
Install CCA Agent on All Domain Machines & Map Drives Thru Scripts

Project Primary Goal(s):

Allow for mapping drives without adding exceptions to an unauthenticated role.

Secondary Goal(s):

Develop a method for rolling out the CCA Agent using group policy or login scripts that will not impact the ability to map drives.

 

I’m starting out with the secondary goal first in this write up.

In order to install the CCA Agent on all domain machines without errors and without user intervention I had to use an msiexec command. The reason is that if I just push the MSI package through group policy, users encounter errors when the application first installs (something about already being in the task bar) and the program then exits. It may also result in the machine attempting to log in with the machine's Active Directory account rather than the user's account (for Active Directory Single Sign-On).

To ensure the installation section only runs once, the script checks for the existence of the CCAAgent.exe file.

With the application installation part of the logon script in place, I moved on to the primary goal of the project.

It is unlikely you would want users in an unauthenticated role to be able to access your fileserver.

The issue is that any script run to map network drives will fail unless the CCA Agent has first placed the user into a role that allows access to the file share.

A solution is to create a section in the VBScript logon script that verifies the CCA Agent is running before attempting to map a network drive. To accomplish this I use a check-and-wait loop.

The example below installs the CCA Agent if it is not installed and maps a user drive only after verifying the CCA Agent is running. It gives the CCA Agent 30 seconds after it is seen running to perform any sign-in activities (I use Active Directory Single Sign-On, but this would not change for RADIUS, Kerberos, etc.). Assign this script in group policy for a domain or OU (specifically, when editing the group policy, add it under User Configuration > Policies > Windows Settings > Scripts > Logon).

'-------------------------------------------------------------------
'CCAAgent.vbs
'Install CCA Agent if not installed first.
'Verify CCA Agent is running.
'Map network drives.

Dim ADSysInfo
Dim CurrentUser
Dim strGroups
Dim wshNet
Dim fserver

Dim AllProcess
Dim Process
Dim strFoundProcess
Dim numWaits

Dim objFSO
Dim ccainstalledfile
Dim wshShell

ccainstalledfile = "c:\program files\cisco systems\clean access agent\ccaagent.exe"
strFoundProcess = False
numWaits = 0
fserver = "\\servername\homedirectory\"

' Install the agent silently if its executable is not present (so this runs once per machine).
Set objFSO = CreateObject("Scripting.FileSystemObject")
If Not (objFSO.FileExists(ccainstalledfile)) Then
    Set wshShell = WScript.CreateObject("WScript.Shell")
    wshShell.Run "%windir%\system32\msiexec.exe /package \\domaincontroller\netlogon\ccaagent.msi /qn"
    Set wshShell = Nothing
End If

' Check and wait: poll WMI for ccaagent.exe up to 20 times, 30 seconds apart (10 minutes).
' The sleep also runs once after the process is found, giving the agent 30 seconds to sign the user in.
Do While (strFoundProcess = False And numWaits < 20)
    Set AllProcess = GetObject("winmgmts:")
    For Each Process In AllProcess.InstancesOf("Win32_Process")
        If (InStr(UCase(Process.Name), "CCAAGENT.EXE") = 1) Then
            strFoundProcess = True
            Exit For
        End If
    Next
    WScript.Sleep 30000
    numWaits = numWaits + 1
Loop

' Read the current user's group membership from Active Directory.
Set wshNet = CreateObject("WScript.Network")
Set ADSysInfo = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
' memberOf comes back as an array for several groups, a single string for one group,
' and raises an error when the user is in no groups; Join only accepts an array.
On Error Resume Next
strGroups = LCase(Join(CurrentUser.MemberOf))
If Err.Number <> 0 Then
    Err.Clear
    strGroups = LCase(CurrentUser.MemberOf)
    If Err.Number <> 0 Then strGroups = ""
End If
On Error GoTo 0

' Map the home drive according to group membership.
If (InStr(strGroups, "faculty") Or InStr(strGroups, "staff")) Then
    wshNet.MapNetworkDrive "U:", fserver & "facstaff\" & wshNet.UserName
End If
If (InStr(strGroups, "students")) Then
    wshNet.MapNetworkDrive "U:", fserver & "students\" & wshNet.UserName
End If
'-------------------------------------------------------------------
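For environments where the logon script is written in PowerShell rather than VBScript, here is an added example of the same install / check-and-wait / map sequence. It is not the original post's script. The agent path, MSI share, file server and group names (Faculty, Staff, Students) are placeholders carried over from the script above, and the 30-second poll repeated up to 20 times mirrors its loop. It adds two things the VBScript version does not have: a log line for each decision, so a help desk can see why a drive did not map, and matching on each group's exact CN instead of a substring, so a group whose name merely contains "staff" does not qualify a user for the faculty/staff share.

```powershell
# PowerShell logon-script variant (added example; placeholders come from the post's VBScript).
param(
    [string]$AgentExe   = 'C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe',
    [string]$AgentMsi   = '\\domaincontroller\netlogon\ccaagent.msi',
    [string]$FileServer = '\\servername\homedirectory',
    [int]$PollSeconds   = 30,
    [int]$MaxPolls      = 20,
    [string]$LogFile    = "$env:TEMP\cca-logon.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogFile -Append
}

# 1. Install the agent silently if the executable is missing.
#    -Wait keeps msiexec from racing the process check below.
if (-not (Test-Path -LiteralPath $AgentExe)) {
    Write-Log "Agent missing; installing from $AgentMsi"
    $p = Start-Process -FilePath "$env:windir\system32\msiexec.exe" `
        -ArgumentList @('/package', $AgentMsi, '/qn') -Wait -PassThru
    Write-Log "msiexec exit code $($p.ExitCode)"
}

# 2. Check and wait: poll for the agent process, give up after MaxPolls.
$found = $false
for ($i = 0; $i -lt $MaxPolls -and -not $found; $i++) {
    if (Get-Process -Name 'CCAAgent' -ErrorAction SilentlyContinue) {
        $found = $true
    }
    # Sleep once more after finding it so the agent can finish single sign-on.
    Start-Sleep -Seconds $PollSeconds
}
if (-not $found) {
    Write-Log "Agent never started after $($MaxPolls * $PollSeconds)s; not mapping drives"
    exit 1
}

# 3. Map the home drive based on exact group membership.
#    Comparing the group's CN avoids the substring problem where 'staff'
#    would also match a group such as 'nonstaff'.
$searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
$memberOf = @($searcher.FindOne().Properties['memberof'])
$groups   = $memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }

$share = $null
if ($groups -contains 'Faculty' -or $groups -contains 'Staff') {
    $share = "$FileServer\facstaff\$env:USERNAME"
} elseif ($groups -contains 'Students') {
    $share = "$FileServer\students\$env:USERNAME"
}

if ($share) {
    # Drop a stale mapping first; -Persist makes the drive visible in Explorer.
    if (Get-PSDrive -Name U -ErrorAction SilentlyContinue) { Remove-PSDrive -Name U -Force }
    New-PSDrive -Name U -PSProvider FileSystem -Root $share -Persist -Scope Global | Out-Null
    Write-Log "Mapped U: to $share"
} else {
    Write-Log "No drive mapping rule matched groups: $($groups -join ', ')"
}
```

The group check reads the first RDN of each memberOf DN, so nested group membership is not evaluated, the same limitation as the VBScript version. If a user is in both Faculty/Staff and Students, the elseif gives the faculty/staff share precedence instead of attempting to map U: twice.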
