Cisco NAC Appliance (Clean Access)

NAC Appliance OS/SP/Hotfix Support Guidelines

PB648834

This document describes Cisco NAC Appliance timelines for incorporating support for new releases of various third-party software packages.

Microsoft OS and Service Pack Release Policy

The NAC Appliance product line provides support for Microsoft products through NAC/Web Agent platform support, OS detection, and various posture checks. Major updates to currently supported OSs are provided in the form of Service Packs. Microsoft provides its technology partners with a well-known structured release process for these updates. According to this process, the NAC Appliance has the following targets for supporting new releases:

| Type | NAC Appliance Support |
| --- | --- |
| Operating System General Availability (GA) | Support the release with an FCS product on the same day |
| Operating System Release to Manufacturing (RTM) | Target will be to support an Early Field Trial (EFT) version of NAC within four weeks |
| Operating System Beta Availability (Beta) | Support for beta versions of new operating systems will be provided on a "best effort" basis |
| Service Pack GA | Support the release with an FCS product on the same day |
| Service Pack RTM | Target will be to support an EFT version of NAC within four weeks |
| Service Pack Beta | Support for beta versions of new service packs will be provided on a "best effort" basis |

Note: While not common, Microsoft may introduce changes post-RTM that affect our ability to deliver support at FCS. In these situations, appropriate guidance will be provided on the release date.

Microsoft Hotfix Release Policy

Microsoft releases fixes for Critical and Important issues on a monthly basis. These fixes are distributed via the Windows Server Update Services (WSUS). Customers can use WSUS for both posture assessment and remediation, but the speed of posture assessment is limited by the nature of WSUS and its global accessibility. One alternative is for the customer to maintain a private WSUS server. Another alternative is to use local posture assessment rules that are provided by Cisco as a service to our customers. Cisco provides a minimum set of rules for the NAC Appliance to address Microsoft Critical Hotfixes. This allows for faster local posture assessment processing. Customers must create additional local rules to maintain and enforce their individual security policies.

To stay up to date with Microsoft Hotfix releases, Cisco provides monthly updates to the posture assessment rules that incorporate the latest releases from Microsoft.

| Type | NAC Appliance Support |
| --- | --- |
| Monthly Hotfix Update | Updated checks and rules are generally available to customers within 72 hours of the Microsoft release. |
| Out-of-Band (OOB) Hotfix | Due to the unpredictable nature of OOB hotfixes, integration and delivery of OOB hotfixes are provided on a "best effort" basis. At minimum, they will be included in the next scheduled hotfix release. |

Cisco provides Hotfix updates to the NAC product through the Cisco Clean Access Update Service. Customers can schedule automatic updates or perform manual updates using the Cisco Clean Access Manager.

Microsoft Hotfix Update Content

Cisco recognizes that different customers have different Microsoft Windows deployment requirements, and different security requirements. In order to achieve a reasonable level of security and still maintain compatibility across a diverse customer base, Cisco incorporates a subset of the Microsoft hotfixes into its NAC hotfix rules updates. The following criteria are applied:

• The fix must apply to either a supported version of the Microsoft Windows operating system or a supported version of Internet Explorer. End-of-life policies are beyond the scope of this document; however, Cisco will support applicable Windows operating systems at least until Microsoft reaches their end-of-support milestone for the product.

• The Severity Rating must be critical. Important severity fixes will not be included in the rules provided by Cisco.

• The fix must not be for an add-on application. Cisco will not include fixes that are for Windows applications. To do so would force Cisco customers who do not use a given application to install the application, or be unable to remediate. Examples include but are not limited to Microsoft Office, Windows Media Player, and DirectX.

• The fix must not be for a component or service of an add-on application. Examples include but are not limited to video drivers, codecs, update services, and .NET.

• The inclusion of the check must not provide false failures on any subset of systems, thus preventing network access for systems that pose no critical risk to the network.

Inclusion of an individual Hotfix is at the sole discretion of Cisco. Cisco will document which Critical fixes are included and which fixes are not included in each monthly release. For Critical fixes that are not included, a brief explanation will be provided. While careful consideration is given to each individual hotfix, there may be concerns raised by individual customers regarding specific fixes. These concerns should be addressed through the normal customer support channels.

Apple OSX Release Policy

Support for the Apple OSX operating system occurs primarily through Mac Agent platform support, OS detection, and various posture checks. Apple provides its technology partners with early access to these operating systems through "Developer Seed" releases; however, they do not typically pre-announce product release dates. Considering this, the NAC Appliance product has the following targets for supporting new Apple OSX releases:

| Type | NAC Appliance Support |
| --- | --- |
| Seed Release Availability | Target support for the seed with an EFT version of NAC within four weeks of release. |
| General Availability | Target support for the release with FCS product within four weeks. |
| Minor Software Update/Hotfix | Generally, these do not impact the NAC Appliance. If they do, please contact the Cisco Technical Assistance Center (TAC). |

Mobile Device Policy

The NAC Appliance product provides support for a number of mobile device operating systems. These devices are supported with web authentication only (i.e., no persistent or temporal agent support). For currently supported mobile platforms (http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html), the NAC Appliance product team targets support within four weeks of general availability. Beta versions of mobile device operating systems are supported on a "best effort" basis.

Compliance Module and AV/AS Support Policy

Cisco also works with technology partners to help provide the broadest support possible for antivirus and antispyware (AV/AS) applications and updates. While attempts are made to support product updates as they are released, there may be situations where a particular application or version may not be immediately available. Generally, support for new AV/AS applications and new versions is introduced with new NAC Agent releases. Updates to AV/AS definitions for currently supported applications are revised monthly and dynamically distributed through the Cisco Clean Access Update Service.

Starting with NAC Appliance Release 4.8, the NAC Agent (Windows only) supports a separate Compliance Module that allows new AV/AS applications and versions to be supported independent of NAC Agent software releases. The Cisco NAC Appliance product team targets new Compliance Module releases every three months. The Compliance Module is available for download via the standard Cisco.com support channel.

Customer concerns with currently supported AV/AS applications or versions should be directed to the standard product support channels.

Web Browser Support Policy

For many operations, the NAC Appliance product uses the capabilities of a web browser installed on a client system. For currently supported web browsers (http://www.cisco.com/en/US/docs/security/nac/appliance/support_guide/agntsprt.html), the NAC Appliance product team targets support for new versions within four weeks of general availability. Beta versions of web browsers are supported on a "best effort" basis.