Table Of Contents
Cisco NAC Appliance Configuration Quick Start Guide, Release 4.1
Introduction
About Cisco NAC Appliance
About This Document
In-Band (IB) or Out-of-Band (OOB) Deployment
Add a Clean Access Server
Troubleshooting
Manage the Clean Access Server
Set Up DHCP
Add a Default Login Page
Edit the Login Page
Create a User Role and Local User
Configure Traffic Policies for User Roles
Require Use of Clean Access Agent
Make Agent Auto-Upgrade Mandatory
Configure an AV Requirement
Test as a Managed Client
Configure Authentication Servers
User Authentication Test
Cisco NAC Appliance Configuration Quick Start Guide, Release 4.1
1 Introduction
About Cisco NAC Appliance
Cisco® NAC Appliance (formerly Cisco Clean Access) is a Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops, and corporate assets are compliant with a network's security policies, and it repairs any vulnerabilities before permitting access to the network.
Cisco NAC Appliance is a network-centric integrated solution administered from the web console of the Clean Access Manager (CAM), enforced through the Clean Access Server (CAS), and applied on clients through the Clean Access Agent client software. You can deploy the Cisco NAC Appliance solution in the configuration that best meets the needs of your network.
The Cisco NAC Appliance is a Linux-based network hardware appliance which is pre-installed with either the CAM (MANAGER) or CAS (SERVER) application, the operating system and all relevant components on a dedicated server machine. The operating system comprises a hardened Linux kernel based on a Fedora core. Cisco NAC Appliance does not support the installation of any other packages or applications onto a CAM or CAS dedicated machine.
About This Document
Cisco NAC Appliance Configuration Quick Start Guide, Release 4.1 (this guide) assumes you have unpacked, installed, and licensed your Cisco NAC Appliances according to the guidelines in the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1. Therefore, this guide is intended only to provide instructions for how to use the web administration console of the Clean Access Manager to configure your Cisco NAC Appliance system. It is intended to illustrate the minimum steps required to configure the Clean Access Manager and Clean Access Server in order to test as a network client on the system using the Clean Access Agent via local authentication.
For comprehensive configuration information, refer to the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide and Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide applicable to your release (e.g. 4.1(1) or 4.1(2)).
Both guides are available on Cisco.com under http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html. When using the online publications, refer to the documents that match the software version running on your NAC Appliance.
2 In-Band (IB) or Out-of-Band (OOB) Deployment
In-Band
Except where noted, this guide describes basic configuration required for all Cisco Clean Access systems, whether deployed In-Band or Out-of-Band. Out-of-Band deployment requires additional configuration as described below.
Out-of-Band
In a traditional In-Band Cisco NAC Appliance deployment, all network traffic to or from clients always goes through the Clean Access Server. For high throughput or highly routed environments, a Cisco NAC Appliance Out-of-Band (OOB) deployment allows client traffic to pass through the Clean Access network only for authentication, posture assessment and remediation. Once a user's device has successfully logged on, its traffic traverses the switch port directly and no longer passes through the Clean Access Server.
With OOB deployment, you can add switches to the Clean Access Manager's domain and control switches and VLAN assignments to ports using SNMP. To deploy OOB:
•
Install the latest 4.1(x) release of Cisco Clean Access software on your CAM and CAS(s).
•Ensure your product license(s) for your CAM and CAS(s) enable OOB. The Clean Access Server itself is either IB or OOB. A Clean Access Manager that is license-enabled for OOB can control both IB and OOB Clean Access Servers.
•Use supported switch models and IOS/CatOS versions for switches you will control through your CAM. For later configuration, you will need to know whether the switch OS supports MAC-notification SNMP traps. Refer to Switch Support for Cisco NAC Appliance for complete details.
•Configure your switches.
•Configure the CAM to add and control your switches using the Switch Management module of the CAM web console.
For more information on IB and OOB deployment options, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide and Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide.
3 Add a Clean Access Server
Note This section and the following configuration sections assume you have unpacked, installed, and licensed your Cisco NAC Appliances according to the guidelines in the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1.
Once you have installed valid licenses and accessed the web admin console, add a Clean Access Server to the Clean Access Manager's managed domain:
Step 1 Go the Device Management module and click the CCA Servers link.
Step 2 Click the New Server tab.
Step 3 In the Server IP Address field, type the trusted interface (eth0) IP address of the Clean Access Server you want to add.
