NAP and Sophos AV?

  • Question

  • Does anyone have any experience with NAP and Sophos that they would like to share? We use Sophos 7.5.1 on our network, and we're thinking about deploying 802.1X and NAP (with dynamic VLAN distribution). In my lab test Sophos is not being recognized as a valid AV client by NAP, therefore I'm not "fully compliant", but maybe it's just an error somewhere in my configuration?

    Also, we have a few Macs on our network (sigh). How do you guys deal with Macs in your NAP environment? Manual static VLANs?

    Thanks!

    Dan
    Wednesday, July 30, 2008 11:30 PM

Answers

  • Hi Dan,

    I don't have experience with Sophos, but I can point you to a couple of resources.  Check the Security Center FAQ regarding how Security Center detects 3rd party products. In order to use the Windows SHA/SHV, Sophos will need to be detected as a valid AV by Security Center.

    There are a couple of ways to deal with Macintosh computers. First, some partners are developing NAP support. If these solutions don't work for you, then you can place these devices and any other health-check-exempted devices on a full access VLAN. You can do that a couple of ways. One would be with the manual static method you described, or if these devices support 802.1X with PEAP, you should be able to authenticate them using your NAP policies. They will match a "non NAP-capable" policy and you can set the VLAN access in this policy dynamically.

    I hope this helps,
    -Greg 
    Saturday, August 2, 2008 6:10 PM
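
The answer above turns on whether Security Center has registered the antivirus product on the client. The following check is an added example, not part of the original thread: it lists what Security Center reports through WMI and whether the services the Windows SHA relies on are running. The function name `Get-RegisteredAntivirus` is hypothetical, and the script assumes Windows PowerShell (which provides `Get-WmiObject`) on the NAP client.

```powershell
# Added example: show which antivirus products Windows Security Center has
# registered on this client. A product that does not appear here is not
# detected by Security Center.

function Get-RegisteredAntivirus {
    # root\SecurityCenter  : Windows XP SP2/SP3 and Vista RTM
    # root\SecurityCenter2 : Vista SP1 and later client releases
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        try {
            # @() keeps an empty result as an empty array (no phantom $null item)
            $products = @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop)
        } catch {
            continue   # namespace does not exist on this OS version
        }
        foreach ($p in $products) {
            New-Object PSObject -Property @{
                Namespace        = $ns
                DisplayName      = $p.displayName
                # Present in the older namespace only; $null elsewhere
                OnAccessScanning = $p.onAccessScanningEnabled
                UpToDate         = $p.productUptoDate
                # Present in SecurityCenter2 only; shown raw, not decoded
                ProductState     = $p.productState
            }
        }
    }
}

# Security Center (wscsvc) and the NAP agent (napagent) must both be running
# for the Windows SHA to report antivirus state.
Get-Service -Name wscsvc, napagent -ErrorAction SilentlyContinue |
    Select-Object Name, Status

$av = @(Get-RegisteredAntivirus)
if ($av.Count -eq 0) {
    Write-Warning 'Security Center reports no registered antivirus product.'
} else {
    $av | Format-Table Namespace, DisplayName, OnAccessScanning, UpToDate, ProductState -AutoSize
}

# What the NAP agent itself currently reports for this client
netsh nap client show state
```

If the product is missing from the WMI output while it is installed and running, the gap is between the product and Security Center rather than in the NPS policy.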

All replies

  • Greg,

    I am also curious on this. Since your last post, have you come across any success story for Sophos + NPS?

    regards,

    Abhijt

    Thursday, September 26, 2013 7:23 AM