Header Only - DO NOT REMOVE - Extreme Networks

WLAN Authentication based on Client Status with Kaspersky Endpoint orchestration server

Userlevel 6
Currently WLAN Authentication is based on the Microsoft Active Directory computer-account. This works well and guarantees that only company own notebooks are connected to our WLAN network. We use Extreme wireless (identify) and Extreme Control (NAC Gateway + Netsight ADV).

Now we want to enhance that authentication mechanism regarding the anti-virus (update) status. Some road-warriors are not able to update the local antivirus pattern if the are on the road around the globe. We have some problems with virus polluted notebooks.

So we want to depend the successfull WLAN connection additionally with the status of the client within our enterprise antivirus solution (Kaspersky Endpoint-Security 10). Only if the client have current av patterns or the server tell us a complaint (good) state the client should be able to connect to wlan. Otherwise the client should be move over to a quarantine network which have the possibility to update and scan the client. After this process is successfull the client should move to the normal enterprise network. It was very usefull that the client get some information about the current state during the remediation process.

So i am interesseted how can i connect the NAC Gateway with Kaspersky Server - Netsight API (Fusion / OneFabic Connect). And how can i inform the client during remediation process.

Are there some experience how i can achieve this goal ? Maybe especially also with Kaspersky Endpoint Security?

3 replies

Userlevel 6
Is it possible to connect via API to Microsoft WSUS Server to get the client status regarding OS Updates ?
Userlevel 6
Hello Matthias,

It sounds like you may have use for the Extreme NAC Agent and an assessment implementation. The Extreme NAC Agent should be able to do exactly what you are looking to do.

The Agent has the ability to check into the Microsoft Security Center to determine what AV is running, and the last time it was updated. You can configure the assessment tests to quarantine an end system if they do not have AV, or if it hasn't been updated and the solution also allows you to configure self-remediation so the user is informed of their infractions and can remedy and re-attempt network access once updated.

The NetSight/NAC solution does not currently have an API integration with Kaspersky, so I'm thinking that agent based assessment is the best option.

Userlevel 6
Hi Ryan,

you are right but one big disadvantage is that during the NAC authentication i do not know the status of the client so i have to allow an unkown client access to my network. Only after that i can get the needed information. Because network login need a lot of access (to Active Directory, file servers, mails servers etc) in a worst case scenario have allow the bad guiy to my network.

So having these information via NAC API from the Kaspersky Server immediately during NAC Authentication it will be more safe.