Step 4 Server Location is an optional description of the server. Type a rack location, server type (e.g. NAC-3350) or any other information that identifies the CAS.
Step 5 The Server Type sets whether the CAS operates as a bridge or a gateway when added to the CAM. Refer to Table 1 to determine the CAS operating mode as appropriate for your environment, then choose the Server Type from the dropdown menu. After the CAS is added, you can change the Server Type of the CAS, but this will require an Update and Reboot of the CAS.
Note The CAM can manage all IB and OOB Clean Access Servers added to its domain, but the CAS itself can only be either IB or OOB.
Table 1 Clean Access Server Types
|
|
Description
|
Required Configuration Steps
|
Virtual Gateway
|
CAS acts as a bridge between the untrusted network and an existing gateway.
|
Warning For Virtual Gateway (IB or OOB), do not connect the untrusted interface (eth1) of the CAS to the switch until after the CAS is added to the CAM, and VLAN mapping is configured correctly under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. See the applicable Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide for details.
•The CAS interfaces must be on a different subnet/VLAN from the CAM.
•The trusted (eth0) and untrusted (eth1) interfaces of the CAS can have the same IP address.
•The CAS is automatically configured for DHCP Passthrough.
|
Real-IP Gateway
|
CAS acts as a gateway for the untrusted network.
|
•For Real-IP/NAT Gateways, the trusted (eth0) and untrusted (eth1) interfaces of the CAS must be on different subnets/VLANs.
•Static routes must be added on the L3 switch/router to route traffic for managed subnets to the trusted interface of the respective CAS(s).
|
NAT Gateway
|
CAS acts as a gateway and performs NAT services for the untrusted network.
|
The trusted (eth0) and untrusted (eth1) interfaces of the CAS must be on different subnets/VLANs.
Note NAT Gateway (in-band or out-of-band) should only be used for demo/testing purposes. For production deployments, only Virtual or Real-IP Gateway is supported.
|
Out-of-Band Virtual Gateway
|
CAS is a Virtual Gateway while traffic is in-band for authentication and certification.
|
Warning For Virtual Gateway (IB or OOB), do not connect the untrusted interface (eth1) of the CAS to the switch until after the CAS is added to the CAM and VLAN mapping is correctly configured.
•The CAS interfaces must be on a different subnet/VLAN from the CAM.
•The trusted (eth0) and untrusted (eth1) interfaces of the CAS can have the same IP address.
•The CAS is automatically configured for DHCP Passthrough.
•For OOB Virtual Gateway, the CAS management VLAN must also be on a different VLAN than the user or Access VLANs.
|
Out-of-Band Real-IP Gateway
|
CAS is a Real-IP Gateway while traffic is in-band for authentication and certification.
|
•The trusted (eth0) and untrusted (eth1) interfaces of the CAS must be on different subnets/VLANs.
•Static routes must be added on the L3 switch/router to route traffic for managed subnets to the trusted interface of the respective CAS(s).
|
Out-of-Band
NAT Gateway
|
CAS is a NAT Gateway while traffic is in-band for authentication and certification.
|
The trusted (eth0) and untrusted (eth1) interfaces of the CAS must be on different subnets/VLANs.
Note NAT Gateway (in-band or out-of-band) is not supported for production deployments.
|
Step 6 Click Add Clean Access Server.
Troubleshooting
If the Clean Access Manager cannot add the Clean Access Server to its managed list of servers:
•Make sure the CAS is pingable. If not, the network settings may be incorrect. Reset them using service perfigo config.
•The CAM and CAS must have the same shared secret. If this is the problem, reset the shared secret with service perfigo config.
•In Virtual Gateway mode, ensure that the CAM and CAS are on different subnets.
4 Manage the Clean Access Server
Step 1 Once added to the Clean Access Manager, the new Clean Access Server should appear with a Status of Connected in the list under Device Management > CCA Servers > List of Servers.
Step 2 Click the Manage button for the corresponding Clean Access Server in the List of Servers to bring up the Clean Access Server (CAS) management pages (Figure 1).
Step 3 By default, the Status tab for the Clean Access Server appears first. The Status page shows whether the components of the server are running.
Figure 1 CAS Management Pages (Status Tab)
Note In this document, Device Management > CCA Servers > Manage [CAS_IP] denotes the CAS management pages accessed from Device Management > List of Servers > Manage.
