Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5)
Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment

Table Of Contents

Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment

Overview

Agent Configuration Steps

Add Default Login Page

Configure Agent Roles and User Profiles

Require Agent Login for Client Machines

Configure Restricted Network Access for Agent Users

Configure Network Policy Page (Acceptable Use Policy) for Agent Users

Configure the Agent Temporary Role

Retrieving Cisco NAC Appliance Updates

View Current Updates

Configure and Download Updates

Configure Proxy Settings for CAM Updates (Optional)

Setting Up Agent Distribution/Installation

Agent Distribution

Installation Page

Cisco NAC Agent XML Configuration File Settings

Cisco NAC Agent MSI Installer

Configuring Agent-Based Posture Assessment

Overview

Configuring AV/AS Definition Update Requirements

AV Rules and AS Rules

Verify AV/AS Support Info

Create an AV Rule

Create an AV Definition Update Requirement

Create an AS Rule

Create an AS Definition Update Requirement

Configuring a Windows Server Update Services Requirement

Create Windows Server Update Service Requirement

Map Windows Server Update Service Requirement to Windows Rules

Configuring a Windows Update Requirement

Create a Windows Update Requirement

Map Windows Update Requirement to Windows Rules

Configuring Custom Checks, Rules, and Requirements

Custom Requirements

Custom Rules

Cisco Pre-Configured Rules ("pr_")

Custom Checks

Cisco Pre-Configured Checks ("pc_")

Using Pre-Configured Rules to Check for CSA

Copying Checks and Rules

Configuration Summary

Create Custom Check

Create a Custom Rule

Validate Rules

Create a Custom Requirement

Configuring a Launch Programs Requirement

Launch Programs With Admin Privileges

Launch Programs Without Admin Privileges

Create a Launch Programs Requirement

Map Requirements to Rules

Apply Requirements to User Roles

Validate Requirements

Configuring an Optional/Audit Requirement

Configuring Auto Remediation for Requirements

Post-Configuration and Agent Maintenance on the CAM

Manually Uploading the Agent to the CAM

Downgrading the Agent

Configure Agent Auto-Upgrade

Enable Agent Auto-Upgrade on the CAM

Disable Agent Upgrades to Users

Disable Mandatory Agent Auto-Upgrade on the CAM

User Experience for Agent Auto-Upgrade

Uninstalling the Agent

Agent Auto-Upgrade Compatibility


Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment


This chapter describes how to configure Agent distribution and installation for client machines, as well as configure client posture assessment in the Cisco NAC Appliance system.

Overview

Add Default Login Page

Configure Agent Roles and User Profiles

Require Agent Login for Client Machines

Retrieving Cisco NAC Appliance Updates

Setting Up Agent Distribution/Installation

Configuring Agent-Based Posture Assessment

Post-Configuration and Agent Maintenance on the CAM

Overview

The Cisco NAC Agent and Cisco NAC Web Agent provide local posture assessment and remediation for client machines.

Users download and install the Cisco NAC Agent (read-only client software), which can check the host registry, processes, applications, and services. The Agent can be used to perform antivirus or antispyware definition updates, distribute files uploaded to the Clean Access Manager, distribute website links to websites in order for users to download files to fix their systems, or simply distribute information/instructions.

Unlike the Cisco NAC Agent, the Cisco NAC Web Agent is not "persistent": it exists on the client machine only long enough to accommodate a single user session. Instead of downloading and installing an Agent application, the user opens a browser window, logs in to the NAC Appliance web login page, and chooses to launch the temporal Cisco NAC Web Agent; a self-extracting Agent installer then downloads files to the client machine's temporary directory, performs posture assessment (scans the system to ensure security compliance), and reports compliance status back to the Cisco NAC Appliance system. For more information on Cisco NAC Appliance Agents, see Chapter 10 "Cisco NAC Appliance Agents."

Agent posture assessment is configured in the CAM by creating requirements based on rules and (optionally) checks, then applying the requirements to user roles/client operating systems. For an illustrated overview, see Figure 9-9.


Note Most requirement remediation actions (like Windows Updates and AV/AS support updates) require the user to have administrator privileges on the client machine. Therefore, Cisco recommends you ensure that users of client machines undergoing posture assessment and remediation have administrator-level privileges.


Users in L3 Deployments

Cisco NAC Appliance supports multi-hop L3 deployment and VPN concentrator/L3 access from the Agent. This enables clients to discover the CAS when the network configuration puts clients one or more L3 hops away from the CAS (instead of in L2 proximity). You must Enable L3 Support on the CAS and ensure there is a valid Discovery Host for the Agent to function in multihop L3 environments or behind a Cisco VPN concentrator.

Distribution

The Cisco NAC Agent Installation files and the Cisco NAC Web Agent are part of the Clean Access Manager software and are automatically published to all Clean Access Servers. To distribute the Agent to clients for initial installation, you must require use of the Agent for a user role and operating system in the General Setup > Agent Login tab. The CAS then distributes the Agent Setup file when the client requests the Agent. (This behavior does not apply to the Cisco NAC Web Agent.) If the CAS has an outdated version of the Agent, the CAS acquires the newest version available from the CAM before distributing it to the client.

Auto Upgrade

By configuring Agent auto-upgrade in the CAM, you can allow users to automatically upgrade upon login to the latest version of the Agent available on the CAM. With the Cisco NAC Web Agent, users automatically download the latest version of the temporal Agent available on the CAM.

Installation

You can configure the level of user interaction required when users initially install the Agent.

Out-of-Band Users

Because out-of-band users only encounter the Agent during the time they are in-band for authentication and certification, Agent configuration is the same for in-band and out-of-band users.

Rules and Checks

With pre-configured Cisco checks and rules, or custom checks and rules that you configure, the Agent can check if any application or service is running, whether a registry key exists, and/or the value of a registry key. Cisco pre-configured rules provide support for Critical Windows OS hotfixes.

Agent Updates

Through the Updates page of your CAM web console, Cisco tracks and provides multiple updates per hour, including the latest versions of Cisco NAC Agent installers and Cisco NAC Web Agent installation packages as they become available. See Retrieving Cisco NAC Appliance Updates for complete details.

Agent Configuration Steps

The basic steps needed to configure Agent distribution, installation, and posture assessment are:


Step 1 Add Default Login Page

Step 2 Configure Agent Roles and User Profiles

Step 3 Require Agent Login for Client Machines

Step 4 Retrieving Cisco NAC Appliance Updates

Step 5 Setting Up Agent Distribution/Installation

Step 6 Configuring Agent-Based Posture Assessment


Add Default Login Page

In order for both web login users and Agent users to obtain the list of authentication providers, a login page must be added and present in the system; otherwise users cannot authenticate via the Agent. See Add Default Login Page to quickly add the default user login page.


Note For L3 OOB deployments, you must also Enable Web Client for Login Page.


Configure Agent Roles and User Profiles

In order for Agent users to log in to Cisco NAC Appliance, you must ensure that user login roles and user profiles are configured in the system. See Create User Roles and Create Local User Accounts to add user roles and individual user login profiles in Cisco NAC Appliance.

Require Agent Login for Client Machines

Requiring the use of the Agent is configured per user role and operating system. When an Agent is required for a role, users in that role are forwarded to the Agent download page (Figure 9-2) after authenticating for the first time using web login. The user is then prompted to download and run the Agent installation file or launch the Cisco NAC Web Agent. At the end of the installation, the user is prompted to log into the network using the Agent. (Cisco NAC Web Agent users are automatically connected to the network as long as their client machine meets Agent Requirements configured for the user role.)


Step 1 Go to Device Management > Clean Access > General Setup > Agent Login (Figure 9-1).

Figure 9-1 General Setup

Step 2 Select the User Role for which users will be required to use the Agent.

Step 3 Select an Operating System from the items available in the dropdown menu.


Note Make sure the Operating System is correctly configured for the role to ensure the Agent download page and/or Cisco NAC Web Agent launch page is properly pushed to users.


Step 4 If you want to require users to log in to the Cisco NAC Appliance system using the Cisco NAC Agent, click the checkbox for Require use of Agent. For information on Distribution settings, see Agent Distribution. For more information on the Cisco NAC Agent and user dialog examples, see Cisco NAC Agent.

Step 5 If you want to require users to log in to the NAC Appliance system using the Cisco NAC Web Agent, click the checkbox for Require use of Cisco NAC Web Agent. For more information on the Cisco NAC Web Agent and user dialog examples, refer to Cisco NAC Web Agent.


Note The Require use of Agent and Require use of Cisco NAC Web Agent options are not mutually exclusive. If you choose to enable both options, both choices appear to users when they are directed to the Login Page.


Step 6 You can leave the default messages, or optionally type your own HTML message in the Agent Download Page Message (or URL) and/or Cisco NAC Web Agent Launch Page Message (or URL) text fields.

Step 7 Click Update.


Note For additional details on configuring the General Setup page, see Client Login Overview.


Agent users logging in for the first time with the web login page see the Agent Download Page, as shown in Figure 9-2.

Figure 9-2 Agent Download Page

Cisco NAC Web Agent users logging in for the first time with the web login page see the Cisco NAC Web Agent Launch Page, as shown in Figure 9-3.

Figure 9-3 Cisco NAC Web Agent Launch Page


Configure Restricted Network Access for Agent Users

Administrators can configure restricted network access to users when they choose not to download and install the Cisco NAC Agent or launch the Cisco NAC Web Agent themselves, due to lack of permissions on the machine or for guest access purposes, for example. This enhancement is intended to aid guests or partners in a corporate environment to get access to the network even if their assigned user role requires them to log in via an Agent.

Users can also take advantage of "restricted" network access to gain limited network access when the client machine fails remediation and the user must implement updates to meet network access requirements before they can log in using their assigned user role.

The restricted network access option can only be configured when the Require use of Agent and/or Require use of Cisco NAC Web Agent checkboxes are enabled, and the option in question allows you to configure the user role to which these users will be assigned in addition to the button and text presented. When the user performs initial web login and is redirected to download the Agent, the "Restricted Network Access" text and button will appear below the "Download Cisco NAC Agent" and/or "Launch Cisco NAC Web Agent" buttons on the page (Figure 9-2 and Figure 9-3) if the "Allow restricted network access in case user cannot use NAC Agent or Cisco NAC Web Agent" option is enabled under Device Management > Clean Access > General Setup | Agent Login. If the user chooses not to download the Agent or launch the Cisco NAC Web Agent, the user can click "Get Restricted Network Access" button to gain the access permitted by the assigned role through the same browser page.

To support Agent login and/or remediation, users can choose to accept "restricted" network access during Agent login dialog sessions when it is clear that the client machine requires updates in order to meet network security requirements. During the Agent session, the user can click Get Restricted Network Access in the Cisco NAC Agent/Cisco NAC Web Agent dialogs and immediately access the network using the role you assign for restricted network access, regardless of their assigned user role. For more information, see Windows Cisco NAC Agent User Dialogs and Cisco NAC Web Agent User Dialogs.

Note that:

Restricted network access users appear on the In-Band Online Users List denoted by blue shading.

For example, if a user cannot install the Agent and clicks the "Restricted Access" button in an OOB deployment, that user appears on the In-Band Online User list and remains in the Authentication VLAN even though the CAS is performing OOB. In this case, administrators can configure ACLs on the restricted role to control access for users in that role.

Restricted network access users do not appear on the Certified Devices List (since they have not met posture assessment requirements).

Configure Network Policy Page (Acceptable Use Policy) for Agent Users

This section describes how to configure user access to a Network Policy page (or Acceptable Usage Policy, AUP) for Agent users. After login and requirement assessment, the Agent displays an "Accept" dialog (Figure 10-56) with a Network Usage Terms & Conditions link to the web page that users must accept to access the network. You can use this option to provide a policy or information page about acceptable network usage. This page can be hosted on an external web server or on the CAM itself.

To Configure Network Policy Link

1. Go to Device Management > Clean Access > General Setup (see Figure 9-1).

2. Make sure User Role, Operating System and Require use of Agent/Require Use of Cisco NAC Web Agent are configured.

3. Click Show Network Policy to NAC Agent and Cisco NAC Web Agent users [Network Policy Link:]. This will display a link in the Agent to a Network Usage Policy web page that Agent users must accept to access the network.

4. If hosting the page on the CAM, you will need to upload the page (for example, "helppage.htm") using Administration > User Pages > File Upload. See Upload a Resource File for details. If hosting the page on an external web server, continue to the next step.

5. Type the URL for your network policy page in the Network Policy Link field as follows:

To link to an externally-hosted page, type the URL in the format:
https://mysite.com/helppages

To point to a page you have uploaded to the CAM, for example, "helppage.htm," type the URL as follows:
https://<CAS_IP_address>/auth/helppage.htm

6. Make sure to add traffic policies to the Temporary role to allow users HTTP access to the page. See Adding Traffic Policies for Default Roles for details.

To see how the Network Policy dialog appears to Agent users, see Figure 10-56.

Configure the Agent Temporary Role

See Configure Agent Temporary Role for details on configuring traffic policies and session timeout for the Agent Temporary role.

Retrieving Cisco NAC Appliance Updates

A variety of updates are available from the Clean Access Updates server, available under Device Management > Clean Access > Updates. You can perform updates manually as desired or schedule them to be performed automatically. This section describes how to do the following:

View Current Updates

Configure and Download Updates

Configure Proxy Settings for CAM Updates (Optional)

View Current Updates


Step 1 Go to Device Management > Clean Access > Updates. The Summary page appears by default (Figure 9-4).

Figure 9-4 Updates Summary

Step 2 The Current Versions of Updates lists all the latest Cisco Updates versions currently on your CAM:

Cisco Checks and Rules

Cisco provides a variety of pre-configured rules ("pr_") and checks ("pc_") for standard client checks such as hotfixes, Windows update, and various antivirus software packages. Cisco checks and rules are a convenient starting point if you need to manually create your own custom checks and rules.

Supported AV/AS Product List (Windows/Macintosh)

The Cisco NAC Appliance Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported antivirus (AV) and antispyware (AS) vendors and product versions used to configure AV or AS Rules and AV or AS Definition Update requirements for posture assessment/remediation. This list is updated regularly for the AV/AS products and versions supported in each Agent release and to include new products for new Agent versions. Note that the list provides version information only. When the CAM downloads the Supported AV/AS Product List it is downloading the information about what the latest versions are for AV/AS products; it is not downloading actual patch files or virus definition files. Based on this information, the Agent can then trigger the native AV/AS application to perform updates.

Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages include all the new products supported in the new Agent, particularly if you have updated the Agent version on your CAM.

For the latest details on products and versions supported, see Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info, or see the "Clean Access Supported AV/AS Product List" section in the latest Release Notes.

Default Host Policies

Clean Access provides automatic updates for the default host-based policies (for Unauthenticated, Temporary, and Quarantine roles). Note that Default Allowed Hosts are disabled by default, and must be enabled for each role under User Management > User Roles > Traffic Control > Hosts. See Enable Default Allowed Hosts for details.

Default L2 Policies

Displays the current version of Default Layer 2 traffic policies available on the CAM. Whenever the CAM searches for updates (either manually or automatically using the settings in the Device Management > Clean Access > Updates page), it automatically checks to see if there is a newer version of Default Layer 2 traffic policies available.

OS Detection Fingerprint

By default, the system uses the User-Agent string from the HTTP header to determine the client OS. In addition, platform information from JavaScript or the OS fingerprint from the TCP/IP handshake can be compared against the OS signature information in the CAM database to determine the client OS. This signature information can be updated in the CAM when new OS signatures become available, so that an OS fingerprint can be verified as belonging to a Windows machine. This enhanced OS fingerprinting feature is intended to prevent users from changing the identification of their client operating systems by manipulating HTTP information. Note that this is a "passive" detection technique (accomplished without Nessus) that only inspects the TCP handshake and is not impacted by the presence of a personal firewall. See also Device Management > CCA Servers > Manage [CAS_IP] > Authentication > OS Detection in the CAS management pages of the web console, and the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.7(5) for further details.


Note The OS detection/fingerprinting feature uses both browser User-Agent string and TCP/IP stack information to try to determine the OS of the client machine. While the detection routines will attempt to find the best match, it is possible that the OS may be detected incorrectly if the end-user modifies the TCP/IP stack on the client machine and changes the User-Agent string on the browser. If there is concern regarding malicious users evading the OS fingerprinting/detection mechanisms, then administrators are advised to use network scanning in order to confirm the OS on the machine. If, for any reason, it is not possible or not desirable to use network scanning, then network administrators should consider pre-installing the Agent on client machines or allowing users to log in via the Cisco NAC Web Agent.

In a FIPS 140-2 compliant network where both the CAMs and CASs are configured in failover mode, Cisco NAC Appliance does not correctly report the operating system of a client machine following a failover event and subsequent synchronization. Once the CAM/CAS detect client HTTP/HTTPS traffic, the CAM/CAS are able to "rediscover" the client machine operating system following the failover event.
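The cross-check the note describes, as an added illustration that is not Cisco NAC Appliance code: the OS family derived from the browser User-Agent is compared with the OS family derived from the client's TCP SYN attributes, and the two sources are reported as verified, mismatched, or unverifiable. The CAM's real signature database and fingerprint format are not documented here, so the signature table, the User-Agent patterns, and the sample SYN values are constructed for the example.

```python
"""Passive OS detection cross-check: HTTP User-Agent versus TCP SYN fingerprint.

Constructed example (not Cisco code). The signature table below is illustrative:
the initial-TTL values are the well-known stack defaults (Windows 128,
Linux and Mac OS X 64); the window sizes are sample values, not an
authoritative signature set.
"""
import re
from dataclasses import dataclass

# Constructed signature table: (initial TTL, TCP window size, DF bit) -> OS family.
TCP_SIGNATURES = {
    (128, 8192, True): "Windows",
    (128, 65535, True): "Windows",
    (64, 5840, True): "Linux",
    (64, 65535, True): "Mac OS X",
}

# Order matters: "Mac OS X" is tested before "Linux" because some user agents
# contain both tokens.
USER_AGENT_PATTERNS = [
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Mac OS X"), "Mac OS X"),
    (re.compile(r"Linux"), "Linux"),
]


@dataclass(frozen=True)
class SynFingerprint:
    """Attributes observed on the client's TCP SYN (constructed sample input)."""
    ttl: int      # TTL as seen by the CAS, after any hops have decremented it
    window: int   # advertised TCP window size
    df: bool      # Don't Fragment bit set


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value (64, 128, 255).

    A SYN that arrives with TTL 127 was almost certainly sent with 128 and
    crossed one router, so the hop count must not change the classification.
    """
    for start in (64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255


def os_from_user_agent(ua: str) -> str:
    """OS family claimed by the browser; trivially editable by the user."""
    for pattern, family in USER_AGENT_PATTERNS:
        if pattern.search(ua):
            return family
    return "Unknown"


def os_from_syn(fp: SynFingerprint) -> str:
    """OS family implied by TCP/IP stack behaviour; harder for a user to change."""
    key = (initial_ttl(fp.ttl), fp.window, fp.df)
    return TCP_SIGNATURES.get(key, "Unknown")


def detect_os(ua: str, fp: SynFingerprint) -> dict:
    """Combine both sources and say whether they agree.

    verdict values:
      verified    both sources identify the same OS family
      mismatch    both sources are known and disagree (the case the guide
                  warns about: the User-Agent may have been altered)
      unverified  at least one source could not classify the client
    """
    ua_os = os_from_user_agent(ua)
    stack_os = os_from_syn(fp)
    if "Unknown" in (ua_os, stack_os):
        verdict = "unverified"
    elif ua_os == stack_os:
        verdict = "verified"
    else:
        verdict = "mismatch"
    return {"user_agent_os": ua_os, "stack_os": stack_os, "verdict": verdict}


if __name__ == "__main__":
    # Constructed samples: a genuine Windows client one hop away, a client whose
    # User-Agent claims Windows but whose stack looks like Linux, and a client
    # with a window size not in the signature table.
    samples = [
        ("Mozilla/5.0 (Windows NT 6.1; WOW64)", SynFingerprint(127, 8192, True)),
        ("Mozilla/5.0 (Windows NT 6.1)", SynFingerprint(62, 5840, True)),
        ("Mozilla/5.0 (X11; Linux x86_64)", SynFingerprint(64, 1234, True)),
    ]
    for ua, fp in samples:
        print(detect_os(ua, fp))
```

A mismatch verdict is the point at which the note's advice applies: confirm the OS with network scanning or rely on a pre-installed Agent rather than on the browser-reported platform.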


Supported Out-of-Band Switch OIDs

Updates to the object IDs (OIDs) of supported switches are downloaded and published as they are made available. For example, if a new switch (such as C3750-XX-NEW) of a supported model (Catalyst 3750 series) is released, administrators only need to perform Cisco Updates on the CAM to obtain support for the switch OIDs, instead of performing a software upgrade of the CAM/CAS.

Note that the switch OID update feature only applies to existing models. If a new switch series is introduced, administrators will still need to upgrade to ensure OOB support for the new switches. See Chapter 3 "Switch Management: Configuring Out-of-Band Deployment" for details on OOB.

Macintosh Clean Access Agent

Displays the version of the Mac OS X Clean Access Agent currently installed on the CAM. This is the version of the Mac OS X Agent that users download and install on their client machines when they first sign in to Cisco NAC Appliance. The Mac OS X Agent is automatically updated to a more current version when users sign in and a newer version of the Agent is available on the CAM.

Cisco NAC Web Agent

Displays the version of the Cisco NAC Web Agent currently installed on the CAM. Users who log in and choose to use the temporal Cisco NAC Web Agent always receive the current version of the Agent for their user session.

Cisco NAC Web Agent Facilitator (ActiveX/Applet)

Displays the version of the Cisco NAC Web Agent ActiveX/Java Applet currently installed on the CAM, which the CAM uses to install the temporal Agent on the client machine when users access Cisco NAC Appliance and choose to use the Cisco NAC Web Agent.

L3 MAC Address Detection (ActiveX/Applet)

The L3 Java Applet and L3 ActiveX web client are needed for client MAC Address detection when users perform web login in L3 OOB deployments. The MAC detection mechanism of the Agent will automatically acquire the client MAC address in L3 OOB deployments. (See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.7(5) for more information.)

Users performing web login will download and execute either an ActiveX control (for IE browsers) or a Java applet (for non-IE browsers) on the client machine prior to user login to determine the user machine's MAC address. This information is then reported to the CAS and the CAM to provide the IP address/MAC address mapping.

ActiveX/Java Applet and Browser Compatibility

Complete ActiveX/Java Applet and Browser Compatibility information is available in Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later.

Due to Firefox issues with Java, Java applets are not supported for Firefox on Mac OS X. See the Firefox release notes (http://www.mozilla.com/firefox/releases/1.5.0.3.html) for details.


Note To ensure Clean Access checks include the latest Microsoft Windows hotfixes, always get the latest Updates of Cisco Checks and Rules (by Clean Update if needed) and ensure appropriate host-based traffic policies are in place (see Add Global Host-Based Traffic Policies for details).

When upgrading your CAM/CAS to the latest release of Cisco NAC Appliance, all Perfigo/Cisco pre-configured checks/rules will be automatically updated.


Step 3 Once updates are performed (manual or automatic), you can check the Summary page to verify the updates.


Configure and Download Updates


Step 1 Go to Device Management > Clean Access > Updates.

Step 2 Click the Update subtab to configure what Cisco Updates to download to your CAM and/or how often to check for Clean Access Updates. (Figure 9-5).

Figure 9-5 Device Management > Clean Access > Updates > Update

Step 3 To configure automatic updates on your CAM, click the checkbox for Automatically check for updates starting from [] every [] hours, type a start time in 24-hour format (such as 13:00:00), and type a "repeat" interval (1 hour is recommended).

Step 4 Click the Check for Windows NAC Agent updates option to ensure the CAM always downloads the latest version of the Agent installer. This must be enabled for Agent auto-upgrade.

Step 5 Click the Check for Macintosh Clean Access Agent updates option to ensure the CAM always downloads the latest version of the Agent. This must be enabled for Macintosh Clean Access Agent auto-upgrade.

Step 6 Click the Check for Cisco NAC Web Agent updates option to ensure the CAM always downloads the latest version of the Cisco NAC Web Agent.

Step 7 Click the Check for CCA L3 Java Applet/ActiveX web client updates option to ensure the CAM always downloads the latest versions of the L3 Java Applet and ActiveX web clients. Web login users need to download these helper controls from the login page to enable the CAS to obtain MAC information in L3 deployments (particularly for L3 OOB). Once the Agent is used, the Agent automatically sends client MAC information to the CAS.

Step 8 Do one of the following:

a. Click Update to manually update your existing database with the latest Cisco checks and rules, Agent update, Supported AV/AS Product List, and default host policies.

b. Click Clean Update to remove previous update items from the database first (including non-customer-created checks and rules, Agent updates, and Supported AV/AS Product Lists) before downloading the new updates. See Enable Default Allowed Hosts for details.

Step 9 When you retrieve updates, the following status messages are displayed at the bottom of the page:

Cisco auto-update schedule (if enabled)

Latest version of Cisco Checks & Rules:
This shows the version of Cisco checks and rules downloaded. The latest update of Cisco pre-configured checks ("pc_") and rules ("pr_") will populate the Check List and Rule List, respectively (under Device Management > Clean Access > Clean Access Agent > Rules).

Latest version of Windows NAC Agent Installer (if available)

Latest version of Macintosh Clean Access Agent Installer (if available)

Latest Cisco NAC Web Agent version, Cisco NAC Web Agent Applet Facilitator version, and Cisco NAC Web Agent ActiveX Facilitator version installed

Latest version of Supported AV/AS Product List:
This shows the latest version of the Supported AV/AS Product List. When creating a New AV Rule or requirement of type AV Definition Update, the matrix of supported vendors and product versions will be updated accordingly.

Latest version of default host policies:
This shows the latest version of default host-based policies provided for the Unauthenticated, Temporary, and Quarantine roles.

Latest version of OS detection fingerprint:
Updates to OS Detection Fingerprints (or signatures) will be made as new operating systems become available for Windows machines.

Latest version of L3 Java Applet web client:
Updates to the L3 Java Applet web client will be downloaded and published as they are made available.

Latest version of L3 ActiveX web client:
Updates to the L3 ActiveX web client will be downloaded and published as they are made available.

Latest version of OOB switch OIDs:
Updates to the object IDs (OIDs) of supported switches will be downloaded and published as they are made available.


Note Starting from Release 4.5, administrators are able to update the object IDs (OIDs) of supported WLC platforms (in addition to supported switches) when performing a CAM update.


Latest version of default L2 policies:
Updates to the Layer 2 traffic policies are downloaded and published as they are made available.


Configure Proxy Settings for CAM Updates (Optional)

If your CAM requires a proxy server to connect to the Internet, configure proxy server settings so that the CAM can get Clean Access Updates.


Step 1 Go to Device Management > Clean Access > Updates.

Step 2 Click the HTTP Settings subtab.

Figure 9-6 Device Management > Clean Access > Updates > HTTP Settings

Step 3 Click the "Use an HTTP proxy server to connect to the update server" option if your CAM goes through a proxy server to get to the Internet.

Step 4 Specify the Proxy Hostname and Proxy Port the CAM uses to connect to the Internet.

Step 5 If your proxy server requires credentials to authenticate the proxy session, specify the Proxy Authentication method by checking one or more of the following:

Basic—Prompts you to provide the Username and Password required to authenticate the proxy session between the CAM and the proxy server.

Digest—Just as with the Basic setting, this option prompts you to provide the Username and Password required to authenticate the proxy session between the CAM and the proxy server. Unlike Basic, the CAM sends a hash ("digest") of the credentials rather than the credentials themselves, so the username and password are not exposed in clear text on the network between the CAM and the proxy.

NTLM—In addition to the Username and Password required to authenticate the proxy session between the CAM and the proxy server, you must also specify the proxy Host and Domain to support an existing Microsoft Windows NT LAN Manager (NTLM) proxy service.


Note The NTLM option supports NTLM Version 1 and Version 2.


Step 6 Click Save.


Setting Up Agent Distribution/Installation

The latest version of the Agent is automatically included with the Clean Access Manager software for each software release. The CAM automatically publishes the Agent installation file to each Clean Access Server after CAS installation and anytime the CAM acquires a new version of the Agent through web Updates or through a manual upload.

To enable users to download and install the Agent installation file or launch the Cisco NAC Web Agent, you must Require Agent Login for Client Machines. For new Agent users, the Agent download page appears after the user logs in for the first time via the web login. If auto-upgrade is enabled, existing Agent users are prompted at login to upgrade if a new Agent version becomes available. Cisco NAC Web Agent users connect to the network automatically as long as the client machine complies with configured network security parameters.


Note Users without administrator privileges upgrading their Windows client machine from an earlier version of the Clean Access Agent (version 4.5.2.0 or 4.1.10.0 and earlier) to the Cisco NAC Agent must have the CCAAgentStub.exe Agent Stub installed on the client machine to facilitate upgrade. (Users with administrator privileges do not need this file.) After successful Cisco NAC Agent installation, the user is not required to have administrator privileges on the client machine, nor is the CCAAgentStub.exe Agent Stub file needed. For more information on the CCAAgentStub.exe file, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1) and Release Notes for Cisco NAC Appliance, Version 4.5(1).


This section describes the following:

Agent Distribution

Installation Page

Cisco NAC Agent XML Configuration File Settings

Cisco NAC Agent MSI Installer

Agent Distribution

The Distribution page (Figure 9-7) provides the following configuration options pertinent to the Agent.

Figure 9-7 Distribution Page

NAC Agent Temporary Role—Displays the name of the Agent temporary role (default is "Temporary"). To change the Role Name, see Edit a Role.


Note The Enable L3 support option must be checked on the CAS (under Device Management > Clean Access Servers > Manage [CAS_IP] > Network > IP) for the Agent to work in VPN tunnel mode. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.7(5) for additional information.


Windows NAC Agent Current Version—The version of the Windows Agent installation file to be downloaded by the client machine. The upgrade version reflects what the CAM has downloaded from the Updates page. See Require Agent Login for Client Machines.


Note Users without administrator privileges upgrading their Windows client machine from an earlier version of the Clean Access Agent (version 4.5.2.0 or 4.1.10.0 and earlier) to the Cisco NAC Agent must have the CCAAgentStub.exe Agent Stub installed on the client machine to facilitate upgrade. (Users with administrator privileges do not need this file.) After successful Cisco NAC Agent installation, the user is not required to have administrator privileges on the client machine, nor is the CCAAgentStub.exe Agent Stub file needed. For more information on the CCAAgentStub.exe file, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1) and Release Notes for Cisco NAC Appliance, Version 4.5(1).


Macintosh Clean Access Agent Current Version—The version for the Macintosh Clean Access Agent installation file. The upgrade version reflects what the CAM has downloaded from the Updates page. See Require Agent Login for Client Machines.

Current NAC Agent is a mandatory upgrade—Checking this option and clicking Update forces the user to accept the prompt to upgrade to the latest version of the Agent when attempting login. If left unchecked (optional upgrade), the user is prompted to upgrade to the latest Agent version but can postpone the upgrade and still log in with the existing Agent. See Disable Mandatory Agent Auto-Upgrade on the CAM.


Note New CAM/CAS installs automatically set the Current NAC Agent is a mandatory upgrade option by default under Device Management > Clean Access > Clean Access Agent > Distribution. For CAM/CAS upgrades, the current setting (enabled or disabled) will be carried over to the upgraded system.

The Current NAC Agent is a mandatory upgrade option only applies to Windows Agents for release 4.1(2) and earlier.


Do not offer current NAC Agent to users for upgrade—Checking this option and clicking Update prevents upgrade notifications (mandatory or optional) to all Agent users, even when an Agent update is available on the CAM.

Upload Agent File—Use the Browse button to manually upload the Cisco NAC Agent installation file (nacagentsetup-win.tar.gz) in this field. For details on uploading Windows and Macintosh versions of the earlier Clean Access Agent, refer to the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1) and Release Notes for Cisco NAC Appliance, Version 4.5(1).


Note The CAM does not accommodate Cisco NAC Agent installation files (nacagentsetup-win.tar.gz) and Windows Clean Access Agent Setup files (CCAAgentSetup-4.x.y.z.tar.gz) simultaneously. If you upload an older Windows Clean Access Agent Setup file, you will wipe out the existing Cisco NAC Agent installation and XML Agent configuration files, and vice-versa.



Note Starting from release 4.6(1), the CAM no longer manages Clean Access Agent Patch/Upgrade files (CCAAgentUpgrade-4.x.y.z.tar.gz). Be sure you only upload Clean Access Agent installation files (CCAAgentSetup-4.x.y.z.tar.gz or CCAAgentMacOSX-4.x.y.z-k9.tar.gz) from the Cisco Software Download Site.



Caution You must upload the Agent file as a tar.gz file (without untarring it) to the CAM. Make sure you do NOT extract the .exe file before uploading.

See also Manually Uploading the Agent to the CAM.

Version—For manual upload, keep the same version number used for the Agent when downloading.

Installation Page

You can configure the level of user interaction needed when the Agent is initially installed.


Note Once one of the persistent Agents is installed, Agent launch and uninstallation shortcuts appear on the desktop.


To configure installation options:


Step 1 Make sure use of the Agent is required as described in Require Agent Login for Client Machines.

Step 2 Go to Device Management > Clean Access > Clean Access Agent > Installation.

Figure 9-8 Agent Installation Page

Discovery Host—This field is used by the Agent to send a proprietary, encrypted, UDP-based protocol to the Clean Access Manager to discover the Clean Access Server in Layer 3 deployment. The field automatically populates with the CAM's IP address (or DNS host name). In most cases, the default IP address does not need to be changed, but in cases where the CAM's IP address is not routed through the CAS, the Discovery Host can be any IP address or host name that can be reached from client machines via the CAS. Upon initial installation or when a new Agent configuration XML file is passed to the client machine via the CAS, the Cisco NAC Agent automatically uses this value for the DiscoveryHost parameter in the Agent configuration XML file, which is required to perform successful Agent login.


Note When the Discovery Host value is changed, it is received only by the new Agents that are deployed. The existing Agents do not receive the changed IP address. You need to use the "overwrite" function in the DiscoveryHost parameter in the Agent configuration XML file, for the existing Agents to receive the changed Discovery Host value. Refer to Table 9-4 for more information.



Note The Discovery Host is set to the IP of the CAM by default because the CAM must always be on a routed interface on the trusted side of the CAS. This means any client traffic on the untrusted side must pass through a CAS in order to reach the IP of the CAM. When the client attempts to contact the Discovery Host IP, the CAS will intercept the traffic and start the login process. It is assumed that best practices are applied to protect the CAM with ACLs, and that no client traffic should ever actually arrive at the CAM. For extra security (once L3 is correctly deployed), you can change the Discovery Host to an IP other than the CAM IP on the trusted side.


Step 3 The Installation Options are enabled by default for Windows.

Step 4 Use the Agent configuration XML file upload option if you want to customize login and session behavior on Windows client machines with the Cisco NAC Agent installed:

a. Create an Agent configuration XML file entitled NACAgentCFG.xml and ensure you have saved it on a local machine. For an example XML file template and a complete list of parameters and available settings, see Cisco NAC Agent XML Configuration File Settings.

b. Click Browse and navigate to the directory on your local machine where the NACAgentCFG.xml Agent configuration file resides, highlight it in the dialog box, and click Upload.

The next time the user authenticates with Cisco NAC Appliance, or if you enforce a mandatory update for the Cisco NAC Agent, the new Agent configuration is automatically enabled on the client machine.

Step 5 When the installer is launched directly by the user on the machine, choose from the following Direct Installation Options:

User Interface:

No UI—After the user clicks Open in the File Download dialog for the Cisco NAC Agent installation file (nacagentsetup-win.tar.gz), there is no user input required. The "Preparing to Install" dialog only appears briefly and the Agent is downloaded and installed automatically.

Reduced UI—After the user clicks Open to launch (or Saves and executes) the Cisco NAC Agent installation file (nacagentsetup-win.tar.gz), the "Preparing to Install" and InstallShield Wizard "Installing Cisco NAC Agent" screens display, but user input fields (such as "Next" buttons) are disabled, and the Agent is extracted and installed automatically.

Full UI (default)—After the user clicks Open (or Saves and executes) the Cisco NAC Agent installation file (nacagentsetup-win.tar.gz), the normal installation dialogs appear. The InstallShield Wizard for the Agent displays, including the Destination Folder directory screen, and, in the case of the Clean Access Server, the user must click through the panes using the "Next," "Install," and "Finish" buttons to complete the installation.

Run Agent After Installation:

Yes (default)—The Agent Login screen pops up after the Agent is installed.

No—The Agent Login screen does not appear after the Agent is installed. The user must double-click the Agent shortcut on the desktop to start the Agent and display it on the taskbar. The Agent can be verified to be installed under Control Panel > Add/Remove Programs > Cisco NAC Agent. Once the Agent is started, the Login screen will pop up if Pop Up Login Window is enabled on the taskbar menu.

Step 6 Click Update to save settings.


Note For MSI installation instructions pertaining to the Cisco NAC Agent, see Cisco NAC Agent MSI Installer.



Cisco NAC Agent XML Configuration File Settings

This section describes how to configure and enable various Cisco NAC Agent features by specifying settings within the NACAgentCFG.xml Agent configuration file. Topics include:

Customize Cisco NAC Agent Login/Logout Dialog Behavior

Cisco NAC Agent Posture Assessment Report Display Setting

Specify the Cisco NAC Agent Log File Size

Manage the Cisco NAC Agent Discovery Host Address

Cisco NAC Agent Verifying Launch Program Executable for Trusted Digital Signature

Additional SWISS Discovery Customization

Access to Authentication VLAN Change Detection on Clients with Multiple Active NICs

Client-Side MAC Address Management

Enable or Disable Cisco NAC Agent Accessibility Interaction

Specify Cisco NAC Agent Localization Settings

In order to configure a Windows client machine to use any of these additional features for the Cisco NAC Agent, you must define the appropriate parameters in the Agent configuration XML file, ensure that you title the file NACAgentCFG.xml, and upload the file to the CAM so that the next time a client machine installs the Cisco NAC Agent (or if you mandate an update to the Cisco NAC Agent for existing users), the new settings are automatically "pushed" to the Agent installation directory on the client machine. The default install directory on Windows 7/Vista/XP is C:\Program Files\Cisco\Cisco NAC Agent\. However, you may specify a different directory.

When configuring a customized Agent configuration XML file, the administrator can choose to customize one or more (or all) settings and specify whether they should merge with or overwrite existing XML configuration settings on the client machine. In addition to providing specific values for the parameters defined below, the administrator can use the "mode" attribute in conjunction with the target XML parameter to direct the Agent to "merge" the setting with existing parameters, or simply "overwrite" existing settings.

"merge"—specifies a value for a previously undefined XML setting and is ignored if a specific XML setting already exists on the client machine. This is the default behavior for the XML configuration file download feature.

"overwrite"—the XML setting specified in the Agent configuration XML file automatically takes precedence over any existing value currently on the client machine.

For example, a <Locale mode="merge">German</Locale> entry in an Agent configuration XML file instructs the Agent not to change any previously-existing Locale setting on the client machine (merge instead of overwrite), but if no setting currently exists, then make the localization language German. If the example entry reads <Locale mode="overwrite">German</Locale>, then the new localized language setting for the Agent is German, regardless of whether or not any previous setting exists.


Note The administrator can deploy a configuration XML without certain parameters and later add them when required. The administrator can upload a new configuration XML file including the parameters. These parameters can be set with either "merge" or "overwrite" mode, as they had never been deployed previously.

If the mode is set to "merge", the parameter is added only if it does not already exist in the configuration file present on the client machine. If the administrator has allowed the end user to add a parameter to the configuration file and a value for that parameter already exists, the "merge" will not change it.

If the administrator wants to overwrite all the values regardless of the parameters added by the end user, then the "overwrite" mode can be used.


For instructions on uploading the Agent configuration file to the CAM for eventual download to Agent machines, see Installation Page. For more information on the Cisco NAC Agent and its capabilities, see Cisco NAC Agent.


Note For information on enabling similar functions on client machines where the Clean Access Agent is installed, refer to the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1) and Release Notes for Cisco NAC Appliance, Version 4.5(1).


To ensure that the Cisco NAC Agent adopts any custom settings you specify in the Agent configuration XML, construct the file as shown in the following XML file example template:

Example Agent Configuration XML File Template:

<?xml version="1.0" ?> 
<cfg>
  <VlanDetectInterval>0</VlanDetectInterval> 
  <RetryDetection>3</RetryDetection> 
  <PingArp>0</PingArp> 
  <PingMaxTimeout>1</PingMaxTimeout> 
  <DisableExit>0</DisableExit>
  <AllowCRLChecks>1</AllowCRLChecks>
  <SignatureCheck>0</SignatureCheck> 
  <RememberMe>1</RememberMe> 
  <AutoPopUp>1</AutoPopUp> 
  <PostureReportFilter>displayFailed</PostureReportFilter> 
  <BypassSummaryScreen>yes</BypassSummaryScreen> 
  <LogFileSize>5</LogFileSize> 
  <DiscoveryHost></DiscoveryHost> 
  <Locale>default</Locale> 
  <AccessibilityMode>0</AccessibilityMode> 
  <SwissTimeout>1</SwissTimeout> 
  <DisableL3SwissDelay>0</DisableL3SwissDelay>
  <ExceptionMACList></ExceptionMACList> 
  <GeneratedMAC></GeneratedMAC> 
</cfg>

Note If the configuration file contains any invalid parameter (an unknown parameter name or a value outside its valid range), that parameter is not updated on the client machines.
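As an added example (not Cisco code, and not part of this guide), the following Python script checks a NACAgentCFG.xml against the parameter names and valid ranges listed in the tables in this section, drops anything the Agent would ignore, and then applies the "merge"/"overwrite" rules described above to an existing client-side configuration. The CAM-pushed file, the existing client settings, the host name nac-discovery.example.com and the address 10.0.0.5 are all constructed for the demonstration.

```python
"""Validate a NACAgentCFG.xml and apply its merge/overwrite semantics.

Added example, not Cisco's code. Parameter names and ranges follow the
tables in this section; DiscoveryHost and the MAC parameters are checked
only syntactically. All sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def _int_range(lo, hi=None):
    """Return a checker accepting integers in [lo, hi] (hi=None: no upper bound)."""
    def check(value):
        try:
            n = int(value)
        except ValueError:
            return False
        return n >= lo and (hi is None or n <= hi)
    return check


def _mac_list(value):
    # Comma-separated MAC addresses with colons; empty means "no exceptions".
    return value == "" or all(MAC_RE.match(m) for m in value.split(","))


def _host(value):
    # IP address or FQDN; empty means "use the value the CAM pushed".
    return value == "" or re.match(r"^[A-Za-z0-9.-]+$", value) is not None


# Documented parameters and valid ranges (Tables 9-1 through 9-10).
VALIDATORS = {
    "RememberMe": _int_range(0, 1),
    "AutoPopUp": _int_range(0, 1),
    "BypassSummaryScreen": lambda v: v in ("yes", "no"),
    "DisableExit": _int_range(0, 1),
    "AllowCRLChecks": _int_range(0, 1),
    "PostureReportFilter": lambda v: v in ("displayAll", "displayFailed"),
    "LogFileSize": _int_range(0),
    "DiscoveryHost": _host,
    "SignatureCheck": _int_range(0, 1),
    "SwissTimeout": _int_range(1),
    "DisableL3SwissDelay": _int_range(0, 1),
    "RetryDetection": _int_range(0),
    "PingArp": _int_range(0, 2),
    "PingMaxTimeout": _int_range(1, 10),
    # Valid Range column: 0 (disabled) or 5-900 seconds.
    "VlanDetectInterval": lambda v: v.isdigit() and (int(v) == 0 or 5 <= int(v) <= 900),
    "ExceptionMACList": _mac_list,
    "GeneratedMAC": lambda v: v == "" or MAC_RE.match(v) is not None,
    "AccessibilityMode": _int_range(0, 1),
    "Locale": lambda v: v != "",
}


def parse_agent_cfg(xml_text):
    """Return (settings, rejected).

    settings maps parameter name -> (value, mode); rejected lists the
    (name, value) pairs the Agent would not update: unknown parameter,
    unknown mode, or value outside the documented range.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cfg":
        raise ValueError("root element must be <cfg>")
    settings, rejected = {}, []
    for el in root:
        value = (el.text or "").strip()
        mode = el.get("mode", "merge")  # "merge" is the documented default
        valid = el.tag in VALIDATORS and mode in ("merge", "overwrite") \
            and VALIDATORS[el.tag](value)
        if not valid:
            rejected.append((el.tag, value))
            continue
        settings[el.tag] = (value, mode)
    return settings, rejected


def apply_to_client(client_cfg, pushed):
    """Apply CAM-pushed settings to the client's existing config (name -> value).

    merge: only fills in parameters the client does not have yet.
    overwrite: replaces whatever value is currently on the client.
    """
    result = dict(client_cfg)
    for name, (value, mode) in pushed.items():
        if mode == "overwrite" or name not in result:
            result[name] = value
    return result


# Constructed CAM-pushed file: one bad value (PingArp=7) and one unknown tag.
CAM_PUSHED_XML = """<?xml version="1.0" ?>
<cfg>
  <Locale mode="merge">German</Locale>
  <DiscoveryHost mode="overwrite">nac-discovery.example.com</DiscoveryHost>
  <LogFileSize>10</LogFileSize>
  <PingArp>7</PingArp>
  <ExceptionMACList>AA:BB:CC:DD:EE:FF,11:22:33:44:55:66</ExceptionMACList>
  <BogusParam>1</BogusParam>
</cfg>"""

# Constructed settings already present on the client machine.
EXISTING_CLIENT_CFG = {"Locale": "default", "DiscoveryHost": "10.0.0.5", "LogFileSize": "5"}


def demo():
    """Run the validation and merge over the constructed inputs."""
    pushed, rejected = parse_agent_cfg(CAM_PUSHED_XML)
    return apply_to_client(EXISTING_CLIENT_CFG, pushed), rejected


if __name__ == "__main__":
    merged, rejected = demo()
    print("rejected:", rejected)   # PingArp=7 and BogusParam are ignored
    for name in sorted(merged):
        print(f"{name}={merged[name]}")
```

In the output, Locale and LogFileSize keep the client's existing values because they were pushed in "merge" mode, while DiscoveryHost is replaced because it was pushed with mode="overwrite".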


Table 9-1 Customize Cisco NAC Agent Login/Logout Dialog Behavior

Parameter: RememberMe
Default Value: 0
Valid Range: 0 or 1
Description/Behavior: If this setting is any value other than 0, the user only needs to enter login credentials once. The Cisco NAC Agent also remembers the user credentials after session termination/time-out.
Note When the user logs out of Windows, the saved credentials are erased. When the user moves from a connection that requires username and password to an SSO session and returns back, the credentials are removed.

Parameter: AutoPopUp
Default Value: 1
Valid Range: 0 or 1
Description/Behavior: If this setting is 1, the Cisco NAC Agent login dialog appears automatically when the user is logged out. If this setting is 0, users must manually initiate login using the Start menu option or the system tray icon on the desktop.

Parameter: BypassSummaryScreen
Default Value: yes
Valid Range: yes or no
Description/Behavior: If you are employing auto-remediation for Cisco NAC Agent requirements, this setting enables you to make the Agent session dialog more "automated" by skipping the Agent posture assessment summary screen and proceeding directly to the first auto-remediation function, thus reducing or eliminating user interaction during the Agent login and remediation session.

Parameter: DisableExit
Default Value: 0
Valid Range: 0 or 1
Description/Behavior: If this parameter is set to 1, users cannot exit the Cisco NAC Agent via the system tray icon.

Parameter: AllowCRLChecks
Default Value: 1
Valid Range: 0 or 1
Description/Behavior: Setting this parameter to 0 turns off Certificate Revocation List (CRL) checking for the Cisco NAC Agent during discovery and negotiation with the CAS.


Table 9-2 Cisco NAC Agent Posture Assessment Report Display Setting

Parameter: PostureReportFilter
Default Value: displayFailed
Valid Range: displayAll or displayFailed
Description/Behavior: This parameter controls the level/type of results that appear to the user when the client machine undergoes posture assessment. If this setting is displayAll, the client posture assessment report appears, displaying all results when the user clicks Show Details in the Cisco NAC Agent dialog. If this setting is displayFailed, the client posture assessment report only displays remediation errors when the user clicks Show Details in the Cisco NAC Agent dialog.


Table 9-3 Specify the Cisco NAC Agent Log File Size

Parameter: LogFileSize
Default Value (Decimal): 5
Valid Range: 0 and above
Description/Behavior: This setting specifies the file size (in Megabytes) for Cisco NAC Agent log files on the client machine. If this setting is 0, the Agent does not record any login or operation information for the user session on the client machine. If the administrator specifies any other integer, the Cisco NAC Agent records login and session information up to the number of MB specified (see note 1).

1 Cisco NAC Agent log files are recorded and stored in the C:\Documents and Settings\All Users\Application Data\Cisco\Cisco NAC Agent\logs directory. After the first Agent login session, two files reside in this directory: one backup file from the previous login session, and one new file containing login and operation information from the current session. If the log file for the current Cisco NAC Agent session grows beyond the specified file size, the first segment of Agent login and operation information automatically becomes the "backup" file in the directory and the Agent continues to record the latest entries in the current session file.


Table 9-4 Manage the Cisco NAC Agent Discovery Host Address

Parameter: DiscoveryHost
Valid Range: IP address or FQDN
Description/Behavior: This setting specifies the Discovery Host address the Agent uses to connect to the Cisco NAC Appliance system in a Layer 3 deployment. You can use this function to "overwrite" or "merge" the existing Discovery Host value specified on the CAM with the value currently on the client machine.
Note If you choose to "merge" this value, the client machine always assumes the Discovery Host specified on the CAM by default. If you choose to "overwrite" (change) this value on the client machine with one on the CAM, you must first change the Discovery Host value in the CAM Device Management > Clean Access > Clean Access Agent > Installation web console page and then specify the same value for this parameter.


Table 9-5 Cisco NAC Agent Verifying Launch Program Executable for Trusted Digital Signature

Parameter: SignatureCheck
Default Value (Decimal): 0
Valid Range: 0 or 1
Description/Behavior: The SignatureCheck setting looks for a digital signature that the Cisco NAC Agent uses to determine whether or not Windows can trust the executable before launching.


For more information, see Configuring a Launch Programs Requirement.

Table 9-6 Additional SWISS Discovery Customization

Parameter: SwissTimeout
Default Value (Decimal): 1
Valid Range: > 1
Description/Behavior: If this setting is 1, the Agent performs SWISS discovery as designed and no additional response packet delay timeout value is introduced. If the setting is an integer greater than 1, the Agent waits the additional number of seconds for a SWISS discovery response packet from the Clean Access Server before sending another discovery packet, to be sure network latency is not delaying the response packet en route.

Parameter: DisableL3SwissDelay
Default Value (Decimal): 0
Valid Range: 0 or 1
Description/Behavior: If this setting is 1, the Agent disables its ability to increase the transmission interval for Layer 3 discovery packets. Therefore, the Layer 3 discovery packets repeatedly go out every 5 seconds, just like Layer 2 packets. The default setting is 0 (the Layer 3 delay is enabled).
For more information, see the "Layer 3 SWISS Packet Delay to Conserve Bandwidth" section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.7(5).


Refer to the "Configuring the CAS Managed Network" chapter of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.7(5) for details.

Table 9-7 Access to Authentication VLAN Change Detection on Clients with Multiple Active NICs

Parameter: RetryDetection
Default Value (Decimal): 3
Valid Range: 0 and above
Description/Behavior: If ICMP or ARP polling fails, this setting configures the Agent to retry <x> times before refreshing the client IP address.

Parameter: PingArp
Default Value (Decimal): 0
Valid Range: 0-2
Description/Behavior: If this value is set to 0, poll using ICMP. If this value is set to 1, poll using ARP. If this value is set to 2, poll using ICMP first, then (if ICMP fails) use ARP.

Parameter: PingMaxTimeout
Default Value (Decimal): 1
Valid Range: 1-10
Description/Behavior: Poll using ICMP and if no response in <x> seconds, then declare ICMP polling failure.

Parameter: VlanDetectInterval
Default Value (Decimal): 0 (Windows, see note 1), 5 (Mac OS X, see note 2)
Valid Range: 0, 5-900 (see note 3)
Description/Behavior: If this setting is 0, the Access to Authentication VLAN change feature is disabled. If this setting is 1-5, the Agent sends ICMP/ARP queries every 5 seconds. If this setting is 6-900, the Agent sends ICMP/ARP queries every <x> seconds.

1 For Windows NAC Agent, the default value is 0. By default, the Access to Authentication VLAN change feature is disabled for Windows.

2 For Mac OS X Agent, the default value is 5. By default, the Access to Authentication VLAN change feature is enabled with "VlanDetectInterval" as 5 seconds for Mac OS X.

3 The maximum range for the Cisco NAC Agent is 900 seconds (15 minutes). The maximum range for the Cisco Clean Access Agent is 60 seconds (1 minute). For more information, refer to the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1) and Release Notes for Cisco NAC Appliance, Version 4.5(1).


Refer to Configure Access to Authentication VLAN Change Detection for additional details.

Table 9-8 Client-Side MAC Address Management

Parameter: ExceptionMACList
Valid Range: Valid MAC address
Description/Behavior: If you specify one or more MAC addresses in this setting, the Agent does not advertise those MAC addresses to the CAS during login and authentication to help prevent sending unnecessary MAC addresses over the network. The text string you specify must be a comma-separated list of MAC addresses including colons. For example:

AA:BB:CC:DD:EE:FF,11:22:33:44:55:66

Parameter: GeneratedMAC
Valid Range: Valid MAC address
Description/Behavior: This parameter supports Evolution Data Optimized (EVDO) connections on the client machine. If the client machine does not have an active NIC, the Agent creates a "dummy" MAC address for the system.


Table 9-9 Enable or Disable Cisco NAC Agent Accessibility Interaction

Parameter: AccessibilityMode
Default Value (Decimal): 0
Valid Range: 0 or 1
Description/Behavior: If this setting is 1, the Cisco NAC Agent is compatible with the JAWS screen reader. If this setting is 0, the Agent does not interact with the JAWS screen reader.
Note Users may experience a slight impact on performance when this feature is enabled. The Agent still functions normally if this feature is enabled on a client machine that does not have the JAWS screen reader installed.


Refer to Accessibility Features in Cisco NAC Agent - Keyboard Navigation for more details.

Table 9-10 Specify Cisco NAC Agent Localization Settings

Parameter: Locale
Default Value: OS setting ("default")
Valid Range: "default", or the ID, abbreviated name, or full name of a supported language (see Table 9-11)
Description/Behavior: If this setting is default, the Agent uses the Locale settings from the client operating system. If this setting is either the ID, abbreviated name, or full name of a supported language, the Agent automatically displays the appropriate localized text in Agent dialogs on the client machine.


Table 9-11 Agent Configuration XML File "Locale" Parameter Settings

Language                   ID    Abbreviated Name  Full Name
Catalan (Spain)            1027  ca                Catalan
Chinese_simplified         2052  zh_cn             Chinese (Simplified)
Chinese_traditional        1028  zh_tw             Chinese (Traditional)
Czech                      1029  cs                Czech
Danish                     1030  da                Danish
Dutch (Standard)           1043  nl                Dutch (Standard)
English US                 1033  en                English
Finnish                    1035  fi                Finnish
French                     1036  fr                French
German                     1031  de                German
Italian                    1040  it                Italian
Japanese                   1041  ja                Japanese
Korean (Extended Wansung)  1042  ko                Korean
Norwegian                  1044  no                Norwegian
Portuguese                 2070  pl                Portuguese
Russian                    1049  ru                Russian
Serbian (Cyrillic)         3098  src               SerbianCyrillic
Serbian (Latin)            2074  sr                SerbianLatin
Swedish                    1053  sv                Swedish
Turkish                    1055  tr                Turkish


Cisco NAC Agent MSI Installer

Cisco NAC Appliance provides an MSI (Microsoft Installer format) installer for the Cisco NAC Agent (called nacagentsetup-win.msi) on Windows client machines. There is also a .zip version of the same installer package that takes up less space during file transfer. You can download the MSI and/or .zip package from the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. Once you have obtained the Cisco NAC Agent MSI or .zip package, you can place the MSI installer in a directory on the client machine along with an Agent configuration XML file (NACAgentCFG.xml) containing the appropriate Discovery Host address, which tells the client machine where to look for the Cisco NAC Appliance network.


Step 1 Download the nacagentsetup-win.msi or nacagentsetup-win.zip installer file from the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml.

Step 2 Place the nacagentsetup-win.msi file in a specific directory on the client machine (for example, C:\temp\nacagentsetup-win.msi):

If you are copying the MSI installer directly over to the client, place the nacagentsetup-win.msi file into a directory on the client machine from which you plan to install the Cisco NAC Agent.

If you are using the nacagentsetup-win.zip installer, extract the contents of the .zip file into the directory on the client machine from which you plan to install the Cisco NAC Agent.

Step 3 Place an Agent configuration XML file specifying the appropriate Discovery Host address in the same directory as the Cisco NAC Agent MSI package. For information on the Agent configuration XML file and its parameters and syntax, see Cisco NAC Agent XML Configuration File Settings.

As long as the Agent configuration XML file exists in the same directory as the MSI installer package, the installation process automatically places the Agent configuration XML file in the appropriate Cisco NAC Agent application directory so the Agent can point to the correct network location when it is first launched.

Step 4 Open a Command prompt on the client machine and enter the following to execute the installation:

msiexec.exe /i NACAgentSetup-win.msi /qn /l*v c:\temp\agent-install.log

Note The /qn qualifier installs the Cisco NAC Agent completely silently. The /l*v logs the installation session in verbose mode.


The Cisco NAC Agent is installed on the client machine and automatically launches in the background using the Discovery Host supplied in the Agent configuration XML file to contact the Cisco NAC Appliance network.


Configuring Agent-Based Posture Assessment

This section describes how to configure requirements on the CAM so that the Agent can perform posture assessment and remediation on client machines.

Overview

Configuring AV/AS Definition Update Requirements

Configuring a Windows Server Update Services Requirement

Configuring a Windows Update Requirement

Configuring Custom Checks, Rules, and Requirements

Configuring a Launch Programs Requirement

Map Requirements to Rules

Apply Requirements to User Roles

Configuring Auto Remediation for Requirements

Overview

Requirements

To perform posture assessment for client machines running the Cisco NAC Agent or Cisco NAC Web Agent, you need to configure and implement requirements based on the type of client validation you want to perform for the client operating system. Requirements are used to implement business-level decisions about what users must (or must not) have running on their systems to be able to access the network. The requirement mechanism maps one or more rules that you want clients in a user role to meet to the action you want those users to take if the client fails the rules. When you create a new requirement, you choose from one of several different requirement types (e.g. AV Definition Update) to configure options, buttons, and remediation instructions the Agent dialogs present to the user when the client fails the requirement. For detailed instructions on creating the different requirement types, see:

Configuring AV/AS Definition Update Requirements

Configuring a Windows Server Update Services Requirement

Configuring a Windows Update Requirement

Configuring Custom Checks, Rules, and Requirements

Configuring a Launch Programs Requirement


Note Most requirement remediation actions (like Windows Updates and AV/AS support updates) require the user to have administrator privileges on the client machine. Therefore, Cisco recommends you ensure that users of client machines undergoing posture assessment and remediation have administrator-level privileges.


Rules

In all but one case—the Windows Server Update Service (WSUS) "Severity" option requirement type—you must map rules to requirements to ensure client machines meet security standards. A rule is the unit the Agent uses to validate client machines and assess whether or not a requirement has been met. Rules can be:

Preconfigured AV/AS rules, which you associate to AV/AS requirements. These require no additional checks to validate client machines.

Preconfigured Cisco Rules ("pr_rule") that feature one or more preset checks. For example, Windows hotfix-related "pr_" rules that only address "Critical" updates. You can map pr_rules as the validation criteria for several different requirement types. Refer to Cisco Pre-Configured Rules ("pr_") for further details on Cisco Rules.

A custom rule made up of one or more preconfigured or custom checks. A custom rule is one you create yourself by configuring a rule expression based on checks.

For details on mapping requirements to rules, see Map Requirements to Rules.

Checks

Checks are the building blocks for rules, but in most cases you will not need to configure them. A check is a single registry, file, service, or application check for a selected operating system, and is used to create a custom rule. A check can be a Cisco pre-configured check (pc_ check) or a custom check you create yourself. When you map rules to requirements, make sure the appropriate checks (pc_ checks or custom checks) are in place to accurately validate client machines.


Note Preconfigured ("pr_") rules are already associated with one or more checks that validate client machine security standards. You only need to create custom rules or checks if the preconfigured rules or checks do not meet your needs. See Configuring Custom Checks, Rules, and Requirements for more information.


Role Mapping

Once you have mapped a requirement to one or more rules, the final step is to associate the requirement to a normal login user role. Users who attempt to authenticate into the normal user role are put into the Temporary role until they pass requirements associated with the normal login role:

If they successfully meet the requirements, the users are allowed on the network in the normal login role.

If they fail to meet the requirements, users stay in the Temporary role for the session timeout until they take the steps described in the Agent dialogs and successfully meet the requirements.

For details on mapping requirements to roles, see Apply Requirements to User Roles.


Note To map a requirement to a normal login user role, the role must already be created as described in Create User Roles.


Agent Posture Assessment Process

Figure 9-9 details the Cisco NAC Appliance client posture assessment process (with or without network scanning) when a user authenticates via the Agent.

Figure 9-9 Agent Posture Assessment

The following user roles are used for Cisco NAC Appliance and must be configured with traffic policies and session timeout:

Unauthenticated Role—Default system role for unauthenticated users (Agent or web login) behind a Clean Access Server. Web login users are in the unauthenticated role while network scanning is performed.

Agent Temporary Role—Agent users are in the Temporary role while Agent requirements are checked on their systems.

Quarantine Role—Both web login and Agent users are put in the Quarantine role when network scanning determines that the client machine has vulnerabilities.

If a user meets Agent requirements and/or has no network scanning vulnerabilities, the user is allowed access to the network in the normal login user role or "restricted access" role. See Client Posture Assessment Roles for additional details.

During user login/remediation, the Agent dialogs present different buttons that users can click depending on the type of Agent installed and the requirement(s) assigned to validate the client machine. For specific information on Agent dialogs and behavior, see Chapter 10 "Cisco NAC Appliance Agents."

Configuring AV/AS Definition Update Requirements

The AV Definition Update and AS Definition Update requirement type can be used to report on and update the definition files on a client for supported antivirus or antispyware products. If the client fails to meet the AV/AS requirement, the Agent communicates directly with the installed antivirus or antispyware software on the client and automatically updates the definition files when the user clicks the Update/Remediate button on the Agent dialog.


Note The Cisco NAC Web Agent only supports Go To Link manual remediation and File Distribution functionality. Cisco NAC Web Agent does not support Update or Launch remediation actions, nor does it perform Auto Remediation.


AV Rules incorporate extensive logic for antivirus vendors and are associated with AV Definition Update requirements. AS Rules incorporate logic for most antispyware vendors and are associated with AS Definition Update requirements. For AV or AS Definition Update requirements, there is no need to configure checks. You associate:

AV Definition Update requirement with AV Rule(s) and user roles and operating systems

AS Definition Update requirement with AS Rule(s) and user roles and operating systems

and configure the Agent dialog instructions you want the user to see if the AV or AS requirement fails.


Note Where possible, Cisco recommends using AV Rules mapped to AV Definition Update Requirements to check antivirus software on clients. In the case of a non-supported AV product, or if an AV product/version is not available through AV Rules, administrators always have the option of using Cisco provided pc_ checks and pr_rules for the AntiVirus vendor or of creating their own custom checks, rules, and requirements through Device Management > Clean Access > Clean Access Agent (use New Check, New Rule, and New File/Link/Local Check Requirement), as described in Configuring Custom Checks, Rules, and Requirements.

Cisco NAC Appliance works in tandem with the installation schemes and mechanisms provided by supported antivirus vendors. If an AV vendor makes unforeseen changes to the underlying mechanisms of an AV product, the Clean Access team updates the Supported AV/AS Product List and/or the Agent as quickly as possible to support the changed product. In the meantime, administrators can always use the "custom" rule workaround for the AV product (such as pc_ checks and pr_ rules) and configure the requirement for "Any selected rule succeeds."


Figure 9-10 and Figure 9-11 show Agent dialogs that appear when a client fails to meet an AV Definition Update requirement.

Figure 9-10 Required AV Definition Update (Cisco NAC Agent)

Figure 9-11 Required AV Definition Update (Mac OS X Agent)

AV Rules and AS Rules

Antivirus rules (AV Rule) and anti-spyware rules (AS Rule) are preconfigured rule types that are mapped to the matrix of vendors and products sourced in the Supported AV/AS Product List. There is no need to configure checks with this type of rule.

There are two basic types of AV Rules:

Installation AV Rules check whether the selected antivirus software is installed for the client operating systems.

Virus Definition AV Rules check whether the virus definition files are up-to-date on the client. Virus Definition AV Rules can be mapped into AV Definition Update requirements so that a user that fails the requirement can automatically execute the update by clicking the Update button in the Agent and the system reporting function can alert Cisco NAC Web Agent users of the requirement.

There are two basic types of AS Rules:

Installation AS Rules check whether the selected anti-spyware software is installed for the client OS.

Spyware Definition AS Rules check whether the spyware definition files are up-to-date on the client. Spyware Definition AS Rules can be mapped into AS Definition Update requirements so that a user that fails the requirement can automatically execute the update by clicking the Update button in the Agent and the system reporting function can alert Cisco NAC Web Agent users of the requirement.


Note In some cases, the specific AV/AS vendor software requires the user to have administrator privileges on the client machine to enable updates.


AV Rules are typically associated with AV Definition Update requirements, and AS Rules are typically associated with AS Definition Update requirements.

The steps to create AV Definition Update Requirements are as follows:


Step 1 Verify AV/AS Support Info

Step 2 Create an AV Rule

Step 3 Create an AV Definition Update Requirement

Step 4 Map Requirements to Rules

Step 5 Apply Requirements to User Roles

Step 6 Validate Requirements


The steps to create AS Definition Update Requirements are as follows:


Step 1 Verify AV/AS Support Info

Step 2 Create an AS Rule

Step 3 Create an AS Definition Update Requirement

Step 4 Map Requirements to Rules

Step 5 Apply Requirements to User Roles

Step 6 Validate Requirements



Note In some cases it may be advantageous to configure AV or AS rules/requirements in different ways. For example:

Not all product versions of a particular vendor may support the Agent launching the automatic update of the product. In this case, you can provide instructions (via the Description field of the AV or AS Definition Update requirement) to have users update their AV or AS definition files from the interface of their installed AV or AS product.

You can associate the AV or AS rules with a different requirement type, such as Link Distribution or Local Check, to change the Agent buttons and user action required from "Update" to "Go to Link", or to disable the action button and provide instructions only. This allows you flexibility in configuring the actions you want your users to take.

You can also configure different Enforce Types. You can generate reports for clients and optionally provide users extra time to meet a requirement without blocking them from the network. See Configuring an Optional/Audit Requirement for details.


Verify AV/AS Support Info

Cisco NAC Appliance allows multiple versions of the Agent to be used on the network. New updates to the Agent will add support for the latest antivirus or antispyware products as they are released. The system picks the best method (either Def Date or Def Version) to execute AV/AS definition checks based on the AV/AS products available and the version of the Agent. The AV/AS Support Info page provides details on Agent compatibility with the latest Supported AV/AS Product List downloaded to the CAM. This page lists the latest version and date of definition files for each AV and AS product as well the baseline version of the Agent needed for product support. You can compare the client's AV or AS information against the AV/AS Support Info page to verify if a client's definition file is the latest. If running multiple versions of the Agent on your network, this page can help troubleshoot which version must be run to support a particular product.

Use the following steps to view Agent support details.


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info.

Step 2 Choose either Antivirus (Figure 9-12 and Figure 9-13) or Anti-Spyware (Figure 9-14 and Figure 9-15) from the Category dropdown.

Figure 9-12 AV/AS Support Info — Windows AV Vendor Example

Figure 9-13 AV/AS Support Info — Mac OS X AV Vendor Example

Figure 9-14 AV/AS Support Info — Windows AS Vendor Example

Figure 9-15 AV/AS Support Info — Mac OS X AS Vendor Example

Step 3 Choose a corresponding vendor (Antivirus Vendor or Anti-Spyware Vendor) from the dropdown menu.


Note Regular updates for Anti-Spyware definition date/version will be made available via Cisco Updates. Until the update service is available, the system enforces a maximum definition-file age of x days, measured against the current system date, for AS Spyware Definition rules (under Device Management > Clean Access > Clean Access Agent > Requirements > Requirement-Rules).


Step 4 Choose one of the following operating systems from the Operating System dropdown menu to view the support information for those client systems:

Windows 7/Vista/XP/2K

Mac OSX

Check the Minimum Agent Version Required to Support AV/AS Products table for product details.

Your selection populates the following tables:

Minimum Agent Version Required to Support AV/AS Products: shows the minimum Agent version required to support each AV/AS product. For example:

A 4.1.3.0 or later Windows Agent can log into a role that requires Aluria Security Center AntiVirus 1.x, but for any earlier Agent version, this check will fail.

A 4.6.0.3 Mac OS X Agent can log into a role that requires clamXav 0.x or ClamXav 1.x.

Note that if a version of the Agent supports both Def Date and Def Version checks, the Def Version check will be used.

Latest Virus/Spyware Definition Version/Date for Selected Vendor: displays the latest version and date information for the AV/AS product. The AV software for an up-to-date client should display the same values.


Note The Agent sends its version information to the CAM, and the CAM always attempts to first use the virus definition version for AV checks. If the version is not available, the CAM uses the virus definition date instead.



Tip You can also view the latest def file version when selecting an AV vendor from the New AV Rule form.



Create an AV Rule


Note Your CAM/CAS must be running Cisco NAC Appliance release 4.5 or later and have the latest Cisco AV/AS support updates in order to perform client remediation using version 4.5.0.0+ of the Mac OS X Agent.


Use the following steps to configure an AV rule.


Step 1 Make sure you have the latest version of the Supported AV/AS Product List, as described in Retrieving Cisco NAC Appliance Updates.

Step 2 Go to Device Management > Clean Access > Clean Access Agent > Rules > New AV Rule.

Figure 9-16 New AV Rule—Windows

Figure 9-17 New AV Rule—Mac OS X

Step 3 Type a Rule Name. You can use digits and underscores, but no spaces in the name.

Step 4 Choose a specific Antivirus Vendor, or choose ANY vendor, from the dropdown menu. Together with the Operating System you choose, this populates the Checks for Selected Operating Systems table at the bottom of the page: with the ANY entry for the ANY vendor option, or with the supported products and product versions for the specified vendor.


Note Cisco recommends specifying vendor names when appropriate because choosing the ANY option can affect the Agent's performance (the process takes longer) on the client machine.


Step 5 From the Type dropdown menu, choose either Installation or Virus Definition. This enables the checkboxes for the corresponding Installation or Virus Definition column in the table below.

Step 6 Choose an Operating System from the dropdown menu. This populates the product versions supported for this client OS in the table below:

Windows 7/Vista/XP/2K

Mac OS X

Step 7 Type an optional Rule Description.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 8 In the Checks for Selected Operating Systems table, choose the product versions you want to check for on the client by clicking the checkbox(es) in the corresponding Installation or Virus Definition column:

ANY means you want to check for any product and any version from this AV vendor.

Installation checks whether the product is installed.

Virus Definition checks whether the virus definition files are up to date on the client for the specified product.


Note In a definition rule, the Agent first confirms whether or not the product is installed, then checks whether or not the definition file is up-to-date.


Step 9 Click Add Rule. The new AV rule will be added at the bottom of the Rule List with the name you provided.

Figure 9-18 New AV Rules Appear at the Bottom of the Rule List—Mac OS X Example


Note When configuring AV Rules, the "ANY" Antivirus vendor option and the vendor-specific "ANY Product/ANY Version" option work differently:

For ANY vendor, the Agent needs to query the server to verify whether the installed products are from a supported vendor. Because the Agent only queries once at the beginning of each login session, the user must click Cancel or restart the Agent to repeat the login process in order to refresh the server's response.

For "ANY Product/ANY Version" for a specific vendor, the Agent only needs to match the required vendor against what is installed on the client machine. No query is needed.
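The evaluation order the guide describes for a definition rule (product installed first, then the definition file, with Def Version preferred over Def Date, and a maximum age where no update data exists) can be modelled as follows. This is an added example, not Cisco code; the vendor, product, version and date values are constructed.

```python
"""Model of AV/AS definition-rule evaluation (added example, not Cisco code).

The Agent first confirms the product is installed, then checks the definition
file. The CAM prefers a definition *version* comparison when the Supported
AV/AS Product List carries one and falls back to the definition *date*; where
the list carries no update data (the AS case), the definition may be at most
N days older than the current date. All sample values are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SupportEntry:
    """One row of the AV/AS Support Info page for a product (constructed)."""
    vendor: str
    product: str
    min_agent_version: str              # baseline Agent version for this product
    latest_def_version: Optional[str]   # None when the list publishes no version
    latest_def_date: Optional[date]     # None when the list publishes no date


@dataclass(frozen=True)
class ClientProduct:
    """What the Agent reports as installed on the client."""
    vendor: str
    product: str
    def_version: Optional[str]
    def_date: Optional[date]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '4.1.3.0' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def agent_supports(agent_version: str, entry: SupportEntry) -> bool:
    """An Agent older than the table's baseline fails the check outright."""
    return parse_version(agent_version) >= parse_version(entry.min_agent_version)


def check_definition(agent_version: str, client: Optional[ClientProduct],
                     entry: SupportEntry, today: date,
                     max_age_days: Optional[int] = None) -> Tuple[bool, str]:
    """Evaluate a Virus/Spyware Definition rule for one product.

    Returns (passed, method); method names the comparison that decided the
    result so an administrator can see which path the CAM would take.
    """
    if not agent_supports(agent_version, entry):
        return False, "agent_too_old"
    # Step one of a definition rule: the product must be installed at all.
    if client is None or (client.vendor, client.product) != (entry.vendor, entry.product):
        return False, "not_installed"
    # Preferred path: compare definition versions when both sides have one.
    if entry.latest_def_version and client.def_version:
        ok = parse_version(client.def_version) >= parse_version(entry.latest_def_version)
        return ok, "def_version"
    # Fallback path: compare definition dates.
    if entry.latest_def_date and client.def_date:
        return client.def_date >= entry.latest_def_date, "def_date"
    # No published update data: enforce a maximum definition age (AS case).
    if max_age_days is not None and client.def_date:
        return today - client.def_date <= timedelta(days=max_age_days), "max_age"
    return False, "undecidable"


# Constructed sample data: a hypothetical AV product with published version and
# date, and a hypothetical AS product for which no update data is published.
SAMPLE_TODAY = date(2010, 5, 14)
AV_ENTRY = SupportEntry("ExampleAV", "ExampleAV Pro 9.x", "4.1.3.0",
                        "2010.5.12.3", date(2010, 5, 12))
AS_ENTRY = SupportEntry("ExampleAS", "ExampleAS 2.x", "4.1.3.0", None, None)


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the rule against several constructed clients and collect the results."""
    current = ClientProduct("ExampleAV", "ExampleAV Pro 9.x", "2010.5.12.3", date(2010, 5, 12))
    stale = ClientProduct("ExampleAV", "ExampleAV Pro 9.x", "2010.5.11.1", date(2010, 5, 11))
    date_only = ClientProduct("ExampleAV", "ExampleAV Pro 9.x", None, date(2010, 5, 12))
    as_fresh = ClientProduct("ExampleAS", "ExampleAS 2.x", None, SAMPLE_TODAY - timedelta(days=3))
    as_old = ClientProduct("ExampleAS", "ExampleAS 2.x", None, SAMPLE_TODAY - timedelta(days=10))
    return {
        "current_by_version": check_definition("4.1.3.0", current, AV_ENTRY, SAMPLE_TODAY),
        "stale_by_version": check_definition("4.1.3.0", stale, AV_ENTRY, SAMPLE_TODAY),
        "current_by_date": check_definition("4.1.3.0", date_only, AV_ENTRY, SAMPLE_TODAY),
        "agent_too_old": check_definition("4.1.2.9", current, AV_ENTRY, SAMPLE_TODAY),
        "not_installed": check_definition("4.1.3.0", None, AV_ENTRY, SAMPLE_TODAY),
        "as_within_age": check_definition("4.1.3.0", as_fresh, AS_ENTRY, SAMPLE_TODAY, 7),
        "as_too_old": check_definition("4.1.3.0", as_old, AS_ENTRY, SAMPLE_TODAY, 7),
        "as_no_policy": check_definition("4.1.3.0", as_fresh, AS_ENTRY, SAMPLE_TODAY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```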



Create an AV Definition Update Requirement

The following steps show how to create a new AV Definition Update requirement that checks the client system for the specified AV product(s) and version(s) using an associated AV Rule. If the client's AV definition files are not up-to-date, the user can simply click the Update/Remediate button on the Agent, and the Agent causes the resident AV software to launch its own update mechanism. Note that the actual mechanism differs between AV products (e.g. live update vs. command line parameter).


Note The Cisco NAC Web Agent only supports Go To Link manual remediation and File Distribution functionality. Cisco NAC Web Agent does not support Update or Launch remediation actions, nor does it perform Auto Remediation.



Note Mac OS X users can only resolve ClamWin AV Definition Update requirements by navigating to the ClamXAV download site at http://www.clamav.net. Cisco recommends using the pre-defined host policy list for the Unauthenticated Role on the CAM (User Management > User Roles > Traffic Control > Host).


Use the following steps to create an AV Definition Update requirement.


Step 1 In the Clean Access Agent tab, click the Requirements submenu link and then New Requirement.

Figure 9-19 New Requirement

Step 2 For Requirement Type choose AV Definition Update.

Step 3 Choose an Enforce Type from the dropdown menu:

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking Next/Skip in the Agent dialog). The client system does not have to meet the requirement for the user to proceed or have network access.

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is automatically generated and sent back to the CAS. (Audit requirements do not appear in the user's Mac OS X Assessment Report window.) The report results (pass or fail) do not affect user network access.

Refer to Configuring an Optional/Audit Requirement for details.

Step 4 Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Agent dialogs in that order). Note that if a Mandatory requirement fails, the Agent does not continue past that point until that requirement succeeds.


Note The Mac OS X Agent does not support automatic remediation. Therefore, the Remediation functions that appear on the New Requirement configuration page (Remediation Type, Interval, and Retry Count) do not serve any purpose when creating requirement types for Macintosh client remediation.


Step 5 If you want to enable and configure Auto Remediation for the Agent:

a. Choose the Remediation Type [Manual | Automatic] from the dropdown menu. Choosing Manual preserves previous Agent behavior. The user has to click through each of the requirements using the Next/Skip button in the Agent. Choosing Automatic sets the Agent to perform Auto Remediation, where the Agent automatically performs updates or launches required programs on the client after the user logs in.

b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the default interval is 0). Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.

c. Enter the Retry Count. Specifying a retry count sets a limit on the number of times the Agent automatically retries the requirement if it initially fails. (The default retry count setting is 0.)

For details on configuring Auto Remediation, see Configuring Auto Remediation for Requirements.


Note The Cisco NAC Web Agent does not support Auto Remediation.


Step 6 Choose an Antivirus Product Name from the dropdown menu or choose ANY. The Products table lists all the virus definition product versions supported per client OS.


Note Cisco recommends specifying vendor names when appropriate because choosing the ANY option can affect the Agent's performance (the process takes longer) on the client machine.


Step 7 For the Requirement Name, type a unique name to identify this AV virus definition file requirement in the Agent. The name will be visible to users on the Agent dialogs.

Step 8 In the Description field, type a description of the requirement and instructions to guide users who fail to meet the requirement. For an AV Definition Update requirement, you should include instructions to alert Cisco NAC Web Agent users of the requirement and for Cisco NAC Agent users to click the Update/Remediate button to update their systems.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 9 Click the checkbox for each client Operating System to which the requirement applies (at least one must be chosen).

Step 10 Click Add Requirement to add the requirement to the Requirement List.

Figure 9-20 Mac OS X Agent Assessment Report AV Definition Update Requirement Display
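The Enforce Type, Priority and Auto Remediation settings from Steps 3 to 5 above determine how the Agent works through a role's requirement list: priority order, stop on a failed Mandatory requirement, skip on a failed Optional one, silent reporting for Audit, and up to Retry Count automatic retries. The following model of that behaviour is an added example, not Cisco code; the requirement names and client state are constructed.

```python
"""Model of how the Agent processes a requirement list (added example, not
Cisco code). Rules taken from the guide: requirements run in Priority order;
a failed Mandatory requirement stops processing, so the user stays in the
Temporary role; a failed Optional requirement is shown but can be skipped
with Next/Skip; an Audit requirement is checked silently and only reported;
with Automatic remediation the Agent re-attempts up to Retry Count times.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Enforce(Enum):
    MANDATORY = "Mandatory"
    OPTIONAL = "Optional"
    AUDIT = "Audit"


class Remediation(Enum):
    MANUAL = "Manual"
    AUTOMATIC = "Automatic"


@dataclass
class Requirement:
    name: str
    priority: int                                   # 1 = checked first
    enforce: Enforce
    check: Callable[[], bool]                       # posture check on the client
    remediate: Callable[[], None] = lambda: None    # e.g. launch the AV updater
    remediation: Remediation = Remediation.MANUAL
    retry_count: int = 0                            # used with Automatic only


@dataclass
class Outcome:
    name: str
    passed: bool
    attempts: int          # checks performed, including the first one
    shown_to_user: bool    # Audit requirements never appear in the dialog


def run_posture(requirements: List[Requirement],
                user_clicks_update: bool = True
                ) -> Tuple[bool, List[Outcome], Dict[str, str]]:
    """Return (allowed into the normal role, per-requirement outcomes, audit report)."""
    outcomes: List[Outcome] = []
    audit_report: Dict[str, str] = {}
    for req in sorted(requirements, key=lambda r: r.priority):
        attempts = 1
        passed = req.check()
        if not passed and req.enforce is not Enforce.AUDIT:
            if req.remediation is Remediation.AUTOMATIC:
                # Auto Remediation: remediate and re-check, at most Retry Count times.
                while not passed and attempts <= req.retry_count:
                    req.remediate()
                    attempts += 1
                    passed = req.check()
            elif user_clicks_update:
                # Manual: the user clicks Update/Remediate once; the Agent re-checks.
                req.remediate()
                attempts += 1
                passed = req.check()
        outcomes.append(Outcome(req.name, passed, attempts,
                                req.enforce is not Enforce.AUDIT))
        if req.enforce is Enforce.AUDIT:
            audit_report[req.name] = "pass" if passed else "fail"
            continue
        if not passed and req.enforce is Enforce.MANDATORY:
            # The Agent does not continue past a failed Mandatory requirement.
            return False, outcomes, audit_report
        # A failed Optional requirement is skipped; processing continues.
    return True, outcomes, audit_report


def demo() -> Tuple[bool, List[Outcome], Dict[str, str]]:
    """Constructed client: stale but updatable AV definitions, WSUS not run, no CSA."""
    client = {"av_defs_current": False, "wsus_done": False, "csa_installed": False}
    reqs = [
        Requirement("Windows_Updates_WSUS", 3, Enforce.OPTIONAL,
                    check=lambda: client["wsus_done"]),
        Requirement("AV_Definition_Update", 1, Enforce.MANDATORY,
                    check=lambda: client["av_defs_current"],
                    remediate=lambda: client.__setitem__("av_defs_current", True),
                    remediation=Remediation.AUTOMATIC, retry_count=2),
        Requirement("CSA_Installed_Audit", 2, Enforce.AUDIT,
                    check=lambda: client["csa_installed"]),
    ]
    # The user does not click Update on the Optional WSUS requirement.
    return run_posture(reqs, user_clicks_update=False)


if __name__ == "__main__":
    allowed, outcomes, report = demo()
    print("normal role granted:", allowed)
    for o in outcomes:
        print(o)
    print("audit report:", report)
```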


Create an AS Rule


Note Your CAM/CAS must be running Cisco NAC Appliance release 4.5 or later and have the latest Cisco AV/AS support updates in order to perform client remediation using version 4.5.0.0+ of the Mac OS X Agent.


Use the following steps to configure an AS rule.


Step 1 Make sure you have the latest version of the Supported AV/AS Product List, as described in Retrieving Cisco NAC Appliance Updates.

Step 2 Go to Device Management > Clean Access > Clean Access Agent > Rules > New AS Rule.

Figure 9-21 New AS Rule—Windows

Figure 9-22 New AS Rule—Mac OS X

Step 3 Type a Rule Name. You can use digits and underscores, but no spaces in the name.

Step 4 Choose an Anti Spyware Vendor from the dropdown menu, or choose ANY to select any supported AS vendor or product. This correspondingly populates the Checks for Selected Operating Systems table at the bottom of the page with the supported products and product versions from this vendor (for the Operating System chosen).


Note Cisco recommends specifying vendor names when appropriate because choosing the ANY option can affect the Agent's performance (the process takes longer) on the client machine.


Step 5 From the Type dropdown menu, choose either Installation or Spyware Definition. This enables the checkboxes for the corresponding Installation or Spyware Definition column in the table below.

Step 6 Choose an Operating System from the dropdown menu:

Windows 7/Vista/XP/2K

Mac OS X

Step 7 Type an optional Rule Description.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 8 In the Checks for Selected Operating Systems table, choose the product versions you want to check for on the client by clicking the checkbox(es) in the corresponding Installation or Spyware Definition column:

ANY means you want to check for any product and any version from this AS vendor.

Installation checks whether the product is installed.

Spyware Definition checks whether the spyware definition files are up to date on the client for the specified product.


Note In a definition rule, the Agent first confirms whether or not the product is installed, then checks whether or not the definition file is up-to-date.


Step 9 Click Add Rule. The new AS rule will be added at the bottom of the Rule List with the name you provided (see Figure 9-23).

Figure 9-23 New AS Rules Appear at the Bottom of the Rule List—Mac OS X Example


Create an AS Definition Update Requirement


Note Although the Mac OS X Agent supports both AV and AS definition updates, the Compliance Module library currently associated with Cisco NAC Appliance Release 4.7 does not contain an AS definition update. Therefore, no AS definition update is currently available on the CAM AS Definition Update requirement configuration page.

For a list of supported AV/AS applications, see the "Clean Access Supported AV/AS Product List" section of the Release Notes for Cisco NAC Appliance.


Use the following steps to configure an AS Definition Update requirement.


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement.

Figure 9-24 New AS Definition Update Requirement

Step 2 For Requirement Type choose AS Definition Update.

Step 3 Choose an Enforce Type from the dropdown menu:

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking Next/Skip in the Agent dialog). The client system does not have to meet the requirement for the user to proceed or have network access.

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is automatically generated and sent back to the CAS. (Audit requirements do not appear in the Mac OS X user's Assessment Report window.) The report results (pass or fail) do not affect user network access.

Refer to Configuring an Optional/Audit Requirement for details.

Step 4 Choose the Priority of execution for this requirement on the client.


Note The Mac OS X Agent does not support automatic remediation. Therefore, the Remediation functions that appear on the New Requirement configuration page (Remediation Type, Interval, and Retry Count) do not serve any purpose when creating requirement types for Macintosh client remediation.


Step 5 If you want to enable and configure Auto Remediation for the Agent:

a. Choose the Remediation Type [Manual | Automatic] from the dropdown menu. Choosing Manual preserves previous Agent behavior. The user has to click through each of the requirements using the Next/Skip button in the Agent. Choosing Automatic sets the Agent to perform Auto Remediation, where the Agent automatically performs updates or launches required programs on the client after the user logs in.

b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the default interval is 0). Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.

c. Enter the Retry Count. Specifying a retry count sets a limit on the number of times the Agent automatically retries the requirement if it initially fails. (The default retry count setting is 0.)

For details on configuring Auto Remediation, see Configuring Auto Remediation for Requirements.


Note The Cisco NAC Web Agent does not support Auto Remediation.


Step 6 Choose an Anti-Spyware Vendor Name from the dropdown menu or choose ANY. The Products table lists all the spyware definition product versions currently supported per client OS.


Note Cisco recommends specifying vendor names when appropriate because choosing the ANY option can affect the Agent's performance (the process takes longer) on the client machine.


Step 7 For the Requirement Name, type a unique name to identify this AS definition file requirement in the Agent. The name will be visible to users on the Agent dialogs.

Step 8 In the Description field, type a description of the requirement and instructions to guide users who fail to meet the requirement. For an AS Definition Update requirement, you should include an instruction alerting Cisco NAC Web Agent users of the requirement and for Cisco NAC Agent users to click the Update/Remediate button to update their systems.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 9 Click the checkbox for each client Operating System to which the requirement applies (at least one must be chosen).

Step 10 Click Add Requirement to add the requirement to the Requirement List.


Configuring a Windows Server Update Services Requirement

The Agent "Windows Server Update Services" requirement type allows administrators to launch Windows Server Update Services (WSUS) on Agent user machines based on the following:

Cisco Rules (e.g. pr_<Windows operating system>_hotfixes) and/or administrator-configured custom rules for a specific Windows operating system

Windows Update severity checks

If you choose to validate Windows client machines using "Cisco Rules," you must also map the WSUS requirement to one or more rules in the CAM. You can choose to map the requirement to existing Cisco (pr_hotfix) rules or to custom rules you create to ensure client machines meet specific criteria before granting access to the Cisco NAC Appliance network. Because external server access is not required, using Cisco Rules can provide for quicker client validation and user login. However, client machines are only checked against "Critical" hotfixes encompassed by the Cisco Rules. For details on pr_rules, see Configuring Custom Checks, Rules, and Requirements.

If you choose to validate client machines using Windows Update "Severity" options, you do not have to configure requirement-rule mapping and you can choose the level of hotfix to check against. The "Severity" posture assessment settings require access to external WSUS update servers to both verify client machine security compliance and install Windows updates, which can take a significantly longer period of time to complete.

The "Windows Server Update Services" requirement provides an Update button on the Agent for remediation. When the end user clicks the Update button, the Agent launches the Automatic Updates Agent and forces it to get the update software from a Microsoft-managed or local/third-party-managed WSUS server. You can make the WSUS requirement Mandatory; however, the software download from WSUS servers can take some time (particularly if you are using "Severity" settings to validate client machines). Therefore, Cisco recommends making the WSUS requirement "Optional" so that WSUS remediation takes place as a background process on the client machine.


Note The Cisco NAC Web Agent only supports Go To Link manual remediation and File Distribution functionality. Cisco NAC Web Agent does not support Update or Launch remediation actions, nor does it perform Auto Remediation.


If you only need to enable or disable Windows Updates (that is, if you do not require specific updates based on the Microsoft severity level), you can configure a standard Windows Update requirement instead of a WSUS requirement. For more information, see Configuring a Windows Update Requirement.

Prerequisites

The network administrator must ensure the Automatic Updates Agent is updated to work with a local WSUS server in order to support auto-launch capabilities. For details, refer to:

http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx

The "Windows Server Update Services" requirement type is only for Windows 2000, Windows XP, Windows Vista, and Windows 7.

In order to support Windows Server Update Services operations, client machines must have version 5.4.3790.1000 (or a more recent version) of the WUAUENG.dll file installed.

If users without Administrator privileges are using WSUS to update Windows, you must choose the No UI option for the Installation Wizard Interface Setting when configuring a WSUS requirement.

Some Microsoft Windows components (for example, Internet Explorer 7) require admin privileges in order to successfully update. If the user does not have admin privileges on the client machine, the Windows update process returns a "WU_E_NO_INTERACTIVE_USER" error. Therefore, Cisco recommends making any Windows updates requiring admin privileges "Optional" to minimize update failures. For details, refer to http://msdn2.microsoft.com/en-us/library/aa387289.aspx.

WSUS forced updates can take a while. They are launched and run in the background.

If there are update errors, refer to C:\Windows\Windows Update.log or C:\Windows\WindowsUpdate.log on the client machine.

The steps to create a Windows Server Update Service requirement are:


Step 1 Create Windows Server Update Service Requirement

Step 2 Map Windows Server Update Service Requirement to Windows Rules

Step 3 Apply Requirements to User Roles

Step 4 Validate Requirements


Create Windows Server Update Service Requirement

Use the following steps to configure a Windows Server Update Service (WSUS) requirement.


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement.

Figure 9-25 New Windows Server Update Service Requirement

Step 2 From the Requirement Type dropdown menu, choose Windows Server Update Services.

Step 3 Choose an Enforce Type from the dropdown menu:

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking Next/Skip in the Agent dialog). The client system does not have to meet the requirement for the user to proceed or have network access.

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is generated. The report results (pass or fail) do not affect user network access.

Refer to Configuring an Optional/Audit Requirement for details.

Step 4 Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Agent dialogs in that order). Note that if this is a Mandatory requirement and it fails, the Agent does not continue past that point until that requirement succeeds.

Step 5 If you want to enable and configure Auto Remediation for the Agent:

a. Choose the Remediation Type [Manual | Automatic] from the dropdown menu. Choosing Manual preserves previous Agent behavior. The user has to click through each of the requirements using the Next/Skip button in the Agent. Choosing Automatic sets the Agent to perform Auto Remediation, where the Agent automatically performs updates or launches required programs on the client after the user logs in.

b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the default interval is 0). Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.

c. Enter the Retry Count []. Specifying a retry count sets a limit on the number of times the Agent automatically retries the requirement if it initially fails. (The default retry count setting is 0.)

For details on configuring Auto Remediation, see Configuring Auto Remediation for Requirements.


Note The Cisco NAC Web Agent does not support Auto Remediation.


Step 6 Under Windows Updates Validation by, specify the validation method to use when checking the Windows operating system installed on the client machine:

Cisco Rules—Use Cisco Rules (e.g. pr_<Windows operating system>_Hotfixes) or similar administrator-configured custom rules on the CAM to verify whether the client Windows operating system meets minimum security standards. This is the faster method to assess the client machine's security posture, as it relies on criteria available in the CAM's local database. For fastest execution, Cisco recommends using Cisco Rules as the validation method with Express installation (which installs "Critical and Important" Windows updates) and Windows Servers as the installation source.


Note If you choose this option, you also need to configure requirement-rule mapping, as described in Map Windows Server Update Service Requirement to Windows Rules.

If you wish to validate against your own custom rules, Cisco recommends that you configure them similarly to an existing Cisco Rule (e.g. pr_<Windows operating system>_Hotfixes). You should know the level of severity of the hotfix to check for (e.g. "Important" vs. "Low"). Refer to Copying Checks and Rules for details.


Severity—Verify whether or not the Windows operating system on the client meets minimum security standards using a Microsoft-managed or local Windows Update server. With this validation method, you do not need to map the WSUS requirement to any rules. However, the Severity setting requires the CAM to use an external WSUS server to verify updates currently installed on the client machine and then install the Windows updates necessary to meet the requirement.

When you use locally-managed or hosted Windows (WSUS) servers to perform the Windows updates to satisfy a WSUS requirement, the Agent calls on WSUS to install the updates. Note that the WSUS Agent automatically installs all of the updates available for the specified severity level. (That is, if there are 5 "Important" updates and 3 "Critical" updates and the client machine already features some of the updates, the WSUS installer still automatically installs all of the updates specified by the requirement type.) As a result, validating client matches based on severity can take a longer period of time to assess and remediate.


Note You set the validation method to coincide with the Severity option using the Windows Updates Installation Sources setting in step 9.


Step 7 Under Windows Updates to be Installed, specify the level of updates to install. The validation method essentially checks what's missing on the machine to trigger an update. The actual update will originate from Microsoft or WSUS servers. The number of updates installed depends on the level of updates you choose here. For example, if you choose validation by Cisco Rules, which only checks for Critical hotfixes, but choose Custom Windows Updates to be Installed, with a level of Medium, all "Critical, Important, and Moderate" hotfixes will be installed on the client, but only if the client is missing Critical hotfixes to begin with.

Express—This option installs the same Windows updates as would be available from the Windows Update application "Express" option. Typically, the "Express" option includes only the "Important and Critical" Windows updates. However, if the Microsoft version of the Express update includes other installations (like a Service Pack update, for example), then all of the updates are automatically installed on the client machine.

Custom—Use this setting and the associated dropdown menu to install updates based on their severity by choosing Critical, Medium, or All from the associated dropdown menu.

Critical—Installs only "Critical" Microsoft Windows updates.

Medium—Installs all "Critical, Important, and Moderate" Windows updates.

All—Installs all "Critical, Important, Moderate, and Low" Windows updates.

In all cases, the WSUS server automatically downloads all of the updates to install on the client. Therefore, even if the client machine already features 3 of 5 updates of a given severity, the WSUS server still downloads and installs all updates.

Step 8 Click Upgrade to Latest OS Service Pack to automatically install the latest service pack available for the user's operating system.


Note This option is automatically included in the install process when you specify either Medium or All Custom updates, above, and cannot be "left out." If you specified Critical Custom updates, you can choose to enable or disable this option.

Cisco Rules validate all "Critical" Windows updates and verify whether or not minimum Windows 2000 Service Pack and Windows XP Service Pack updates are installed on the client machine. If you choose to require only "Critical" Windows Updates to be Installed, Windows 2000 Service Pack 4 and Windows XP Service Pack 2 may not be present on the client machine, so the client machine will not pass posture assessment via "Cisco Rules." To address this potential problem, Cisco recommends that if you validate client machines using "Cisco Rules" and require only "Critical" updates, you also require Service Pack updates to ensure that any clients validated using "Cisco Rules" pass posture assessment. (If you validate client machines according to "Severity" rather than "Cisco Rules," this is not an issue.)



Note Windows Service Pack updates traditionally take a long time to download and install. Before you require users to update their Windows operating system with a full service pack installation, be sure you extend the session timeout period for Temporary Role users to accommodate the long install and update process. (See Configure Session Timeout for the Temporary Role.)


Step 9 For Windows Updates Installation Sources, specify the source for the Windows update(s):

Windows Servers—Updates the Windows operating system using Microsoft-managed Windows update servers.

Managed WSUS Servers—Updates the Windows operating system using resources managed by the Windows server administrator or other trusted third-party source.

Step 10 For Installation Wizard Interface Setting, specify whether or not the user sees the Installation Wizard user interface during Windows Update installation:

Show UI—The Windows Update Installation Wizard progress is visible to users during the update process so they can tell what components are being updated and when the update completes. (Users must have Administrator privileges on the client machine in order to see the Installation Wizard user interface during Windows Update.)

No UI—The Windows Update takes place in the background once the update process has begun and the user is only notified when the update is complete.


Note If users without Administrator privileges are using WSUS to update Windows, you must choose the No UI option.

When a WSUS update is performed on a new installation of Windows 7 (where no updates have been applied), and the No UI option is selected for the requirement, the WSUS update can fail.

The portion of the Windows update that fails to install is the KB890830 update (Windows Malicious Software Removal Tool, http://support.microsoft.com/?kbid=890830). This update must be installed with admin privileges, and there is a one-time EULA that the user must accept during installation.

After KB890830 is installed, there are monthly updates that are pushed out from Microsoft on patch Tuesday. The subsequent updates of KB890830 do not require admin privileges and they work fine on a client where the user is not a member of the admin group.

If users manually install KB890830 on a client system as a non-admin user using Windows Update, they are prompted for the administrator password and then get the EULA.


Step 11 For the Requirement Name, type a unique name to identify this requirement in the Agent. The name will be visible to users on the Agent dialogs.

Step 12 In the Description field, type a description of the requirement and instructions to guide users who fail to meet the requirement, including instructions for Agent users to click the Update button to update their systems. Note that Windows Server Update Service displays the Update button on the Agent.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 13 Click one or more of the following checkboxes to set the Operating System(s) for the requirement:

Windows 2000

Windows XP (All) or one or more of the specific Windows XP operating systems

Windows Vista (All) or one or more of the specific Windows Vista operating systems

Windows 7 (All) or one or more of the specific Windows 7 operating systems

Step 14 Click Add Requirement.

Step 15 If you configured the WSUS requirement for "Windows Updates Validation by Cisco Rules," continue to the next step, Map Windows Server Update Service Requirement to Windows Rules.

Otherwise, continue to the next steps to complete the configuration:

Apply Requirements to User Roles

Validate Requirements


Map Windows Server Update Service Requirement to Windows Rules

Perform the steps in this section if you configured a Windows Server Update Service requirement for Windows Updates Validation by Cisco Rules. (See Create Windows Server Update Service Requirement.)

If you specified Windows Updates Validation by Severity, you do not need to map the Windows Server Update Service to an existing Windows Rule and you can skip this section.

Use the following steps to map a Windows Server Update Service requirement to a Windows rule.


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > Requirement-Rules.

Figure 9-26 Map Windows Server Update Service Requirement to Rules

Step 2 From the Requirement Name dropdown menu, choose the Windows Server Update Service (WSUS) requirement you configured.

Step 3 To configure the Windows Server Update Service requirement-rule mapping, repeat the following procedure for each operating system you want to validate for this requirement:

a. In the Operating System dropdown menu, choose one of the operating systems you configured for the requirement in step 13 of Configuring a Windows Server Update Services Requirement.

Rules are categorized in the system according to the operating system for which they are configured. The Operating System dropdown determines which Rules appear for selection in the "Rules for Selected Operating System" table at the bottom of the page. For example, if you want to map multiple hotfix rules to a requirement you configured for Windows XP (All), in the Requirement-Rule page, you must individually select each flavor of Windows XP (e.g. Windows XP Pro/Home, Windows XP Tablet PC, Windows XP Media Center) from the Operating System dropdown to be able to view and select the pr_hotfix rules for each of those OS flavors (e.g. pr_XP_Hotfixes, pr_XP_TabletPC_Hotfixes, and pr_XP_MCE_Hotfixes, respectively) in the "Rules for Selected Operating System" list.

b. Choose one of the following options for Requirement met if:

All selected rules succeed (default)—all the rules must be satisfied for the client to be considered in compliance with the requirement.

Any selected rule succeeds—at least one selected rule must be satisfied for the client to be considered in compliance with the requirement.

No selected rule succeeds—the selected rules must all fail for the client to be considered in compliance with the requirement.

c. Ignore the AV Virus/AS Spyware Definition rule options.

d. The Rules for Selected Operating System list will display all rules that exist in the system for the chosen OS (pr_ rules or rules that you have configured). Click the checkbox for each rule you want to enable for this requirement. Rules that are typically associated to this requirement are:

pr_AutoUpdateCheck_Rule (Windows XP (All), Windows 2000)

pr_XP_Hotfixes (Windows XP Pro/Home)

pr_2K_Hotfixes (Windows 2000)

pr_Vista_<version>_Hotfixes (Windows Vista Home Basic/Premium, Business, Ultimate, Enterprise)

Note that all rules are listed under Device Management > Clean Access > Clean Access Agent > Rules > Rule List.

e. Click Update to complete the mapping.

Step 4 Continue to the next steps—Apply Requirements to User Roles and Validate Requirements—to complete the configuration.


Configuring a Windows Update Requirement

The Agent "Windows Update" Requirement type configuration page allows administrators to check and modify Windows Update settings, and launch Windows Updater on client machines where users have Administrator privileges.

When this requirement is configured, the administrator can turn on Automatic Updates on Windows Vista, Windows 2000, or Windows XP client machines which have this option disabled on the machine.

The Windows Update requirement (set to Optional by default) provides an Update button on the (persistent) Agent for remediation. When the end user clicks the Update button, the Agent launches the Automatic Updates Agent and forces it to get the update software from an external WSUS server. The software download from the WSUS server may take some time. Therefore, Cisco recommends you keep the Windows Update requirement Optional so that remediation occurs in the background.


Note The Cisco NAC Web Agent only supports Go To Link manual remediation and File Distribution functionality. Cisco NAC Web Agent does not support Update or Launch remediation actions, nor does it perform Auto Remediation.


Windows operating systems can be customized in many ways to include hotfixes and service packs as part of the operating system installation. In some cases, the Agent may not be able to detect hotfix key values in the registry when the hotfix is part of the operating system. In these cases, Cisco recommends using the Windows Server Update Services (WSUS) requirement, which can be configured to access external Windows Updates servers. For more information, see Configuring a Windows Server Update Services Requirement.

Prerequisites

The Windows Server Update Services requirement type applies only to Windows 2000, Windows XP, Windows Vista, and Windows 7 client machines. It supports both Cisco-based and Windows-based verification of the client operating system, as well as customized update installation options based on update severity.

The network administrator must ensure the Automatic Updates Agent is updated to support a local WSUS server to support auto-launch capabilities. For details, refer to http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx

In order to support Windows Server Update Services operations, client machines must have version 5.4.3790.1000 (or a more recent version) of the WUAUENG.dll file installed.

WSUS forced update may take a while. Generally, it is launched and run in the background.

Some Microsoft Windows components (such as Internet Explorer 7) require admin privileges in order to successfully update. If the user does not have admin privileges on the client machine, the Windows update process returns a "WU_E_NO_INTERACTIVE_USER" error. Therefore, Cisco recommends making any Windows updates requiring admin privileges "Optional" to minimize update failures. For details, refer to http://msdn2.microsoft.com/en-us/library/aa387289.aspx.

If there are update errors, see C:\Windows\Windows Update.log or C:\Windows\WindowsUpdate.log.
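The two prerequisite checks above (a minimum WUAUENG.dll version, and reading WindowsUpdate.log when an update fails with an error such as WU_E_NO_INTERACTIVE_USER) can be scripted so that a help desk does not have to eyeball the log. The following is an added example for this guide, not Cisco's or Microsoft's code. It compares the DLL version numerically field by field (a plain string comparison would rank "5.10" below "5.4") and scans constructed WindowsUpdate.log lines for failure HRESULTs. The log excerpt is constructed, not captured from a client; the HRESULT names are taken from Microsoft's wuerror.h, and only WU_E_NO_INTERACTIVE_USER is mentioned on this page.

```python
import re

# Minimum WUAUENG.dll version the guide requires for WSUS operations.
MIN_WUAUENG_VERSION = "5.4.3790.1000"

# Symbolic names for a few Windows Update HRESULTs, as defined in Microsoft's
# wuerror.h; only WU_E_NO_INTERACTIVE_USER is named on this page.
WU_ERROR_NAMES = {
    0x80240020: "WU_E_NO_INTERACTIVE_USER",  # update needs an interactive (admin) user
    0x80240022: "WU_E_ALL_UPDATES_FAILED",
    0x80070005: "E_ACCESSDENIED",
}


def parse_version(text):
    """'5.4.3790.1000' -> (5, 4, 3790, 1000): compare field by field, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def meets_wsus_minimum(dll_version, minimum=MIN_WUAUENG_VERSION):
    """True when the client's WUAUENG.dll satisfies the guide's version prerequisite."""
    return parse_version(dll_version) >= parse_version(minimum)


_HRESULT = re.compile(r"\b0x([0-9A-Fa-f]{8})\b")


def find_update_errors(log_text):
    """Return (line_no, hresult, name) for every failure HRESULT in WindowsUpdate.log text."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for match in _HRESULT.finditer(line):
            code = int(match.group(1), 16)
            if code & 0x80000000:  # severity bit set: a failure, not S_OK or an informational value
                findings.append((line_no, code, WU_ERROR_NAMES.get(code, "unrecognized")))
    return findings


# Constructed WindowsUpdate.log excerpt in the legacy log's column layout
# (date, time, PID, TID, component, message); not a capture from a real client.
SAMPLE_LOG = """\
2011-03-01 09:12:04:101  932  4a8  Agent  *************
2011-03-01 09:12:04:102  932  4a8  Agent  ** START **  Agent: Installing updates
2011-03-01 09:12:09:877  932  4a8  Agent    * WARNING: Exit code = 0x80240020
2011-03-01 09:12:09:880  932  4a8  Agent  ** END **  Agent: Installing updates
"""


def triage(dll_version, log_text):
    """Summarize the two checks an administrator makes before blaming the WSUS requirement."""
    return {
        "wuaueng_ok": meets_wsus_minimum(dll_version),
        "errors": find_update_errors(log_text),
    }


if __name__ == "__main__":
    print(triage("5.4.3790.1000", SAMPLE_LOG))
```

When the triage reports WU_E_NO_INTERACTIVE_USER for a user who is not a local administrator, the fix is the one the guide gives: make the update Optional or select the No UI interface setting, rather than granting the user admin rights.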

The steps to configure a Windows Update requirement are as follows:


Step 1 Create a Windows Update Requirement

Step 2 Map Windows Update Requirement to Windows Rules

Step 3 Apply Requirements to User Roles

Step 4 Validate Requirements


Create a Windows Update Requirement

Use the following steps to configure a Windows Update requirement.


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement.

Figure 9-27 New Windows Update Requirement

Step 2 From the Requirement Type dropdown menu, choose Windows Update.

Step 3 Choose an Enforce Type from the dropdown menu:

Optional (default setting)—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking Next/Skip in the Agent dialog). The client system does not have to meet the requirement for the user to proceed or have network access.


Note The Windows Update requirement type is set to Optional (or "do not enforce") by default to optimize user experience by running the update process in the background. Cisco also recommends leaving this requirement as Optional if selecting the "Automatically download and install" option.


Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is generated. The report results (pass or fail) do not affect user network access.

Refer to Configuring an Optional/Audit Requirement for details.

Step 4 Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Agent dialogs in that order). Note that if this is a Mandatory requirement and it fails, the Agent does not continue past that point until that requirement succeeds.

Step 5 If you want to enable and configure Auto Remediation for the Agent:

a. Choose the Remediation Type [Manual | Automatic] from the dropdown menu. Choosing Manual preserves previous Agent behavior. The user has to click through each of the requirements using the Next/Skip button in the Agent. Choosing Automatic sets the Agent to perform Auto Remediation, where the Agent automatically performs updates or launches required programs on the client after the user logs in.

b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the default interval is 0). Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.

c. Enter the Retry Count []. Specifying a retry count sets a limit on the number of times the Agent automatically retries the requirement if it initially fails. (The default retry count setting is 0.)

For details on configuring Auto Remediation, see Configuring Auto Remediation for Requirements.


Note The Cisco NAC Web Agent does not support Auto Remediation.


Step 6 From the Windows Update Setting dropdown, choose one of the following options:

Do not change setting

Notify to download and install

Automatically download and notify to install

Automatically download and install

These settings correspond to the Automatic Updates dialog settings on the Windows client (Figure 9-28).

Step 7 Click the checkbox for Permanently override user setting with administrator Windows Update Setting, if you want to enforce your administrator-specified setting for Automatic Updates on all client machines during and after Windows Update. If left unchecked, the admin setting will only apply when Automatic Updates are disabled on the client; otherwise the user setting applies when Automatic Updates are enabled.

Step 8 For the Requirement Name, type a unique name to identify this requirement in the Agent. The name will be visible to users on the Agent dialogs.

Step 9 In the Description field, type a description of the requirement and instructions to guide users who fail to meet the requirement, including instructions for Agent users to click the Update button to update their systems. Note that Windows Update displays the Update button on the Agent.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 10 Click one or more of the following checkboxes to set the Operating System(s) for the requirement:

Windows 2000

Windows XP (All) or one or more of the specific Windows XP operating systems

Windows Vista (All) or one or more of the specific Windows Vista operating systems

Windows 7 (All) or one or more of the specific Windows 7 operating systems


Note Make sure the operating system you choose matches the operating system you set for the rule(s) you plan to map to this Windows Update requirement in Configuring a Windows Server Update Services Requirement.


Step 11 Click Add Requirement.

Figure 9-28 Windows XP Automatic Updates


Map Windows Update Requirement to Windows Rules

Use the following steps to map a Windows Update requirement to one or more rules.


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > Requirement-Rules.

Figure 9-29 Map Windows Update Requirement to Rules

Step 2 From the Requirement Name dropdown menu, choose the Windows Update requirement you configured.

Step 3 To configure the Windows Update requirement-rule mapping, repeat the following procedure for each operating system you want to support:

a. In the Operating System dropdown menu, choose one of the operating systems you configured for the requirement in step 10 of Configuring a Windows Update Requirement.

Rules are categorized in the system according to the operating system for which they are configured. The Operating System dropdown determines which Rules appear for selection in the "Rules for Selected Operating System" table at the bottom of the page. For example, if you want to map multiple hotfix rules to a requirement you configured for Windows XP (All), in the Requirement-Rule page, you must individually select each flavor of Windows XP (e.g. Windows XP Pro/Home, Windows XP Tablet PC, Windows XP Media Center) from the Operating System dropdown to be able to view and select the pr_hotfix rules for each of those OS flavors (e.g. pr_XP_Hotfixes, pr_XP_TabletPC_Hotfixes, and pr_XP_MCE_Hotfixes, respectively) in the "Rules for Selected Operating System" list.

b. Choose one of the following options for Requirement met if:

All selected rules succeed (default)—all the rules must be satisfied for the client to be considered in compliance with the requirement.

Any selected rule succeeds—at least one selected rule must be satisfied for the client to be considered in compliance with the requirement.

No selected rule succeeds—the selected rules must all fail for the client to be considered in compliance with the requirement.

c. Ignore the AV Virus/AS Spyware Definition rule options.

d. The Rules for Selected Operating System list will display all rules that exist in the system for the chosen OS (pr_ rules or rules that you have configured). Click the checkbox for each rule you want to enable for this requirement. Typical rules that are associated to this requirement are:

pr_AutoUpdateCheck_Rule (Windows XP (All), Windows 2000)

pr_XP_Hotfixes (Windows XP Pro/Home)

pr_2K_Hotfixes (Windows 2000)

pr_Vista_<version>_Hotfixes (Windows Vista Home Basic/Premium, Business, Ultimate, Enterprise)

Note that all rules are listed under Device Management > Clean Access > Clean Access Agent > Rules > Rule List.

e. Click Update to complete the mapping.

Step 4 Continue to the next steps—Apply Requirements to User Roles and Validate Requirements—to complete the configuration.


Configuring Custom Checks, Rules, and Requirements

A check is a condition statement used to examine the client system. In the simplest case, a requirement can be created from a single rule made up of a single check. If the condition statement yields a true result, the system is considered in compliance with the Agent requirement and no remediation is necessary.

To create a check, first determine an identifying feature of the requirement. The feature (such as a registry key or process name) should indicate whether the client meets the requirement. The best way to find such an indicator is to examine a system that meets the requirement. If necessary, refer to the documentation provided with the software to determine what identifying feature to use for the Clean Access check. Once you have determined the indicator for the requirement, use the following procedure to create the check.


Note The Mac OS X Agent does not support custom checks and custom rules. You can only assign AV and AS rules to the Link Distribution, Local Check, AV Definition Update, and AS Definition Update requirement types for Mac OS X posture remediation.


Custom Requirements

You can create custom requirements to map rules to the mechanism that allows users to meet the rule condition. The mechanism may be an installation file, a link to an external resource, or simply instructions. If a rule check is not satisfied (for example, required software is not found on the client system), users can be warned or required to fix their systems, depending on your configuration. As shown in Figure 9-30, a rule can combine several checks with Boolean operators, "&" (and), "|" (or), and "!" (not). A requirement can rely on more than one rule, specifying that any selected rule, all rules, or no rule must be satisfied for the client to be considered in compliance with the requirement.

Figure 9-30 Custom Checks, Rules, and Requirements

Custom Rules

A rule is a condition statement made up of one or more checks. A rule combines checks with logical operators to form a Boolean statement that can test multiple features of the client system.
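To make the two levels of composition concrete, the following added example (written for this guide, not Cisco's code) evaluates rule expressions built from check names and the "&", "|", and "!" operators, then combines several rules' outcomes the way the "Requirement met if" setting on the Requirement-Rules page does (all selected rules succeed, any selected rule succeeds, no selected rule succeeds). Operator precedence ("!" before "&" before "|") and parenthesized grouping are assumptions of this example; the guide lists only the three operators. The check outcomes and rule expressions are constructed; pc_Hotfix828035 and pc_Hotfix835732 are pre-configured check names that appear in this chapter, while pc_AutoUpdateEnabled and pc_LegacyClientPresent are hypothetical. The validate_rule function mirrors the Validate Rules step: it reports an expression that does not parse or that names a check the Agent never evaluated.

```python
import re

# Tokens of a rule expression: check names, the three Boolean operators the guide
# lists ("&", "|", "!"), and parentheses for grouping (grouping is an assumption here).
_TOKEN = re.compile(r"[A-Za-z0-9_]+|[&|!()]|\S")


def tokenize(expression):
    """Split a rule expression into check names, operators and parentheses."""
    tokens = _TOKEN.findall(expression)
    bad = [t for t in tokens if not re.fullmatch(r"[A-Za-z0-9_]+|[&|!()]", t)]
    if bad:
        raise ValueError(f"unexpected token(s) in rule expression: {bad}")
    return tokens


class _RuleParser:
    """Recursive-descent evaluator; precedence is '!' over '&' over '|'."""

    def __init__(self, tokens, check_results):
        self.tokens, self.pos, self.checks = tokens, 0, check_results

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "|":
            self._take()
            value = self.parse_and() or value  # evaluate the right side so bad names are still caught
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == "&":
            self._take()
            value = self.parse_not() and value
        return value

    def parse_not(self):
        if self.peek() == "!":
            self._take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self._take()
        if tok == "(":
            value = self.parse_or()
            if self._take() != ")":
                raise ValueError("missing ')' in rule expression")
            return value
        if tok is None or tok in "&|!()":
            raise ValueError(f"expected a check name, got {tok!r}")
        if tok not in self.checks:
            # A rule that references a check the Agent never evaluated cannot be trusted.
            raise KeyError(f"rule references unknown check {tok!r}")
        return bool(self.checks[tok])


def evaluate_rule(expression, check_results):
    """True when the rule's Boolean expression over the check results is satisfied."""
    parser = _RuleParser(tokenize(expression), check_results)
    value = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected {parser.peek()!r} after end of expression")
    return value


def validate_rule(expression, known_checks):
    """The Validate Rules step: does the expression parse and name only known checks?"""
    try:
        evaluate_rule(expression, {name: False for name in known_checks})
    except (ValueError, KeyError) as err:
        return False, str(err)
    return True, "ok"


# "Requirement met if" choices from the Requirement-Rules page.
REQUIREMENT_MET_IF = {
    "all": lambda outcomes: all(outcomes),
    "any": lambda outcomes: any(outcomes),
    "none": lambda outcomes: not any(outcomes),
}


def requirement_met(rule_expressions, check_results, met_if="all"):
    """Combine the selected rules' outcomes as the requirement-rule mapping specifies."""
    if not rule_expressions:
        return False  # no mapped rules: treated as not met (assumption; the guide does not say)
    outcomes = [evaluate_rule(expr, check_results) for expr in rule_expressions.values()]
    return REQUIREMENT_MET_IF[met_if](outcomes)


# Constructed check outcomes for one client (the last two check names are hypothetical).
SAMPLE_CHECKS = {
    "pc_Hotfix828035": True,
    "pc_Hotfix835732": False,
    "pc_AutoUpdateEnabled": True,
    "pc_LegacyClientPresent": False,
}

# Constructed rule expressions in the form a copied "pr_" rule would take.
SAMPLE_RULES = {
    "copy_of_pr_XP_Hotfixes": "pc_Hotfix828035 & pc_Hotfix835732",
    "autoupdate_rule": "pc_AutoUpdateEnabled & !pc_LegacyClientPresent",
}

if __name__ == "__main__":
    for name, expr in SAMPLE_RULES.items():
        print(f"{name}: {evaluate_rule(expr, SAMPLE_CHECKS)}")
    for mode in REQUIREMENT_MET_IF:
        print(f"requirement met if {mode}: {requirement_met(SAMPLE_RULES, SAMPLE_CHECKS, mode)}")
```

The example fails closed on purpose: a reference to an unknown check is an error rather than a silent "false", and a requirement with no mapped rules is reported as not met, so a mis-typed check name or a forgotten mapping step shows up in validation instead of quietly passing clients.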

Cisco Pre-Configured Rules ("pr_")

Cisco NAC Appliance provides a set of pre-configured rules and checks that are downloaded to the CAM via the Updates page on the CAM web console (under Device Management > Clean Access > Updates).

Pre-configured rules have a prefix of "pr" in their names (e.g. "pr_XP_Hotfixes"), and can be copied for use as a template, but cannot be edited or removed. You can click the Edit button for any "pr_" rule to view the rule expression that defines it. The rule expression for a pre-configured rule is composed of pre-configured checks (e.g. "pc_Hotfix835732") and Boolean operators. The rule expressions for pre-configured rules are updated via Cisco Updates. For example, when new Critical Windows OS hotfixes are released for Windows XP, the pr_XP_Hotfixes rule is updated with the corresponding hotfix checks.

Pre-configured rules are listed under Device Management > Clean Access > Clean Access Agent > Rules > Rule List.


Note Cisco pre-configured rules are intended to provide support for Critical Windows operating system hotfixes only.


Custom Checks

A check is a condition statement that examines a feature of the client system, such as a file, registry key, service, or application. Table 9-12 lists the types of custom checks available and what they test.

Table 9-12 Checks

Check Category: Check Type(s)

Registry check: whether or not a registry key exists; registry key value, version, or modification date

File check: whether or not a file exists; date of modification or creation; file version

Service check: whether or not a service is running

Application check: whether or not an application is running
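The following added example (written for this guide, not Cisco's Agent code) shows how each check type in Table 9-12 reduces to a condition over what the Agent can observe on the client. It evaluates check definitions against a constructed snapshot of one machine standing in for the registry, file system, service list and process list. The Norton AntiVirus registry path is the one this chapter uses as an example; the hotfix paths, version strings, dates and the use of the wuauserv service and wuauclt.exe process as sample data are constructed for the example. A feature that is absent evaluates to false, matching the guide's statement that a false condition means the required software is considered missing.

```python
import operator
from datetime import date

# Constructed snapshot of one client standing in for what the Agent reads from the
# registry, file system, service control manager and process list. The Norton key is
# the chapter's own example path; the values and dates are hypothetical.
CLIENT_SNAPSHOT = {
    "registry": {
        r"HKLM\SOFTWARE\Symantec\Norton AntiVirus": {"version": "12.0.0.9", "": "default-value"},
    },
    "files": {
        r"C:\Windows\System32\wuaueng.dll": {
            "version": "5.4.3790.1000",
            "modified": date(2011, 2, 14),
            "created": date(2010, 8, 2),
        },
    },
    "services_running": {"wuauserv"},        # Automatic Updates service
    "applications_running": {"wuauclt.exe"},  # Automatic Updates client process
}

_OPERATORS = {
    "=": operator.eq, "!=": operator.ne,
    ">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le,
}


def _coerce(value, data_type):
    """Interpret a value according to the check's data type so the comparison is meaningful."""
    if data_type == "version":
        return tuple(int(p) for p in str(value).split("."))
    if data_type == "number":
        return float(value)
    if data_type == "date":
        return value if isinstance(value, date) else date.fromisoformat(value)
    return str(value)


def _compare(actual, check):
    """Apply the check's operator to the observed value and the expected value."""
    data_type = check.get("data_type", "string")
    expected = _coerce(check["value"], data_type)
    return _OPERATORS[check["operator"]](_coerce(actual, data_type), expected)


def evaluate_check(check, snapshot=CLIENT_SNAPSHOT):
    """True when the condition holds; a missing key, file, service or process fails the check."""
    category, kind = check["category"], check["type"]
    if category == "registry":
        key = snapshot["registry"].get(check["key"])
        if key is None:
            return False
        if kind == "key_exists":
            return True
        name = check.get("value_name", "")  # "" is the unnamed (default) value
        if name not in key:
            return False
        return _compare(key[name], check) if "operator" in check else True
    if category == "file":
        info = snapshot["files"].get(check["path"])
        if info is None:
            return False
        if kind == "exists":
            return True
        observed = info.get(kind)  # kind is "version", "modified" or "created"
        return False if observed is None else _compare(observed, check)
    if category == "service":
        return check["name"] in snapshot["services_running"]
    if category == "application":
        return check["name"].lower() in snapshot["applications_running"]
    raise ValueError(f"unknown check category {category!r}")


if __name__ == "__main__":
    print(evaluate_check({"category": "registry", "type": "value",
                          "key": r"HKLM\SOFTWARE\Symantec\Norton AntiVirus",
                          "value_name": "version", "operator": ">=",
                          "data_type": "version", "value": "12.0.0.0"}))
```

The data type matters as much as the operator: comparing the same "12.0.0.9" value as a string against "9.0" fails, because "1" sorts before "9", while the version data type compares it field by field and passes. Choosing the wrong data type for a value comparison is the usual reason a check that "should" pass does not.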


Cisco Pre-Configured Checks ("pc_")

Pre-configured checks have a prefix of "pc" in their names (for example, pc_Hotfix828035) and are listed under Device Management > Clean Access > Clean Access Agent > Rules > Check List.

Using Pre-Configured Rules to Check for CSA

You can use Cisco pre-configured rules to create an Agent requirement that checks if the Cisco Security Agent (CSA) is already installed and/or running on a client. To do this:

1. Create a new Link Distribution or File Distribution requirement (for Windows 7/Vista/XP/2000).

2. Associate the requirement to one or both of the following rules (for Windows 7/Vista/XP/2000):

pr_CSA_Agent_Version_5_0

pr_CSA_Agent_Service_Running

3. Associate the requirement to the user role(s) for which it will apply.


Note See Configuration Summary for further details on creating custom requirements (using either pre-configured or custom rules).


Copying Checks and Rules

Note that pre-configured rules and checks are not editable, but can serve as templates. To modify a non-editable check or a rule, make a copy of it first by clicking the corresponding Copy button. Copies of checks are added to the bottom of the Check List, in the form copy_of_checkname. Copies of rules are added to the bottom of the Rules List, in the form copy_of_rulename. Click the corresponding Edit button to bring up the Edit form to modify the check or rule. The edited checks and rules can then be configured and associated to requirements and roles as described in the following sections.

Configuration Summary

The steps to create custom requirements are as follows:


Step 1 Create Custom Check

Step 2 Create a Custom Rule

Step 3 Validate Rules

Step 4 Create a Custom Requirement

Step 5 Map Requirements to Rules

Step 6 Apply Requirements to User Roles

Step 7 Validate Requirements


Create Custom Check

Use the following steps to configure a custom Check.


Step 1 In the Clean Access Agent tab, click the Rules submenu and then open the New Check page.

Figure 9-31 New Check


Note For all custom checks, follow steps 2 through 7, refer to the specific configuration settings for each check type, then go to step 8.


Step 2 Select a Check Category: Registry Check, File Check, Service Check, or Application Check.

Step 3 Select a Check Type for the Category and fill in specific form fields as described in the following section. Specify the parameters, operator, and (if the check type is a value comparison) the value and data type of the statement, and click Add Check to create the evaluation statement. If the condition statement evaluates to false, the required software is considered missing.

Registry Checks

File Checks

Service Check

Application Check

Step 4 Type a descriptive Check Name. The rules created from this check will reference the check by this name, so be sure to give the check a unique, self-descriptive name. The name is case-sensitive and should be less than 255 characters and without spaces or special characters.

Step 5 Type an optional Check Description.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 6 Click one or more of the following checkboxes to set the Operating System(s) for the requirement:

Windows All

Windows 2000

Windows XP (All) or one or more of the specific Windows XP operating systems

Windows Vista (All) or one or more of the specific Windows Vista operating systems

Windows 7 (All) or one or more of the specific Windows 7 operating systems

Step 7 If desired, select "Automatically create rule based on this check". In this case, the rule is automatically populated with the check when added and is named "checkname-rule".

Step 8 Click Add Check when finished.

Registry Checks

Registry Key—Checks whether a specific key exists in the registry.

Registry Value (Default)—Checks whether an unnamed (default) registry key exists or has a particular value, version, or modification date.

Registry Value—Checks whether a named registry key exists or has a particular value, version, or modification date.

Figure 9-32 Registry Check Types

a. For the Registry Key field, select the area of the client registry:

HKLM - HKEY_LOCAL_MACHINE

HKCC - HKEY_CURRENT_CONFIG

HKCU - HKEY_CURRENT_USER

HKU - HKEY_USERS

HKCR - HKEY_CLASSES_ROOT

Then type the path to be checked.

For example: HKLM \SOFTWARE\Symantec\Norton AntiVirus\version

b. For a Registry Value search, enter a Value Name.

c. For Registry Value searches, enter a Value Data Type:

1. For a "Number" Value Data Type (Note: REG_DWORD is equivalent to Number), choose one of the following Operators from the dropdown: equals, greater than, less than, does not equal, greater than or equal to, less than or equal to

2. For a "String" Value Data Type choose one of the following Operators from the dropdown: equals, equals (ignore case), does not equal, starts with, does not start with, ends with, does not end with, contains, does not contain.

3. For a "Version" Value Data Type choose one of the following Operators from the dropdown: earlier than, later than, same as.

4. For a "Date" Value Data Type, choose one of the following Operators from the dropdown: earlier than, later than, same as.

d. If specifying a "Date" Value Data Type, also choose one of two values to check. This allows you to specify "older than" or "newer than" by more than/fewer than x days to the current date.

Type the date/time of the client machine in mm/dd/yyyy hh:MM:ss format.

Choose the CAM date, + or - from the dropdown, and type the number of days.

e. Type the Value Data for a Registry Value search.


Note For the "String" Value Data Type, the maximum length for a string is 256 characters.


File Checks

File Existence—Checks whether a file exists on the system.

File Date—Checks whether a file with a particular modification or creation date exists on the system.

File Version—Checks whether a particular version of a file exists on the system.

Figure 9-33 File Check Types

a. For File Path, select:

SYSTEM_DRIVE - checks the C:\ drive

SYSTEM_ROOT - checks the root path for Windows systems

SYSTEM_32 - checks C:\WINDOWS\SYSTEM32

SYSTEM_PROGRAMS - checks C:\Program Files

b. For Operator, select:

exists or does not exist - File Existence check

earlier than, later than, same as - File Date or File Version check

c. For a File Date check type, also choose one of two values to check for File Date. This allows you to specify "older than" or "newer than" by more than/fewer than x days to the current date.

Type the date/time of the client machine in mm/dd/yyyy hh:MM:ss format

Choose the CAM date, + or - from the dropdown, and type the number of days

d. For a File Date check type, select a File Date Type:

Creation date

Modification date

Service Check

Service Status - Whether a service is currently running on the system.

Figure 9-34 Service Check Type

a. Enter a Service Name. The Service Name in this context is the name that comes up when a user double-clicks on the service in Microsoft Management Console with a "Service Name:" prefix. For example, "Windows Firewall/Internet Connection Sharing (ICS)" would need to be configured as "SharedAccess" in the Service Name field to check for the service.

b. Select an Operator:

running

not running

Application Check

Application Status - Whether an application is currently running on the system.

Figure 9-35 Application Check Type

a. Enter an Application Name.

b. Select an Operator: running or not running.


Create a Custom Rule

A rule is an expression made up of checks and operators. A rule is the unit used by the Agent to assess a posture on a particular operating system. The result of the rule expression is considered to assess compliance with the Agent requirement. A rule can be made up of a single check or it can have multiple checks combined with Boolean operators. Table 9-13 shows the operators along with their order of evaluation.

Table 9-13 Rule Operators

Priority  Operator  Description
1         ()        parens for evaluation priority
2         !         not
3         &         and
3         |         or


Operators of equal priority are evaluated from left to right. For example, a rule may be defined as follows:

adawareLogRecent & (NorAVProcessIsActive | SymAVProcessIsActive)

The adawareLogRecent check and either the NorAVProcessIsActive check or the SymAVProcessIsActive check must be satisfied for the rule to be considered met. Without parentheses, the following would be implied:

(adawareLogRecent & NorAVProcessIsActive) | SymAVProcessIsActive

In this case, either SymAVProcessIsActive or both of the first two checks must be true for the rule to be considered met.

Use the following steps to create a custom Rule.


Step 1 In the Clean Access Agent tab, click the Rules submenu link and then New Rule.

Figure 9-36 New Rule

Step 2 Type a unique Rule Name.

Step 3 Enter a Rule Description.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 4 Select the Operating System for which the rule applies. If Updates have been downloaded, the pre-configured checks for that operating system appear in the Checks for Selected Operating System list below.

Step 5 Create the Rule Expression by combining checks and operators. Use the list to select the names of checks and copy and paste them to the Rule Expression text field. Use the following operators with the checks: () (evaluation priority), ! (not), & (and), | (or).

For example:

adawareLogRecent & (NorAVProcessIsActive | SymAVProcessIsActive)

For a simple rule that tests a single check, simply type the name of the check:

SymAVProcessIsActive

Step 6 Click Add Rule.

The console validates the rule and, if formed correctly, the rule appears in the Rule List. From there, you can delete the rule, modify it, or copy it (create a new rule by copying this one).


Validate Rules

The Clean Access Manager automatically validates rules and requirements as they are created. Invalid rules have incompatibilities between checks and rules, particularly those relating to the target operating system. These errors can arise when you create checks and rules for a particular operating system but later change the operating system property for a check. In this case, a rule that uses the check and which is still applicable for the formerly configured operating system is no longer valid. Rule validation detects these and other errors.

The Validity column under Device Management > Clean Access > Clean Access Agent > Rules > Rule List displays a blue checkmark if the rule is valid and a red "X" if the rule is invalid. Highlight this icon with your mouse to reveal which check is causing the rule to be invalid, in the form:

Invalid rule [rulename], Invalid check [checkname] in rule expression. 

Figure 9-37 Rule List

Use the following steps to correct an invalid Rule.


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Rules > Rule List.

Step 2 Click the Edit button for the invalid rule.

Step 3 Correct the invalid Rule Expression. If the rule is invalid because a check has been deleted, make sure you associate the rule with a valid check.

Step 4 Make sure the correct Operating System is selected.

Step 5 Make sure the Requirement met if: expression is correctly configured.

Step 6 Click Save Rule.

Step 7 Make sure any requirement based on this rule is also corrected as described in Validate Requirements.
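As an added example (not code from the guide or from Cisco), the following evaluates a Rule Expression with the operator priorities of Table 9-13 (& and | at equal priority, left to right) and reproduces the Rule List validity check described under Validate Rules; the check names, client results and operating-system assignments are constructed sample data, and the treatment of a "Windows All" check as usable by any Windows rule is this example's assumption.

```python
import re

OPERATORS = {"(", ")", "!", "&", "|"}
# Check names carry no spaces or special characters (Create Custom Check, Step 4);
# underscore and hyphen are accepted so names such as copy_of_checkname tokenize.
_TOKEN = re.compile(r"\s*(?:([A-Za-z0-9_\-]+)|([()!&|]))")


def tokenize(expression):
    """Split a Rule Expression into check names and operator tokens."""
    expression = expression.strip()
    tokens, pos = [], 0
    while pos < len(expression):
        m = _TOKEN.match(expression, pos)
        if m is None:
            raise ValueError("unexpected character at offset %d in %r" % (pos, expression))
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent over Table 9-13: priority 1 (), priority 2 !,
    priority 3 & and | (equal priority, so they are applied left to right)."""

    def __init__(self, tokens, results):
        self.tokens, self.pos, self.results = tokens, 0, results

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        value = self.unary()
        while self.peek() in ("&", "|"):
            op = self.take()
            rhs = self.unary()  # always parsed, so the token stream advances
            value = (value and rhs) if op == "&" else (value or rhs)
        return value

    def unary(self):
        if self.peek() == "!":
            self.take()
            return not self.unary()
        return self.primary()

    def primary(self):
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')' in rule expression")
            return value
        if tok is None or tok in OPERATORS:
            raise ValueError("expected a check name, found %r" % (tok,))
        if tok not in self.results:
            raise KeyError("no result for check %r" % tok)
        return bool(self.results[tok])


def evaluate_rule(expression, check_results):
    """True when the rule is met. check_results maps check name -> True if the
    check's condition held (False means the required software is missing)."""
    parser = _Parser(tokenize(expression), check_results)
    value = parser.expr()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r after expression" % parser.peek())
    return value


def validate_rule(rule_name, expression, rule_os, checks):
    """Rule List validity: every check in the expression must exist and be configured
    for the rule's operating system. Returns None if valid, else the console-style
    message. Assumption (not stated in the guide): "Windows All" covers every OS."""
    for name in [t for t in tokenize(expression) if t not in OPERATORS]:
        oses = checks.get(name, set())
        if rule_os not in oses and "Windows All" not in oses:
            return "Invalid rule [%s], Invalid check [%s] in rule expression." % (rule_name, name)
    return None


# Constructed sample data: one client's check results, and the operating systems
# each check is configured for on the CAM.
SAMPLE_RESULTS = {"adawareLogRecent": False, "NorAVProcessIsActive": False,
                  "SymAVProcessIsActive": True}
SAMPLE_CHECKS = {"adawareLogRecent": {"Windows All"},
                 "NorAVProcessIsActive": {"Windows XP (All)"},
                 "SymAVProcessIsActive": {"Windows XP (All)", "Windows 7 (All)"}}
```

With these results, `adawareLogRecent & (NorAVProcessIsActive | SymAVProcessIsActive)` is not met while the unparenthesised form is, and `SymAVProcessIsActive | adawareLogRecent & NorAVProcessIsActive` is not met either, because | is not grouped after & as it would be in most languages.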


Create a Custom Requirement

Custom requirements map a specified collection of rules for an operating system to the files, distribution links, or instructions that you want pushed to the user via Agent dialogs. Custom requirements can point to installation files or links where software can be downloaded. For local checks not associated with a specific installation file, the requirement can map the rule to an informational message, for example, instructing the user to remove software or run a virus check. A new requirement can be created at any time in the configuration process. However, the requirement must be associated to both a rule for an operating system and a user role before it can take effect.

Create File Distribution/Link Distribution/Local Check Requirement

Use the following steps to configure a custom requirement.


Step 1 In the Clean Access Agent tab, click the Requirements submenu link and then New Requirement.

Figure 9-38 New Requirement (File Distribution)

Step 2 Select a Requirement Type:

File Distribution - This distributes the required software directly by making the installation package available for user download using the Agent. In this case, the file to be downloaded by the user is placed on the CAM using the File to Upload field. (The maximum file size you can make available to users via File Distribution is 50MB.) For the Agent to download this file, you should create a traffic policy allowing HTTP access only to the CAM for the Temporary role. See Adding Traffic Policies for Default Roles.

You can also use the File Distribution requirement type to search the client machine for a specific file that is different from the one you want users to download. That way, you can force users who do not yet have the correct file to get it via the File Distribution requirement and allow users who already have the file installed to simply pass this particular step in the posture assessment process.

Figure 9-39 Example Cisco NAC Agent File Distribution Dialog

Link Distribution - This refers users to another web page where the software is available, such as a software download page. Make sure the Temporary role is configured to allow HTTP (and/or HTTPS) access to the link.

Figure 9-40 Example Mac OS X Agent Assessment Report Link Distribution Requirement Display

Local Check - This is used when creating checks not associated with installable software, for example, to check if Windows Update Service (Automatic Updates) is enabled, or to look for software that should not be on the system. (The Mac OS X Agent Assessment Report window displays Local Check requirements using a "Message" icon.)

Figure 9-41 Example Mac OS X Agent Assessment Report Local Check Requirement Display

Step 3 Choose an Enforce Type from the dropdown menu:

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking Next/Skip in the Agent dialog). The client system does not have to meet the requirement for the user to proceed or have network access.

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is automatically generated and sent back to the CAS. (Audit requirements do not appear in the user's Assessment Report window.) The report results (pass or fail) do not affect user network access.

Refer to Configuring an Optional/Audit Requirement for more details.

Step 4 Specify the Priority of the requirement. Requirements with the lowest number (e.g. "1") have the highest priority and are performed first. If a requirement fails, the remediation instructions configured for the requirement are pushed to the user without additional requirements being tested. Therefore you can minimize processing time by putting the requirements that are most likely to fail at a higher priority.

Step 5 You can enable and configure Auto Remediation using the Agent for a Link Distribution requirement type only. Refer to Configuring Auto Remediation for Requirements for details.


Note The Cisco NAC Web Agent does not support Auto Remediation.


Step 6 The Version field lets you keep track of various versions of a requirement. This is particularly useful when there are updates to the required software. You can use any versioning scheme you like, such as numbers (1, 2, 3), point numbers (1.0), or letters.

Step 7 If you chose File Distribution as the Requirement Type, click Browse next to the File to Upload field and navigate to the folder where you have the installation file (.exe) for the required software.

Step 8 If you chose Link Distribution as the Requirement Type, enter the URL of the web page where users can get the install file or patch update in the File Link URL field.


Note The Mac OS X Agent does not support automatic remediation. Therefore, the Remediation functions that appear on the New Requirement configuration page (Remediation Type, Interval, and Retry Count) when you choose the AV Definition Update or AS Definition Update requirement types do not serve any purpose when creating requirements for Macintosh client remediation.


Step 9 For the Requirement Name type a unique name to identify the system requirement. The name will be visible to users on the Agent dialogs.

Step 10 In the Description field, type a description of the requirement and instructions for the benefit of your users. Note the following:

File Distribution displays a Download button on the Agent.

Link Distribution displays a Go To Link button on the Agent.

Local Check displays a Re-Scan button on the Agent.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 11 Select the Operating System for which the requirement applies (you must choose at least one).

Step 12 Click Add Requirement to save the settings for the download requirement.

Step 13 The requirement appears in the Requirement List.

Figure 9-42 shows an example of how requirement configuration fields display in the Mac OS X Agent.

Figure 9-42 Mac OS X Agent Requirements (User Display Example)

Figure 9-43 shows an example of how requirement configuration fields display in the Cisco NAC Agent.

Figure 9-43 Example Optional Link Distribution Requirement—Cisco NAC Agent on Windows XP


Configuring a Launch Programs Requirement


Note The Cisco NAC Agent is required to use this feature. This feature applies to Windows 7, Windows Vista, Windows 2000, and Windows XP machines only. The Mac OS X Agent and the Cisco NAC Web Agent do not support this requirement type.


The Launch Programs Requirement Type allows administrators to launch a qualified (signed) remediation program through the Agent. The administrator can create a check/rule condition; upon its failure, the administrator can configure to launch any remediation program to fix the machine. Multiple programs are permitted, and they are launched in the same sequence as specified by the administrator.

The Agent launches the programs in one of two ways, depending on whether or not the user has admin privileges on the device.

Launch Programs With Admin Privileges

If the user has admin privileges on the client machine, any program that is an executable is qualified. The program is launched directly and digital signing and verification of the application are not required.

Launch Programs Without Admin Privileges

The executable must have:

A valid digital signature signed by certificates with specific field value(s)

File version information with specific item value(s)

Note also that:

The executable must be signed with a code signing certificate with a proper chain of certificates. The code signing certificate must be installed on the client machine.

The root certificate must also be installed on the client machine and must be in the Trusted Root Certification Authority on Windows.

You must create a registry key that is particular to the executable being run in addition to installing the certificate. Refer to How the Agent Verifies Digital Signature and Trust on an Executable Program for details.

How the Agent Verifies Digital Signature and Trust on an Executable Program

On client machines where users will launch executables, you must add a Trust<N> key in the Windows registry for the executable you want to run. It is the administrator's responsibility to populate the required registry keys for the programs to be trusted by the Cisco NAC Agent service. The Cisco NAC Agent verifies the launch program for a trusted digital signature as follows:

1. Verifies the digital signature - Ensures the digital signature is trusted.

2. Verifies the signer certificate information based on the information in the registry.

The related registry structure appears as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust<N>\Certificate\2.5.4.3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust<N>\FileVersionInfo\ProductName

Where:

<N> is a number.

For the entries under Certificate, each value is compared exactly against the corresponding field of the signer certificate, case-insensitively.

For the entries under FileVersionInfo, each value must appear within the corresponding value in the file's version information stream; this comparison is also case-insensitive.

All the entries under Certificate and FileVersionInfo must be satisfied (AND operation) for a Trust<N> chain to qualify the target as trusted.

If any Trust<N> chain is satisfied, the target is qualified to launch.

For example, the following key-value pairs in the registry qualify the Cisco NAC Agent to be launched as an application by a non-admin user:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust0\Certificate\2.5.4.3 with a value of "Cisco Systems"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust0\FileVersionInfo\ProductName with a value of "Cisco NAC Agent"

Administrators should add registry entries to qualify all applications users will launch on client machines. See Table 9-14 for a list of supported keys.

Table 9-14 Supported Launch Program Executable Keys for Trusted Digital Signature

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CCAAgentStub\

Registry Key: Trust<N>
Valid Range: 0 and above
Description: The Trust<N> chain is a digital signature for the executable that the Clean Access Agent Stub uses to determine whether or not Windows can trust the executable before launching.

Registry Key: Certificate
Supported Value Names:
2.5.4.3 - COMMON_NAME or SUBJECT_NAME
2.5.4.4 - SUR_NAME
2.5.4.5 - DEVICE_SERIAL_NUMBER
2.5.4.6 - COUNTRY_NAME
2.5.4.7 - LOCALITY_NAME
2.5.4.8 - STATE_OR_PROVINCE_NAME
2.5.4.9 - STREET_ADDRESS
2.5.4.10 - ORGANIZATION_NAME
2.5.4.11 - ORGANIZATIONAL_UNIT_NAME
2.5.4.12 - TITLE
2.5.4.13 - DESCRIPTION
2.5.4.14 - SEARCH_GUIDE
2.5.4.15 - BUSINESS_CATEGORY
2.5.4.16 - POSTAL_ADDRESS
2.5.4.17 - POSTAL_CODE
2.5.4.18 - POST_OFFICE_BOX
2.5.4.19 - PHYSICAL_DELIVERY_OFFICE_NAME
2.5.4.20 - TELEPHONE_NUMBER

Registry Key: FileVersionInfo
Supported Value Names:
ProductName
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
OriginalFileName
ProductVersion
Comments
LegalTrademarks
PrivateBuild
SpecialBuild
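The Trust<N> matching described in How the Agent Verifies Digital Signature and Trust on an Executable Program, as an added example that is not part of the guide or of the Cisco NAC Agent: constructed Trust0/Trust1 entries are checked against constructed signer and file-version data with the AND-within-chain, OR-across-chains logic; the step-1 signature result is taken as an input (signature_trusted) rather than re-verified, and the rejection of an empty chain is this example's own assumption.

```python
# Two of the certificate attribute OIDs listed in Table 9-14.
COMMON_NAME = "2.5.4.3"
ORGANIZATION_NAME = "2.5.4.10"

# Constructed stand-in for the values an administrator populates under
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust<N>\
# ("Trust0" is the Cisco NAC Agent example from the text; "Trust1" is invented).
SAMPLE_TRUST_KEYS = {
    "Trust0": {
        "Certificate": {COMMON_NAME: "Cisco Systems"},
        "FileVersionInfo": {"ProductName": "Cisco NAC Agent"},
    },
    "Trust1": {
        "Certificate": {COMMON_NAME: "Example Corp Code Signing",
                        ORGANIZATION_NAME: "Example Corp"},
        "FileVersionInfo": {"CompanyName": "Example Corp",
                            "ProductName": "Patch Helper"},
    },
}


def chain_satisfied(chain, signer_subject, version_info):
    """One Trust<N> chain: every Certificate entry AND every FileVersionInfo entry
    must hold. Certificate values match the signer's subject attribute exactly but
    case-insensitively; FileVersionInfo values must appear (case-insensitively)
    inside the corresponding string of the file's version information."""
    cert_entries = chain.get("Certificate", {})
    fvi_entries = chain.get("FileVersionInfo", {})
    if not cert_entries and not fvi_entries:
        # Assumption of this example, not stated in the guide: a chain with no
        # entries would otherwise match every signed program, so reject it.
        return False
    for oid, expected in cert_entries.items():
        actual = signer_subject.get(oid)
        if actual is None or actual.lower() != expected.lower():
            return False
    for item, expected in fvi_entries.items():
        actual = version_info.get(item)
        if actual is None or expected.lower() not in actual.lower():
            return False
    return True


def qualified_chain(trust_keys, signature_trusted, signer_subject, version_info):
    """Return the name of the first Trust<N> chain that qualifies the program, or
    None. signature_trusted stands in for step 1 (the Windows signature check up to
    a Trusted Root CA), which is not re-implemented here; the chains are step 2,
    and satisfying any one of them is enough."""
    if not signature_trusted:
        return None
    for name in sorted(trust_keys, key=lambda k: int(k[len("Trust"):])):
        if chain_satisfied(trust_keys[name], signer_subject, version_info):
            return name
    return None


# Constructed descriptions of candidate programs: the signer certificate's subject
# attributes by OID, and the file's version-information strings.
NAC_AGENT = dict(signature_trusted=True,
                 signer_subject={COMMON_NAME: "cisco systems"},          # case differs
                 version_info={"ProductName": "Cisco NAC Agent 4.7.5"})  # contains value
PATCH_HELPER = dict(signature_trusted=True,
                    signer_subject={COMMON_NAME: "Example Corp Code Signing",
                                    ORGANIZATION_NAME: "example corp"},
                    version_info={"CompanyName": "EXAMPLE CORP",
                                  "ProductName": "Patch Helper"})
WRONG_ORG = dict(PATCH_HELPER, signer_subject={COMMON_NAME: "Example Corp Code Signing",
                                               ORGANIZATION_NAME: "Someone Else"})
UNSIGNED = dict(NAC_AGENT, signature_trusted=False)
```

WRONG_ORG fails Trust1 on the single mismatched Certificate entry even though its FileVersionInfo entries match, and UNSIGNED never reaches the chains at all.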


Create a Launch Programs Requirement

Use the following steps to configure a Launch Programs requirement.


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement.

Figure 9-44 New Launch Program Requirement

Step 2 For Requirement Type choose Launch Programs.

Step 3 Choose an Enforce Type from the dropdown menu:

Mandatory—Enforce requirement. The user is informed of this requirement and cannot proceed or have network access unless the client system meets it.

Optional—Do not enforce requirement. The user is informed of the requirement but can bypass it if desired (by clicking Next/Skip in the Agent dialog). The client system does not have to meet the requirement for the user to proceed or have network access.

Audit—Silently audit. The client system is checked "silently" for the requirement without notifying the user, and a report is generated. The report results (pass or fail) do not affect user network access.

Refer to Configuring an Optional/Audit Requirement for details.

Step 4 Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Agent dialogs in that order). Note that if a Mandatory requirement fails, the Agent does not continue past that point until that requirement succeeds.

Step 5 If you want to enable and configure Auto Remediation for the Agent:

a. Choose the Remediation Type [Manual | Automatic] from the dropdown menu. Choosing Manual preserves previous Agent behavior. The user has to click through each of the requirements using the Next/Skip button in the Agent. Choosing Automatic sets the Agent to perform Auto Remediation, where the Agent automatically performs updates or launches required programs on the client after the user logs in.

b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the default interval is 0). Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.

c. Enter the Retry Count. Specifying a retry count sets a limit on the number of times the Agent automatically retries the requirement if it initially fails. (The default retry count setting is 0.)

For details on configuring Auto Remediation, see Configuring Auto Remediation for Requirements.


Note The Cisco NAC Web Agent does not support Auto Remediation.


Step 6 Configure the program to be launched as follows:

a. For the Program Name, choose the root location from which to launch the program from the dropdown: SYSTEM_DRIVE, SYSTEM_ROOT, SYSTEM_32, SYSTEM_PROGRAMS, or None, and type the name of the program executable in the adjoining text field.

b. If a more specific path or program parameters are needed, type them in the Program Parameters text field.

c. Click Add Program. This adds the Program Name and Program Parameters to the sublist of programs to launch for the requirement.

d. Configure more programs to add, or click the Delete checkbox to remove programs from the list.

Step 7 When done configuring the program or list of programs to be added, type the Requirement Name.

Step 8 Type a Description to be displayed to users.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 9 Click the checkbox for the Windows Operating System for which this requirement applies.

Step 10 Click Add Requirement.


Map Requirements to Rules

Once the requirement is created and the remediation links and instructions are specified, map the requirement to a rule or set of rules. A requirement-to-rule mapping associates the ruleset that checks whether the client system meets the requirement to the user requirement action (Agent button, instructions, links) needed for the client system to comply.


Note The Mac OS X Agent does not support custom checks and custom rules. You can only assign AV and AS rules to the Link Distribution, Local Check, AV Definition Update, and AS Definition Update requirement types for Mac OS X posture remediation.


Use the following steps to map a requirement to rules.


Step 1 In the Clean Access Agent tab, click the Requirements submenu and then open the Requirement-Rules form.

Figure 9-45 Requirement-Rules Mapping

Step 2 From the Requirement Name menu, select the requirement to map.

Step 3 Verify the operating system for the requirement in the Operating System menu. The Rules for Selected Operating System list will be populated with all rules available for the chosen OS.

Step 4 For the Requirements met if option, choose one of the following options:

All selected rules succeed—if all the rules must be satisfied for the client to be considered in compliance with the requirement.

Any selected rule succeeds—if at least one selected rule must be satisfied for the client to be considered in compliance with the requirement.

No selected rule succeeds—if the selected rules must all fail for the client to be considered in compliance with the requirement.

If clients are not in compliance with the requirement, they will need to install the software associated with the requirement or take the steps instructed.

Step 5 For AV Virus Definition Rules (yellow background) and AS Spyware Definition rules (blue background), you can optionally configure the CAM to allow definition files on the client to be a number of days older than what the CAM has available from Updates (see Rules > AV-AS Support Info for the latest product file dates). This allows you to configure leeway into a requirement so that if no new virus/spyware definition files are released from a product vendor, your clients can still pass the requirement.

Click the checkbox for either:

For AV Virus Definition rules, allow definition file to be x days older than:

For AS Spyware Definition rules, allow definition file to be x days older than:

Type a number in the text box. The default is "0" indicating the definition date cannot be older than the file/system date.

Choose either:

Latest file date—This allows the client definition file to be older than the latest virus/spyware definition date on the CAM by the number of days you specify.

Current system date—This allows the client definition file to be older than the CAM's system date when the last Update was performed by the number of days you specify.


Note For AS Spyware Definition rules, the system will enforce this feature (allowing the definition files to be X days older than the current system date) until Cisco Update service is available to regularly update the date/version for Spyware definition files.

When this feature is configured for a requirement, the Agent checks for the definition date of the AV/AS product then verifies whether the date meets the requirement. If the Agent cannot detect the definition date (i.e., def date detection is not supported for that product), the system ignores this feature and the Agent checks whether the client has the latest definition version.


Step 6 Scroll down the page and click the Select checkbox next to each rule you want to associate with the requirement. The rules will be applied in their order of priority, as described in Table 9-13.

Figure 9-46 Select Rules to Map to Requirement

Step 7 Click Update.
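As an added example (not code from the guide), the model below combines the Priority and Enforce Type semantics from Create a Custom Requirement (Steps 3 and 4) with the Requirement met if options and the AV/AS definition-date leeway from this section; the requirement names, rule names, results and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Requirement:
    name: str       # Requirement Name shown in the Agent dialog
    priority: int   # lowest number is tested first
    enforce: str    # "Mandatory", "Optional" or "Audit"
    met_if: str     # "all", "any" or "none" selected rules succeed
    rules: list     # names of the rules mapped to the requirement


def requirement_met(req, rule_results):
    """Apply the 'Requirement met if' option to the mapped rules' results."""
    outcomes = [bool(rule_results[r]) for r in req.rules]
    if req.met_if == "all":
        return all(outcomes)
    if req.met_if == "any":
        return any(outcomes)
    if req.met_if == "none":
        return not any(outcomes)
    raise ValueError("unknown 'Requirement met if' option %r" % req.met_if)


def assess(requirements, rule_results):
    """Test requirements in priority order. Returns (access_granted, dialogs, audit):
    dialogs lists the failed Mandatory/Optional requirements the user is shown, in
    order (Optional ones prefixed as in the Agent); audit maps each Audit requirement
    to 'pass'/'fail' and is never shown to the user."""
    dialogs, audit = [], {}
    for req in sorted(requirements, key=lambda r: r.priority):
        met = requirement_met(req, rule_results)
        if req.enforce == "Audit":
            audit[req.name] = "pass" if met else "fail"   # silent, never blocks
        elif not met:
            dialogs.append(("Optional " if req.enforce == "Optional" else "") + req.name)
            if req.enforce == "Mandatory":
                # Remediation for this requirement is pushed; nothing after it is tested.
                return False, dialogs, audit
    return True, dialogs, audit


def definition_date_ok(client_def_date, reference_date, days_older_allowed=0):
    """AV/AS leeway from Step 5: the client's definition file may be up to N days
    older than the reference (Latest file date on the CAM or its Current system
    date). The default of 0 allows no leeway."""
    return client_def_date >= reference_date - timedelta(days=days_older_allowed)


# Constructed sample data: one client's rule results and a small requirement set.
SAMPLE_RULES = {"fwRunning": True, "csaRunning": False,
                "avDefsCurrent": False, "p2pInstalled": True}
SAMPLE_REQUIREMENTS = [
    Requirement("Windows Firewall enabled", 1, "Mandatory", "all", ["fwRunning"]),
    Requirement("CSA present (audit)", 2, "Audit", "all", ["csaRunning"]),
    Requirement("AV definitions current", 3, "Optional", "any", ["avDefsCurrent"]),
    Requirement("No P2P software", 4, "Mandatory", "none", ["p2pInstalled"]),
]
SAMPLE_CLIENT_DEF_DATE = date(2010, 3, 10)   # constructed definition file date
SAMPLE_CAM_LATEST_DATE = date(2010, 3, 12)   # constructed "Latest file date" on the CAM
```

With the sample data the client is blocked at the priority-4 Mandatory requirement after seeing the Optional one; clearing p2pInstalled grants access while the Audit failure is still recorded without ever being shown.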


Apply Requirements to User Roles

Once requirements are created, configured with remediation steps, and associated with rules, they need to be mapped to user roles. This last step applies your requirements to the user groups in the system.


Note Make sure you already have normal login user roles created as described in Create User Roles.


Use the following steps to map requirements to a user role.


Step 1 In the Clean Access Agent tab, click the Role-Requirements submenu link.

Figure 9-47 Role-Requirements Mapping

Step 2 From the Role Type menu, select the type of the role you are configuring. In most cases, this will be Normal Login Role.

Step 3 Select the name of the role from the User Role menu.

Step 4 Click the Select checkbox for each requirement you want to apply to users in the role.

Step 5 Click Update.

Step 6 Before finishing, make sure users in the role are required to use the Agent. See Require Agent Login for Client Machines.


Validate Requirements

The Clean Access Manager automatically validates requirements and rules as they are created. The Validity column under Device Management > Clean Access > Clean Access Agent > Requirements > Requirement List displays a blue checkmark if the requirement is valid and a red "X" if the requirement is invalid.

Highlighting red "X" icons (if any) with your mouse reveals which rule and which check are causing the requirement to be invalid, in the form:

Invalid rule [rulename] in package [requirementname] (Rule verification error: Invalid check [checkname] in rule expression)

The requirement must be corrected and made valid before it can be used. Typically requirements/rules become invalid when there is an operating system mismatch.

To Correct an Invalid Requirement:


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > Requirement-Rules.

Step 2 Correct any invalid rules or checks as described in Validate Rules.

Step 3 Select the invalid Requirement Name from the dropdown menu.

Step 4 Select the Operating System.

Step 5 Make sure the Requirement met if: expression is correctly configured.

Step 6 Make sure the rules selected for the requirement are valid (blue checkmark in Validity column).

Figure 9-48 Requirement List


Configuring an Optional/Audit Requirement

You can make any requirement Mandatory, Optional, or Audit-only using the Enforce Type dropdown menu in the New Requirement or Edit Requirement form. Optional requirements allow you to view administrative reports for an Agent user without blocking the client from the network if the optional requirement fails. If an optional requirement fails, the user is put in the Temporary role and will see "Optional" preceding the name of the requirement in the Agent dialog; however, the user can click Next/Skip and either proceed to the next requirement or to the network if no other requirements are configured.

If you want to provide an extended period of time for users to meet requirements without blocking them from the network, you can configure an optional requirement with instructions to comply by a certain date. You can later enforce the requirement at the specified date to make the requirement mandatory.

If you want to ensure that the client system is checked "silently" for the requirement without notifying the user, and that a report is generated and sent back to the CAS, you can configure an audit-only requirement which only reports results (pass or fail) and does not affect user network access.

To create an Optional or Audit requirement:


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement.

Figure 9-49 Optional/Audit Requirement

Step 2 Choose a Requirement Type from the dropdown.

Step 3 Choose Optional (do not enforce) or Audit (silent assessment) as the Enforce Type from the dropdown menu.

For an Optional requirement, the user is informed of the requirement but can bypass it if desired (by clicking Next/Skip in the Agent dialog). The client system does not have to meet the requirement for the user to proceed or have network access. For an Audit requirement, the system generates audit reports, but no user dialogs appear on the client machine and the user's network access is unaffected.

Step 4 Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means this requirement is checked on the system ahead of all other requirements (and appears in the Agent dialogs in that order). Note that if a Mandatory requirement fails, the Agent does not continue past that point until that requirement succeeds.


Note The Mac OS X Agent does not support automatic remediation. Therefore, the Remediation functions that appear on the New Requirement configuration page (Remediation Type, Interval, and Retry Count) do not serve any purpose when creating requirement types for Macintosh client remediation.


Step 5 If you want to enable and configure Auto Remediation for the Agent:

a. Choose the Remediation Type [Manual | Automatic] from the dropdown menu. Choosing Manual preserves previous Agent behavior. The user has to click through each of the requirements using the Next/Skip button in the Agent. Choosing Automatic sets the Agent to perform Auto Remediation, where the Agent automatically performs updates or launches required programs on the client after the user logs in.

b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the default interval is 0). Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.

c. Enter the Retry Count []. Specifying a retry count sets a limit on the number of times the Agent automatically retries the requirement if it initially fails. (The default retry count setting is 0.)

For details on configuring Auto Remediation, see Configuring Auto Remediation for Requirements.


Note The Cisco NAC Web Agent does not support Auto Remediation.


Step 6 Configure specific fields for the requirement type.

Step 7 Type the Requirement Name for the optional requirement.

Step 8 Type instructions in the Description field to inform users that this is an optional requirement and that they can still proceed to the network by clicking the Next/Skip button on the Agent dialog. Note the following:

File Distribution displays a Download button on the Agent.

Link Distribution displays a Go To Link button on the Agent.

Local Check displays a Re-Scan button on the Agent.

AV Definition Update displays an Update button on the Agent.

AS Definition Update displays an Update button on the Agent.

Windows Update displays an Update button on the Agent.

Launch Programs displays a Launch button on the Agent.

Windows Server Update Service displays an Update button on the Agent.


Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.


Step 9 Click the checkbox(es) for the Operating System.

Step 10 Click Add Requirement.

Optional requirements must be mapped to rules and user roles in the same way as mandatory requirements. Refer to Map Requirements to Rules and Apply Requirements to User Roles for details.

Figure 9-50 Example Cisco NAC Agent Dialog for Optional Requirement

Figure 9-51 Example Mac OS X Agent Dialog for Optional Requirement


Configuring Auto Remediation for Requirements

You can configure Auto Remediation for all requirement types except File Distribution and Local Check.


Note This configuration example is specific to the Cisco Clean Access Agent. The Mac OS X Agent and Cisco NAC Web Agent do not support Auto Remediation.


To configure Auto Remediation:


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement, and select the Requirement Type. You can configure Auto Remediation for:

Link Distribution

AV Definition Update

AS Definition Update

Windows Update

Launch Programs

Windows Server Update Services

Step 2 Choose the Enforce Type [Mandatory | Optional | Audit] from the dropdown.

Step 3 Choose the Remediation Type [Manual | Automatic] from the dropdown.

Choosing Manual preserves the previous Agent behavior. The user has to click through each of the requirements using the Next/Skip button.

Choosing Automatic sets the Agent to perform Auto Remediation, where the Agent automatically performs updates or launches required programs on the client after the user logs in. The Agent automatically performs different actions depending on the requirement type, for example:

Auto launches URL in the default browser for Link Distribution

Auto updates AV/AS definition files on the client for AV/AS Definition Update

Auto launches Windows Auto Update(s) (in background) for Windows Update

Auto launches programs for Launch Programs

Auto installs WSUS client updates for Windows Server Update Services

When you check the Automatic option, you can optionally configure how long the Agent waits before it retries the same requirement (Interval), and how many times the Agent retries the requirement if it initially fails on the client (Retry Count). The effect of these options is slightly different depending on the requirement type.


Note During Auto Remediation on the Agent, the resulting dialog displays only two buttons: Details and Manual. Clicking Details shows additional progress messages for the Auto Remediation. If Auto Remediation fails, the user can click the Manual button to change the Agent back to Manual mode, where the user has to click through each requirement.


Step 4 Enter a value for the Interval [] Secs setting:

Interval [] Secs—Default is 0. Depending on the requirement type, this interval either sets the delay before the Agent re-attempts remediation or sets the total time allowed for a particular remediation process. When the interval is set to 0, the Agent continues to attempt Auto Remediation until the temporary role times out.

AV Definition Update/AS Definition Update/Windows Server Update Services—when the initial remediation attempt fails, this interval defines how long the Agent waits before it restarts the next update attempt. For example, if setting this interval to 30 seconds for an AV Definition Update, at the end of the initial attempt to update the client's AV definition file, the Agent waits 30 seconds then starts the next update attempt if the requirement failed.

Link Distribution/Windows Update/Launch Programs—for these requirement types, the interval defines the total number of seconds the Agent allows for the remediation attempt to complete. For example, if setting this interval to 60 seconds for a Launch Programs requirement, the Agent launches the program(s) and allows 60 seconds for the programs to execute. If the client has not met the requirement at the end of 60 seconds, the Agent launches the programs again immediately.

Step 5 Enter a value for the Retry Count []:

Retry Count [] - Default is 0. When the interval is 0, the Agent continues to attempt Auto Remediation until the temporary role times out. Otherwise, specifying a retry count sets a limit on the number of times the Agent automatically retries the requirement if it initially fails. If the Retry Count is reached before the Temporary role timeout, the Auto Remediation dialog displays red status text telling the user to click the Manual button.

AV Definition Update / AS Definition Update / Windows Server Update Services

Link Distribution / Windows Update / Launch Programs

If a Mandatory requirement still fails after the Retry Count, the Agent stops and does not perform the next priority requirement for the user role. Users will not have network access.

For an Optional requirement, the Agent always continues to the next requirement after the initial attempt finishes, regardless of the Retry Count specified and whether the initial attempt succeeded or failed. However, if an Interval is specified, the Agent waits that amount of time before continuing to the next requirement.
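To work through how the Interval and Retry Count settings interact for the two requirement-type groups and the two enforce types, the following Python model is added to this section; it is not Cisco software and not part of the original guide. The per-attempt run time, the Temporary role timeout value and the attempt outcomes are constructed inputs, and Audit requirements are left out of the model.

```python
"""Added example, not Cisco code: a model of the Auto Remediation Interval / Retry Count
rules described above, so the effect of requirement type, Enforce Type, Interval,
Retry Count and the Temporary role timeout can be worked through before deploying.
Attempt outcomes and the per-attempt run time are constructed inputs."""
from dataclasses import dataclass
from typing import Sequence

# Requirement types grouped by what "Interval" means for them (per the guide).
DELAY_BEFORE_RETRY = {"AV Definition Update", "AS Definition Update",
                      "Windows Server Update Services"}
TIME_ALLOWED_PER_ATTEMPT = {"Link Distribution", "Windows Update", "Launch Programs"}


@dataclass
class RemediationResult:
    status: str           # "met", "manual", "temp_role_timeout" or "continued"
    attempts: int         # attempts the Agent made, initial attempt included
    elapsed: int          # simulated seconds spent on this requirement
    continues: bool       # does the Agent move on to the next-priority requirement?
    access_blocked: bool  # is the user left without network access?


def simulate_auto_remediation(req_type: str, enforce_type: str, interval: int,
                              retry_count: int, outcomes: Sequence[bool],
                              temp_role_timeout: int,
                              attempt_duration: int = 10) -> RemediationResult:
    """Walk one requirement through Auto Remediation.

    outcomes[i] says whether attempt i meets the requirement; the last value repeats
    if more attempts are made. attempt_duration is the assumed natural run time of one
    update attempt in seconds (only used where Interval does not bound the attempt).
    """
    if enforce_type not in ("Mandatory", "Optional"):
        raise ValueError("model covers Mandatory and Optional requirements only")
    if req_type in DELAY_BEFORE_RETRY:
        # Interval = pause after a failed attempt before the next attempt starts.
        per_attempt, pause = attempt_duration, interval
    elif req_type in TIME_ALLOWED_PER_ATTEMPT:
        # Interval = total time granted to one attempt; relaunch immediately after.
        per_attempt, pause = (interval or attempt_duration), 0
    else:
        raise ValueError(f"{req_type!r} does not support Auto Remediation")

    # Interval 0: retry until the Temporary role times out; Retry Count is not applied.
    max_attempts = None if interval == 0 else 1 + retry_count
    elapsed = attempts = 0
    while True:
        ok = outcomes[min(attempts, len(outcomes) - 1)]
        attempts += 1
        elapsed += per_attempt
        if elapsed >= temp_role_timeout:
            # Temporary role expired mid-remediation: session ends, no access.
            return RemediationResult("temp_role_timeout", attempts,
                                     temp_role_timeout, False, True)
        if enforce_type == "Optional":
            # Optional: a single attempt, then (after the Interval, if any) the Agent
            # continues to the next requirement whether or not this one was met.
            return RemediationResult("met" if ok else "continued", attempts,
                                     elapsed + pause, True, False)
        if ok:
            return RemediationResult("met", attempts, elapsed, True, False)
        if max_attempts is not None and attempts >= max_attempts:
            # Retry Count reached before the Temporary role timeout: the dialog shows
            # red status text and the user must click Manual; the Agent stops here.
            return RemediationResult("manual", attempts, elapsed, False, True)
        elapsed += pause


if __name__ == "__main__":
    scenarios = [  # constructed scenarios: type, enforce, interval, retries, outcomes, timeout
        ("AV Definition Update", "Mandatory", 30, 2, [False, False, True], 600),
        ("AV Definition Update", "Mandatory", 30, 1, [False, False, True], 600),
        ("Windows Update", "Mandatory", 0, 5, [False], 300),
        ("Launch Programs", "Mandatory", 60, 1, [False, True], 600),
        ("AV Definition Update", "Optional", 30, 3, [False, False, True], 600),
    ]
    for s in scenarios:
        print(s[:4], simulate_auto_remediation(*s))
```

The third scenario shows the point made above about Interval 0: the Retry Count of 5 is never applied, and the Agent keeps retrying until the Temporary role timeout ends the session.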

Figure 9-52 Clean Access Agent Auto Remediation Example—Windows Update In Process

If Auto Remediation fails, the user sees a failure message similar to the one in Figure 9-53 and can click the Details button to view the remediation results (Figure 9-54) or click Continue to return to the Clean Access Agent authentication process. The user can then either cancel the login session or accept "restricted" network access (Figure 9-55).

Figure 9-53 Clean Access Agent Auto Remediation Example—Windows Update Failed

Figure 9-54 Clean Access Agent Auto Remediation Example—Auto Remediation Details

Figure 9-55 Clean Access Agent Auto Remediation Example—Return to WSUS Requirement Authentication Dialog


Post-Configuration and Agent Maintenance on the CAM

Once you have configured Agent login and client posture assessment, and users are able to successfully access the Cisco NAC Appliance network, you can use the following topics to manage Agent versions on client machines in your network:

Manually Uploading the Agent to the CAM

Downgrading the Agent

Configure Agent Auto-Upgrade


Note If you are uploading an older (pre-release 4.6(1)) Windows Clean Access Agent to the CAM, refer to the uploading and downgrading instructions in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1).


Manually Uploading the Agent to the CAM

When performing a software upgrade or new install of the CAM/CAS, it is not necessary to upload Agent installation files since they are automatically included with the CAM software. In certain cases, you can manually upload either the Windows Cisco NAC Agent Installation File (nacagentsetup-win.tar.gz) or Mac OS X Agent Installation File (CCAAgentMacOSX-4.6.x.y-k9.tar.gz) directly to the CAM (for example, if you need to reinstall the Agent or downgrade the version of the Agent distributed to new users—see Downgrading the Agent for details).

To support Windows Clean Access Agent backward compatibility, you can also manually upload the Windows Clean Access Agent Setup File (CCAAgentSetup-4.x.y.z.tar.gz) directly to the CAM. This feature allows administrators to revert to a previous Windows Agent Setup file for distribution. You can manually upload the Agent Setup File using the CAM Device Management > Clean Access > Clean Access Agent > Distribution web console page.


Note The CAM will automatically publish the Agent Installation/Setup file to the connected CAS(s) when the file is uploaded manually. There is no version check while publishing, so the Agent Installation/Setup can be downgraded or replaced. For details on version compatibility for the CAM/CAS and Agent, refer to Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later.



Caution You must upload the Agent file as a tar.gz file (without untarring it) to the CAM. Make sure you do NOT extract the .exe file before uploading.


Step 1 Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

Step 2 Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance > Cisco NAC Appliance 4.7.

Step 3 Click the directory link for the appropriate release, for example "4.7.5."

Step 4 Download the Cisco NAC Agent (nacagentsetup-win.tar.gz) installer file to your local machine.


Note The CAM does not accommodate Cisco NAC Agent installation files (nacagentsetup-win.tar.gz) and Windows Clean Access Agent Setup files (CCAAgentSetup-4.x.y.z.tar.gz) simultaneously. If you upload an older Windows Clean Access Agent Setup file, you will wipe out the existing Cisco NAC Agent installation and XML Agent configuration files, and vice versa.


Step 5 Go to Device Management > Clean Access > Clean Access Agent > Distribution (see Agent Distribution).

Step 6 In the Upload Agent File field, click Browse, and navigate to the folder where the appropriate Agent file is located.

Step 7 Select the .tar.gz file and click Open. The name of the file should appear in the text field.

Step 8 In the Version field, type the version of the Agent to be uploaded (for example, 4.7.5.4).


Caution You must upload the Agent file as a tar.gz file (without untarring it) to the CAM. Make sure you do NOT extract the .exe file before uploading.

Step 9 Click Upload.


Downgrading the Agent

The following steps describe how to manually downgrade the version of the Agent on the CAM.


Step 1 Under Device Management > Clean Access > Clean Access Agent > Distribution, disable the Current NAC Agent is a mandatory upgrade checkbox and click Update.

Step 2 Under Device Management > Clean Access > Updates, disable the Check for Windows NAC Agent updates checkbox and click Update.

Step 3 Follow the instructions in Manually Uploading the Agent to the CAM.


Note Users cannot automatically "downgrade" the Cisco NAC Agent on the client machine. In order to support Agent downgrade for the Cisco NAC Agent, the user must first uninstall the existing Agent, then log back into Cisco NAC Appliance to install the available Agent version.


Step 4 Make sure that all the CASs are listed with a status of "Connected" under Device Management > CCA Servers > List of Servers.

Step 5 Under Device Management > Clean Access > Clean Access Agent > Distribution, first browse to the Setup.tar.gz file and upload it to the CAM. Make sure you type the correct version of the Agent (for example, "4.1.10.0") in the Version field before you click Upload. Files will be published to the CASs automatically.


Note The CAM does not accommodate Cisco NAC Agent installation files (nacagentsetup-win.tar.gz) and Windows Clean Access Agent Setup files (CCAAgentSetup-4.x.y.z.tar.gz) simultaneously. If you upload an older Windows Clean Access Agent Setup file, you will wipe out the existing Cisco NAC Agent installation and XML Agent configuration files, and vice versa.


Step 6 Create a Local Check requirement that provides instructions to the end user to uninstall the Agent (e.g. 4.1.x.y) and perform weblogin again to download the downgraded Agent (e.g. 4.1.2.1).


Note The Mac OS X Agent does not support downgrade. For example, if you upload an old Mac OS X Agent (lower version number) and check the Current NAC Agent is a mandatory upgrade option, the client machine does not prompt for auto-upgrade.



Configure Agent Auto-Upgrade

This section describes the following:

Enable Agent Auto-Upgrade on the CAM

Disable Agent Upgrades to Users

Disable Mandatory Agent Auto-Upgrade on the CAM

User Experience for Agent Auto-Upgrade

Uninstalling the Agent

Agent Auto-Upgrade Compatibility

Enable Agent Auto-Upgrade on the CAM

To enable Agent Auto-Upgrade, you must:

Be running Cisco NAC Appliance release 4.1(0) or later on the Clean Access Manager and Clean Access Server, and already have the Agent installed on client machines. (See User Experience for Agent Auto-Upgrade.)

Require use of the Agent for the role and client operating system. (See Require Agent Login for Client Machines.)

Retrieve the latest version of the Agent installation file. For both mandatory and optional Auto-Upgrade, a newer version of the Agent installer must be downloaded to the CAM via Device Management > Clean Access > Updates > Update, or users will not be prompted to upgrade to the newer Agent. (See Require Agent Login for Client Machines.)


Note If you have upgraded the Cisco NAC Web Agent installer, users logging in using the Web Agent always log in using that Agent version.


Disable Agent Upgrades to Users

You can disable notification and distribution of the Agent installation file upgrade to users as follows:


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Distribution (see Figure 9-7).

Step 2 Enable (check) the Do not offer current NAC Agent to users for upgrade option.

Step 3 Click Update.


Disable Mandatory Agent Auto-Upgrade on the CAM

New installs of the CAM/CAS automatically enable mandatory auto-upgrade by default. For CAM/CAS upgrades, the current setting (enabled or disabled) will be carried over to the upgraded system. To disable mandatory Agent auto-upgrade for all users:


Step 1 Go to Device Management > Clean Access > Clean Access Agent > Distribution (Figure 9-7).

Step 2 Disable (uncheck) the Current NAC Agent is a mandatory upgrade option.

Step 3 Click Update.


Note Cisco recommends setting the Current NAC Agent is a mandatory upgrade option to ensure the latest AV/AS product support.



User Experience for Agent Auto-Upgrade

With auto-upgrade enabled, and a newer version of the Agent available in the CAM, the user experience is as follows:

New users download and install the latest available version of the Agent after the initial one-time web login.

Existing users are prompted at login to auto-upgrade to the latest version of the Agent available (if upgrade notification is enabled for users). After the user accepts the prompt to upgrade, the client automatically begins installing the newer Agent version.

Out-of-Band users must be on the Authentication VLAN to be prompted to automatically upgrade the Agent at login.

In-Band users remain logged into the Agent when the user logs off the Windows domain or shuts down the machine, unless the General Setup page is configured otherwise. See Logoff NAC Agent users from network on their machine logoff or shutdown after <x> secs (for Windows & In-Band setup) for details.

Uninstalling the Agent

This section describes how to:

Uninstall Cisco NAC Agent

Uninstall Windows Clean Access Agent

Uninstall Mac OS X Agent

Uninstall Cisco NAC Agent

The Agent installs to C:\Program Files\Cisco\Cisco NAC Agent\ on the Windows client. You can uninstall the Agent in the following ways:

By double-clicking the Uninstall Cisco NAC Agent desktop icon

By going to Start Menu > Programs > Cisco Systems > Cisco Clean Access > Uninstall Cisco NAC Agent

By going to Start Menu > Control Panel > Add or Remove Programs > Cisco NAC Agent


Note To change the version of the Agent on the CAM, see Manually Uploading the Agent to the CAM.


Uninstall Windows Clean Access Agent

The Agent installs to C:\Program Files\Cisco Systems\Clean Access Agent\ on the Windows client. You can uninstall the Clean Access Agent in the following ways:

By going to Start Menu > Programs > Cisco Systems > Cisco Clean Access > Uninstall Clean Access Agent

By going to Start Menu > Control Panel > Add or Remove Programs > Cisco Clean Access Agent


Note To change the version of the Agent distributed from the CAM, see Manually Uploading the Agent to the CAM.


Uninstall Mac OS X Agent

In Mac OS X Agent version 4.7.5.531, you can uninstall the Agent by running the uninstall script as follows:


Step 1 Open the navigator pane and navigate to <local drive ID> > Applications.

Step 2 Highlight and right-click the CCAAgent icon to bring up the selection menu.

Step 3 Choose Show Package Contents and double-click NacUninstall.

Step 4 This will uninstall the Agent on Mac OS X.


In previous versions of the Mac OS X Agent, there are two steps to uninstall the Agent:


Step 1 Perform any one of the following:

Open up a Terminal.app session and enter the following:

sudo rm -rf /sbin/dhcp_refresh /opt/cisco/nac/Applications/CCAAgent.app

For Mac OS X 10.7, open up a Terminal.app session and enter the following:

sudo rm -rf /sbin/dhcp_refresh /Applications/CCAAgent.app

[or]

Drag the Agent application to the trash can. The Agent application is located at /Library/Application Support/Cisco Systems/CCAAgent.app.

For Mac OS X 10.7, go to Finder > Application > CCAAgent.app, right-click and then click Move to Trash.

Step 2 For Mac OS X 10.4 and 10.5, enter the following in the Terminal.app session:

sudo rm -rf /Library/Receipts/CCAAgent.pkg

Note Cisco NAC Appliance Release 4.7(5) does not support Mac OS X 10.4.


For Mac OS X 10.6 and 10.7, enter the following in the Terminal.app session:

sudo rm -rf /var/db/receipts/com.cisco.cca.CCAAgent.*

Once these two steps are done, the next time you run the installer, the button in the installer will display "INSTALL" instead of "UPGRADE" because you have completely removed all traces of the application.

Removing the dhcp_refresh Tool from Macintosh OS X

To completely remove the Mac OS X Agent and related files, you must ensure that the dhcp_refresh file in the /sbin folder is deleted.

You may need to manually remove the dhcp_refresh tool that is copied and stored in /sbin. The dhcp_refresh tool is copied to this location either by the Java applet or by the Mac Agent installer application. There are two ways you can remove this tool:

Open up a Terminal.app session and enter the following:

cd /sbin
sudo rm dhcp_refresh

Use the Finder.app method:

a. Navigate to Finder > Go > Go to Folder.

b. Enter /sbin at the prompt.

c. Drag the dhcp_refresh file to the trash can.

d. Enter your administrator password at the authentication dialog that pops up.

Agent Auto-Upgrade Compatibility

The newest versions of the Agent installation files are automatically included with the CAM software for each Cisco NAC Appliance software release. Every version of the Agent is compatible with the same version of the server product. For example:

4.7.5.4 Cisco NAC Agent works with 4.7(5) CAS/CAM

4.7.3.2 Cisco NAC Agent works with 4.7(3) CAS/CAM

4.7.2.10 Cisco NAC Agent works with 4.7(2) CAS/CAM

4.7.1.511 Cisco NAC Agent works with 4.7(1) CAS/CAM

4.7.1.15 Cisco NAC Agent works with 4.7(0) CAS/CAM

By design, every new 4.7.x.x Agent is intended to have basic backward compatibility with any 4.7(x) Clean Access Server. In addition, 4.7(x) Clean Access Servers are designed to be compatible with later 4.7.x.x Agents. Basic compatibility means the Agent is able to perform basic functions such as login, logout, look for configured requirements, and report vulnerabilities.

For Clean Access Agent version compatibility details, refer to Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later.

Versioning

The Cisco NAC Agent uses four-field versioning (for example, 4.7.5.4):

Cisco NAC Agent version 4.7.5.4 is bundled with Cisco NAC Appliance Release 4.7(5).

Upgrades to the Agent (e.g. 4.7.5.4) typically correspond to AV/AS product support enhancements and/or Agent compatibility (e.g. OS support).

New Agent versions bundled with a Cisco NAC Appliance release (e.g. Cisco NAC Agent version 4.7.5.4) incorporate and supersede previous versions of the Clean Access Agent (e.g. 4.7.1.511, 4.7.1.15, and 4.6.2.113).

Cisco Updates

With auto-upgrade enabled and the Agent already installed on clients, the Agent automatically detects when an Agent update is available, downloads the update from the CAS, and upgrades itself on the client after user confirmation. Administrators can make Agent auto-upgrade mandatory or optional for users.

To prevent distribution of the Agent update to users altogether, you can check the Do not offer current NAC Agent to users for upgrade option from the Agent Distribution page. This prevents the user upgrade notification when a newer Agent update becomes available on the CAM.


Note For further details on version upgrade restrictions, refer to the "Agent Upgrade Compatibility Matrix" of the Release Notes for Cisco NAC Appliance.