Network Threat Protection Breaks WPA/WPA2 Negotiations

Updated: 21 May 2010 | 20 comments

smxse

0 0 Votes

Symantec Endpoint Protection Build: 11.0.780.1109

If the Network Threat Protection component is enabled, wireless clients are unable to connect to a wireless access point which requires WPA-PSK (TKIP) or WPA2-PSK (AES) encryption. The authentication negotiation for the wireless connection fails when Network Threat Protection is enabled.

If encryption is disabled on the wireless access point, wireless clients can connect with Network Threat Protection enabled.

If Network Threat Protection is disabled, wireless clients can connect to the wireless access point using WPA or WPA2.

If Network Threat Protection is temporarily disabled, then WPA/WPA2 encryption negotiation succceeds, after which you can re-enable Network Threat Protection and the client continues to be able to use the encrypted wireless connection it obtained while the Network Threat Protection component was temporarily disabled.

I have tested this with two different wireless network adapters:

Netgear WG511T
Intel PRO/Wireless 3945ABG

To ensure it was not a supplicant issue, with both adapters I have used both the vendor wireless configuration utility and the Windows wireless configuration utility.

Both clients are running Microsoft Windows XP Professional SP2 with the KB893357 WPA2 update.

discussion Filed Under:

Security, Endpoint Protection (AntiVirus)

Comments RSS Feed

Comments

Oct

2007

0 Votes 0

ThadJakusz

Hello,

I am also experiencing the same issues as the original poster.

We are unable to resolve wireless connections when Endpoint Network Security is enabled. Both of our wireless networks use WPA2 encryption. I have tried disabling options inside of Network Security, but so far the only way I can resolve a wireless connections to do Disable the entire Network Security.

Thad

Oct

2007

0 Votes 0

T-ReX

I`m having the same problem.

What is the solution?

Thanks

Oct

2007

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

are your clients managed or unmanaged?

are you using the default SEP ruleset for NTP?

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Oct

2007

0 Votes 0

smxse

Hello Paul,

The two clients on which I tested this version of SEP are currently unmanaged.

I assume the SEP ruleset for NTP to which you are referring is something that would be configured if the clients were managed? If so, then I believe my previous answer also answers this question.

Thanks,

Kevan

Oct

2007

0 Votes 0

Paul Murgatroyd

Symantec Employee

Accredited

Certified

In that case, you need the rule "Allow EAPOL" which exists in the managed client and can be set in an unmanaged client if you generate a package from the SEPM and take the policy to your unmanaged client.

Unfortunately at the moment, an unmanaged client does not have this rule nor does it have the UI to allow the local user to set it.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

Oct

2007

0 Votes 0

Hans 2

I don't have a problem with this configuration

HP Laptop

Vista x32 Home premium
Intel PRO/Wireless 3945ABG with latest Intel drivers
SEP11 unmanaged client

Router

Thomson Speedtouch 585iv6
Settings
Interface Type: 802.11g
Actual Speed: 54 Mbps
Channel Selection: Manual
Channel: 9
Security
Broadcast Network Name: Yes
Allow New Devices: New stations are not allowed
Security Mode: WPA-PSK
WPA-PSK Preshared Key: XXXXXXXX
WPA-PSK Encryption: AES
WPA-PSK Version: WPA2

Maybe the problem is with Windows XP or with the drivers. As a workaround create a firewall rule that allows all protocols, both incoming and outgoing traffic with the routers IP or export a policy from a managed client that contains the Allow EAPOL rule and import it to the unmanaged client with smc -importconfig command.

Oct

2007

0 Votes 0

Dan Odle

A few people, myself included, had this issue during the beta testing. However I have found that at least for myself the final versions works fine.

Oct

2007

0 Votes 0

Tony Wilson

I have the full version and it still breaks my wireless connection. This is very annoying, I have to disable network threat protection every time I need internet access. What rule do I have to implement in the firewall to allow access without having to disable network threat protection? I wish there was an option in the firewall that tells you what is trying to connect, and then you decide to allow it access or not. Without this feature you are flying blind. there is no way to see what is trying to come in or out without trawling the logs.

Message Edited by Tony Wilson on 10-19-2007 12:07 AM

Oct

2007

0 Votes 0

fragman

I too am having this isssue. Windows XP SP2, and any WPA network, I can't connect without first disabling the Symantec Endpoint Security Client. After I connect to the WPA network, I can turn it back on. I hope a solution is found soon....

Oct

2007

0 Votes 0

Hans 2

I discovered something else today, with the configuration i'm using above. I can connect with the AP, internet works ok but i can't have filesharing between the vista laptop and two XPSp2 desktops.