Step 4 Click the Network tab and verify the settings on the IP page for the Trusted and Untrusted interfaces against your configuration using the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1.
Step 5 If you need to modify settings on this form, make sure to click Update, then Reboot. The CAS will show a status of "Not connected" while it reboots. Wait for it to show "Connected" status before continuing.
5 Set Up DHCP
If using a Real-IP or NAT Gateway configuration for the server, configure DHCP settings as described below. If a DHCP server already exists in your environment, it may be easiest to relay to that server for initial testing purposes. See the applicable Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide for further details on DHCP configuration in the CAS.
Step 1 In the CAS management pages, click the Network tab, then the DHCP submenu link. The DHCP Status tab displays by default.
Step 2 The DHCP type dropdown menu indicates the DHCP operation mode for the Clean Access Server. The options are:
a. DHCP Passthrough (default for Virtual Gateway CAS) - The CAS propagates the DHCP broadcast messages across its interfaces without modification. This mode should be selected if there is an existing DHCP server on the network segment.
b. DHCP Relay - The CAS forwards messages from clients to another DHCP server. If selecting this type, wait for the page to refresh after clicking the Select DHCP Type button, then specify the external DHCP server by IP address in the Relay to DHCP Server field and click Update.
c. DHCP Server - The CAS allocates client IP addresses for the untrusted (managed) network.
Step 3 For this example, choose DHCP Server as the operation type and click the Select DHCP Type button (note that this button toggles to Select DHCP Type and Reboot Clean Access Server after the CAS is configured as a DHCP Server).
Step 4 From Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP, Click the Subnet List tab, then the New sublink.
Step 5 In the New range form, fill out the following fields:
•IP Range - The IP address pool to be assigned to clients.
•Default Gateway - The IP address of the default gateway IP address passed to clients (this should be the untrusted (eth1) IP address of the CAS you configured in the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1.
•Default/Max Lease Time (seconds) - The default and maximum amount of time that the IP address is given to the client, in seconds (such as 3600). The default lease time is used if the client does not request a particular lease time.
•DNS Suffix - The DNS suffix to be passed to clients along with the address (e.g. yourorganization.com).
•DNS Servers - The address of one or more DNS servers in the client's environment. Multiple addresses should be comma-separated.
•WIN Servers - The address of one or more WIN servers in the client's environment. Multiple addresses should be comma-separated.
•Restrict range to VLAN ID - This option is used when more than one managed subnet is added and more than one VLAN is configured. You can leave this blank for this example.
•Subnet/Netmask - Choose how the subnet and netmask values are calculated for the IP pool. Options are:
–Calculate from existing managed subnets
–Calculate smallest subnet for IP range entered
–Manually enter subnet and mask—the Subnet and Netmask fields appear below if this option is selected
For this example, select Calculate smallest subnet for IP range entered.
Step 6 When finished, click Update. If any error messages appear, correct the configuration as instructed and try creating the pool again.
Step 7 The new subnet list now appears under Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Subnet List > List.
Step 8 You can click the DHCP Status tab to display the total number of Dynamic IPs configured for the new subnet list and Available IPs remaining in the subnet list that can be assigned to clients (in the example below, only one address is assigned).
Step 9 When IP addresses are assigned to clients, clicking the View MACs button (magnifying glass icon) on the DHCP Status page displays the client information.
Step 10 You can verify that the DHCP module is running for a CAS by clicking the Status tab for the Clean Access Server. Make sure the DHCP Server module displays a status of Started.
6 Add a Default Login Page
A default login page must exist to allow all managed users (web login or Clean Access Agent) to authenticate. The login page appears to web login users whenever they open a web browser to access the network. Before full deployment, you can customize the page to reflect your organization.
Step 1 In the console, click Administration > User Pages.
Step 2 Click the Login Page tab. The List submenu page appears by default.
Step 3 Click the Add submenu link.
Step 4 Leaving the default settings (*), click the Add button to add a default login page for all users.
Step 5 The new page appears under Login Page > List.
Edit the Login Page
To modify a login page configuration later, click the Edit button next to the page under Administration > User Pages > Login Page > List. This brings up the following configuration options:
•The General sublink allows you to make the page frame-based (allowing organizational logos to be added) or frame-less, and target the page to users by VLAN, subnet, or Operating System.
