or use
network resources.

To install the eTrust Agent for Cisco NAC on an end-point device, follow these
steps:

1. From the directory you downloaded the eTrust Agent for Cisco NAC,
distribute CAPPInstall.exe to all end-point devices.

2. Run the following command to silently install the eTrust Agent for NAC on
the end-point device:

CAPPInstall.exe -silent

The files cai-pp.dll and cai-pp.inf are installed in

%CommonProgramFiles%\Cisco Systems\CiscoTrustAgent\Plugins\Install.
The next time the Cisco Trust Agent runs, these files are automatically
moved up one directory level to \Plugins.

Verify the Installation

Use Cisco Secure ACS to verify that the Computer Associates attributes have
been installed. For instructions, refer to the Cisco document NAC User Guide
for Cisco Secure ACS 3.3.

To verify the installation of the eTrust Agent for Cisco NAC on an individual
end-point device, restart the device and check that the following files exist in
%CommonProgramFiles%\Cisco Systems\Cisco TrustAgent\Plugins:
„ cai-pp.dll
„ cai-pp.inf

For further assistance, see the Computer Associates SupportConnect website

at http://supportconnect.ca.com, where you may check the Knowledge Base
for additional information or contact a Customer Support representative.

Overview 9
Appendix A: Computer Associates
Attribute Information
This appendix contains the attribute information for Computer Associates
applications that are NAC-enabled. For information on how to manage NAC
attributes, refer to the Cisco document NAC Attribute Management.

Application Types
The Cisco Trust Agent uses a Cisco-defined application type to uniquely
identify and report posture attributes of NAC-enabled products from a single
vendor. The following types apply to Computer Associates products:

Application Type

eTrust Antivirus 3

eTrust PestPatrol Anti-Spyware 6

Computer Associates Attribute Information 11

Application Types

eTrust Antivirus Attributes

Cisco has defined eight standard NAC attributes for anti-virus applications. The
eTrust Agent for Cisco NAC supports the reporting of these eight anti-virus
attributes to the Cisco Secure ACS NAC database as follows:

Software-Name

The product name: eTrust Antivirus

Software-ID

The product ID as defined by Computer Associates: 1

Version

The product version number, as displayed in the eTrust Antivirus Version

Information dialog

Scan-Engine-Version

The version of the currently active Realtime scan engine, as displayed in

the Details for area of the eTrust Antivirus Version Information dialog

DAT-Version

The signature version of the currently active Realtime scan engine, as

displayed in the Engine Information area of the eTrust Antivirus Version
Information dialog

DAT-Date

The date and time the currently active Realtime scan engine was last
updated, as displayed in the Engine Information area of the eTrust
Antivirus Version Information dialog

Note: The Last Update date/time provides a more accurate representation

of the device’s posture than the Build Date of the virus signatures.

Protection-Enabled

Current status of Realtime Monitor: 1 if enabled, 0 if disabled

Action

A hexadecimal string that represents how infected files are treated by the
Realtime scanner:

00000000 – Report only

00000001 – Cure

00000002 – Rename

00000003 – Delete

00000004 – Move

12 Installation Guide
 Application Types

eTrust PestPatrol Anti-Spyware Attributes

Cisco has defined eight standard NAC attributes for anti-spyware applications.
The eTrust Agent for Cisco NAC supports the reporting of these eight anti-
spyware attributes to the Cisco Secure ACS NAC database as follows:

Software-Name

The name of the product, either eTrust PestPatrol Corporate Edition or

eTrust PestPatrol

Software-ID

The product ID as defined by Computer Associates: 2

Version

The product version number:

eTrust PestPatrol Anti-Spyware: Version number of the file PestPatrol5.exe

eTrust PestPatrol Anti-Spyware Corporate Edition: The ImagePath value

from
“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PestPatrol
Remote”, and ProductVersion from version information resource of
ppRemoteService.exe

Scan-Engine-Version

The version number of the eTrust PestPatrol COM control ppctl.dll

DAT-Version

Currently 5.0.0.x, where x is the current sequence number of pploc.dat as

indicated in lfinfo.dat

DAT-Date

The creation date and time extracted from the database header of
pploc.dat

Protection-Enabled

Current status of Active Protection: 1 if enabled, 0 if disabled

Action

Currently an empty string

Computer Associates Attribute Information 13