NAC Appliance: Mac OSX AV Posture on Cisco NAC Release 4.5 Configuration Example

Introduction

This document describes how to configure Mac OS X Clean Access Agent posture assessment via the Network Admission Control (NAC) Manager web console for release 4.5.

Mac posture assessment in this release is limited to AV/AS support only. Refer to the Cisco NAC Appliance (Clean Access) Release Notes for the list of AV/AS that are supported on Mac OSX.

Prerequisites

Requirements

Complete these steps before you attempt this configuration:

This document assumes you are running Cisco NAC Appliance Release 4.5 and that you have completed the following steps according to the guidelines in the Cisco NAC Appliance – Clean Access Manager Installation and Configuration Guide, Release 4.5:

  1. Install or upgrade your NAC Manager and NAC Server with Cisco NAC Appliance release 4.5 as described in Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.5.

  2. Ensure that the latest Mac OS X Agent (version 4.5) and AV/AS support packages are available on your NAC Manager as described in Configure and Download Updates.

  3. Create a default user login page as described in User Login Page.

  4. Require use of the Mac OS X Clean Access Agent 4.5 as described in Require Use of the Agent.

  5. Create one or more user roles for Macintosh users as described in Create User Roles.

Note: Please refer to the Mac OS X Agent restrictions section for the OS X versions, AV/AS products and requirement types that are supported for Mac posture assessment.

Components Used

The information in this document is based on the Cisco NAC Release 4.5.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Mac Posture Assessment with Clam AntiVirus (ClamAV)

The goal of this procedure is to verify that ClamAV 1.1.0 is installed and updated with the latest virus definitions on the client machine.

If ClamAV 1.1.0 is not installed on the client machine, you must provide the user with a link to the ClamAV website in order to download and install the software. Next, you must verify that ClamAV is updated with the latest definitions. If not, the Clean Access Agent can communicate with ClamAV through an API call (with the AV Update requirement type) and request ClamAV to update itself.

Note: As of the Cisco NAC 4.5 release, the AV Update requirement type is supported only with ClamWin AV. For all other AV/AS, a Link Distribution or Local Check type of requirement can be configured to remediate users if their virus definitions are not updated.

Step 1. Configure a Rule to Check if ClamAV is Installed

  1. Go to Device Management > Clean Access > Clean Access Agent > Rules > New AV Rule.

    [Figure: osx_nac_config01a.gif]

  2. Type a name for the rule. This example uses Is_Clamwin_Installed_OSX.

    Note: Be descriptive so that you can easily identify the purpose of the rule. You can use digits and underscores in the name, but no spaces.

  3. Choose ClamWin from the Antivirus Vendor drop-down list.

  4. Choose Installation from the Type drop-down.

  5. Choose Mac OSX from the Operating System drop-down list.

    The table at the bottom of the page is populated with these values.

    [Figure: osx_nac_config01b.gif]

  6. Check the Installation check box for 1.x.

  7. Type a description in the Rule Description text field, and click Save Rule.

The new AV rule is added to the bottom of the Rule List.

[Figure: osx_nac_config02.gif]

Step 2. Configure a Requirement to Remediate Users if ClamAV is not Installed

If the Clean Access Agent detects that ClamAV 1.1.0 is not installed on the client machine, it quarantines the user. At this point, you can configure a Link Distribution requirement type in order to provide the user with a link to download ClamAV 1.1.0.

  1. Click the Clean Access Agent tab, and then click Requirements.

  2. Click New Requirement.

    [Figure: osx_nac_config03.gif]

  3. Choose Link Distribution from the Requirement Type drop-down list.

  4. Choose Mandatory from the Enforce Type drop-down list.

    In this example, the end user is informed of this requirement and cannot proceed or have network access unless the client system meets the requirement.

    Refer to Configuring an Optional/Audit Requirement for information about other enforcement types.

  5. Choose the execution priority level for this requirement on the client machine.

    A high priority (for example, 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Clean Access Agent dialogs in that order). This example assumes that the ClamWin installation check is the first posture requirement and sets the priority to one (1).

    Note: The Mac OS X Agent does not support automatic remediation. Therefore, the remediation type is set to manual. Also, functions that appear on the New Requirement configuration page (Remediation Type, Interval, and Retry Count) do not serve any purpose when you create requirement types for Macintosh client remediation.

  6. In the File Link URL text field, type the URL to which the end users should be directed in order to download ClamAV 1.1.0.

  7. In the Requirement Name text field, type a unique name that conveys the action to the end user.

    This name is visible to users in the Clean Access Agent dialogs. This example uses Download ClamAV.

  8. In the Description text field, type a description of the requirement and instructions to guide users who fail to meet the requirement.

  9. Click the Mac OS check box listed in the Operating System section.

  10. Click Add Requirement in order to add the requirement to the Requirement List.

The new requirement is added to the Requirement List.

[Figure: osx_nac_config04.gif]

Step 3. Map the Link Distribution Requirement with the AV Installation Rule

  1. Click the Clean Access Agent tab, and then click Requirements.

  2. Click Requirement-Rules.

    [Figure: osx_nac_config05a.gif]

  3. From the Requirement Name drop-down list, choose the requirement you created in Step 2.

  4. Choose Mac OSX from the Operating System drop-down list.

    Rules created for the chosen operating system are displayed at the bottom of the page.

    [Figure: osx_nac_config05b.gif]

  5. Click the check box for the rule you created in Step 1, and then click Update.

Step 4. Configure a Rule to Check if ClamAV is Updated

  1. Go to Device Management > Clean Access > Clean Access Agent > Rules > New AV Rule.

    [Figure: osx_nac_config06a.gif]

  2. Type a name for the rule. This example uses Is_ClamAV_Updated_OSX.

    Note: Be descriptive so that you can easily identify the purpose of the rule. You can use digits and underscores in the name, but no spaces.

  3. Choose ClamWin from the Antivirus Vendor drop-down list.

  4. Choose Virus Definition from the Type drop-down list.

  5. Choose Mac OSX from the Operating System drop-down list.

    The Virus Definition Checks for Mac OSX table at the bottom of the page is populated.

    [Figure: osx_nac_config06b.gif]

  6. Check the Installation check box for 1.x.

  7. Type a description in the Rule Description text field, and click Save Rule.

The new AV rule is added to the bottom of the Rule List.

[Figure: osx_nac_config07.gif]

Step 5. Configure a Requirement to Remediate Users if ClamAV is not Updated

If the Clean Access Agent detects that ClamAV 1.1.0 is not updated on the client machine, it quarantines the user. At this point, the user is provided with an Update button in order to remediate.

Once the user clicks the Update button, the Clean Access agent communicates with the underlying ClamAV software and asks ClamAV to update itself.

You can configure an AV Definition Update requirement type in order to implement this functionality.

  1. Click the Clean Access Agent tab, and then click Requirements.

  2. Click New Requirement.

    [Figure: osx_nac_config08.gif]

  3. Choose AV Definition Update from the Requirement Type drop-down list.

  4. Choose Mandatory from the Enforce Type drop-down list.

    In this example, the end user is informed of this requirement and cannot proceed or have network access unless the client system meets the requirement.

    Refer to Configuring an Optional/Audit Requirement for information about other enforcement types.

  5. Choose the execution priority level for this requirement on the client machine.

    A high priority (for example, 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Clean Access Agent dialogs in that order). This example assumes that the ClamWin update check is the second posture requirement and sets the priority to two (2).

    Note: The Mac OS X Agent does not support automatic remediation. Therefore, the remediation type is set to manual. Also, note that the Remediation Type, Interval, and Retry Count options that appear on the New Requirement configuration page do not serve any purpose when you create requirement types for Macintosh client remediation.

  6. Choose ClamWin – (Mac OS) from the Antivirus Vendor Name drop-down list.

    Caution: Make sure you choose the ClamWin – (Mac OS) option, not the ClamWin option.

    Note: As of the Cisco NAC 4.5 release, the AV Update requirement type is supported only with ClamAV on Mac OSX. For all other AV/AS on Mac OSX, a Link Distribution or Local Check requirement type can be configured to remediate users if their virus definitions are not updated.

  7. In the Requirement Name text field, type a unique name that conveys the action to the end user.

    This name is visible to users in the Clean Access Agent dialogs. This example uses Update ClamAV.

  8. In the Description text field, type a description of the requirement and instructions to guide users who fail to meet the requirement.

  9. Click the Mac OS check box listed in the Operating System section.

  10. Click Add Requirement in order to add the requirement to the Requirement List.

The new requirement is added to the Requirement List.

[Figure: osx_nac_config09.gif]

Step 6. Map the AV Definition Update Requirement with the Virus Definition Rule

  1. Click the Clean Access Agent tab, and then click Requirements.

  2. Click Requirement-Rules.

    [Figure: osx_nac_config10a.gif]

  3. From the Requirement Name drop-down list, choose the requirement you created in Step 5.

  4. Choose Mac OSX from the Operating System drop-down list.

    Rules created for the chosen operating system are displayed at the bottom of the page.

    [Figure: osx_nac_config10b.gif]

  5. Click the check box for the rule you created in Step 4, and then click Update.

Step 7. Map the Requirements to Roles

At this point, you can link the posture requirements (which have been mapped to rules) to the role in which the end user is placed.

  1. Click the Clean Access Agent tab, and then click Role-Requirements.

  2. Click Role-Requirements.

    [Figure: osx_nac_config11a.gif]

  3. Choose Normal Login Role from the Role Type drop-down list.

  4. From the User Role drop-down list, choose the role where you want the posture requirements to be applied. This example applies the posture requirements to the employee role.

    The requirements created earlier in this example are displayed at the bottom of the page.

    [Figure: osx_nac_config11b.gif]

  5. Check the check boxes for the requirements that you want to apply to this role, and click Update.

Step 8. Allow Access to the Remediation Site in Temporary Role

Once users are found to be non-compliant, they are quarantined and placed in the temporary role. At this point, the users must be able to reach the remediation resources (AV server, websites, patch servers, etc.) so that they can remediate themselves.

For this purpose, you must open appropriate access in the Temporary Role. In this example, the users must be able to reach http://www.clamxav.com for both the requirements (installation and virus definition update).

  1. Choose User Management > User Roles, and then click the Traffic Control tab.

  2. Click Host.

    [Figure: osx_nac_config12.gif]

  3. Choose Temporary Role from the drop-down list, and scroll down to the bottom of the list.

  4. Add clamxav.com to the Allowed Host list, and click Add.

    [Figure: osx_nac_config13.gif]

    This step ensures that traffic from the clients to http://www.clamxav.com is allowed through the NAC servers.

    Note: These two conditions are important:

    • The NAC server uses the DNS response from the DNS server to dynamically open up access. Hence, the return traffic from the DNS server (DNS response) must go through the NAC server.

    • You must have a trusted DNS server defined. For best practices, Cisco recommends that you add specific DNS server entries here as opposed to trusting all DNS servers (*). This example adds the DNS server IP (192.168.2.44) as a trusted DNS server. You can add multiple trusted DNS servers. If you do not have a trusted DNS server defined, the NAC Manager advises you accordingly through a message as shown in this image:

      [Figure: osx_nac_config14.gif]
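The posture logic configured in Steps 1 through 7 (an Installation rule for ClamAV 1.x, a Virus Definition rule, and two mandatory requirements evaluated in priority order, the way the agent dialog presents them) modeled in Python as an added example. This is not Cisco NAC Appliance or Clean Access Agent code: the requirement table, the seven-day definition-age threshold and the parsing of clamscan --version output are assumptions of the illustration.

```python
"""Added illustration of the two ClamAV posture rules and their requirements."""
import re
import subprocess
from datetime import datetime, timedelta

# clamscan --version prints "ClamAV <engine>/<db version>/<db build date>";
# with no signature database present it prints only "ClamAV <engine>".
VERSION_RE = re.compile(r"^ClamAV (\d+)\.(\d+)\.(\d+)(?:/(\d+)/(.+))?$")

# Constructed stand-in for the Requirement-Rules and priorities of Steps 2-6:
# (priority, requirement name shown to the user, enforce type, mapped rule).
REQUIREMENTS = [
    (1, "Download ClamAV", "Mandatory", "Is_Clamwin_Installed_OSX"),
    (2, "Update ClamAV", "Mandatory", "Is_ClamAV_Updated_OSX"),
]

def parse_clamscan_version(text):
    """Return (engine tuple, db version or None, db date or None), or None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    engine = tuple(int(x) for x in m.group(1, 2, 3))
    db_ver = int(m.group(4)) if m.group(4) else None
    db_date = (datetime.strptime(m.group(5), "%a %b %d %H:%M:%S %Y")
               if m.group(5) else None)
    return engine, db_ver, db_date

def evaluate_rules(version_text, now, max_def_age_days=7):
    """Rule name -> pass/fail. Installation passes on a 1.x engine (the 1.x
    box checked in Step 1); Virus Definition passes when the database build
    date is within max_def_age_days of now (assumed freshness threshold)."""
    parsed = parse_clamscan_version(version_text or "")
    installed = parsed is not None and parsed[0][0] == 1
    updated = (installed and parsed[2] is not None
               and now - parsed[2] <= timedelta(days=max_def_age_days))
    return {"Is_Clamwin_Installed_OSX": installed,
            "Is_ClamAV_Updated_OSX": updated}

def posture(version_text, now):
    """(compliant, failed requirement names in priority order). Only a failed
    Mandatory requirement quarantines the user; Optional ones may be skipped."""
    results = evaluate_rules(version_text, now)
    failed = [(name, enforce) for _, name, enforce, rule in sorted(REQUIREMENTS)
              if not results[rule]]
    compliant = not any(enforce == "Mandatory" for _, enforce in failed)
    return compliant, [name for name, _ in failed]

def local_clamscan_version():
    """Run clamscan --version on this host; None when ClamAV is absent."""
    try:
        proc = subprocess.run(["clamscan", "--version"], capture_output=True,
                              text=True, check=True)
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        return None
```

Calling posture(local_clamscan_version(), datetime.now()) on a Mac reproduces the sequence seen in the Verify section: both requirements fail before ClamAV is installed, then only Update ClamAV fails until the definitions are refreshed.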

Verify the End User Experience

Use this section to confirm that your configuration works properly.

This Mac posture verification scenario assumes that your initial NAC setup (NAC Manager and Server) is complete and that the NAC Server is reachable from the client machines. Cisco Clean Access Agent 4.5.0.0 should be installed on the Mac that runs OSX 10.4 or higher. This scenario assumes that the Mac does not have ClamAV installed prior to this test.

  1. Log in to your Clean Access Agent (version 4.5.0.0).

    [Figure: osx_nac_config15.gif]

    You are quarantined and asked to remediate.

    [Figure: osx_nac_config16.gif]

    Note: The RUN check boxes are checked, but not editable, because the requirements are mandatory. If a requirement were configured as Optional, the RUN check box would be editable, and you could choose to skip that requirement.

  2. Click Remediate.

    You are redirected to the ClamAV website.

    [Figure: osx_nac_config17.gif]

  3. Download and install ClamAV.

    You might be prompted to run the Clam Antivirus Engine before you can use ClamAV as shown in this image:

    [Figure: osx_nac_config18.gif]

  4. Follow the onscreen instructions in order to complete the installation.

    [Figure: osx_nac_config19.gif]

    The Clean Access agent displays the status of the Download ClamAV requirement as successful and moves on to the second requirement (Update ClamAV).

    [Figure: osx_nac_config20.gif]

    Once ClamAV is updated, the status of the Update ClamAV requirement displays successful.

    [Figure: osx_nac_config21.gif]

  5. Click Complete to log in to the network.

    Once you successfully log in to the network, this message appears.

    [Figure: osx_nac_config22.gif]

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Updated: Oct 22, 2008
Document ID: 107922