•The Content sublink lets you customize login page elements such as default authentication servers, instructional text, button labels, and add logo files you uploaded to the CAM using Administration > User Pages > File Upload. The Content page also provides a Preview button to enable you to see what the page will look like to end users.
•The Style sublink lets you alter background and foreground colors and styles of the page.
For complete details, see the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.
7 Create a User Role and Local User
Cisco Clean Access puts users in roles when users log into the Clean Access network (Out-of-Band users are put into roles during the time that they are In-Band). User roles aggregate a variety of user policies in the system, including traffic, bandwidth, application of network scanning plugins, and Clean Access Agent host requirements. The steps below show how to create a normal login role, then create a test local user to authenticate into that role. (Local users are validated by the Clean Access Manager and are used primarily for testing.) Once the role is created, you can configure the associated policies for the users in the role.
Step 1 Go to User Management > User Roles.
Step 2 Click the New Role tab to bring up the New Role form.
Step 3 Type a name for Role Name, such as user, and an optional Role Description. For this example, use the default values for the other form fields.
Step 4 Click Create Role. The new role appears under User Management > User Roles > List of Roles.
Step 5 Next, go to User Management > Local Users.
Step 6 Click the New Local User tab and fill in form fields as follows:
a. Type a User Name, such as TestUser.
b. Enter a password for the Password and Confirm Password fields.
c. Type an optional Description for the user.
d. Choose the role you previously created, user, from the Role dropdown menu.
e. Click Create User.
Step 7 The new user now appears under User Management > Local Users > List of Local Users.
8 Configure Traffic Policies for User Roles
By default, when a new normal login role is created, all client-side traffic originating from the untrusted network is blocked and all CAM/CAS-side traffic originating from the trusted network is allowed. After a normal login user role is created, Untrusted -> Trusted traffic control policies need to be configured to allow users to send and receive traffic while logged into that role. When users log into the network using the Clean Access Agent, the system first puts them in the system Temporary role while determining whether they meet host requirements. If they do, users are allowed on the network in the normal login role to which their user credentials are associated. If clients fail requirements, users stay in the Temporary role until they meet requirements or reach session timeout. (If using network scanning, clients that fail scan plugins can be put in a quarantine role or blocked from the network. See the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide for details on network scanning.)
Step 1 Go to User Management > User Roles > List of Roles and click the Policies button for the new user role you created.
Step 2 This will take you to the User Management > User Roles > Traffic Control tab (filtered for the specified role). The Traffic Control tab has three sublinks: IP, Host, and Ethernet that navigate to the list of IP-based, Host-based, and Layer 2 traffic policies, respectively. For each list, traffic policies can be displayed for all user roles in the system or just the one you pick from the dropdown menu. The IP policy list appears initially by default, with the traffic direction set to Untrusted -> Trusted (for traffic moving from managed clients to the protected backend network).
Note Because the User Management > User Roles > Traffic Control > Ethernet tab is only applicable for Virtual Gateway deployments, this guide does not present a Layer-2 Ethernet traffic Policy configuration example.
Step 3 From User Management > User Roles > Traffic Control > IP, and with your "user" role selected from the dropdown menu, click the Add Policy link for the role (on the right-hand side of the page).
Step 4 In the IP-based Add Policy form that appears for the user role, configure options as follows:
a. Leave Priority as 2.
b. Leave Action as Allow.
c. To enable all access, choose ALL TRAFFIC from the Category dropdown menu.
d. Click Add Policy. The policy will display for the user role under User Management > User Roles > Traffic Control > IP.
Note The Priority field determines which IP traffic policy is applied first. You can change this any time using the up/down arrows of the Move column in the policies list.
Step 5 Go to User Management > User Roles > Traffic Control > Host.
Step 6 Choose Temporary Role from the dropdown list and click Select or scroll down the configuration window to the policies for the Temporary Role.
Step 7 At the bottom of the form, make sure the default asterisk (*) is in the Trusted DNS Server text box and click the Add button next to the entry. This allows traffic for any DNS server and automatically adds an IP-based traffic policy allowing UDP traffic to/from the trusted network for clients in the Temporary role.
Step 8 Next, click the Enable checkboxes for any of the preconfigured Allowed Hosts to allow clients who fail Clean Access Agent requirements to go to these sites to fix their systems while they are in the Temporary role. You can also add your own hosts by entering the information in the Allowed Host and Description text box fields, selecting an operator (e.g. contains) and clicking the Add button.
