Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3)
Cisco NAC Appliance Agents

Table Of Contents

Cisco NAC Appliance Agents

Windows Clean Access Agent

Windows Clean Access Agent Overview

Configuration Steps for the Windows Clean Access Agent

Windows Clean Access Agent User Dialogs

RADIUS Challenge-Response Windows Clean Access Agent Dialogs

Clean Access Agent Localized Language Templates

Mac OS X Clean Access Agent (Authentication Only)

Mac OS X Clean Access Agent Dialogs

RADIUS Challenge-Response Mac OS X Clean Access Agent Dialogs

Cisco NAC Web Agent

Overview

System Requirements

Configuration Steps for the Cisco NAC Web Agent

Cisco NAC Web Agent User Dialogs

Agent Troubleshooting

Client Cannot Connect/Login

No Clean Access Agent Pop-Up/Login Disabled

Client Cannot Connect (Traffic Policy Related)

AV/AS Rule Troubleshooting

Cisco NAC Web Agent Status Codes

Known Issue for Windows Script 5.6

Known Issue for MS Update Scanning Tool (KB873333)


Cisco NAC Appliance Agents


This chapter presents overviews, login flow, and session termination dialogs for the following Cisco NAC Appliance access portals:

Windows Clean Access Agent

Mac OS X Clean Access Agent (Authentication Only)

Cisco NAC Web Agent

Agent Troubleshooting

Windows Clean Access Agent

This section describes how to configure the Clean Access Agent to allow users to log in to the internal network via a persistent network access application installed on the client machine.

Windows Clean Access Agent Overview

Configuration Steps for the Windows Clean Access Agent

Windows Clean Access Agent User Dialogs

Windows Clean Access Agent Overview

The Clean Access Agent provides local-machine Agent-based vulnerability assessment and remediation for client machines. Users download and install the Clean Access Agent (read-only client software), which can check the host registry, processes, applications, and services. The Clean Access Agent can be used to perform Windows updates or antivirus/antispyware definition updates, launch qualified remediation programs, distribute files uploaded to the Clean Access Manager, distribute website links to websites in order for users to download files to fix their systems, or simply distribute information/instructions.

After users log into the Clean Access Agent, the Agent gets the requirements configured for the user role/operating system from the Clean Access Server, checks for the required packages and sends a report back to the CAM (via the CAS). If requirements are met on the client, the user is allowed network access. If requirements are not met, the Agent presents a dialog to the user for each unmet requirement. The dialog (configured in the New Requirement form) provides the user with instructions and the action to take for the client machine to meet the requirement.

Clean Access Agent vulnerability assessment is configured in the CAM by creating requirements based on rules and (optionally) checks, then applying the requirements to user roles/client operating systems. For more information, see Chapter 11, "Configuring Agent Requirements."


Note For an illustrated overview, see Clean Access Agent Client Assessment Process, page 9-3.


Configuration Steps for the Windows Clean Access Agent

The basic steps needed to configure the Windows Clean Access Agent are as follows:

1. Make sure to follow the steps in Chapter 10, "Distributing the Agent" to enable distribution and download of the Clean Access Agent.

2. Configure Agent requirements using the instructions in Chapter 11, "Configuring Agent Requirements"

a. Configuring AV/AS Definition Update Requirements, page 11-3

b. Configuring a Windows Server Update Services Requirement, page 11-15

c. Configuring a Windows Update Requirement, page 11-22

d. Configuring Custom Checks, Rules, and Requirements, page 11-28

e. Configuring a Launch Programs Requirement, page 11-42

f. Map Requirements to Rules, page 11-56

g. Apply Requirements to User Roles, page 11-58

h. Validate Requirements, page 11-59

i. Configuring an Optional/Audit Requirement, page 11-60

Windows Clean Access Agent User Dialogs

This section illustrates the user experience when Cisco NAC Appliance is installed on your network and the Clean Access Agent is required and configured for the user role.


Note For details on the Clean Access Agent when configured for Single Sign-On (SSO) behind a VPN concentrator, see the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3).


1. When the user first opens a web browser, the user is redirected to the web login page (Figure 12-1).

Figure 12-1 Login Page

2. The user logs into the web login page and is redirected to the Clean Access Agent Download page (Figure 12-2) for the one-time download of the Clean Access Agent installation file.

Figure 12-2 Clean Access Agent Download Page

3. The user clicks the Download Clean Access Agent button (the button will display the version of the Agent being downloaded).


Note If the "Allow restricted network access in case user cannot use Clean Access Agent" option is selected under Device Management > Clean Access > General Setup > Agent Login, the Get Restricted Network Access button and related text will display in the Download Clean Access Agent page. See Agent Login, page 9-20 for details.


4. The user should Save the CCAAgent_Setup.exe file to a download folder on the client system, then Run the CCAAgent_Setup.exe file.


Note If the CAS certificate is not trusted on the client, the user must accept the certificate in the Security Alert dialog that appears before Clean Access Agent installation can successfully proceed.


5. The Welcome to the InstallShield Wizard for Clean Access Agent dialog appears (Figure 12-3).

Figure 12-3 Clean Access Agent InstallShield Wizard

6. The setup wizard prompts the user through the short installation steps to install the Clean Access Agent to C:\Program Files\Cisco Systems\Cisco Clean Access\Clean Access Agent and adds a desktop shortcut on the client (Figure 12-4).

Figure 12-4 Desktop Shortcut

7. When the InstallShield Wizard completes and the user clicks Finish, the Clean Access Agent login dialog pops up (Figure 12-5) and the Clean Access Agent taskbar icon appears in the system tray.

Figure 12-5 Clean Access Agent Login Dialog

8. The user enters credentials to log into the network. Similar to the web login page, an authentication provider can be chosen from the Provider list (if configured for multiple providers).


Note Clicking the session-based Remember Me checkbox causes the User Name and Password fields to be populated with the last values entered throughout multiple logins/logouts if the user does not exit or upgrade the application or reboot the machine. On shared machines, the Remember Me checkbox can be unchecked to ensure multiple users on the machine are always prompted for their individual username and password.

If Cisco Clean Access employs a RADIUS server for user authentication and the server has been configured to authenticate users with additional credentials, the user may be presented with one or more additional challenge-response dialogs like those described in RADIUS Challenge-Response Windows Clean Access Agent Dialogs.


9. The user can right-click the Clean Access Agent icon in the system tray to bring up the taskbar menu for the Agent (Figure 12-6).

Figure 12-6 Clean Access Agent Taskbar Menu

Taskbar menu options are as follows:

Login/Logout—This toggle reflects the login status of the user.

Login means the user is behind a Clean Access Server and is not logged in.

Logout means the user is already logged into Cisco NAC Appliance.

Disabled (grey) Login occurs when there is no SWISS response from the CAS to the Clean Access Agent. This condition is expected in the following cases:

The Clean Access Agent cannot find a Clean Access Server.

OOB deployments: the Clean Access Agent user has already logged in through the CAS and is now on the Access VLAN.

Multi-hop L3 (VPN/WLC) deployments with SSO: the user has authenticated through the VPN concentrator and therefore is already automatically logged into Cisco NAC Appliance.

Device Filters: MAC address-based authentication is configured for the machine of this user and therefore no user login is required.

Popup Login Window—This option is set by default when the Clean Access Agent is first installed and causes the Agent login dialog to automatically pop up when it detects that the user is behind a Clean Access Server and is not logged in.

Properties—Selecting Properties brings up the Agent Properties and Information dialog (Figure 12-7) which shows all of the AV and AS products installed on the client machine and the Discovery Host for L3 deployments.

Figure 12-7 Properties

About—Displays the version of the Clean Access Agent (Figure 12-8).

Figure 12-8 About

Exit—Exits the application, removes the Clean Access Agent icon on the taskbar, and automatically logs off the user.


Note After exiting the Clean Access Agent or if the taskbar icon is not running, the user can click the Desktop shortcut (Figure 12-4) to bring up the Agent and display the taskbar icon.

If "Popup Login Window" is disabled on the taskbar menu, the user can always right-click the Agent icon from the system tray and select Login (Figure 12-6) to bring up the login dialog.



Note Auto-Upgrade for Already-Installed Agents: When the Clean Access Agent is already installed, users are prompted to auto-upgrade at each login, unless you disable upgrade notification. You can optionally force logout at machine shutdown (default is for users to remain logged in at machine shutdown). You can configure auto-upgrade to be mandatory or optional. With auto-upgrade enabled and a newer version of the Agent available from the CAM, existing Agent users will see one of the following upgrade prompts at login (Figure 12-9 or Figure 12-10).

Figure 12-9 Example Auto-Upgrade Prompt (Mandatory)

Figure 12-10 Example Auto-Upgrade Prompt (Optional)

10. Clicking OK or Yes then brings up the setup wizard to upgrade the Clean Access Agent to the newest version (Figure 12-3). After the Agent upgrade and user login, requirement checking proceeds.


11. After the user submits his or her credentials, the Clean Access Agent automatically checks whether the client system meets the requirements configured for the user role. If network scanning is also configured, the dialog shown in Figure 12-11 additionally appears.

Figure 12-11 Clean Access Agent Scanning Dialog

12. If required software is determined to be missing, the You have temporary access! dialog appears (Figure 12-12). The user is assigned to the Clean Access Agent Temporary role for the session timeout indicated in the dialog. The Temporary role session timeout is set by default to 4 minutes and should be configured to allow enough time for users to access web resources and download the installation package for the required software.

Figure 12-12 Temporary Access—Requirement Not Met

13. When the user clicks Continue, the Clean Access Agent dialog for the AV or custom requirement displays to identify the missing software and present the instructions, action buttons, and/or links configured for the requirement type.

14. The Description text displays what you configured in the Description field of the requirement to direct the user to the next step. Specify instructions for the AV or AS update to be executed, the web resource to be accessed, the installation file you are distributing through the CAM, or any other aspects of the requirement that may need explanation.

For an AV Definition Update requirement (Figure 12-13), the user clicks the Update button to update the client AV software on the system.

Figure 12-13 AV Definition Update Requirement Example

The Clean Access Agent displays a success confirmation once the AV/AS software is updated (see Figure 12-14).

Figure 12-14 AV Definition Update Success Confirmation


Note The Clean Access Agent displays a success confirmation based on the response it receives from the update mechanism of the AV/AS software installed on the client. The Agent does not control the update interaction itself between the AV/AS client software and the update server.


For an AS Definition Update requirement (Figure 12-15), the user clicks the Update button to update the definition files for the Anti-Spyware software on the client system.

Figure 12-15 AS Definition Update Requirement Example

For a Windows Update requirement (Figure 12-16), the user clicks the Update button to set the Windows Update and force updates on the client system if "Automatically Download and Install" is configured for the requirement.

Figure 12-16 Windows Update Requirement Example

For a Windows Server Update Service requirement (Figure 12-17), the user clicks the Update button to set the Windows Server Update Service and force updates on the client system.

Figure 12-17 Windows Server Update Service Requirement Example

For a Launch Program requirement (Figure 12-18), the user clicks the Launch button to automatically launch the qualified program for remediation if the requirement is not met.

Figure 12-18 Launch Program Requirement Example

For a File Distribution requirement (Figure 12-19), the button displays Download instead of Go To Link. When the user clicks Download, the Save file to dialog appears. The user needs to save the installation file to a local folder and run the executable file from there.

Figure 12-19 File Distribution Requirement Example

For a Link Distribution requirement (Figure 12-20), the user can access the website for the required software installation file by clicking Go To Link. This opens a browser for the URL specified in the Location field.

Figure 12-20 Link Distribution Requirement Example

15. Clicking Cancel at this stage stops the login process.

16. For each requirement, the user needs to click Next to proceed after completing the action required (Update, Go To Link, Download). The Clean Access Agent again performs a scan of the system to verify that the requirement is met. If met, the Agent proceeds to the next requirement configured for the role.

17. If a Network Policy page was configured for the role, the following dialog will appear (Figure 12-21) after requirements are met. The user can view the "network usage policy" HTML page (uploaded to the CAM or external server) by clicking the Network Usage Terms & Conditions link. The user must click the Accept button to successfully log in.

Figure 12-21 Network Policy Dialog

See Configure Network Policy Page (Acceptable Use Policy) for Agent Users, page 10-6 for details on configuring this dialog.

18. When all requirements are met (and Network Policy accepted, if configured), the user is transferred from the Temporary role to the normal login role and the login success dialog appears (Figure 12-22). The user is free to access the network as allowed for the normal login role.


Note If the "Do not enforce requirement" option is checked (to make a requirement optional), when the user clicks Next in the Clean Access Agent for the optional requirement, the next requirement dialog will display or the login success dialog will appear if all other requirements are met.



Note The administrator can configure the Login and Logout success dialogs to close automatically after a specified number of seconds, or not to appear at all. See Agent Login, page 9-20 for details.


Figure 12-22 Successful Login

19. If you have enabled the "Allow restricted network access in case user cannot use Clean Access Agent" option under Device Management > Clean Access > General Setup > Agent Login, the Limited ("restricted access") button appears in the Clean Access Agent authentication dialogs and the user can choose to accept "restricted" network access. Once the user clicks the Limited button, they log into the Cisco NAC Appliance system using a "restricted" user role instead of a more generous standard network access role and are presented with a login confirmation dialog like the one in Figure 12-23. For more information on enabling restricted network access, see Agent Login, page 9-20.

Figure 12-23 Limited Network Access

20. To log off the network, the user can right-click the Clean Access Agent icon in the system tray and select Logout. The logout screen appears (Figure 12-24). If the administrator removes the user from the network, the Login dialog will reappear instead (if Popup Login Window is set).


Note The administrator can configure the Login and Logout success dialogs to close automatically after a specified number of seconds, or not to appear at all. See Agent Login, page 9-20 for details.


Figure 12-24 Successful Logout

21. Once a user has met requirements, the user will pass these Clean Access Agent checks at the next login unless there are changes to the user's computer or Clean Access Agent requirements.

22. If a required software installation requires users to restart their computers, the user should log out of the network before restarting. Otherwise, the user is still considered to be in the Temporary role until the session times out. The session timeout and heartbeat check can be set to disconnect users who fail to logout of the network manually.

RADIUS Challenge-Response Windows Clean Access Agent Dialogs

If you configure the Clean Access Manager to use a RADIUS server to validate remote users, the end-user Clean Access Agent login session may feature extra authentication challenge-response dialogs not available in other dialog sessions—beyond the standard user ID and password. This additional interaction is due to the user authentication profile on the RADIUS server, itself, and does not require any additional configuration on the Clean Access Manager. For example, the RADIUS server profile configuration may feature an additional authentication challenge like verifying a token-generated PIN or other user-specific credentials in addition to the standard user ID and password. In this case, one or more additional login dialog screens may appear as part of the login session.

The following section provides an example of the dialog exchange for Windows Clean Access Agent user authentication.

1. The remote user logs in normally and provides their username and password as shown in Figure 12-25.

Figure 12-25 Windows Clean Access Agent Login Dialog

2. If the associated RADIUS server has been configured to authenticate users with additional credentials, the user is presented with one or more additional challenge-response dialogs (like the password renewal scenario shown in Figure 12-26) for which they must provide additional credentials to authenticate and connect.

Figure 12-26 Additional Windows RADIUS Challenge-Response Session Dialog

3. Once the additional challenge-response(s) are validated, the RADIUS server notifies the Clean Access Manager that the user has successfully authenticated and should be granted remote access.

Figure 12-27 Windows RADIUS Challenge-Response Authentication Successful

Clean Access Agent Localized Language Templates

The Clean Access Agent supports multiple European languages using language templates. In addition to English, version 4.1.3.0 of the Clean Access Agent supports German, Italian, Finnish, Czech, Norwegian, Spanish, Danish, French, Russian, Swedish, Turkish, Serbian, Catalan, Hungarian, Dutch, and Portuguese.

The Clean Access Agent picks the correct template based on the Locale settings of the local computer. To use the localized Agent, the user needs to change the Windows locale setting to the corresponding language under Control Panel > Regional and Language Options. For example, to use the Agent in French, the user needs to set the Windows locale to French.

In addition, Clean Access Agent error messages, warnings, and Properties data are all based on the supported language templates. Cisco recommends using the localized Agent in a localized version of Windows (for example, the Russian Agent in Russian Windows), as the English version of Windows may not be able to display all characters correctly.


Note For Russian, the Clean Access Agent needs to be run on Russian Windows, as the English version of Windows may not be able to display all characters correctly.


For administrators, the names of requirements/descriptions are as configured on the CAM. On the CAM, these can be configured using characters of the appropriate language.

While all text-based messages in Clean Access Agent dialogs will appear in the supported language, the names of the actual checks/rules are as configured on the CAM.


Note Clean Access Agent template support is not the same as support for different client operating systems for the Agent Installer or for AV/AS products. The Agent language template only controls what the viewer sees after the Agent is installed.


1. The Clean Access Agent picks the correct template based on the Windows locale settings of client PC (Figure 12-28), set under Control Panel > Regional and Language Options.

Figure 12-28 Clean Access Agent Language Template Based on Locale

2. Requirements configured on CAM will appear in the language template (Figure 12-29).


Note While all text-based messages will appear in the supported language, the names of the actual checks/rules/requirements will be as configured on the CAM. On the CAM, these can be configured using characters of the appropriate language.


Figure 12-29 Clean Access Agent Requirement Dialogs (Localized)

3. Errors, messages, warnings and Properties data are all based on the supported language templates (Figure 12-30).

Figure 12-30 Messages, Properties in Language Template


Note Clean Access Agent template support does not mean that the Agent Installer package or the AV/AS product will be supported on a different OS. The language template only controls what the viewer sees after the Agent is installed.


Mac OS X Clean Access Agent (Authentication Only)

This section describes how to enable the Mac OS X Clean Access Agent to allow users to log in to the internal network via a persistent network access application installed on the client machine.

The Mac OS X Clean Access Agent provides a local-machine, Agent-based authentication medium for client machines. Users download and install the Clean Access Agent (read-only client software), which can check the host registry, processes, applications, and services.

Mac OS X Clean Access Agent Dialogs

Cisco NAC Appliance features a Clean Access Agent that performs authentication on Mac OS X machines. The Agent is in the form of a universal binary that supports Mac OS 10.2 to 10.4. The Mac OS X Clean Access Agent supports single-sign on (SSO) with VPN deployments but does not support SSO with Active Directory.


Note In the CAM web console, you can view the distribution options for the Mac OS X Clean Access Agent under Device Management > Clean Access > Clean Access Agent > Distribution. See Distribution Page, page 10-13 for details.


See also the "SSL Requirements for Mac OS/CAS Communication" section in the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3) for additional details.

Figure 12-31 Distribution - CAM Web Console

The Mac OS X Clean Access Agent user sequence is as follows.

1. The user is redirected to the Login page (Figure 12-32).

Figure 12-32 Login Page—Mac OS X

2. The user is directed to the Download Clean Access Agent page (Figure 12-33).

Figure 12-33 Download Clean Access Agent—Mac OS X

3. The user clicks the "Download" button and the CCAAgent_Mac OSX.tar.gz.tar file is downloaded to the desktop (Figure 12-34) and untarred.

Figure 12-34 Download Clean Access Agent Setup Executable to Desktop

4. The user double-clicks the CCAAgent.pkg file and the Mac OS installer for the Clean Access Agent starts up (Figure 12-35).

Figure 12-35 Double-Click CCAAgent.pkg to Start Clean Access Agent Installer

5. The user clicks the Continue button to proceed with the Read Me and Select Destination screens of the installer (Figure 12-36).

Figure 12-36 Installation Executes

6. The user clicks the Upgrade button to perform the installation (Figure 12-37). When done, the user clicks Close.

Figure 12-37 Installation Executes (Continued)


Note If the Clean Access Agent has never been installed on the machine, the Installation screen (Figure 12-37) displays an "Install" button. If the Agent was installed at one point, even if there is no Agent currently in the system when the installer is invoked, the "Upgrade" button is displayed.


7. After installation, the Clean Access Agent login dialog appears. The Agent icon is now available from the Tool Menu (Figure 12-38). Right-clicking the Agent icon brings up the menu choices:

Login/Logout (toggle depending on login status)


Note If Cisco Clean Access employs a RADIUS server for user authentication and the server has been configured to authenticate users with additional credentials, the user may be presented with one or more additional challenge-response dialogs like those described in RADIUS Challenge-Response Mac OS X Clean Access Agent Dialogs.


Auto Popup Login Window (enabled by default)

About (displays version screen for the Clean Access Agent)

Quit (exits the Clean Access Agent application)

Figure 12-38 Clean Access Agent Login Pops Up / Desktop Icon Available from Tool Menu

8. The Clean Access Agent login status is indicated by the tool tip popup and the color of the Agent icon in the menu.

Figure 12-39 indicates:

CAS is discovered

Login status is "Logged In"

CAS status is Fallback: "Allow All"; user status will be "Bypass"

Clean Access Agent is filtered by MAC address with "Allow/Role", with user status of "Logged-In"

Figure 12-39 Clean Access Agent Login Status (Logged In)

Figure 12-40 indicates the CAS is not discovered.

Figure 12-40 Clean Access Agent Login Status (CAS is Not Discovered)

Figure 12-41 indicates:

CAS is discovered

Login status is not logged in

CAS status is Fallback: "Block All"; user status will be "Blocked"

Clean Access Agent is filtered by MAC address with "Deny"; user status will be "Blocked"

Clean Access Agent is filtered by MAC address with "Check"; user status is not supported currently

Figure 12-41 Clean Access Agent Login Status (CAS is Discovered/Agent Not Logged In)

Figure 12-42 indicates:

CAS is discovered

Login status is "Logged In"

User is logged in via the Agent Temporary role or another Quarantined user access role

Figure 12-42 Clean Access Agent Login Status (Quarantined)

Figure 12-43 indicates that the user is logged in via VPN SSO

Figure 12-43 Clean Access Agent Login Status (VPN Logged In)

Figure 12-44 indicates:

CAS is discovered

Login status is not logged in

Mac OS X Agent has a warning message to deliver. (The warning icon may disappear if the issue is resolved in the background, for example if the Agent cannot initially resolve the host address.)

Figure 12-44 Clean Access Agent Login Status (Error)


Note The user can click on the exclamation point icon (!) to display details about the specific error.


9. The Clean Access Agent application itself is installed under Macintosh HD > Applications > CCAAgent.app (Figure 12-45).

Figure 12-45 Clean Access Agent—Application Installation Location

10. The Clean Access Agent event.log debug file and preference.plist user preferences file are installed in the <username> > Library > Application Support > Cisco Systems > CCAAgent folder (Figure 12-46).

Figure 12-46 Clean Access Agent—event.log and preference.plist File Locations

11. The preference.plist file (Figure 12-47) will include:

Whether AutoPopup Login Window is checked in the Menu (AutoPopup).

Whether Remember Me is checked in the Login screen (RememberMe).

How frequently the Agent performs Access-to-Authentication VLAN change detection (VlanDetectInterval).

Figure 12-47 Clean Access Agent—preference.plist File Contents
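The three preference.plist settings listed above can be read and audited programmatically. The following is an added example, not code from this guide or from Cisco's Agent: it parses a constructed preference.plist using the key names the guide gives (AutoPopup, RememberMe, VlanDetectInterval), flags RememberMe on a shared machine (the concern raised for the Windows Agent's session-based Remember Me checkbox), and writes back a copy with RememberMe cleared. The sample values, the audit thresholds, and the helper function names are assumptions for the example; the file path is the one the guide gives, expanded under the current user's home folder.

```python
import os
import plistlib

# Location the guide gives for the per-user preferences file (expanded under the user's home)
PREFS_PATH = "~/Library/Application Support/Cisco Systems/CCAAgent/preference.plist"

# Constructed sample of preference.plist using the three keys the guide names;
# the values are made up for this example.
SAMPLE_PREFS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoPopup</key>
    <true/>
    <key>RememberMe</key>
    <true/>
    <key>VlanDetectInterval</key>
    <integer>5</integer>
</dict>
</plist>
"""


def load_prefs(data):
    """Parse preference.plist bytes (XML or binary plist) into a dict."""
    return plistlib.loads(data)


def read_prefs_from_disk(path=PREFS_PATH):
    """Read the current user's Agent preferences; returns None if the file is absent."""
    full = os.path.expanduser(path)
    if not os.path.exists(full):
        return None
    with open(full, "rb") as fh:
        return load_prefs(fh.read())


def audit_prefs(prefs, shared_machine=False):
    """Return findings about the settings; the checks are assumptions for this example."""
    findings = []
    if prefs.get("RememberMe") and shared_machine:
        findings.append("RememberMe enabled on a shared machine: last user's credentials stay pre-filled")
    if not prefs.get("AutoPopup", True):
        findings.append("AutoPopup disabled: user must open Login from the Agent menu manually")
    interval = prefs.get("VlanDetectInterval")
    if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
        findings.append("VlanDetectInterval missing or not a positive integer")
    return findings


def disable_remember_me(data):
    """Return plist bytes with RememberMe cleared (a shared-machine baseline)."""
    prefs = load_prefs(data)
    prefs["RememberMe"] = False
    return plistlib.dumps(prefs)


if __name__ == "__main__":
    current = read_prefs_from_disk() or load_prefs(SAMPLE_PREFS)
    for finding in audit_prefs(current, shared_machine=True):
        print(finding)
```

When run on a machine without the Agent installed, the script falls back to the constructed sample so the audit still has something to report.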

RADIUS Challenge-Response Mac OS X Clean Access Agent Dialogs

If you configure the Clean Access Manager to use a RADIUS server to validate remote users, the end-user Clean Access Agent login session may feature extra authentication challenge-response dialogs not available in other dialog sessions—beyond the standard user ID and password. This additional interaction is due to the user authentication profile on the RADIUS server, itself, and does not require any additional configuration on the Clean Access Manager. For example, the RADIUS server profile configuration may feature an additional authentication challenge like verifying a token-generated PIN or other user-specific credentials in addition to the standard user ID and password. In this case, one or more additional login dialog screens may appear as part of the login session.

The following section provides an example of the dialog exchange for Mac OS X Clean Access Agent user authentication.

1. The remote user logs in normally and provides their username and password in the Mac OS X Clean Access Agent login dialog as shown in Figure 12-48.

Figure 12-48 Mac OS X Login Dialog

2. If the associated RADIUS server has been configured to authenticate users with additional credentials, the user is presented with one or more additional challenge-response dialogs (like the password renewal scenario shown in Figure 12-49) for which they must provide additional credentials to authenticate and connect.

Figure 12-49 Additional Mac OS X RADIUS Challenge-Response Dialogs

3. Once the additional challenge-response(s) are validated, the RADIUS server notifies the Clean Access Manager that the user has successfully authenticated and should be granted remote access (Figure 12-50).

Figure 12-50 Mac OS X RADIUS Challenge-Response Authentication Successful
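The challenge-response sequence described here and in RADIUS Challenge-Response Windows Clean Access Agent Dialogs is the RADIUS Access-Request / Access-Challenge / Access-Request / Access-Accept exchange of RFC 2865. The following is an added example, not code from this guide, from Cisco's Agent, or from the CAM: it models both sides of that exchange in one process, with a toy server that accepts a password and then asks for a token PIN via Access-Challenge, carrying a State attribute that the client must echo. The shared secret, user name, password and PIN are constructed values; the packet layout, the User-Password hiding and the Response Authenticator check that the client performs on every reply follow RFC 2865, and the class and function names are this example's own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Constructed shared secret for the example; a real deployment uses its own
SHARED_SECRET = b"constructed-shared-secret"


def encode_attrs(attrs):
    """Serialise [(type, value), ...] into RADIUS type/length/value form."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs = []
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs


def pap_hide(password, secret, request_auth):
    """User-Password hiding per RFC 2865 section 5.2 (MD5 keystream XOR, 16-byte blocks)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(cipher, secret, request_auth):
    """Inverse of pap_hide; the keystream chains on the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(ident, request_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    return code, ident, raw[4:20], decode_attrs(raw[20:length])


def response_is_authentic(raw, request_auth, secret):
    """Client-side check that a reply was produced by a server holding the shared secret."""
    expected = hashlib.md5(raw[:4] + request_auth + raw[20:] + secret).digest()
    return hmac.compare_digest(raw[4:20], expected)


class TokenRadiusServer:
    """Constructed server: password first, then a token PIN requested via Access-Challenge."""

    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}  # users: name -> (password, pin)

    def handle(self, raw):
        code, ident, req_auth, attrs = parse_packet(raw)
        a = dict(attrs)
        name = a.get(USER_NAME, b"")
        secret_value = pap_reveal(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE in a:  # second round: State ties this PIN to the challenge issued earlier
            user = self.pending.pop(a[STATE], None)
            ok = user == name and secret_value == self.users[name][1]
            return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], self.secret)
        if name in self.users and secret_value == self.users[name][0]:
            state = os.urandom(8)
            self.pending[state] = name
            return build_response(ACCESS_CHALLENGE, ident, req_auth,
                                  [(REPLY_MESSAGE, b"Enter token PIN"), (STATE, state)], self.secret)
        return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)


def agent_login(server, username, password, answer_challenge):
    """Client side of the exchange. Returns (final code, list of challenge prompts shown)."""
    prompts, ident, secret_value, extra = [], 0, password, []
    while True:
        ident += 1
        req_auth = os.urandom(16)  # fresh per request; it also keys the password hiding
        req = build_request(ident, req_auth, [(USER_NAME, username),
                                              (USER_PASSWORD, pap_hide(secret_value, SHARED_SECRET, req_auth))] + extra)
        raw = server.handle(req)
        if not response_is_authentic(raw, req_auth, SHARED_SECRET):
            raise ValueError("Response Authenticator mismatch; reply discarded")
        code, _, _, attrs = parse_packet(raw)
        if code != ACCESS_CHALLENGE:
            return code, prompts
        a = dict(attrs)
        prompts.append(a.get(REPLY_MESSAGE, b"").decode())  # text the Agent shows in the extra dialog
        secret_value, extra = answer_challenge(prompts[-1]), [(STATE, a[STATE])]
```

The `answer_challenge` callback stands in for the additional dialog the Agent presents; the Reply-Message text is what that dialog would display, and the State attribute is opaque to the client and simply echoed back, which is why the CAM needs no extra configuration for the second round.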

Cisco NAC Web Agent

This chapter describes how to configure the Cisco NAC Web Agent to allow users to log in to the network without requiring a permanent, dedicated network access application on the client machine.

Overview

Configuration Steps for the Cisco NAC Web Agent

Cisco NAC Web Agent User Dialogs

Overview


Warning Cisco does not recommend using the Cisco NAC Web Agent on client machines connecting with link speeds slower than 56Kbits/s.


The Cisco NAC Web Agent provides temporal vulnerability assessment for client machines. Users launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet. When the user terminates the Web Agent session, the Web Agent logs the user off of the network and their user ID disappears from the Online Users list.

After users log into the Cisco NAC Web Agent, the Web Agent gets the requirements configured for the user role/OS from the Clean Access Server, checks the host registry, processes, applications, and services for required packages and sends a report back to the CAM (via the CAS). If requirements are met on the client, the user is allowed network access. If requirements are not met, the Web Agent presents a dialog to the user for each unmet requirement. The dialog (configured in the New Requirement form) provides the user with instructions and the action to take for the client machine to meet the requirement. Alternatively, if the specified requirements are not met, users can choose to accept "restricted" network access (if you have enabled that option in the Device Management > Clean Access > General Setup > Agent Login page) while they try to remediate the client machine so that it meets requirements for the user login role. You can set up a "restricted" user role to provide access to only limited applications/network resources in the same way you configure a standard user login role according to the guidelines in Add New Role, page 6-6.

Cisco NAC Web Agent vulnerability assessment is configured in the CAM by creating requirements based on rules and (optionally) checks, then applying the requirements to user roles/client operating systems. This chapter describes how to configure these requirements.

Figure 12-51 shows the order of events the user experiences when logging into the Cisco NAC Appliance network using the Cisco NAC Web Agent.

Figure 12-51 Cisco NAC Web Agent User Interaction/Experience

System Requirements

Your Cisco NAC Appliance network must meet the following requirements to support the Cisco NAC Web Agent:

Operating System Dependencies

Browser Support

ActiveX and Java Applet Requirements

Microsoft Internet Explorer 7 in Windows Vista

Operating System Dependencies

You can install and launch the Cisco NAC Web Agent on the following operating systems:

Windows 2000 (Service Packs 4 and 6)

Windows XP Professional/Home (Service Packs 1 and 2)

Windows Vista Home Premium/Ultimate (authentication only)


Note Security restrictions for the "Guest" user profile in Windows Vista operating systems prevent ActiveX controls and Java applets from running properly. Therefore, you must be logged into the Windows Vista client machine as a known user (not a "Guest") in order to log into Cisco NAC Appliance via the Web Agent.


Browser Support

You can install and launch the Cisco NAC Web Agent from the following web browsers:

Microsoft Internet Explorer versions 6 or 7 (ActiveX or Java applet)

Firefox versions 1.5 or 2.0 (Java applet only)

ActiveX and Java Applet Requirements

If you plan to use the Java applet version to install the Web Agent files, the client must already have Java version 1.4.2 or higher installed.

If you plan to install the Web Agent files via ActiveX, the client machine must be using Microsoft Internet Explorer. You cannot install via ActiveX on a Firefox web browser.

The user must have permissions for ActiveX download or admin privileges on the client machine to enable installation of ActiveX controls.


Note The Web Agent Java applet might fail to launch when the CPU load on the client machine approaches 100%. (ActiveX runs successfully under these conditions.)


Microsoft Internet Explorer 7 in Windows Vista

By default, Windows Vista checks the server certificate revocation list and prevents the Web Agent from launching on the client machine. To disable this functionality:


Step 1 In Internet Explorer 7, navigate to Menu > Tools > Internet Options.

Step 2 Click the Advanced tab.

Step 3 Under Security, uncheck (disable) the Check for server certificate revocation option.

Step 4 Click OK.


Configuration Steps for the Cisco NAC Web Agent

The basic steps needed to configure the Cisco NAC Appliance system to enable and use the Cisco NAC Web Agent are as follows:

1. Make sure to follow the steps in Chapter 10, "Distributing the Agent" to enable and specify installer download parameters for the Cisco NAC Web Agent.

2. (Optional) Set up a "Restricted Access" role as described in Add New Role, page 6-6.

3. Configure Agent requirements using the instructions in Chapter 11, "Configuring Agent Requirements."

a. Configuring AV/AS Definition Update Requirements, page 11-3

b. Configuring a Windows Server Update Services Requirement, page 11-15

c. Configuring a Windows Update Requirement, page 11-22

d. Configuring Custom Checks, Rules, and Requirements, page 11-28

e. Configuring a Launch Programs Requirement, page 11-42

f. Map Requirements to Rules, page 11-56

g. Apply Requirements to User Roles, page 11-58

h. Validate Requirements, page 11-59

i. Configuring an Optional/Audit Requirement, page 11-60

After you have accounted for the above topics, users can log in and gain network access via the Cisco NAC Appliance system according to the parameters and requirements you have defined in your system configuration.

Cisco NAC Web Agent User Dialogs

This section illustrates the user experience when users access your network via the Cisco NAC Web Agent.


Note Depending on the user's privilege level (admin, privileged user, user, etc.) and web browser security settings on the client machine, the user may or may not see additional security "warnings" or message dialogs during critical points in the download and installation process. (For example, the user may need to acknowledge the installation process redirecting the user to a particular URL destination or approve the Web Agent executable launch following client scanning.)


1. When the user first opens a web browser, the user is redirected to the web login page (Figure 12-52).

Figure 12-52 Login Page

2. The user enters their credentials in the web login page and is redirected to the Cisco NAC Web Agent Launch page (Figure 12-53) where they can choose to launch the Cisco NAC Web Agent ActiveX or Java Applet installer. You determine the installer launch method using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration screen.


Note If you plan to install the Web Agent files via ActiveX, the client machine must be using Microsoft Internet Explorer. You cannot install via ActiveX on a Firefox web browser.


Figure 12-53 Cisco NAC Web Agent Launch Page

3. The user clicks the Launch Cisco NAC Web Agent button (the button will display the version of the Web Agent being installed).


Note If the "Allow restricted network access in case user cannot use Cisco NAC Web Agent" option is selected under Device Management > Clean Access > General Setup > Agent Login, the Get Restricted Network Access button and related text will display in the Download Cisco NAC Web Agent page. See Agent Login, page 9-20 for details.



Note If the existing CAS certificate is not trusted on the client, the user must accept the optional certificate in the Security Alert dialog that appears before Web Agent launch can successfully proceed.


Figure 12-54 ActiveX Installation Notice

4. If the user's web browser settings are configured to verify actions like installing an ActiveX control on the client machine, the user may need to verify the action. For example, in the case of Microsoft IE, the user may need to click on a status bar that appears in the browser window and choose the Install ActiveX Control option from the resulting pop-up to validate the ActiveX process.

If the ActiveX control fails to initialize, the user sees an ActiveX installation notice like the one in Figure 12-55. If you have set up the Cisco NAC Appliance system to fall back to the Java applet when the ActiveX method fails, the user will then likely see a Java Security Notice like the one in Figure 12-56 as the Cisco NAC Appliance system attempts to download the Web Agent installation files via Java applet.

Otherwise, the user will not be able to use the Cisco NAC Web Agent for login and will either have to contact the Cisco NAC Appliance network administrator to try and help troubleshoot issues with the installation process, or accept "Restricted" network access for the time being until they can fix the Web Agent installation problem.


Note If you specify that the Java applet method is preferred using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration screen, the order of these possibilities is reversed—the user sees a Java applet failure notice before the ActiveX control attempts to install the Web Agent files on the client machine.


Figure 12-55 ActiveX Installation Notice

Figure 12-56 Java Applet Security Notice

If both the ActiveX and Java applet Web Agent download and install methods fail, the user sees a notification screen like the one in Figure 12-57 and is presented with a Windows dialog informing the user that Cisco NAC Web Agent login failed (Figure 12-58).


Note For more information on status and error codes the ActiveX Control or Java Applet passes back to the Cisco NAC Appliance system, see Table 12-1 in Cisco NAC Web Agent Status Codes.


Figure 12-57 ActiveX and Java Installation Failure Notice

Figure 12-58 Cisco NAC Web Agent Login Failure Notice

5. After the user allows the ActiveX control to install the Web Agent files or acknowledges the Java certificate security warning and chooses to accept the Java applet contents, the Web Agent Stub installer goes to work installing the Web Agent executable and all required ancillary files in a temporary directory on the client machine (like C:\Temp\, for example) and the browser window displays a "Downloading Cisco NAC Web Agent..." message similar to Figure 12-59.

Figure 12-59 Cisco NAC Web Agent Executable Download

The downloading step in the process can take anywhere from just a few seconds to several minutes, depending on your connection speed. Typically, a fast connection speed like a 10/100 Ethernet LAN link will take very little time, whereas a relatively slow connection link like ISDN could take significantly longer.


Warning Cisco does not recommend using the Cisco NAC Web Agent on client machines connecting with link speeds slower than 56Kbits/s.


Once the executable files have been downloaded to the client machine's local temporary file directory, the self-extracting installer automatically begins launching the Web Agent on the client machine and the user sees a status window similar to Figure 12-60.

Figure 12-60 Cisco NAC Web Agent Installation

6. When the ActiveX control or Java Applet session completes, the Cisco NAC Web Agent automatically checks whether the client system meets the requirements configured for the user role. (See Figure 12-61.)

Figure 12-61 Cisco NAC Web Agent Scanning Dialog

7. If the Web Agent scan determines that a required application, process, or critical update is missing, the user receives a "Host is not compliant with network security policy" message (Figure 12-62 through Figure 12-69 provide a range of examples) and is assigned to the Cisco NAC Web Agent Temporary role for the session timeout indicated in the dialog (typically 4 minutes by default).


Note For information on status codes the Cisco NAC Web Agent passes back to the Cisco NAC Appliance system, see Table 12-2 in Cisco NAC Web Agent Status Codes.


8. The user can choose to do one or more of the following:

Click Cancel to abort Web Agent launch

Click Save Report to save a local copy of the Web Agent session report that the user can forward on to the Cisco NAC Appliance administrator to help troubleshoot potential Web Agent login issues

Web Archive, Single File (*.mht)—Limited to the Microsoft Internet Explorer browser only

Web Page, Complete (*.htm, *.html)—Supports any browser, but resource files (GIFs, CSS, etc.) are stored in a subdirectory

Web Page, HTML Only (*.htm, *.html)—Format and GIFs will not be present

Text File (*.txt)


Note Because the report dialog makes use of IFRAMEs, the report data and restricted access data are stored in a separate HTML file. If the HTML Only and Text options are used, the user does not see the report and restricted data in the saved file.


Click Get Restricted Network Access to log into the Cisco NAC Appliance system using a "restricted" user role instead of a more generous standard network access role.

Perform manual remediation—the user can download installation packages for the required software and perform other required remediation tasks according to the Remediation Suggestion entries displayed and click Re-Scan to see if their changes bring the client machine into acceptable compliance.


Note The Temporary role session timeout is set to 4 minutes by default, but Cisco recommends you configure the duration to allow enough time for users to access web resources, download installation packages for the required software, and possibly perform other required remediation tasks before attempting to Re-Scan the client machine for compliance.


Figure 12-62 Mandatory WSUS Definition Requirement Not Met

Figure 12-63 Mandatory AV Definition Requirement Not Met

Figure 12-64 Mandatory AS Definition Update Requirement Not Met

Figure 12-65 Mandatory File Distribution Requirement Not Met

Figure 12-66 Mandatory Launch Program Requirement Not Met

Figure 12-67 Mandatory Link Distribution Requirement Not Met

Figure 12-68 Mandatory Local Check Requirement Not Met

Figure 12-69 Mandatory Windows Upgrade Requirement Not Met

9. If the Web Agent scan determines that an optional application, process, or update is missing, the user receives a "Host is compliant with network security policy" message (Figure 12-70) and is assigned to the Cisco NAC Web Agent Temporary role for the session timeout indicated in the dialog (typically 4 minutes by default).


Note For information on status codes the Cisco NAC Web Agent passes back to the Cisco NAC Appliance system, see Table 12-2 in Cisco NAC Web Agent Status Codes.


10. The user can choose to do one of the following:

Click Continue to complete Web Agent launch.

Click Save Report to save a local copy of the Web Agent session report that the user can forward on to the Cisco NAC Appliance administrator to help troubleshoot potential Web Agent login issues. The reports are available in the following formats:

Web Archive, Single File (*.mht)—Limited to the Microsoft Internet Explorer browser only

Web Page, Complete (*.htm, *.html)—Supports any browser, but resource files (GIFs, CSS, etc.) are stored in a subdirectory

Web Page, HTML Only (*.htm, *.html)—Format and GIFs will not be present

Text File (*.txt)


Note Because the report dialog makes use of IFRAMEs, the report data and restricted access data are stored in a separate HTML file. If the HTML Only and Text options are used, the user does not see the report and restricted data in the saved file.


Perform manual remediation—the user can download installation packages for the required software and perform other required remediation tasks according to the Remediation Suggestion entries displayed and click Re-Scan to see if their changes bring the client machine into full compliance.


Note The Temporary role session timeout is set to 4 minutes by default, but Cisco recommends you configure the duration to allow enough time for users to access web resources, download installation packages for the required software, and possibly perform other required remediation tasks before attempting to Re-Scan the client machine for compliance.


Figure 12-70 Optional Requirement Not Met

11. If the Web Agent scan determines that the client machine is compliant with the Agent requirements you have configured for the user's role, the user receives a "Host is compliant with network security policy" message within a green banner (Figure 12-71).


Note For information on status codes the Cisco NAC Web Agent passes back to the Cisco NAC Appliance system, see Table 12-2 in Cisco NAC Web Agent Status Codes.


12. The user can choose to do one of the following:

Click Continue to complete Web Agent launch.

Click Save Report to save a local copy of the Web Agent session report that the user can forward on to the Cisco NAC Appliance administrator to help troubleshoot potential Web Agent login issues. The reports are available in the following formats:

Web Archive, Single File (*.mht)—Limited to the Microsoft Internet Explorer browser only

Web Page, Complete (*.htm, *.html)—Supports any browser, but resource files (GIFs, CSS, etc.) are stored in a subdirectory

Web Page, HTML Only (*.htm, *.html)—Format and GIFs will not be present

Text File (*.txt)

Figure 12-71 Requirement Met

13. If you have configured the Cisco NAC Appliance system to require the user to view and accept a Network Usage Policy guideline in the Device Management > Clean Access > General Setup > Agent Login page and have configured the Device Management > Clean Access > Clean Access Agent > Installation page to show the user the Full UI Direct Installation Option, the user may see a dialog similar to Figure 12-72. If the user does not accept the Network Usage Policy, the installation process halts and the user must choose to either restart the install and launch process or accept "restricted" network access.

Figure 12-72 (Optional) Network Usage Policy Dialog

14. Once the user has performed manual remediation and successfully "re-scanned" the client machine, accepted any optional Network Usage Policy, identified and noted optional requirement items, or has chosen to accept "restricted" access for this user login session, the user receives a "Successfully logged on to the network" dialog (Figure 12-73) followed by a Clean Access Authentication browser window (Figure 12-75) featuring Web Agent session status information and a Logout button the user can click to terminate the Web Agent session.

Figure 12-73 Successful Cisco NAC Web Agent Login

Even when the Cisco NAC Web Agent has launched, installed, and initiated a login session without any issues, or when the user has brought the client machine into compliance through manual remediation and successfully "re-scanned" it, another issue might still keep the Cisco NAC Web Agent from logging the user into the network, resulting in a "You will not be allowed to access the network..." message similar to that in Figure 12-74. Known causes of this situation include a previous Web Agent session for the same user that did not "tear down" properly on the CAM, or the user currently being logged into an active Clean Access Agent session.

If you receive one of these messages, click OK and attempt to launch the Cisco NAC Web Agent again. If the problem persists, contact your Cisco NAC Appliance system administrator.

Figure 12-74 Cisco NAC Web Agent Login Failed

Figure 12-75 Cisco NAC Web Agent Connection Status Window (Including Logout Button)

15. To log out of the Cisco NAC Appliance user session and disengage the Cisco NAC Web Agent, the user clicks the Logout button. The web interface logs the user out of the network, removes the session from the client machine, and the user ID disappears from the Online Users list.


Note To log off the network and disengage the Cisco NAC Web Agent, the user can also right-click a Clean Access Agent icon in the system tray and select Logout.


If you close the Web Agent connection browser window without "logging out" of the system, the user session remains active with the assigned user role until the CAM detects that the client machine is no longer available, a session timeout occurs, or some other event takes place to reveal the correct client machine state.


Note The administrator can configure the Web Agent Login success dialog to close automatically after a specified number of seconds, or not to appear at all. See Agent Login, page 9-20 for details.


Agent Troubleshooting

This section contains the following:

Client Cannot Connect/Login

No Clean Access Agent Pop-Up/Login Disabled

Client Cannot Connect (Traffic Policy Related)

AV/AS Rule Troubleshooting

Cisco NAC Web Agent Status Codes

Known Issue for Windows Script 5.6

Known Issue for MS Update Scanning Tool (KB873333)


Note For additional Agent Stub installer logging and debug logging information, refer to the "Generating Windows Installer Log Files for Agent Stub" and "Debug Logging for Cisco NAC Appliance Agents" troubleshooting sections in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3).


Client Cannot Connect/Login

The following client errors at login can indicate CAM/CAS certificate related issues (i.e. the CAS does not trust the certificate of the CAM, or vice-versa):

Users attempting web login continue to see the login page after entering user credentials and are not redirected.

Users attempting Clean Access Agent login see the following error: "Clean Access Server could not establish a secure connection to the Clean Access Manager at <IPaddress or domain>"

To resolve these issues, refer to Troubleshooting Certificate Issues, page 15-16.

No Clean Access Agent Pop-Up/Login Disabled

For L2 or L3 deployments, the Clean Access Agent will pop up on the client if "Popup Login Window" is enabled on the Agent and the Agent detects it is behind the Clean Access Server. If the Agent does not pop up, this indicates it cannot reach the CAS.

To Troubleshoot L2 Deployments:

1. Make sure the client machine can get a correct IP address. Open a command tool (Start > Run > cmd) and type ipconfig or ipconfig /all to check the client IP address information.

2. If necessary, type ipconfig /release, then ipconfig /renew to reset the DHCP lease for the client.

To Troubleshoot L3 Deployments:

1. Check whether the Discovery Host field is set to the IP address of the CAM itself under Device Management > Clean Access > Clean Access Agent > Installation | Discovery Host. This field must be the address of a device on the trusted side and cannot be the address of the CAS.

2. Uninstall the Clean Access Agent on the client.

3. Change the Discovery Host field to the IP address of the CAM and click Update.

4. Reboot the CAS.

5. Re-download and re-install the Clean Access Agent on the client.


Note The Login option on the Clean Access Agent is correctly disabled (greyed out) in the following cases:

For OOB deployments, the Agent user is already logged in through the CAS and the client port is on the Access VLAN.

For multi-hop L3 deployments, Single Sign-On (SSO) has been enabled and the user has already authenticated through the VPN concentrator (therefore is already automatically logged into Cisco NAC Appliance).

MAC address-based authentication is configured for the machine of this user and therefore no user login is required.


Client Cannot Connect (Traffic Policy Related)

The following errors can indicate DNS, proxy or network traffic policy related issues:

User can login via Clean Access Agent, but cannot access web page/Internet after login.

User cannot access web login page without typing in https://<CAS_IP_address> as the URL.

To troubleshoot these issues:

Verify and/or change DNS Servers setting on the CAS (under Device Management > CCA Servers > Manage <CAS_IP> > Network > DNS)

If enabling the CAS as a DHCP server, verify and/or change the DNS Servers field for the Subnet List (under Device Management > CCA Servers > Manage <CAS_IP> > Network > DHCP > Subnet List > List | Edit).

If remediation sites cannot be reached after login, verify default host policies (Allowed Hosts) are enabled for the Temporary role (under User Management > User Roles > Traffic Control > Host).

If using a proxy server, make sure a traffic policy allowing HTTP traffic to the proxy server is enabled for the Temporary role. Verify the proxy is correctly set in the browser (from IE go to Tools > Internet Options > Connections > LAN Settings | Proxy server).

See Troubleshooting Host-Based Policies, page 8-28 for additional details.

AV/AS Rule Troubleshooting

To view administrator reports for the Clean Access Agent, go to Device Management > Clean Access > Clean Access Agent > Reports. To view information from the client, right-click the Agent taskbar icon and select Properties.

When troubleshooting AV/AS Rules, please provide the following information:

1. Version of CAS, CAM, and Clean Access Agent.

2. Client OS version (e.g. Windows XP SP2)

3. Name and version of AV/AS vendor product.

4. What is failing—AV/AS installation check or AV/AS update checks? What is the error message?

5. What is the current value of the AV/AS def date/version on the failing client machine?

6. What is the corresponding value of the AV/AS def date/version being checked for on the CAM? (see Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info)

Cisco NAC Web Agent Status Codes

Table 12-1 shows the status codes passed from the ActiveX or Java Applet downloader used to install the Cisco NAC Web Agent on the client machine.

Table 12-1 Java Server Page Status Codes from ActiveX Control or Java Downloader Applet

ActiveX/Java Applet Status Code    Value/Description
ACTIVEX_FAILURE                    -1  "unable to launch active-x control"
DL_FAILURE                         -2  "failed to download the web agent executable"
EXE_FAILURE                        -3  "there was an error running the web agent"
ACTIVEX_START                       0
STATUS_DL_START                     1
DL_IN_PROGRESS                      2
EXE_IN_PROGRES                      3


Table 12-2 shows the status codes passed from the Cisco NAC Web Agent back to the Cisco NAC Appliance system during posture assessment and remediation.

Table 12-2 Cisco NAC Web Agent Status Codes

Cisco NAC Web Agent Status Code    Value
COMPLIANT/SUCCESS                  32
NON_COMPLIANT                      33
REJECTED_AUP                       34
REMEDIATION TIMEOUT                35
GENERAL ERROR                      36
TEMPORARY/RESTRICTED ACCESS        37
WEB AGENT ALREADY RUNNING          38
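The two tables above list the codes as they are reported. The following Python script is an example added to this section, not part of Cisco's software: it turns Table 12-1 and Table 12-2 into a small session classifier and a posture decision function that follows steps 7 through 12 of the user dialogs. The code sequences and requirement results it processes are constructed, and the precedence it applies among the user's choices (remediation timeout, restricted access, mandatory failure, AUP rejection) is an assumption of the model rather than documented Cisco behavior.

```python
"""Session classifier for the Cisco NAC Web Agent status codes (Tables 12-1 and 12-2).

Added example; the code sequences and scan results below are constructed and
the ordering rules are a model of the flow described in this chapter.
"""

# Table 12-1: codes reported by the ActiveX control or Java downloader applet.
DOWNLOADER_CODES = {
    "ACTIVEX_FAILURE": -1,  # "unable to launch active-x control"
    "DL_FAILURE": -2,       # "failed to download the web agent executable"
    "EXE_FAILURE": -3,      # "there was an error running the web agent"
    "ACTIVEX_START": 0,
    "STATUS_DL_START": 1,
    "DL_IN_PROGRESS": 2,
    "EXE_IN_PROGRES": 3,    # spelled this way in Table 12-1
}

# Table 12-2: codes reported by the Web Agent after posture assessment.
AGENT_CODES = {
    "COMPLIANT/SUCCESS": 32,
    "NON_COMPLIANT": 33,
    "REJECTED_AUP": 34,
    "REMEDIATION TIMEOUT": 35,
    "GENERAL ERROR": 36,
    "TEMPORARY/RESTRICTED ACCESS": 37,
    "WEB AGENT ALREADY RUNNING": 38,
}

CODE_NAMES = {value: name for name, value in {**DOWNLOADER_CODES, **AGENT_CODES}.items()}
INSTALLER_DONE = DOWNLOADER_CODES["EXE_IN_PROGRES"]


def summarize_session(codes):
    """Classify one login attempt from the status codes it reported, in order.

    Returns a dict with the stage reached ('download' or 'posture'), whether the
    login succeeded, and the table name of the decisive code. Progress codes 0-3
    are expected in non-decreasing order; a negative code ends the download stage;
    a posture code is only meaningful once the installer reached code 3.
    """
    last_progress = None
    for code in codes:
        if code in (-1, -2, -3):
            return {"stage": "download", "ok": False, "reason": CODE_NAMES[code]}
        if 0 <= code <= 3:
            if last_progress is not None and code < last_progress:
                return {"stage": "download", "ok": False,
                        "reason": "out-of-order progress code %d" % code}
            last_progress = code
        elif code in CODE_NAMES:
            if last_progress != INSTALLER_DONE:
                return {"stage": "posture", "ok": False,
                        "reason": "posture code %s before installer finished" % CODE_NAMES[code]}
            return {"stage": "posture", "ok": code == AGENT_CODES["COMPLIANT/SUCCESS"],
                    "reason": CODE_NAMES[code]}
        else:
            return {"stage": "unknown", "ok": False, "reason": "undocumented code %d" % code}
    return {"stage": "download", "ok": False, "reason": "session ended during download"}


def unmet_requirements(results):
    """Split unmet requirements into (mandatory, optional) name lists.

    `results` maps requirement name -> (mandatory, met), mirroring the mandatory
    dialogs of step 7 and the optional dialog of step 9.
    """
    mandatory = [name for name, (req, met) in results.items() if req and not met]
    optional = [name for name, (req, met) in results.items() if not req and not met]
    return mandatory, optional


def posture_code(results, accepted_aup=True, took_restricted=False, timed_out=False):
    """Derive the Table 12-2 code for a scan outcome and the user's choices.

    The precedence below (timeout, then restricted access, then mandatory
    failures, then AUP rejection) is an assumption of this model.
    """
    if timed_out:
        return AGENT_CODES["REMEDIATION TIMEOUT"]
    if took_restricted:
        return AGENT_CODES["TEMPORARY/RESTRICTED ACCESS"]
    if unmet_requirements(results)[0]:
        return AGENT_CODES["NON_COMPLIANT"]
    if not accepted_aup:
        return AGENT_CODES["REJECTED_AUP"]
    # Unmet optional requirements still yield "Host is compliant" (step 9).
    return AGENT_CODES["COMPLIANT/SUCCESS"]


if __name__ == "__main__":
    # Constructed sessions: an ActiveX launch failure, a scan that found a
    # missing mandatory AV definition update, and a fully compliant client.
    for session in ([0, -1], [0, 1, 2, 3, 33], [0, 1, 2, 3, 32]):
        print(session, "->", summarize_session(session))
    scan = {"AV definition update": (True, False), "Optional hotfix": (False, False)}
    print("unmet:", unmet_requirements(scan), "code:", CODE_NAMES[posture_code(scan)])
```

Feeding the codes from a CAS or CAM event record into summarize_session gives a quick triage of whether a failed login stopped at the installer (negative Table 12-1 code) or at posture assessment (Table 12-2 code), which is the first question to settle before looking at certificate, ActiveX, or requirement configuration.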


Known Issue for Windows Script 5.6

Windows Script 5.6 is required for proper functioning of the Clean Access Agent. Most Windows 2000 and older operating systems come with Windows Script 5.1 components. Microsoft automatically installs the new 5.6 component on performing Windows updates. Windows installer components 2.0 and 3.0 also require Windows Script 5.6. However, PC machines with a fresh install of Windows 98, ME, or 2000 that have never performed Windows updates will not have the Windows Script 5.6 component. Cisco NAC Appliance cannot redistribute this component as it is not provided by Microsoft as a merge module/redistributable.

In this case, administrators will have to access the MSDN website to get this component and upgrade to Windows Script 5.6. For convenience, links to the component from MSDN are listed below:

Win 98, ME, NT 4.0:

Filename: scr56en.exe

URL: http://www.microsoft.com/downloads/details.aspx?familyid=0A8A18F6-249C-4A72-BFCF-FC6AF26DC390&displaylang=en

Win 2000, XP:

Filename: scripten.exe

URL: http://www.microsoft.com/downloads/details.aspx?familyid=C717D943-7E4B-4622-86EB-95A22B832CAA&displaylang=en

If these links change on MSDN, try a search for the file names provided above or search for the phrase "Windows Script 5.6."

Known Issue for MS Update Scanning Tool (KB873333)

Background

KB873333 is a critical update that is required for Windows XP Professional and Home for SP1 and SP2. It fixes an OS vulnerability that can allow remote code to run. However, Microsoft had a bug in this hotfix which caused problems on SP2 editions (home/pro). This bug required another fix (KB894391), because KB873333 on SP2 caused a problem with displaying Double Byte Character Sets (DBCS). However, KB894391 does not replace KB873333, it only fixes the DBCS display issue.

Ideally, KB894391 should not be installed or shown in updates unless the user machine has KB873333. However, the MS Update Scanning Tool shows it irrespective of whether or not KB873333 is installed. In addition, if, due to the ordering of the updates, KB894391 is installed, the MS Update Scanning Tool no longer shows KB873333 as a required update, thereby leaving the vulnerability open. This could happen if the user does not install KB873333 and only selects KB894391 from the updates list shown, or manually installs KB894391 without installing KB873333 first. In this case, the next time updates are run, the user will not be shown KB873333 as a required update, because the MS Update Scanning Tool (including MS Baseline Analyzer) assumes KB873333 is installed if KB894391 is installed, even if this is not true and the machine is still vulnerable.
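The condition above (KB894391 present, KB873333 absent, scanner reporting the machine as patched) can be checked directly from an installed-hotfix inventory. The following Python script is an example added to this section, not a Cisco or Microsoft tool; the inventory listings it parses are constructed, and it compares the scanning tool's inference with the presence check that the Clean Access KB873333 rule performs.

```python
"""Detect the KB894391-without-KB873333 condition described above.

Added example, not a Cisco or Microsoft tool. It reads a hotfix inventory as
text (the samples below are constructed) and compares what the MS Update
Scanning Tool would conclude with what is actually installed.
"""
import re

REQUIRED_FIX = "KB873333"   # closes the remote code execution vulnerability
FOLLOW_UP_FIX = "KB894391"  # only repairs the DBCS display problem introduced by KB873333

# Constructed inventories in the shape of a simple "hotfix id, description, date" listing.
SAMPLE_INVENTORY_HIDDEN = """\
HotFixID   Description       InstalledOn
KB890859   Security Update   5/12/2005
KB894391   Update            5/12/2005
"""

SAMPLE_INVENTORY_OK = """\
HotFixID   Description       InstalledOn
KB873333   Security Update   2/9/2005
KB894391   Update            5/12/2005
"""


def installed_hotfixes(inventory_text):
    """Extract KB identifiers from an inventory listing, normalised to upper case."""
    return {kb.upper() for kb in re.findall(r"\bKB\d{6,7}\b", inventory_text, flags=re.IGNORECASE)}


def scanner_reports_patched(hotfixes):
    """The MS Update Scanning Tool assumes KB873333 is present whenever KB894391 is."""
    return REQUIRED_FIX in hotfixes or FOLLOW_UP_FIX in hotfixes


def nac_rule_passes(hotfixes):
    """The Clean Access KB873333 rule (kept in the ruleset, see Workaround) checks the fix itself."""
    return REQUIRED_FIX in hotfixes


def assess(inventory_text):
    """Return the scanner's view, the real state, and a status label.

    status is 'ok' (KB873333 installed), 'hidden_vulnerable' (only KB894391,
    the case the scanner misreports) or 'missing' (neither installed).
    """
    hotfixes = installed_hotfixes(inventory_text)
    reported = scanner_reports_patched(hotfixes)
    patched = nac_rule_passes(hotfixes)
    if patched:
        status = "ok"
    elif reported:
        status = "hidden_vulnerable"
    else:
        status = "missing"
    return {"reported_patched": reported, "patched": patched, "status": status}


if __name__ == "__main__":
    for label, inventory in (("hidden", SAMPLE_INVENTORY_HIDDEN), ("ok", SAMPLE_INVENTORY_OK)):
        print(label, assess(inventory))
```

A machine that returns hidden_vulnerable is exactly the one the Option 1 workaround targets: the scanning tool will never offer KB873333 again, so the Clean Access Link requirement is what prompts the user to install it.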

Workaround

Because of this potential vulnerability, Cisco does not intend to remove the update check for KB873333 from the Clean Access ruleset and users should manually download and install KB873333 to protect their machines. This can be done in one of two ways:

Option 1 (Cisco Recommended Option)

Create a new Link requirement in the CAM web console to check for KB873333, using the following steps:

1. Create a rule to check for the presence of KB873333. To create this rule, go to the Rules section of the web console and click New Rule. Give the rule a name (e.g. "KB873333_Rule"), and for the rule expression, copy/paste the exact name of the KB873333 check from the list of checks displayed on that page (the list of available checks appear below the new rule creation section). Save the rule by clicking "Add Rule."

2. Download the update executable for KB873333 from Microsoft's website and host it on an available web server.

3. Create a Link Requirement on Cisco NAC Appliance, and enter the URL from step 2.

4. Create Requirement-Rules for this requirement by selecting the rule you created in step 1.

5. Finally, go to the Role-Requirements section, and associate the Requirement you just created with the role to which you want this to be applied.


Note On the Requirements page, make sure that the KB873333 requirement is above the Windows Hotfixes requirement.


Option 2

Uninstall KB894391 from affected machines. After rebooting, go to the Windows Update page again. Windows Update should now display both the updates. Install KB873333 and KB894391 on the client machine. Note that this requires administrators to educate users or manually perform this task on the user machines.