This article describes how to upgrade the Endpoint Security Assessment Plug-In (ESAP) in an L2 authentication (802.1x) environment.
The ESAP package library on a client machine (Junos Pulse or OAC) will not upgrade in an L2 authentication (802.1x) environment even if the ESAP package was already upgraded on the UAC appliance.
From client logs, you may see the following outputs:
00177,09 2014/01/03 10:42:02.281 3 xxx OdTray.exe odTray p1416 t1594 OdTrayWindow.cpp:567 - 'odTray' OD_CONNECT_STATUS (detailed) - L2_DISCONNECTED L2_AUTHENTICATION_FAILED
00152,09 2014/01/03 10:44:30.633 1 xxx jTnccService.exe OpswatIMC p1512 tCAC opssdk.cpp:603 - 'OpsSDK::downloadFile' unable to download file UnifiedSDK.zip.
The client-side ESAP package upgrade requires L3 connectivity to the UAC appliance. If the L2 authentication network (with 802.1x) is configured with no open port for the UAC appliance, the client is unable to obtain an IP address when L2 authentication fails. If the remediation VLAN is unable to reach the UAC appliance via L3, the HostChecker module cannot download the ESAP package from the UAC appliance. Thus, the client ESAP libraries cannot upgrade.
This is by design.
To avoid this situation, use one of the workarounds listed below:
- Switch ESAP check enforcement to evaluation only. It will then accept authentication and assign full network access, which will enable the client to communicate with the UAC appliance. After a periodical check is run, the ESAP library can be upgraded. After the library is upgraded, you can switch the HostChecker option back to enforcement.
- Create a remediation VLAN to access the UAC appliance via L3 access without authentication.
- Install an ESAP 2.5.1 module to each endpoint by using the ESAP 2.5.1 Installer.exe.
- Run the installer with admin credentials.
- You must add arguments as /oac or /pulse (accordingly) to run the installer and update the files.