Table Of Contents
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(6)
Cisco NAC Appliance Service Contract/Licensing Support
System and Hardware Requirements
Supported Switches for Cisco NAC Appliance
VPN Components Supported for Single Sign-On (SSO)
Software Compatibility Matrixes
Release 4.0(x) Compatibility Matrix
Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix
Release 4.0(x) Agent Upgrade Compatibility Matrix
Determining the Software Version
Clean Access Manager (CAM) Version
Clean Access Server (CAS) Version
Cisco Clean Access Updates Versioning
Enhancements in Release 4.0.6.1
Supported AV/AS Product List Enhancements
Enhancements in Release 4.0(6)
Debug Log Download Enhancement
Syslog Configuration Enhancement
Supported AV/AS Product List Enhancements (Version 63)
Enhancements in Release 4.0(5)
Important Installation Notes for NAC-3310
Supported AV/AS Product List Enhancements
New Features and Enhancements in Release 4.0(4)
Support for Windows Vista Operating System
License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
Improved Memory Footprint for Clean Access Agent Reports
Broadcast ARP Server Management Option Removed
Supported AV/AS Product List Enhancements (Version 47)
Enhancements in Release 4.0.3.3
Enhancements in Release 4.0.3.2
Upgrade Instructions for 4.0.3.2
Enhancements in Release 4.0.3.1
Upgrade Instructions for 4.0.3.1
Enhancements in Release 4.0(3)
Support for Windows XP Media Center Edition (MCE)/Tablet PC Operating Systems
New "pr_" Rules for MCE/Tablet PC Hotfixes
Restricted Network Access Option for Clean Access Agent Users
Supported AV/AS Product List Enhancements (Version 44)
Enhancements in Release 4.0.2.2
Upgrade Instructions for 4.0.2.2
Enhancements in Release 4.0.2.1
Upgrade Instructions for 4.0.2.1
Enhancements in Release 4.0(2)
Upgrade Instructions for 4.0(2)
New Features and Enhancements in Release 4.0(1)
OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
Link-Failure Based Failover in CAS HA
CAM Admin Console Login Enhancements
Client OS Detection Signature Lookup
Start Timer Specification for Cisco Updates
Enhancements for Windows XP Media Center Edition/Tablet PC
Supported AV/AS Product List Enhancements (Version 43)
Enhancements in Release 4.0.0.1
Upgrade Instructions for 4.0.0.1
New Features and Enhancements in Release 4.0(0)
Support for Active Directory (Windows Domain) Single Sign-On (SSO)
Corporate Asset Authentication and Posture Assessment by MAC Address
Support for Layer 3 Out-of-Band (OOB) Deployment
New Windows Update Requirement Type
SMP Kernel Support for Super CAM
Support for Assigning VLANs by VLAN Name in OOB Deployments
Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
Ability to Change Priority of Wildcard/Range Global Device Filters
Ability to View or Search Active L2 Devices in Device Filter List
Ability to Test MAC Addresses Against Device Filters
Support for Relay IP Class Restrictions on DHCP Server
Support for DHCP Global Actions
New "service perfigo maintenance" CLI Command for CAS
Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
Support for Stub Installation/Update of the Clean Access Agent
OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
CAS Host-Based Traffic Policy Enhancements for Proxy Servers
Enhancements for DHCP Option Configuration Forms
Supported AV/AS Product List Enhancements (Version 42)
Cisco Pre-Configured Rules ("pr_")
Using Cisco Rules to Check for CSA
Clean Access Supported AV/AS Product List
Clean Access AV Support Chart (Windows Vista/XP/2000)
Clean Access AV Support Chart (Windows ME/98)
Clean Access AS Support Chart (Windows Vista/XP/2000)
Supported AV/AS Product List Version Summary
Clean Access Agent Version Summary
Open Caveats - Release 4.0.6.1
Resolved Caveats - Agent Version 4.0.6.2
Resolved Caveats - Release 4.0.6.1
Resolved Caveats - Release 4.0(6)
Resolved Caveats - Agent Version 4.0.5.1
Resolved Caveats - Release 4.0(5)
Resolved Caveats - Release 4.0(4)
Resolved Caveats - Release 4.0.3.3
Resolved Caveats - Release 4.0.3.2
Resolved Caveats - Release 4.0.3.1
Resolved Caveats - Release 4.0(3)
Resolved Caveats - Release 4.0.2.2
Resolved Caveats - Release 4.0.2.1
Resolved Caveats - Release 4.0(2)
Resolved Caveats - Release 4.0(1)
Resolved Caveats - Release 4.0.0.1
Resolved Caveats - Release 4.0(0)
Known Issues for Cisco NAC Appliance
Known Issue with NAT/PAT Devices and L3 Deployments
Known Issues with HP ProLiant DL140 G3 Servers
Known Issue with NAC-3310 CD Installation
Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection
Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
Known Issue with MSI Agent Installer File Name
Known Issue with Windows 98/ME/2000 and Windows Script 5.6
New Installation of Release 4.0(x)
Settings That May Change With Upgrade
General Preparation for Upgrade
In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines
Mount the CD-ROM and Run the Upgrade File
Swap Ethernet Cables (if Necessary)
In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs
Determine Active and Standby Machines
Shut Down Standby Machine and Upgrade Active Machine In-Place
Shut Down Active Machine and Upgrade Standby Machine In-Place
Complete the HA In-Place Upgrade
Upgrading from 3.6(x)/4.0(x) —Standalone Machines
Web Console Upgrade—Standalone Machines
Console/SSH Upgrade—Standalone Machines
Upgrading from 3.6(x)/4.0(x)—HA-Pairs
Access Web Consoles for High Availability
Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs
Upgrading or Installing Super Manager Software
Upgrading NAC-3390 MANAGER (Super CAM) Software
CD Installation of Super CAM Software
Windows Vista Agent Stub Installer Error
Agent Error: "Network Error SSL Certificate Rev Failed 12057"
Recovering Root Password for CAM/CAS (Release 4.0(x)/3.6(x))
Recovering Root Password for CAM/CAS (Release 3.5(x) or Below)
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
Clean Access Agent 4.0.1.0 and IE 7.0 Beta
Clean Access Agent AV/AS Rule Troubleshooting
Enable Debug Logging on the Clean Access Agent
Troubleshooting Switch Support Issues
Troubleshooting Network Card Driver Support Issues
Other Troubleshooting Information
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(6)
Revised: January 30, 2008, OL-10370-01
Contents
These release notes provide late-breaking and release information for Cisco® NAC Appliance, also known as Cisco Clean Access (CCA), release 4.0(x). This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.
• Cisco NAC Appliance Service Contract/Licensing Support
• System and Hardware Requirements
• Clean Access Supported AV/AS Product List
• Clean Access Agent Version Summary
• Known Issues for Cisco NAC Appliance
• New Installation of Release 4.0(x)
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Cisco NAC Appliance Releases
Note
Any ED release of software should be utilized first in a test network before being deployed in a production network.
Cisco NAC Appliance Service Contract/Licensing Support
For complete details on licensing, including service contract support, new licenses, evaluation licenses, legacy licenses and RMA, refer to Cisco NAC Appliance Service Contract/Licensing Support.
System and Hardware Requirements
This section describes the following:
• Supported Switches for Cisco NAC Appliance
• VPN Components Supported for Single Sign-On (SSO)
System Requirements
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:
• Clean Access Manager (CAM) system requirements
• Clean Access Server (CAS) system requirements
• Clean Access Agent (CAA) system requirements
• CAS High Availability Requirements
Hardware Supported
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:
• Cisco NAC Appliance 3310, 3350, 3390 hardware platforms
• Supported server hardware configurations
• Pre-installation instructions for applicable server configurations
• Troubleshooting information for network card driver support
Supported Switches for Cisco NAC Appliance
See Switch Support for Cisco NAC Appliance for details on:
• Switches and NME EtherSwitch service modules that support Out-of-Band (OOB) deployment
• Switch support for Virtual Gateway VLAN mapping
• Known issues with switches/WLCs
• Troubleshooting information
VPN Components Supported for Single Sign-On (SSO)
Table 1 lists VPN components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.
Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO
Cisco NAC Appliance Version | VPN Concentrator/Wireless Controller | VPN Clients
4.0(x)
Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) 1
N/A
Cisco ASA 5500 Series Adaptive Security Appliances, Version 7.2(0)81 or above
• Cisco SSL VPN Client (Full Tunnel)
• Cisco VPN Client (IPSec)
Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco VPN 3000 Series Concentrators, Release 4.7
Cisco PIX Firewall
1 For additional details, see also Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).
Note
Only the SSL Tunnel Client mode of the Cisco WebVPN Services Module is currently supported.
For further details, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0 and Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.0.
Software Compatibility
This section describes software compatibility for releases of Cisco NAC Appliance:
• Software Compatibility Matrixes
• Determining the Software Version
For details on Clean Access Agent client software versions and AV integration support, see:
• Clean Access Supported AV/AS Product List
• Clean Access Agent Version Summary
Software Compatibility Matrixes
This section describes the following:
• Release 4.0(x) Compatibility Matrix
• Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix
• Release 4.0(x) Agent Upgrade Compatibility Matrix
Release 4.0(x) Compatibility Matrix
Table 3, "Release 4.0(x) Compatibility Matrix" shows Clean Access Manager and Clean Access Server compatibility and the Agent version bundled with each CCA 4.0(x) release (if applicable). CAM/CAS/Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in the table.
Prior versions of the 4.0.x.x Clean Access Agent are compatible with the latest 4.0(x) CAM/CAS release, unless otherwise specified. See Clean Access Agent Version Summary for details and caveats resolved for each Agent version.
Table 2 Release 4.0(x) Compatibility Matrix
Clean Access Manager | Clean Access Server | Clean Access Agent
4.0.6.1
4.0.6.1
4.0(6)
4.0(6)
4.0.6.0
4.0.5.1 4
4.0.5.0 5
4.0.4.0 6
4.0.2.1 7
4.0.2.0 8
4.0.1.0
4.0.0.1
4.0.0.0
4.0(4)
4.0(4)
4.0.3.2 11
4.0.3.1 12
4.0.3.1 12
4.0(3) 13
4.0(3) 13
4.0.2.2 14
4.0.2.2 14
4.0.0.1 15
4.0.0.1 15
4.0.2.1 16
4.0(2)
4.0.1.0
4.0.0.1 17
4.0.0.0
4.0(2)
4.0(1) 18 [obsoleted by 4.0(2)]
4.0(1) 18 [obsoleted by 4.0(2)]
4.0(0)
4.0(0)
1 The 4.0.6.1 and later Agents perform authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, nessus scanning via the Clean Access Agent does not perform remediation on the client machine.
2 Release 4.0(5) is a required upgrade for NAC-3310, NAC-3350, NAC-3390 appliances (MANAGER and SERVER). See Enhancements in Release 4.0(5) and Resolved Caveats - Release 4.0(5) for details.
3 If you are installing new system software from a CD-ROM (rather than performing an upgrade) on a NAC-3310 (both MANAGER and SERVER), you must enter DL140 or serial_DL140 at the "boot:" prompt. For details, see Important Installation Notes for NAC-3310.
4 See Resolved Caveats - Agent Version 4.0.5.1 for resolved caveats. For a new installation of Sophos 5.x and 6.x, the definition date is empty until the first update.
5 4.0.5.0 Agent resolves caveat CSCsh40166. See also Clean Access Agent (4.0.5.0).
6 Releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 are the only 4.0(x) releases that support Windows Vista client operating systems. Clean Access Agent stub is supported on Windows Vista starting from release 4.0(6). See also New Features and Enhancements in Release 4.0(4).
7 4.0.2.1 Agent resolves caveat CSCsg37846.
8 4.0.2.0 Agent is not backward compatible with versions 4.0(0) and 4.0(2) of the CAS. This issue is resolved by CAM/CAS patch releases 4.0.0.1 and 4.0.2.2. See Enhancements in Release 4.0.2.2 and Enhancements in Release 4.0.0.1 for details.
9 Release 4.0.3.3 is available on NAC 3300 series platforms only and cannot be downloaded from Cisco Secure Software. See Enhancements in Release 4.0.3.3 and Resolved Caveats - Release 4.0.3.3 for details.
10 If you purchased a Cisco NAC Appliance 3300 Series platform, you can upgrade from 4.0.3.3 to the latest applicable 4.0(x) release only. You cannot upgrade to release 4.1(0).
11 Patch release 4.0.3.2 is applied to the CAM only. For complete upgrade compatibility details and instructions, see Enhancements in Release 4.0.3.2. For details on resolved caveats, see Resolved Caveats - Release 4.0.3.2.
12 Patch release 4.0.3.1 is an upgrade-only patch for 3.6(x) or 4.0(2) and below systems that replaces the upgrade package for 4.0(3). If you are planning to upgrade from 3.6(x)/4.0(x), then upgrade directly to release 4.0.3.1. If you have already upgraded from 3.6(x)/4.0(x) to 4.0(3), there is no need to apply the 4.0.3.1 patch; however, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1 for compatibility with 4.0.2.0 Agent. See Enhancements in Release 4.0.3.1 for details.
13 Release 4.0(3) is compatible with 4.0.2.0 Agent for new installations or in-place upgrade from 3.5(7)+ only. If you have already upgraded from 3.6(x)/4.0(x) to release 4.0(3) and 4.0.2.0 Agent, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1.
14 Patch release 4.0.2.2 is applied to 4.0.2.1/4.0(2) CAM and 4.0(2) CAS and is required for compatibility with the 4.0.2.0 Agent (released with CAM/CAS 4.0(3)). See Enhancements in Release 4.0.2.2 and Resolved Caveats - Release 4.0.2.2 for details.
15 Patch release 4.0.0.1 is applied to 4.0(0) CAM and CAS and is required for compatibility with the 4.0.2.0 Agent (released with CAM/CAS 4.0(3)). See Enhancements in Release 4.0.0.1 and Resolved Caveats - Release 4.0.0.1 for details.
16 Release 4.0.2.1 is applied to 4.0(2) CAMs only and resolves caveat CSCse99396. See Enhancements in Release 4.0.2.1 for details.
17 4.0.0.1 Agent resolves caveat CSCse64395.
18 Release 4.0(1) is obsoleted and replaced by release 4.0(2). If your system is running 4.0(1) or 3.5(x) or 3.6(x) and you wish to upgrade to release 4.0(x), upgrade to the latest 4.0(x) release directly.
Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix
Table 3, "Release 4.0(x)CAM/CAS Upgrade Compatibility Matrix" shows 4.0(x) CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row. When you upgrade your system software, Cisco recommends you upgrade to the most current release available whenever possible.
Note
Release 4.0.3.3 is not available as a software upgrade to customers running 3.5.x/3.6.x/4.0.x systems. It is an appliance-only release and can only be obtained through ordering the Cisco NAC-3310, NAC-3350, or NAC-3390 Appliances. See Enhancements in Release 4.0.3.3 for details.
Table 3 Release 4.0(x)CAM/CAS Upgrade Compatibility Matrix
Clean Access Manager | Clean Access Server
Upgrade From: | To: | Upgrade From: | To:
Current 3.5(x), 3.6(x), and 4.0(x) Release Upgrade Options
4.0(x)
3.6(x)
3.5(7)+ 1
4.0(x)
3.6(x)
3.5(7)+ 1
3.5(x), 3.6(x), and 4.0(x) Release Upgrade Options Prior to 4.0(5)
4.0(x)
3.6(x)
3.5(7)+ 1
4.0(x)
3.6(x)
3.5(7)+ 1
3.5(x), 3.6(x), and 4.0(x) Release Upgrade Options Prior to 4.0(4)
4.0(0) to 4.0.2.1
3.6(x)
4.0(0) and 4.0(2)
3.6(x)
4.0.3.1 7
3.5(7)+ 1
4.0(3) 8
3.5(7)+ 1
4.0(3) 8
4.0(x) Release Upgrade Options Prior to 4.0(3)
4.0.2.1 9
4.0(2)
4.0.2.2 10
4.0(2)
4.0.2.2 10
4.0(x) Release Upgrade Options Prior to 4.0(2)
4.0(0)
4.0.0.1 11
4.0(0)
4.0.0.1 11
1 To upgrade from 3.5(7) and above, you must use In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines and In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs, as appropriate.
2 Release 4.0(5) is a required upgrade for NAC-3310, NAC-3350, NAC-3390 appliances (CAM and CAS). See Enhancements in Release 4.0(5) and Resolved Caveats - Release 4.0(5) for details.
3 If you purchased a Cisco NAC Appliance 3300 Series platform, you can upgrade from 4.0.3.3 to the latest applicable 4.0(x) release only; you cannot upgrade to release 4.1(0).
4 If you are installing new system software from a CD-ROM (rather than performing an upgrade) on a NAC-3310 (both MANAGER and SERVER), you must enter DL140 or serial_DL140 at the "boot:" prompt. For details, see Important Installation Notes for NAC-3310.
5 Releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 are the only 4.0(x) releases that support Windows Vista client operating systems. Clean Access Agent stub is supported on Windows Vista starting from release 4.0(6). See also New Features and Enhancements in Release 4.0(4) for Windows Vista support details and Resolved Caveats - Release 4.0(4).
6 Patch release 4.0.3.2 is applied to the CAM only. For complete upgrade compatibility details and instructions, see Enhancements in Release 4.0.3.2. For details on resolved caveats, see Resolved Caveats - Release 4.0.3.2.
7 Patch release 4.0.3.1 is an upgrade-only patch for systems running release 3.6(x) or 4.0(x) releases prior to 4.0(3) that replaces the upgrade package for 4.0(3). If you are planning to upgrade from 3.6(x)/4.0(x), then upgrade directly to release 4.0.3.1. If you have already upgraded from 3.6(x)/4.0(x) to 4.0(3), there is no need to apply the 4.0.3.1 patch; however, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1 for compatibility with 4.0.2.0 Agent. See Enhancements in Release 4.0.3.1 for details.
8 Release 4.0(3) is compatible with 4.0.2.0 Agent for new installations or in-place upgrade from 3.5(7)+ only. If you have already upgraded from 3.6(x)/4.0(x) to release 4.0(3) and 4.0.2.0 Agent, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1.
9 Release 4.0.2.1 is applied to 4.0(2) CAMs only and resolves caveat CSCse99396. See Enhancements in Release 4.0.2.1 for details.
10 Patch release 4.0.2.2 is applied to 4.0.2.1 or 4.0(2) CAM and 4.0(2) CAS and is required for compatibility with the 4.0.2.0 Agent. See Enhancements in Release 4.0.2.2 and Resolved Caveats - Release 4.0.2.2 for details.
11 Patch release 4.0.0.1 is applied to 4.0(0) CAM and CAS and is required for compatibility with the 4.0.2.0 Agent. See Enhancements in Release 4.0.0.1 and Resolved Caveats - Release 4.0.0.1 for details.
Release 4.0(x) Agent Upgrade Compatibility Matrix
Table 4, "Release 4.0.x.x Agent Upgrade Compatibility Matrix" shows Clean Access Agent upgrade compatibility when upgrading existing versions of the Agent after 4.0(x) CAM/CAS upgrade. Except where noted, you can auto-upgrade any 3.5.1+ Agent directly to the latest 4.0.x.x Agent.
Table 4 Release 4.0.x.x Agent Upgrade Compatibility Matrix
Clean Access Manager | Clean Access Server | Clean Access Agent 1
Upgrade From: | To Latest Compatible Version: 2
4.0.6.1 3
4.0.6.1 3
4.0.6.1 3
4.0.6.0
4.0.5.1
4.0.5.0
4.0.4.0 7
4.0.2.1 4
4.0.2.0 5, 6
4.0.1.0
4.0.0.1
4.0.0.0
3.6.x.x
3.5.1 and above
4.0.6.2 3
4.0(6)
4.0(6)
4.0(5)
4.0(5)
4.0(4) 7
4.0(4) 7
4.0.3.3 8
4.0.3.3
4.0.2.0
4.0.1.0
4.0.0.1
4.0.0.0
3.6.x.x
3.5.1 and above
4.0.2.1
4.0.3.2 9
4.0.3.1 10
4.0.3.1 10
4.0(3) 11
4.0(3) 11
4.0.2.2
4.0.2.2
4.0.0.1
4.0.0.1
4.0.2.1
4.0(2)
4.0(2)
4.0.0.1
4.0.0.0
3.6.x.x
3.5.1 and above
4.0.1.0
4.0(0)
4.0(0)
1 For checks/rules/requirements, the Agent can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.
2 Agent versions are not supported across major releases. Do not use 4.0.x.x Agents with 3.6(x) or prior releases. However, auto-upgrade is supported from any 3.5.1 or above Agent directly to the latest 4.x.x.x Agent. See Clean Access Agent Version Summary for further details.
3 The 4.0.6.1 and later Agents perform authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, nessus scanning via the Clean Access Agent does not perform remediation on the client machine.
4 4.0.2.1 Agent resolves caveat CSCsg37846.
5 If you have already upgraded from 3.6(x)/4.0(x) to CAM/CAS release 4.0(3) and 4.0.2.0 Agent, you must download the CCAAgentUpgrade-4.0.2.0.tar.gz from Cisco Secure Downloads and upload it to the CAM via Device Management > Clean Access > Clean Access Agent > Distribution. See Clean Access Agent (4.0.2.0) for details.
6 4.0.2.0 Agent is not backward compatible with versions 4.0(0) and 4.0(2) of the CAS. This issue is resolved by CAM/CAS patch releases 4.0.0.1 and 4.0.2.1. See Enhancements in Release 4.0.2.2 and Enhancements in Release 4.0.0.1 for details.
7 Releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 are the only 4.0(x) releases that support Windows Vista client operating systems. Clean Access Agent stub is supported on Windows Vista starting from release 4.0(6). See also New Features and Enhancements in Release 4.0(4). Upgrade to 4.0.4.0 is not otherwise required for non-Vista client PCs.
8 Release 4.0.3.3 is available on NAC 3300 hardware platforms only and cannot be downloaded from Cisco Secure Software. See Enhancements in Release 4.0.3.3 and Resolved Caveats - Release 4.0.3.3 for details.
9 Patch release 4.0.3.2 is applied to the CAM only. For complete upgrade compatibility details and instructions, see Enhancements in Release 4.0.3.2. For details on resolved caveats, see Resolved Caveats - Release 4.0.3.2.
10 Patch release 4.0.3.1 is an upgrade-only patch for 3.6(x) or 4.0(2) and below systems that replaces the upgrade package for 4.0(3). Upgrading from 3.6(x)/4.0(x) to release 4.0.3.1 provides compatibility with the 4.0.2.0 Agent. See Enhancements in Release 4.0.3.1 for details.
11 Release 4.0(3) is compatible with 4.0.2.0 Agent for new installations or in-place upgrade from 3.5(7)+ only. If you have already upgraded from 3.6(x)/4.0(x) to release 4.0(3) and 4.0.2.0 Agent, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1.
Determining the Software Version
There are several ways to determine the version of software running on your Clean Access Manager (CAM), Clean Access Server (CAS), or Clean Access Agent, as described below.
• Clean Access Manager (CAM) Version
• Clean Access Server (CAS) Version
• Clean Access Agent Versioning
• Cisco Clean Access Updates Versioning
Clean Access Manager (CAM) Version
The top of the CAM web console displays the software version installed. Starting from release 4.0(4), after you add the CAM license, the top of the CAM web console displays the license type (Lite, Standard, Super). Additionally, the Administration > CCA Manager > Licensing page displays the types of licenses present after they are added.
The software version is also displayed as follows:
• From the CAM web console, go to Administration > CCA Manager > System Upgrade | Current Version
• SSH to the machine and type: cat /perfigo/build
Clean Access Server (CAS) Version
• From the CAM web console, go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Misc > Update | Current Version
• Or, from CAS direct access console, go to: Administration > Software Update | Current Version (CAS direct console is accessed via https://<CAS_eth0_IP>/admin)
• Or, SSH to the machine and type: cat /perfigo/build
Note
If configuring High Availability CAM or CAS pairs, see also Access Web Consoles for High Availability for additional information.
Clean Access Agent Versioning
On the CAM web console, you can determine Clean Access Agent versioning from the following pages:
• Monitoring > Summary (Setup and Patch Version)
• Device Management > Clean Access > Clean Access Agent > Distribution (Setup and Patch Version)
• Device Management > Clean Access > Clean Access Agent > Updates (Patch Version; see also Cisco Clean Access Updates Versioning)
• Device Management > Clean Access > Clean Access Agent > Reports | View (individual report shows username, OS, Agent version, client AV/AS version)
From the Clean Access Agent itself on the client machine, you can view the following information from the Agent taskbar menu icon:
• Right-click About to view the Agent version.
• Right-click Properties to view AV/AS version information for any AV/AS software installed, and the Discovery Host (used for L3 deployments).
Cisco Clean Access Updates Versioning
To view the latest version of Updates downloaded to your CAM, including Cisco Checks & Rules, CCA Agent Upgrade Patch, Supported AV/AS Product List, go to Device Management > Clean Access > Clean Access Agent > Updates on the CAM web console. See Clean Access Supported AV/AS Product List and Cisco Pre-Configured Rules ("pr_") for additional details.
New and Changed Information
This section describes any new features or enhancements added to the following releases of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.
• Enhancements in Release 4.0.6.1
• Enhancements in Release 4.0(6)
• Enhancements in Release 4.0(5)
• New Features and Enhancements in Release 4.0(4)
• Enhancements in Release 4.0.3.3
• Enhancements in Release 4.0.3.2
• Enhancements in Release 4.0.3.1
• Enhancements in Release 4.0(3)
• Enhancements in Release 4.0.2.2
• Enhancements in Release 4.0.2.1
• Enhancements in Release 4.0(2)
• New Features and Enhancements in Release 4.0(1)
• Enhancements in Release 4.0.0.1
• New Features and Enhancements in Release 4.0(0)
For additional details, see also:
• Clean Access Supported AV/AS Product List
• Clean Access Agent Version Summary
• Known Issues for Cisco NAC Appliance
Enhancements in Release 4.0.6.1
Release 4.0.6.1 is a general and important bug fix release for the Clean Access Manager, Clean Access Server, and Clean Access Agent that addresses the caveats described in Resolved Caveats - Release 4.0(6) and provides the enhancements listed below. No new features are added.
• Supported AV/AS Product List Enhancements
Release 4.0.6.1 is provided as both an upgrade.tar.gz file and ISO file for new CD installations.
Note
Release 4.0.6.1 does not support and cannot be installed on the Cisco NAC Network Module (NME-NAC-K9).
For upgrade instructions refer to Upgrading to 4.0(x).
Clean Access Agent (4.0.6.2)
Release 4.0.6.2 is a bug fix release for the Clean Access Agent that addresses the caveats described in Resolved Caveats - Agent Version 4.0.6.2 and provides additional AV/AS product support as detailed in Clean Access Agent Version Summary.
Note
The 4.0.6.2 Agent performs authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, nessus scanning via the Clean Access Agent does not perform remediation on the client machine.
Clean Access Agent (4.0.6.1)
Release 4.0.6.1 introduces a Clean Access Agent that performs authentication on 64-bit client operating systems (i.e., Windows Vista and Windows XP) and provides additional AV/AS product support as detailed in Supported AV/AS Product List Enhancements and Clean Access Agent Version Summary.
Note
The 4.0.6.1 Agent performs authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, nessus scanning via the Clean Access Agent does not perform remediation on the client machine.
Supported AV/AS Product List Enhancements
• Version 66 of the Supported AV/AS Product List and 4.0.6.2 Agent add AV/AS product support as described in Clean Access Supported AV/AS Product List.
• Version 64 of the Supported AV/AS Product List and 4.0.6.1 Agent added AV/AS product support. See Supported AV/AS Product List Version Summary for a list of AV/AS product support changes/additions.
• See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.
Enhancements in Release 4.0(6)
This section details the enhancements delivered with Cisco NAC Appliance release 4.0(6).
Release 4.0(6) is a general and important bug fix release for Cisco NAC Appliance 3300 Series platforms that addresses the caveats described in Resolved Caveats - Release 4.0(6) and provides the enhancements listed below. No new features are added.
• Debug Log Download Enhancement
• Syslog Configuration Enhancement
• Supported AV/AS Product List Enhancements (Version 63)
Note
Release 4.0(6) does not support and cannot be installed on the Cisco NAC Network Module (NME-NAC-K9).
Debug Log Download Enhancement
Beginning with release 4.0(6), you can now specify the number of days of collected debug logs to download in order to aid troubleshooting efforts when working with Cisco technical support. The default setting is one week (7 days). Previously, debug logs included all recorded log entries in the CAM/CAS database.
This enhancement adds a new field, "Download technical support logs for the last [] days" to the following web console pages:
• CAM web console: Administration > Clean Access Manager > Support Logs |
• CAS web console: Monitoring > Support Logs
Syslog Configuration Enhancement
Release 4.0(6) features a Syslog Settings page configuration enhancement allowing you to specify the Syslog Facility setting for a designated Syslog server where you direct Syslog messages originating from the CAM. You can use the default "User-Level" facility type, or you can assign any of the "local use" Syslog facility types defined in the Syslog RFC ("Local use 0" to "Local use 7"). This feature gives you the ability to differentiate Cisco NAC Appliance Syslog messages from "User-Level" Syslog entries you may already generate and direct to your Syslog server from other network components.
This enhancement affects the following page of the CAM web console:
• Monitoring > Event Logs > Syslog Settings | new Syslog Facility dropdown menu and options
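The facility separation described above, seen from the receiving Syslog server, as an added example (not Cisco code): it decodes the PRI header of each message into facility and severity and selects only the messages carrying the facility assigned to the CAM. The sample lines, host names, message text and the choice of "Local use 4" are constructed assumptions, not actual CAM output.

```python
import re

# Facility and severity codes as numbered in the Syslog RFC (RFC 3164).
# The short labels are this example's own; codes 16-23 are "Local use 0"
# to "Local use 7", and code 1 is the default "User-Level" facility.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "clock", "authpriv", "ftp", "ntp", "audit", "alert", "clock2",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility*8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def pri_for(facility, severity):
    """Inverse of decode_pri, useful when writing a server-side filter."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_line(line):
    """Return facility/severity/message for one raw line, or None if malformed."""
    match = PRI_RE.match(line)
    if not match:
        return None
    try:
        facility, severity = decode_pri(int(match.group(1)))
    except ValueError:
        return None
    return {"facility": facility, "severity": severity,
            "message": match.group(2)}


def select_facility(lines, facility):
    """Keep only the well-formed messages sent with the given facility."""
    records = (parse_line(line) for line in lines)
    return [rec for rec in records if rec and rec["facility"] == facility]


# Constructed sample input: two messages from a CAM configured for
# "Local use 4", two "User-Level" messages from other components, and
# one line without a PRI header.
SAMPLE = [
    "<14>Jan 30 10:00:01 web01 app: user-level message from another component",
    "<166>Jan 30 10:00:02 cam01 nac: constructed CAM informational event",
    "<163>Jan 30 10:00:03 cam01 nac: constructed CAM error event",
    "<13>Jan 30 10:00:04 printsrv spooler: user-level notice",
    "no PRI header here",
]

if __name__ == "__main__":
    for rec in select_facility(SAMPLE, "local4"):
        print(rec["severity"], rec["message"])
```

With the CAM left on the default "User-Level" facility, its messages would fall into the same bucket as the `web01` and `printsrv` lines and could only be separated by host name or message text.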
Clean Access Agent (4.0.6.0)
Version 4.0.6.0 of the Clean Access Agent:
• Adds support for stub installer on Windows Vista operating system.
Note
When non-admin users install/uninstall the Agent through stub service on Windows Vista, they will see an "Interactive Services Dialog Detection" dialog. If the user is installing, no input is required in the dialog session—it will automatically disappear. If the client machine is fast, the user may not even see the dialog appear at all, so the resulting behavior is as if the Agent gets silently installed after a few seconds. When uninstalling, however, the uninstall process does not complete until the user responds to a prompt inside the dialog.
This is expected behavior because, unlike earlier Windows operating systems, Windows Vista services run in an isolated session (session 0) from user sessions, and thus do not have access to video drivers. As a workaround for interactive services like the Agent stub installer, Windows Vista uses an Interactive Service Detection Service to prompt users for user input for interactive services and enable access to dialogs created by interactive services. The "Interactive Service Detection Service" will automatically launch by default and, in most cases, users are not required to do anything. If the service is disabled for some reason, however, Agent installation by non-admin users will not function. For more information on the stub installer and its behavior, see Support for Stub Installation/Update of the Clean Access Agent. See also Known Issue with MSI Agent Installer File Name.
• Provides additional AV/AS product support as detailed in Supported AV/AS Product List Enhancements (Version 63).
For additional details, see Clean Access Agent Version Summary.
Supported AV/AS Product List Enhancements (Version 63)
• See Supported AV/AS Product List Version Summary for a list of AV/AS product support changes/additions.
• See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.
Enhancements in Release 4.0(5)
Release 4.0(5) is a general and important bug fix release and patch for Cisco NAC Appliance 3300 Series platforms that addresses the caveats described in Resolved Caveats - Release 4.0(5). No new features are added.
• Cisco NAC-3300 series appliance customers planning to connect appliances for HA (failover) using a serial cable deployment option must refer to New Installation of Release 4.0(x).
• NAC-3310 customers must refer to Important Installation Notes for NAC-3310 and Known Issues with HP ProLiant DL140 G3 Servers.
• Release 4.0(5) is a required upgrade for NAC-3310, NAC-3350, and NAC-3390 appliances (MANAGER or SERVER) only. For upgrade instructions, refer to Upgrading to 4.0(x).
• CD installation of release 4.0(5) is supported. The cca-4.0_5-K9.iso file is required for new CD installation of the Clean Access Server or Clean Access Manager on the NAC-3310 and NAC-3350 platforms. A separate ISO file, Super CAM-cca-4.0_5-K9.iso is required for CD installation of the Clean Access Super Manager on the NAC-3390 platform.
• Clean Access Manager 4.0(5) is bundled with Clean Access Agent 4.0.4.0.
For additional details, see:
• Important Installation Notes for NAC-3310
• Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix
• Resolved Caveats - Release 4.0(5)
• Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)
Warning
Web upgrade is NOT supported for software upgrade of HA-CAM pairs. Upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.
Enhancements
• Supported AV/AS Product List Enhancements
Important Installation Notes for NAC-3310
• NAC-3310 Required BIOS/Firmware Upgrade
• NAC-3310 Required DL140 or serial_DL140 CD Installation Directive
NAC-3310 Required BIOS/Firmware Upgrade
The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Known Issues with HP ProLiant DL140 G3 Servers for detailed instructions.
NAC-3310 Required DL140 or serial_DL140 CD Installation Directive
The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM. For more information, refer to Known Issue with NAC-3310 CD Installation.
Clean Access Agent (4.0.5.1)
Version 4.0.5.1 of the Clean Access Agent includes fixes for caveats and new AV/AS product support. For more information, see Resolved Caveats - Agent Version 4.0.5.1 and Clean Access Supported AV/AS Product List.
Clean Access Agent (4.0.5.0)
Version 4.0.5.0 of the Clean Access Agent:
• Resolves caveat CSCsh40166
• Provides additional AV/AS product support as detailed in Supported AV/AS Product List Enhancements.
For additional details, see Clean Access Agent Version Summary.
Supported AV/AS Product List Enhancements
• Version 59 of the Supported AV/AS Product List and 4.0.5.1 Agent add AV/AS product support as listed in Clean Access Supported AV/AS Product List.
• Version 55 of the Supported AV/AS Product List and 4.0.5.0 Agent added AV/AS product support. See Supported AV/AS Product List Version Summary.
• See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.
New Features and Enhancements in Release 4.0(4)
This section details the new feature and enhancements delivered with Cisco NAC Appliance release 4.0(4) for the Clean Access Manager and Clean Access Server.
New Features
• Support for Windows Vista Operating System
Enhancements
• License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
• Improved Memory Footprint for Clean Access Agent Reports
• Broadcast ARP Server Management Option Removed
• Supported AV/AS Product List Enhancements (Version 47)
Support for Windows Vista Operating System
Release 4.0(4) adds the following new Clean Access Agent configuration support for Windows Vista operating systems:
• Full Clean Access Agent support for Windows Vista operating systems Windows Vista Home, Windows Vista Business, Windows Vista Ultimate, and Windows Vista Enterprise.
• Administrators can now configure Agent checks/rules/requirements and hotfixes for Windows Vista with release 4.0(4) and version 4.0.4.0 of the Agent.
Note
When a Windows Vista user attempts to access the system with Internet Explorer 7 running in "protected mode," an error message appears explaining that the CAS IP address/domain name is NOT in the list of IE's Trusted sites and prompts the user to add it. This is because IE 7 enables by default the "Check for server certificate revocation" option. To resolve this issue, refer to Agent Error: "Network Error SSL Certificate Rev Failed 12057".
This enhancement affects the following pages of the CAM web console:
• Device Management > Clean Access > Clean Access Agent > [Rules/Requirements/Reports] now feature Operating System checkboxes/dropdown menus for the Windows Vista operating system, including Windows Vista (All), Vista Home Basic, Vista Home Premium, Vista Business, Vista Ultimate, and Vista Enterprise.
License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
In release 4.0(4), the CAM web console now differentiates the three Cisco Clean Access Manager license types:
• The Clean Access Lite Manager option is designed for small installations featuring no more than 3 associated Clean Access Servers (or 3 HA-CAS pairs).
• The Clean Access Standard Manager option allows you to install, configure, and manage the traditional 20 Clean Access Servers (or 20 HA-CAS pairs) under a single Clean Access Manager.
• The new Clean Access Super Manager license option accompanies the new Cisco NAC-3390 Super CAM appliance available from Cisco Systems. A Super CAM enables you to connect and manage as many as 40 Clean Access Servers (or 40 HA-CAS pairs).
Administrators still acquire license files and enable them using the same method as in previous releases, but the Clean Access Manager web user interface displays more specific license parameters in the Administration > CCA Manager > Licensing window.
For more specific information on Cisco NAC Appliance licensing via the FlexLM licensing tool, see the Cisco NAC Appliance Service Contract/Licensing Support.
Improved Memory Footprint for Clean Access Agent Reports
The Clean Access Manager web console now uses less memory for Agent reports. The default number of maximum reports has been decreased from 30,000 to 20,000. (The allowable range—100 to 200,000—remains unchanged.)
This enhancement affects the following pages of the CAM web console:
• Device Management > Clean Access > Clean Access Agent > Reports.
Broadcast ARP Server Management Option Removed
The Clean Access Manager web console no longer offers the "Continuously broadcast gratuitous ARP with VLAN ID" Clean Access Server management option.
This enhancement affects the following page of the CAM web console:
• Device Management > CCA Servers > Manage [CAS_IP] > Advanced > ARP.
Kernel Upgrade
CAM/CAS release 4.0.3.3 and above support the 2.6.11 SP2 kernel and associated NIC card drivers. The kernel upgrade featured in release 4.0(4) supports additional hardware capabilities required for the Cisco NAC Appliance 3390 Series.
Clean Access Agent (4.0.4.0)
Version 4.0.4.0 of the Clean Access Agent supports users running the Windows Vista operating system.
Note
Only 4.0(x) releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 support Windows Vista client operating systems.
For additional details, see Clean Access Agent Version Summary.
Supported AV/AS Product List Enhancements (Version 47)
The Supported AV/AS Product List remains at version 47 for release 4.0(4).
• See Supported AV/AS Product List Version Summary for details on what is new for this version update to the list.
• See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.
Enhancements in Release 4.0.3.3
Release 4.0.3.3 is an appliance-only release that is pre-installed on Cisco NAC Appliance 3300 Series hardware platforms only.
Release 4.0.3.3 provides additional hardware support for the Cisco NAC Appliance 3310, 3350 and 3390, and resolves some important caveats. No new features are added.
Note
Release 4.0.3.3 is not available as a software upgrade to customers running 3.5.x/3.6.x/4.0.x systems. It is an appliance-only release that can only be obtained through ordering the Cisco NAC Appliance 3310, NAC Appliance 3350, or NAC Appliance 3390 hardware platforms.
Enhancement
• Daylight Savings Time Support
Daylight Savings Time Support
Release 4.0.3.3 and above support the Daylight Savings Time (DST) change to March (second Sunday) and November (first Sunday) starting in 2007. Prior to 2007, DST started in April (first Sunday) and ended in October (last Sunday). See also CSCsg44268 for details.
Note
For more information, see U.S. Daylight Saving Time (DST) Changes for 2007 and CSCsg44268 Bug Details.
For additional details, see:
• Release 4.0(x) Compatibility Matrix
• Resolved Caveats - Release 4.0.3.3
• Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)
Enhancements in Release 4.0.3.2
Release 4.0.3.2 is a general and important bug fix release and patch for the Clean Access Manager (CAM) only that resolves the caveats described in Resolved Caveats - Release 4.0.3.2. No new features are added.
Note
• The 4.0.3.2 patch is a mandatory patch applied to the Clean Access Manager only.
• The 4.0.3.2 patch can only be applied to 4.0(3) or 4.0.3.1 systems.
• If your system is running 4.0.3.1, you can apply the 4.0.3.2 patch directly.
• If you upgraded to 4.0(3) from 4.0.2.2, 4.0.2.1, 4.0(2), 4.0.0.1, or 4.0(0), your system is affected by the caveats described in Resolved Caveats - Release 4.0.3.1 and you must apply the workaround procedures detailed in that section before applying the 4.0.3.2 patch. Refer to Enhancements in Release 4.0.3.1 for complete details.
• If you upgraded to 4.0(3) from 3.5(x) using the in-place CD-based upgrade procedure, you can apply the 4.0.3.2 patch directly.
• The 4.0.3.2 patch includes a script to update all the existing ARP entries on your CAM to ensure that only the right ARP entries are present.
See the following sections:
• Upgrade Instructions for 4.0.3.2
• Resolved Caveats - Release 4.0.3.2
See also Software Compatibility Matrixes for additional details.
Upgrade Instructions for 4.0.3.2
To upgrade your CAM to 4.0.3.2, perform the following steps.
Step 1
Download the cam_upgrade-4.0.3.2.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.3 folder.
Step 2
If running either 4.0.3.1 on your system, or 4.0(3) on a system that was upgraded from 3.5(x) to 4.0(3) using in-place CD upgrade, apply the 4.0.3.2 patch to the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:
– Upgrade CAM from CAM Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)
Step 3
If running 4.0(3) on a system that was upgraded from 4.0.2.2, 4.0.2.1, 4.0(2), 4.0.0.1, or 4.0(0) to 4.0(3), you must first perform the workarounds described in Resolved Caveats - Release 4.0.3.1 before applying the 4.0.3.2 patch as described in Step 2 above.
Step 4
After the CAM has been upgraded to 4.0.3.2, access the console for each attached Clean Access Server (CAS) and perform service perfigo restart. (Or you can perform service perfigo reboot if preferred.) For a CAS HA-pair, it is sufficient to perform service perfigo restart on the currently active CAS.
Clean Access Agent (4.0.2.1)
Version 4.0.2.1 of the Clean Access Agent resolves caveat CSCsg37846 (Trend Micro AV does not allow auto-update to be launched). Cisco recommends you upgrade clients using Trend Micro AV products to version 4.0.2.1 of the Clean Access Agent.
For additional details, see Clean Access Agent Version Summary.
Enhancements in Release 4.0.3.1
Patch release 4.0.3.1 is an important upgrade-only patch for 4.0(x) and 3.6(x) systems that replaces the upgrade package for 4.0(3). Patch release 4.0.3.1 is applied to the Clean Access Manager (CAM) and Clean Access Server (CAS). Patch 4.0.3.1 resolves caveats CSCsf24570 and CSCsf24583. No new features are added.
Note
• The 4.0.3.1 patch upgrade must be applied to both the CAS and the CAM.
• If planning to upgrade your CAM/CAS which is on 3.6(0), 3.6(1), 3.6(2), 3.6(3), 3.6(4), 4.0(0), or 4.0(2), you must upgrade your system directly to release 4.0.3.1. Do NOT upgrade these systems to release 4.0(3). 4.0.3.1 is an upgrade package patch which only affects the upgrade package used for web/SSH upgrades. The 4.0.3.1 upgrade package should be used and is effective only for upgrades from 3.6(x) or 4.0(2) and below. See Upgrade Instructions for 4.0.3.1 for upgrade steps.
• If you are planning to upgrade your CAM/CAS which is on 3.5(7), 3.5(8), 3.5(9), 3.5(10), 3.5(11), you must use the "In-Place upgrade" procedure which requires a CD. In this case, perform In-Place upgrade to release 4.0(3) (using the 4.0(3) ISO file CD). You do not need to apply the 4.0.3.1 upgrade patch if you are performing In-Place upgrade. See Upgrading to 4.0(x) for in-place upgrade instructions for standalone and HA systems.
• If you have already upgraded to 4.0(3) from 3.6(x) or 4.0(x) using the 4.0(3) upgrade package, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1 for compatibility with the 4.0.2.0 Agent, and to reconfigure any previous DHCP global options. The 4.0.3.1 upgrade package is not intended for nor will it have any effect on 3.6(x)/4.0(x) systems that have already been upgraded to 4.0(3). See Resolved Caveats - Release 4.0.3.1 for details.
See the following sections:
• Upgrade Instructions for 4.0.3.1
• Resolved Caveats - Release 4.0.3.1
See also Software Compatibility Matrixes for additional details.
Upgrade Instructions for 4.0.3.1
To upgrade your CAM/CAS from 3.6(x) or 4.0(2) and below to 4.0.3.1, perform the following steps.
Step 1
Download the cca_upgrade-4.0.3.1.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.3 folder.
Step 2
Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:
– Upgrade CAS from CAS Management Pages, or
– Upgrade CAS from CAS Direct Access Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)
Step 3
Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:
– Upgrade CAM from CAM Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)
Enhancements in Release 4.0(3)
This section details the new feature and enhancements delivered with Cisco NAC Appliance release 4.0(3) for the Clean Access Manager and Clean Access Server.
Enhancements
• Support for Windows XP Media Center Edition (MCE)/Tablet PC Operating Systems
• New "pr_" Rules for MCE/Tablet PC Hotfixes
• Restricted Network Access Option for Clean Access Agent Users
• Supported AV/AS Product List Enhancements (Version 44)
For additional details see also Resolved Caveats - Release 4.0(3).
If performing a new installation, see New Installation of Release 4.0(x). If upgrading to this release refer to Upgrading to 4.0(x).
Support for Windows XP Media Center Edition (MCE)/Tablet PC Operating Systems
Release 4.0(3) adds the following new Clean Access Agent configuration support for Windows XP operating systems:
• Full Clean Access Agent support for Windows XP Media Center Edition and Tablet PC operating systems. Administrators can now configure Agent checks/rules/requirements and hotfixes for XP MCE or XP Tablet PC with release 4.0(3)+ and version 4.0.2.0+ of the Agent.
• New additional OS categories for Windows XP (All), Windows XP Pro/Home.
Note
All Clean Access Agent checks/rules/requirements previously configured as Windows XP are treated as Windows XP (All) family from release 4.0(3) and above.
• Note that changing from Windows XP to the newer and more specific designations (e.g. Windows XP Pro/Home, Windows XP Media Center, and Windows XP Tablet PC) requires manual reconfiguration of previous checks/rules/requirements.
Note
Windows XP MCE/Tablet PC operating systems are included as part of the Windows XP family for all configuration pages that are not under the Clean Access Agent tab. This includes Network Scanner tab, General Setup | Web Login, and Login Page configuration pages. For web login users only, the MCE/Tablet PC OS will display as "Windows XP" under Monitoring > Online Users > View Online Users.
This enhancement affects the following pages of the CAM web console:
• Device Management > Clean Access > Clean Access Agent > [Rules/Requirements/Reports] (all Operating System checkboxes/dropdown menus formerly for Windows XP only are now expanded to Windows XP (All), Windows XP Pro/Home, Windows XP Media Center, and Windows XP Tablet PC)
New "pr_" Rules for MCE/Tablet PC Hotfixes
Release 4.0(3) (with the latest version of the Cisco Updates ruleset) adds two additional pre-configured rules ("pr_") to incorporate hotfixes for Windows XP Media Center Edition and Tablet PC operating systems. The new rules are pr_XP_MCE_Hotfixes and pr_XP_TabletPC_Hotfixes. Mapping these rules to your Clean Access Agent requirements will enable you to ensure that Agent users have the appropriate hotfixes installed for these operating systems.
Note
Make sure to perform an Update or Clean Update on your CAM to obtain the new rules.
See Cisco Pre-Configured Rules ("pr_") for additional information on "pr_" rules.
This enhancement affects the following pages of the CAM web console:
• Device Management > Clean Access > Clean Access Agent > Rules > Rule List (new rules pr_XP_MCE_Hotfixes and pr_XP_TabletPC_Hotfixes)
• Device Management > Clean Access > Clean Access Agent > Rules > Check List (various new hotfix "pc_" checks that are mapped to the new pr_ rules)
Restricted Network Access Option for Clean Access Agent Users
Release 4.0(3) provides administrators the ability to allow restricted network access to users when they cannot download and install the Clean Access Agent themselves, due to lack of permissions on the machine or for guest access purposes.
This enhancement is intended to aid guests or partners in a corporate environment to get access to the network even if their original role requires use of the Agent.
The restricted network access option can only be configured when the "Require use of the Clean Access Agent" checkbox is enabled, and the option allows you to configure the user role to which these users will be assigned in addition to the button and text presented. When the user performs initial web login and is redirected to download the Agent, the "Restricted Network Access" text and button will appear below the "Download Clean Access Agent" button on the page if this option is enabled in the CAM web console. If the user is not able to download the Clean Access Agent, the user can click "Get Restricted Network Access" to gain the access permitted by the assigned role through the same browser page.
Restricted network access users appear on the In-Band Online Users List denoted by blue shading. Restricted network access users do not appear on the Certified List (since they have not met posture assessment requirements).
This enhancement affects the following pages of the CAM web console:
• Device Management > Clean Access > General Setup (this page is now split into Web Login and Agent Login configuration forms)
• Device Management > Clean Access > General Setup | Agent Login | "Allow restricted network access in case user cannot use Clean Access Agent" (new checkbox/configurable text/button fields)
• Device Management > Monitoring > Online Users > View Online Users > In-Band (displays restricted network access users with blue shading)
In addition, the Download Clean Access Agent user page will now display a new Get Restricted Network Access button/text if the restricted network access option is configured for Agent users.
Clean Access Agent (4.0.2.0)
• Release 4.0(3) and 4.0.2.0 Agent provide full support for Windows XP Media Center Edition (MCE) or Windows XP Tablet PC machines. Users on these operating systems can download/install the Agent and administrators can configure checks/rules/requirements and hotfixes specific to XP Pro/Home, XP MCE, XP Tablet PC or XP All.
• Note that Clean Access Agent checks/rules/requirements previously configured as Windows XP are treated as Windows XP (All) family from release 4.0(3) and above.
Note
• Agent 4.0.2.0 is compatible with CAM/CAS release 4.0.3.1, 4.0(3) (new install or in-place upgrade only), 4.0.2.2 and 4.0.0.1. See Enhancements in Release 4.0.3.1 and Software Compatibility Matrixes for further details.
• If you have upgraded from release 3.6(x)/4.0(x) to release 4.0(3)/4.0.2.0 Agent, you must download the CCAAgentUpgrade-4.0.2.0.tar.gz file from Cisco Secure Downloads and upload it to the CAM via Device Management > Clean Access > Clean Access Agent > Distribution to allow the CAS to distribute it to users.
Note
Because version 4.0.1.0 of the Agent (by design) automatically bypasses WinXP Agent checks/hotfixes for Windows MCE/Tablet PC systems, with upgrade to CAM/CAS release 4.0.3.1/4.0(3), Cisco recommends you upgrade 4.0.1.0 Agents to 4.0.2.0.
• Version 4.0.2.0 of the Agent now provides support for IE 7 Beta 3.
Note
Support for any future IE 7 releases will only be added after testing and certification has been performed on those releases.
For additional details, see Clean Access Agent Version Summary.
Supported AV/AS Product List Enhancements (Version 44)
The Supported AV/AS Product List remains at version 44 for release 4.0(3).
• See Supported AV/AS Product List Version Summary for details on what is new for this version update to the list.
• See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.
Enhancements in Release 4.0.2.2
Release 4.0.2.2 is a general and important bug fix release and patch for the Clean Access Manager (CAM) and Clean Access Server (CAS) that resolves caveats CSCsf22777 and CSCsf22786. No new features are added.
Note
• The 4.0.2.2 patch is applied to both the CAM and CAS.
• The 4.0.2.2 patch is applied to 4.0.2.1 or 4.0(2) CAM and 4.0(2) CAS.
• Patch release 4.0.2.2 is required for compatibility with the 4.0.2.0 Agent (released with CAM/CAS 4.0(3)).
• If you have not deployed or do not want to deploy the 4.0.2.0 Agent, you do not need to upgrade your CAM/CAS to the 4.0.2.2 patch.
See the following sections:
• Upgrade Instructions for 4.0.2.2
• Resolved Caveats - Release 4.0.2.2
See also Software Compatibility Matrixes for additional details.
Upgrade Instructions for 4.0.2.2
To upgrade your 4.0.2.1 or 4.0(2) Clean Access Manager and 4.0(2) Clean Access Server, execute the following update procedure steps.
Step 1
Download the cca_upgrade-4.0.2.2.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.2 folder.
Step 2
Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:
– Upgrade CAS from CAS Management Pages, or
– Upgrade CAS from CAS Direct Access Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)
Step 3
Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:
– Upgrade CAM from CAM Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)
Enhancements in Release 4.0.2.1
Release 4.0.2.1 is a general and important bug fix release and patch for the Clean Access Manager that resolves caveat CSCse99396. No new features are added.
Note
• The 4.0.2.1 patch is a mandatory upgrade for all 4.0(2) systems. All customers on 4.0(2) should apply this patch.
• The 4.0.2.1 patch is applied to the Clean Access Manager (CAM) only.
• You can only apply the 4.0.2.1 patch to 4.0(2) systems. There is no ISO CD for the 4.0.2.1 patch. If running a prior release, you must upgrade to 4.0(2) first before applying the 4.0.2.1 patch.
Information for the 4.0(2) patch is in the following sections:
• Upgrade Instructions for 4.0.2.2
• Resolved Caveats - Release 4.0.2.2
Upgrade Instructions for 4.0.2.1
To upgrade your 4.0(2) Clean Access Manager, execute the following update procedure steps.
Step 1
Download the cam-4.0.2-to-4.0.2.1-upgrade.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.2 folder.
Step 2
Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:
– Upgrade CAS from CAS Management Pages, or
– Upgrade CAS from CAS Direct Access Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)
Step 3
Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:
– Upgrade CAM from CAM Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)
Enhancements in Release 4.0(2)
Release 4.0(2) is a general and important bug fix patch and release for the Clean Access Manager and Clean Access Server. No new features are added.
Note
• Release 4.0(2) obsoletes release 4.0(1) and incorporates all 4.0(1) features.
• Release 4.0(2) is a mandatory upgrade for all 4.0(0) and 4.0(1) systems. All customers on 4.0(0) or above should upgrade to 4.0(2).
• The 4.0(2) upgrade must be applied to both the CAS and the CAM.
Information for the 4.0(2) release is in the following sections:
• Upgrade Instructions for 4.0(2)
• Resolved Caveats - Release 4.0(2)
Upgrade Instructions for 4.0(2)
To upgrade your 4.0(0)/4.0(1) system, execute the following update procedure steps on your CAM and CAS.
Step 1
Download the cca_upgrade-4.0.2.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.2 folder.
Step 2
Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:
– Upgrade CAS from CAS Management Pages, or
– Upgrade CAS from CAS Direct Access Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)
Step 3
Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:
– Upgrade CAM from CAM Web Console, or
– Console/SSH Upgrade—Standalone Machines, or
– Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)
New Features and Enhancements in Release 4.0(1)
Warning
Release 4.0(1) has been obsoleted. If your system is running 4.0(1), please upgrade to release 4.0(2). If your system is running 3.5(x) or 3.6(x) and you wish to upgrade to release 4.0(x), please upgrade to release 4.0(2) directly.
New Features
• OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
• Link-Failure Based Failover in CAS HA
Enhancements
• CAM Admin Console Login Enhancements
• Client OS Detection Signature Lookup
• Start Timer Specification for Cisco Updates
• Enhancements for Windows XP Media Center Edition/Tablet PC
• Supported AV/AS Product List Enhancements (Version 43)
Enable L3 Strict Mode
With release 4.0(1)+, administrators with L3 deployments can now optionally restrict L3 Clean Access Agent clients from connecting to the Clean Access Server through NAT devices using the "Enable L3 strict mode to block NAT devices with Clean Access Agent" option.
When this feature is enabled in conjunction with "Enable L3 support," the CAS will check the client IP information automatically sent by the Clean Access Agent against source IP information to ensure no NAT device exists between the CAS and the client. If a NAT device is detected between the client device and the CAS, the user is not allowed to log in.
With release 4.0(1)+, administrators now have the following options when enabling network access for clients on the CAS:
• Enable L3 support—The CAS allows all users from any hops away.
• Enable L3 strict mode to block NAT devices with Clean Access Agent—When this option is checked (in conjunction with "Enable L3 support"), the CAS verifies the source IP address of user packets against the IP address sent by the Clean Access Agent and blocks all L3 Agent users with NAT devices between those users and the CAS.
• Enable L2 strict mode to block L3 devices with Clean Access Agent—When this option is enabled, the CAS verifies the source MAC address of user packets against the MAC address sent by the Clean Access Agent and blocks all L3 Agent users (those more than one hop away from the CAS). The user will be forced to remove any router between the CAS and the user's client machine to gain access to the network.
• All options left unchecked (Default setting)—The CAS performs in L2 mode and expects that all clients are one hop away. The CAS will not be able to distinguish if a router is between the CAS and the client and will allow the MAC address of the router as the machine of the first user who logs in and any subsequent users. As a result, checks will not be performed on the actual client machines passing through the router, as their MAC addresses will not be seen.
This affects the following web admin console page:
• Device Management > CCA Servers > Manage [CAS_IP] > Network > IP (new checkbox for "Enable L3 strict mode to block NAT devices with Clean Access Agent"; and renaming of "Enable L2 strict mode for Clean Access Agent" to "Enable L2 strict mode to block L3 devices with Clean Access Agent")
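The four option combinations listed above, modelled as an added example (not Cisco code) to show which clients each setting admits. The addresses and the three client scenarios are constructed, and rejecting combinations the release notes do not describe is a choice made for this example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CasOptions:
    l3_support: bool = False  # "Enable L3 support"
    l3_strict: bool = False   # "Enable L3 strict mode to block NAT devices ..."
    l2_strict: bool = False   # "Enable L2 strict mode to block L3 devices ..."


@dataclass(frozen=True)
class AgentLogin:
    packet_src_ip: str   # source IP of the user's packets as seen by the CAS
    packet_src_mac: str  # source MAC of the user's packets as seen by the CAS
    agent_ip: str        # client IP reported by the Clean Access Agent
    agent_mac: str       # client MAC reported by the Clean Access Agent


def same_ip(a, b):
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def same_mac(a, b):
    def norm(mac):  # ignore case and separator style
        return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    return norm(a) == norm(b)


def evaluate_login(opts, login):
    """Return (allowed, reason) for one Agent login under the given options."""
    if opts.l3_support and not opts.l2_strict:
        if opts.l3_strict and not same_ip(login.packet_src_ip, login.agent_ip):
            return False, "L3 strict: source IP differs from Agent IP (NAT in path)"
        return True, "L3: users any number of hops away are allowed"
    if opts.l2_strict and not opts.l3_support and not opts.l3_strict:
        if not same_mac(login.packet_src_mac, login.agent_mac):
            return False, "L2 strict: source MAC differs from Agent MAC (L3 device in path)"
        return True, "L2 strict: client is one hop away"
    if not (opts.l3_support or opts.l3_strict or opts.l2_strict):
        return True, "default L2 mode: no address comparison is performed"
    # Assumption of this example: other combinations are not modelled.
    raise ValueError("option combination not described in the release notes")


# Constructed clients (documentation address ranges, invented MACs).
DIRECT = AgentLogin("192.0.2.15", "00:00:5e:00:53:15",
                    "192.0.2.15", "00-00-5E-00-53-15")
ROUTED = AgentLogin("198.51.100.16", "00:00:5e:00:53:01",   # MAC is the router's
                    "198.51.100.16", "00:00:5e:00:53:16")
NATTED = AgentLogin("203.0.113.1", "00:00:5e:00:53:02",     # IP/MAC are the NAT device's
                    "192.168.1.20", "00:00:5e:00:53:17")

CLIENTS = {"direct": DIRECT, "routed": ROUTED, "natted": NATTED}
CONFIGS = {
    "default (all unchecked)": CasOptions(),
    "L2 strict": CasOptions(l2_strict=True),
    "L3 support": CasOptions(l3_support=True),
    "L3 support + L3 strict": CasOptions(l3_support=True, l3_strict=True),
}


def decision_matrix():
    """Map each configuration to {client: allowed} for the sample clients."""
    return {name: {client: evaluate_login(opts, login)[0]
                   for client, login in CLIENTS.items()}
            for name, opts in CONFIGS.items()}


if __name__ == "__main__":
    for name, row in decision_matrix().items():
        print(f"{name:26}", row)
```

In this model, only "L2 strict" rejects the routed client, and only the two strict modes reject the client behind NAT; the default setting admits all three because it performs no comparison.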
OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
With release 4.0(1)+, Cisco NAC Appliance OOB adds support for the following Cisco 3750 EtherSwitch service module (NME) cards for Cisco 2800/3800 Series Integrated Services Routers:
•
NME-16ES-1G
•
NME-16ES-1G-P
•
NME-X-23ES-1G
•
NME-X-23ES-1G-P
•
NME-XD-24ES-1S-P
•
NME-XD-48ES-2S-P
These NMEs are essentially a Cisco Catalyst 3750 switch packaged as a blade for the 2800/3800 ISR router, and are supported on these ISRs only (e.g. 2600 is not supported).
Note
Adding 3750 NME modules to the CAM for OOB switch management requires the same steps as if adding a 3750 switch. When configuring the switch profile for these NMEs, choose Cisco Catalyst 3750 series under Switch Management > Profiles > Switch > New | Switch Model.
For complete switch support details, see Switch Support for Cisco NAC Appliance.
Link-Failure Based Failover in CAS HA
When configuring Clean Access Server pairs in High Availability (HA) mode, release 4.0(1)+ now allows you to optionally configure each CAS to respond to link failures on the trusted and/or untrusted sides as failover events. This option is configured in addition to Serial/UDP Heartbeat configuration. You can configure the same or different link-detect IP addresses for each CAS in the HA pair for comparison (depending on your network), as only the number of nodes that can be reached is considered. The CAS will attempt to ping the link-detect address(es) entered, then count the number of nodes it can reach (0-for no addresses, 1-for either trusted/untrusted, 2-for both trusted/untrusted). If the Standby CAS can reach more nodes than the Active CAS, the Standby CAS will take over and become the Active CAS. If both CASes can ping the same number of addresses (all addresses or only one address), no failover event occurs.
This affects the following page of an HA-CAS:
•
CAS direct access console: Administration > Network Settings > Failover [3 fields: Trusted-side Link-detect IP Address, Untrusted-side Link-detect IP address, Link-detect Timeout]
Upgrade Enhancements
Release 4.0(1) adds functionality to allow future upgrades of High Availability Clean Access Managers via web console in a future release of 4.0(x). (SSH connection may still be required to stop/start the perfigo service on each CAM.)
Warning
Web upgrade is NOT supported for software upgrade of HA-CAM pairs. Upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.
CAM Disable Serial Login
Release 4.0(1)+ provides a new Disable Serial Login checkbox on the CAM web console. When there is only one serial port on the CAM machine, this checkbox allows administrators to disable serial login on COM1 so that it can be used as the Heartbeat Serial Interface for a pair of HA-Clean Access Managers. Prior to this feature, serial login had to be disabled manually via the command line.
Note
Serial login is enabled by default on the CAM, and the first serial port detected on the CAM is configured for console input/output. If you are using COM1 for the Heartbeat Serial Interface of the CAM, you must click the Disable Serial Login checkbox to disable serial login on COM1. Note that in this case, you can still use SSH or KVM console to access the command line of the CAM.
This enhancement affects the following CAM web console page:
•
Administration > Clean Access Manager > Network & Failover | Failover Settings | Disable Serial Login (new checkbox)
CAM Admin Console Login Enhancements
With release 4.0(1) and above, the left-pane navigational menu of the CAM web admin console is only displayed to admin users after successful authentication (for both standalone and HA-CAM consoles). This enhancement further strengthens web console security and allows for future version-based menu option enhancements.
Client OS Detection Signature Lookup
With release 4.0(1)+, if a client is wrongly classified as Windows OS, you can type the Client IP Address and click the Display Signature button to display the TCP/IP stack signature stored for the client on the CAM. When troubleshooting, you can copy and paste the text that appears in the TCP/IP Stack Signature field (for example, TCP/IP Stack Signature: Windows 2000 SP4, XP SP1+ [<OS signature>]) into the customer support request when contacting Cisco TAC.
This affects the following web admin console page:
•
Device Management > CCA Servers > Manage [CAS_IP] > Authentication > OS Detection | Display OS Detection Signatures
Note
The OS detection/fingerprinting feature uses both browser user-agent string and TCP/IP stack information to try to determine the OS of the client machine. While the detection routines will attempt to find the best match, it is possible that the OS may be detected incorrectly if the end-user modifies the TCP/IP stack on the client machine and changes the user-agent string on the browser. If there is concern regarding malicious users evading the OS fingerprinting/detection mechanisms, then administrators are advised to use network scanning in order to confirm the OS on the machine. If, for any reason, it is not possible or not desirable to use network scanning, then network administrators should consider pre-installing the Clean Access Agent on machines.
Start Timer Specification for Cisco Updates
Release 4.0(1)+ now allows administrators to specify a delay in the initial start time of Cisco Updates when configuring automatic updates on the CAM. Note that the start time is specified in a 24 hr. format (e.g. 14:30:00) and the repeat interval time is still specified in hours (e.g. 1 hour).
This affects the following web admin console page:
•
Device Management > Clean Access > Clean Access Agent > Updates | "Automatically check for updates starting from x:xx every x hours"
API Enhancements
The Clean Access API for your Clean Access Manager is accessed from a web browser as follows: https://<cam-ip-or-name>/admin/cisco_api.jsp. With release 4.0(1) and above, the Cisco Clean Access API utility script, cisco_api.jsp, provides the following enhancements:
New APIs:
•
kickuserbymac—Removes in-band logged in user(s) by MAC address. For multiple users, you can specify a comma-separated list of MAC addresses.
•
changeloggedinuserrole—Change in-band user access permissions by modifying a user's logged in role to the specified role. For multiple users, you can specify a comma-separated list of IP addresses.
Enhanced APIs:
•
changeuserrole—With 4.0(1)+, change in-band user access permissions by removing the user from the Online Users list and adding the user's MAC address to the Device Filters with new specified role.
•
kickoobuser—Removes logged-in out-of-band user(s). With 4.0(1)+ you can specify a comma-separated list of IP addresses to remove multiple users.
•
kickuser—Removes logged-in in-band user(s). With 4.0(1)+ you can specify a comma-separated list of IP addresses to remove multiple users.
•
removemac—Removes MAC address(es) from Device Filters list. With 4.0(1)+ specify a comma-separated list of MAC addresses to remove multiple addresses.
•
clearcertified—With 4.0(1)+, removes OOB users in addition to IB users from the Clean Access Certified Devices list.
Enhancements for Windows XP Media Center Edition/Tablet PC
Version 4.0.1.0 of the Clean Access Agent detects users with Windows Media Center Edition and Windows Tablet PC client operating systems and allows these systems to bypass hotfixes and checks intended for Windows XP systems. Because Windows MCE/Tablet PC are flavors of the XP engine, this enhancement enables users with these operating systems to still be able to access the network.
This enhancement affects the following pages of the CAM web console:
•
Device Management > Clean Access > Clean Access Agent > Reports > Report List (new entries for "Windows XP Media Center Edition" and "Windows XP Tablet PC Edition" in the "User OS" column, "Any OS" dropdown menu, and "Operating System" field of the client report)
•
Monitoring > Online Users > View Online Users ("OS" column)
Note
Windows MCE/Tablet PC client operating systems will be fully supported in a future release of Cisco NAC Appliance.
Clean Access Agent (4.0.1.0)
Version 4.0.1.0 of the Clean Access Agent features the following enhancements:
•
Enhancements for Windows XP Media Center Edition/Tablet PC
•
Resolves a number of caveats, as listed in the Clean Access Agent Version Summary. See also Resolved Caveats - Release 4.0(1) for additional details.
Note
Windows MCE/Tablet PC client operating systems are fully supported in release 4.0(3). See Enhancements in Release 4.0(3).
Supported AV/AS Product List Enhancements (Version 43)
•
See Supported AV/AS Product List Version Summary for details on what is new for this version update to the list.
•
See Clean Access Supported AV/AS Product List for the latest actual AV/AS product charts.
Enhancements in Release 4.0.0.1
Release 4.0.0.1 is a general and important bug fix release and patch for the Clean Access Manager (CAM) and Clean Access Server (CAS) that resolves caveats CSCsf22777 and CSCsf22786. No new features are added.
Note
•
The 4.0.0.1 patch is applied to the 4.0(0) CAM and 4.0(0) CAS.
•
Patch release 4.0.0.1 is required for compatibility with the 4.0.2.0 Agent (released with CAM/CAS 4.0(3)).
•
If you have not deployed or do not want to deploy the 4.0.2.0 Agent, you do not need to upgrade your CAM/CAS to the 4.0.0.1 patch.
See the following sections:
•
Upgrade Instructions for 4.0.0.1
•
Resolved Caveats - Release 4.0.0.1
See also Software Compatibility Matrixes for additional details.
Upgrade Instructions for 4.0.0.1
To upgrade your 4.0(0) Clean Access Manager and 4.0(0) Clean Access Server, execute the following update procedure steps.
Step 1
Download the cca_upgrade-4.0.0.1.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.0 folder.
Step 2
Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:
–
Upgrade CAS from CAS Management Pages, or
–
Upgrade CAS from CAS Direct Access Web Console, or
–
Console/SSH Upgrade—Standalone Machines, or
–
Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)
Step 3
Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:
–
Upgrade CAM from CAM Web Console, or
–
Console/SSH Upgrade—Standalone Machines, or
–
Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)
New Features and Enhancements in Release 4.0(0)
This section details the new features delivered with Cisco NAC Appliance release 4.0(0) for the Clean Access Manager and Clean Access Server, as well as enhancements from release 3.6(x).
New Features
•
Support for Active Directory (Windows Domain) Single Sign-On (SSO)
•
Corporate Asset Authentication and Posture Assessment by MAC Address
•
Support for Layer 3 Out-of-Band (OOB) Deployment
•
New Windows Update Requirement Type
•
SMP Kernel Support for Super CAM
•
Support for Assigning VLANs by VLAN Name in OOB Deployments
•
Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
•
Ability to Change Priority of Wildcard/Range Global Device Filters
•
Ability to View or Search Active L2 Devices in Device Filter List
•
Ability to Test MAC Addresses Against Device Filters
•
Support for Relay IP Class Restrictions on DHCP Server
•
Support for DHCP Global Actions
•
New "service perfigo maintenance" CLI Command for CAS
•
Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
•
Support for Stub Installation/Update of the Clean Access Agent
Enhancements
•
OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
•
CAS Host-Based Traffic Policy Enhancements for Proxy Servers
•
Enhancements for DHCP Option Configuration Forms
•
Supported AV/AS Product List Enhancements (Version 42)
Support for Active Directory (Windows Domain) Single Sign-On (SSO)
With release 4.0, Cisco Clean Access can automatically authenticate Clean Access Agent users who are already authenticated to a Windows domain. Release 4.0 supports Windows Single Sign-On (SSO) on Windows 2000/XP client machines and Active Directory (AD) on Windows 2000/2003 servers as shown in Table 5.
Note
Active Directory SSO supports Clean Access Agent users on Windows XP/2000 systems only. AD SSO does not apply to web login users.
With Windows SSO, user authentication is first validated against the backend Kerberos Domain Controller (Windows 2000/2003 AD server). After user validation, authorization can then be performed through a separate lookup in Active Directory using LDAP to map users to various access roles (if desired). Configuration of the CAM web console and command line of the Active Directory server is required to implement this feature.
This new feature adds new web console pages or affects existing pages as follows:
•
User Management > Auth Servers > New | Authentication Type | Active Directory SSO (new configuration page for Windows Domain SSO auth type)
•
User Management > Auth Servers > Lookup Servers (new configuration tab for secondary AD lookup servers)
•
Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows Auth > Active Directory SSO (new CAS configuration page for AD domain server)
In addition, the Clean Access Agent provides a new dialog that displays on clients when Windows Domain Single Sign-On is being performed.
Note
The feature formerly known as "Transparent Windows" is now known as "Windows Netbios SSO" and has been deprecated. Cisco recommends you configure Active Directory SSO instead.
Corporate Asset Authentication and Posture Assessment by MAC Address
With release 4.0, Cisco NAC Appliance can perform MAC-based authentication and posture assessment (Clean Access certification) of client machines without requiring the user to log into Cisco Clean Access. This feature is implemented through the new "CHECK" device filter control for global and local device filters, and through Ability of Clean Access Agent to Send IP/MAC for All Available Adapters.
•
CHECK (new for 4.0; requires Role assignment)
–
IB - bypass login, apply posture assessment, assign role
–
OOB - bypass login, apply posture assessment, assign User Role VLAN
This new feature adds the following new pages to the web admin console:
•
Device Management > Filters > New/Edit (new "CHECK" option)
•
Device Management > CCA Servers > Manage [CAS_IP] > Filter > Devices Filters > New/Edit (page completely updated)
•
Device Management > Filters > List (page display updated)
In addition, the Clean Access Agent provides a new dialog that displays on clients when device-based authentication is being performed.
For a description of additional related enhancements, see also Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments.
Support for Layer 3 Out-of-Band (OOB) Deployment
New Deployment Options for L3
Release 3.5(3) introduced multi-hop L3 support for in-band (wired) deployments, enabling administrators to deploy the Clean Access Server (CAS) in-band centrally (in core or distribution layer) to support users behind L3 Switches (e.g. routed access) and remote users behind VPN Concentrators or remote WAN routers. With L3 IB, users more than one L3 hop away from the CAS are supported and their traffic always goes through Cisco NAC Appliance.
Release 4.0 introduces multi-hop L3 support for out-of-band (wired) deployments, enabling administrators to deploy the CAS out-of-band centrally (in core or distribution layer) to support users behind L3 Switches (e.g. routed access) and remote users behind WAN routers in some instances. With L3 OOB, users more than one L3 hop away from the CAS are supported and their traffic has to go through Cisco NAC Appliance for authentication/posture assessment only.
With release 4.0, administrators now have the option of deploying a remote CAS or L3 IB CAS for remote WAN users, and in some instances using L3 OOB.
Note
L3 OOB requires changing the end-user IP address using port bouncing. Release 4.0.0 does not support the end user behind IP telephony for L3 OOB. Support will be enabled for end users behind IPT for L3 OOB in an upcoming maintenance release.
Client MAC Address Detection—Clean Access Agent or ActiveX/Java Applet
In release 4.0, the MAC detection mechanism of the 4.0.0.0 and above Clean Access Agent will automatically acquire the client MAC address in L3 OOB deployments (see Ability of Clean Access Agent to Send IP/MAC for All Available Adapters).
Users performing web login will download to the client machine and execute either an ActiveX control (for IE browsers) or Java applet (for non-IE browsers) prior to user login to determine the user machine's MAC address. This information is then reported to the CAS and the CAM to provide the IP address/MAC address mapping.
ActiveX/Java Applet and Browser Compatibility
•
ActiveX is supported on IE 6.0 for Windows XP and Windows 2000 systems.
•
Java applets are supported for major browsers including Safari 1.2+, Mozilla (Camino, Opera), and Internet Explorer on Windows XP, Windows 2000, MacOS 10, and Linux operating systems.
•
Due to Firefox issues with Java, Java applets are not supported for Firefox on Mac OS X. See the Firefox release notes (http://www.mozilla.com/firefox/releases/1.5.0.3.html) for details.
Note
For Mac OS Clients: On Apple MacOS, the browser settings to bypass proxy must have the full CAS IP address (e.g. 10.201.217.93) in order for the client machine to load the Java Applet and log in successfully.
Note
For Linux OOB Clients:
Because Linux machines behave differently than Windows/Mac OS clients (i.e. do not release IP address when NIC is down and renew IP address when NIC is up), use the following steps for OOB Linux clients:
1.
Set a short lease time (e.g. 60 seconds) for the DHCP server on the Auth VLAN.
2.
In the Port Profile, disable (uncheck) the "Remove out-of-band online user when SNMP linkdown trap is received" option.
This will cause the Linux client to renew its IP address shortly after authentication/certification.
Note
Because Linux shuts down/restarts the NIC when renewing the IP address, if this option is enabled (checked) in the Port Profile, the renewal will set the port back to the Auth VLAN.
3.
Alternatively, you can set the Port Profile to: "Change to [Access VLAN] if the device is certified but not in the out-of-band user list." This ensures the port stays on the Access VLAN for an authenticated/certified Linux client that is reconnecting to the port after renewing its DHCP lease.
Note
The Enable L2 strict mode for Clean Access Agent feature requires the Clean Access Agent to get the client MAC address. The ActiveX/ Java Applet MAC address fetch is currently not enabled for L2 strict mode in L3 OOB deployment.
This new feature modifies the following web admin console pages:
•
A new checkbox and dropdown menu is added for "Use Active X or Java Applet to detect client MAC address when Clean Access Server cannot detect the MAC address" in the following user login configuration pages:
–
CAM web console: Administration > User Pages > Login Page > List [Edit] | General
–
CAS management pages: Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page > List [Edit] > General
•
Device Management > Clean Access > Clean Access Agent > Updates (version information for updates to L3 Java Applet Web Client and L3 ActiveX Web Client)
In addition, the web login pages for L3 OOB users will reflect status information related to loading the Active X control or Java applet, and renewing the client IP address.
New Windows Update Requirement Type
Release 4.0 adds a new Clean Access Agent "Windows Update" Requirement type configuration page to allow administrators to check and modify Windows Update settings, and launch Windows Updater (Automatic Updates/WSUS Agent for Local WSUS Server) on Clean Access Agent user machines. When this requirement is configured, the administrator can turn on Automatic Updates on Windows 2000 or XP clients which have this option disabled on the machine. If Automatic Updates are already enabled on the user machine, the administrator can override the user-specified update option with the administrator-specified option. In addition, administrator-specified Windows Update settings can be applied temporarily on the user machine or can be set to permanently override user preferences to ensure updates are always performed.
The "Windows Update" requirement (set to Optional) provides an Update button on the Clean Access Agent for remediation. When the end user clicks the Update button, the CCA Agent will launch the AU/WSUS Agent and force it to get the update software from the WSUS Server. The software download from WSUS may take some time. Cisco recommends you set the Windows Update requirement to Optional for WSUS remediation to occur as a background process.
Note
Administrators must ensure that the AU Agent is updated to support the local WSUS server for the auto-launch to work. For details, refer to: http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx
This new feature adds the following web admin console page:
•
Device Management > Clean Access > Clean Access Agent > Requirements > New/Edit Requirement | Requirement Type: Windows Update
SMP Kernel Support for Super CAM
Release 4.0 adds SMP (Symmetric Multi-Processing) support to the Clean Access Manager kernel. However, this support is only available in the upcoming SuperManager (Super CAM) product.
A SuperManager (Super CAM) is a Clean Access Manager on a hardware platform that will be capable of managing up to 40 Clean Access Servers (CAS). Currently, the limit for the number of CASes that can be managed by a regular CAM is 20.
Note that regular CCA release 4.0, as well as upgrades to 4.0 (from 3.5 or 3.6), will continue to support only single processor servers.
Note
SMP support is added to support new Super CAM hardware platforms expected to ship in the FY'06 time frame. See Current Supported Components Required for Super CAM below.
Current Supported Components Required for Super CAM
Table 6 lists the current supported components required to install the SuperManager (Super CAM) product software. The Super CAM software is currently supported only for the platform specified in Table 6.
Table 6 Current Supported Components Required for Cisco NAC Appliance-Super CAM
Cisco NAC Appliance Version | Supported Server Hardware (1) | SSL Accelerator Card (2)
4.0(x) | HP Proliant DL360 G5 (Serial Attached SCSI (SAS) controller). Note: Must be dual-processor, with 4 GB of RAM and 4 hard drives. | Cavium CN1120-NHB-E
1 Super CAM software version 4.0.3.3 and newer will only be supported on the Cisco NAC Appliance 3390 hardware platform.
2 You must purchase and install the Cavium CN1120-NHB-E SSL Accelerator Card on the server hardware to install the Super CAM software. The Super CAM will not run without it. Refer to http://www.cavium.com/EnterpriseBoards/overview.html for details.
See Upgrading or Installing Super Manager Software for further details.
Support for Assigning VLANs by VLAN Name in OOB Deployments
With release 4.0, administrators now have the option of specifying the VLAN Name or the VLAN ID in the Port Profile form or in the User Role form (when role-based VLAN assignment is used for Out-of-Band deployments). Note that VLAN Name is case-sensitive. If specifying wildcards for VLAN Name, you can use: abc, *abc, abc*, *abc*. The switch will use the first match for the wildcard VLAN Name.
Note
Disable VTP configuration on switches if using VLAN by Name.
This new feature modifies the following web admin console pages:
•
Switch Management > Port Profile > New/Edit | VLAN Settings (VLAN Name/VLAN ID dropdown added)
•
User Management > User Roles > New/Edit Role | Out-of-Band User Role VLAN (VLAN Name/VLAN ID dropdown added)
Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments
Release 4.0 provides a new "IGNORE" global device filter control which, when set for the specified MAC address, will ignore SNMP traps from managed switches in Out-of-Band deployments. This feature is intended to support OOB client machines connected to the network via IP phones.
•
IGNORE: (new for 4.0; OOB only)
–
OOB - Ignore SNMP traps from managed switches (switchports) for devices on the IGNORE list (e.g. IP Phones)
Note
•
After 4.0 upgrade, administrators should reconfigure any "allow" device filters specified for IP phones with previous CCA releases to the new "IGNORE" option.
•
The "IGNORE" option applies to OOB deployments and global device filters only. It does not apply to CAS-specific filters, and for IB deployments this option has no effect.
This new feature is part of the overall enhancements to the following web admin console page:
•
Device Management > Filters > New/Edit (new "IGNORE" option)
For a description of additional related enhancements, see also Corporate Asset Authentication and Posture Assessment by MAC Address.
Ability to Change Priority of Wildcard/Range Global Device Filters
Release 4.0 provides a new "Order" page control to allow administrators to change the priority of global device filters configured using wildcards or address ranges. By reordering the priority of a device filter policy up or down, the administrator can quickly change the access type for the devices which fall under the device filter rule.
Note
If a device filter is specified for an exact MAC address, the rules of that filter apply instead and any existing wildcard/range filters are not used.
This new feature adds the following new web admin console page:
•
Device Management > Filters > Order (new tab)
Ability to View or Search Active L2 Devices in Device Filter List
Release 4.0 provides a new control to view or search the IP addresses, Access Types, and Role of all L2 clients currently connected to the CAS, sending packets and with their MAC addresses in a global or local device filter. Active L2 devices can be viewed across all Clean Access Servers via the CAM web console, or per CAS via the CAS management pages.
This new feature adds the following new pages to the web admin console:
•
Device Management > Filters > Active (new tab)
•
Device Management > CCA Servers > Manage [CAS_IP] > Filter > Devices Filters > Active (new tab)
Ability to Test MAC Addresses Against Device Filters
Release 4.0 provides a new "Test" page control to allow administrators to determine which device filter and access type will be applied to the specified MAC for the specified Clean Access Server.
•
Device Management > Filters > Test (new tab)
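The following added example (not Cisco code and not part of the original release notes) illustrates the precedence described in the Order and Test sections above: an exact-MAC filter always wins, and among wildcard/range filters the one highest in the order applies. The filter syntax (a trailing `*` for wildcards, `low-high` for ranges), the access-type strings, the function names and the sample MAC addresses are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


def mac_hex(mac):
    """Return the 12 lowercase hex digits of a MAC written with ':' separators."""
    digits = mac.replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class DeviceFilter:
    spec: str      # exact MAC, "prefix:*" wildcard, or "low-high" range (assumed syntax)
    access: str    # access type applied to matching devices
    note: str = ""

    @property
    def kind(self):
        if self.spec.endswith("*"):
            return "wildcard"
        if "-" in self.spec:
            return "range"
        return "exact"

    def matches(self, mac):
        target = mac_hex(mac)
        if self.kind == "wildcard":
            prefix = self.spec[:-1].replace(":", "").lower()
            return target.startswith(prefix)
        if self.kind == "range":
            low, high = (mac_hex(part.strip()) for part in self.spec.split("-"))
            # Fixed-length lowercase hex strings sort in numeric order.
            return low <= target <= high
        return target == mac_hex(self.spec)


def resolve_filter(filters, mac):
    """Filter that applies to `mac`; `filters` is in priority order, top first."""
    for f in filters:                       # an exact entry overrides everything
        if f.kind == "exact" and f.matches(mac):
            return f
    for f in filters:                       # otherwise first wildcard/range in order
        if f.kind != "exact" and f.matches(mac):
            return f
    return None


def access_for(filters, mac):
    f = resolve_filter(filters, mac)
    return f.access if f else None


def move_up(filters, spec):
    """Return a copy of `filters` with the entry `spec` moved one place up."""
    out = list(filters)
    i = next(n for n, f in enumerate(out) if f.spec == spec)
    if i > 0:
        out[i - 1], out[i] = out[i], out[i - 1]
    return out


def impact(before, after, inventory):
    """Devices whose access type changes between two filter orders."""
    changes = []
    for mac in inventory:
        old, new = access_for(before, mac), access_for(after, mac)
        if old != new:
            changes.append((mac, old, new))
    return changes


# Constructed sample data (locally administered MAC addresses).
RANGE_SPEC = "02:16:21:13:00:00-02:16:21:13:FF:FF"
FILTERS = [
    DeviceFilter("02:16:21:*", "check", "vendor prefix, posture-assess"),
    DeviceFilter(RANGE_SPEC, "allow", "printer block"),
    DeviceFilter("02:16:21:13:4D:67", "deny", "one decommissioned device"),
]
INVENTORY = [
    "02:16:21:13:4d:67",   # has an exact filter
    "02:16:21:13:00:10",   # inside both the wildcard and the range
    "02:16:21:77:00:01",   # wildcard only
    "02:aa:00:00:00:01",   # no filter
]

if __name__ == "__main__":
    for mac in INVENTORY:
        print(mac, "->", access_for(FILTERS, mac))
    print("moving the range up changes:", impact(FILTERS, move_up(FILTERS, RANGE_SPEC), INVENTORY))
```

Running `impact` over a device inventory before changing the order shows which devices would silently move from posture assessment to unconditional access.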
Support for Relay IP Class Restrictions on DHCP Server
With release 4.0, when the CAS is configured as a DHCP server, administrators can now also restrict DHCP subnet ranges based on a Relay IP address (in addition to restricting ranges based on VLAN ID).
•
For IPs with VLAN restrictions, all IPs must be in a managed subnet, and you must create a managed subnet first before creating an IP range (DHCP pool).
•
For IPs with relay restrictions, all IPs should typically be in static routes, but can be in managed subnets if integrating the CAS with Aironet devices or other non-RFC 2131/2132 compliant devices. Note that these IP address pools must be in either a static route or a managed subnet, and IPs with relay restrictions should only be put in a managed subnet for these non-compliant devices.
This new feature modifies the following web admin console pages (when the CAS is configured as a DHCP Server):
•
Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Subnet List > New / Edit (new "Restrict range to: VLAN ID | RELAY IP" dropdown)
•
Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Global Options (new "Class Options" configuration section)
Support for DHCP Global Actions
With release 4.0, when the CAS is configured as a DHCP server, administrators can now globally modify and apply the following settings:
•
Default Lease Time (seconds) - except for IP reservations
•
Maximum Lease Time (seconds) - except for IP reservations
•
DNS Suffix
•
DNS Servers
•
WIN Servers
You can globally apply these settings to the following:
•
All manually created subnets
•
All auto-generated subnets
•
All reserved IP entries
•
All forms specified by VLAN ID
•
Or, all of these elements together ("Everything")
This feature creates the following new web console tab (for a CAS-DHCP Server):
•
Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Global Action (new tab)
New "service perfigo maintenance" CLI Command for CAS
Release 4.0 provides a new service perfigo maintenance CLI command that can be issued on the CAS machine to maintain network connectivity when bringing the CAS into maintenance mode. In maintenance mode, only the basic CAS router runs and continues to handle VLAN-tagged packets. The new command allows communication through the management VLAN to the CAS, and is intended for environments where the CAS is in trunk mode and the native VLAN is different than the management VLAN. This command provides a better alternative to the service perfigo stop command, which, when issued while the management VLAN is set, causes the CAS to lose network connectivity.
Note
service perfigo maintenance is available on the CAS CLI only (does not apply to CAM).
Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
With release 4.0, version 4.0.0.0 of the Clean Access Agent is now able to transfer the MAC address of all network adapters on the client to the Clean Access Server for the following applications:
•
MAC-based device authentication (see Corporate Asset Authentication and Posture Assessment by MAC Address)
With release 4.0 and above, if the MAC address of a Clean Access Agent user is in an "allow" device filter, the CAS now informs the Agent in its UDP discovery response, and the Agent will allow device authentication and posture assessment of the device without requiring any user login.
•
L3 OOB deployments (see Support for Layer 3 Out-of-Band (OOB) Deployment)
The Agent always sends the MAC/IP address pair of the client at login request regardless of the CAS configuration. The CAS then determines what to read or discard. If the CAS is configured for L3 OOB, the CAS takes the MAC/IP address of the Agent at UDP discovery and at login request. If the CAS is configured for L2 Strict mode, the CAS discards all IP addresses, because they are not needed.
Clean Access Agent (4.0.0.1)
Version 4.0.0.1 of the Clean Access Agent resolves caveat CSCse64395.
See also Clean Access Agent Version Summary.
Clean Access Agent (4.0.0.0)
Version 4.0.0.0 adds the following functionality to the Clean Access Agent:
•
Agent is now aware of when a user machine is in a MAC-based device filter.
•
Agent now sends the MAC/IP address of all available network adapters on the client to the CAS.
•
Agent now detects OS Mismatch and re-performs posture assessment.
•
Stub is now available to distribute the Agent installation files when users do not have admin privileges on their machines.
•
The Installer Proxy of the Agent Installer now checks user privileges before installing the Clean Access Agent. If the user has admin privileges, the installation proceeds; if the user has non-admin privileges, the installer proxy attempts to communicate with the stub.
Note
Microsoft Internet Explorer 7.0 is only supported when using Clean Access Agent 4.0.4.0. For other versions of the Agent to login and perform operations, users must uninstall IE 7.0 Beta 2. See Troubleshooting for details.
See also Clean Access Agent Version Summary.
Support for Stub Installation/Update of the Clean Access Agent
Release 4.0 provides a stub installer to allow users without administrator permissions on their machines to install or update the Clean Access Agent after the stub is installed by an admin user. With release 4.0 the installer proxy of the Agent installer is also enhanced to check the digital signature of any target executable and to only perform installation when the digital signatures are trusted.
In release 4.0, when the Agent Setup Installation program is started, it:
1. Extracts the installer.
2. Checks the privileges of the current user.
3. If the user has admin privileges, the installer is launched.
4. If the user is not an admin user:
   a. It verifies whether or not the stub is running (or installed but not running).
   b. If the stub is not running, the real installer of the Agent is not extracted and the Agent is not installed.
   c. If the stub is running, a request is sent to the stub to launch the installer in the Temp directory of the local user (CCA knows the exact location where the real installer has been extracted).
The stub installer must be distributed by the administrator and can be downloaded from Cisco Secure Downloads or obtained from the CAM using the administrator download buttons on the Clean Access Agent Distribution page: CCAA MSI Stub (Microsoft Installer format) or CCAA EXE Stub (generic executable format).
This new feature modifies the following web admin console page:
• Device Management > Clean Access > Clean Access Agent > Distribution (new CCAA MSI Stub and CCAA EXE Stub download buttons)
OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
When configuring OOB for web login users, release 4.0(0) provides new "Redirection Delay with/without Bouncing" options for additional control of webpage redirection intervals (to allow time for port bouncing or to minimize redirection time if no port bouncing is required). This allows the port to be bounced after a configured interval, and the page to be redirected after another configured interval. The total of these configured intervals then becomes the redirection interval experienced by the user after login, by default 20 seconds when the port is bounced. The client will then be on the Access VLAN.
• When the port is not bounced, the total redirection interval that the user experiences is the value of the Redirection Delay without Bouncing field.
• When the port is bounced, the total redirection interval that the user experiences is the sum of 2 fields: Redirection Delay with Bouncing and Port Bounce Interval.
This enhancement modifies the following web admin console page:
• Switch Management > Profiles > SNMP Receiver > Advanced Settings (new "Redirection Delay without Bouncing" and "Redirection Delay with Bouncing" fields)
SNMP Enhancements for CAM
With release 4.0, the SNMP settings for traps the CAM sends to SNMP management tools are saved on CAM failover peers. In addition, the state of all levels the CAM monitors (state of disks, memory, CPU, and critical processes) is sent within a few minutes of SNMP server startup (i.e., after SNMP configuration changes or CAM machine reboot).
CAS Host-Based Traffic Policy Enhancements for Proxy Servers
Release 4.0 provides an enhancement to host-based traffic policy handling on the Clean Access Server when users are required to use a proxy server to connect to the network. When the "Parse Proxy Traffic for Roles other than Unauthenticated Role" checkbox is enabled on the Allowed Hosts form, the CAS will check the payloads of GET, POST and CONNECT HTTP/HTTPS/FTP traffic to ensure the host is on the host policy list before allowing traffic to the proxy server specified on the Proxy configuration page of the CAS. This feature also enhances the Proxy page so that the proxy server IP address as well as port can be specified. Note that the proxy server IP and port should be configured first before enabling the "parse proxy" checkbox.
This enhancement modifies the following web admin console pages:
• Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Proxy (field updated for "Proxy Server (IP):Port")
• Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Allowed Host (new checkbox for "Parse Proxy Traffic for Roles other than Unauthenticated Role")
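The host check on proxied GET, POST and CONNECT requests described in this section, sketched as an added example (not Cisco's code and not the CAS implementation). The allow-list entries, the "*.suffix" match syntax, the refusal of other methods and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list. The match syntax (exact name, or "*.suffix" for any
# subdomain) is an assumption of this example, not the CAS's own policy format.
ALLOWED_HOSTS = ["update.example.com", "*.av-vendor.example"]
CHECKED_METHODS = {"GET", "POST", "CONNECT"}


def target_host(request_head: bytes):
    """Return (method, host) for the request a client sends to a proxy."""
    lines = request_head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        # HTTPS through a proxy: only "host:port" is visible before the tunnel.
        host = urlsplit("//" + target).hostname
    elif target.startswith("/"):
        # Origin-form: the only place the host appears is the Host header.
        host = None
        for line in lines[1:]:
            if not line:
                break  # end of headers
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = urlsplit("//" + value.strip()).hostname
                break
    else:
        # Absolute-form (http:// or ftp:// via the proxy). The proxy acts on
        # this URI, so the Host header is deliberately not consulted.
        host = urlsplit(target).hostname
    host = (host or "").rstrip(".").lower()
    if not host:
        raise ValueError("request names no target host")
    return method, host


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """Exact match, or suffix match on a label boundary for "*.suffix"."""
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # keeps the leading dot
                return True
        elif host == pattern:
            return True
    return False


def decide(request_head: bytes, allowed=ALLOWED_HOSTS):
    """Return "allow" or "deny" for one request head; unparsable input is denied."""
    try:
        method, host = target_host(request_head)
    except ValueError:
        return "deny"
    if method not in CHECKED_METHODS:
        return "deny"  # assumption: methods outside the checked set are refused
    return "allow" if host_allowed(host, allowed) else "deny"
```

The decision keys on the request target the proxy will act on, so an allowed name in the Host header does not admit a request whose absolute URI names a different host.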
Enhancements for DHCP Option Configuration Forms
When the CAS is configured as a DHCP Server, release 4.0 enhances the configuration forms for specifying DHCP options.
For Root Global and Scoped Global options, administrators can now specify an option number and choose from an option type dropdown, or create a custom option by specifying an ID and a data type (for options that are not on the list or of a different type). Custom DHCP options may be used by VoIP vendors to provide IP phone information that needs to be routed on the network.
Similar Class Options configuration forms are now provided to allow administrators to specify class options for VLAN ID or Relay IP restricted subnets.
This enhancement adds the following web admin console page (when the CAS is configured as a DHCP Server):
• Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Global Options
Note
For DHCP Options: When upgrading to 4.0, any existing DHCP options on the CAS will be lost. Administrators must re-enter any previously configured DHCP options using the Global Options page.
Authentication Cache Timeout
For performance reasons, the Clean Access Manager caches the authentication results from user authentication for 2 minutes by default. Release 4.0 provides a new "Authentication Cache Timeout" control on the Auth Server list page that allows administrators to configure the number of seconds the authentication result will be cached in the CAM. When a user account is removed from the authentication server (LDAP, RADIUS, etc.), administrators can restrict the time window in which the user can log in to CCA again by configuring the Authentication Cache Timeout.
This enhancement modifies the following web admin console page:
• User Management > Auth Servers > Auth Servers > List (new "Authentication Cache Timeout" field)
Supported AV/AS Product List Enhancements (Version 42)
• See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.
• See Supported AV/AS Product List Version Summary for details on each update to the list.
Cisco Pre-Configured Rules ("pr_")
Cisco NAC Appliance provides a set of pre-configured rules and checks that are downloaded to the CAM via the Updates page on the CAM web console (under Device Management > Clean Access > Clean Access Agent > Updates).
Pre-configured rules have a prefix of "pr" in their names (e.g. "pr_XP_Hotfixes"), and can be copied (for use as a template), but cannot be edited or removed. You can click the Edit button for any "pr_" rule to view the rule expression that defines it. The rule expression for a pre-configured rule will be composed of pre-configured checks (e.g. "pc_Hotfix835732") and boolean operators. The rule expression for pre-configured rules is updated via Cisco Updates. For example, when new Critical Windows OS hotfixes are released for Windows XP, the pr_XP_Hotfixes rule will be updated with the corresponding hotfix checks.
Pre-configured rules are listed under Device Management > Clean Access > Clean Access Agent > Rules > Rule List. Pre-configured checks have a prefix of "pc" in their names and in turn are listed under Device Management > Clean Access > Clean Access Agent > Rules > Check List.
Note
Cisco pre-configured rules provide support for Critical Windows OS hotfixes.
Note
For complete details on configuring Clean Access Agent requirements, rules, and checks see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0.
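How a rule expression built from checks and boolean operators resolves against the check results for one client, as an added example (not Cisco's code). The operator syntax (`&`, `|`, `!`, parentheses), the fail-closed handling of unreported checks, and every check name except pc_Hotfix835732 are assumptions made for illustration.

```python
import re

_TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|!()]))")

# Constructed check results for one client. Only pc_Hotfix835732 is a name
# from the release notes; the other check names are placeholders.
REPORTED = {"pc_Hotfix835732": True, "pc_Example_A": False, "pc_Example_B": True}


def tokenize(expr):
    """Split a rule expression into check names and operator tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        match = _TOKEN.match(expr, pos)
        if not match:
            raise ValueError(f"unexpected character at offset {pos}")
        tokens.append(match.group(1) or match.group(2))
        pos = match.end()
    return tokens


def evaluate(expr, results):
    """Evaluate expr against {check_name: bool}; precedence is ! over & over |.

    Raises KeyError if the rule names a check with no reported result and
    ValueError if the expression is malformed.
    """
    tokens = tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("expression ends unexpectedly")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        value = parse_and()
        while peek() == "|":
            take()
            rhs = parse_and()  # always parsed, so every named check is looked up
            value = value or rhs
        return value

    def parse_and():
        value = parse_unary()
        while peek() == "&":
            take()
            rhs = parse_unary()
            value = value and rhs
        return value

    def parse_unary():
        token = take()
        if token == "!":
            return not parse_unary()
        if token == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if token in ("&", "|", ")"):
            raise ValueError(f"unexpected {token!r}")
        return bool(results[token])  # KeyError: the check was never reported

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return value


def is_compliant(expr, results):
    """Fail closed: a rule that names an unreported check does not pass."""
    try:
        return evaluate(expr, results)
    except KeyError:
        return False
```

Treating a missing result as a failure matters most under negation: with a default of "false", `!pc_Unreported` would pass for a client that reported nothing.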
Using Cisco Rules to Check for CSA
You can use Cisco rules to create a Clean Access Agent requirement that checks if the Cisco Security Agent (CSA) is already installed and/or running on a client (from version 14663 and above of the Cisco Updates ruleset). To do this:
1. Create a new Link Distribution or File Distribution requirement (for Windows XP/2000).
2. Associate the requirement to one or both of the following rules (for Windows XP/2000):
   – pr_CSA_Agent_Version_5_0
   – pr_CSA_Agent_Service_Running
3. Associate the requirement to the user role(s) for which it will apply.
Clean Access Supported AV/AS Product List
This section describes the Supported AV/AS Product List that is downloaded to the Clean Access Manager via Device Management > Clean Access > Clean Access Agent > Updates to provide the latest antivirus (AV) and anti-spyware (AS) product integration support. The Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported AV/AS vendors and product versions used to configure AV/AS Rules and AV/AS Definition Update requirements.
The Supported AV/AS Product List contains information on which AV/AS products and versions are supported in each Clean Access Agent release along with other relevant information. It is updated regularly to bring the relevant information up to date and to include newly added products for new releases. Cisco recommends that you keep your list current, especially when you upload a new Agent Setup version or Agent Patch version to your CAM. Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages list all the new products supported in the new Agent.
Note
Cisco recommends that you keep your Supported AV/AS Product List up-to-date on your CAM by configuring the Update Settings under Device Management > Clean Access > Clean Access Agent > Updates to "Automatically check for updates every 1 hour."
The following charts list the AV and AS product/version support per client OS as of the latest Clean Access release:
• Clean Access AV Support Chart (Windows Vista/XP/2000)
• Clean Access AV Support Chart (Windows ME/98)
• Clean Access AS Support Chart (Windows Vista/XP/2000)
The charts show which AV/AS product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Clean Access Agent.
For a summary of the product support that is added per version of the Supported AV/AS Product List or Clean Access Agent, see also:
• Supported AV/AS Product List Version Summary
• Clean Access Agent Version Summary
You can access additional AV and AS product support information from the CAM web console under Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info.
Where possible, Cisco recommends you use AV Rules mapped to AV Definition Update Requirements when checking antivirus software on clients, and AS Rules mapped to AS Definition Update Requirements when checking anti-spyware software on clients. In the case of non-supported AV or AS products, or if an AV/AS product/version is not available through AV Rules/AS Rules, administrators always have the option of creating their own custom checks, rules, and requirements for the AV/AS vendor (and/or using Cisco provided pc_ checks and pr_ rules) through Device Management > Clean Access > Clean Access Agent (use New Check, New Rule, and New File/Link/Local Check Requirement). See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0 for configuration details.
Note that Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for AV/AS products by vendors, the Cisco NAC Appliance team will update the Supported AV/AS Product List and/or Clean Access Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_ checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."
Clean Access AV Support Chart (Windows Vista/XP/2000)
Table 7 lists Windows Vista/XP/2000 Supported Antivirus Products as of the latest release of the Cisco NAC Appliance software. (See Table 8 for Windows ME/98).
Table 7 Clean Access Antivirus Product Support Chart (Windows Vista/XP/2K)
Version 66, 4.0.6.2 Agent / Release 4.0.6.1

| Vendor | Product Name | Product Version | AV Checks Supported (Minimum Agent Version Needed) [1]: Installation [4] | AV Checks Supported (Minimum Agent Version Needed) [1]: Virus Definition | Live Update |
|---|---|---|---|---|---|
| AEC, spol. s r.o. | TrustPort Antivirus | 2.x | yes (4.0.6.0) | - | yes |
| AhnLab, Inc. | AhnLab Security Pack | 2.x | yes (3.5.10.1) | yes (3.5.10.1) | yes |
| AhnLab, Inc. | AhnLab V3 Internet Security 2007 Platinum | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes |
| AhnLab, Inc. | AhnLab V3 Internet Security 7.0 Platinum Enterprise | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| AhnLab, Inc. | V3Pro 2004 | 6.x | yes (3.5.10.1) | yes (3.5.12) | yes |
| AhnLab, Inc. | V3 VirusBlock 2005 | 6.x | yes (4.1.2.0) | yes (4.1.2.0) | - |
| ALWIL Software | avast! Antivirus | 4.x | yes (3.5.10.1) | yes (3.5.10.1) | yes |
| ALWIL Software | avast! Antivirus (managed) | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| ALWIL Software | avast! Antivirus Professional | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| America Online, Inc. | Active Virus Shield | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| America Online, Inc. | AOL Safety and Security Center Virus Protection | 102.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| America Online, Inc. | AOL Safety and Security Center Virus Protection | 1.x | yes (3.5.11.1) | yes (3.5.11.1) | - |
| America Online, Inc. | AOL Safety and Security Center Virus Protection | 210.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| America Online, Inc. | AOL Safety and Security Center Virus Protection | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| Authentium, Inc. | Command Anti-Virus Enterprise | 4.x | yes (3.5.0) | yes (3.5.0) | yes |
| Authentium, Inc. | Command AntiVirus for Windows | 4.x | yes (3.5.0) | yes (3.5.0) | yes |
| Authentium, Inc. | Command AntiVirus for Windows Enterprise | 4.x | yes (3.5.2) | yes (3.5.2) | yes |
| Authentium, Inc. | Cox High Speed Internet Security Suite | 3.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| Avira GmbH | Avira AntiVir Windows Workstation | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Avira GmbH | Avira Premium Security Suite | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes |
| Beijing Rising Technology Corp. Ltd. | Rising Antivirus Software AV | 17.x | yes (3.5.11.1) | yes (3.5.11.1) | yes |
| Beijing Rising Technology Corp. Ltd. | Rising Antivirus Software AV | 18.x | yes (3.5.11.1) | yes (3.5.11.1) | yes |
| Beijing Rising Technology Corp. Ltd. | Rising Antivirus Software AV | 19.x | yes (4.0.5.0) | yes (4.0.5.0) | yes |
| BellSouth | BellSouth Internet Security Anti-Virus | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| BullGuard Ltd. | BullGuard 7.0 | 7.x | yes (4.1.2.0) | yes (4.1.2.0) | - |
| Check Point, Inc | ZoneAlarm Anti-virus | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Check Point, Inc | ZoneAlarm (AntiVirus) | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Check Point, Inc | ZoneAlarm Security Suite Antivirus | 7.x | yes (4.0.5.0) | yes (4.0.5.0) | yes |
| ClamAV | ClamAV | devel-x | yes (4.0.6.0) | yes (4.0.6.0) | yes |
| ClamWin | ClamWin Antivirus | 0.x | yes (3.5.2) | yes (3.5.2) | yes |
| ClamWin | ClamWin Free Antivirus | 0.x | yes (3.5.4) | yes (3.5.4) | yes |
| Computer Associates International, Inc. | CA Anti-Virus | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Computer Associates International, Inc. | CA eTrust Antivirus | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Computer Associates International, Inc. | CA eTrust Internet Security Suite AntiVirus | 7.x | yes (3.5.11) | yes (3.5.11) | yes |
| Computer Associates International, Inc. | CA eTrustITM Agent | 8.x | yes (3.5.12) | yes (3.5.12) | yes |
| Computer Associates International, Inc. | eTrust EZ Antivirus | 6.1.x | yes (3.5.3) | yes (3.5.8) | yes |
| Computer Associates International, Inc. | eTrust EZ Antivirus | 6.2.x | yes (3.5.0) | yes (3.5.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Antivirus | 6.4.x | yes (3.5.0) | yes (3.5.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Antivirus | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Armor | 6.1.x | yes (3.5.0) | yes (3.5.8) | yes |
| Computer Associates International, Inc. | eTrust EZ Armor | 6.2.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Computer Associates International, Inc. | eTrust EZ Armor | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Defender Pro LLC | Defender Pro Anti-Virus | 5.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| EarthLink, Inc. | Aluria Security Center AntiVirus | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| EarthLink, Inc. | EarthLink Protection Control Center AntiVirus | 1.x | yes (3.5.10.1) | yes (3.5.10.1) | - |
| EarthLink, Inc. | EarthLink Protection Control Center AntiVirus | 2.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| eEye Digital Security | eEye Digital Security Blink Personal | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | yes |
| eEye Digital Security | eEye Digital Security Blink Professional | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | - |
| Eset Software | NOD32 antivirus system | 2.x | yes (3.5.5) | yes (3.5.5) | yes |
| Fortinet Inc. | FortiClient Consumer Edition | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | yes |
| Frisk Software International | F-PROT Antivirus for Windows | 6.0.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Frisk Software International | F-Prot for Windows | 3.14e | yes (3.5.0) | yes (3.5.0) | yes |
| Frisk Software International | F-Prot for Windows | 3.15 | yes (3.5.0) | yes (3.5.0) | yes |
| Frisk Software International | F-Prot for Windows | 3.16c | yes (3.5.11) | yes (3.5.11) | yes |
| Frisk Software International | F-Prot for Windows | 3.16d | yes (3.5.11) | yes (3.5.11) | yes |
| Frisk Software International | F-Prot for Windows | 3.16x | yes (3.5.11.1) | yes (3.5.11.1) | yes |
| F-Secure Corp. | F-Secure Anti-Virus | 5.x | yes (3.5.0) | yes (3.5.0) | yes |
| F-Secure Corp. | F-Secure Anti-Virus | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| F-Secure Corp. | F-Secure Anti-Virus | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| F-Secure Corp. | F-Secure Anti-Virus 2005 | 5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| F-Secure Corp. | F-Secure Anti-Virus Client Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| F-Secure Corp. | F-Secure Internet Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| F-Secure Corp. | F-Secure Internet Security | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| F-Secure Corp. | F-Secure Internet Security 2006 Beta | 6.x | yes (3.5.8) | yes (3.5.8) | yes |
| GData Software AG | AntiVirusKit 2006 | 2006.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| Grisoft, Inc. | Antivirussystem AVG 6.0 | 6.x | yes (3.5.0) | yes (3.5.0) | - |
| Grisoft, Inc. | AVG 6.0 Anti-Virus - FREE Edition | 6.x | yes (3.5.0) | yes (3.5.0) | - |
| Grisoft, Inc. | AVG 6.0 Anti-Virus System | 6.x | yes (3.5.0) | yes (3.5.0) | - |
| Grisoft, Inc. | AVG 7.5 | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| Grisoft, Inc. | AVG Antivirensystem 7.0 | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Grisoft, Inc. | AVG Anti-Virus 7.0 | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Grisoft, Inc. | AVG Anti-Virus 7.1 | 7.1.x | yes (3.6.3.0) | yes (3.6.3.0) | yes |
| Grisoft, Inc. | AVG Free Edition | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| HAURI, Inc. | ViRobot Desktop | 5.0.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| H+BEDV Datentechnik GmbH | AntiVir PersonalEdition Classic Windows | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| H+BEDV Datentechnik GmbH | AntiVir/XP | 6.x | yes (3.5.0) | yes (3.5.0) | yes |
| H+BEDV Datentechnik GmbH | Avira AntiVir PersonalEdition Premium | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| IKARUS Software GmbH | IKARUS Guard NT | 2.x | yes (4.0.6.0) | yes (4.0.6.0) | - |
| IKARUS Software GmbH | IKARUS virus utilities | 5.x | yes (4.0.6.0) | yes (4.0.6.0) | - |
| Internet Security Systems, Inc. | Proventia Desktop | 8.x | yes (4.0.6.0) | - | - |
| Internet Security Systems, Inc. | Proventia Desktop | 9.x | yes (4.0.6.0) | yes (4.0.6.0) | - |
| Kaspersky Labs | Kaspersky Anti-Virus 2006 Beta | 6.0.x | yes (3.5.8) | yes (3.5.8) | - |
| Kaspersky Labs | Kaspersky Anti-Virus 6.0 | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Kaspersky Labs | Kaspersky Anti-Virus 6.0 Beta | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Kaspersky Labs | Kaspersky Anti-Virus for Windows File Servers | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Kaspersky Labs | Kaspersky Anti-Virus for Windows Workstations | 5.0.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Kaspersky Labs | Kaspersky Anti-Virus for Windows Workstations | 6.x | yes (4.0.6.0) | yes (4.0.6.0) | yes |
| Kaspersky Labs | Kaspersky Anti-Virus for Workstation | 5.0.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Kaspersky Labs | Kaspersky Anti-Virus Personal | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes |
| Kaspersky Labs | Kaspersky Anti-Virus Personal | 5.0.x | yes (3.5.0) | yes (3.5.0) | yes |
| Kaspersky Labs | Kaspersky Anti-Virus Personal Pro | 5.0.x | yes (3.5.11) | yes (3.5.11) | yes |
| Kaspersky Labs | Kaspersky Internet Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Kaspersky Labs | Kaspersky(TM) Anti-Virus Personal 4.5 | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes |
| Kaspersky Labs | Kaspersky(TM) Anti-Virus Personal Pro 4.5 | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes |
| Kingsoft Corp. | Kingsoft AntiVirus 2004 | 2004.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Kingsoft Corp. | Kingsoft Internet Security | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes |
| Kingsoft Corp. | Kingsoft Internet Security 2006 + | 2006.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| McAfee, Inc. | McAfee Internet Security 6.0 | 8.x | yes (3.5.4) | yes (3.5.4) | yes |
| McAfee, Inc. | McAfee Managed VirusScan | 3.x | yes (3.5.8) | yes (3.5.8) | yes |
| McAfee, Inc. | McAfee Managed VirusScan | 4.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| McAfee, Inc. | McAfee VirusScan | 10.x | yes (3.5.4) | yes (3.5.4) | yes |
| McAfee, Inc. | McAfee VirusScan | 11.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| McAfee, Inc. | McAfee VirusScan | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan | 8.x | yes (3.5.1) | yes (3.5.1) | yes |
| McAfee, Inc. | McAfee VirusScan | 8xxx | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan | 9.x | yes (3.5.1) | yes (3.5.1) | yes |
| McAfee, Inc. | McAfee VirusScan | 9xxx | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan Enterprise | 7.0.x | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan Enterprise | 7.1.x | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan Enterprise | 7.5.x | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan Enterprise | 8.0.x | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan Enterprise | 8.x | yes (3.6.5.0) | yes (3.6.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan Home Edition | 7.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| McAfee, Inc. | McAfee VirusScan Professional | 8.x | yes (3.5.1) | yes (3.5.1) | yes |
| McAfee, Inc. | McAfee VirusScan Professional | 8xxx | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | McAfee VirusScan Professional | 9.x | yes (3.5.1) | yes (3.5.1) | yes |
| McAfee, Inc. | McAfee VirusScan Professional Edition | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| McAfee, Inc. | Total Protection for Small Business | 4.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Microsoft Corp. | Microsoft Forefront Client Security | 1.5.x | yes (4.0.5.0) | yes (4.0.5.0) | - |
| Microsoft Corp. | Windows Live OneCare | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| Microsoft Corp. | Windows OneCare Live | 0.8.x | yes (3.5.11.1) | - | - |
| MicroWorld | eScan Anti-Virus (AV) for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| MicroWorld | eScan Corporate for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| MicroWorld | eScan Internet Security for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| MicroWorld | eScan Professional for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| MicroWorld | eScan Virus Control (VC) for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Norman ASA | Norman Virus Control | 5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Panda Software | Panda Antivirus 2007 | 2.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| Panda Software | Panda Antivirus 2008 | 3.x | yes (4.0.6.1) | yes (4.0.6.1) | - |
| Panda Software | Panda Antivirus 6.0 Platinum | 6 | yes (3.5.0) | yes (3.5.0) | yes |
| Panda Software | Panda Antivirus + Firewall 2007 | 6.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| Panda Software | Panda Antivirus Lite | 1.x | yes (3.5.0) | yes (3.5.0) | - |
| Panda Software | Panda Antivirus Lite | 3.x | yes (3.5.9) | yes (3.5.9) | - |
| Panda Software | Panda Antivirus Platinum | 7.04.x | yes (3.5.0) | yes (3.5.0) | yes |
| Panda Software | Panda Antivirus Platinum | 7.05.x | yes (3.5.0) | yes (3.5.0) | yes |
| Panda Software | Panda Antivirus Platinum | 7.06.x | yes (3.5.0) | yes (3.5.0) | yes |
| Panda Software | Panda Client Shield | 4.x | yes (4.0.4.0) | yes (4.0.4.0) | - |
| Panda Software | Panda Internet Security 2007 | 11.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| Panda Software | Panda Internet Security 2008 | 12.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Panda Software | Panda Platinum 2005 Internet Security | 9.x | yes (3.5.3) | yes (3.5.3) | yes |
| Panda Software | Panda Platinum 2006 Internet Security | 10.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| Panda Software | Panda Platinum Internet Security | 8.03.x | yes (3.5.0) | yes (3.5.0) | yes |
| Panda Software | Panda Titanium 2006 Antivirus + Antispyware | 5.x | yes (3.5.10.1) | yes (3.5.10.1) | yes |
| Panda Software | Panda Titanium Antivirus 2004 | 3.00.00 | yes (3.5.0) | yes (3.5.0) | yes |
| Panda Software | Panda Titanium Antivirus 2004 | 3.01.x | yes (3.5.0) | yes (3.5.0) | yes |
| Panda Software | Panda Titanium Antivirus 2004 | 3.02.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Panda Software | Panda Titanium Antivirus 2005 | 4.x | yes (3.5.1) | yes (3.5.1) | yes |
| Panda Software | Panda TruPrevent Personal 2005 | 2.x | yes (3.5.3) | yes (3.5.3) | yes |
| Panda Software | Panda TruPrevent Personal 2006 | 3.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Panda Software | WebAdmin Client Antivirus | 3.x | yes (3.5.11) | yes (3.5.11) | - |
| Radialpoint Inc. | Radialpoint Virus Protection | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Radialpoint Inc. | Zero-Knowledge Systems Radialpoint Security Services Virus Protection | 6.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| SalD Ltd. | Dr.Web | 4.32.x | yes (3.5.0) | yes (3.5.0) | yes |
| SalD Ltd. | Dr.Web | 4.33.x | yes (3.5.11.1) | yes (3.5.11.1) | yes |
| Sereniti, Inc. | Sereniti Antivirus | 1.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Sereniti, Inc. | The River Home Network Security Suite | 1.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| SOFTWIN | BitDefender 8 Free Edition | 8.x | yes (3.5.8) | yes (3.5.8) | - |
| SOFTWIN | BitDefender 8 Professional Plus | 8.x | yes (3.5.0) | yes (3.5.0) | - |
| SOFTWIN | BitDefender 8 Standard | 8.x | yes (3.5.0) | yes (3.5.0) | - |
| SOFTWIN | BitDefender 9 Internet Security AntiVirus | 9.x | yes (3.5.11.1) | yes (3.5.11.1) | - |
| SOFTWIN | BitDefender 9 Professional Plus | 9.x | yes (3.5.8) | yes (3.5.8) | yes |
| SOFTWIN | BitDefender 9 Standard | 9.x | yes (3.5.8) | yes (3.5.8) | yes |
| SOFTWIN | BitDefender Antivirus Plus v10 | 10.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| SOFTWIN | BitDefender Antivirus v10 | 10.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| SOFTWIN | BitDefender Free Edition | 7.x | yes (3.5.0) | yes (3.5.0) | - |
| SOFTWIN | BitDefender Internet Security v10 | 10.x | yes (4.0.4.0) | yes (4.0.4.0) | yes |
| SOFTWIN | BitDefender Professional Edition | 7.x | yes (3.5.0) | yes (3.5.0) | - |
| SOFTWIN | BitDefender Standard Edition | 7.x | yes (3.5.0) | yes (3.5.0) | - |
| Sophos Plc. | Sophos Anti-Virus | 3.x | yes (3.5.3) | yes (3.5.3) | - |
| Sophos Plc. | Sophos Anti-Virus | 4.x | yes (3.6.3.0) | yes (3.6.3.0) | - |
| Sophos Plc. | Sophos Anti-Virus | 5.x | yes (3.5.3) | yes (3.5.3) | yes |
| Sophos Plc. | Sophos Anti-Virus | 6.x | yes (4.0.1.0) | yes (4.0.1.0) | yes |
| Sophos Plc. | Sophos Anti-Virus | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Sophos Plc. | Sophos Anti-Virus version 3.80 | 3.8 | yes (3.5.0) | yes (3.5.0) | - |
| Symantec Corp. | Norton 360 (Symantec Corporation) | 1.x | yes (4.1.1.0) | yes (4.1.1.0) | yes |
| Symantec Corp. | Norton AntiVirus | 10.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus | 14.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Symantec Corp. | Norton AntiVirus | 15.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Symantec Corp. | Norton AntiVirus 2002 | 8.00.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2002 | 8.x | yes (3.5.1) | yes (3.5.1) | yes |
| Symantec Corp. | Norton AntiVirus 2002 Professional | 8.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2002 Professional Edition | 8.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2003 | 9.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2003 Professional | 9.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2003 Professional Edition | 9.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2004 | 10.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2004 Professional | 10.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2004 Professional Edition | 10.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2004 (Symantec Corporation) | 10.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2005 | 11.0.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton AntiVirus 2006 | 12.0.x | yes (3.5.5) | yes (3.5.5) | yes |
| Symantec Corp. | Norton AntiVirus 2006 | 12.x | yes (3.5.5) | yes (3.5.5) | yes |
| Symantec Corp. | Norton AntiVirus Corporate Edition | 7.x | yes (3.5.1) | yes (3.5.1) | yes |
| Symantec Corp. | Norton Internet Security | 7.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton Internet Security | 8.0.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Norton Internet Security | 8.2.x | yes (3.5.1) | yes (3.5.1) | yes |
| Symantec Corp. | Norton Internet Security | 8.x | yes (3.5.1) | yes (3.5.1) | yes |
| Symantec Corp. | Norton Internet Security | 9.x | yes (3.5.10.1) | yes (3.5.10.1) | yes |
| Symantec Corp. | Norton Internet Security (Symantec Corporation) | 10.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Symantec Corp. | Norton SystemWorks 2003 | 6.x | yes (3.5.3) | yes (3.5.3) | yes |
| Symantec Corp. | Norton SystemWorks 2004 Professional | 7.x | yes (3.5.4) | yes (3.5.4) | yes |
| Symantec Corp. | Norton SystemWorks 2005 | 8.x | yes (3.5.3) | yes (3.5.3) | yes |
| Symantec Corp. | Norton SystemWorks 2005 Premier | 8.x | yes (3.5.3) | yes (3.5.3) | yes |
| Symantec Corp. | Norton SystemWorks 2006 Premier | 12.0.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Symantec Corp. | Symantec AntiVirus | 10.x | yes (3.5.3) | yes (3.5.3) | yes |
| Symantec Corp. | Symantec AntiVirus | 9.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Symantec AntiVirus Client | 8.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Symantec AntiVirus Server | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Symantec Corp. | Symantec AntiVirus Win64 | 10.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| Symantec Corp. | Symantec Client Security | 10.x | yes (3.5.3) | yes (3.5.3) | yes |
| Symantec Corp. | Symantec Client Security | 9.x | yes (3.5.0) | yes (3.5.0) | yes |
| Symantec Corp. | Symantec Endpoint Protection | 11.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Symantec Corp. | Symantec Scan Engine | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Trend Micro, Inc. | PC-cillin 2002 | 9.x | yes (3.5.1) | yes (3.5.1) | - |
| Trend Micro, Inc. | PC-cillin 2003 | 10.x | yes (3.5.0) | yes (3.5.0) | - |
| Trend Micro, Inc. | ServerProtect | 5.x | yes (4.1.0.0) | yes (3.6.5.0) | - |
| Trend Micro, Inc. | Trend Micro Antivirus | 11.x | yes (3.5.0) | yes (3.5.0) | yes |
| Trend Micro, Inc. | Trend Micro AntiVirus | 15.x | yes (3.6.5.0) | yes (3.6.5.0) | - |
| Trend Micro, Inc. | Trend Micro Client/Server Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Trend Micro, Inc. | Trend Micro Client/Server Security Agent | 7.x | yes (3.5.12) | yes (3.5.12) | yes |
| Trend Micro, Inc. | Trend Micro HouseCall | 1.x | yes (4.0.1.0) | yes (4.0.1.0) | - |
| Trend Micro, Inc. | Trend Micro Internet Security | 11.x | yes (3.5.0) | yes (3.5.0) | yes |
| Trend Micro, Inc. | Trend Micro Internet Security | 12.x | yes (3.5.0) | yes (3.5.0) | - |
| Trend Micro, Inc. | Trend Micro OfficeScan Client | 5.x | yes (3.5.1) | yes (3.5.1) | yes |
| Trend Micro, Inc. | Trend Micro OfficeScan Client | 6.x | yes (3.5.1) | yes (3.5.1) | yes |
| Trend Micro, Inc. | Trend Micro OfficeScan Client | 7.x | yes (3.5.3) | yes (3.5.3) | yes |
| Trend Micro, Inc. | Trend Micro OfficeScan Client | 8.x | yes (4.0.5.0) | yes (4.0.5.0) | yes |
| Trend Micro, Inc. | Trend Micro PC-cillin 2004 | 11.x | yes (3.5.0) | yes (3.5.0) | yes |
| Trend Micro, Inc. | Trend Micro PC-cillin Internet Security 12 | 12.x | yes (4.0.1.0) | yes (4.0.1.0) | - |
| Trend Micro, Inc. | Trend Micro PC-cillin Internet Security 14 | 14.x | yes (4.0.1.0) | yes (4.0.1.0) | yes |
| Trend Micro, Inc. | Trend Micro PC-cillin Internet Security 2005 | 12.x | yes (3.5.3) | yes (3.5.3) | yes |
| Trend Micro, Inc. | Trend Micro PC-cillin Internet Security 2006 | 14.x | yes (3.5.8) | yes (3.5.8) | yes |
| Trend Micro, Inc. | Trend Micro PC-cillin Internet Security 2007 | 15.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| VCOM | Fix-It Utilities 7 Professional [AntiVirus] | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| VCOM | SystemSuite 7 Professional [AntiVirus] | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| VCOM | VCOM Fix-It Utilities Professional 6 [AntiVirus] | 6.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Verizon | Verizon Internet Security Suite Anti-Virus | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Yahoo!, Inc. | AT&T Yahoo! Online Protection [AntiVirus] | 7.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Yahoo!, Inc. | SBC Yahoo! Anti-Virus | 7.x | yes (3.5.10.1) | yes (3.5.10.1) | yes |
| Yahoo!, Inc. | Verizon Yahoo! Online Protection [AntiVirus] | 7.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Zone Labs LLC | ZoneAlarm Anti-virus | 6.x | yes (3.5.5) | yes (3.5.5) | - |
| Zone Labs LLC | ZoneAlarm Security Suite | 5.x | yes (3.5.0) | yes (3.5.0) | - |
| Zone Labs LLC | ZoneAlarm Security Suite | 6.x | yes (3.5.5) | yes (3.5.5) | - |
| Zone Labs LLC | ZoneAlarm with Antivirus | 5.x | yes (3.5.0) | yes (3.5.0) | - |
1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server.) If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.
4 For a new installation of Sophos 5.x and 6.x, the definition date is empty until the first update.
Clean Access AV Support Chart (Windows ME/98)
Table 8 lists Windows ME/98 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 7 for Windows Vista/XP/2000.)
Table 8 Clean Access Antivirus Product Support Chart (Windows ME/98)
Version 66, 4.0.6.2 Agent / Release 4.0.6.1 (Sheet 1 of 2) Product Name Product Version AV Checks Supported
(Minimum Agent Version Needed)1 Installation Virus Definition Beijing Rising Technology Corp. Ltd.Rising Antivirus Software AV
18.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Computer Associates International, Inc.CA eTrust Antivirus
7.x
yes (3.5.3)
yes (3.5.3)
yes
eTrust EZ Antivirus
6.1.x
yes (3.5.0)
yes (3.5.8)
yes
eTrust EZ Antivirus
6.2.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
6.4.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
7.x
yes (3.5.3)
yes (3.5.3)
yes
eTrust EZ Armor
6.1.x
yes (3.5.3)
yes (3.5.8)
yes
McAfee, Inc.McAfee Managed VirusScan
3.x
yes (3.5.8)
yes (3.5.8)
yes
McAfee VirusScan
10.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee VirusScan
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
8.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan
9.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional
8.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Professional
9.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
SOFTWINBitDefender 8 Free Edition
8.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 8 Professional Plus
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 8 Standard
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 9 Professional Plus
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 9 Standard
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Standard Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
Symantec Corp.Norton AntiVirus
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.00.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton AntiVirus 2003
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional Edition
9.x
yes (3.5.3)
yes (3.5.3)
yes
Norton AntiVirus 2004
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 (Symantec Corporation)
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2005
11.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.x
yes (3.5.1)
yes (3.5.1)
yes
Symantec AntiVirus
10.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Symantec AntiVirus
9.x
yes (3.5.8)
yes (3.5.3)
yes
Symantec AntiVirus Client
8.x
yes (3.5.9)
yes (3.5.9)
yes
Trend Micro, Inc.
PC-cillin 2003
10.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
11.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
12.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro OfficeScan Client
7.x
yes (4.0.5.0)
yes (4.0.5.0)
-
Trend Micro PC-cillin 2004
11.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro PC-cillin Internet Security 2005
12.x
yes (3.5.3)
yes (3.5.3)
-
1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server). If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.
Clean Access AS Support Chart (Windows Vista/XP/2000)
Table 9 lists Windows Vista/XP/2000 Supported Antispyware Products as of the latest release of the Cisco Clean Access software.
Table 9 Clean Access Antispyware Product Support Chart (Windows Vista/XP/2000)
Version 66, 4.0.6.2 Agent / Release 4.0.6.1
| Product Name | Product Version | AS Checks Supported (Minimum Agent Version Needed)¹: Installation | AS Checks Supported (Minimum Agent Version Needed)¹: Spyware Definition | Live Update² |
| --- | --- | --- | --- | --- |
| AhnLab, Inc. | | | | |
| AhnLab SpyZero 2.0 | 2.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| AhnLab SpyZero 2007 | 3.x | yes (3.6.5.0) | yes (3.6.5.0) | yes |
| AhnLab V3 Internet Security 2007 Platinum AntiSpyware | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| AhnLab V3 Internet Security 7.0 Platinum Enterprise AntiSpyware | 7.x | yes (4.1.2.0) | yes (4.1.2.0) | yes |
| America Online, Inc. | | | | |
| AOL Safety and Security Center Spyware Protection | 2.0.x | yes (4.1.0.0) | - | - |
| AOL Safety and Security Center Spyware Protection | 2.1.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| AOL Safety and Security Center Spyware Protection | 2.2.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| AOL Safety and Security Center Spyware Protection | 2.3.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| AOL Safety and Security Center Spyware Protection | 2.x | yes (3.6.1.0) | yes (3.6.1.0) | - |
| AOL Spyware Protection | 1.x | yes (3.6.0.0) | yes (3.6.0.0) | - |
| AOL Spyware Protection | 2.x | yes (3.6.0.0) | - | - |
| Anonymizer, Inc. | | | | |
| Anonymizer Anti-Spyware | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| Anonymizer Anti-Spyware | 3.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| Authentium, Inc. | | | | |
| Cox High Speed Internet Security Suite | 3.x | yes (4.0.4.0) | - | yes |
| BellSouth | | | | |
| BellSouth Internet Security Anti-Spyware | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Bullet Proof Soft | | | | |
| BPS Spyware & Adware Remover | 9.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| BPS Spyware-Adware Remover | 8.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| BPS Spyware Remover | 9.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Check Point, Inc | | | | |
| ZoneAlarm (AntiSpyware) | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| ZoneAlarm Anti-Spyware | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| ZoneAlarm Pro Antispyware | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| ZoneAlarm Security Suite Antispyware | 7.x | yes (4.0.5.0) | yes (4.0.5.0) | yes |
| Computer Associates International, Inc. | | | | |
| CA eTrust Internet Security Suite AntiSpyware | 5.x | yes (3.6.1.0) | yes (3.6.1.0) | yes |
| CA eTrust Internet Security Suite AntiSpyware | 8.x | yes (4.1.2.0) | yes (4.1.2.0) | yes |
| CA eTrust Internet Security Suite AntiSpyware | 9.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| CA eTrust PestPatrol | 5.x | yes (3.6.1.0) | yes (4.0.6.0) | yes |
| CA eTrust PestPatrol Anti-Spyware | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| CA eTrust PestPatrol Anti-Spyware Corporate Edition | 5.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| PestPatrol Corporate Edition | 4.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| PestPatrol Standard Edition (Evaluation) | 4.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| EarthLink, Inc. | | | | |
| Aluria Security Center AntiSpyware | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| EarthLink Protection Control Center AntiSpyware | 1.x | yes (3.6.0.0) | yes (3.6.0.0) | - |
| EarthLink Protection Control Center AntiSpyware | 2.x | yes (4.0.6.0) | - | - |
| Primary Response SafeConnect | 2.x | yes (3.6.5.0) | - | - |
| FaceTime Communications, Inc. | | | | |
| X-Cleaner Deluxe | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Grisoft, Inc. | | | | |
| AVG Anti-Malware [AntiSpyware] | 7.x | yes (4.1.2.0) | - | - |
| AVG Anti-Spyware 7.5 | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Javacool Software LLC | | | | |
| SpywareBlaster v3.1 | 3.1.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| SpywareBlaster v3.2 | 3.2.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| SpywareBlaster v3.3 | 3.3.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| SpywareBlaster v3.4 | 3.4.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| SpywareBlaster v3.5.1 | 3.5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Kingsoft Corp. | | | | |
| Kingsoft Internet Security [AntiSpyware] | 7.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Lavasoft, Inc. | | | | |
| Ad-Aware 2007 Professional | 7.x | yes (4.0.6.1) | - | yes |
| Ad-aware 6 Professional | 6.x | yes (3.6.0.0) | yes (3.6.0.0) | - |
| Ad-Aware SE Personal | 1.x | yes (3.6.0.0) | yes (3.6.0.0) | - |
| Ad-Aware SE Professional | 1.x | yes (3.6.1.0) | yes (3.6.1.0) | yes |
| McAfee, Inc. | | | | |
| McAfee AntiSpyware | 1.5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| McAfee AntiSpyware | 1.x | yes (3.6.0.0) | yes (4.1.0.0) | yes |
| McAfee AntiSpyware | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| McAfee AntiSpyware Enterprise | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| McAfee Anti-Spyware Enterprise Module | 8.0.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| McAfee VirusScan AS | 11.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| MicroSmarts LLC | | | | |
| Spyware Begone | 4.x | yes (3.6.0.0) | - | - |
| Spyware Begone | 6.x | yes (4.1.0.0) | - | - |
| Spyware Begone | 8.x | yes (4.1.0.0) | - | - |
| Spyware Begone Free Scan | 7.x | yes (3.6.0.0) | - | - |
| Spyware Begone V7.30 | 7.30.x | yes (3.6.1.0) | - | - |
| Spyware Begone V7.40 | 7.40.x | yes (3.6.1.0) | - | - |
| Spyware Begone V7.95 | 7.95.x | yes (4.1.0.0) | - | - |
| Spyware Begone V8.20 | 8.20.x | yes (4.1.0.0) | - | - |
| Spyware Begone V8.25 | 8.25.x | yes (4.1.0.0) | - | - |
| Microsoft Corp. | | | | |
| Microsoft AntiSpyware | 1.x | yes (4.0.6.0) | - | yes |
| Windows Defender | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Windows Defender Vista | 1.x | yes (4.0.5.0) | yes (4.0.5.0) | yes |
| PC Tools Software | | | | |
| Spyware Doctor | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Spyware Doctor | 5.x | yes (4.0.6.0) | - | yes |
| Spyware Doctor 3.0 | 3.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| Spyware Doctor 3.1 | 3.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| Spyware Doctor 3.2 | 3.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| Spyware Doctor 3.5 | 3.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Spyware Doctor 3.8 | 3.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Prevx Ltd. | | | | |
| Prevx1 | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Prevx1 | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | yes |
| Prevx Home | 2.x | yes (3.6.0.0) | yes (3.6.0.0) | - |
| Radialpoint Inc. | | | | |
| Radialpoint Spyware Protection | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Zero-Knowledge Systems Radialpoint Security Services Spyware Protection | 6.x | yes (4.0.6.0) | yes (4.0.6.0) | yes |
| Safer Networking Ltd. | | | | |
| Spybot - Search & Destroy 1.3 | 1.3 | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| Spybot - Search & Destroy 1.4 | 1.4 | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| Spybot - Search & Destroy 1.5 | 1.x | yes (4.0.6.1) | yes (4.0.6.1) | - |
| Sereniti, Inc. | | | | |
| Sereniti Antispyware | 1.x | yes (4.0.6.0) | - | yes |
| The River Home Network Security Suite Antispyware | 1.x | yes (4.0.6.0) | - | yes |
| SOFTWIN | | | | |
| BitDefender 9 Antispyware | 9.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| Sunbelt Software | | | | |
| CounterSpy Enterprise Agent | 1.8.x | yes (4.0.6.0) | - | - |
| Sunbelt CounterSpy | 1.x | yes (3.6.0.0) | - | yes |
| Sunbelt CounterSpy | 2.x | yes (4.0.6.0) | - | yes |
| Symantec Corp. | | | | |
| Norton Spyware Scan | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | - |
| Trend Micro, Inc. | | | | |
| Trend Micro Anti-Spyware | 3.5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Trend Micro Anti-Spyware | 3.x | yes (3.6.0.0) | - | - |
| Trend Micro PC-cillin Internet Security 2007 AntiSpyware | 15.x | yes (4.1.0.0) | - | yes |
| VCOM | | | | |
| Fix-It Utilities 7 Professional [AntiSpyware] | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| SystemSuite 7 Professional [AntiSpyware] | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes |
| VCOM Fix-It Utilities Professional 6 [AntiSpyware] | 6.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Verizon | | | | |
| Verizon Internet Security Suite Anti-Spyware | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | - |
| Webroot Software, Inc. | | | | |
| Spy Sweeper | 3.x | yes (3.6.0.0) | - | - |
| Spy Sweeper | 4.x | yes (3.6.0.0) | - | - |
| Spy Sweeper | 5.x | yes (4.1.0.0) | - | - |
| Webroot Spy Sweeper Enterprise Client | 1.x | yes (3.6.0.0) | - | - |
| Webroot Spy Sweeper Enterprise Client | 2.x | yes (3.6.1.0) | - | - |
| Webroot Spy Sweeper Enterprise Client | 3.x | yes (4.0.5.1) | - | - |
| Yahoo!, Inc. | | | | |
| AT&T Yahoo! Online Protection | 2006.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| SBC Yahoo! Applications | 2005.x | yes (3.6.0.0) | yes (3.6.0.0) | yes |
| Verizon Yahoo! Online Protection | 2005.x | yes (4.0.6.1) | yes (4.0.6.1) | yes |
| Yahoo! Anti-Spy | 1.x | yes (3.6.0.0) | yes (3.6.0.0) | - |
| Zone Labs LLC | | | | |
| Integrity Agent | 6.x | yes (4.1.2.0) | yes (4.1.2.0) | - |
1 "Yes" in the AS Checks Supported columns indicates the Agent supports the AS Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AS Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AS product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
Supported AV/AS Product List Version Summary
Table 10 details enhancements made per version of the Supported Antivirus/Antispyware Product List. See Clean Access Supported AV/AS Product List for the latest Supported AV list as of the latest release. See New and Changed Information for the release feature list.
Clean Access Agent Version Summary
This section consolidates information for the Clean Access Agent client software. Table 11 lists the latest enhancements per version of the Clean Access Agent. Unless otherwise noted, enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions.
See Clean Access Supported AV/AS Product List for details on related AV/AS support.
Table 11 Clean Access Agent Versions
Agent Version¹ | Feature / Enhancement
4.0.6.2
• Version 4.0.6.2 of the Clean Access Agent includes fixes for the following caveats:
  – CSCsk20213
  – CSCsk45258
  – CSCsk68388
Note: On 64-bit client operating systems, the 4.0.6.1 and later Agents perform authentication only. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1.
Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform remediation on the client machine.
• Adds support as described in Supported AV/AS Product List Version Summary. See also Clean Access Agent (4.0.6.2).
4.0.6.1
• Release 4.0.6.1 introduces a Clean Access Agent that performs authentication on 64-bit client operating systems (i.e., Windows Vista and Windows XP). The 64-bit operating systems supported by this function are:
  – Windows XP Professional x64
  – Windows Vista Home Basic x64
  – Windows Vista Home Premium x64
  – Windows Vista Business x64
  – Windows Vista Ultimate x64
  – Windows Vista Enterprise x64
Note: On 64-bit client operating systems, the 4.0.6.1 Agent performs authentication only. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1.
Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform remediation on the client machine.
• Version 4.0.6.1 of the Clean Access Agent includes fixes for the following caveats:
  – CSCsj49408
  – CSCsk01928
  – CSCsk15081
  – CSCsk27579
• Adds support as described in Supported AV/AS Product List Version Summary. See also Clean Access Agent (4.0.6.1).
4.0.6.0
• Version 4.0.6.0 of the Clean Access Agent includes fixes for the following caveats: CSCsi24168, CSCsj29701, CSCsj30409, CSCsj43375
• Adds support for the stub installer on the Windows Vista operating system.
Note: When non-admin users install/uninstall the Agent through the stub service on Windows Vista, they will see an "Interactive Services Dialog Detection" dialog. If the user is installing, no input is required in the dialog session; it will automatically disappear. If the client machine is fast, the user may not even see the dialog appear at all, so the resulting behavior is as if the Agent gets silently installed after a few seconds. When uninstalling, however, the uninstall process does not complete until the user responds to a prompt inside the dialog.
This is expected behavior because, unlike earlier Windows operating systems, Windows Vista services run in a session (session 0) that is isolated from user sessions, and thus do not have access to video drivers. As a workaround for interactive services like the Agent stub installer, Windows Vista uses an Interactive Service Detection Service to prompt users for input and to enable access to dialogs created by interactive services. The "Interactive Service Detection Service" will automatically launch by default and, in most cases, users are not required to do anything. If the service is disabled for some reason, however, Agent installation by non-admin users will not function.
• Adds support as described in Supported AV/AS Product List Version Summary.
See also Known Issue with MSI Agent Installer File Name and Clean Access Agent (4.0.6.0).
4.0.5.1
• Version 4.0.5.1 of the Clean Access Agent includes fixes for the following caveats:
  – CSCsi26567
  – CSCsi42509
  – CSCsi44500
  – CSCsh55834
  – CSCsi59521
• Adds support as described in Supported AV/AS Product List Version Summary.
See also Clean Access Agent (4.0.5.1) and Resolved Caveats - Agent Version 4.0.5.1.
4.0.5.0
Version 4.0.5.0 of the Agent:
• Resolves caveat CSCsh40166
• Adds support as described in Supported AV/AS Product List Version Summary.
See also Clean Access Agent (4.0.5.0).
4.0.4.0
• Release 4.0(4)+ and Agent version 4.0.4.0 provide support for users running the Windows Vista operating system. Administrators can configure checks/rules/requirements and hotfixes specific to Windows Vista.
• Adds support for Microsoft Internet Explorer 7.0.
Note: Only 4.0(x) releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 support Windows Vista client operating systems. Clean Access Agent stub is not supported on Windows Vista.
For checks/rules/requirements, the Agent can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.
See also Clean Access Agent (4.0.4.0).
4.0.2.1
• Version 4.0.2.1 of the Agent is able to launch auto-update for Trend Micro AV products (resolves caveat CSCsg37846).
• Cisco recommends you upgrade clients using Trend Micro AV products to version 4.0.2.1 of the Clean Access Agent.
See also Resolved Caveats - Release 4.0.3.2 and Clean Access Agent (4.0.2.1) for further details.
4.0.2.0
• Release 4.0(3)+ and version 4.0.2.0 provide full support for Windows XP MCE/Tablet PC machines. Administrators can configure checks/rules/requirements and hotfixes specific to XP Pro/Home, XP MCE, XP Tablet PC, or XP All.
• Adds support for IE 7.0 Beta 3.
Note: 4.0.2.0 Agent is compatible with CAM/CAS release 4.0.3.1+, 4.0(3) (new install or in-place upgrade only), 4.0.2.2 and 4.0.0.1. See Enhancements in Release 4.0.3.1 and Software Compatibility Matrixes for further details.
Note: If you have upgraded from release 3.6(x)/4.0(x) to release 4.0(3)/4.0.2.0 Agent, you must download the CCAAgentUpgrade-4.0.2.0.tar.gz file from Cisco Secure Downloads and upload it to the CAM via Device Management > Clean Access > Clean Access Agent > Distribution to allow the CAS to distribute it to users.
Note: Because the 4.0.1.0 Agent (by design) automatically bypasses WinXP Agent checks/hotfixes for Windows MCE/Tablet PC systems, with upgrade to CAM/CAS release 4.0(3)/4.0.3.1, Cisco recommends you upgrade 4.0.1.0 Agents to 4.0.2.0.
Note: For 4.0.2.0+ Agent, only Japanese Windows XP/2000 clients are affected by caveats CSCsg38702 and CSCse86581 for Trend AV products. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for further details.
See also Clean Access Agent (4.0.2.0).
4.0.1.0
• Version 4.0.1.0 detects Windows MCE/Tablet PC OSes and automatically bypasses hotfixes and checks configured for Windows XP systems.
• Resolves the following caveats: CSCse72371, CSCse72396, CSCse76201, CSCse84747, CSCse85453, CSCse85994, CSCse86002
Note: IE 7.0 Beta is not supported when using Clean Access Agent 4.0.1.0 and below. For the Agent to log in and perform other operations, users must uninstall IE 7.0 Beta 2. See Clean Access Agent 4.0.1.0 and IE 7.0 Beta for details.
Note: 4.0.1.0 Agent users on XP MCE/Tablet PC can download/install the Agent, and checks/rules/requirements and hotfixes configured for WinAll are applied, but those configured for WinXP only are automatically bypassed.
See also Resolved Caveats - Release 4.0(1) and Clean Access Agent (4.0.1.0).
4.0.0.1
• Resolves caveat CSCse64395.
Note: 4.0.0.1 Agent users on XP MCE/Tablet PC can download/install the Agent, and checks/rules/requirements and hotfixes configured for WinXP and WinAll are applied. TabletPC machines cannot meet XP hotfix requirements, and MCE machines may meet some of them.
See also Clean Access Agent (4.0.0.1).
4.0.0.0
• Agent is now aware of when a user machine is in a MAC-based device filter.
• Agent now sends the MAC/IP address of all available network adapters on the client to the CAS.
• Agent now detects OS Mismatch and re-performs posture assessment.
• Stub is now available to distribute the Agent installation files when users do not have admin privileges on their machines.
• The Installer Proxy of the Agent Installer now checks user privileges before installing the Clean Access Agent. If the user has admin privileges, the installation proceeds; if the user has non-admin privileges, the installer proxy attempts to communicate with the stub.
See also Clean Access Agent (4.0.0.0).
1 See Release 4.0(x) Agent Upgrade Compatibility Matrix for upgrade compatibility details.
Caveats
This section describes the following caveats:
• Open Caveats - Release 4.0.6.1
• Resolved Caveats - Agent Version 4.0.6.2
• Resolved Caveats - Release 4.0.6.1
• Resolved Caveats - Release 4.0(6)
• Resolved Caveats - Agent Version 4.0.5.1
• Resolved Caveats - Release 4.0(5)
• Resolved Caveats - Release 4.0(4)
• Resolved Caveats - Release 4.0.3.3
• Resolved Caveats - Release 4.0.3.2
• Resolved Caveats - Release 4.0.3.1
• Resolved Caveats - Release 4.0(3)
• Resolved Caveats - Release 4.0.2.2
• Resolved Caveats - Release 4.0.2.1
• Resolved Caveats - Release 4.0(2)
• Resolved Caveats - Release 4.0(1)
• Resolved Caveats - Release 4.0.0.1
• Resolved Caveats - Release 4.0(0)
Note: If you are a registered cisco.com user, you can view Bug Toolkit on cisco.com at the following website:
http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 4.0.6.1


