Endpoint Protection

  • 1.  Cisco Radius Server Connection issue

    Posted Feb 21, 2018 03:36 PM

    Preface – We have deployed CISCO ISE (Radius services) in the Irving Campus (Texas). CISCO ISE is configured to pre-authenticate devices using 802.1x prior to getting on the wired network. The client device requirements before getting access on the network are: 1. Must be joined to the ISC domain, 2. Must have a machine cert trusted by ISE, 3. Must be configured to use 802.1x per Cisco's specification (basically authentication configuration on the NIC).

    Issue – Since deploying ISE last October, we have random users getting disconnected from the network each day, averaging about 5-10 users at one point. It is very random; the clients somehow lose network connectivity and are unable to re-authenticate with the Radius server.

    Troubleshooting – After months of troubleshooting with Cisco and Microsoft, Microsoft recently found in network traces that the EAP request/response from Radius was getting blocked by the DOT3SVC service. DOT3SVC is the service called “Wired AutoConfig” on Windows machines. This service is responsible for 802.1x authentication. Microsoft has indicated that this service can be impacted by a filter driver commonly used with anti-virus software. SEP Network Threat Protection is running on all client machines.

    Symantec Assistance – Please help us with troubleshooting the Symantec portion of this overall issue. We need help in analyzing the Symantec Network Protection logs as they pertain to EAP (802.1x) communication; we need suggestions from Symantec to help capture whether Symantec is playing a role in this interruption or not; and we also need to know if Symantec has had any issues like this in the past, so they can share their experience and resolution when deploying SEP with a Radius server.



  • 2.  RE: Cisco Radius Server Connection issue

    Posted Feb 21, 2018 03:39 PM

    So you've verified it works when disabling the SEP firewall? Have you reviewed the Traffic log using the required setting to see all traffic?

    http://www.symantec.com/docs/TECH203497

    If you want official support you may need to enable TSE debugging and get it over to them for review. It's best to get Symantec/MS/Cisco together on this:

    http://www.symantec.com/docs/TECH207795

    I've not seen this with our current ISE setup. Exact version of SEP is?



  • 3.  RE: Cisco Radius Server Connection issue

    Posted Feb 21, 2018 03:48 PM

    Current Version of SEP is 12.1.7369.6900



  • 4.  RE: Cisco Radius Server Connection issue

    Posted Feb 21, 2018 03:50 PM

    If you're going to remain on 12.1 then I'd suggest upgrading to the latest version (12.1.6 MP) on a couple clients to see what the result is.

    Other than that, support can assist on what all will be needed to troubleshoot.



  • 5.  RE: Cisco Radius Server Connection issue

    Posted Feb 21, 2018 05:39 PM


    Hi Brian - I'm working with Avikar on this issue.

    No, we have not turned off SEP on machines to see if we can rule it out that way. The issue is so random (so it appears) that the only way for us to know for sure is to remove SEP from an entire floor of the building. I'd also like to mention the client machines are also running Cylance and Redcloak (spl?). If SEP is truly blocking, would it show in the network protection traffic logs? What can we do to prove or disprove, without a doubt, that SEP has anything to do with this?




  • 6.  RE: Cisco Radius Server Connection issue

    Posted Feb 21, 2018 05:47 PM

    The Traffic log would show firewall traffic blocked/allowed, assuming it's configured correctly to show all actions taken on traffic.

    The easiest and quickest way to go is to temporarily disable the firewall and observe. Have you done the same with Cylance and Red Cloak?

    Again, though, I'd recommend engaging Symantec support. There's a lot going on with those machines that isn't the norm. Cylance and Red Cloak are both advanced endpoint protection products, so I'm not sure why both need to be installed as they live in the same space.



  • 7.  RE: Cisco Radius Server Connection issue

    Posted Feb 21, 2018 06:05 PM

    Yes, we have an official ticket with support as well as posting in this forum. This issue has been bugging us for so long and has been such a big mystery that we are trying to get assistance from all angles. Yes, we are taking the same approach with Cylance: this week we are removing Cylance completely from the machines for 72 hours for an entire floor and observing. Being that this occurs every day but only to a few users and very randomly, we should know pretty quickly if this has an impact. I know removing SEP will never be an option, so even if it's SEP we may need to figure out how to "allow" this communication.



  • 8.  RE: Cisco Radius Server Connection issue

    Posted Feb 21, 2018 06:07 PM

    The Traffic log is where to look. By default the last rule in the stack, which is a 'catch-all', doesn't log so logging needs to be enabled for it. That would show everything being blocked then. But the first place I'd start is just disabling the firewall for a period of time and see what the result is. If it is determined to be the firewall then go to the Traffic log and investigate.



  • 9.  RE: Cisco Radius Server Connection issue

    Posted Feb 22, 2018 01:41 PM

    Where do we check to see if the firewall is even installed or configured? From the client I don't see "firewall", yet there are network traffic logs showing "Block 15" and the MAC address of CISCO ISE.

    Still waiting on the SEP engineer for my case.



  • 10.  RE: Cisco Radius Server Connection issue

    Posted Feb 22, 2018 01:44 PM

    Add/Remove Programs >> Programs and Features, select SEP and select Change. Hit Next, then Modify, and the list will show which components are installed. If your Traffic log has entries then it should be installed.
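Posts 8 and 9 describe the check the thread converges on: enable logging on the catch-all firewall rule, export the Traffic log, and look for Block entries involving the 802.1x exchange (the ISE/switch MAC showing up next to "Block"). The script below is an added example for triaging such an export, not code from the thread or from Symantec. It assumes a generic CSV layout (column names `time,action,direction,ethertype,protocol,local_mac,remote_mac,remote_ip,rule`) that is a constructed stand-in for whatever the real SEP export looks like; the MAC addresses, timestamps and rule names are made up. The only standard values it relies on are the EAPOL EtherType (0x888E) and the IEEE 802.1X PAE group address (01:80:C2:00:00:03), which are how 802.1x frames can be recognised in any frame-level log.

```python
import csv
import io
from collections import Counter

# IEEE 802.1X constants (standard values, not taken from the thread).
EAPOL_ETHERTYPE = "0x888E"           # EtherType carried by EAPOL frames
PAE_GROUP_MAC = "01:80:c2:00:00:03"  # Port Access Entity group address

# Constructed sample export. The column names and layout are an assumption
# for this example and are NOT the real SEP Traffic log format; MACs,
# timestamps and rule names are made up.
SAMPLE_LOG = """\
time,action,direction,ethertype,protocol,local_mac,remote_mac,remote_ip,rule
2018-02-22 08:01:12,Allow,Outbound,0x0800,TCP,00:11:22:33:44:55,00:aa:bb:cc:dd:01,10.0.0.5,Allow LAN
2018-02-22 08:01:15,Block,Inbound,0x888E,EAPOL,00:11:22:33:44:55,00:aa:bb:cc:dd:02,,Block all other traffic
2018-02-22 08:01:15,Block,Outbound,0x888E,EAPOL,00:11:22:33:44:55,01:80:c2:00:00:03,,Block all other traffic
2018-02-22 08:02:40,Block,Inbound,0x0800,UDP,00:11:22:33:44:55,00:aa:bb:cc:dd:09,192.0.2.77,Block all other traffic
2018-02-22 08:03:01,Allow,Inbound,0x888E,EAPOL,00:11:22:33:44:55,00:aa:bb:cc:dd:02,,Allow EAPOL
"""


def is_eapol(row):
    """An entry is 802.1x-related if it carries the EAPOL EtherType or is
    addressed to the PAE group MAC (the supplicant's EAPOL-Start target)."""
    return (row["ethertype"].lower() == EAPOL_ETHERTYPE.lower()
            or row["remote_mac"].lower() == PAE_GROUP_MAC)


def find_eapol_blocks(log_text):
    """Return the blocked 802.1x entries from a CSV traffic-log export."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [row for row in reader
            if row["action"].lower() == "block" and is_eapol(row)]


def blocks_by_rule_and_peer(blocked):
    """Count blocked EAPOL entries per (rule, remote MAC) so the offending
    firewall rule and the authenticator's MAC stand out; the peer MAC is what
    you compare against the ISE/switch MAC seen in the client's log."""
    return Counter((r["rule"], r["remote_mac"]) for r in blocked)


if __name__ == "__main__":
    blocked = find_eapol_blocks(SAMPLE_LOG)
    for (rule, peer), n in blocks_by_rule_and_peer(blocked).items():
        print(f"{n} blocked EAPOL frame(s) by rule {rule!r} to/from {peer}")
```

In the constructed sample the two EAPOL blocks both land on the catch-all rule, which is exactly the situation post 8 describes: the rule is doing the blocking but would not have appeared in the log at all had logging not been enabled on it. Replace `SAMPLE_LOG` with the real export (and adjust the column names to match) before drawing any conclusion about a production client.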