Endpoint Protection


Network Threat Protection Breaks WPA/WPA2 Negotiations

  • 1.  Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 09, 2007 10:58 PM
    Symantec Endpoint Protection Build: 11.0.780.1109

    If the Network Threat Protection component is enabled, wireless clients are unable to connect to a wireless access point which requires WPA-PSK (TKIP) or WPA2-PSK (AES) encryption.  The authentication negotiation for the wireless connection fails when Network Threat Protection is enabled.

    If encryption is disabled on the wireless access point, wireless clients can connect with Network Threat Protection enabled.

    If Network Threat Protection is disabled, wireless clients can connect to the wireless access point using WPA or WPA2.

    If Network Threat Protection is temporarily disabled, then WPA/WPA2 encryption negotiation succeeds, after which you can re-enable Network Threat Protection and the client continues to be able to use the encrypted wireless connection it obtained while the Network Threat Protection component was temporarily disabled.

    I have tested this with two different wireless network adapters:

    Netgear WG511T
    Intel PRO/Wireless 3945ABG

    To ensure it was not a supplicant issue, with both adapters I have used both the vendor wireless configuration utility and the Windows wireless configuration utility.

    Both clients are running Microsoft Windows XP Professional SP2 with the KB893357 WPA2 update.


  • 2.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 10, 2007 11:06 AM
    Hello,
    I am also experiencing the same issues as the original poster.

    We are unable to resolve wireless connections when Endpoint Network Security is enabled.  Both of our wireless networks use WPA2 encryption.  I have tried disabling options inside of Network Security, but so far the only way I can resolve a wireless connection is to disable the entire Network Security.

    Thad


  • 3.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 11, 2007 01:46 AM
    I'm having the same problem.
    What is the solution?

    Thanks


  • 4.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 11, 2007 05:47 PM
    Are your clients managed or unmanaged?

    Are you using the default SEP ruleset for NTP?

    p.


  • 5.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 11, 2007 06:38 PM
    Hello Paul,

    The two clients on which I tested this version of SEP are currently unmanaged.

    I assume the SEP ruleset for NTP to which you are referring is something that would be configured if the clients were managed?  If so, then I believe my previous answer also answers this question.

    Thanks,

    Kevan


  • 6.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 11, 2007 06:41 PM
    In that case, you need the rule "Allow EAPOL", which exists in the managed client and can be set in an unmanaged client if you generate a package from the SEPM and take the policy to your unmanaged client.
    Unfortunately, at the moment an unmanaged client does not have this rule, nor does it have the UI to allow the local user to set it.


  • 7.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 11, 2007 08:53 PM
    I don't have a problem with this configuration:

    HP Laptop

    Vista x32 Home premium
    Intel PRO/Wireless 3945ABG with latest Intel drivers
    SEP11 unmanaged client

    Router

    Thomson Speedtouch 585iv6
    Settings
    Interface Type: 802.11g
    Actual Speed: 54 Mbps
    Channel Selection: Manual
     Channel: 9
    Security
    Broadcast Network Name: Yes
    Allow New Devices: New stations are not allowed
    Security Mode: WPA-PSK
    WPA-PSK Preshared Key: XXXXXXXX
    WPA-PSK Encryption: AES
    WPA-PSK Version: WPA2

    Maybe the problem is with Windows XP or with the drivers. As a workaround, create a firewall rule that allows all protocols, both incoming and outgoing traffic, with the router's IP, or export a policy from a managed client that contains the Allow EAPOL rule and import it to the unmanaged client with the smc -importconfig command.



  • 8.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 12, 2007 03:50 PM
    A few people, myself included, had this issue during the beta testing. However, I have found that, at least for myself, the final version works fine.


  • 9.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 19, 2007 03:05 AM
    I have the full version and it still breaks my wireless connection. This is very annoying; I have to disable Network Threat Protection every time I need internet access. What rule do I have to implement in the firewall to allow access without having to disable Network Threat Protection? I wish there was an option in the firewall that tells you what is trying to connect, and then you decide whether to allow it access or not. Without this feature you are flying blind. There is no way to see what is trying to come in or out without trawling the logs.


    Message Edited by Tony Wilson on 10-19-2007 12:07 AM


  • 10.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 19, 2007 09:34 AM
    I too am having this issue.  Windows XP SP2, and any WPA network: I can't connect without first disabling the Symantec Endpoint Security client.  After I connect to the WPA network, I can turn it back on. I hope a solution is found soon....


  • 11.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 19, 2007 12:03 PM
    I discovered something else today, with the configuration I'm using above. I can connect to the AP and the internet works OK, but I can't have file sharing between the Vista laptop and two XP SP2 desktops.

    The client is managed, Allow wireless EAPOL is there, IPv6 is disabled. The firewall ignores the Microsoft Windows Networking settings. Even if you check "Share my files and printers with others on the network", nothing happens. The firewall blocks all traffic from and to the XXXXXX.lan desktops and ports 137, 138 and 139.

    The only solution is to create a firewall rule that allows traffic for the whole subnet or for the specific IPs and ports, including a broadcast address (192.168.1.255).

    Two XP desktops can connect fine to each other by just checking the "Share my files and printers with others on the network" option in SEP and without the need to create a firewall rule.


    Message Edited by Hans on 10-19-2007 07:04 PM


  • 12.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 25, 2007 10:15 AM
    So what is the solution for people using unmanaged clients? How do we allow EAPOL? Maybe someone could post an XML file with the needed policy so every person in need could import it?


  • 13.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 26, 2007 08:54 PM
    Looks like Symantec is working on this issue, as there is now official acknowledgement in the knowledgebase.

    If the link doesn't work, it's document ID 2007101713294448


  • 14.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 28, 2007 05:41 PM
    I have managed to get my wireless connection working now with everything turned on. All I did was add the two "file & sharing" firewall rules that Symantec say to add for Vista, and it now connects to the wireless fine.


  • 15.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 31, 2007 12:06 PM
    Tony,

    Any chance you could post the two rules you are talking about? I have only found one rule, and after adding that, wireless still doesn't work.

    The really odd thing is that one of the PCs on the network, that is not part of the domain nor does it have Endpoint installed, can't even see the SSID of the access point. And this only became an issue after Endpoint was installed.

    Ken


    Message Edited by zeek on 10-31-2007 09:08 AM


  • 16.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 31, 2007 06:16 PM
    Hi Ken, please find the two firewall rules I added that now allow my Windows XP SP2 laptop to connect to my wireless router with Symantec Endpoint fully enabled.

    "Allow Network File & Printer Browsing (TCP)"
    Action = Allow Traffic
    Protocol = TCP
    Remote Ports = 88, 135, 139, 445
    Direction = Both

    "Allow Network File & Printer Browsing (UDP)"
    Action = Allow Traffic
    Protocol = UDP
    Remote Ports = 88
    Local Ports = 88, 137, 138
    Direction = Both

    Hope this helps.
    Cheers
    Tony

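The firewall rules discussed in this thread (the "Allow EAPOL" rule in reply 6, the router-IP workaround in reply 7, the subnet/broadcast rule in reply 11 and the port-based rules in reply 16) can be put side by side in a small model. What follows is an added example, not code from the thread or from Symantec, and it does not reproduce the SEP firewall engine: the rule fields with AND semantics, first-match evaluation with a default block, the MAC and IP addresses and the sample frames are all assumptions constructed for the example. The one fact it rests on is that the WPA/WPA2-PSK 4-way handshake is carried in EAPOL-Key frames, Ethernet frames with EtherType 0x888E and no IP header, which is why a rule has to match at the Ethernet layer to let the negotiation through.

```python
"""Added example (not Symantec's code): a toy host firewall in front of a wireless NIC.
Fact used: the WPA/WPA2-PSK 4-way handshake travels in EAPOL-Key frames, raw Ethernet frames
with EtherType 0x888E and no IP header. Rule semantics, addresses and frames are constructed."""
from __future__ import annotations
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4, ETHERTYPE_EAPOL = 0x0800, 0x888E
EAPOL_KEY = 3                 # EAPOL packet type that carries the 4-way handshake
PROTO_TCP, PROTO_UDP = 6, 17

@dataclass
class Frame:
    ethertype: int
    eapol_type: int | None = None
    proto: int | None = None
    src_ip: str | None = None
    dst_ip: str | None = None
    sport: int | None = None
    dport: int | None = None

def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame just far enough to classify it."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype, body = struct.unpack("!H", raw[12:14])[0], raw[14:]
    if ethertype == ETHERTYPE_EAPOL:
        _version, eapol_type, _length = struct.unpack("!BBH", body[:4])
        return Frame(ethertype, eapol_type=eapol_type)
    if ethertype == ETHERTYPE_IPV4:
        ihl = (body[0] & 0x0F) * 4
        src, dst = (str(ipaddress.IPv4Address(body[i:i + 4])) for i in (12, 16))
        sport, dport = struct.unpack("!HH", body[ihl:ihl + 4])  # TCP and UDP both begin with the ports
        return Frame(ethertype, proto=body[9], src_ip=src, dst_ip=dst, sport=sport, dport=dport)
    return Frame(ethertype)

@dataclass
class Rule:
    """Every field that is set must match (assumed AND semantics); unset fields match anything."""
    name: str
    ethertype: int | None = None                    # layer-2 match, used by the EAPOL rule
    proto: int | None = None                        # 6 = TCP, 17 = UDP
    remote_net: ipaddress.IPv4Network | None = None
    remote_ports: frozenset[int] = frozenset()
    local_ports: frozenset[int] = frozenset()

    def matches(self, f: Frame, direction: str) -> bool:
        if self.ethertype is not None:
            return f.ethertype == self.ethertype
        if f.ethertype != ETHERTYPE_IPV4:
            return False      # an IP-keyed rule never sees a non-IP frame, so EAPOL falls through
        if direction == "out":
            remote_ip, remote_port, local_port = f.dst_ip, f.dport, f.sport
        else:
            remote_ip, remote_port, local_port = f.src_ip, f.sport, f.dport
        return ((self.proto is None or f.proto == self.proto)
                and (self.remote_net is None or ipaddress.IPv4Address(remote_ip) in self.remote_net)
                and (not self.remote_ports or remote_port in self.remote_ports)
                and (not self.local_ports or local_port in self.local_ports))

def evaluate(rules: list[Rule], raw: bytes, direction: str) -> str:
    """First matching rule wins; an unmatched frame is dropped (assumed default policy)."""
    frame = parse_frame(raw)
    return next((r.name for r in rules if r.matches(frame, direction)), "BLOCK")

def eth(src: bytes, dst: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload

def ipv4(proto: int, src: str, dst: str, sport: int, dport: int) -> bytes:
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16      # ports only, rest zeroed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + l4

# Constructed MACs and frames: 4-way handshake message 1 (AP -> client), an SMB
# connection to a LAN file server, and a NetBIOS name-service broadcast.
AP, STA, BCAST = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
EAPOL_KEY_MSG1 = eth(AP, STA, ETHERTYPE_EAPOL, struct.pack("!BBH", 2, EAPOL_KEY, 95) + b"\x02" + b"\x00" * 94)
SMB_TO_SERVER = eth(STA, AP, ETHERTYPE_IPV4, ipv4(PROTO_TCP, "192.168.1.50", "192.168.1.20", 49152, 445))
NETBIOS_BCAST = eth(STA, BCAST, ETHERTYPE_IPV4, ipv4(PROTO_UDP, "192.168.1.50", "192.168.1.255", 137, 137))

# The rules discussed in the thread, expressed in this model.
ALLOW_EAPOL = Rule("Allow EAPOL", ethertype=ETHERTYPE_EAPOL)
ALLOW_ROUTER = Rule("Allow router IP, any protocol", remote_net=ipaddress.IPv4Network("192.168.1.1/32"))
ALLOW_FILE_TCP = Rule("Allow Network File & Printer Browsing (TCP)", proto=PROTO_TCP,
                      remote_ports=frozenset({88, 135, 139, 445}))
ALLOW_LAN_NETBIOS = Rule("Allow subnet NetBIOS (UDP)", proto=PROTO_UDP,
                         remote_net=ipaddress.IPv4Network("192.168.1.0/24"), local_ports=frozenset({137, 138}))
IP_ONLY_RULES = [ALLOW_ROUTER, ALLOW_FILE_TCP, ALLOW_LAN_NETBIOS]
WITH_EAPOL_RULE = [ALLOW_EAPOL] + IP_ONLY_RULES

if __name__ == "__main__":
    samples = ((EAPOL_KEY_MSG1, "in"), (SMB_TO_SERVER, "out"), (NETBIOS_BCAST, "out"))
    for name, rules in (("IP rules only", IP_ONLY_RULES), ("with Allow EAPOL", WITH_EAPOL_RULE)):
        print(name, [evaluate(rules, raw, direction) for raw, direction in samples])
```

Running it prints, for each rule set, the rule each sample frame hits: with IP-keyed rules only, the EAPOL-Key frame reaches the default block while the SMB and NetBIOS samples are allowed; adding the Ethernet-layer rule is what lets the handshake through, and it is the only rule in the set that can, since the other three never see the frame.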

  • 17.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Oct 31, 2007 07:47 PM
    Well, I don't know if those two rules will help anyone else, Tony, but I wish they would have worked for me.

    Endpoint (unmanaged)
    Linksys WMP54GS PCI card and Linksys WRT54GS router, connecting with WPA security and TKIP authentication

    Tried using XP's wifi config window and the Linksys wifi config window... in both cases I still had to totally disable Network Threat Protection to get through (before and after adding those rules you suggested)...

    So there must be something else....


  • 18.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Nov 11, 2007 10:03 AM
    I tried to export the EAPOL rule from my managed console and import it on an unmanaged laptop, but it does not work (the file extension that the console creates and the file extension needed to do an import on an unmanaged PC are not the same).
    Could Symantec maybe work on that problem very rapidly, since basically all wireless networks use WPA these days!!!!!!!
    Could they at least tell us how to create this rule manually, or provide us with the right policy so that we can import it.
    This should be a very easy procedure. Maybe there is a registry key that enables the same firewall management system as on managed PCs that we can change in order to create the rule ourselves.

    Serge



  • 19.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Nov 11, 2007 04:46 PM
    I have unchecked the two firewall rules I mentioned earlier and my wireless still connects fine. So I am not sure why it is connecting now, as that was the only change I made. Weird, because when I first installed SEP I was having the exact problem as this thread; now all of a sudden I am not. Sorry I can't tell you why it works all of a sudden...


  • 20.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Dec 06, 2007 12:05 AM
    My WAP is a D-Link N using WPA2-PSK, and I've been hammering on this for weeks... that is, until I tried the above two rules.  Voila!!!  I am back connected and stable, surfing the net and sending/receiving email with the full-blown Network Threat Protection ON.  (XP Pro SP2 PC)

    Thank you, thank you, thank you!!!!!!!!!!!!!!!!!!!!!!!!!!

    Doug



  • 21.  RE: Network Threat Protection Breaks WPA/WPA2 Negotiations

    Posted Sep 24, 2009 03:20 AM
    Another solution:

    I have totally removed the "Network Threat Protection" and "Device Control" from my unmanaged SEP installation. Now I can acquire an IP from my Windows 2003 DHCP server with WPA encryption.

    Pankaj