9 Require Use of Clean Access Agent
New users are presented with a webpage from which they can download the setup executable to install the Clean Access Agent the first time they open a web browser and perform a web login (see Figure 3). Once the Clean Access Agent is downloaded to clients, you can configure the Agent to be automatically updated on clients via the web administration console (see Make Agent Auto-Upgrade Mandatory).
Step 1 Go to Device Management > Clean Access.
Step 2 Click the General Setup > Agent Login subtab.
Step 3 Select the user role from the User Role dropdown menu.
Step 4 Leave the default setting of ALL for the client Operating System dropdown.
Step 5 Click the checkbox for Require use of Clean Access Agent.
Step 6 Click Update. This will present the Clean Access Agent download page to any user that opens a web browser and logs in with credentials that associate the user to the user role.
10 Make Agent Auto-Upgrade Mandatory
You can enable mandatory or optional Agent auto-upgrade for all Clean Access Agent users. To make Agent auto-upgrade mandatory, use the following steps.
Step 1 Go to Device Management > Clean Access > Clean Access Agent > Distribution.
Step 2 Click the checkbox for "Current Clean Access Agent Patch is a mandatory upgrade."
Step 3 Click the Update button.
Step 4 Go to Device Management > Clean Access > Clean Access Agent > Updates > Update.
Step 5 Click the checkbox for "Check for Windows CCA Agent upgrade patches."
Step 6 Click the Update button.
When users reboot or exit/restart their Clean Access Agent, they will see a prompt to upgrade to a newer Agent when an update patch is downloaded to the CAM and made available to the CAS. The user must click OK (mandatory upgrade) and the client automatically installs the newer Agent. If auto-upgrade is left as optional, users will still see a prompt when they reboot or exit/restart their Agent, but they have the option of clicking Yes to install it immediately or No to postpone the upgrade.
11 Configure an AV Requirement
Once you have enforced use of the Clean Access Agent on a role, you can configure a variety of requirements to make sure users trying to log into the role have required packages on their systems (e.g. hotfixes, antivirus software or virus definition files) or alternatively, block users who have undesirable software installed. The following example shows how to configure a Clean Access Agent AV Definition Update requirement that checks if Sophos Plc. antivirus definition files are up-to-date on a Windows Vista, XP, or 2000 client. For complete details on how to configure Clean Access Agent AV and custom requirements in the web admin console, see the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide. In this example, the general configuration steps are as follows:
1. Update your CAM
2. Create New AV Rule
3. Create New AV Definition Update Requirement
4. Map AV Definition Update Requirement to AV Definition Rule
5. Map AV Definition Update Requirement to User Role
Update your CAM
Step 1 Ensure you update your CAM to the latest version of the Supported Antivirus Product List, Cisco Checks & Rules, and CCA Agent Upgrade Patch by going to Device Management > Clean Access > Clean Access Agent > Updates.
Step 2 Make sure the "Check for CCA Agent upgrade patches along with Checks, Rules and AV List" option is enabled before updating to ensure that any Agents installed on clients are updated with the latest patches.
Step 3 To configure Automatic Update, click the checkbox for "Check for updates every [] hours." (Cisco recommends 1 hour).
Step 4 Click Update. Status messages appear at the bottom of the page when update is complete.
Create New AV Rule
Step 5 Go to Device Management > Clean Access > Clean Access Agent > Rules > New AV Rule.
Step 6 Type a name in the Rule Name field, such as TestRule (make sure there are no spaces in the name).
Step 7 Select Sophos Plc. from the Antivirus Vendor dropdown menu. This populates the form below, Checks for Selected Operating Systems, with the vendor's products (for the default Type and OS, which is Installation and Windows Vista/XP/2K, respectively).
Note Choosing ANY from the Antivirus Vendor dropdown configures the AV rule to check the client for any supported AV product from any of the vendors (for the OS specified).
Step 8 Select Virus Definition from the Type dropdown menu. Note that this disables (greys out) the Installation checkboxes on the form below.
Step 9 Select Windows Vista/XP/2K from the Operating System dropdown menu. This displays the vendor's product versions for this client OS.
Step 10 Type an optional Rule Description if desired.
Step 11 In the form for Checks for Selected Operating Systems, click the checkbox for a specific product(s), for example Sophos AntiVirus 5.x and Sophos AntiVirus 6.x, or click the ANY checkbox to configure the AV rule to check client virus definition files for any product supported for Sophos Plc.
