Product and Software: This article applies to ECS product and software versions 3.1.9 to 4.0.1.x.
When the Persistent Agent (PA) is installed on the client and functioning properly, the PA client contacts the PA server and lets it know that the agent is still listening. It is important to detect when a client's Persistent Agent is disabled or uninstalled.
Lost Contact with Persistent Agent Event
If the PA doesn't contact the server, a Lost Contact with Persistent Agent event is generated, indicating that the PA cannot communicate with the client.
The server maintains a list of "last poll times" for every Persistent Agent client. The last poll time is the last time the server heard from that agent. The NAC appliance notices that the client might not have a PA when the appliance pings the client's agent and there is no response. The server pings the client three times, for a duration of 12 to 18 minutes, as follows:
The first failed ping is OK and no action is taken.
The second failed ping places the client on a bad MAC list.
The third failed ping generates a Lost Contact with Persistent Agent event. If an alarm has been mapped, the client is moved to the quarantine VLAN. The user sees an HTML page for downloading another PA.
Persistent Agent Scan not Performed Event
When a scheduled scan fails to see the PA on a client, the NAC appliance generates the Persistent Agent Scan not Performed event. This indicates only that the scan could not be performed; it does not by itself tell you why.
Important: These events can help detect a disabled or uninstalled agent. However, the events alone do not mark the client "at risk" to trigger an action. This solution explains how to map the alarms to take action on "at risk" clients.
To mark a client as "at risk" when PA contact is lost and "safe" when the PA is regained, you need to:
(ECS version 4.0.1 only): Add the ValidAgentTest admin scan. (This already exists in 3.1.9 and 4.0. The admin scan is required to be able to map the alarms.)
Map an alarm to one of the events based on your environment and security objectives.
Map an alarm for the Regained Contact with Persistent Agent event to mark the client as "safe" once contact is made with the PA.
Validate your results.
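The following Python is an added illustration, not code from ECS or from this article: it models the server-side last-poll-time list and three-strike escalation described above, and shows that a client is only marked "at risk" (Lost Contact) or "safe" (Regained Contact) when the corresponding alarm is mapped. Class, method and constant names are hypothetical; the MAC and timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Escalation thresholds as described in the article: the second failed
# ping places the client on the bad MAC list, the third raises Lost Contact.
BAD_MAC_PING = 2
LOST_CONTACT_PING = 3

LOST_CONTACT = "Lost Contact with Persistent Agent"
REGAINED_CONTACT = "Regained Contact with Persistent Agent"


@dataclass
class AgentState:
    last_poll_time: int        # epoch seconds of the last poll received
    failed_pings: int = 0      # consecutive pings with no answer
    on_bad_mac_list: bool = False
    at_risk: bool = False      # True once a mapped alarm quarantines the host


class PaTracker:
    """Hypothetical model of the server-side 'last poll times' list."""

    def __init__(self, lost_alarm_mapped: bool, regained_alarm_mapped: bool):
        self.lost_alarm_mapped = lost_alarm_mapped
        self.regained_alarm_mapped = regained_alarm_mapped
        self.clients: Dict[str, AgentState] = {}
        self.events: List[Tuple[str, str]] = []   # (mac, event name)

    def poll_received(self, mac: str, now: int) -> Optional[str]:
        """Agent checked in: reset the failure counter; clear risk if mapped."""
        st = self.clients.setdefault(mac, AgentState(last_poll_time=now))
        st.last_poll_time, st.failed_pings, st.on_bad_mac_list = now, 0, False
        if st.at_risk:
            self.events.append((mac, REGAINED_CONTACT))
            if self.regained_alarm_mapped:   # only a mapped alarm marks "safe"
                st.at_risk = False
            return REGAINED_CONTACT
        return None

    def ping_failed(self, mac: str) -> Optional[str]:
        """Server ping got no answer: escalate per the three-strike rule."""
        st = self.clients.setdefault(mac, AgentState(last_poll_time=0))
        st.failed_pings += 1
        if st.failed_pings == BAD_MAC_PING:
            st.on_bad_mac_list = True
            return "bad MAC list"
        if st.failed_pings == LOST_CONTACT_PING:
            self.events.append((mac, LOST_CONTACT))
            if self.lost_alarm_mapped:       # only a mapped alarm quarantines
                st.at_risk = True
            return LOST_CONTACT
        return None                          # first failed ping: no action
```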