Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(1)
Cisco NAC Appliance Agents
Cisco NAC Appliance Agents

Table Of Contents

Cisco NAC Appliance Agents

Cisco NAC Agent

Windows Cisco NAC Agent Overview

Configuration Steps for the Windows Cisco NAC Agent

Windows Cisco NAC Agent User Dialogs

RADIUS Challenge-Response Cisco NAC Agent Dialogs

Cisco NAC Web Agent

Overview

System Requirements

Configuration Steps for the Cisco NAC Web Agent

Cisco NAC Web Agent User Dialogs

Mac OS X Cisco NAC Agent

Mac OS X Cisco NAC Agent Overview

Configuration Steps for the Mac OS X Cisco NAC Agent

Mac OS X Cisco NAC Agent Configuration File Settings

Mac OS X Posture Assessment Prerequisites/Restrictions

Mac OS X Agent Prerequisites

Mac OS X Agent Restrictions

CAM/CAS Restrictions

Requirement Types Supported for Mac OS X Agent

Mac OS X Cisco NAC Agent Dialogs

Mac OS X Cisco NAC Agent Application File Locations

RADIUS Challenge-Response Mac OS X Cisco NAC Agent Dialogs


Cisco NAC Appliance Agents


This chapter presents overviews, login flow, and session termination dialogs for the following Cisco NAC Appliance access portals:

Cisco NAC Agent

Cisco NAC Web Agent

Mac OS X Cisco NAC Agent


Note For details on the Windows versions of the Clean Access Agent that are still supported in release 4.9(x), refer to the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.9 and the corresponding Release Notes for Cisco NAC Appliance.


Cisco NAC Agent

This section describes how to configure the Cisco NAC Agent to allow users to log in to the internal network via a persistent network access application installed on the client machine.

Windows Cisco NAC Agent Overview

Configuration Steps for the Windows Cisco NAC Agent

Windows Cisco NAC Agent User Dialogs

Windows Cisco NAC Agent Overview

The Cisco NAC Agent provides local-machine Agent-based posture assessment and remediation for client machines. The Cisco NAC Agent is designed to provide user login capability on a wide range of Windows client machines, including clients running 64-bit operating systems, and offers "double-byte" support to enable native localization for a large variety of languages.

Users download and install the Cisco NAC Agent (read-only client software), which can check the host registry, processes, applications, and services. The Cisco NAC Agent can be used to perform Windows updates or antivirus/antispyware definition updates, launch qualified remediation programs, distribute files uploaded to the Clean Access Manager, distribute website links to websites in order for users to download files to fix their systems, or simply distribute information/instructions.

Users without administrator privileges upgrading their Windows client machine from an earlier version of the Clean Access Agent (version 4.5.2.0 or 4.1.10.0 and earlier) to the Cisco NAC Agent must have the CCAAgentStub.exe Agent Stub installed on the client machine to facilitate upgrade. (Users with administrator privileges do not need this file.) After successful Cisco NAC Agent installation, the user is not required to have administrator privileges on the client machine, nor is the CCAAgentStub.exe Agent Stub file needed.

After users log into the Cisco NAC Agent, the Agent gets the requirements configured for the user role/operating system from the Clean Access Server, checks for the required packages, and sends a report back to the CAM (via the CAS). If requirements are met on the client, the user is allowed network access. If requirements are not met, the Agent presents a dialog to the user for each unmet requirement. The dialog (configured in the New Requirement form) provides the user with instructions and the action to take for the client machine to meet the requirement.

Cisco NAC Agent posture assessment is configured in the CAM by creating requirements based on rules and (optionally) checks, then applying the requirements to user roles/client operating systems. For more information, see Configuring Agent-Based Posture Assessment.

Cisco NAC Agent Download

Figure 10-1 illustrates the general user sequence for the initial download and install of the Cisco NAC Agent, if the administrator has required use of the Agent for the user's role and OS.

Figure 10-1 Downloading the Cisco NAC Agent

The Cisco NAC Agent software is always included as part of the Clean Access Manager software. When the CAM is installed, the Agent Installation file is already present and automatically published from the CAM to the CASs. To distribute the Agent to clients, you simply require the use of the Agent in the CAM web console for the desired user role/operating system. Once downloaded and installed, the Agent performs checks on the client according to the requirements you have configured in the CAM.

First-time users can download and install the Agent by opening a web browser to log into the network. If the user's login credentials associate the user to a role that requires the Agent, the user will be redirected to the Agent download page. After the Agent is downloaded and installed, the user is immediately prompted to log into the network using the Agent dialogs, and is scanned for requirements. After successfully meeting the requirements configured for the user's role and operating system and passing scanning (if enabled), the user is allowed access to the network.


Note In the Windows 8 operating system, Internet Explorer has two modes, Desktop and Metro. In Metro mode, ActiveX plugins are restricted, so you cannot download the NAC Agent. You must switch to Desktop mode and then launch Internet Explorer to download the NAC Agent.



Note Unlike the Clean Access Agent, the Cisco NAC Agent does not support Nessus-based network scanning.


You can distribute Agent Upgrades to clients by configuring auto-upgrade options in the web console. Agent Upgrades are retrieved on the CAM via Retrieving Cisco NAC Appliance Updates.

Configuration Steps for the Windows Cisco NAC Agent

The basic steps needed to configure the Windows Cisco NAC Agent are as follows:

1. Make sure to follow the steps in Agent Configuration Steps to enable distribution and download of the Cisco NAC Agent.

2. Configure Agent requirements using the instructions in Configuring Agent-Based Posture Assessment:

a. Configuring AV/AS Definition Update Requirements

b. Configuring a Windows Server Update Services Requirement

c. Configuring a Windows Update Requirement

d. Configuring Custom Checks, Rules, and Requirements

e. Configuring a Launch Programs Requirement

f. Map Requirements to Rules

g. Apply Requirements to User Roles

h. Validate Requirements

i. Configuring an Optional/Audit Requirement

Windows Cisco NAC Agent User Dialogs


Note Client machine browsers accessing a FIPS-compliant Cisco NAC Appliance network require TLSv1 in order to "talk" to the network, which is disabled by default in Microsoft Internet Explorer Version 6. Users can enable this option in Internet Explorer version 6 by following the same instructions for administrators accessing the CAM/CAS web console via IE version 6. See the "Enabling TLSv1 on Internet Explorer Version 6" installation troubleshooting section of the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.


This section illustrates the user experience when Cisco NAC Appliance is installed on your network and the Cisco NAC Agent is required and configured for the user role.


Note For details on the Cisco NAC Agent when configured for Single Sign-On (SSO) behind a VPN concentrator, see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(1).


1. When the user first opens a web browser, the user is redirected to the web login page (Figure 10-2).

Figure 10-2 Login Page

2. The user logs into the web login page and is redirected to the Agent Download page (Figure 10-3) for the one-time download of the Cisco NAC Agent installation file.

Figure 10-3 Cisco NAC Agent Download Page

3. The user clicks the Launch Cisco NAC Windows Agent Installer button (the button displays the version of the Agent being downloaded).


Note If the Allow restricted network access in case user cannot use Cisco NAC Agent or Cisco NAC Web Agent option is selected under Device Management > Clean Access > General Setup > Agent Login, the Get Restricted Network Access button and related text will display in the Agent Download page. See Agent Login for details.



Note If the existing CAS certificate is not trusted on the client, the user must accept the optional certificate in the Security Alert dialog that appears before the user can download the Agent.


Figure 10-4 ActiveX Installation Notice

4. If the user's web browser settings are configured to verify actions like installing an ActiveX control on the client machine, the user may need to verify the action. For example, in the case of Microsoft IE, the user may need to click on a status bar that appears in the browser window and choose the Install ActiveX Control option from the resulting pop-up to validate the ActiveX process. If the ActiveX control fails to initialize, the user sees an ActiveX installation notice and, if you have set up the Cisco NAC Appliance system to do so, the Cisco NAC Appliance system attempts to download the Agent installation files via Java applet.


Note ActiveX is supported only on the 32-bit versions of Internet Explorer. You cannot install ActiveX on a Firefox web browser or on a 64-bit version of Internet Explorer.



Note If you specify that the Java applet method is preferred using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration screen, the order of these possibilities is reversed—the user sees a Java applet failure notice before the ActiveX control attempts to install the Agent files on the client machine.


Figure 10-5 Java Installation Notice


Note If the version of the Agent being downloaded from the CAM is "unsigned" (if it has been handed over directly from Cisco Support as a patch version, for example), the user may see an additional Java Security Notice like the one in Figure 10-6.


Figure 10-6 Java Applet Security Notice

If both the ActiveX and Java applet Agent download and install methods fail, the user sees a Windows dialog informing the user that Cisco NAC Agent login failed. The user must either contact the Cisco NAC Appliance network administrator to help troubleshoot the installation process, or (if enabled for the user's login role) accept "Restricted" network access for the time being until they can fix the Agent installation problem.

5. After the user allows the ActiveX control to install the Agent files, or acknowledges the Java certificate security warning and chooses to accept the Java applet contents, the client machine downloads the Agent installer and all required ancillary files, saves them on the client machine, and the browser window displays a "Cisco NAC Agent was successfully installed!" message (Figure 10-7).

Figure 10-7 Cisco NAC Agent Installed Successfully

The installation step in the process can take anywhere from just a few seconds to several minutes, depending on your connection speed. Typically, a fast connection speed like a 10/100 Ethernet LAN link will take very little time, whereas a relatively slow connection link like ISDN could take significantly longer.

6. The user should Save the Update.exe file to a download folder and then Run the executable on the client machine.


Note If the CAS certificate is not trusted on the client, the user must accept the certificate in the Security Alert dialog that appears before Agent installation can successfully proceed.


7. The Cisco NAC Agent Client - Welcome to the InstallShield Wizard dialog appears (Figure 10-8).

Figure 10-8 Cisco NAC Agent InstallShield Wizard—Welcome

8. Before the Agent installation process can continue, the user must first click the I accept the terms in the license agreement option in the "End User License Agreement" dialog and click Next (Figure 10-9).

Figure 10-9 Cisco NAC Agent Installation—License Agreement

9. The user also has the option to install the complete collection of Cisco NAC Agent files or specify one or more items by choosing the Custom option and clicking Next (Figure 10-10).

Figure 10-10 Cisco NAC Agent Installation—Setup Type

10. The Cisco NAC Agent Client - InstallShield Wizard dialog appears (Figure 10-11).

Figure 10-11 Cisco NAC Agent InstallShield Wizard—Ready to Install

11. The setup wizard prompts the user through the short installation steps to install the Cisco NAC Agent to C:\Program Files\Cisco\Cisco NAC Agent.

Figure 10-12 Cisco NAC Agent Installation In Progress

Figure 10-13 Cisco NAC Agent Installation Complete

12. When the InstallShield Wizard completes and the user clicks Finish, the Cisco NAC Agent login dialog pops up (Figure 10-14) and the Cisco NAC Agent taskbar icon appears in the system tray.

Figure 10-14 Cisco NAC Agent Login Dialog

13. The user enters credentials to log into the network. Similar to the web login page, the user can choose an authentication provider from the Server list (if configured for multiple authentication providers).


Note If multiple authentication providers are available in the Server list and a user logs in with invalid credentials, the Server selection automatically reverts to the default authentication provider. If the session-based Remember Me checkbox is checked, the last selected provider is shown instead of the default authentication server in case of invalid credentials.



Note Clicking the session-based Remember Me checkbox causes the User Name and Password fields to be populated with the last values entered throughout multiple logins/logouts if the user does not exit or upgrade the application or reboot the machine. On shared machines, the Remember Me checkbox can be unchecked to ensure multiple users on the machine are always prompted for their individual username and password.

If Cisco NAC Appliance employs a RADIUS server for user authentication and the server has been configured to authenticate users with additional credentials, the user may be presented with one or more additional challenge-response dialogs like those described in RADIUS Challenge-Response Cisco NAC Agent Dialogs.


14. The user can right-click the Cisco NAC Agent icon in the system tray to bring up the taskbar menu for the Agent (Figure 10-15).

Figure 10-15 Cisco NAC Agent Taskbar Menu

Taskbar menu options are as follows:

Login/Logout—This toggle reflects the login status of the user. Login means the user is behind a Clean Access Server and is not logged in. Logout means the user is already logged into Cisco NAC Appliance. Disabled (grey) Login occurs when there is no SWISS response from the CAS to the Cisco NAC Agent. This condition is expected in the following cases:

The Cisco NAC Agent cannot find a Clean Access Server or the Agent is logged in, but has lost contact with the CAS.

OOB deployments: the Cisco NAC Agent user has already logged in through the CAS and is now on the Access VLAN.

Multi-hop Layer 3 (VPN/WLC) deployments with SSO: the user has authenticated through the VPN concentrator and therefore is already automatically logged into Cisco NAC Appliance.

Device Filters: MAC address-based authentication is configured for the machine of this user and therefore no user login is required.

Popup Login Window—This option is set by default when the Cisco NAC Agent is first installed and causes the Agent login dialog to automatically pop up when it detects that the user is behind a Clean Access Server and is not logged in.

Enable Toast Notification—This option is available only for clients running Windows 8. You can enable this option to send relevant notifications to the user. See Windows 8 Metro and Metro App Support—Toast Notifications for more details.

Log Packager—Click this option to run the support package and collect the logs.

Properties—Selecting Properties brings up the Agent Properties and Information dialog (Figure 10-16) which shows all of the AV and AS products installed on the client machine and the Discovery Host for Layer 3 deployments.

You can access the above options by using the keyboard shortcuts as follows:

L — Login/Logout

A — About

X — Exit

R — Properties

P — Popup Login Window


Note The Discovery Host field can be made editable or not by changing the DiscoveryHostEditable parameter in the Agent configuration XML file. See Cisco NAC Agent XML Configuration File Settings for more details.


Figure 10-16 Properties

About—Displays the version of the Cisco NAC Agent (Figure 10-17).

Figure 10-17 About

Exit—Exits the application, removes the Cisco NAC Agent icon on the taskbar, and automatically logs off the users in both In-Band and Out-of-Band mode. The users in Out-of-Band mode are logged off only when the OOB Logoff feature has been enabled through the CAM web console.


Note If Popup Login Window is disabled on the taskbar menu, the user can always right-click the Agent icon from the system tray and select Login to bring up the login dialog.


Windows 8 Metro and Metro App Support—Toast Notifications

In NAC Agent scenarios where the user does not get network access, such as "Remediation Failed" or "Network Access expired", the Agent displays the following toast notification:

Network not available, Click "OK" to continue

To get more details, select the toast; you are redirected to Desktop mode and the NAC Agent dialog is displayed.

Toast Notification is displayed for all positive recommended actions that the user needs to perform to gain network access. The following are some examples:

For a Network Acceptance policy, the toast is displayed as: "Click Accept to gain network access"

For an Agent/Compliance Module Upgrade, the toast is displayed as: "Click OK to Upgrade/Update"

In the "user logged out" event, when the "Auto Close" option for Logoff is not enabled in the CAM, a toast notification is provided. This toast lets users know that they have been logged out and need to log in again to get network access.

Auto-Upgrade for Already-Installed Agents: When the Cisco NAC Agent is already installed, users are prompted to auto-upgrade at each login, unless you disable upgrade notification. You can optionally force logout at machine shutdown (default is for users to remain logged in at machine shutdown). You can configure auto-upgrade to be mandatory or optional. With mandatory auto-upgrade and a newer version of the Agent available from the CAM, existing Agent users will see the following auto-upgrade prompts at login (Figure 10-18).

Figure 10-18 Example Auto-Upgrade Prompt (Mandatory)

If the upgrade is optional and a newer version of the Agent is available from the CAM, users can choose to Cancel the upgrade and continue with the login process (Figure 10-19).

Figure 10-19 Example Auto-Upgrade Prompt (Optional)

Clicking OK in either of the above dialogs brings up the setup wizard to upgrade the Cisco NAC Agent to the newest version (Figure 10-8). After Agent upgrade and user login, requirement checking proceeds.

If the Compliance Module feature has been enabled, the users are prompted to install the NAC Agent Compliance Module as shown in Figure 10-20.

Figure 10-20 Install NAC Agent Compliance Module - Prompt

Clicking OK in the above dialog brings up the setup wizard to upgrade the Cisco NAC Agent to the newest version of the NAC Agent Compliance Module.

15. After the user submits his or her credentials, the Cisco NAC Agent automatically checks whether the client system meets the requirements configured for the user role (Figure 10-21).

Figure 10-21 Cisco NAC Agent Verifying System

16. If required software is determined to be missing, the Temporary Network Access dialog appears (Figure 10-22). The user is assigned to the Agent Temporary role for the session timeout indicated in the dialog. The Temporary role session timeout is set by default to 4 minutes and should be configured to allow enough time for users to access web resources and download the installation package for the required software.

Figure 10-22 Temporary Access—Requirement Not Met

If the user clicks Show Details, the Cisco NAC Agent displays a list of the requirements the user must resolve before Cisco NAC Appliance grants the client machine network access based on the user's assigned role (Figure 10-23).

Figure 10-23 Temporary Network Access—Show Details

To close the Security Compliance Summary dialog, click Hide Details.

17. When the user clicks Repair, the Cisco NAC Agent dialog for the requirement with the highest priority configured for the user role appears prompting the user to take appropriate action to address the requirement type.

For an AV Definition Update requirement (Figure 10-24), the user clicks the Update button to update the client AV software on the system.

Figure 10-24 AV Definition Update Requirement Example

For an AS Definition Update requirement (Figure 10-25), the user clicks the Update button to update the definition files for the Anti-Spyware software on the client system.

Figure 10-25 AS Definition Update Requirement Example

For a Windows Update requirement (Figure 10-26), the user clicks the Update button to set the Windows Update and force updates on the client system if "Automatically Download and Install" is configured for the requirement.

Figure 10-26 Windows Update Requirement Example

For a Windows Server Update Service requirement (Figure 10-27), the user clicks the Update button to set the Windows Server Update Service and force updates on the client system.

Figure 10-27 Windows Server Update Service Requirement Example

For a Launch Program requirement (Figure 10-28), the user clicks the Launch button to automatically launch the qualified program for remediation if the requirement is not met.


Note For Admin users, signature processing is governed by the <SignatureCheck>0|1</SignatureCheck> setting in the Agent configuration file. For non-Admin users, signature verification is performed regardless of this setting.


Figure 10-28 Launch Program Requirement Example

For a File Distribution requirement (Figure 10-29), the button displays Download instead of Go To Link. When the user clicks Download, the Save file to dialog appears. The user needs to save the installation file to a local folder and run the executable file from there. (The maximum file size you can make available to users via File Distribution is 500MB.)

Figure 10-29 File Distribution Requirement Example

For a Link Distribution requirement (Figure 10-30), the user can access the website for the required software installation file by clicking Go To Link. This opens a browser for the URL specified in the Location field.

Figure 10-30 Link Distribution Requirement Example

18. Clicking Cancel at this stage stops the login process.

19. For each requirement, the user needs to click Skip to proceed after completing the action required (Update, Go To Link, Download). The Cisco NAC Agent again performs a scan of the system to verify that the requirement is met. If met, the Agent proceeds to the next requirement configured for the role.


Note If a requirement is Optional, when the user clicks Skip in the Cisco NAC Agent for the optional requirement, the next requirement dialog appears or the login success dialog appears (Figure 10-32) if all other requirements are met.


20. If a Network Policy page was configured for the role, the following dialog will appear (Figure 10-31) after requirements are met. The user can view the "network usage policy" HTML page (uploaded to the CAM or external server) by clicking the Network Usage Terms & Conditions link. The user must click the Accept button to successfully log in.

Figure 10-31 Network Policy Dialog

See Configure Network Policy Page (Acceptable Use Policy) for Agent Users for details on configuring this dialog.

21. When all requirements are met (and Network Policy accepted, if configured), the user is transferred from the Temporary role to the normal login role and the login success dialog appears (Figure 10-32). The user is free to access the network as allowed for the normal login role.


Note The administrator can configure the Login and Logout success dialogs to close automatically after a specified number of seconds, or not to appear at all. See Agent Login for details.


Figure 10-32 Successful Login—Client Machine Compliant

22. If you have enabled the "Allow restricted network access in case user cannot use Cisco NAC Agent or Cisco NAC Web Agent" option under Device Management > Clean Access > General Setup > Agent Login, or the Agent is currently failing a mandatory requirement, the Get Restricted Network Access button appears in the Cisco NAC Agent authentication dialogs and the user can choose to accept restricted network access. Once the user clicks the Get Restricted Network Access button, they log into the Cisco NAC Appliance system using a "restricted" user role instead of a more generous standard network access role and are presented with a login confirmation dialog like the one in Figure 10-33. For more information on enabling restricted network access, see Agent Login.

Figure 10-33 Restricted Network Access

23. To log off the network, the user can right-click the Cisco NAC Agent icon in the system tray and select Logout. The logout screen appears (Figure 10-34). If the administrator removes the user from the network, the Login dialog will reappear instead (if Popup Login Window is set).


Note The administrator can configure the Login and Logout success dialogs to close automatically after a specified number of seconds, or not to appear at all. See Agent Login for details.


Figure 10-34 Successful Logout

24. Once a user has met requirements, the user will pass these Cisco NAC Agent checks at the next login unless there are changes to the user's computer or Cisco NAC Agent requirements.

25. If a required software installation requires users to restart their computers, the user should log out of the network before restarting. Otherwise, the user is still considered to be in the Temporary role until the session times out. The session timeout and heartbeat check can be set to disconnect users who fail to log out of the network manually.

RADIUS Challenge-Response Cisco NAC Agent Dialogs

If you configure the Clean Access Manager to use a RADIUS server to validate remote users, the end-user Cisco NAC Agent login session may feature extra authentication challenge-response dialogs not available in other dialog sessions—beyond the standard user ID and password. This additional interaction is due to the user authentication profile on the RADIUS server itself and does not require any additional configuration on the Clean Access Manager. For example, the RADIUS server profile configuration may feature an additional authentication challenge like verifying a token-generated PIN or other user-specific credentials in addition to the standard user ID and password. In this case, one or more additional login dialog screens may appear as part of the login session.

The following section provides an example of the dialog exchange for Windows Cisco NAC Agent user authentication.

1. The remote user logs in normally and provides their username and password as shown in Figure 10-35.

Figure 10-35 Windows Agent Login Dialog

2. If the associated RADIUS server has been configured to authenticate users with additional credentials, the user is presented with one or more additional challenge-response dialogs (like the password renewal scenario shown in Figure 10-36) for which they must provide additional credentials to authenticate and connect.

Figure 10-36 Additional Windows RADIUS Challenge-Response Session Dialog

3. Once the additional challenge-response(s) are validated, the RADIUS server notifies the Clean Access Manager that the user has successfully authenticated and should be granted remote access.

Figure 10-37 Windows RADIUS Challenge-Response Authentication Successful

Cisco NAC Web Agent

This section describes how to configure the Cisco NAC Web Agent to allow users to log in to the network without requiring a permanent, dedicated network access application on the client machine.

Overview

Configuration Steps for the Cisco NAC Web Agent

Cisco NAC Web Agent User Dialogs

Overview


Warning Cisco does not recommend using the Cisco NAC Web Agent on client machines connecting with link speeds slower than 56Kbits/s.

The Cisco NAC Web Agent provides temporal posture assessment for client machines. Users launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet. When the user terminates the Web Agent session, the Web Agent logs the user off of the network and their user ID disappears from the Online Users list.

After users log into the Cisco NAC Web Agent, the Web Agent gets the requirements configured for the user role/OS from the Clean Access Server, checks the host registry, processes, applications, and services for required packages and sends a report back to the CAM (via the CAS). If requirements are met on the client, the user is allowed network access. If requirements are not met, the Web Agent presents a dialog to the user for each unmet requirement. The dialog (configured in the New Requirement form) provides the user with instructions and the action to take for the client machine to meet the requirement. Alternatively, if the specified requirements are not met, users can choose to accept "restricted" network access (if you have enabled that option in the Device Management > Clean Access > General Setup > Agent Login page) while they try to remediate the client machine so that it meets requirements for the user login role. You can set up a "restricted" user role to provide access to only limited applications/network resources in the same way you configure a standard user login role according to the guidelines in Adding a New User Role.

Cisco NAC Web Agent posture assessment is configured in the CAM by creating requirements based on rules and (optionally) checks, then applying the requirements to user roles/client operating systems. This chapter describes how to configure these requirements.

Figure 10-38 illustrates the general user sequence for launching the Cisco NAC Web Agent, if the administrator has required use of the Cisco NAC Web Agent for the user's role and operating system.

Figure 10-38 Cisco NAC Web Agent User Interaction/Experience

System Requirements

Your Cisco NAC Appliance network must meet the following requirements to support the Cisco NAC Web Agent:

Operating System Compatibility and Browser Support

ActiveX and Java Applet Requirements

Microsoft Internet Explorer 7 in Windows Vista

Operating System Compatibility and Browser Support

If users are logging in via the Web Agent in a Windows 7 environment and have proxy connections configured on Internet Explorer, they must enable "Protected Mode" in the browser's security settings to enable Web Agent download on the client machine.

In Windows 8, Web Agent does not support Metro Mode and Toast Notification.

You can find complete Operating System Compatibility and Browser Support information for all Cisco NAC Appliance Agents in the Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later.

ActiveX and Java Applet Requirements

If you plan to use the Java applet version to install the Web Agent files, the client must already have Java version 1.5 or higher installed.

If you plan to install the Web Agent files via ActiveX, the client machine must be using a 32-bit version of Microsoft Internet Explorer. You cannot install via ActiveX on a Firefox web browser or on a 64-bit version of Internet Explorer.

The user must have permissions for ActiveX download or admin privileges on the client machine to enable installation of ActiveX controls.


Note The Web Agent Java applet might fail to launch when the CPU load on the client machine approaches 100%. (ActiveX runs successfully under these conditions.)



Note Security restrictions for the "Guest" user profile in Windows Vista operating systems prevent ActiveX controls and Java applets from running properly. Therefore, you must be logged into the Windows Vista client machine as a known user (not a "Guest") in order to log into Cisco NAC Appliance via the Web Agent.


Microsoft Internet Explorer 7 in Windows Vista

By default, Windows Vista checks the server certificate revocation list and prevents the Web Agent from launching on the client machine. To disable this functionality:


Step 1 In Internet Explorer 7, navigate to Menu > Tools > Internet Options.

Step 2 Click the Advanced tab.

Step 3 Under Security, uncheck (disable) the Check for server certificate revocation option.

Step 4 Click OK.


Configuration Steps for the Cisco NAC Web Agent

The basic steps needed to configure the Cisco NAC Appliance system to enable and use the Cisco NAC Web Agent are as follows:

1. Make sure to follow the steps in Agent Configuration Steps to enable and specify installer download parameters for the Cisco NAC Web Agent.

2. (Optional) Set up a "Restricted Access" role as described in Adding a New User Role.

3. Configure Agent requirements using the instructions in Configuring Agent-Based Posture Assessment:

a. Configuring AV/AS Definition Update Requirements

b. Configuring a Windows Server Update Services Requirement

c. Configuring a Windows Update Requirement

d. Configuring Custom Checks, Rules, and Requirements

e. Configuring a Launch Programs Requirement

f. Map Requirements to Rules

g. Apply Requirements to User Roles

h. Validate Requirements

i. Configuring an Optional/Audit Requirement

After you have accounted for the above topics, users can log in and gain network access via the Cisco NAC Appliance system according to the parameters and requirements you have defined in your system configuration.

Cisco NAC Web Agent User Dialogs

This section illustrates the user experience when users access your network via the Cisco NAC Web Agent.


Note Depending on the user's privilege level (Administrator, Privileged User, User, etc.) and web browser security settings on the client machine, the user may or may not see additional security "warnings" or message dialogs during critical points in the download and installation process. (For example, the user may need to acknowledge the installation process redirecting the user to a particular URL destination or approve the Web Agent executable launch following client scanning.)


1. When the user first opens a web browser, the user is redirected to the web login page (Figure 10-39).

Figure 10-39 Login Page

2. The user enters their credentials in the web login page and is redirected to the Cisco NAC Web Agent Launch page (Figure 10-40) where they can choose to launch the Cisco NAC Web Agent ActiveX or Java Applet installer. You determine the installer launch method using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration screen.


Note If you plan to install the Web Agent files via ActiveX, the client machine must be using a 32-bit version of Microsoft Internet Explorer. You cannot install via ActiveX on a Firefox web browser or on a 64-bit version of Internet Explorer.


Figure 10-40 Cisco NAC Web Agent Launch Page

3. The user clicks the Launch Cisco NAC Web Agent button (the button will display the version of the Web Agent being installed).


Note If the "Allow restricted network access in case user cannot use Cisco NAC Web Agent" option is selected under Device Management > Clean Access > General Setup > Agent Login, the Get Restricted Network Access button and related text will display in the Download Cisco NAC Web Agent page. See Agent Login for details.



Note If the existing CAS certificate is not trusted on the client, the user must accept the optional certificate in the Security Alert dialog that appears before Web Agent launch can successfully proceed.


Figure 10-41 ActiveX Installation Notice

4. If the user's web browser settings are configured to verify actions like installing an ActiveX control on the client machine, the user may need to verify the action. For example, in the case of Microsoft IE, the user may need to click on a status bar that appears in the browser window and choose the Install ActiveX Control option from the resulting pop-up to validate the ActiveX process.

If the ActiveX control fails to initialize, the user sees an ActiveX installation notice like the one in Figure 10-42. If you have set up the Cisco NAC Appliance system to fall back to the Java applet when the ActiveX method fails, the system then attempts to download the Web Agent installation files via Java applet.

Otherwise, the user will not be able to use the Cisco NAC Web Agent for login and will either have to contact the Cisco NAC Appliance network administrator to help troubleshoot the installation process, or accept "Restricted" network access for the time being until they can fix the Web Agent installation problem.


Note If you specify that the Java applet method is preferred using the Web Client (ActiveX/Applet) option in the Administration > User Pages > Login Page configuration screen, the order of these possibilities is reversed—the user sees a Java applet failure notice before the ActiveX control attempts to install the Web Agent files on the client machine.


Figure 10-42 ActiveX Installation Notice


Note If the version of the Agent being downloaded from the CAM is "unsigned" (if it has been handed over directly from Cisco Support as a patch version, for example), the user may see an additional Java Security Notice like the one in Figure 10-43.


Figure 10-43 Java Applet Security Notice

If both the ActiveX and Java applet Web Agent download and install methods fail, the user sees a notification screen like the one in Figure 10-44 and is presented with a Windows dialog informing the user that Cisco NAC Web Agent login failed (Figure 10-45).


Note For more information on status and error codes the ActiveX Control or Java Applet passes back to the Cisco NAC Appliance system, see Table 11-4 in Cisco NAC Web Agent Status Codes.


Figure 10-44 ActiveX and Java Installation Failure Notice

Figure 10-45 Cisco NAC Web Agent Login Failure Notice

5. After the user allows the ActiveX control to install the Web Agent files, or acknowledges the Java certificate security warning and chooses to accept the Java applet contents, the Web Agent installer installs the Web Agent executable and all required ancillary files in a temporary directory on the client machine (like C:\Temp\, for example) and the browser window displays a "Downloading Cisco NAC Web Agent..." message similar to Figure 10-46.

Figure 10-46 Cisco NAC Web Agent Executable Download

The downloading step in the process can take anywhere from just a few seconds to several minutes, depending on your connection speed. Typically, a fast connection speed like a 10/100 Ethernet LAN link will take very little time, whereas a relatively slow connection link like ISDN could take significantly longer.


Warning Cisco does not recommend using the Cisco NAC Web Agent on client machines connecting with link speeds slower than 56Kbits/s.

Once the executable files have been downloaded to the client machine's local temporary file directory, the self-extracting installer automatically begins launching the Web Agent on the client machine and the user sees a status window similar to Figure 10-47.

Figure 10-47 Cisco NAC Web Agent Installation

6. When the ActiveX control or Java Applet session completes, the Cisco NAC Web Agent automatically checks whether the client system meets the requirements configured for the user role. (See Figure 10-48.)

Figure 10-48 Cisco NAC Web Agent Scanning Dialog

7. If the Web Agent scan determines that a required application, process, or critical update is missing, the user receives a "Host is not compliant with network security policy" message (Figure 10-49 through Figure 10-54 provide a range of examples) and is assigned to the Cisco NAC Web Agent Temporary role for the session timeout indicated in the dialog (typically 4 minutes by default).


Note For information on status codes the Cisco NAC Web Agent passes back to the Cisco NAC Appliance system, see Table 11-5 in Cisco NAC Web Agent Status Codes.


8. The user can choose to do one or more of the following:

Click Cancel to abort Web Agent launch

Click Save Report to save a local copy of the Web Agent session report that the user can forward on to the Cisco NAC Appliance administrator to help troubleshoot potential Web Agent login issues

Web Archive, Single File (*.mht)—Limited to the Microsoft Internet Explorer browser only

Web Page, Complete (*.htm, *.html)—Supports any browser, but resource files (GIFs, CSS, etc.) are stored in a subdirectory

Web Page, HTML Only (*.htm, *.html)—Formatting and GIFs will not be present

Text File (*.txt)


Note Because the report dialog makes use of IFRAMEs, the report data and restricted access data are stored in a separate HTML file. If the HTML Only and Text options are used, the user does not see the report and restricted data in the saved file.


Click Get Restricted Network Access to log into the Cisco NAC Appliance system using a "restricted" user role instead of a more generous standard network access role.

Perform manual remediation—the user can download installation packages for the required software and perform other required remediation tasks according to the Remediation Suggestion entries displayed and click Re-Scan to see if their changes bring the client machine into acceptable compliance.


Note The Temporary role session timeout is set to 4 minutes by default, but Cisco recommends you configure the duration to allow enough time for users to access web resources, download installation packages for the required software, and possibly perform other required remediation tasks before attempting to Re-Scan the client machine for compliance.


Figure 10-49 Mandatory AV Definition Requirement Not Met

Figure 10-50 Mandatory AS Definition Update Requirement Not Met

Figure 10-51 Mandatory File Distribution Requirement Not Met

Figure 10-52 Mandatory Link Distribution Requirement Not Met

Figure 10-53 Mandatory Local Check Requirement Not Met

Figure 10-54 Mandatory Windows Upgrade Requirement Not Met

9. If the Web Agent scan determines that an optional application, process, or update is missing, the user receives a "Host is compliant with network security policy" message (Figure 10-55) and is assigned to the Cisco NAC Web Agent Temporary role for the session timeout indicated in the dialog (typically 4 minutes by default).


Note For information on status codes the Cisco NAC Web Agent passes back to the Cisco NAC Appliance system, see Table 11-5 in Cisco NAC Web Agent Status Codes.


10. The user can choose to do one of the following:

Click Continue to complete Web Agent launch.

Click Save Report to save a local copy of the Web Agent session report that the user can forward on to the Cisco NAC Appliance administrator to help troubleshoot potential Web Agent login issues. The reports are available in the following formats:

Web Archive, Single File (*.mht)—Limited to the Microsoft Internet Explorer browser only

Web Page, Complete (*.htm, *.html)—Supports any browser, but resource files (GIFs, CSS, etc.) are stored in a subdirectory

Web Page, HTML Only (*.htm, *.html)—Formatting and GIFs will not be present

Text File (*.txt)


Note Because the report dialog makes use of IFRAMEs, the report data and restricted access data are stored in a separate HTML file. If the HTML Only and Text options are used, the user does not see the report and restricted data in the saved file.


Perform manual remediation—the user can download installation packages for the required software and perform other required remediation tasks according to the Remediation Suggestion entries displayed and click Re-Scan to see if their changes bring the client machine into full compliance.


Note The Temporary role session timeout is set to 4 minutes by default, but Cisco recommends you configure the duration to allow enough time for users to access web resources, download installation packages for the required software, and possibly perform other required remediation tasks before attempting to Re-Scan the client machine for compliance.


Figure 10-55 Optional Requirement Not Met

11. If the Web Agent scan determines that the client machine is compliant with the Agent requirements you have configured for the user's role, the user receives a "Host is compliant with network security policy" message within a green banner (Figure 10-56).


Note For information on status codes the Cisco NAC Web Agent passes back to the Cisco NAC Appliance system, see Table 11-5 in Cisco NAC Web Agent Status Codes.


12. The user can choose to do one of the following:

Click Continue to complete Web Agent launch.

Click Save Report to save a local copy of the Web Agent session report that the user can forward on to the Cisco NAC Appliance administrator to help troubleshoot potential Web Agent login issues. The reports are available in the following formats:

Web Archive, Single File (*.mht)—Limited to the Microsoft Internet Explorer browser only

Web Page, Complete (*.htm, *.html)—Supports any browser, but resource files (GIFs, CSS, etc.) are stored in a subdirectory

Web Page, HTML Only (*.htm, *.html)—Formatting and GIFs will not be present

Text File (*.txt)

Figure 10-56 Requirement Met

13. If you have configured the Cisco NAC Appliance system to require the user to view and accept a Network Usage Policy guideline in the Device Management > Clean Access > General Setup > Agent Login page and have configured the Device Management > Clean Access > Clean Access Agent > Installation page to show the user the Full UI Direct Installation Option, the user may see a dialog similar to Figure 10-57. If the user does not accept the Network Usage Policy, the installation process halts and the user must choose to either restart the install and launch process or accept "restricted" network access.


Note The first time users launch the Cisco NAC Web Agent on a client machine, they will likely see a pop-up blocker message at the top of the browser window after clicking "Accept" to continue past the Network Usage Policy.


Figure 10-57 (Optional) Network Usage Policy Dialog

14. Once the user has performed manual remediation and successfully "re-scanned" the client machine, accepted any optional Network Usage Policy, identified and noted optional requirement items, or has chosen to accept "restricted" access for this user login session, the user receives a "Successfully logged on to the network" dialog (Figure 10-58) followed by a Clean Access Authentication browser window (Figure 10-60) featuring Web Agent session status information and a Logout button the user can click to terminate the Web Agent session.

Figure 10-58 Successful Cisco NAC Web Agent Login

Even when the Cisco NAC Web Agent has launched, installed, and initiated a login session without any issues, or when the user has brought the client machine into compliance through manual remediation and successfully "re-scanned" it, another issue might still keep the Cisco NAC Web Agent from logging the user into the network, resulting in a "You will not be allowed to access the network..." message similar to that in Figure 10-59. Known causes include a previous Web Agent session for the same user that did not "tear down" properly on the CAM, or the user currently being logged into an active Cisco NAC Agent session.

If you receive one of these messages, click OK and attempt to launch the Cisco NAC Web Agent again. If the problem persists, contact your Cisco NAC Appliance system administrator.

Figure 10-59 Cisco NAC Web Agent Login Failed

Figure 10-60 Cisco NAC Web Agent Connection Status Window (Including Logout Button)

15. To log out of the Cisco NAC Appliance user session and disengage the Cisco NAC Web Agent, the user clicks the Logout button. The web interface logs the user out of the network, removes the session from the client machine, and the user ID disappears from the Online Users list.


Note To log off the network and disengage the Cisco NAC Web Agent, the user can also right-click the Agent icon in the system tray and select Logout.


If the user closes the Web Agent connection browser window without "logging out" of the system, the user session remains active with the assigned user role until the CAM detects that the client machine is no longer available, a session timeout occurs, or some other event takes place to reveal the correct client machine state.


Note The administrator can configure the Web Agent Login success dialog to close automatically after a specified number of seconds, or not to appear at all. See Agent Login for details.


Mac OS X Cisco NAC Agent

This section describes how to configure the Mac OS X Cisco NAC Agent to allow users to log in to the internal network via a persistent network access application installed on the client machine.

Mac OS X Cisco NAC Agent Overview

Configuration Steps for the Mac OS X Cisco NAC Agent

Mac OS X Cisco NAC Agent Configuration File Settings

Mac OS X Posture Assessment Prerequisites/Restrictions

Requirement Types Supported for Mac OS X Agent

Mac OS X Cisco NAC Agent Dialogs

Mac OS X Cisco NAC Agent Application File Locations

Mac OS X Cisco NAC Agent Overview

The Mac OS X Cisco NAC Agent provides local-machine Agent-based posture assessment and remediation for client machines. Users download and install the Agent (read-only client software), which can check the host registry, processes, applications, and services.

After users log into the Cisco NAC Agent, the Agent gets the requirements configured for the user role/operating system from the Clean Access Server, checks for the required packages and sends a report back to the CAM (via the CAS). If requirements are met on the client, the user is allowed network access. If requirements are not met, the Agent presents a dialog to the user for each unmet requirement. The dialog (configured in the New Requirement form) provides the user with instructions and the action to take for the client machine to meet the requirement.

Mac OS X Cisco NAC Agent posture assessment is configured in the CAM by creating requirements based on rules and (optionally) checks, then applying the requirements to user roles/client operating systems. For more information, see Configuring Agent-Based Posture Assessment.


Note In the CAM web console, you can view the distribution options for the Mac OS X Cisco NAC Agent under Device Management > Clean Access > Clean Access Agent > Distribution. See Agent Distribution for details.


Configuration Steps for the Mac OS X Cisco NAC Agent

The basic steps needed to configure the Mac OS X Cisco NAC Agent are as follows:

1. Make sure to follow the steps in Agent Configuration Steps to enable distribution and download of the Mac OS X Cisco NAC Agent, including Require Agent Login for Client Machines and Setting Up Agent Distribution/Installation.

2. Configure Mac OS X Agent requirements using the instructions in Configuring Agent-Based Posture Assessment:

a. Configuring AV/AS Definition Update Requirements

b. Configuring Custom Checks, Rules, and Requirements

c. Map Requirements to Rules

d. Apply Requirements to User Roles

e. Validate Requirements

f. Configuring an Optional/Audit Requirement

Mac OS X Cisco NAC Agent Configuration File Settings

The Mac OS X Cisco NAC Agent features can be configured and enabled by setting the parameters in the following files:

~/Library/Application Support/Cisco Systems/CCAAgent/preference.plist

/Applications/CCAAgent/Contents/Resources/setting.plist

Table 10-1 lists the configuration parameters that are supported.

Mac OS X Posture Assessment Prerequisites/Restrictions

Macintosh client machines and the CAM/CAS must meet the following requirements to be able to perform posture assessment using the Mac OS X Cisco NAC Agent.

Mac OS X Agent Prerequisites

The Mac OS X Agent installer (built by Apple's "Package Maker" system application) installs two application files on the client: CCAAgent.app to launch the Mac OS X Cisco NAC Agent, and dhcp_refresh to facilitate IP address refresh procedures.

The client machine must be running the most recent release of 10.5 (release 10.5.2) or later to support Macintosh client posture assessment. Mac OS 10.2 and 10.3 do not support posture assessment and remediation. For more information, see Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later.

Auto-upgrade of the Mac OS X Agent is supported starting from version 4.1.3.0 and later in Cisco NAC Appliance. Users can upgrade client machines to the latest Mac OS X Agent by downloading the Agent via web login and running the Agent installation. For more information, see the corresponding Release Notes for Cisco NAC Appliance.

When a Link Distribution requirement type launches a browser, it uses the default browser, which the user can configure in the Safari browser's Preferences settings. The user can pick any browser they like, including Safari, Firefox, or Opera.

The Mac OS X Agent fully supports UTF-8. Therefore, if a requirement from the CAM is configured in any language other than English (like Traditional Chinese, for example), the Mac OS X Agent is still able to display Agent text correctly. The administrator only needs to create a different user interface file (.nib) using Apple's Interface Builder and change the locale in the client machine's System Preferences; no code is required to implement this feature.

To localize the user interface:

a. Add a new localized .nib file in the Interface Builder and re-compile the Mac OS X Agent (zh_TW is the language code for Traditional Chinese).

b. Change the locale in the client machine's System Preferences.

c. The Mac OS X Agent then displays the localized user interface based on the new locale setting.

User Preference configuration options
(~/Library/Application Support/Cisco Systems/CCAAgent/preference.plist):

a. Suppress the automatic pop-up of the login window when the CAS is detected.

b. Allow the user's credentials to be saved in memory until the Agent quits.

c. Change the VLAN detection interval (the default is 5 seconds; 0 disables detection).

In Release 4.9 and later, VLAN Detect is automatically disabled when the client machine is on a VPN connection. The following VPN clients are supported:

Cisco VPN Client

AnyConnect

Apple Native VPN Client to Cisco IPSEC

Shimo (user interface for the Cisco IPSEC client)


Note The Mac Agent automatically creates a preference.plist file when either or both of the "Auto Popup Login Window" or "Remember Me" options are toggled for the Mac Agent. If neither of these options is changed for the Agent, the user has to manually create a preference.plist file on the Mac OS X client machine.


Example preference.plist File Template:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AutoPopup</key>
<string>yes</string>
<key>RememberMe</key>
<string>yes</string>
<key>VlanDetectInterval</key>
<string>5</string>
</dict>
</plist>

Note Refer to Table 10-1 for more details on all the configuration parameters.



Agent Setting configuration options are set in /Applications/CCAAgent/Contents/Resources/setting.plist. The setting.plist file configures parameters globally for all users, except for the "RememberMe" and "AutoPopup" options.

Example setting.plist File Template:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>RetryDetection</key>
<string>3</string>
<key>PingArp</key>
<string>2</string>
<key>LogFileSize</key>
<string>5</string>
</dict>
</plist>

Note Refer to Table 10-1 for more details on all the configuration parameters.


Table 10-1 Mac OS X Cisco NAC Agent Configuration Parameters

Each entry lists the parameter, its default value, its valid range, and its description/behavior. Numbers in parentheses refer to the footnotes after the table.

Parameter: RememberMe (1)
Default Value: yes
Valid Range: yes or no
Description/Behavior: If this setting is yes, the user only needs to enter login credentials once. The Mac OS X Agent also remembers the user credentials after session termination/time-out.
Note When the user logs out of Windows, the saved credentials are erased.
When the user moves from a connection that requires username and password to an SSO session and returns back, the credentials are removed.

Parameter: AutoPopup (1)
Default Value: yes
Valid Range: yes or no
Description/Behavior: If this setting is yes, the Agent login dialog appears automatically when the user is logged out. If this setting is no, users must manually initiate login using the Tools menu option.

Parameter: LogFileSize
Default Value: 5
Valid Range: 0 and above
Description/Behavior: This setting specifies the file size (in megabytes) for Mac OS X Agent log files on the client machine. If this setting is 0, the Agent does not record any login or operation information for the user session on the client machine. If the administrator specifies any other integer, the Agent records login and session information up to the number of MB specified.

Parameter: DiscoveryHost
Default Value: (none)
Valid Range: IP address or FQDN
Description/Behavior: This setting specifies the Discovery Host address the Agent uses to connect to the Cisco NAC Appliance system in a Layer 3 deployment.

Parameter: RetryDetection
Default Value: 3
Valid Range: 0 and above
Description/Behavior: If ICMP or ARP polling fails, this setting configures the Agent to retry <x> times before refreshing the client IP address.

Parameter: HttpDiscoveryTimeout
Default Value: 5
Valid Range: 3 and above
Description/Behavior: The default timeout is 5 seconds. This is the time the Agent's HTTPS discovery waits for a response from the Clean Access Server. If there is no response within the specified time, the discovery times out. The minimum value that can be set is 3. If the value is set to 1 or 2, the timeout is recognized as 3 seconds. If this value is set to zero (0), the Windows default timeout settings are used.

Parameter: HttpTimeout
Default Value: 5
Valid Range: 3 and above
Description/Behavior: The default timeout is 120 seconds. This is the time an HTTP request from the Agent waits for a response. If there is no response within the specified time, the request times out. The minimum value that can be set is 3. If the value is set to 1 or 2, the timeout is recognized as 3 seconds. If this value is set to zero (0), the Windows default timeout settings are used.

Parameter: PingArp (2)
Default Value: 2
Valid Range: 0-2
Description/Behavior:
If this value is set to 0, poll using ICMP.
If this value is set to 1, poll using ARP.
If this value is set to 2, poll using ICMP first, then (if ICMP fails) use ARP.

Parameter: PingMaxTimeout
Default Value: 1
Valid Range: 1-10
Description/Behavior: Poll using ICMP and, if there is no response within <x> seconds, declare ICMP polling a failure.

Parameter: VlanDetectInterval (3, 4)
Default Value: 5
Valid Range: 5-900
Description/Behavior: If this setting is 0, the Access to Authentication VLAN change feature is disabled. By default, this setting is 5 and the Agent sends ICMP/ARP queries every 5 seconds. If this setting is 6-900, the Agent sends ICMP/ARP queries every <x> seconds.

Footnotes:

(1) The RememberMe and AutoPopup parameters can be set only in the preference.plist file.

(2) If the PingArp value is "1", it breaks VPN connections by removing the Gateway entry. If the value is "0", it breaks network connections with Managed subnets on In-Band deployments. The recommended value is "2".

(3) In Release 4.9 and later, VLAN Detect is automatically disabled when the client machine is on a VPN connection. The following VPN clients are supported:
- Cisco VPN Client
- AnyConnect
- Apple Native VPN Client to Cisco IPSEC
- Shimo (user interface for the Cisco IPSEC client)

(4) During discovery, all the VLAN Detect parameters are set to their default values and these values cannot be overridden. The parameters are: RetryDetection, PingArp, PingMaxTimeout, and VlanDetectInterval. Refer to Table 10-1 for the default values of these parameters.
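As an added example (not part of this guide or of the Agent software), the following Python script parses a preference.plist or setting.plist and checks each value against the ranges and footnotes documented in Table 10-1, so an administrator can catch a mis-set PingArp or a sub-minimum timeout before deploying the file. The embedded sample setting.plist is constructed for the demonstration, and the function names and finding strings are this example's own.

```python
"""Audit a Mac OS X Cisco NAC Agent plist against the Table 10-1 ranges."""
import plistlib

# Table 10-1, footnote 1: these keys are honoured only in preference.plist.
PREFERENCE_ONLY = {"RememberMe", "AutoPopup"}

# Integer parameters from Table 10-1 as (minimum, maximum or None = unbounded).
# 0 is accepted for the timeouts (platform default) and for VlanDetectInterval
# (feature disabled) because the table documents that behaviour for 0.
INT_RANGES = {
    "LogFileSize": (0, None),
    "RetryDetection": (0, None),
    "HttpDiscoveryTimeout": (0, None),
    "HttpTimeout": (0, None),
    "PingArp": (0, 2),
    "PingMaxTimeout": (1, 10),
    "VlanDetectInterval": (0, 900),
}


def effective_timeout(value):
    """Timeout the Agent applies for HttpDiscoveryTimeout / HttpTimeout.

    Table 10-1: 0 means the platform default (returned as None here),
    1 and 2 are raised to the 3-second minimum, larger values apply as given.
    """
    if value == 0:
        return None
    return max(value, 3)


def audit_plist(xml_bytes, filename):
    """Return a list of findings for one plist.

    filename is the plist basename ("preference.plist" or "setting.plist");
    findings describe values outside the documented ranges or values the
    table attaches a behavioural warning to.  An empty list means clean.
    """
    findings = []
    data = plistlib.loads(xml_bytes)
    for key, raw in data.items():
        if key in PREFERENCE_ONLY:
            if filename != "preference.plist":
                findings.append(f"{key}: only honoured in preference.plist, not {filename}")
            elif raw not in ("yes", "no"):
                findings.append(f"{key}: expected 'yes' or 'no', got {raw!r}")
            continue
        if key == "DiscoveryHost":
            continue  # free-form IP address or FQDN; nothing to range-check
        if key not in INT_RANGES:
            findings.append(f"{key}: not a Table 10-1 parameter")
            continue
        try:
            value = int(raw)
        except (TypeError, ValueError):
            findings.append(f"{key}: not an integer: {raw!r}")
            continue
        lo, hi = INT_RANGES[key]
        if value < lo or (hi is not None and value > hi):
            upper = "unbounded" if hi is None else hi
            findings.append(f"{key}: {value} outside valid range {lo}-{upper}")
            continue
        # Behavioural notes the table attaches to specific values.
        if key == "PingArp" and value != 2:
            what = "VPN connections (gateway entry removed)" if value == 1 else "Managed subnets on In-Band"
            findings.append(f"PingArp: {value} breaks {what}; Table 10-1 recommends 2")
        elif key == "LogFileSize" and value == 0:
            findings.append("LogFileSize: 0 disables Agent logging on the client")
        elif key in ("HttpDiscoveryTimeout", "HttpTimeout") and value in (1, 2):
            findings.append(f"{key}: {value} is below the 3-second minimum; Agent uses 3")
        elif key == "VlanDetectInterval" and value == 0:
            findings.append("VlanDetectInterval: 0 disables Access-to-Authentication VLAN change detection")
    return findings


# Constructed sample setting.plist (not from a real deployment) carrying several
# values that Table 10-1 warns about, to exercise the checks above.
SAMPLE_SETTING_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>RetryDetection</key>
<string>3</string>
<key>PingArp</key>
<string>1</string>
<key>HttpDiscoveryTimeout</key>
<string>2</string>
<key>LogFileSize</key>
<string>0</string>
<key>RememberMe</key>
<string>yes</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    for finding in audit_plist(SAMPLE_SETTING_PLIST, "setting.plist"):
        print(finding)
```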


Mac OS X Agent Restrictions

The Mac OS X Cisco NAC Agent only supports a subset of the posture assessment functions available for the Windows Clean Access Agent. (Only Link Distribution, AV Definition Updates, AS Definition Updates, and Local Checks are supported.)

The Mac OS X Agent does not support auto-remediation. The user must manually remediate all mandatory requirements to make the client machine compliant with network security guidelines.

The Mac OS X Agent does not support IP-based certificates for authentication.

The Log file (~/Library/Application Support/Cisco Systems/CCAAgent/event.log) is encrypted. Contact Cisco Technical Assistance Center for help with decryption.

CAM/CAS Restrictions

Cisco NAC Appliance only supports 10.5 and later. Mac OS 10.2, 10.3, and 10.4 are not supported. For more information, see Support Information for Cisco NAC Appliance Agents, Release 4.5 and Later.

The Mac OS X Agent does not support custom checks and custom rules. You can only assign AV and AS rules to the Link Distribution, Local Check, AV Definition Update, and AS Definition Update requirement types for Mac OS X posture remediation.

You cannot configure the CAM to install the Mac OS X Agent using a stub installer.

Requirement Types Supported for Mac OS X Agent

The Mac OS X Cisco NAC Agent performs a subset of the posture assessment functions supported on the Windows Clean Access Agent. The posture assessment functions currently supported on the Mac OS X Agent are:

Link Distribution—This requirement type refers users to another web page where the software is available, such as a software download page. Make sure the Temporary role is configured to allow HTTP (and/or HTTPS) access to the link.

Local Check—This requirement type can be used to create checks that look for software that should or should not be on the client machine. For the Mac OS X Agent, Local Checks are used primarily as a message medium to inform users what to do if/when a particular rule has/has not been met. The Mac OS X Agent Assessment Report window displays Local Check requirements using a "Message" icon.

AV Definition and AS Definition Updates—These requirement types are used to report on and update the definition files on a client for supported antivirus or antispyware products.


Note For a list of supported AV/AS applications, see the "Clean Access Supported AV/AS Product List" section of the corresponding Release Notes for Cisco NAC Appliance.


Although the Windows Agent supports "auto-remediation," Mac OS X Agent users must manually remediate their client machines to meet security requirements.

Mac OS X Cisco NAC Agent Dialogs


Note The Mac OS X Cisco NAC Agent supports single sign-on (SSO) with VPN deployments but does not support SSO with Active Directory.


See also the "SSL Requirements for Mac OS/CAS Communication" section in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(1) for additional details.

The Mac OS X Cisco NAC Agent user sequence is as follows.

1. The user navigates to the untrusted interface address of the CAS and is redirected to the Login page (Figure 10-61).

Figure 10-61 Login Page—Mac OS X

2. The user is directed to the Download Cisco NAC Agent page (Figure 10-62).

Figure 10-62 Download Cisco NAC Agent—Mac OS X

3. The user clicks the "Download" button and the CCAAgent_Mac OSX.tar.gz.tar file is downloaded to the desktop (Figure 10-63) and untarred.

Figure 10-63 Download Cisco NAC Agent Setup Executable to Desktop

4. The user double-clicks the CCAAgent.pkg file and the Mac OS installer for the Cisco NAC Agent starts up (Figure 10-64).

Figure 10-64 Double-Click CCAAgent.pkg to Start Cisco NAC Agent Installer

5. The user clicks the Continue button to proceed to the Read Me screen of the installer (Figure 10-65).

Figure 10-65 Mac OS X Agent Installation—Read Me

6. The user clicks the Continue button to proceed to the Select a Destination screen of the installer (Figure 10-66).

Figure 10-66 Mac OS X Agent Installation—Select a Destination

7. The user clicks the Install/Upgrade button to perform the installation (Figure 10-67). When done, the user clicks Close.

Figure 10-67 Mac OS X Agent Installation—Install/Upgrade Button


Note If the Cisco NAC Agent has never been installed on the machine, the Installation screen displays an Install button. If the Agent was installed at one point, even if there is no Agent currently in the system when the installer is invoked, the Upgrade button is displayed.


Figure 10-68 Mac OS X Agent Installation In Progress

Figure 10-69 Mac OS X Agent Installation—Install Succeeded

8. After installation, the Cisco NAC Agent login dialog appears. The Agent icon is now available from the Tool Menu (Figure 10-70). Right-clicking the Agent icon brings up the menu choices:

Login/Logout (toggle depending on login status)


Note If Cisco Clean Access employs a RADIUS server for user authentication and the server has been configured to authenticate users with additional credentials, the user may be presented with one or more additional challenge-response dialogs like those described in RADIUS Challenge-Response Mac OS X Cisco NAC Agent Dialogs.


Auto Popup Login Window (enabled by default)

About (displays version screen for the Cisco NAC Agent and the Compliance Module)

Collect Support Logs (collects logs and support information)

The user can click the Collect Support Logs option to collect the Agent logs and support information. The collected information is available as a zip file (CiscoSupportReport.zip) on the desktop of the client machine. If a file with the same name already exists on the desktop when the support logs are collected, the old file is deleted and a new file is created.

If the Agent crashes or hangs, you can run CCAAgentLogPackager.app to collect the logs. This file is available in the Applications folder where the Cisco NAC Agent has been installed. Double-click this file to collect the support information.


Note The Collect Support Logs option is available only for Cisco NAC Appliance, Release 4.9(1).


Quit (exits the Cisco NAC Agent application)

Figure 10-70 Cisco NAC Agent Login Pops Up/Desktop Icon Available from Tool Menu

9. Auto-Upgrade for Already-Installed Agents: When the Mac OS X Agent is already installed, users are prompted to auto-upgrade at each login, unless you disable upgrade notification. You can optionally force logout at machine shutdown (default is for users to remain logged in at machine shutdown). You can configure auto-upgrade to be mandatory or optional. With optional auto-upgrade and a newer version of the Agent available from the CAM, existing Mac OS X Agent users will see the following upgrade prompt at login (Figure 10-71).

Figure 10-71 Mac OS X Agent—New Agent Version Available

10. Clicking OK in the above dialog brings up the setup wizard to upgrade the Mac OS X Agent to the newest version (Figure 10-65). After Agent upgrade and user login, requirement checking proceeds. If the upgrade is optional and a newer version of the Agent is available from the CAM, users can choose to Cancel the upgrade and continue with the login process (Figure 10-72).

11. The user provides authentication credentials in the Mac OS X Agent login dialog to sign in to the Cisco NAC Appliance system.

Figure 10-72 Mac OS X Agent Login Dialog

12. During login, the Mac OS X Agent icon in the menu bar at the top of the Macintosh desktop changes to reflect the current stage and status of the login process:

a. Searching—The Agent is not currently connected and is in the process of transmitting SWISS packets to discover the CAS.

b. Ready and waiting—The Agent is connected to the CAS and ready to log in.

c. Lost focus—When the Agent window is not the top application on the desktop, the status icon shows "CLICK" and "FOCUS" repeatedly. Once the user clicks on the status icon, the Agent window becomes the active window on the desktop. This signal is helpful when the Agent window is "buried" by several other windows or applications, especially when a link remediation pops up a browser on top of the Agent and the user wants to switch back to the Agent after downloading an application or update.

d. Quarantined—If the Agent is in the Temporary role during posture assessment and remediation, the menu bar displays this icon to tell the user that they only have limited access to the network.

e. Logged in—The user has completed the login process and is ready to use the network.

f. Logged in via VPN—The user is signed in via a VPN or VPN SSO connection and has been successfully logged in.

g. Error—When an error occurs (for example, if the client cannot validate the CAS certificate, sees an invalid CAS certificate, or domain name resolution fails) the status icon changes to the exclamation point (!) icon.

13. Following user login, if any mandatory or optional requirements fail, the user is assigned to the default Temporary role and sees the Assessment Report window (see Figure 10-73) containing the following information for each requirement in the report:

Run—This column either contains a checkbox that the user can choose to check or leave unchecked (if the requirement is optional), or a "grayed-out" checkbox (if the requirement is mandatory). This enables the user to select the optional requirements to remediate before clicking the Remediate button to address all requirements listed in the Assessment Report window.

Name—This is the name of the requirement the administrator configures on the CAM.

Description—This field contains text from the "Description" field the administrator enters in the CAM when configuring the requirement to provide information/explanation.

Type (icons)—The icons in this column denote the requirement type ("Link," "Update," or "Message").

Required—Specifies whether the requirement is Mandatory or Optional.

If there are Mandatory requirements associated with the user login session that do not pass upon posture assessment, the Mac OS X Agent automatically displays the Assessment Report dialog after the user enters login credentials.

If the only requirements that fail are Optional requirements, the Agent still displays the Assessment Report dialog to the user, but they are allowed to click the Complete button and successfully log in to the network. (In this situation, all Mandatory requirements, if any, have passed, so the user may choose either to remediate or to log in.)


Note Audit requirements are always checked/verified in the background and do not appear in the user-facing Assessment Report window with "failed" mandatory or optional requirements.


Status (icons)—Displays the current status of the requirement type in the report dialog. When an assessment dialog first opens, all of the requirement types in the report are "failed" (denoted by an "X" icon). As the user addresses each requirement in turn, the status icons can change to "passed" (denoted by a checkmark icon), or "Skip" in the case of optional requirement types or mandatory requirements that the user could not remediate at that time.


Note If a user chooses to "Skip" a mandatory requirement, they are able to progress through and address the other requirement types/entries in the Assessment Report, but cannot log into the network until they have successfully remediated their client machine and passed all of the mandatory requirements. (See Figure 10-76.)


The Assessment Report window also displays the time remaining (in the upper right corner) before the Agent Temporary role expires and the client remediation window closes, requiring the user to log in and resume remediation again.

Figure 10-73 Mac OS X Agent Assessment Report Dialog

14. The user clicks the Remediate button to begin updating the client machine to meet the requirement criteria. The Mac OS X Agent begins the remediation process on the first "failed" requirement in the Assessment Report, and progresses through the requirement list one-by-one until all of the requirements in the list either "pass" posture assessment or the user "skips" one or more mandatory requirements. Depending on the type of requirement, the user sees one of the following processes during the remediation process:

In the case of a Link Distribution ("Link") requirement, users are directed to a web page, such as a software download page, where the required software is available and the user can quickly begin the download and installation process.

In the case of a Live Definition Update ("Update") requirement, the Mac OS X Agent reports on and (once the user clicks Remediate) automatically updates the definition files on the client machine for supported antivirus or antispyware products.

In the case of a Local Check ("Message"), the Mac OS X Agent looks for software that should or should not be installed on the system. (In the context of the Mac OS X Agent, this feature is used primarily as a message medium to inform users what to do if/when a particular rule has/has not been met. The user does not undertake any specific action in the Assessment Report window itself.)

15. During requirement remediation, a user can choose to bypass mandatory requirements when the Skip button appears in the Status column. (See Figure 10-74.) If the user clicks Skip in this scenario, they cannot log into the Cisco NAC Appliance system, as the mandatory requirement has not been satisfied. This function can be useful for users who know that a particular mandatory requirement cannot succeed within the time constraints of the Temporary role and want to move on to other, more easily manageable mandatory requirements.

Figure 10-74 Mac OS X Agent Requirement Resolution

If the Name and/or Description for a given requirement are too long to display completely in the Assessment Report window, users can still view the complete text in a pop-up (or "drawer") that appears in addition to the Assessment Report.

16. If an error occurs during remediation, the Assessment Window displays the error message text above the requirement list. For example, Figure 10-75 displays an error that occurred during the mandatory live definition update reading, "No product that supports def-update found!"

Figure 10-75 Mac OS X Agent Requirement Failed

If one or more mandatory requirements still fail following the remediation process, the user can only choose Cancel in the Assessment Report window and cannot log into the Cisco NAC Appliance system. (See Figure 10-76.)

Figure 10-76 Previous Mac OS X Agent Mandatory Requirement(s) Failed

17. Users can also choose to "Skip" optional requirements in the Assessment Report (see Figure 10-77). If users click Skip, the Status icon turns to "fail" (the "X" icon) as shown in Figure 10-78, but the user is still allowed to log in to the system because the requirement is optional instead of mandatory.

Figure 10-77 Mac OS X Agent Optional Requirement

Figure 10-78 Mac OS X Agent Optional Requirement Failed

The Mac OS X Agent behaves similarly if the user chooses not to perform remediation for an optional requirement type by disabling the particular requirement entry before clicking the Remediate button (see Figure 10-79). When the Agent reaches this particular requirement in the Assessment Report window, the Agent automatically marks the requirement "failed" and either moves on to the next requirement, or (if the optional requirement is the last in the list and all other requirements have been met) displays the Complete button.

Figure 10-79 Mac OS X Agent Optional Requirement Skipped

18. When all requirements pass remediation, the user sees the Complete button at the bottom of the Assessment Report window and can log into the Cisco NAC Appliance system. (See Figure 10-80.)

Figure 10-80 All Mac OS X Agent Requirements Passed

19. The user clicks the Complete button once all mandatory requirements are met and successfully logs into the network. Once the user successfully logs into the Cisco NAC Appliance system, the Mac OS X Agent sends an Assessment Report back to the CAS.

Figure 10-81 Mac OS X Agent Login Successful
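The Assessment Report rules from steps 13 through 19 (Audit requirements hidden, unticked Optional rows marked failed, a skipped Mandatory requirement blocking the Complete button) modelled as an added example; this is not the Agent's own code, and the requirement names and remediation outcomes are constructed:

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    MANDATORY = "Mandatory"
    OPTIONAL = "Optional"
    AUDIT = "Audit"        # checked in the background, never shown to the user


class Status(Enum):
    PASSED = "passed"      # checkmark icon
    FAILED = "failed"      # "X" icon
    SKIPPED = "skip"       # user clicked Skip


@dataclass
class Requirement:
    name: str              # constructed sample names, not from the guide
    kind: Kind
    req_type: str          # "Link", "Update" or "Message" (Type icon)
    status: Status = Status.FAILED


def report_rows(reqs):
    """Rows shown in the Assessment Report window after login (step 13):
    only Mandatory and Optional requirements that did not pass. Audit
    requirements are evaluated but never displayed."""
    return [r for r in reqs if r.kind is not Kind.AUDIT and r.status is not Status.PASSED]


def login_allowed(reqs):
    """Whether the Complete button lets the user in (steps 17 to 19): every
    Mandatory requirement must have passed. Failed or skipped Optional
    requirements do not block login; a skipped Mandatory one does."""
    return all(r.status is Status.PASSED for r in reqs if r.kind is Kind.MANDATORY)


def run_remediation(reqs, run_checked, outcome):
    """Walk the failed rows in order as the Remediate button does (step 14).
    `run_checked` holds the names whose Run checkbox is ticked (Mandatory rows
    are always ticked); an unticked Optional row is marked failed and passed
    over without any action (step 17). `outcome` maps a name to whether its
    remediation succeeded, standing in for the real download/update result."""
    for r in report_rows(reqs):
        if r.kind is Kind.OPTIONAL and r.name not in run_checked:
            r.status = Status.FAILED
            continue
        r.status = Status.PASSED if outcome.get(r.name, False) else Status.FAILED
    return reqs


def skip(req):
    """The Skip button (step 15): the user moves on, but a Mandatory requirement
    left in this state still prevents login."""
    req.status = Status.SKIPPED
    return req
```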

Mac OS X Cisco NAC Agent Application File Locations

The Cisco NAC Agent application itself is installed under Macintosh HD > Applications > CCAAgent.app (Figure 10-82).

Figure 10-82 Cisco NAC Agent—Application Installation Location

The Cisco NAC Agent event.log debug file and preference.plist user preferences file are installed in the <username> > Library > Application Support > Cisco Systems > CCAAgent folder (Figure 10-83).

Figure 10-83 Cisco NAC Agent—event.log and preference.plist File Locations

The preference.plist file (Figure 10-84) includes:

Whether AutoPopup Login Window is checked in the Menu (AutoPopup).

Whether Remember Me is checked in the Login screen (RememberMe).

How frequently the Agent performs Access-to-Authentication VLAN change detection (VlanDetectInterval).


Note The Mac Agent automatically creates a preference.plist file when either or both of the "Auto Popup Login Window" or "Remember Me" options are enabled for the Mac Agent. If neither of these options is enabled for the Agent, the user has to create the preference.plist file manually on the Mac OS X client machine.


Figure 10-84 Cisco NAC Agent—preference.plist File Contents

RADIUS Challenge-Response Mac OS X Cisco NAC Agent Dialogs

If you configure the Clean Access Manager to use a RADIUS server to validate remote users, the end-user Cisco NAC Agent login session may include extra authentication challenge-response dialogs, beyond the standard user ID and password, that do not appear in other login sessions. This additional interaction is driven by the user authentication profile on the RADIUS server itself and does not require any additional configuration on the Clean Access Manager. For example, the RADIUS server profile configuration may include an additional authentication challenge, such as verifying a token-generated PIN or other user-specific credentials, in addition to the standard user ID and password. In this case, one or more additional login dialog screens may appear as part of the login session.

The following section provides an example of the dialog exchange for Mac OS X Cisco NAC Agent user authentication.

1. The remote user logs in normally and provides their username and password in the Mac OS X Cisco NAC Agent login dialog as shown in Figure 10-85.

Figure 10-85 Mac OS X Login Dialog

2. If the associated RADIUS server has been configured to authenticate users with additional credentials, the user is presented with one or more additional challenge-response dialogs (like the password renewal scenario shown in Figure 10-86) for which they must provide additional credentials to authenticate and connect.

Figure 10-86 Additional Mac OS X RADIUS Challenge-Response Dialogs

3. Once the additional challenge-response(s) are validated, the RADIUS server notifies the Clean Access Manager that the user has successfully authenticated and should be granted remote access (Figure 10-87).

Figure 10-87 Mac OS X RADIUS Challenge-Response Authentication Successful