
Network Threat Protection Breaks WPA/WPA2 Negotiations

Created: 09 Oct 2007 • Updated: 21 May 2010 | 20 comments

Symantec Endpoint Protection Build: 11.0.780.1109

If the Network Threat Protection component is enabled, wireless clients are unable to connect to a wireless access point which requires WPA-PSK (TKIP) or WPA2-PSK (AES) encryption.  The authentication negotiation for the wireless connection fails when Network Threat Protection is enabled.

If encryption is disabled on the wireless access point, wireless clients can connect with Network Threat Protection enabled.

If Network Threat Protection is disabled, wireless clients can connect to the wireless access point using WPA or WPA2.

If Network Threat Protection is temporarily disabled, then WPA/WPA2 encryption negotiation succeeds, after which you can re-enable Network Threat Protection and the client continues to be able to use the encrypted wireless connection it obtained while the Network Threat Protection component was temporarily disabled.

I have tested this with two different wireless network adapters:

Netgear WG511T
Intel PRO/Wireless 3945ABG

To ensure it was not a supplicant issue, with both adapters I have used both the vendor wireless configuration utility and the Windows wireless configuration utility.

Both clients are running Microsoft Windows XP Professional SP2 with the KB893357 WPA2 update.

Comments (20)

ThadJakusz:
Hello,
I am also experiencing the same issues as the original poster.

We are unable to resolve wireless connections when Endpoint Network Security is enabled. Both of our wireless networks use WPA2 encryption. I have tried disabling options inside of Network Security, but so far the only way I can resolve a wireless connection is to disable the entire Network Security.

Thad
T-ReX:
I'm having the same problem.
What is the solution?

Thanks
Paul Murgatroyd:
Are your clients managed or unmanaged?
 
Are you using the default SEP ruleset for NTP?
 
p.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

smxse:

Hello Paul,

The two clients on which I tested this version of SEP are currently unmanaged.

I assume the SEP ruleset for NTP to which you are referring is something that would be configured if the clients were managed?  If so, then I believe my previous answer also answers this question.

Thanks,

Kevan

Paul Murgatroyd:
In that case, you need the rule "Allow EAPOL" which exists in the managed client and can be set in an unmanaged client if you generate a package from the SEPM and take the policy to your unmanaged client. 
Unfortunately at the moment, an unmanaged client does not have this rule nor does it have the UI to allow the local user to set it.

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint
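As an added illustration (not code from this thread, from Symantec, or from the SEP product) of what an "Allow EAPOL" rule has to match: EAPOL (IEEE 802.1X) frames use EtherType 0x888E and carry no IP header at all, so the WPA/WPA2 4-way handshake never matches an IP- or port-based firewall rule. The Python below classifies Ethernet frames the way a layer-2 rule would and labels which handshake message an EAPOL-Key frame carries; the sample frames are constructed inline with zeroed nonces and MICs.

```python
import struct

ETHERTYPE_EAPOL = 0x888E  # EAPOL has its own EtherType: no IP header, so IP/port rules never see it
EAPOL_KEY = 3             # EAPOL packet type that carries the WPA/WPA2 key handshake
KEY_DATA_OFF = 93         # offset of Key Data Length in the 95-byte fixed EAPOL-Key body

def handshake_message(key_info: int, key_data_len: int):
    """Map the EAPOL-Key 'Key Information' flags to 4-way handshake message 1..4."""
    pairwise = bool(key_info & 0x0008)   # Key Type bit: pairwise (PTK) vs group key
    install = bool(key_info & 0x0040)
    ack = bool(key_info & 0x0080)
    mic = bool(key_info & 0x0100)
    if not pairwise:
        return None                      # group-key handshake, not part of the 4-way
    if ack and not mic:
        return 1                         # AP -> STA: ANonce
    if ack and mic and install:
        return 3                         # AP -> STA: install PTK, encrypted GTK in key data
    if mic and not ack:
        return 2 if key_data_len else 4  # STA -> AP: msg 2 carries the RSN/WPA IE, msg 4 carries nothing
    return None

def classify(frame: bytes) -> dict:
    """What a host firewall sees: the EtherType first, then the EAPOL header and key flags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    result = {"ethertype": ethertype, "allow_eapol": ethertype == ETHERTYPE_EAPOL, "msg": None}
    if not result["allow_eapol"] or len(frame) < 18:
        return result
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if ptype == EAPOL_KEY and len(body) >= KEY_DATA_OFF + 2:
        key_info = struct.unpack("!H", body[1:3])[0]
        key_data_len = struct.unpack("!H", body[KEY_DATA_OFF:KEY_DATA_OFF + 2])[0]
        result["msg"] = handshake_message(key_info, key_data_len)
    return result

def eapol_key_frame(key_info: int, key_data: bytes = b"") -> bytes:
    """Constructed sample frame (nonce, MIC and counters zeroed); only the headers matter here."""
    body = (bytes([2]) + struct.pack("!H", key_info) + b"\x00" * 90
            + struct.pack("!H", len(key_data)) + key_data)
    eth = b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", 2, EAPOL_KEY, len(body)) + body

if __name__ == "__main__":
    for ki, data in ((0x008A, b""), (0x010A, b"\x30\x02\x01\x00"), (0x13CA, b"\x00" * 56), (0x030A, b"")):
        print(classify(eapol_key_frame(ki, data)))
```

A firewall that drops everything except IP traffic blocks message 1 before the supplicant can even reply, which matches the symptom in this thread; once the handshake has completed, data flows as ordinary IP and the firewall no longer interferes.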

Hans 2:

I don't have a problem with this configuration

HP Laptop

Vista x32 Home premium
Intel PRO/Wireless 3945ABG with latest Intel drivers
SEP11 unmanaged client

Router

Thomson Speedtouch 585iv6
Settings
Interface Type: 802.11g
Actual Speed: 54 Mbps
Channel Selection: Manual
 Channel: 9
Security
Broadcast Network Name: Yes
Allow New Devices: New stations are not allowed
Security Mode: WPA-PSK
WPA-PSK Preshared Key: XXXXXXXX
WPA-PSK Encryption: AES
WPA-PSK Version: WPA2

Maybe the problem is with Windows XP or with the drivers. As a workaround create a firewall rule that allows all protocols, both incoming and outgoing traffic with the routers IP or export a policy from a managed client that contains the Allow EAPOL rule and import it to the unmanaged client with smc -importconfig command.

Dan Odle:
A few people, myself included, had this issue during the beta testing. However I have found that at least for myself the final versions works fine.
Tony Wilson:
I have the full version and it still breaks my wireless connection. This is very annoying, I have to disable network threat protection every time I need internet access. What rule do I have to implement in the firewall to allow access without having to disable network threat protection? I wish there was an option in the firewall that tells you what is trying to connect, and then you decide to allow it access or not. Without this feature you are flying blind. There is no way to see what is trying to come in or out without trawling the logs.

Message Edited by Tony Wilson on 10-19-2007 12:07 AM

fragman:

I too am having this issue. Windows XP SP2, and any WPA network, I can't connect without first disabling the Symantec Endpoint Security Client. After I connect to the WPA network, I can turn it back on. I hope a solution is found soon....

Hans 2:

I discovered something else today, with the configuration I'm using above. I can connect with the AP, internet works ok but I can't have filesharing between the Vista laptop and two XP SP2 desktops.

The client is managed, Allow wireless EAPOL is there, IPv6 is disabled. The firewall ignores the Microsoft Windows Networking settings. Even if you check "Share my files and printers with others on the network", nothing happens. The firewall blocks all traffic from and to XXXXXX.lan desktops and 137,138 and 139 ports.

The only solution is to create a firewall rule that allows traffic for all the Subnet or for the specific IP's and ports including a broadcast address (192.168.1.255).

Two XP desktops can connect fine to each other by just checking the "Share my files and printers with others on the network" option in SEP and without the need to create a firewall rule.

Message Edited by Hans on 10-19-2007 07:04 PM

finishhimjohnny:

So what is the solution for people using unmanaged clients? How do we allow EAPOL? Maybe someone could post an XML file with the needed policy so every person in need could import it?

smxse:

Looks like Symantec is working on this issue as there is now official acknowledgement in the knowledge base.

If the link doesn't work, it's document ID 2007101713294448

Tony Wilson:
I have managed to get my wireless connection working now with everything turned on. All I did was add the two firewall rules "file & sharing" that Symantec say to add for Vista & it now connects to the wireless fine.
zeek:

Tony,

Any chance you could post the two rules you are talking about. I have only found 1 rule and after adding that, wireless still doesn't work.

The really odd thing is that one of the PCs on the network, that is not part of the domain nor does it have Endpoint installed, can't even see the SSID of the access point. And this only became an issue after Endpoint was installed.

Ken

Message Edited by zeek on 10-31-2007 09:08 AM

Tony Wilson:
Hi Ken, please find the two firewall rules I added that now allow my Windows XP SP2 laptop to connect to my wireless router with Symantec Endpoint fully enabled.
 
"Allow Network File & Printer Browsing (TCP)"
Action = Allow Traffic
Protocol = TCP
Remote Ports = 88, 135, 139, 445
Direction = Both
 
"Allow Network File & Printer Browsing (UDP)"
Action = Allow Traffic
Protocol = UDP
Remote Ports = 88
Local ports = 88, 137, 138
Direction = Both
 
Hope this helps
Cheers
Tony
Bx.Cornwell:
Well, I don't know if those two rules will help anyone else, Tony, but I wish they would have worked for me.

Endpoint (unmanaged)
Linksys WMP54GS PCI card and Linksys WRT54GS router, connecting w/ WPA security and TKIP authentication

Tried using XP's wifi config window and Linksys wifi config window... in both cases I still had to totally disable Network Threat Protection to get through (before and after adding those rules you suggested)...

So there must be something else....
SergeM:
I tried to export the EAPOL rule from my managed console, and import it on an unmanaged laptop but it does not work (the file extension that the console creates and the file extension to do an import on an unmanaged PC are not the same).
Could Symantec maybe work on that problem very rapidly since basically all wireless networks use WPA these days!!!!!!!
Could they at least tell us how to create this rule manually, or provide us with the right policy so that we can import it.
This should be a very easy procedure. Maybe there is a registry key that enables the same firewall management system as on managed PCs that we can change in order to create the rule ourselves.

Serge
 
 
Tony Wilson:
I have unchecked the two firewall rules I mentioned earlier & my wireless still connects fine. So I am not sure why it is connecting now as that was the only change I made. Weird, because when I first installed SEPP I was having the exact problem as this thread, now all of a sudden I am not. Sorry I can't tell you why it works all of a sudden...
Douglas Sparks:
My WAP is a DLink N using WPA2-PSK, and I've been hammering on this for weeks....that is until I tried the above 2 rules.  Voila!!!  I am back connected and stable, surfing the net and sending/receiving email with the full-blown Network Threat Protection ON.  (XP Pro SP2 PC)
 
Thank you, thank you, thank you!!!!!!!!!!!!!!!!!!!!!!!!!!
 
Doug
 
Pankaj Wadkar:

Another Solution :

I have totally removed the "Network Threat Protection" and "Device Control" from my unmanaged SEP installation. Now I can acquire an IP from my Windows 2003 DHCP server with WPA encryption.

Pankaj