Note Choosing ANY from the Checks for Selected Operating Systems table configures the AV rule to check the client for any product supported for that particular vendor and OS.
Step 12 Scroll down all the way to the bottom of the form and verify the Latest Virus Definition Version/Date for Selected Vendor table. This will show the latest version or date value for the chosen product from the AV vendor. When testing on your client, compare these values with the version shown on the client AV software to verify that virus definition files have been updated.
Note You can also view this information from Device Management > Clean Access > Clean Access Agent > Rules > Agent-AV Support Info.
Step 13 Click Add Rule. This adds the new AV definition rule at the bottom of Device Management > Clean Access > Clean Access Agent > Rules > Rule List.
Note If your test client has a different AV package installed, choose a different Antivirus Vendor. The New AV Rule form displays the supported AV products available as of the latest Update for the vendor, OS, and check type (Installation or Virus Definition) chosen. For this example, make sure that Virus Definition is selected for Type.
Create New AV Definition Update Requirement
Step 14 Create an AV Definition Update requirement by going to Device Management > Clean Access > Clean Access Agent > Requirements > New Requirement.
Step 15 Select AV Definition Update from the Requirement Type dropdown menu.
Step 16 Select Sophos Plc. from the Antivirus Vendor Name dropdown menu.
Step 17 Type TestRequirement in the Requirement Name text box (make sure there are no spaces).
Step 18 In the Description textbox, type instructions for the user such as: Please click the Update button to update the virus definition files for your installed Antivirus software. Please allow a few minutes for the update to complete. (Make sure there are no quotations or special characters in the text box.)
Step 19 Click the Windows 2000, Windows XP (All), and Windows Vista (All) checkboxes for Operating System.
Step 20 Click Add Requirement. The new TestRequirement will be listed under Device Management > Clean Access > Clean Access Agent > Requirements > Requirement List.
Map AV Definition Update Requirement to AV Definition Rule
Step 21 Go to Device Management > Clean Access > Clean Access Agent > Requirements > Requirement-Rules.
Step 22 Select TestRequirement from the Requirement Name dropdown menu.
Step 23 Select Windows Vista (All) from the Operating System dropdown menu. All AV rules and preconfigured Cisco rules ("pr_") applicable to the requirement and OS will display.
Step 24 Leave the default setting for Requirement met if: (All selected rules succeed).
Step 25 Under Rules for Selected Operating System, scroll down to the bottom of the page and click the checkbox for TestRule.
Step 26 Click Update.
Step 27 Repeat Step 23 through Step 26 so that you map the same AV rule to the requirement for both the Windows XP (All) and Windows 2000 operating systems.
Map AV Definition Update Requirement to User Role
Step 28 Go to Device Management > Clean Access > Clean Access Agent > Role-Requirements.
Step 29 Leave Normal Login Role selected for the Role Type dropdown menu.
Step 30 Select user from the User Role dropdown menu.
Step 31 The form under Select requirements to associate with the role displays all requirements you have configured. Click the checkbox for TestRequirement.
Step 32 Click Update. Clean Agent requirement configuration is now complete. For this example configuration, any Windows Vista/XP/2000 user that logs in with user credentials associated to the user role will be required to have up-to-date AV definition files for the Sophos Plc. product chosen. If not, the Clean Access Agent will prompt the user to update their client files.
12 Test as a Managed Client
The easiest way to test Clean Access as an actual user is to connect a client computer to a switch connected to the untrusted (eth1) interface of the Clean Access Server and perform the following tests.
Step 1 Check whether the DHCP module correctly assigns a dynamic IP address:
a. After attaching the client computer, restart it and open a command line window.
b. From a command tool, type ipconfig /all and check the IP address and DHCP information you have been assigned. Your IP address should fall within the range of addresses you configured for the DHCP module.
Note If you do not immediately get a client IP address in the correct range, try typing ipconfig /release then ipconfig /renew in the command tool.
Step 2 Check your web access:
a. From a browser on your computer, attempt to navigate to any web page.
b. In the Security Alert warning dialog, click Yes to accept the temporary certificate.
c. You should be redirected to the default web login page (Figure 2).
Note Login page elements should be customized for your own organization before live deployment. See Edit the Login Page for details.
Figure 2 Web Login Page
.
Note If entering a domain name as a URL does not bring up the login page, your DNS settings may not be properly configured. In this case, try entering 1.1.1.1 as the URL to redirect you to the web login page.