The client is managed, Allow wireless EAPOL is there, IPv6 is disabled. The firewall ignores the Microsoft Windows Networking settings. Even if you check "Share my files and printers with others on the network", nothing happens. The firewall blocks all traffic from and to XXXXXX.lan desktops and 137,138 and 139 ports.

The only solution is to create a firewall rule that allows traffic for all the Subnet or for the specific IP's and ports including a broadcast address (192.168.1.255).

Two XP desktops can connect fine to each other by just checking the "Share my files and printers with others on the network" option in SEP and without the need to create a firewall rule.

Message Edited by Hans on 10-19-2007 07:04 PM

Oct

2007

0 Votes 0

finishhimjohnny

So what is the solution for people using unmanaged clients? How do we allow EAPOL? Maybe someone could post an XML file with the needed policy so every person in need could import it?

Oct

2007

0 Votes 0

smxse

Looks like Symantec is working on this issue as there is now official acknowledgement in the knowledgebase

If the link doesn't work, it's document ID 2007101713294448

Oct

2007

0 Votes 0

Tony Wilson

I have managed to get my wireless connection working now with everything turned on. All I did was add the two firewall rules "file & sharing" that symantec say to add for Vista & it now connects to the wireless fine.

Oct

2007

0 Votes 0

zeek

Tony,

Any chance you could post the two rules you are talking about. I have only found 1 rule and after adding that, wireless still doesn't work.

The really odd thing is that one of the PCs on the network, that is not part of the domain nor does it have Endpoint installed, can't even see the SSID of the access point. And this only became an issue after Endpoint was installed.

Ken

Message Edited by zeek on 10-31-2007 09:08 AM

Oct

2007

0 Votes 0

Tony Wilson

Hi Ken, please find the two firewall rules I added that now allows my Windows XP SP-2 laptop to connect to my wireless router with Symantec Endpoint fully enabled.

"Allow Network File & Printer Browsing (TCP)"

Action = Allow Traffic

Protocol = TCP

Remote Ports = 88, 135, 139, 445

Direction = Both

"Allow Network File & Printer Browsing (UDP)"

Action = Allow Traffic

Protocol = UDP

Remote Ports = 88

Local ports = 88, 137, 138

Direction = Both

Hopes this helps

Cheers

Tony

Oct

2007

0 Votes 0

Bx.Cornwell

well, i don't know if those two rules will help anyone else, Tony, but I wish they would have worked for me

Endpoint (unmanaged)

Linksys WMP54GS PCI card and Linksys WRT54GS router, connecting w/ WPA security and TKIP authentication

tried using XP's wifi config window and Linksys wifi config window... in both cases I still had to totally disable Network Threat protection to get through (before and after adding those rules you suggested)...

so there must be something else....

Nov

2007

0 Votes 0

SergeM

I tried to export the EOPOL rule from my managed consol, and import it on an unmanaged laptop but it does not work (The file extention that the consol create and the file extention to do an import on an unmanaged PC is not the same.

Could may be symantec work on that problem very rapidly since basicly all wireless network uses WPA this days!!!!!!!

Could they at lease tell use how to create this rule manually, or provide us with the right policy so that we can importe it.

This should be a very easy procedure. May be there is a registry key that enable the same firewall management system that on managed PC that we can change in order to create the rule ourself.

Serge

Nov

2007

0 Votes 0

Tony Wilson

I have unchecked the two firewall rules I mentioned earlier & my wireless still connects fine. So I am not sure why it is connecting now as that was the only change I made. Weird, because when I first installed SEPP I was having the exact problem as this thread, now all of a sudden I am not. Sorry I cant telll you why it works all of a sudden...

Dec

2007

0 Votes 0

Douglas Sparks

My WAP is a DLink N using WPA2-PSK, and I've been hammering on this for weeks....that is until I tried the above 2 rules. Voila!!! I am back connected and stable, surfing the net and sending/receiving email with the full-blown Network Threat Protection ON. (XP Pro SP2 PC)

Thank you, thank you, thank you!!!!!!!!!!!!!!!!!!!!!!!!!!

Doug

Sep

2009

0 Votes 0

Pankaj Wadkar

Acquiring IP for Wifi Clients

Another Solution :

I have totally removed the " Network Threat Protection" and "Device Control " form my unmanaged SEP installation. Now I can acquire IP from my windows 2003 DHCP server with WPA encryption.

Pankaj

Network Threat Protection Breaks WPA/WPA2 Negotiations

Comments

Acquiring IP for Wifi Clients

Would you like to reply?

Links

Technical Support

Symantec.com

Store

Community Stats