Cisco Clean Access is a security policy compliance solution that
enables users to satisfy network access requirements specified by network
administrators. Cisco Clean Access restricts access to the network until the
user complies with the access requirements. Cisco Clean Access also helps the
user comply with the requirements through an easy-to-use client application
that assesses a system, detects non-compliance, and aids the user in
remediation so as to achieve compliance. Currently, this agent (client
application) is available only for Microsoft Windows operating systems which
include Windows 98, Windows Me, Windows 2000 Professional and Windows XP (both
Home and Pro – only the 32-bit version of Pro is supported).
Malicious users who want to avoid installing the agent, and thereby evade
the compliance checks, can modify their system so that it poses as a
non-Windows system. This document provides suggestions on how to detect such
users and potentially block their access to the network.
There are no specific requirements for this document.
The information in this document is based on these software versions:
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
In addition to the client-based scans and remediation, Cisco Clean
Access also provides mechanisms to perform network-based scans on systems and
provide web-based remediation. The network-based scans are primarily used for
non-Windows systems. However, the scans are not limited to non-Windows
In order to use the Network Scanning feature, the network administrator
needs to download and install the required plug-ins for the Nessus open source
vulnerability scanner on the Cisco Clean Access server. Refer to
Network Scanning in Cisco NAC Appliance - Clean Access Manager
Installation and Configuration Guide, Release 4.1(2) for information
about how to download and install Nessus plug-ins.
You can use multiple Nessus plug-ins in this scenario. Some of them are
(this is a non-exhaustive list):
- Plug-ins for Operating System Identification (for example, plug-in
  #11936)—When you run these plug-ins against a target system, they provide
  the detected operating system name as the result of the scan. These
  plug-ins need to be modified in order to be used within Cisco Clean Access.
  Specifically, modify them to return a HOLE when the scanned operating system
  turns out to be Windows. For example, if a host that claims to be Linux is
  actually a Windows system, the plug-in should return a HOLE result.
- Plug-ins for Port Scanning (for example, nmap.nasl)—When you run these
  plug-ins against a target system, you can configure them to provide a list
  of open ports, listeners, and so forth. These plug-ins can also detect which
  operating system the host runs through techniques such as TCP
  fingerprinting. Modify them in the same way as the operating system
  identification plug-ins: they need to return a HOLE when the scanned host
  turns out to run Windows rather than the non-Windows operating system it
  claims. For example, if a host that claims to be Linux is actually a Windows
  system, the plug-in should return a HOLE result.
- Plug-ins to Obtain Information from Windows Systems (for example, Server
  Message Block [SMB]-related plug-ins such as plug-in #10859)—The reasoning
  behind this approach is that it is sufficient to detect whether a machine
  that purports to be a Linux host, Mac host, or any other non-Windows system
  is actually a Windows system. The easiest way to do this is to enable some
  SMB-related Nessus plug-ins, specifically plug-in #10859 (SMB get host SID).
  This plug-in should only return values for Windows systems, so if it returns
  any information, it can be safely concluded that the system runs a Windows
  operating system. You can also use plug-ins that recover information from
  Windows systems over NetBIOS; if a system returns NetBIOS information, it is
  likely to be a Windows system.
Caution: There might be false positives such as Linux machines that run
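The following is an added example of the kind of wrapper plug-in the items above describe; it is not from this document, Cisco, or Tenable. It consumes the results of the OS identification plug-in (#11936) and the SMB host SID plug-in (#10859) and returns a HOLE when a host scanned under a non-Windows role looks like Windows. The plug-in id 99999, the file names os_fingerprint.nasl and smb_hostsid.nasl, and the knowledge-base keys Host/OS and SMB/host_sid are assumptions about the Nessus plug-in set used with Clean Access; verify them against the plug-ins you downloaded.

```nasl
# Added example wrapper plug-in (not from the Cisco document or from Tenable).
# Assumptions: os_fingerprint.nasl (#11936) stores its result in the KB key
# Host/OS, and smb_hostsid.nasl (#10859) stores the retrieved SID in
# SMB/host_sid. Plug-in id 99999 is a placeholder.
if (description)
{
  script_id(99999);   # placeholder id; pick one that does not collide
  script_version("1.0");
  script_name(english:"Clean Access: host presented as non-Windows looks like Windows");
  script_description(english:"
The host is scanned under a non-Windows Clean Access role, but OS
fingerprinting and/or SMB enumeration indicate that it runs Windows.
The user may be evading the Clean Access Agent.
Risk factor : High");
  script_summary(english:"Returns a HOLE when a supposedly non-Windows host is Windows");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"Added example; no copyright claimed");
  # Run only after the two plug-ins whose results this script consumes.
  script_dependencies("os_fingerprint.nasl", "smb_hostsid.nasl");
  exit(0);
}

os  = get_kb_item("Host/OS");       # assumed key, set by plug-in #11936
sid = get_kb_item("SMB/host_sid");  # assumed key, set by plug-in #10859
evidence = "";

# Evidence 1: the OS fingerprint names a Windows version.
if (os && egrep(pattern:"windows", string:tolower(os)))
  evidence = evidence + "OS fingerprint: " + os + '\n';

# Evidence 2: a host SID came back over SMB. Normally only Windows answers
# this, but a Linux host that runs an SMB server can too (the caution above),
# so the fingerprint line is the stronger of the two signals.
if (sid)
  evidence = evidence + "SMB host SID retrieved: " + sid + '\n';

# Report a HOLE so that Clean Access (with "Vulnerable If" set to HOLE)
# blocks the host; stay silent for hosts that look genuinely non-Windows.
if (evidence)
  security_hole(port:0, data:'This host appears to run Windows:\n' + evidence);
```

Because the role-based scan setup below disables this scan for WIN_ALL, a HOLE from this plug-in only ever fires on hosts that were admitted under a non-Windows role.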
Complete these steps in order to configure a Cisco Clean Access Manager
to perform a network scan using the Nessus plug-ins:
1. Open the Cisco Clean Access Manager web console in a browser and
   log in as an administrator.
2. Select Clean Access > Network Scanner to access the Scan Setup page.
3. With the Role set to the user role you wish to scan and the operating
   system set to All, select the plug-in mentioned in the Plug-ins to Obtain
   Information from Windows Systems bulleted item within this document (for
   example, #10859).
4. Set the 'Vulnerable If…' setting to HOLE, WARN, INFO in the
   Vulnerabilities section.
5. Disable the scan for Windows operating systems:
   a. Select WIN_ALL from the operating system
   b. Disable the scan for this selection.
This document provides a mechanism to use the Cisco Clean Access
Network Scanning feature to detect users who pretend to use a non-Windows
system. Note that there might be several other plug-ins available that can do a
better job at detecting operating systems. As an example, using the nmap
network scanning tool, xprobe2 from Sys-security, and so forth might fit your
needs better. Also note that network scanning might not be able to provide
reliable results if the client machine runs a personal firewall.
Nessus is a registered trademark of Tenable Network Security.
You need to register with Tenable Security in order to obtain Nessus
When you modify/author plug-ins, ensure that you are compliant with
the licensing and trademark requirements for Nessus and Tenable Network