Step 3 Login with the Username and Password you created for your local user.
Step 4 Click Continue. The Clean Access Agent download page should appear (Figure 3).
Figure 3 Clean Access Agent Download Page
Step 5 Click the Download button and Save the setup executable to an accessible folder. Then Run the file.
Step 6 The Clean Access Agent Install Shield Wizard appears. Follow the installation instructions and install the Clean Access Agent to your client machine. The Clean Access Agent will install to C:\Program Files\Cisco Systems\Clean Access Agent\ on the client.
Step 7 When the installation is complete, you will see Clean Access Agent system tray icon, desktop shortcut, and login dialog.
Step 8 Right-clicking the Clean Access Agent system tray icon brings up the taskbar menu.
There are four options:
•Login/Logout—This option toggles depending on the login status of the user. Users can log themselves out by right-clicking the menu and selecting Logout.
•Popup Login Window—This is enabled by default and causes the CCA Agent login dialog to pop up whenever the client is behind the CAS and is not logged in.
•About—This displays the version of the CCA Agent.
•Exit—This quits the Clean Access Agent. The user will not be logged out. To restart the application and display it on the system tray, double-click the Clean Access Agent desktop shortcut.
Note Exit does not log off users from the network, nor does rebooting the client computer. Users can only log themselves off the network by right-clicking the taskbar menu and selecting Logout.
Step 9 In the Clean Access Agent login dialog that pops up, login with the Username and Password you created for the local user.
Step 10 Because you configured an AV Definition Requirement for this user role, a temporary access dialog should display if your client AV definition files are not up-to-date.
Step 11 Click Continue. The AV requirement you configured displays in the Required Antivirus Update dialog. You will have a default session time of 4 minutes in the Temporary role to perform whatever action is necessary to meet the requirement type (in this case, update your AV definition files).
Step 12 Click the Update button in the Required Antivirus Update dialog. The Clean Access Agent will update the virus definition files for the AV software directly.
Step 13 A confirmation dialog pops up when update is complete. Click OK.
Step 14 Click the Next button in the Required Antivirus Update dialog. A login success confirmation should appear.
Step 15 Click OK. You should now have access to the network in the user role (with corresponding traffic policies).
Note If you time out of your Temporary session, you will instead see a "Temporary access to the network has expired" dialog. In this case, click OK, wait for the login dialog to pop up, and login again.
Step 16 Open the AV software on the client and verify that the version/date information has updated for the virus definition file.
Tip When using Automatic Update from the CAM, you can verify the latest system virus definition versions/dates for various AV products by selecting the applicable vendor/product from the AV/AS Support Info or New AV Rule page.
13 Configure Authentication Servers
To integrate Cisco Clean Access with an existing authentication server, you will need to know the configuration parameters for the type of authentication server you want to use. These can include the location of the authentication server, connect strings, and so on. Use the following steps once you have the information applicable for your authentication source.
Step 1 Go to User Management > Auth Servers.
Step 2 Click the New subtab.
Step 3 Choose the type of authentication source you are using from the Authentication Type scroll list. Options are as follows:
Step 4 The parameters specific for the authentication type appear in the form.
Step 5 Type a name for the source in the Provider Name field. This name will appear in the Provider list in the login page.
Step 6 Enter other parameters appropriate for your authentication source and click Add Server.
Step 7 The new external authentication server appears under User Management > Auth Servers > List.
See the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide. for details on configuring mapping rules to map users into user roles based on VLAN ID or LDAP/RADIUS authentication server attributes.
14 User Authentication Test
Before testing an external authentication server as an actual user, there is a simple user authentication test that can validate your authentication server parameters immediately in the web admin console.
Step 1 Go to User Management > Auth Servers > Auth Test.
Step 2 Select a Provider. The Clean Access Manager is the default Local provider.
Step 3 Enter User Name and Password values and click the Test button. The results appear at the bottom of page. If the username and password are valid, the console displays the role assigned to the user.
Note Under Administration > User Pages > Login Page > Edit > Content > Default Provider, make sure to change your Default Provider from Local DB to the new auth server you configured to allow clients to be authenticated externally instead of locally in the Clean Access Manager.
Step 4 Users should now be able to access the managed network using the login credentials stored in the authentication source you configured. Perform client testing as described in Test as a Managed Client.
Feedback
