Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Agentless OnGuard DCOM Error

  • 1.  Agentless OnGuard DCOM Error

    Posted Jan 10, 2022 02:54 PM
    Hello Everyone,

    I'm trying to get Agentless OnGuard working with Windows 10. I've followed the guides and configured an admin account in ClearPass for WMI credentials. This is a lab domain with Server 2019, basically default settings.

    Right now I am trying this without authentication. The switch is configured with SNMP and DHCP, and once ClearPass learns the new devices via DHCP or a subnet scan it attempts to run the Agentless OnGuard.

    The agent is installed; I can see C:\OnGuard and the files show up there.

    When ClearPass tries to log in to the endpoint and issue the call to run OnGuard, it fails. In the ClearPass OnGuard logs I just get an error "Exiting with return value - -3 "

    When I look in Event Viewer on the endpoint, I see an error which repeats every time I see the attempt coming from ClearPass. The error says:

    "The server-side authentication level policy does not allow the user DOMAIN\adminUSER SID (S-1-5-21-###-####-###-#) from address 10.200.20.235 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."

    10.200.20.235 is my ClearPass server.

    This error seems to be related to this article:

    KB5004442-Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)

    Based on this article it seems that Microsoft has updated the security for DCOM, but ClearPass is not doing the new method. I've tried to use the registry key to disable the check but it seems to have no effect.

    Has anyone got Agentless OnGuard working now with ClearPass 6.10.3 and a fully patched Windows 10 host connected to a Windows 2019 DC? Any tips on how to bypass this error?

    Thanks,

    ------------------------------
    ELiasz
    ------------------------------
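
A read-only diagnostic for the situation described in the post above, added here as an example and not part of the original post or of ClearPass: it shows the endpoint's DCOM hardening setting and summarizes which clients are being rejected. Assumptions: the registry value name and event ID 10036 are taken from Microsoft's KB5004442 rather than from this thread, and the event message text is in English as quoted in the post.

```powershell
# Added example: run in an elevated PowerShell session on the Windows endpoint.
# It only reads state; it does not change the DCOM hardening setting.

# Assumption: key path and value name as documented in Microsoft KB5004442.
$key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
$name = 'RequireIntegrityActivationAuthenticationLevel'

$value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $value) {
    Write-Output "$name is not set; the default for the installed update level applies."
} else {
    Write-Output "$name = $value (1 = hardening enabled, 0 = hardening disabled)"
}

# Assumption: 10036 is the server-side DCOM event ID given in KB5004442.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 200 -ErrorAction SilentlyContinue

# Extract the account and client address from the message text quoted in the post.
$pattern = 'user (?<user>\S+) SID \((?<sid>[^)]+)\) from address (?<addr>\S+) to activate'

$events | ForEach-Object {
    if ($_.Message -match $pattern) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $Matches.user
            Address = $Matches.addr
        }
    }
} | Group-Object Address, User |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
```

Each output row is one client address and account pair whose DCOM activation requests arrived below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, which helps confirm whether the ClearPass server is the only affected client.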


  • 2.  RE: Agentless OnGuard DCOM Error

    EMPLOYEE
    Posted Jan 14, 2022 11:03 AM
    You could deploy the agent through Group Policies/Software management. For the Agentless, please work with support. I haven't used agentless for a while.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------