
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(6)


Table Of Contents

Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(6)

Contents

Cisco NAC Appliance Releases

Cisco NAC Appliance Service Contract/Licensing Support

System and Hardware Requirements

System Requirements

Hardware Supported

Supported Switches for Cisco NAC Appliance

VPN Components Supported for Single Sign-On (SSO)

Software Compatibility

Software Compatibility Matrixes

Release 4.0(x) Compatibility Matrix

Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix

Release 4.0(x) Agent Upgrade Compatibility Matrix

Determining the Software Version

Clean Access Manager (CAM) Version

Clean Access Server (CAS) Version

Clean Access Agent Versioning

Cisco Clean Access Updates Versioning

New and Changed Information

Enhancements in Release 4.0.6.1

Clean Access Agent (4.0.6.2)

Clean Access Agent (4.0.6.1)

Supported AV/AS Product List Enhancements

Enhancements in Release 4.0(6)

Debug Log Download Enhancement

Syslog Configuration Enhancement

Clean Access Agent (4.0.6.0)

Supported AV/AS Product List Enhancements (Version 63)

Enhancements in Release 4.0(5)

Important Installation Notes for NAC-3310

Clean Access Agent (4.0.5.1)

Clean Access Agent (4.0.5.0)

Supported AV/AS Product List Enhancements

New Features and Enhancements in Release 4.0(4)

Support for Windows Vista Operating System

License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers

Improved Memory Footprint for Clean Access Agent Reports

Broadcast ARP Server Management Option Removed

Kernel Upgrade

Clean Access Agent (4.0.4.0)

Supported AV/AS Product List Enhancements (Version 47)

Enhancements in Release 4.0.3.3

Daylight Savings Time Support

Enhancements in Release 4.0.3.2

Upgrade Instructions for 4.0.3.2

Clean Access Agent (4.0.2.1)

Enhancements in Release 4.0.3.1

Upgrade Instructions for 4.0.3.1

Enhancements in Release 4.0(3)

Support for Windows XP Media Center Edition (MCE)/Tablet PC Operating Systems

New "pr_" Rules for MCE/Tablet PC Hotfixes

Restricted Network Access Option for Clean Access Agent Users

Clean Access Agent (4.0.2.0)

Supported AV/AS Product List Enhancements (Version 44)

Enhancements in Release 4.0.2.2

Upgrade Instructions for 4.0.2.2

Enhancements in Release 4.0.2.1

Upgrade Instructions for 4.0.2.1

Enhancements in Release 4.0(2)

Upgrade Instructions for 4.0(2)

New Features and Enhancements in Release 4.0(1)

Enable L3 Strict Mode

OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs

Link-Failure Based Failover in CAS HA

Upgrade Enhancements

CAM Disable Serial Login

CAM Admin Console Login Enhancements

Client OS Detection Signature Lookup

Start Timer Specification for Cisco Updates

API Enhancements

Enhancements for Windows XP Media Center Edition/Tablet PC

Clean Access Agent (4.0.1.0)

Supported AV/AS Product List Enhancements (Version 43)

Enhancements in Release 4.0.0.1

Upgrade Instructions for 4.0.0.1

New Features and Enhancements in Release 4.0(0)

Support for Active Directory (Windows Domain) Single Sign-On (SSO)

Corporate Asset Authentication and Posture Assessment by MAC Address

Support for Layer 3 Out-of-Band (OOB) Deployment

New Windows Update Requirement Type

SMP Kernel Support for Super CAM

Support for Assigning VLANs by VLAN Name in OOB Deployments

Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments

Ability to Change Priority of Wildcard/Range Global Device Filters

Ability to View or Search Active L2 Devices in Device Filter List

Ability to Test MAC Addresses Against Device Filters

Support for Relay IP Class Restrictions on DHCP Server

Support for DHCP Global Actions

New "service perfigo maintenance" CLI Command for CAS

Ability of Clean Access Agent to Send IP/MAC for All Available Adapters

Clean Access Agent (4.0.0.1)

Clean Access Agent (4.0.0.0)

Support for Stub Installation/Update of the Clean Access Agent

OOB Page Redirection Timers (SNMP Receiver Advanced Settings)

SNMP Enhancements for CAM

CAS Host-Based Traffic Policy Enhancements for Proxy Servers

Enhancements for DHCP Option Configuration Forms

Authentication Cache Timeout

Supported AV/AS Product List Enhancements (Version 42)

Cisco Pre-Configured Rules ("pr_")

Using Cisco Rules to Check for CSA

Clean Access Supported AV/AS Product List

Clean Access AV Support Chart (Windows Vista/XP/2000)

Clean Access AV Support Chart (Windows ME/98)

Clean Access AS Support Chart (Windows Vista/XP/2000)

Supported AV/AS Product List Version Summary

Clean Access Agent Version Summary

Caveats

Open Caveats - Release 4.0.6.1

Resolved Caveats - Agent Version 4.0.6.2

Resolved Caveats - Release 4.0.6.1

Resolved Caveats - Release 4.0(6)

Resolved Caveats - Agent Version 4.0.5.1

Resolved Caveats - Release 4.0(5)

Resolved Caveats - Release 4.0(4)

Resolved Caveats - Release 4.0.3.3

Resolved Caveats - Release 4.0.3.2

Resolved Caveats - Release 4.0.3.1

Resolved Caveats - Release 4.0(3)

Resolved Caveats - Release 4.0.2.2

Resolved Caveats - Release 4.0.2.1

Resolved Caveats - Release 4.0(2)

Resolved Caveats - Release 4.0(1)

Resolved Caveats - Release 4.0.0.1

Resolved Caveats - Release 4.0(0)

Known Issues for Cisco NAC Appliance

Known Issue with NAT/PAT Devices and L3 Deployments

Known Issues with HP ProLiant DL140 G3 Servers

Known Issue with NAC-3310 CD Installation

Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection

Known Issues with Switches

Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)

Known Issues with Broadcom NIC 5702/5703/5704 Chipsets

Known Issue with MSI Agent Installer File Name

Known Issue with Windows 98/ME/2000 and Windows Script 5.6

New Installation of Release 4.0(x)

Upgrading to 4.0(x)

Notes on 4.0(x) Upgrade

Settings That May Change With Upgrade

General Preparation for Upgrade

In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines

Create the Installation CD

Mount the CD-ROM and Run the Upgrade File

Swap Ethernet Cables (if Necessary)

Complete the In-Place Upgrade

In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs

Prepare for HA Upgrade

Determine Active and Standby Machines

Shut Down Standby Machine and Upgrade Active Machine In-Place

Shut Down Active Machine and Upgrade Standby Machine In-Place

Complete the HA In-Place Upgrade

Upgrading from 3.6(x)/4.0(x) —Standalone Machines

Create CAM DB Backup Snapshot

Download the Upgrade File

Web Console Upgrade—Standalone Machines

Console/SSH Upgrade—Standalone Machines

Upgrading from 3.6(x)/4.0(x)—HA-Pairs

Access Web Consoles for High Availability

Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs

Upgrading or Installing Super Manager Software

Upgrading NAC-3390 MANAGER (Super CAM) Software

CD Installation of Super CAM Software

Troubleshooting

Windows Vista Agent Stub Installer Error

Agent Error: "Network Error SSL Certificate Rev Failed 12057"

Creating CAM DB Snapshot

Creating CAM/CAS Support Logs

Recovering Root Password for CAM/CAS (Release 4.0(x)/3.6(x))

Recovering Root Password for CAM/CAS (Release 3.5(x) or Below)

No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM

Clean Access Agent 4.0.1.0 and IE 7.0 Beta

Clean Access Agent AV/AS Rule Troubleshooting

Enable Debug Logging on the Clean Access Agent

Troubleshooting Switch Support Issues

Troubleshooting Network Card Driver Support Issues

Other Troubleshooting Information

Documentation Updates

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(6)


Revised: January 30, 2008, OL-10370-01

Contents

These release notes provide late-breaking and release information for Cisco® NAC Appliance, also known as Cisco Clean Access (CCA), release 4.0(x). This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.

Cisco NAC Appliance Releases

Cisco NAC Appliance Service Contract/Licensing Support

System and Hardware Requirements

Software Compatibility

New and Changed Information

Clean Access Supported AV/AS Product List

Clean Access Agent Version Summary

Caveats

Known Issues for Cisco NAC Appliance

New Installation of Release 4.0(x)

Upgrading to 4.0(x)

Troubleshooting

Documentation Updates

Obtaining Documentation, Obtaining Support, and Security Guidelines

Cisco NAC Appliance Releases

Cisco NAC Appliance Version          Availability
4.0.6.2 (Agent only)                 October 4, 2007
4.0.6.1 GD                           August 30, 2007
4.0(6) GD                            August 14, 2007
4.0.5.1 (Agent only)                 May 10, 2007
4.0.5.0 (Agent only)                 March 2, 2007
4.0(5) ED                            February 8, 2007
4.0(4) ED                            December 26, 2006
4.0.3.3 ED (Appliance only)          November 17, 2006
4.0.3.2 ED                           September 19, 2006
4.0.3.1 ED                           August 30, 2006
4.0(3) ED                            August 28, 2006
4.0.2.2 ED                           August 29, 2006
4.0.2.1 ED                           August 7, 2006
4.0(2) ED                            July 28, 2006
4.0(1) ED [obsoleted by 4.0(2)]      July 25, 2006
4.0.0.1 ED                           August 29, 2006
4.0(0) ED                            June 7, 2006



Note Any ED release of software should be utilized first in a test network before being deployed in a production network.


Cisco NAC Appliance Service Contract/Licensing Support

For complete details on licensing, including service contract support, new licenses, evaluation licenses, legacy licenses and RMA, refer to Cisco NAC Appliance Service Contract/Licensing Support.

System and Hardware Requirements

This section describes the following:

System Requirements

Hardware Supported

Supported Switches for Cisco NAC Appliance

VPN Components Supported for Single Sign-On (SSO)

System Requirements

See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:

Clean Access Manager (CAM) system requirements

Clean Access Server (CAS) system requirements

Clean Access Agent (CAA) system requirements

CAS High Availability Requirements

Hardware Supported

See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:

Cisco NAC Appliance 3310, 3350, 3390 hardware platforms

Supported server hardware configurations

Pre-installation instructions for applicable server configurations

Troubleshooting information for network card driver support

Supported Switches for Cisco NAC Appliance

See Switch Support for Cisco NAC Appliance for details on:

Switches and NME EtherSwitch service modules that support Out-of-Band (OOB) deployment

Switch support for Virtual Gateway VLAN mapping

Known issues with switches/WLCs

Troubleshooting information

VPN Components Supported for Single Sign-On (SSO)

Table 1 lists VPN components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.

Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO

Cisco NAC Appliance Version
VPN Concentrator/Wireless Controller
VPN Clients

4.0(x)

Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)1

N/A

Cisco ASA 5500 Series Adaptive Security Appliances, Version 7.2(0)81 or above

Cisco SSL VPN Client (Full Tunnel)

Cisco VPN Client (IPSec)

Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Cisco VPN 3000 Series Concentrators, Release 4.7

Cisco PIX Firewall

1 For additional details, see also Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).



Note Only the SSL Tunnel Client mode of the Cisco WebVPN Services Module is currently supported.


For further details, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0 and Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.0.

Software Compatibility

This section describes software compatibility for releases of Cisco NAC Appliance:

Software Compatibility Matrixes

Determining the Software Version

For details on Clean Access Agent client software versions and AV integration support, see:

Clean Access Supported AV/AS Product List

Clean Access Agent Version Summary

Software Compatibility Matrixes

This section describes the following:

Release 4.0(x) Compatibility Matrix

Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix

Release 4.0(x) Agent Upgrade Compatibility Matrix

Release 4.0(x) Compatibility Matrix

Table 2, "Release 4.0(x) Compatibility Matrix" shows Clean Access Manager and Clean Access Server compatibility and the Agent version bundled with each CCA 4.0(x) release (if applicable). CAM/CAS/Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in the table.

Prior versions of the 4.0.x.x Clean Access Agent are compatible with the latest 4.0(x) CAM/CAS release, unless otherwise specified. See Clean Access Agent Version Summary for details and caveats resolved for each Agent version.

Table 2 Release 4.0(x) Compatibility Matrix  

Clean Access Manager
Clean Access Server
Clean Access Agent

4.0.6.1

4.0.6.1

4.0.6.2 1
4.0.6.1 1

4.0(6)

4.0(6)

4.0.6.0

4.0(5) 2, 3

4.0(5) 2, 3

4.0.5.1 4
4.0.5.0 5
4.0.4.0 6
4.0.2.1 7
4.0.2.0 8
4.0.1.0
4.0.0.1
4.0.0.0

4.0(4)

4.0(4)

4.0.3.3 9, 10

4.0.3.3 9, 10

4.0.3.2 11

4.0.3.1 12

4.0.3.1 12

4.0(3) 13

4.0(3) 13

4.0.2.2 14

4.0.2.2 14

4.0.0.1 15

4.0.0.1 15

4.0.2.1 16

4.0(2)

4.0.1.0
4.0.0.1 17
4.0.0.0

4.0(2)

4.0(1) 18 [obsoleted by 4.0(2)]

4.0(1) 18 [obsoleted by 4.0(2)]

4.0(0)

4.0(0)

1 The 4.0.6.1 and later Agents perform authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform remediation on the client machine.

2 Release 4.0(5) is a required upgrade for NAC-3310, NAC-3350, NAC-3390 appliances (MANAGER and SERVER). See Enhancements in Release 4.0(5) and Resolved Caveats - Release 4.0(5) for details.

3 If you are installing new system software from a CD-ROM (rather than performing an upgrade) on a NAC-3310 (both MANAGER and SERVER), you must enter DL140 or serial_DL140 at the "boot:" prompt. For details, see Important Installation Notes for NAC-3310.

4 See Resolved Caveats - Agent Version 4.0.5.1 for resolved caveats. For a new installation of Sophos 5.x and 6.x, the definition date is empty until the first update.

5 4.0.5.0 Agent resolves caveat CSCsh40166. See also Clean Access Agent (4.0.5.0).

6 Releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 are the only 4.0(x) releases that support Windows Vista client operating systems. Clean Access Agent stub is supported on Windows Vista starting from release 4.0(6). See also New Features and Enhancements in Release 4.0(4).

7 4.0.2.1 Agent resolves caveat CSCsg37846.

8 4.0.2.0 Agent is not backward compatible with versions 4.0(0) and 4.0(2) of the CAS. This issue is resolved by CAM/CAS patch releases 4.0.0.1 and 4.0.2.2. See Enhancements in Release 4.0.2.2 and Enhancements in Release 4.0.0.1 for details.

9 Release 4.0.3.3 is available on NAC 3300 series platforms only and cannot be downloaded from Cisco Secure Software. See Enhancements in Release 4.0.3.3 and Resolved Caveats - Release 4.0.3.3 for details.

10 If you purchased a Cisco NAC Appliance 3300 Series platform, you can upgrade from 4.0.3.3 to the latest applicable 4.0(x) release only. You cannot upgrade to release 4.1(0).

11 Patch release 4.0.3.2 is applied to the CAM only. For complete upgrade compatibility details and instructions, see Enhancements in Release 4.0.3.2. For details on resolved caveats, see Resolved Caveats - Release 4.0.3.2.

12 Patch release 4.0.3.1 is an upgrade-only patch for 3.6(x) or 4.0(2) and below systems that replaces the upgrade package for 4.0(3). If you are planning to upgrade from 3.6(x)/4.0(x), then upgrade directly to release 4.0.3.1. If you have already upgraded from 3.6(x)/4.0(x) to 4.0(3), there is no need to apply the 4.0.3.1 patch; however, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1 for compatibility with 4.0.2.0 Agent. See Enhancements in Release 4.0.3.1 for details.

13 Release 4.0(3) is compatible with 4.0.2.0 Agent for new installations or in-place upgrade from 3.5(7)+ only. If you have already upgraded from 3.6(x)/4.0(x) to release 4.0(3) and 4.0.2.0 Agent, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1.

14 Patch release 4.0.2.2 is applied to 4.0.2.1/4.0(2) CAM and 4.0(2) CAS and is required for compatibility with the 4.0.2.0 Agent (released with CAM/CAS 4.0(3)). See Enhancements in Release 4.0.2.2 and Resolved Caveats - Release 4.0.2.2 for details.

15 Patch release 4.0.0.1 is applied to 4.0(0) CAM and CAS and is required for compatibility with the 4.0.2.0 Agent (released with CAM/CAS 4.0(3)). See Enhancements in Release 4.0.0.1 and Resolved Caveats - Release 4.0.0.1 for details.

16 Release 4.0.2.1 is applied to 4.0(2) CAMs only and resolves caveat CSCse99396. See Enhancements in Release 4.0.2.1 for details.

17 4.0.0.1 Agent resolves caveat CSCse64395.

18 Release 4.0(1) is obsoleted and replaced by release 4.0(2). If your system is running 4.0(1) or 3.5(x) or 3.6(x) and you wish to upgrade to release 4.0(x), upgrade to the latest 4.0(x) release directly.


Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix

Table 3, "Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix" shows 4.0(x) CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row. When you upgrade your system software, Cisco recommends you upgrade to the most current release available whenever possible.


Note Release 4.0.3.3 is not available as a software upgrade to customers running 3.5.x/3.6.x/4.0.x systems. It is an appliance-only release and can only be obtained through ordering the Cisco NAC-3310, NAC-3350, or NAC-3390 Appliances. See Enhancements in Release 4.0.3.3 for details.


Table 3 Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix

Footnote numbers are shown in square brackets; the footnotes follow the table.

Current 3.5(x), 3.6(x), and 4.0(x) Release Upgrade Options
  Clean Access Manager: upgrade from 4.0(x), 3.6(x), or 3.5(7)+ [1] to 4.0.6.1 [2, 3, 4]
  Clean Access Server:  upgrade from 4.0(x), 3.6(x), or 3.5(7)+ [1] to 4.0.6.1 [2, 3, 4]

3.5(x), 3.6(x), and 4.0(x) Release Upgrade Options Prior to 4.0(5)
  Clean Access Manager: upgrade from 4.0(x), 3.6(x), or 3.5(7)+ [1] to 4.0(4) [4, 5]
  Clean Access Server:  upgrade from 4.0(x), 3.6(x), or 3.5(7)+ [1] to 4.0(4) [4, 5]

3.5(x), 3.6(x), and 4.0(x) Release Upgrade Options Prior to 4.0(4)
  Clean Access Manager: upgrade from 4.0(0) through 4.0.2.1, or 3.6(x), to 4.0.3.2 [6] or 4.0.3.1 [7]
  Clean Access Server:  upgrade from 4.0(0) or 4.0(2), or 3.6(x), to 4.0.3.1 [7]
  Clean Access Manager: upgrade from 3.5(7)+ [1] to 4.0(3) [8]
  Clean Access Server:  upgrade from 3.5(7)+ [1] to 4.0(3) [8]

4.0(x) Release Upgrade Options Prior to 4.0(3)
  Clean Access Manager: upgrade from 4.0.2.1 [9] or 4.0(2) to 4.0.2.2 [10]
  Clean Access Server:  upgrade from 4.0(2) to 4.0.2.2 [10]

4.0(x) Release Upgrade Options Prior to 4.0(2)
  Clean Access Manager: upgrade from 4.0(0) to 4.0.0.1 [11]
  Clean Access Server:  upgrade from 4.0(0) to 4.0.0.1 [11]

1 To upgrade from 3.5(7) and above, you must use In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines and In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs, as appropriate.

2 Release 4.0(5) is a required upgrade for NAC-3310, NAC-3350, NAC-3390 appliances (CAM and CAS). See Enhancements in Release 4.0(5) and Resolved Caveats - Release 4.0(5) for details.

3 If you purchased a Cisco NAC Appliance 3300 Series platform, you can upgrade from 4.0.3.3 to the latest applicable 4.0(x) release only; you cannot upgrade to release 4.1(0).

4 If you are installing new system software from a CD-ROM (rather than performing an upgrade) on a NAC-3310 (both MANAGER and SERVER), you must enter DL140 or serial_DL140 at the "boot:" prompt. For details, see Important Installation Notes for NAC-3310.

5 Releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 are the only 4.0(x) releases that support Windows Vista client operating systems. Clean Access Agent stub is supported on Windows Vista starting from release 4.0(6). See also New Features and Enhancements in Release 4.0(4) for Windows Vista support details and Resolved Caveats - Release 4.0(4).

6 Patch release 4.0.3.2 is applied to the CAM only. For complete upgrade compatibility details and instructions, see Enhancements in Release 4.0.3.2. For details on resolved caveats, see Resolved Caveats - Release 4.0.3.2.

7 Patch release 4.0.3.1 is an upgrade-only patch for systems running release 3.6(x) or 4.0(x) releases prior to 4.0(3) that replaces the upgrade package for 4.0(3). If you are planning to upgrade from 3.6(x)/4.0(x), then upgrade directly to release 4.0.3.1. If you have already upgraded from 3.6(x)/4.0(x) to 4.0(3), there is no need to apply the 4.0.3.1 patch; however, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1 for compatibility with 4.0.2.0 Agent. See Enhancements in Release 4.0.3.1 for details.

8 Release 4.0(3) is compatible with 4.0.2.0 Agent for new installations or in-place upgrade from 3.5(7)+ only. If you have already upgraded from 3.6(x)/4.0(x) to release 4.0(3) and 4.0.2.0 Agent, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1.

9 Release 4.0.2.1 is applied to 4.0(2) CAMs only and resolves caveat CSCse99396. See Enhancements in Release 4.0.2.1 for details.

10 Patch release 4.0.2.2 is applied to 4.0.2.1 or 4.0(2) CAM and 4.0(2) CAS and is required for compatibility with the 4.0.2.0 Agent. See Enhancements in Release 4.0.2.2 and Resolved Caveats - Release 4.0.2.2 for details.

11 Patch release 4.0.0.1 is applied to 4.0(0) CAM and CAS and is required for compatibility with the 4.0.2.0 Agent. See Enhancements in Release 4.0.0.1 and Resolved Caveats - Release 4.0.0.1 for details.



Release 4.0(x) Agent Upgrade Compatibility Matrix

Table 4, "Release 4.0.x.x Agent Upgrade Compatibility Matrix" shows Clean Access Agent upgrade compatibility when upgrading existing versions of the Agent after 4.0(x) CAM/CAS upgrade. Except where noted, you can auto-upgrade any 3.5.1+ Agent directly to the latest 4.0.x.x Agent.

Table 4 Release 4.0.x.x Agent Upgrade Compatibility Matrix

Clean Access Manager
Clean Access Server
Clean Access Agent 1
Upgrade From:
To Latest Compatible Version: 2

4.0.6.1 3

4.0.6.1 3

4.0.6.1 3
4.0.6.0
4.0.5.1
4.0.5.0
4.0.4.0 7
4.0.2.1 4
4.0.2.0 5, 6
4.0.1.0
4.0.0.1
4.0.0.0
3.6.x.x
3.5.1 and above

4.0.6.2 3

4.0(6)

4.0(6)

4.0(5)

4.0(5)

4.0(4) 7

4.0(4) 7

4.0.3.3 8

4.0.3.3

4.0.2.0
4.0.1.0
4.0.0.1
4.0.0.0
3.6.x.x
3.5.1 and above

4.0.2.1

4.0.3.2 9

4.0.3.1 10

4.0.3.1 10

4.0(3) 11

4.0(3) 11

4.0.2.2

4.0.2.2

4.0.0.1

4.0.0.1

4.0.2.1
4.0(2)

4.0(2)

4.0.0.1
4.0.0.0
3.6.x.x
3.5.1 and above

4.0.1.0

4.0(0)

4.0(0)

1 For checks/rules/requirements, the Agent can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.

2 Agent versions are not supported across major releases. Do not use 4.0.x.x Agents with 3.6(x) or prior releases. However, auto-upgrade is supported from any 3.5.1 or above Agent directly to the latest 4.x.x.x Agent. See Clean Access Agent Version Summary for further details.

3 The 4.0.6.1 and later Agents perform authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform remediation on the client machine.

4 4.0.2.1 Agent resolves caveat CSCsg37846.

5 If you have already upgraded from 3.6(x)/4.0(x) to CAM/CAS release 4.0(3) and 4.0.2.0 Agent, you must download the CCAAgentUpgrade-4.0.2.0.tar.gz from Cisco Secure Downloads and upload it to the CAM via Device Management > Clean Access > Clean Access Agent > Distribution. See Clean Access Agent (4.0.2.0) for details.

6 4.0.2.0 Agent is not backward compatible with versions 4.0(0) and 4.0(2) of the CAS. This issue is resolved by CAM/CAS patch releases 4.0.0.1 and 4.0.2.1. See Enhancements in Release 4.0.2.2 and Enhancements in Release 4.0.0.1 for details.

7 Releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 are the only 4.0(x) releases that support Windows Vista client operating systems. Clean Access Agent stub is supported on Windows Vista starting from release 4.0(6). See also New Features and Enhancements in Release 4.0(4). Upgrade to 4.0.4.0 is not otherwise required for non-Vista client PCs.

8 Release 4.0.3.3 is available on NAC 3300 hardware platforms only and cannot be downloaded from Cisco Secure Software. See Enhancements in Release 4.0.3.3 and Resolved Caveats - Release 4.0.3.3 for details.

9 Patch release 4.0.3.2 is applied to the CAM only. For complete upgrade compatibility details and instructions, see Enhancements in Release 4.0.3.2. For details on resolved caveats, see Resolved Caveats - Release 4.0.3.2.

10 Patch release 4.0.3.1 is an upgrade-only patch for 3.6(x) or 4.0(2) and below systems that replaces the upgrade package for 4.0(3). Upgrading from 3.6(x)/4.0(x) to release 4.0.3.1 provides compatibility with the 4.0.2.0 Agent. See Enhancements in Release 4.0.3.1 for details.

11 Release 4.0(3) is compatible with 4.0.2.0 Agent for new installations or in-place upgrade from 3.5(7)+ only. If you have already upgraded from 3.6(x)/4.0(x) to release 4.0(3) and 4.0.2.0 Agent, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1.


Determining the Software Version

There are several ways to determine the version of software running on your Clean Access Manager (CAM), Clean Access Server (CAS), or Clean Access Agent, as described below.

Clean Access Manager (CAM) Version

Clean Access Server (CAS) Version

Clean Access Agent Versioning

Cisco Clean Access Updates Versioning

Clean Access Manager (CAM) Version

The top of the CAM web console displays the software version installed. Starting from release 4.0(4), after you add the CAM license, the top of the CAM web console displays the license type (Lite, Standard, Super). Additionally, the Administration > CCA Manager > Licensing page displays the types of licenses present after they are added.

The software version is also displayed as follows:

From the CAM web console, go to Administration > CCA Manager > System Upgrade | Current Version

SSH to the machine and type: cat /perfigo/build

Clean Access Server (CAS) Version

From the CAM web console, go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Misc > Update | Current Version

Or, from CAS direct access console, go to: Administration > Software Update | Current Version
(CAS direct console is accessed via https://<CAS_eth0_IP>/admin)

Or, SSH to the machine and type: cat /perfigo/build


Note If configuring High Availability CAM or CAS pairs, see also Access Web Consoles for High Availability for additional information.


Clean Access Agent Versioning

On the CAM web console, you can determine Clean Access Agent versioning from the following pages:

Monitoring > Summary (Setup and Patch Version)

Device Management > Clean Access > Clean Access Agent > Distribution (Setup and Patch Version)

Device Management > Clean Access > Clean Access Agent > Updates (Patch Version; see also Cisco Clean Access Updates Versioning)

Device Management > Clean Access > Clean Access Agent > Reports | View (individual report shows username, OS, Agent version, client AV/AS version)

From the Clean Access Agent itself on the client machine, you can view the following information from the Agent taskbar menu icon:

Right-click About to view the Agent version.

Right-click Properties to view AV/AS version information for any AV/AS software installed, and the Discovery Host (used for L3 deployments)

Cisco Clean Access Updates Versioning

To view the latest version of Updates downloaded to your CAM, including Cisco Checks & Rules, CCA Agent Upgrade Patch, Supported AV/AS Product List, go to Device Management > Clean Access > Clean Access Agent > Updates on the CAM web console. See Clean Access Supported AV/AS Product List and Cisco Pre-Configured Rules ("pr_") for additional details.

New and Changed Information

This section describes any new features or enhancements added to the following releases of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.

Enhancements in Release 4.0.6.1

Enhancements in Release 4.0(6)

Enhancements in Release 4.0(5)

New Features and Enhancements in Release 4.0(4)

Enhancements in Release 4.0.3.3

Enhancements in Release 4.0.3.2

Enhancements in Release 4.0.3.1

Enhancements in Release 4.0(3)

Enhancements in Release 4.0.2.2

Enhancements in Release 4.0.2.1

Enhancements in Release 4.0(2)

New Features and Enhancements in Release 4.0(1)

Enhancements in Release 4.0.0.1

New Features and Enhancements in Release 4.0(0)

For additional details, see also:

Clean Access Supported AV/AS Product List

Clean Access Agent Version Summary

Caveats

Known Issues for Cisco NAC Appliance

Enhancements in Release 4.0.6.1

Release 4.0.6.1 is a general and important bug fix release for the Clean Access Manager, Clean Access Server, and Clean Access Agent that addresses the caveats described in Resolved Caveats - Release 4.0(6) and provides the enhancements listed below. No new features are added.

Clean Access Agent (4.0.6.2)

Clean Access Agent (4.0.6.1)

Supported AV/AS Product List Enhancements

Release 4.0.6.1 is provided as both an upgrade.tar.gz file and ISO file for new CD installations.


Note Release 4.0.6.1 does not support and cannot be installed on the Cisco NAC Network Module (NME-NAC-K9).


For upgrade instructions refer to Upgrading to 4.0(x).

Clean Access Agent (4.0.6.2)

Release 4.0.6.2 is a bug fix release for the Clean Access Agent that addresses the caveats described in Resolved Caveats - Agent Version 4.0.6.2 and provides additional AV/AS product support as detailed in Clean Access Agent Version Summary.


Note The 4.0.6.2 Agent performs authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform remediation on the client machine.


Clean Access Agent (4.0.6.1)

Release 4.0.6.1 introduces a Clean Access Agent that performs authentication on 64-bit client operating systems (i.e., Windows Vista and Windows XP) and provides additional AV/AS product support as detailed in Supported AV/AS Product List Enhancements and Clean Access Agent Version Summary.


Note The 4.0.6.1 Agent performs authentication only for 64-bit Windows Vista and Windows XP client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1. Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform remediation on the client machine.


Supported AV/AS Product List Enhancements

Version 66 of the Supported AV/AS Product List and 4.0.6.2 Agent add AV/AS product support as described in Clean Access Supported AV/AS Product List.

Version 64 of the Supported AV/AS Product List and the 4.0.6.1 Agent added AV/AS product support; see Supported AV/AS Product List Version Summary for a list of AV/AS product support changes/additions.

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

Enhancements in Release 4.0(6)

This section details the enhancements delivered with Cisco NAC Appliance release 4.0(6).

Release 4.0(6) is a general and important bug fix release for Cisco NAC Appliance 3300 Series platforms that addresses the caveats described in Resolved Caveats - Release 4.0(6) and provides the enhancements listed below. No new features are added.

Debug Log Download Enhancement

Syslog Configuration Enhancement

Clean Access Agent (4.0.6.0)

Supported AV/AS Product List Enhancements (Version 63)


Note Release 4.0(6) does not support and cannot be installed on the Cisco NAC Network Module (NME-NAC-K9).


Debug Log Download Enhancement

Beginning with release 4.0(6), you can now specify the number of days of collected debug logs to download in order to aid troubleshooting efforts when working with Cisco technical support. The default setting is one week (7 days). Previously, debug logs included all recorded log entries in the CAM/CAS database.

This enhancement adds a new field, "Download technical support logs for the last [] days" to the following web console pages:

CAM web console: Administration > Clean Access Manager > Support Logs

CAS web console: Monitoring > Support Logs

Syslog Configuration Enhancement

Release 4.0(6) features a Syslog Settings page configuration enhancement allowing you to specify the Syslog Facility setting for a designated Syslog server where you direct Syslog messages originating from the CAM. You can use the default "User-Level" facility type, or you can assign any of the "local use" Syslog facility types defined in the Syslog RFC ("Local use 0" to "Local use 7"). This feature gives you the ability to differentiate Cisco NAC Appliance Syslog messages from "User-Level" Syslog entries you may already generate and direct to your Syslog server from other network components.

This enhancement affects the following page of the CAM web console:

Monitoring > Event Logs > Syslog Settings | new Syslog Facility dropdown menu and options
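The facility setting above changes only the facility number encoded in each message's PRI field (PRI = facility * 8 + severity, with "Local use N" = 16 + N). The following added example, which is not Cisco code, shows what a collector can do with that: decode PRI and separate entries arriving on the facility reserved for the CAM from the "User-Level" entries other hosts send. The sample lines and the host names in them are constructed.

```python
import re
from collections import defaultdict

# Facility codes from the syslog RFCs: 1 = User-Level, 16..23 = Local use 0..7.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
                  18: "local2", 19: "local3", 20: "local4", 21: "local5",
                  22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$", re.DOTALL)


def decode_pri(line):
    """Split a syslog line into (facility_name, severity_name, message).

    Returns None for a line without a well-formed PRI or with a value above
    191 (local7.debug), which a collector should treat as malformed rather
    than guess at.
    """
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return (FACILITY_NAMES.get(facility, f"facility{facility}"),
            SEVERITY_NAMES[severity], m.group(2).strip())


def route_by_facility(lines, nac_facility="local3"):
    """Bucket lines into "nac" (the facility assigned to the CAM), "other"
    and "malformed". nac_facility is the name of the Local use facility
    chosen on the CAM's Syslog Settings page (assumed here to be local3).
    """
    buckets = defaultdict(list)
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            buckets["malformed"].append(line)
            continue
        facility, severity, message = decoded
        key = "nac" if facility == nac_facility else "other"
        buckets[key].append((facility, severity, message))
    return dict(buckets)


# Constructed sample input (not real CAM output): local3.info = 19*8+6 = 158,
# user.info = 1*8+6 = 14, user.warning = 1*8+4 = 12, plus two malformed lines.
SAMPLE_LINES = [
    "<158>Jun  5 10:15:02 cam-01 nac: constructed CAM event 1",
    "<14>Jun  5 10:15:03 fileserver sshd: constructed user-level entry",
    "<158>Jun  5 10:15:04 cam-01 nac: constructed CAM event 2",
    "<12>Jun  5 10:15:05 printer cups: constructed user-level warning",
    "<999>Jun  5 10:15:06 bogus: PRI out of range",
    "no PRI at all",
]

if __name__ == "__main__":
    routed = route_by_facility(SAMPLE_LINES, nac_facility="local3")
    for bucket, entries in routed.items():
        print(f"{bucket}: {len(entries)} line(s)")
```

Running the same lines with nac_facility="user" (the CAM default) puts the CAM and fileserver entries in one bucket, which is the ambiguity the Local use setting removes.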

Clean Access Agent (4.0.6.0)

Version 4.0.6.0 of the Clean Access Agent:

Adds support for stub installer on Windows Vista operating system.


Note When non-admin users install/uninstall the Agent through stub service on Windows Vista, they will see an "Interactive Services Dialog Detection" dialog. If the user is installing, no input is required in the dialog session—it will automatically disappear. If the client machine is fast, the user may not even see the dialog appear at all, so the resulting behavior is as if the Agent gets silently installed after a few seconds. When uninstalling, however, the uninstall process does not complete until the user responds to a prompt inside the dialog.

This is expected behavior because, unlike earlier Windows operating systems, Windows Vista services run in an isolated session (session 0) from user sessions, and thus do not have access to video drivers. As a workaround for interactive services like the Agent stub installer, Windows Vista uses an Interactive Service Detection Service to prompt users for user input for interactive services and enable access to dialogs created by interactive services. The "Interactive Service Detection Service" will automatically launch by default and, in most cases, users are not required to do anything. If the service is disabled for some reason, however, Agent installation by non-admin users will not function.


For more information on the stub installer and its behavior, see Support for Stub Installation/Update of the Clean Access Agent. See also Known Issue with MSI Agent Installer File Name.

Provides additional AV/AS product support as detailed in Supported AV/AS Product List Enhancements (Version 63).

For additional details, see Clean Access Agent Version Summary.

Supported AV/AS Product List Enhancements (Version 63)

See Supported AV/AS Product List Version Summary for a list of AV/AS product support changes/additions.

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

Enhancements in Release 4.0(5)

Release 4.0(5) is a general and important bug fix release and patch for Cisco NAC Appliance 3300 Series platforms that addresses the caveats described in Resolved Caveats - Release 4.0(5). No new features are added.

Cisco NAC-3300 series appliance customers planning to connect appliances for HA (failover) using a serial cable deployment option must refer to New Installation of Release 4.0(x).

NAC-3310 customers must refer to Important Installation Notes for NAC-3310 and Known Issues with HP ProLiant DL140 G3 Servers.

Release 4.0(5) is a required upgrade for NAC-3310, NAC-3350, and NAC-3390 appliances (MANAGER or SERVER) only. For upgrade instructions, refer to Upgrading to 4.0(x).

CD installation of release 4.0(5) is supported. The cca-4.0_5-K9.iso file is required for new CD installation of the Clean Access Server or Clean Access Manager on the NAC-3310 and NAC-3350 platforms. A separate ISO file, Super CAM-cca-4.0_5-K9.iso is required for CD installation of the Clean Access Super Manager on the NAC-3390 platform.

Clean Access Manager 4.0(5) is bundled with Clean Access Agent 4.0.4.0.


For additional details, see:

Important Installation Notes for NAC-3310

Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix

Resolved Caveats - Release 4.0(5)

Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)


Warning Web upgrade is NOT supported for software upgrade of HA-CAM pairs. Upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.


Enhancements

Clean Access Agent (4.0.5.1)

Clean Access Agent (4.0.5.0)

Supported AV/AS Product List Enhancements

Important Installation Notes for NAC-3310

NAC-3310 Required BIOS/Firmware Upgrade

NAC-3310 Required DL140 or serial_DL140 CD Installation Directive

NAC-3310 Required BIOS/Firmware Upgrade

The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Known Issues with HP ProLiant DL140 G3 Servers for detailed instructions.

NAC-3310 Required DL140 or serial_DL140 CD Installation Directive

The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM. For more information, refer to Known Issue with NAC-3310 CD Installation.

Clean Access Agent (4.0.5.1)

Version 4.0.5.1 of the Clean Access Agent includes fixes for caveats and new AV/AS product support. For more information, see Resolved Caveats - Agent Version 4.0.5.1 and Clean Access Supported AV/AS Product List.

Clean Access Agent (4.0.5.0)

Version 4.0.5.0 of the Clean Access Agent:

Resolves caveat CSCsh40166

Provides additional AV/AS product support as detailed in Supported AV/AS Product List Enhancements.

For additional details, see Clean Access Agent Version Summary.

Supported AV/AS Product List Enhancements

Version 59 of the Supported AV/AS Product List and 4.0.5.1 Agent add AV/AS product support as listed in Clean Access Supported AV/AS Product List.

Version 55 of the Supported AV/AS Product List and 4.0.5.0 Agent added AV/AS product support. See Supported AV/AS Product List Version Summary.

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

New Features and Enhancements in Release 4.0(4)

This section details the new features and enhancements delivered with Cisco NAC Appliance release 4.0(4) for the Clean Access Manager and Clean Access Server.

New Features

Support for Windows Vista Operating System

Enhancements

License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers

Improved Memory Footprint for Clean Access Agent Reports

Broadcast ARP Server Management Option Removed

Kernel Upgrade

Clean Access Agent (4.0.4.0)

Supported AV/AS Product List Enhancements (Version 47)

Support for Windows Vista Operating System

Release 4.0(4) adds the following new Clean Access Agent configuration support for Windows Vista operating systems:

Full Clean Access Agent support for Windows Vista operating systems: Windows Vista Home, Windows Vista Business, Windows Vista Ultimate, and Windows Vista Enterprise.

Administrators can now configure Agent checks/rules/requirements and hotfixes for Windows Vista with release 4.0(4) and version 4.0.4.0 of the Agent.


Note When a Windows Vista user attempts to access the system with Internet Explorer 7 running in "protected mode," an error message appears explaining that the CAS IP address/domain name is NOT in the list of IE's Trusted sites and prompts the user to add it. This is because IE 7 enables by default the "Check for server certificate revocation" option. To resolve this issue, refer to Agent Error: "Network Error SSL Certificate Rev Failed 12057".


This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > Clean Access Agent > [Rules/Requirements/Reports] now feature Operating System checkboxes/dropdown menus for the Windows Vista operating system, including Windows Vista (All), Vista Home Basic, Vista Home Premium, Vista Business, Vista Ultimate, and Vista Enterprise.

License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers

In release 4.0(4), the CAM web console now differentiates the three Cisco Clean Access Manager license types:

The Clean Access Lite Manager option is designed for small installations featuring no more than 3 associated Clean Access Servers (or 3 HA-CAS pairs).

The Clean Access Standard Manager option allows you to install, configure, and manage the traditional 20 Clean Access Servers (or 20 HA-CAS pairs) under a single Clean Access Manager.

The new Clean Access Super Manager license option accompanies the new Cisco NAC-3390 Super CAM appliance available from Cisco Systems. A Super CAM enables you to connect and manage as many as 40 Clean Access Servers (or 40 HA-CAS pairs).

Administrators still acquire license files and enable them using the same method as in previous releases, but the Clean Access Manager web user interface displays more specific license parameters in the Administration > CCA Manager > Licensing window.

For more specific information on Cisco NAC Appliance licensing via the FlexLM licensing tool, see the Cisco NAC Appliance Service Contract/Licensing Support.

Improved Memory Footprint for Clean Access Agent Reports

The Clean Access Manager web console now uses less memory for Agent reports. The default number of maximum reports has been decreased from 30,000 to 20,000. (The allowable range—100 to 200,000—remains unchanged.)

This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > Clean Access Agent > Reports.

Broadcast ARP Server Management Option Removed

The Clean Access Manager web console no longer offers the "Continuously broadcast gratuitous ARP with VLAN ID" Clean Access Server management option.

This enhancement affects the following page of the CAM web console:

Device Management > CCA Servers > Manage [CAS_IP] > Advanced > ARP.

Kernel Upgrade

CAM/CAS release 4.0.3.3 and above support the 2.6.11 SP2 kernel and associated NIC card drivers. The kernel upgrade featured in release 4.0(4) supports additional hardware capabilities required for the Cisco NAC Appliance 3390 Series.

Clean Access Agent (4.0.4.0)

Version 4.0.4.0 of the Clean Access Agent supports users running the Windows Vista operating system.


Note Only 4.0(x) releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 support Windows Vista client operating systems.


For additional details, see Clean Access Agent Version Summary.

Supported AV/AS Product List Enhancements (Version 47)

The Supported AV/AS Product List remains at version 47 for release 4.0(4).

See Supported AV/AS Product List Version Summary for details on what is new for this version update to the list.

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

Enhancements in Release 4.0.3.3

Release 4.0.3.3 is an appliance-only release that is pre-installed on Cisco NAC Appliance 3300 Series hardware platforms only.

Release 4.0.3.3 provides additional hardware support for the Cisco NAC Appliance 3310, 3350 and 3390, and resolves some important caveats. No new features are added.


Note Release 4.0.3.3 is not available as a software upgrade to customers running 3.5.x/3.6.x/4.0.x systems. It is an appliance-only release that can only be obtained through ordering the Cisco NAC Appliance 3310, NAC Appliance 3350, or NAC Appliance 3390 hardware platforms.


Enhancement

Daylight Savings Time Support

Daylight Savings Time Support

Release 4.0.3.3 and above support the Daylight Savings Time (DST) change to March (second Sunday) and November (first Sunday) starting in 2007. Prior to 2007, DST started in April (first Sunday) and ended in October (last Sunday). See also CSCsg44268 for details.


Note For more information, see U.S. Daylight Saving Time (DST) Changes for 2007 and CSCsg44268 Bug Details.


For additional details, see:

Release 4.0(x) Compatibility Matrix

Resolved Caveats - Release 4.0.3.3

Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)

Enhancements in Release 4.0.3.2

Release 4.0.3.2 is a general and important bug fix release and patch for the Clean Access Manager (CAM) only that resolves the caveats described in Resolved Caveats - Release 4.0.3.2. No new features are added.


Note The 4.0.3.2 patch is a mandatory patch applied to the Clean Access Manager only.

The 4.0.3.2 patch can only be applied to 4.0(3) or 4.0.3.1 systems.

If your system is running 4.0.3.1, you can apply the 4.0.3.2 patch directly.

If you upgraded to 4.0(3) from 4.0.2.2, 4.0.2.1, 4.0(2), 4.0.0.1, or 4.0(0), your system is affected by the caveats described in Resolved Caveats - Release 4.0.3.1 and you must apply the workaround procedures detailed in that section before applying the 4.0.3.2 patch. Refer to Enhancements in Release 4.0.3.1 for complete details.

If you upgraded to 4.0(3) from 3.5(x) using the in-place CD-based upgrade procedure, you can apply the 4.0.3.2 patch directly.

The 4.0.3.2 patch includes a script to update all the existing ARP entries on your CAM to ensure that only the right ARP entries are present.


See the following sections:

Upgrade Instructions for 4.0.3.2

Clean Access Agent (4.0.2.1)

Resolved Caveats - Release 4.0.3.2

See also Software Compatibility Matrixes for additional details.

Upgrade Instructions for 4.0.3.2

To upgrade your CAM to 4.0.3.2, perform the following steps.


Step 1 Download the cam_upgrade-4.0.3.2.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.3 folder.

Step 2 If your system is running either 4.0.3.1, or 4.0(3) after an in-place CD upgrade from 3.5(x), apply the 4.0.3.2 patch to the CAM using one of the following procedures. Carefully follow the instructions to upgrade the CAM:

Upgrade CAM from CAM Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)

Step 3 If running 4.0(3) on a system that was upgraded from 4.0.2.2, 4.0.2.1, 4.0(2), 4.0.0.1, or 4.0(0) to 4.0(3), you must first perform the workarounds described in Resolved Caveats - Release 4.0.3.1 before applying the 4.0.3.2 patch as described in Step 2 above.

Step 4 After the CAM has been upgraded to 4.0.3.2, access the console for each attached Clean Access Server (CAS) and perform service perfigo restart. (Or you can perform service perfigo reboot if preferred.) For a CAS HA-pair, it is sufficient to perform service perfigo restart on the currently active CAS.


Clean Access Agent (4.0.2.1)

Version 4.0.2.1 of the Clean Access Agent resolves caveat CSCsg37846 (Trend Micro AV does not allow auto-update to be launched). Cisco recommends you upgrade clients using Trend Micro AV products to version 4.0.2.1 of the Clean Access Agent.

For additional details, see Clean Access Agent Version Summary.

Enhancements in Release 4.0.3.1

Patch release 4.0.3.1 is an important upgrade-only patch for 4.0(x) and 3.6(x) systems that replaces the upgrade package for 4.0(3). Patch release 4.0.3.1 is applied to the Clean Access Manager (CAM) and Clean Access Server (CAS). Patch 4.0.3.1 resolves caveats CSCsf24570 and CSCsf24583. No new features are added.


Note The 4.0.3.1 patch upgrade must be applied to both the CAS and the CAM.

If planning to upgrade your CAM/CAS which is on 3.6(0), 3.6(1), 3.6(2), 3.6(3), 3.6(4), 4.0(0), or 4.0(2), you must upgrade your system directly to release 4.0.3.1. Do NOT upgrade these systems to release 4.0(3). 4.0.3.1 is an upgrade-package patch which only affects the upgrade package used for web/SSH upgrades. The 4.0.3.1 upgrade package should be used and is effective only for upgrades from 3.6(x) or 4.0(2) and below. See Upgrade Instructions for 4.0.3.1 for upgrade steps.

If you are planning to upgrade your CAM/CAS which is on 3.5(7), 3.5(8), 3.5(9), 3.5(10), 3.5(11), you must use the "In-Place upgrade" procedure which requires a CD. In this case, perform In-Place upgrade to release 4.0(3) (using the 4.0(3) ISO file CD). You do not need to apply the 4.0.3.1 upgrade patch if you are performing In-Place upgrade. See Upgrading to 4.0(x) for in-place upgrade instructions for standalone and HA systems.

If you have already upgraded to 4.0(3) from 3.6(x) or 4.0(x) using the 4.0(3) upgrade package, you must apply the workarounds described in Resolved Caveats - Release 4.0.3.1 for compatibility with the 4.0.2.0 Agent, and to reconfigure any previous DHCP global options. The 4.0.3.1 upgrade package is not intended for nor will it have any effect on 3.6(x)/4.0(x) systems that have already been upgraded to 4.0(3). See Resolved Caveats - Release 4.0.3.1 for details.


See the following sections:

Upgrade Instructions for 4.0.3.1

Resolved Caveats - Release 4.0.3.1

See also Software Compatibility Matrixes for additional details.

Upgrade Instructions for 4.0.3.1

To upgrade your CAM/CAS from 3.6(x) or 4.0(2) and below to 4.0.3.1, perform the following steps.


Step 1 Download the cca_upgrade-4.0.3.1.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.3 folder.

Step 2 Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:

Upgrade CAS from CAS Management Pages, or

Upgrade CAS from CAS Direct Access Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)

Step 3 Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:

Upgrade CAM from CAM Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)


Enhancements in Release 4.0(3)

This section details the enhancements delivered with Cisco NAC Appliance release 4.0(3) for the Clean Access Manager and Clean Access Server.

Enhancements

Support for Windows XP Media Center Edition (MCE)/Tablet PC Operating Systems

New "pr_" Rules for MCE/Tablet PC Hotfixes

Restricted Network Access Option for Clean Access Agent Users

Clean Access Agent (4.0.2.0)

Supported AV/AS Product List Enhancements (Version 44)

For additional details see also Resolved Caveats - Release 4.0(3).

If performing a new installation, see New Installation of Release 4.0(x). If upgrading to this release refer to Upgrading to 4.0(x).

Support for Windows XP Media Center Edition (MCE)/Tablet PC Operating Systems

Release 4.0(3) adds the following new Clean Access Agent configuration support for Windows XP operating systems:

Full Clean Access Agent support for Windows XP Media Center Edition and Tablet PC operating systems. Administrators can now configure Agent checks/rules/requirements and hotfixes for XP MCE or XP Tablet PC with release 4.0(3)+ and version 4.0.2.0+ of the Agent.

New OS categories for Windows XP: Windows XP (All) and Windows XP Pro/Home.


Note All Clean Access Agent checks/rules/requirements previously configured as Windows XP are treated as Windows XP (All) family from release 4.0(3) and above.


Note that changing from Windows XP to the newer and more specific designations (e.g., Windows XP Pro/Home, Windows XP Media Center, and Windows XP Tablet PC) requires manual reconfiguration of previous checks/rules/requirements.


Note Windows XP MCE/Tablet PC operating systems are included as part of the Windows XP family for all configuration pages that are not under the Clean Access Agent tab. This includes Network Scanner tab, General Setup | Web Login, and Login Page configuration pages. For web login users only, the MCE/Tablet PC OS will display as "Windows XP" under Monitoring > Online Users > View Online Users.


This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > Clean Access Agent > [Rules/Requirements/Reports] (all Operating System checkboxes/dropdown menus formerly for Windows XP only are now expanded to Windows XP (All), Windows XP Pro/Home, Windows XP Media Center, and Windows XP Tablet PC)

New "pr_" Rules for MCE/Tablet PC Hotfixes

Release 4.0(3) (with the latest version of the Cisco Updates ruleset) adds two additional pre-configured rules ("pr_") to incorporate hotfixes for Windows XP Media Center Edition and Tablet PC operating systems. The new rules are pr_XP_MCE_Hotfixes and pr_XP_TabletPC_Hotfixes. Mapping these rules to your Clean Access Agent requirements will enable you to ensure that Agent users have the appropriate hotfixes installed for these operating systems.


Note Make sure to perform an Update or Clean Update on your CAM to obtain the new rules.


See Cisco Pre-Configured Rules ("pr_") for additional information on "pr_" rules.

This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > Clean Access Agent > Rules > Rule List (new rules pr_XP_MCE_Hotfixes and pr_XP_TabletPC_Hotfixes)

Device Management > Clean Access > Clean Access Agent > Rules > Check List (various new hotfix "pc_" checks that are mapped to the new pr_ rules)

Restricted Network Access Option for Clean Access Agent Users

Release 4.0(3) provides administrators the ability to allow restricted network access to users when they cannot download and install the Clean Access Agent themselves, due to lack of permissions on the machine or for guest access purposes.

This enhancement is intended to aid guests or partners in a corporate environment to get access to the network even if their original role requires use of the Agent.

The restricted network access option can only be configured when the "Require use of the Clean Access Agent" checkbox is enabled, and the option allows you to configure the user role to which these users will be assigned in addition to the button and text presented. When the user performs initial web login and is redirected to download the Agent, the "Restricted Network Access" text and button will appear below the "Download Clean Access Agent" button on the page if this option is enabled in the CAM web console. If the user is not able to download the Clean Access Agent, the user can click "Get Restricted Network Access" to gain the access permitted by the assigned role through the same browser page.

Restricted network access users appear on the In-Band Online Users List denoted by blue shading. Restricted network access users do not appear on the Certified List (since they have not met posture assessment requirements).

This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > General Setup (this page is now split into Web Login and Agent Login configuration forms)

Device Management > Clean Access > General Setup | Agent Login | "Allow restricted network access in case user cannot use Clean Access Agent" (new checkbox/configurable text/button fields)

Device Management > Monitoring > Online Users > View Online Users > In-Band (displays restricted network access users with blue shading)

In addition, the Download Clean Access Agent user page will now display a new Get Restricted Network Access button/text if the restricted network access option is configured for Agent users.

Clean Access Agent (4.0.2.0)

Release 4.0(3) and the 4.0.2.0 Agent provide full support for Windows XP Media Center Edition (MCE) or Windows XP Tablet PC machines. Users on these operating systems can download/install the Agent and administrators can configure checks/rules/requirements and hotfixes specific to XP Pro/Home, XP MCE, XP Tablet PC or XP All.

Note that Clean Access Agent checks/rules/requirements previously configured as Windows XP are treated as Windows XP (All) family from release 4.0(3) and above.


Note Agent 4.0.2.0 is compatible with CAM/CAS release 4.0.3.1, 4.0(3) (new install or in-place upgrade only), 4.0.2.2 and 4.0.0.1. See Enhancements in Release 4.0.3.1 and Software Compatibility Matrixes for further details.

If you have upgraded from release 3.6(x)/4.0(x) to release 4.0(3)/4.0.2.0 Agent, you must download the CCAAgentUpgrade-4.0.2.0.tar.gz file from Cisco Secure Downloads and upload it to the CAM via Device Management > Clean Access > Clean Access Agent > Distribution to allow the CAS to distribute it to users.



Note Because version 4.0.1.0 of the Agent (by design) automatically bypasses WinXP Agent checks/hotfixes for Windows MCE/Tablet PC systems, with upgrade to CAM/CAS release 4.0.3.1/4.0(3), Cisco recommends you upgrade 4.0.1.0 Agents to 4.0.2.0.


Version 4.0.2.0 of the Agent now provides support for IE 7 Beta 3.


Note Support for any future IE 7 releases will only be added after testing and certification has been performed on those releases.


For additional details, see Clean Access Agent Version Summary.

Supported AV/AS Product List Enhancements (Version 44)

The Supported AV/AS Product List remains at version 44 for release 4.0(3).

See Supported AV/AS Product List Version Summary for details on what is new for this version update to the list.

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

Enhancements in Release 4.0.2.2

Release 4.0.2.2 is a general and important bug fix release and patch for the Clean Access Manager (CAM) and Clean Access Server (CAS) that resolves caveats CSCsf22777 and CSCsf22786. No new features are added.


Note The 4.0.2.2 patch is applied to both the CAM and CAS.

The 4.0.2.2 patch is applied to 4.0.2.1 or 4.0(2) CAM and 4.0(2) CAS.

Patch release 4.0.2.2 is required for compatibility with the 4.0.2.0 Agent (released with CAM/CAS 4.0(3)).

If you have not deployed or do not want to deploy the 4.0.2.0 Agent, you do not need to upgrade your CAM/CAS to the 4.0.2.2 patch.


See the following sections:

Upgrade Instructions for 4.0.2.2

Resolved Caveats - Release 4.0.2.2

See also Software Compatibility Matrixes for additional details.

Upgrade Instructions for 4.0.2.2

To upgrade your 4.0.2.1 or 4.0(2) Clean Access Manager and 4.0(2) Clean Access Server, execute the following update procedure steps.


Step 1 Download the cca_upgrade-4.0.2.2.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.2 folder.

Step 2 Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:

Upgrade CAS from CAS Management Pages, or

Upgrade CAS from CAS Direct Access Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)

Step 3 Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:

Upgrade CAM from CAM Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)


Enhancements in Release 4.0.2.1

Release 4.0.2.1 is a general and important bug fix release and patch for the Clean Access Manager that resolves caveat CSCse99396. No new features are added.


Note The 4.0.2.1 patch is a mandatory upgrade for all 4.0(2) systems. All customers on 4.0(2) should apply this patch.

The 4.0.2.1 patch is applied to the Clean Access Manager (CAM) only.

You can only apply the 4.0.2.1 patch to 4.0(2) systems. There is no ISO CD for the 4.0.2.1 patch. If running a prior release, you must upgrade to 4.0(2) first before applying the 4.0.2.1 patch.


Information for the 4.0(2) patch is in the following sections:

Upgrade Instructions for 4.0.2.2

Resolved Caveats - Release 4.0.2.2

Upgrade Instructions for 4.0.2.1

To upgrade your 4.0(2) Clean Access Manager, execute the following update procedure steps.


Step 1 Download the cam-4.0.2-to-4.0.2.1-upgrade.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.2 folder.

Step 2 Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:

Upgrade CAS from CAS Management Pages, or

Upgrade CAS from CAS Direct Access Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)

Step 3 Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:

Upgrade CAM from CAM Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)


Enhancements in Release 4.0(2)

Release 4.0(2) is a general and important bug fix patch and release for the Clean Access Manager and Clean Access Server. No new features are added.


Note Release 4.0(2) obsoletes release 4.0(1) and incorporates all 4.0(1) features.

Release 4.0(2) is a mandatory upgrade for all 4.0(0) and 4.0(1) systems. All customers on 4.0(0) or above should upgrade to 4.0(2).

The 4.0(2) upgrade must be applied to both the CAS and the CAM.


Information for the 4.0(2) release is in the following sections:

Upgrade Instructions for 4.0(2)

Resolved Caveats - Release 4.0(2)

Upgrade Instructions for 4.0(2)

To upgrade your 4.0(0)/4.0(1) system, execute the following update procedure steps on your CAM and CAS.


Step 1 Download the cca_upgrade-4.0.2.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.2 folder.

Step 2 Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:

Upgrade CAS from CAS Management Pages, or

Upgrade CAS from CAS Direct Access Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)

Step 3 Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:

Upgrade CAM from CAM Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)


New Features and Enhancements in Release 4.0(1)


Warning Release 4.0(1) has been obsoleted. If your system is running 4.0(1), please upgrade to release 4.0(2). If your system is running 3.5(x) or 3.6(x) and you wish to upgrade to release 4.0(x), please upgrade to release 4.0(2) directly.


New Features

Enable L3 Strict Mode

OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs

Link-Failure Based Failover in CAS HA

Upgrade Enhancements

Enhancements

CAM Disable Serial Login

CAM Admin Console Login Enhancements

Client OS Detection Signature Lookup

Start Timer Specification for Cisco Updates

API Enhancements

Enhancements for Windows XP Media Center Edition/Tablet PC

Clean Access Agent (4.0.1.0)

Supported AV/AS Product List Enhancements (Version 43)

Enable L3 Strict Mode

With release 4.0(1)+, administrators with L3 deployments can now optionally restrict L3 Clean Access Agent clients from connecting to the Clean Access Server through NAT devices using the "Enable L3 strict mode to block NAT devices with Clean Access Agent" option.

When this feature is enabled in conjunction with "Enable L3 support," the CAS will check the client IP information automatically sent by the Clean Access Agent against source IP information to ensure no NAT device exists between the CAS and the client. If a NAT device is detected between the client device and the CAS, the user is not allowed to log in.

With release 4.0(1)+, administrators now have the following options when enabling network access for clients on the CAS:

Enable L3 support—The CAS allows all users from any hops away.

Enable L3 strict mode to block NAT devices with Clean Access Agent—When this option is checked (in conjunction with "Enable L3 support"), the CAS verifies the source IP address of user packets against the IP address sent by the Clean Access Agent and blocks all L3 Agent users with NAT devices between those users and the CAS.

Enable L2 strict mode to block L3 devices with Clean Access Agent—When this option is enabled, the CAS verifies the source MAC address of user packets against the MAC address sent by the Clean Access Agent and blocks all L3 Agent users (those more than one hop away from the CAS). The user will be forced to remove any router between the CAS and the user's client machine to gain access to the network.

All options left unchecked (Default setting)—The CAS performs in L2 mode and expects that all clients are one hop away. The CAS cannot tell whether a router sits between it and the client, and it will accept the router's MAC address as the machine of the first user who logs in and of any subsequent users. As a result, no checks are performed on the actual client machines behind the router, because their MAC addresses are never seen.

This affects the following web admin console page:

Device Management > CCA Servers > Manage [CAS_IP] > Network > IP (new checkbox for "Enable L3 strict mode to block NAT devices with Clean Access Agent"; and renaming of "Enable L2 strict mode for Clean Access Agent" to "Enable L2 strict mode to block L3 devices with Clean Access Agent")

OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs

With release 4.0(1)+, Cisco NAC Appliance OOB adds support for the following Cisco 3750 EtherSwitch service module (NME) cards for Cisco 2800/3800 Series Integrated Services Routers:

NME-16ES-1G

NME-16ES-1G-P

NME-X-23ES-1G

NME-X-23ES-1G-P

NME-XD-24ES-1S-P

NME-XD-48ES-2S-P

These NMEs are essentially a Cisco Catalyst 3750 switch packaged as a blade for the 2800/3800 ISR router, and are supported on these ISRs only (e.g. 2600 is not supported).


Note Adding 3750 NME modules to the CAM for OOB switch management requires the same steps as if adding a 3750 switch. When configuring the switch profile for these NMEs, choose Cisco Catalyst 3750 series under Switch Management > Profiles > Switch > New | Switch Model.


For complete switch support details, see Switch Support for Cisco NAC Appliance.

Link-Failure Based Failover in CAS HA

When configuring Clean Access Server pairs in High Availability (HA) mode, release 4.0(1)+ now allows you to optionally configure each CAS to respond to link failures on the trusted and/or untrusted sides as failover events. This option is configured in addition to Serial/UDP Heartbeat configuration. You can configure the same or different link-detect IP addresses for each CAS in the HA pair for comparison (depending on your network), as only the number of nodes that can be reached is considered. The CAS will attempt to ping the link-detect address(es) entered, then count the number of nodes it can reach (0-for no addresses, 1-for either trusted/untrusted, 2-for both trusted/untrusted). If the Standby CAS can reach more nodes than the Active CAS, the Standby CAS will take over and become the Active CAS. If both CASes can ping the same number of addresses (all addresses or only one address), no failover event occurs.

This affects the following page of an HA-CAS:

CAS direct access console: Administration > Network Settings > Failover [3 fields: Trusted-side Link-detect IP Address, Untrusted-side Link-detect IP address, Link-detect Timeout]
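The failover decision described above, as an added example that is not Cisco's code: each CAS counts how many of its link-detect addresses answer (0, 1 or 2) and the Standby takes over only when it reaches strictly more nodes than the Active. The addresses, the ping stand-in and the default timeout value are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

Pinger = Callable[[str], bool]  # True if the address answered within the Link-detect Timeout


@dataclass
class LinkDetectConfig:
    """The three Failover fields of the CAS direct access console (values constructed)."""
    trusted_ip: Optional[str]      # Trusted-side Link-detect IP Address (None if left empty)
    untrusted_ip: Optional[str]    # Untrusted-side Link-detect IP address (None if left empty)
    timeout_seconds: int = 5       # Link-detect Timeout (assumed value for this example)


def reachable_count(cfg: LinkDetectConfig, ping: Pinger) -> int:
    """Nodes this CAS can reach: 0 (no addresses), 1 (trusted or untrusted), 2 (both)."""
    return sum(1 for ip in (cfg.trusted_ip, cfg.untrusted_ip) if ip and ping(ip))


def should_failover(active_reach: int, standby_reach: int) -> bool:
    """Standby takes over only if it reaches strictly more nodes than the Active.
    Equal counts (both reach all addresses, or both reach only one) never trigger failover."""
    return standby_reach > active_reach


def decide(active_cfg: LinkDetectConfig, standby_cfg: LinkDetectConfig,
           ping_from_active: Pinger, ping_from_standby: Pinger) -> Dict[str, object]:
    """Evaluate one link-detect round for the HA pair."""
    a = reachable_count(active_cfg, ping_from_active)
    s = reachable_count(standby_cfg, ping_from_standby)
    return {"active_reach": a, "standby_reach": s, "failover": should_failover(a, s)}


def make_pinger(link_up: Dict[str, bool]) -> Pinger:
    """Constructed stand-in for ICMP: a table of which addresses this CAS's links can reach."""
    return lambda ip: link_up.get(ip, False)


# Constructed topology: both CASes are configured with the same link-detect targets.
TRUSTED_GW = "10.10.1.1"
UNTRUSTED_GW = "10.10.2.1"
CFG = LinkDetectConfig(trusted_ip=TRUSTED_GW, untrusted_ip=UNTRUSTED_GW)


def scenario_active_trusted_link_down() -> Dict[str, object]:
    """Active loses its trusted-side link; Standby still reaches both -> failover."""
    return decide(CFG, CFG,
                  make_pinger({TRUSTED_GW: False, UNTRUSTED_GW: True}),
                  make_pinger({TRUSTED_GW: True, UNTRUSTED_GW: True}))


def scenario_shared_upstream_outage() -> Dict[str, object]:
    """The trusted-side target itself is down for both CASes: equal counts, no failover."""
    return decide(CFG, CFG,
                  make_pinger({TRUSTED_GW: False, UNTRUSTED_GW: True}),
                  make_pinger({TRUSTED_GW: False, UNTRUSTED_GW: True}))


def scenario_no_link_detect_configured() -> Dict[str, object]:
    """Fields left empty: counts are always 0, so link state alone never causes failover
    (only the Serial/UDP heartbeat would)."""
    empty = LinkDetectConfig(trusted_ip=None, untrusted_ip=None)
    return decide(empty, empty, make_pinger({}), make_pinger({}))


if __name__ == "__main__":
    for fn in (scenario_active_trusted_link_down, scenario_shared_upstream_outage,
               scenario_no_link_detect_configured):
        print(fn.__name__, fn())
```

The second scenario is the case to keep in mind when choosing link-detect addresses: a target that both CASes lose at once produces no failover, so pick addresses that reflect each CAS's own link health.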

Upgrade Enhancements

Release 4.0(1) adds functionality to allow future upgrades of High Availability Clean Access Managers via web console in a future release of 4.0(x). (SSH connection may still be required to stop/start the perfigo service on each CAM.)


Warning Web upgrade is NOT supported for software upgrade of HA-CAM pairs. Upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.


CAM Disable Serial Login

Release 4.0(1)+ provides a new Disable Serial Login checkbox on the CAM web console. When there is only one serial port on the CAM machine, this checkbox allows administrators to disable serial login on COM1 so that it can be used as the Heartbeat Serial Interface for a pair of HA-Clean Access Managers. Prior to this feature, serial login had to be disabled manually via the command line.


Note Serial login is enabled by default on the CAM, and the first serial port detected on the CAM is configured for console input/output. If you are using COM1 for the Heartbeat Serial Interface of the CAM, you must click the Disable Serial Login checkbox to disable serial login on COM1. Note that in this case, you can still use SSH or KVM console to access the command line of the CAM.


This enhancement affects the following CAM web console page:

Administration > Clean Access Manager > Network & Failover | Failover Settings | Disable Serial Login (new checkbox)

CAM Admin Console Login Enhancements

With release 4.0(1) and above, the left-pane navigational menu of the CAM web admin console is only displayed to admin users after successful authentication (for both standalone and HA-CAM consoles). This enhancement further strengthens web console security and allows for future version-based menu option enhancements.

Client OS Detection Signature Lookup

With release 4.0(1)+, if a client is wrongly classified as Windows OS, you can type the Client IP Address and click the Display Signature button to display the TCP/IP stack signature stored for the client on the CAM. When troubleshooting, you can copy and paste the text that appears in the TCP/IP Stack Signature field (for example, TCP/IP Stack Signature: Windows 2000 SP4, XP SP1+ [<OS signature>]) into the customer support request when contacting Cisco TAC.

This affects the following web admin console page:

Device Management > CCA Servers > Manage[CAS_IP] > Authentication > OS Detection | Display OS Detection Signatures


Note The OS detection/fingerprinting feature uses both browser user-agent string and TCP/IP stack information to try to determine the OS of the client machine. While the detection routines will attempt to find the best match, it is possible that the OS may be detected incorrectly if the end-user modifies the TCP/IP stack on the client machine and changes the user-agent string on the browser. If there is concern regarding malicious users evading the OS fingerprinting/detection mechanisms, then administrators are advised to use network scanning in order to confirm the OS on the machine. If, for any reason, it is not possible or not desirable to use network scanning, then network administrators should consider pre-installing the Clean Access Agent on machines.


Start Timer Specification for Cisco Updates

Release 4.0(1)+ now allows administrators to specify a delay in the initial start time of Cisco Updates when configuring automatic updates on the CAM. Note that the start time is specified in a 24 hr. format (e.g. 14:30:00) and the repeat interval time is still specified in hours (e.g. 1 hour).

This affects the following web admin console page:

Device Management > Clean Access > Clean Access Agent > Updates | "Automatically check for updates starting from x:xx every x hours"

API Enhancements

The Clean Access API for your Clean Access Manager is accessed from a web browser as follows: https://<cam-ip-or-name>/admin/cisco_api.jsp. With release 4.0(1) and above, the Cisco Clean Access API utility script, cisco_api.jsp, provides the following enhancements:

New APIs:

kickuserbymac—Removes in-band logged in user(s) by MAC address. For multiple users, you can specify a comma-separated list of MAC addresses.

changeloggedinuserrole—Change in-band user access permissions by modifying a user's logged in role to the specified role. For multiple users, you can specify a comma-separated list of IP addresses.

Enhanced APIs:

changeuserrole—With 4.0(1)+, change in-band user access permissions by removing the user from the Online Users list and adding the user's MAC address to the Device Filters with new specified role.

kickoobuser—Removes logged-in out-of-band user(s). With 4.0(1)+ you can specify a comma-separated list of IP addresses to remove multiple users.

kickuser—Removes logged-in in-band user(s). With 4.0(1)+ you can specify a comma-separated list of IP addresses to remove multiple users.

removemac—Removes MAC address(es) from Device Filters list. With 4.0(1)+ specify a comma-separated list of MAC addresses to remove multiple addresses.

clearcertified—With 4.0(1)+, removes OOB users in addition to IB users from the Clean Access Certified Devices list.

Enhancements for Windows XP Media Center Edition/Tablet PC

Version 4.0.1.0 of the Clean Access Agent detects users with Windows Media Center Edition and Windows Tablet PC client operating systems and allows these systems to bypass hotfixes and checks intended for Windows XP systems. Because Windows MCE/Tablet PC are flavors of the XP engine, this enhancement enables users with these operating systems to still be able to access the network.

This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > Clean Access Agent > Reports > Report List (new entries for "Windows XP Media Center Edition" and "Windows XP Tablet PC Edition" in the "User OS" column, "Any OS" dropdown menu, and "Operating System" field of the client report)

Monitoring > Online Users > View Online Users ("OS" column)


Note Windows MCE/Tablet PC client operating systems will be fully supported in a future release of Cisco NAC Appliance.


Clean Access Agent (4.0.1.0)

Version 4.0.1.0 of the Clean Access Agent features the following enhancements:

Enhancements for Windows XP Media Center Edition/Tablet PC

Resolves a number of caveats, as listed in the Clean Access Agent Version Summary. See also Resolved Caveats - Release 4.0(1) for additional details.


Note Windows MCE/Tablet PC client operating systems are fully supported in release 4.0(3). See Enhancements in Release 4.0(3).


Supported AV/AS Product List Enhancements (Version 43)

See Supported AV/AS Product List Version Summary for details on what is new for this version update to the list.

See Clean Access Supported AV/AS Product List for the latest actual AV/AS product charts.

Enhancements in Release 4.0.0.1

Release 4.0.0.1 is a general and important bug fix release and patch for the Clean Access Manager (CAM) and Clean Access Server (CAS) that resolves caveats CSCsf22777 and CSCsf22786. No new features are added.


Note The 4.0.0.1 patch is applied to the 4.0(0) CAM and 4.0(0) CAS.

Patch release 4.0.0.1 is required for compatibility with the 4.0.2.0 Agent (released with CAM/CAS 4.0(3)).

If you have not deployed or do not want to deploy the 4.0.2.0 Agent, you do not need to upgrade your CAM/CAS to the 4.0.0.1 patch.


See the following sections:

Upgrade Instructions for 4.0.0.1

Resolved Caveats - Release 4.0.0.1

See also Software Compatibility Matrixes for additional details.

Upgrade Instructions for 4.0.0.1

To upgrade your 4.0(0) Clean Access Manager and 4.0(0) Clean Access Server, execute the following update procedure steps.


Step 1 Download the cca_upgrade-4.0.0.1.tar.gz upgrade file to your local computer from the http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.0 folder.

Step 2 Upgrade each CAS using one of the following procedures. Carefully follow instructions to upgrade each CAS:

Upgrade CAS from CAS Management Pages, or

Upgrade CAS from CAS Direct Access Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CASes only)

Step 3 Upgrade the CAM using one of the following procedures. Carefully follow instructions to upgrade the CAM:

Upgrade CAM from CAM Web Console, or

Console/SSH Upgrade—Standalone Machines, or

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (for HA-CAMs only)


New Features and Enhancements in Release 4.0(0)

This section details the new features delivered with Cisco NAC Appliance release 4.0(0) for the Clean Access Manager and Clean Access Server, as well as enhancements from release 3.6(x).

New Features

Support for Active Directory (Windows Domain) Single Sign-On (SSO)

Corporate Asset Authentication and Posture Assessment by MAC Address

Support for Layer 3 Out-of-Band (OOB) Deployment

New Windows Update Requirement Type

SMP Kernel Support for Super CAM

Support for Assigning VLANs by VLAN Name in OOB Deployments

Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments

Ability to Change Priority of Wildcard/Range Global Device Filters

Ability to View or Search Active L2 Devices in Device Filter List

Ability to Test MAC Addresses Against Device Filters

Support for Relay IP Class Restrictions on DHCP Server

Support for DHCP Global Actions

New "service perfigo maintenance" CLI Command for CAS

Ability of Clean Access Agent to Send IP/MAC for All Available Adapters

Clean Access Agent (4.0.0.0)

Support for Stub Installation/Update of the Clean Access Agent

Enhancements

OOB Page Redirection Timers (SNMP Receiver Advanced Settings)

SNMP Enhancements for CAM

CAS Host-Based Traffic Policy Enhancements for Proxy Servers

Enhancements for DHCP Option Configuration Forms

Authentication Cache Timeout

Supported AV/AS Product List Enhancements (Version 42)

Support for Active Directory (Windows Domain) Single Sign-On (SSO)

With release 4.0, Cisco Clean Access can automatically authenticate Clean Access Agent users who are already authenticated to a Windows domain. Release 4.0 supports Windows Single Sign-On (SSO) on Windows 2000/XP client machines and Active Directory (AD) on Windows 2000/2003 servers as shown in Table 5.

Table 5 Active Directory SSO Support

Active Directory (AD) Servers:

Windows 2000 Server Service Pack 4

Windows 2003 Enterprise Service Pack 1

Windows 2003 Enterprise R2

Windows 2003 Standard Service Pack 1

Client Machines:

Windows 2000 SP4

Windows XP (Home/Pro) SP1, SP2 and later



Note Active Directory SSO supports Clean Access Agent users on Windows XP/2000 systems only. AD SSO does not apply to web login users.


With Windows SSO, user authentication is first validated against the backend Kerberos Domain Controller (Windows 2000/2003 AD server). After user validation, authorization can then be performed through a separate lookup in Active Directory using LDAP to map users to various access roles (if desired). Configuration of the CAM web console and command line of the Active Directory server is required to implement this feature.

This new feature adds new web console pages or affects existing pages as follows:

User Management > Auth Servers > New | Authentication Type | Active Directory SSO (new configuration page for Windows Domain SSO auth type)

User Management > Auth Servers > Lookup Servers (new configuration tab for secondary AD lookup servers)

Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows Auth > Active Directory SSO (new CAS configuration page for AD domain server)

In addition, the Clean Access Agent provides a new dialog that displays on clients when Windows Domain Single Sign-On is being performed.


Note The feature formerly known as "Transparent Windows" is now known as "Windows Netbios SSO" and has been deprecated. Cisco recommends you configure Active Directory SSO instead.


Corporate Asset Authentication and Posture Assessment by MAC Address

With release 4.0, Cisco NAC Appliance can perform MAC-based authentication and posture assessment (Clean Access certification) of client machines without requiring the user to log into Cisco Clean Access. This feature is implemented through the new "CHECK" device filter control for global and local device filters, and through Ability of Clean Access Agent to Send IP/MAC for All Available Adapters.

CHECK (new for 4.0; requires Role assignment)

IB - bypass login, apply posture assessment, assign role

OOB - bypass login, apply posture assessment, assign User Role VLAN

This new feature adds the following new pages to the web admin console:

Device Management > Filters > New/Edit (new "CHECK" option)

Device Management > CCA Servers > Manage [CAS_IP] > Filter > Devices Filters > New/Edit (page completely updated)

Device Management > Filters > List (page display updated)

In addition, the Clean Access Agent provides a new dialog that displays on clients when device-based authentication is being performed.

For a description of additional related enhancements, see also Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments.

Support for Layer 3 Out-of-Band (OOB) Deployment

New Deployment Options for L3

Release 3.5(3) introduced multi-hop L3 support for in-band (wired) deployments, enabling administrators to deploy the Clean Access Server (CAS) in-band centrally (in core or distribution layer) to support users behind L3 Switches (e.g. routed access) and remote users behind VPN Concentrators or remote WAN routers. With L3 IB, users more than one L3 hop away from the CAS are supported and their traffic always goes through Cisco NAC Appliance.

Release 4.0 introduces multi-hop L3 support for out-of-band (wired) deployments, enabling administrators to deploy the CAS out-of-band centrally (in core or distribution layer) to support users behind L3 Switches (e.g. routed access) and, in some instances, remote users behind WAN routers. With L3 OOB, users more than one L3 hop away from the CAS are supported and their traffic only has to go through Cisco NAC Appliance for authentication/posture assessment.

With release 4.0, administrators now have the option of deploying a remote CAS or L3 IB CAS for remote WAN users, and in some instances using L3 OOB.


Note L3 OOB requires changing the end-user IP address using port bouncing. Release 4.0.0 does not support the end user behind IP telephony for L3 OOB. Support will be enabled for end users behind IPT for L3 OOB in an upcoming maintenance release.


Client MAC Address Detection—Clean Access Agent or ActiveX/Java Applet

In release 4.0, the MAC detection mechanism of the 4.0.0.0 and above Clean Access Agent will automatically acquire the client MAC address in L3 OOB deployments (see Ability of Clean Access Agent to Send IP/MAC for All Available Adapters).

Users performing web login will download and execute either an Active X control (for IE browsers) or Java applet (for non-IE browsers) to the client machine prior to user login to determine the user machine's MAC address. This information is then reported to the CAS and the CAM to provide the IP address/ MAC address mapping.

ActiveX/Java Applet and Browser Compatibility

ActiveX is supported on IE 6.0 for Windows XP and Windows 2000 systems.

Java applets are supported for major browsers including Safari 1.2+, Mozilla (Camino, Opera), and Internet Explorer on Windows XP, Windows 2000, MacOS 10, and Linux operating systems.

Due to Firefox issues with Java, Java applets are not supported for Firefox on Mac OS X. See the Firefox release notes (http://www.mozilla.com/firefox/releases/1.5.0.3.html) for details.


Note For Mac OS Clients: On Apple Mac OS, the browser settings to bypass proxy must have the full CAS IP address (e.g. 10.201.217.93) in order for the client machine to load the Java Applet and log in successfully.



Note For Linux OOB Clients:

Because Linux machines behave differently than Windows/Mac OS clients (i.e. do not release IP address when NIC is down and renew IP address when NIC is up), use the following steps for OOB Linux clients:

1. Set a short lease time (e.g. 60 seconds) for the DHCP server on the Auth VLAN.

2. In the Port Profile, disable (uncheck) the "Remove out-of-band online user when SNMP linkdown trap is received" option.

This will cause the Linux client to renew its IP address shortly after authentication/certification.

Note Because Linux shuts down/restarts the NIC when renewing the IP address, if this option is enabled (checked) in the Port Profile, the renewal will set the port back to the Auth VLAN.

3. Alternatively, you can set the Port Profile to: "Change to [Access VLAN] if the device is certified but not in the out-of-band user list." This ensures the port stays on the Access VLAN for an authenticated/certified Linux client that is reconnecting to the port after renewing its DHCP lease.



Note The Enable L2 strict mode for Clean Access Agent feature requires the Clean Access Agent to get the client MAC address. The ActiveX/ Java Applet MAC address fetch is currently not enabled for L2 strict mode in L3 OOB deployment.


This new feature modifies the following web admin console pages:

A new checkbox and dropdown menu is added for "Use Active X or Java Applet to detect client MAC address when Clean Access Server cannot detect the MAC address" in the following user login configuration pages:

CAM web console: Administration > User Pages > Login Page > List [Edit] | General

CAS management pages: Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page > List [Edit] > General

Device Management > Clean Access > Clean Access Agent > Updates (version information for updates to L3 Java Applet Web Client and L3 ActiveX Web Client)

In addition, the web login pages for L3 OOB users will reflect status information related to loading the Active X control or Java applet, and renewing the client IP address.

New Windows Update Requirement Type

Release 4.0 adds a new Clean Access Agent "Windows Update" Requirement type configuration page to allow administrators to check and modify Windows Update settings, and launch Windows Updater (Automatic Updates/WSUS Agent for Local WSUS Server) on Clean Access Agent user machines. When this requirement is configured, the administrator can turn on Automatic Updates on Windows 2000 or XP clients which have this option disabled on the machine. If Automatic Updates are already enabled on the user machine, the administrator can override the user-specified update option with the administrator-specified option. In addition, administrator-specified Windows Update settings can be applied temporarily on the user machine or can be set to permanently override user preferences to ensure updates are always performed.

The "Windows Update" requirement (set to Optional) provides an Update button on the Clean Access Agent for remediation. When the end user clicks the Update button, the CCA Agent will launch the AU/WSUS Agent and force it to get the update software from the WSUS Server. The software download from WSUS may take some time. Cisco recommends you set the Windows Update requirement to Optional for WSUS remediation to occur as a background process.


Note Administrators must ensure that the AU Agent is updated to support the local WSUS server for the auto-launch to work. For details, refer to: http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx


This new feature adds the following web admin console page:

Device Management > Clean Access > Clean Access Agent > Requirements > New/Edit Requirement | Requirement Type: Windows Update

SMP Kernel Support for Super CAM

Release 4.0 adds SMP (Symmetric Multi-Processing) support to the Clean Access Manager kernel. However, this support is only available in the upcoming SuperManager (Super CAM) product.

A SuperManager (Super CAM) is a Clean Access Manager on a hardware platform that will be capable of managing up to 40 Clean Access Servers (CAS). Currently, the limit for the number of CASes that can be managed by a regular CAM is 20.

Note that regular CCA release 4.0, as well as upgrades to 4.0 (from 3.5 or 3.6), will continue to support only single processor servers.


Note SMP support is added to support new Super CAM hardware platforms expected to ship in the FY'06 time frame. See Current Supported Components Required for Super CAM below.


Current Supported Components Required for Super CAM

Table 6 lists the current supported components required to install the SuperManager (Super CAM) product software. The Super CAM software is currently supported only for the platform specified in Table 6.

Table 6 Current Supported Components Required for Cisco NAC Appliance-Super CAM

Cisco NAC Appliance Version: 4.0(x)

Supported Server Hardware (1): HP Proliant DL360 G5 (Serial Attached SCSI (SAS) controller)

Note Must be dual-processor, with 4 GB of RAM and 4 hard drives.

SSL Accelerator Card (2): Cavium CN1120-NHB-E

1 Super CAM software version 4.0.3.3 and newer will only be supported on the Cisco NAC Appliance 3390 hardware platform.

2 You must purchase and install the Cavium CN1120-NHB-E SSL Accelerator Card on the server hardware to install the Super CAM software. The Super CAM will not run without it. Refer to http://www.cavium.com/EnterpriseBoards/overview.html for details.


See Upgrading or Installing Super Manager Software for further details.

Support for Assigning VLANs by VLAN Name in OOB Deployments

With release 4.0, administrators now have the option of specifying the VLAN Name or the VLAN ID in the Port Profile form or in the User Role form (when role-based VLAN assignment is used for Out-of-Band deployments). Note that VLAN Name is case-sensitive. If specifying wildcards for VLAN Name, you can use: abc, *abc, abc*, *abc*. The switch will use the first match for the wildcard VLAN Name.


Note Disable VTP configuration on switches if using VLAN by Name.


This new feature modifies the following web admin console pages:

Switch Management > Port Profile > New/Edit | VLAN Settings (VLAN Name/VLAN ID dropdown added)

User Management > User Roles> New/Edit Role | Out-of-Band User Role VLAN (VLAN Name/VLAN ID dropdown added)

Support for "IGNORE" Global Device Filter for IP Phones in OOB Deployments

Release 4.0 provides a new "IGNORE" global device filter control which when set for the specified MAC address will ignore SNMP traps from managed switches in Out-of-Band deployments. This feature is intended to support OOB client machines connected to the network via IP phones.

IGNORE: (new for 4.0; OOB only)

OOB - Ignore SNMP traps from managed switches (switchports) for devices on the IGNORE list (e.g. IP Phones)


Note After 4.0 upgrade, administrators should reconfigure any "allow" device filters specified for IP phones with previous CCA releases to the new "IGNORE" option.

The "IGNORE" option applies to OOB deployments and global device filters only. It does not apply to CAS-specific filters, and for IB deployments this option has no effect.


This new feature is part of the overall enhancements to the following web admin console page:

Device Management > Filters > New/Edit (new "IGNORE" option)

For a description of additional related enhancements, see also Corporate Asset Authentication and Posture Assessment by MAC Address.

Ability to Change Priority of Wildcard/Range Global Device Filters

Release 4.0 provides a new "Order" page control to allow administrators to change the priority of global device filters configured using wildcards or address ranges. By reordering the priority of a device filter policy up or down, the administrator can quickly change the access type for the devices which fall under the device filter rule.


Note If a device filter is specified for an exact MAC address, the rules of that filter apply instead and any existing wildcard/range filters are not used.


This new feature adds the following new web admin console page:

Device Management > Filters > Order (new tab)

Ability to View or Search Active L2 Devices in Device Filter List

Release 4.0 provides a new control to view or search the IP addresses, Access Types, and Role of all L2 clients that are currently connected to the CAS, sending packets, and whose MAC addresses are in a global or local device filter. Active L2 devices can be viewed across all Clean Access Servers via the CAM web console, or per CAS via the CAS management pages.

This new feature adds the following new pages to the web admin console:

Device Management > Filters > Active (new tab)

Device Management > CCA Servers > Manage [CAS_IP] > Filter > Devices Filters > Active (new tab)

Ability to Test MAC Addresses Against Device Filters

Release 4.0 provides a new "Test" page control to allow administrators to determine which device filter and access type will be applied to the specified MAC for the specified Clean Access Server.

Device Management > Filters > Test (new tab)
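An added example (not Cisco's code) of the precedence rules behind the Order and Test controls above: an exact-MAC filter applies outright, otherwise the wildcard/range filters are tried in their configured order and the first match wins. The pattern syntax (prefix wildcard `aa:bb:cc:*`, range `start-end`), the access-type set and the sample filter entries are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def norm_mac(mac: str) -> str:
    """Canonical lowercase colon form; rejects anything that is not a full MAC."""
    m = mac.strip().lower()
    if not MAC_RE.match(m):
        raise ValueError(f"bad MAC address: {mac!r}")
    return m


def mac_to_int(mac: str) -> int:
    return int(norm_mac(mac).replace(":", ""), 16)


@dataclass
class DeviceFilter:
    """One global device filter (assumed pattern syntax for this example):
    exact 'aa:bb:cc:dd:ee:ff', prefix wildcard 'aa:bb:cc:*', or range 'start-end'."""
    pattern: str
    access: str                  # 'ALLOW', 'CHECK' (requires Role) or 'IGNORE' (OOB only)
    role: Optional[str] = None
    description: str = ""

    def __post_init__(self) -> None:
        if self.access not in ("ALLOW", "CHECK", "IGNORE"):
            raise ValueError(f"unknown access type {self.access!r}")
        if self.access == "CHECK" and not self.role:
            raise ValueError("CHECK filters require a Role assignment")

    @property
    def is_exact(self) -> bool:
        return MAC_RE.match(self.pattern.lower()) is not None

    def matches(self, mac: str) -> bool:
        mac = norm_mac(mac)
        if self.is_exact:
            return norm_mac(self.pattern) == mac
        if "-" in self.pattern:                       # range 'start-end', inclusive
            lo, hi = (mac_to_int(p) for p in self.pattern.split("-", 1))
            return lo <= mac_to_int(mac) <= hi
        if self.pattern.endswith("*"):                # prefix wildcard
            return mac.startswith(self.pattern[:-1].lower())
        raise ValueError(f"unsupported pattern {self.pattern!r}")


def _effective(f: DeviceFilter, deployment: str) -> bool:
    """Assumption for this example: IGNORE has no effect in IB, so such a match is skipped."""
    return not (f.access == "IGNORE" and deployment == "IB")


@dataclass
class FilterList:
    exact: List[DeviceFilter]    # exact-MAC filters: take precedence, order irrelevant
    ordered: List[DeviceFilter]  # wildcard/range filters in their "Order" priority

    def move_up(self, index: int) -> None:
        """The Order control: raise the priority of ordered[index] by one position."""
        if index <= 0 or index >= len(self.ordered):
            return
        self.ordered[index - 1], self.ordered[index] = self.ordered[index], self.ordered[index - 1]

    def test(self, mac: str, deployment: str = "OOB") -> Optional[Tuple[DeviceFilter, str]]:
        """The Test control: which filter and access type apply to this MAC?"""
        for f in self.exact:
            if f.matches(mac) and _effective(f, deployment):
                return f, f.access
        for f in self.ordered:                        # first match in priority order wins
            if f.matches(mac) and _effective(f, deployment):
                return f, f.access
        return None


# Constructed sample filter set.
FILTERS = FilterList(
    exact=[DeviceFilter("00:16:d3:aa:bb:cc", "ALLOW", description="lab printer")],
    ordered=[
        DeviceFilter("00:16:d3:*", "CHECK", role="corporate",
                     description="corporate laptops: posture check without login"),
        DeviceFilter("00:16:d3:aa:00:00-00:16:d3:aa:ff:ff", "ALLOW",
                     description="pre-approved kiosk range"),
        DeviceFilter("00:1b:d4:*", "IGNORE", description="IP phones: ignore SNMP traps (OOB)"),
    ],
)


def access_for(mac: str, deployment: str = "OOB") -> Optional[str]:
    """Access type the Test control would report for this MAC, or None if no filter matches."""
    hit = FILTERS.test(mac, deployment)
    return None if hit is None else hit[1]


if __name__ == "__main__":
    for m in ("00:16:d3:aa:bb:cc", "00:16:d3:aa:11:22", "00:1b:d4:00:00:01", "00:0c:29:11:22:33"):
        print(m, access_for(m))
```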

Support for Relay IP Class Restrictions on DHCP Server

With release 4.0, when the CAS is configured as a DHCP server, administrators can now also restrict DHCP subnet ranges based on a Relay IP address (in addition to restricting ranges based on VLAN ID).

For IPs with VLAN restrictions, all IPs must be in a managed subnet, and you must create a managed subnet first before creating an IP range (DHCP pool).

For IPs with relay restrictions, all IPs should typically be in static routes, but can be in managed subnets if integrating the CAS with Aironet devices or other non-RFC 2131/2132 compliant devices. Note that these IP address pools must be in either a static route or a managed subnet, and IPs with relay restrictions should only be put in a managed subnet for these non-compliant devices.

This new feature modifies the following web admin console pages (when the CAS is configured as a DHCP Server):

Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Subnet List > New / Edit (new "Restrict range to: VLAN ID | RELAY IP" dropdown)

Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Global Options (new "Class Options" configuration section)

Support for DHCP Global Actions

With release 4.0, when the CAS is configured as a DHCP server, administrators can now globally modify and apply the following settings:

Default Lease Time (seconds) - except for IP reservations

Maximum Lease Time (seconds) - except for IP reservations

DNS Suffix

DNS Servers

WIN Servers

You can globally apply these settings to the following:

All manually created subnets

All auto-generated subnets

All reserved IP entries

All forms specified by VLAN ID

Or, all of these elements together ("Everything")

This feature creates the following new web console tab (for a CAS-DHCP Server):

Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Global Action (new tab)

New "service perfigo maintenance" CLI Command for CAS

Release 4.0 provides a new service perfigo maintenance CLI command that can be issued on the CAS to keep network connectivity when bringing the CAS into maintenance mode. In maintenance mode only the basic CAS router runs, and it continues to handle VLAN-tagged packets. The command allows communication with the CAS through the management VLAN and is intended for environments where the CAS is in trunk mode and the native VLAN differs from the management VLAN. It is a better alternative to service perfigo stop, which causes the CAS to lose network connectivity when a management VLAN is set.


Note service perfigo maintenance is available on the CAS CLI only (does not apply to CAM).


Ability of Clean Access Agent to Send IP/MAC for All Available Adapters

With release 4.0, version 4.0.0.0 of the Clean Access Agent can send the MAC and IP address of every network adapter on the client to the Clean Access Server. This is used for:

MAC-based device authentication (see Corporate Asset Authentication and Posture Assessment by MAC Address)

With release 4.0 and above, if the MAC address of a Clean Access Agent user is in an "allow" device filter, the CAS informs the Agent in its UDP discovery response, and the Agent allows device authentication and posture assessment of the device without requiring a user login.

L3 OOB deployments (see Support for Layer 3 Out-of-Band (OOB) Deployment)

The Agent always sends the MAC/IP address pairs of the client in its login request regardless of the CAS configuration; the CAS decides what to read and what to discard. If the CAS is configured for L3 OOB, it takes the MAC/IP addresses from the Agent at UDP discovery and at login request. If the CAS is configured for L2 Strict mode, it discards all IP addresses, because they are not needed.

Clean Access Agent (4.0.0.1)

Version 4.0.0.1 of the Clean Access Agent resolves caveat CSCse64395.

See also Clean Access Agent Version Summary.

Clean Access Agent (4.0.0.0)

Version 4.0.0.0 adds the following functionality to the Clean Access Agent:

Agent is now aware of when a user machine is in a MAC-based device filter.

Agent now sends the MAC/IP address of all available network adapters on the client to the CAS.

Agent now detects OS Mismatch and re-performs posture assessment.

Stub is now available to distribute the Agent installation files when users do not have admin privileges on their machines.

The Installer Proxy of the Agent Installer now checks user privileges before installing the Clean Access Agent. If the user has admin privileges, the installation proceeds; if the user has non-admin privileges, the installer proxy attempts to communicate with the stub.


Note Microsoft Internet Explorer 7.0 is only supported when using Clean Access Agent 4.0.4.0. For other versions of the Agent to login and perform operations, users must uninstall IE 7.0 Beta 2. See Troubleshooting for details.


See also Clean Access Agent Version Summary.

Support for Stub Installation/Update of the Clean Access Agent

Release 4.0 provides a stub installer to allow users without administrator permissions on their machines to install or update the Clean Access Agent after the stub is installed by an admin user. With release 4.0 the installer proxy of the Agent installer is also enhanced to check the digital signature of any target executable and to only perform installation when the digital signatures are trusted.

In release 4.0 when the Agent Setup Installation program is started, it:

1. Extracts the installer

2. Checks the privileges of the current user

3. If the user has admin privileges, the installer is launched.

4. If the user is not an admin user:

a. It verifies whether or not the stub is running (or installed but not running)

b. If the stub is not running, the real installer of the Agent is not extracted and the Agent is not installed.

c. If the stub is running, a request is sent to the stub to launch the installer in the Temp directory of the local user (CCA will know the exact location of where the real installer has been extracted).

The stub installer must be distributed by the administrator and can be downloaded from Cisco Secure Downloads or obtained from the CAM using the administrator download buttons on the Clean Access Agent Distribution page: CCAA MSI Stub (Microsoft Installer format) or CCAA EXE Stub (generic executable format).

This new feature modifies the following web admin console page:

Device Management > Clean Access > Clean Access Agent > Distribution (new CCAA MSI Stub and CCAA EXE Stub download buttons)

OOB Page Redirection Timers (SNMP Receiver Advanced Settings)

When configuring OOB for web login users, release 4.0(0) provides new "Redirection Delay with/without Bouncing" options for additional control of webpage redirection intervals (to allow time for port bouncing or to minimize redirection time if no port bouncing is required). This allows the port to be bounced after a configured interval, and the page to be redirected after another configured interval. The total of these configured intervals then becomes the redirection interval experienced by the user after login, by default 20 seconds when the port is bounced. The client will then be on the Access VLAN.

When the port is not bounced, the total redirection interval that the user experiences is the value of the Redirection Delay without Bouncing field.

When the port is bounced, the total redirection interval that the user experiences is the sum of 2 fields: Redirection Delay with Bouncing and Port Bounce Interval.

This enhancement modifies the following web admin console page:

Switch Management > Profiles > SNMP Receiver > Advanced Settings (new "Redirection Delay without Bouncing" and "Redirection Delay with Bouncing" fields)

SNMP Enhancements for CAM

With release 4.0, the SNMP settings for the traps the CAM sends to SNMP management tools are saved on CAM failover peers. In addition, the state of everything the CAM monitors (disks, memory, CPU, and critical processes) is sent within a few minutes of SNMP server startup (that is, after SNMP configuration changes or a CAM machine reboot).

CAS Host-Based Traffic Policy Enhancements for Proxy Servers

Release 4.0 enhances host-based traffic policy handling on the Clean Access Server for deployments where users must go through a proxy server to reach the network. Because all such traffic is addressed to the proxy rather than to the final destination, an allowed-host policy cannot be enforced on the destination IP alone. When the "Parse Proxy Traffic for Roles other than Unauthenticated Role" checkbox is enabled on the Allowed Hosts form, the CAS inspects the payloads of GET, POST and CONNECT requests (HTTP/HTTPS/FTP) and verifies that the requested host is on the host policy list before allowing the traffic to reach the proxy server specified on the Proxy configuration page of the CAS. The Proxy page is also enhanced so that both the proxy server IP address and port can be specified. Configure the proxy server IP and port first, then enable the "parse proxy" checkbox.

This enhancement modifies the following web admin console pages:

Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Proxy (field updated for "Proxy Server (IP):Port")

Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Allowed Host (new checkbox for "Parse Proxy Traffic for Roles other than Unauthenticated Role")
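
The following is an added example of the check described above, written for this page and not taken from the CAS; it shows why the request payload, not the packet's destination, has to be inspected when a proxy is in the path. The destination is recovered from the absolute URI of a GET/POST, from the authority of a CONNECT, or, failing those, from the Host header. The allowed-host list, its "*.domain" wildcard syntax, and the sample requests are constructed for the example.

```python
"""Recover the real destination of a proxied request and check it against
an allowed-host list. Added example, not the CAS implementation; the policy
entries, wildcard syntax and requests below are constructed."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"update.example.com", "*.example.org"}   # hypothetical policy
PARSED_METHODS = ("GET", "POST", "CONNECT")


def host_allowed(host: str, allowed=ALLOWED_HOSTS) -> bool:
    """Exact match, or wildcard entry matching the apex and any subdomain."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def _strip_port(authority: str) -> str:
    # "host:port" or "[v6]:port" -> host; a bare host is returned unchanged.
    host = authority.rsplit(":", 1)[0] if authority.count(":") == 1 \
        or authority.startswith("[") else authority
    return host.strip("[]").lower()


def proxied_target(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (method, host) for a proxy-bound request, or None if the
    destination cannot be determined. None must be treated as deny."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method == "CONNECT":                 # CONNECT host:port HTTP/1.1
        return method, _strip_port(target)
    if "://" in target:                     # absolute-form, as sent to a proxy
        u = urlsplit(target)
        if u.scheme not in ("http", "https", "ftp") or not u.hostname:
            return None
        return method, u.hostname.lower()   # the proxy routes on this, so we check this
    for line in lines[1:]:                  # origin-form: fall back to Host
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return method, _strip_port(value.strip())
    return None


def permit(raw: bytes) -> bool:
    """Policy decision for one request headed to the configured proxy."""
    target = proxied_target(raw)
    if target is None or target[0] not in PARSED_METHODS:
        return False
    return host_allowed(target[1])
```

The absolute-form URI is checked in preference to the Host header because that is what a proxy actually connects to; a request carrying an allowed name in Host and a different name in the request line would otherwise slip past the policy.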

Enhancements for DHCP Option Configuration Forms

When the CAS is configured as a DHCP Server, release 4.0 enhances the configuration forms for specifying DHCP options.

For Root Global and Scoped Global options, administrators can now specify an option number and choose from an option type dropdown, or create a custom option by specifying an ID and a data type (for options that are not on the list or of a different type). Custom DHCP options may be used by VoIP vendors to provide IP phone information that needs to be routed on the network.

Similar Class Options configuration forms are now provided to allow administrators to specify class options for VLAN ID or Relay IP restricted subnets.

This enhancement adds the following web admin console page (when the CAS is configured as a DHCP Server):

Device Management > CCA Servers > Manage [CAS_IP] > Network > DHCP > Global Options


Note For DHCP Options: When upgrading to 4.0, any existing DHCP options on the CAS will be lost. Administrators must re-enter any previously configured DHCP options using the Global Options page.


Authentication Cache Timeout

For performance reasons, the Clean Access Manager caches the result of a user authentication for 2 minutes by default. Release 4.0 adds an "Authentication Cache Timeout" control on the Auth Server list page that lets administrators set the number of seconds an authentication result is cached on the CAM. The cache defines a window during which a user whose account has been removed from the authentication server (LDAP, RADIUS, etc.) can still log in to CCA; administrators can shorten that window by lowering the Authentication Cache Timeout.

This enhancement modifies the following web admin console page:

User Management > Auth Servers > Auth Servers > List (new "Authentication Cache Timeout" field)
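
The example below is added to make the window concrete; it is not the CAM's code and makes no claim about how the CAM keys its cache. It assumes a result cache keyed on username plus a keyed digest of the password (so a cached success for one password cannot satisfy a different one), with an injectable clock so the window can be measured without sleeping. The directory contents and timeouts are constructed.

```python
"""A result cache in front of an authentication backend, and the window it
leaves after an account is deleted upstream. Added example, not the CAM's
implementation; backend, users and timeouts are constructed."""
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

Backend = Callable[[str, str], bool]


class AuthCache:
    def __init__(self, backend: Backend, timeout_s: float = 120.0,
                 clock: Callable[[], float] = time.monotonic):
        self.backend = backend
        self.timeout = timeout_s
        self.clock = clock
        self._mac_key = secrets.token_bytes(32)   # per-process; entries are
        self._entries: Dict[Tuple[str, str], Tuple[bool, float]] = {}  # useless offline

    def _key(self, user: str, password: str) -> Tuple[str, str]:
        # Keyed digest rather than the cleartext or a plain hash: a dump of
        # the cache yields neither passwords nor an offline-crackable verifier.
        tag = hmac.new(self._mac_key, password.encode(), "sha256").hexdigest()
        return user, tag

    def authenticate(self, user: str, password: str) -> bool:
        key = self._key(user, password)
        now = self.clock()
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]                     # served from cache; backend not asked
        result = self.backend(user, password)
        self._entries[key] = (result, now + self.timeout)
        return result

    def invalidate(self, user: str) -> None:
        """What a deprovisioning hook would do instead of waiting for expiry."""
        for key in [k for k in self._entries if k[0] == user]:
            del self._entries[key]


def deletion_window(timeout_s: int) -> int:
    """Seconds a user deleted from the backend can still log in via the cache."""
    directory = {"alice": "s3cret"}                       # constructed backend
    now = [0.0]
    cache = AuthCache(lambda u, p: directory.get(u) == p,
                      timeout_s, clock=lambda: now[0])
    assert cache.authenticate("alice", "s3cret")          # populate the cache
    del directory["alice"]                                # account removed upstream
    window = 0
    while cache.authenticate("alice", "s3cret"):
        now[0] += 1.0
        window += 1
    return window
```

With the default of 120 seconds, deletion_window(120) returns 120: the removed account keeps working for exactly the configured timeout, which is the figure to weigh against the backend load saved by caching.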

Supported AV/AS Product List Enhancements (Version 42)

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

See Supported AV/AS Product List Version Summary for details on each update to the list.

Cisco Pre-Configured Rules ("pr_")

Cisco NAC Appliance provides a set of pre-configured rules and checks that are downloaded to the CAM via the Updates page on the CAM web console (under Device Management > Clean Access > Clean Access Agent > Updates).

Pre-configured rules have a prefix of "pr" in their names (e.g. "pr_XP_Hotfixes"), and can be copied (for use as a template), but cannot be edited or removed. You can click the Edit button for any "pr_" rule to view the rule expression that defines it. The rule expression for a pre-configured rule will be composed of pre-configured checks (e.g. "pc_Hotfix835732") and boolean operators. The rule expression for pre-configured rules is updated via Cisco Updates. For example, when new Critical Windows OS hotfixes are released for Windows XP, the pr_XP_Hotfixes rule will be updated with the corresponding hotfix checks.

Pre-configured rules are listed under Device Management > Clean Access > Clean Access Agent > Rules > Rule List. Pre-configured checks have a prefix of "pc" in their names and in turn are listed under Device Management > Clean Access > Clean Access Agent > Rules > Check List.


Note Cisco pre-configured rules provide support for Critical Windows OS hotfixes.



Note For complete details on configuring Clean Access Agent requirements, rules, and checks see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0.
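
As an added illustration of how a rule expression composed of pc_ checks is evaluated (example code written for this page, not Cisco's rule engine), the following evaluator accepts expressions such as "pc_Hotfix835732 & pc_Hotfix828741". The operator set (& for AND, | for OR, ! for NOT, parentheses for grouping, with & binding tighter than |), the check names other than pc_Hotfix835732, and the check results are assumptions made for the example. A check named in the expression that has no result fails closed by raising rather than being treated as passed.

```python
"""Evaluate a CAM-style rule expression over pc_ check results.
Added example, not Cisco's rule engine; operator set, precedence and the
check names/results used in tests are assumptions for this illustration."""
import re
from typing import Dict, List

TOKEN = re.compile(r"\s*(?:(pc_\w+)|([&|!()]))\s*")


def tokenize(expr: str) -> List[str]:
    tokens, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at offset {pos}: {expr[pos:pos + 12]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


def evaluate(expr: str, results: Dict[str, bool]) -> bool:
    """Recursive-descent evaluation: or := and ('|' and)*; and := not ('&' not)*;
    not := '!' not | atom; atom := '(' or ')' | pc_check."""
    tokens = tokenize(expr.strip())
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take() -> str:
        nonlocal pos
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        pos += 1
        return tok

    def parse_or() -> bool:
        value = parse_and()
        while peek() == "|":
            take()
            rhs = parse_and()        # always parsed so the token stream is consumed
            value = value or rhs
        return value

    def parse_and() -> bool:
        value = parse_not()
        while peek() == "&":
            take()
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not() -> bool:
        if peek() == "!":
            take()
            return not parse_not()
        return parse_atom()

    def parse_atom() -> bool:
        tok = take()
        if tok == "(":
            value = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if not tok.startswith("pc_"):
            raise ValueError(f"operand expected, got {tok!r}")
        if tok not in results:
            raise KeyError(f"no result for check {tok}")   # fail closed
        return results[tok]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return value


def hotfix_rule(check_names: List[str]) -> str:
    """Compose an all-must-pass rule of the kind a Cisco update extends
    whenever new hotfix checks are published."""
    return " & ".join(check_names)
```

Failing closed on an unknown check matters in practice: when an update adds a check to pr_XP_Hotfixes that an older Agent cannot perform, the rule should not silently pass for that client.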


Using Cisco Rules to Check for CSA

You can use Cisco rules to create a Clean Access Agent requirement that checks if the Cisco Security Agent (CSA) is already installed and/or running on a client (from version 14663 and above of the Cisco Updates ruleset). To do this:

1. Create a new Link Distribution or File Distribution requirement (for Windows XP/2000).

2. Associate the requirement to one or both of the following rules (for Windows XP/2000):

pr_CSA_Agent_Version_5_0

pr_CSA_Agent_Service_Running

3. Associate the requirement to the user role(s) for which it will apply.

Clean Access Supported AV/AS Product List

This section describes the Supported AV/AS Product List that is downloaded to the Clean Access Manager via Device Management > Clean Access > Clean Access Agent > Updates to provide the latest antivirus (AV) and anti-spyware (AS) product integration support. The Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported AV/AS vendors and product versions used to configure AV/AS Rules and AV/AS Definition Update requirements.

The Supported AV/AS Product List contains information on which AV/AS products and versions are supported in each Clean Access Agent release along with other relevant information. It is updated regularly to bring the relevant information up to date and to include newly added products for new releases. Cisco recommends that you keep your list current, especially when you upload a new Agent Setup version or Agent Patch version to your CAM. Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages list all the new products supported in the new Agent.


Note Cisco recommends that you keep your Supported AV/AS Product List up-to-date on your CAM by configuring the Update Settings under Device Management > Clean Access > Clean Access Agent > Updates to "Automatically check for updates every 1 hour."


The following charts list the AV and AS product/version support per client OS as of the latest Clean Access release:

Clean Access AV Support Chart (Windows Vista/XP/2000)

Clean Access AV Support Chart (Windows ME/98)

Clean Access AS Support Chart (Windows Vista/XP/2000)

The charts show which AV/AS product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Clean Access Agent.

For a summary of the product support that is added per version of the Supported AV/AS Product List or Clean Access Agent, see also:

Supported AV/AS Product List Version Summary

Clean Access Agent Version Summary

You can access additional AV and AS product support information from the CAM web console under Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info.

Where possible, Cisco recommends you use AV Rules mapped to AV Definition Update Requirements when checking antivirus software on clients, and AS Rules mapped to AS Definition Update Requirements when checking anti-spyware software on clients. For non-supported AV or AS products, or if an AV/AS product/version is not available through AV Rules/AS Rules, administrators always have the option of creating their own custom checks, rules, and requirements for the AV/AS vendor (and/or using Cisco-provided pc_ checks and pr_ rules) through Device Management > Clean Access > Clean Access Agent (use New Check, New Rule, and New File/Link/Local Check Requirement). See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0 for configuration details.

Note that Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for AV/AS products by vendors, the Cisco NAC Appliance team will update the Supported AV/AS Product List and/or Clean Access Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_ checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."

Clean Access AV Support Chart (Windows Vista/XP/2000)

Table 7 lists Windows Vista/XP/2000 Supported Antivirus Products as of the latest release of the Cisco NAC Appliance software. (See Table 8 for Windows ME/98).

Table 7 Clean Access Antivirus Product Support Chart (Windows Vista/XP/2K)
Version 66, 4.0.6.2 Agent / Release 4.0.6.1

Columns: Product Name | Product Version | Installation check (1)(4) | Virus Definition check (1) | Live Update (2)(3)
The two AV check columns give the minimum Agent version needed in parentheses; "-" means not supported.

AEC, spol. s r.o.
  TrustPort Antivirus | 2.x | yes (4.0.6.0) | - | yes

AhnLab, Inc.
  AhnLab Security Pack | 2.x | yes (3.5.10.1) | yes (3.5.10.1) | yes
  AhnLab V3 Internet Security 2007 Platinum | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes
  AhnLab V3 Internet Security 7.0 Platinum Enterprise | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  V3Pro 2004 | 6.x | yes (3.5.10.1) | yes (3.5.12) | yes
  V3 VirusBlock 2005 | 6.x | yes (4.1.2.0) | yes (4.1.2.0) | -

ALWIL Software
  avast! Antivirus | 4.x | yes (3.5.10.1) | yes (3.5.10.1) | yes
  avast! Antivirus (managed) | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  avast! Antivirus Professional | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

America Online, Inc.
  Active Virus Shield | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  AOL Safety and Security Center Virus Protection | 102.x | yes (4.0.4.0) | yes (4.0.4.0) | -
  AOL Safety and Security Center Virus Protection | 1.x | yes (3.5.11.1) | yes (3.5.11.1) | -
  AOL Safety and Security Center Virus Protection | 210.x | yes (4.0.4.0) | yes (4.0.4.0) | -
  AOL Safety and Security Center Virus Protection | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | -

Authentium, Inc.
  Command Anti-Virus Enterprise | 4.x | yes (3.5.0) | yes (3.5.0) | yes
  Command AntiVirus for Windows | 4.x | yes (3.5.0) | yes (3.5.0) | yes
  Command AntiVirus for Windows Enterprise | 4.x | yes (3.5.2) | yes (3.5.2) | yes
  Cox High Speed Internet Security Suite | 3.x | yes (4.0.4.0) | yes (4.0.4.0) | yes

Avira GmbH
  Avira AntiVir Windows Workstation | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Avira Premium Security Suite | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes

Beijing Rising Technology Corp. Ltd.
  Rising Antivirus Software AV | 17.x | yes (3.5.11.1) | yes (3.5.11.1) | yes
  Rising Antivirus Software AV | 18.x | yes (3.5.11.1) | yes (3.5.11.1) | yes
  Rising Antivirus Software AV | 19.x | yes (4.0.5.0) | yes (4.0.5.0) | yes

BellSouth
  BellSouth Internet Security Anti-Virus | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | -

BullGuard Ltd.
  BullGuard 7.0 | 7.x | yes (4.1.2.0) | yes (4.1.2.0) | -

Check Point, Inc
  ZoneAlarm Anti-virus | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  ZoneAlarm (AntiVirus) | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  ZoneAlarm Security Suite Antivirus | 7.x | yes (4.0.5.0) | yes (4.0.5.0) | yes

ClamAV
  ClamAV | devel-x | yes (4.0.6.0) | yes (4.0.6.0) | yes

ClamWin
  ClamWin Antivirus | 0.x | yes (3.5.2) | yes (3.5.2) | yes
  ClamWin Free Antivirus | 0.x | yes (3.5.4) | yes (3.5.4) | yes

Computer Associates International, Inc.
  CA Anti-Virus | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  CA eTrust Antivirus | 7.x | yes (3.5.0) | yes (3.5.0) | yes
  CA eTrust Internet Security Suite AntiVirus | 7.x | yes (3.5.11) | yes (3.5.11) | yes
  CA eTrustITM Agent | 8.x | yes (3.5.12) | yes (3.5.12) | yes
  eTrust EZ Antivirus | 6.1.x | yes (3.5.3) | yes (3.5.8) | yes
  eTrust EZ Antivirus | 6.2.x | yes (3.5.0) | yes (3.5.0) | yes
  eTrust EZ Antivirus | 6.4.x | yes (3.5.0) | yes (3.5.0) | yes
  eTrust EZ Antivirus | 7.x | yes (3.5.0) | yes (3.5.0) | yes
  eTrust EZ Armor | 6.1.x | yes (3.5.0) | yes (3.5.8) | yes
  eTrust EZ Armor | 6.2.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  eTrust EZ Armor | 7.x | yes (3.5.0) | yes (3.5.0) | yes

Defender Pro LLC
  Defender Pro Anti-Virus | 5.x | yes (4.0.4.0) | yes (4.0.4.0) | yes

EarthLink, Inc.
  Aluria Security Center AntiVirus | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | -
  EarthLink Protection Control Center AntiVirus | 1.x | yes (3.5.10.1) | yes (3.5.10.1) | -
  EarthLink Protection Control Center AntiVirus | 2.x | yes (4.0.5.1) | yes (4.0.5.1) | -

eEye Digital Security
  eEye Digital Security Blink Personal | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | yes
  eEye Digital Security Blink Professional | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | -

Eset Software
  NOD32 antivirus system | 2.x | yes (3.5.5) | yes (3.5.5) | yes

Fortinet Inc.
  FortiClient Consumer Edition | 3.x | yes (4.0.6.0) | yes (4.0.6.0) | yes

Frisk Software International
  F-PROT Antivirus for Windows | 6.0.x | yes (4.0.5.1) | yes (4.0.5.1) | -
  F-Prot for Windows | 3.14e | yes (3.5.0) | yes (3.5.0) | yes
  F-Prot for Windows | 3.15 | yes (3.5.0) | yes (3.5.0) | yes
  F-Prot for Windows | 3.16c | yes (3.5.11) | yes (3.5.11) | yes
  F-Prot for Windows | 3.16d | yes (3.5.11) | yes (3.5.11) | yes
  F-Prot for Windows | 3.16x | yes (3.5.11.1) | yes (3.5.11.1) | yes

F-Secure Corp.
  F-Secure Anti-Virus | 5.x | yes (3.5.0) | yes (3.5.0) | yes
  F-Secure Anti-Virus | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  F-Secure Anti-Virus | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | -
  F-Secure Anti-Virus 2005 | 5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  F-Secure Anti-Virus Client Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  F-Secure Internet Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  F-Secure Internet Security | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | -
  F-Secure Internet Security 2006 Beta | 6.x | yes (3.5.8) | yes (3.5.8) | yes

GData Software AG
  AntiVirusKit 2006 | 2006.x | yes (4.1.0.0) | yes (4.1.0.0) | -

Grisoft, Inc.
  Antivirussystem AVG 6.0 | 6.x | yes (3.5.0) | yes (3.5.0) | -
  AVG 6.0 Anti-Virus - FREE Edition | 6.x | yes (3.5.0) | yes (3.5.0) | -
  AVG 6.0 Anti-Virus System | 6.x | yes (3.5.0) | yes (3.5.0) | -
  AVG 7.5 | 7.x | yes (4.0.4.0) | yes (4.0.4.0) | yes
  AVG Antivirensystem 7.0 | 7.x | yes (3.5.0) | yes (3.5.0) | yes
  AVG Anti-Virus 7.0 | 7.x | yes (3.5.0) | yes (3.5.0) | yes
  AVG Anti-Virus 7.1 | 7.1.x | yes (3.6.3.0) | yes (3.6.3.0) | yes
  AVG Free Edition | 7.x | yes (3.5.0) | yes (3.5.0) | yes

HAURI, Inc.
  ViRobot Desktop | 5.0.x | yes (4.0.5.1) | yes (4.0.5.1) | -

H+BEDV Datentechnik GmbH
  AntiVir PersonalEdition Classic Windows | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  AntiVir/XP | 6.x | yes (3.5.0) | yes (3.5.0) | yes
  Avira AntiVir PersonalEdition Premium | 7.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

IKARUS Software GmbH
  IKARUS Guard NT | 2.x | yes (4.0.6.0) | yes (4.0.6.0) | -
  IKARUS virus utilities | 5.x | yes (4.0.6.0) | yes (4.0.6.0) | -

Internet Security Systems, Inc.
  Proventia Desktop | 8.x | yes (4.0.6.0) | - | -
  Proventia Desktop | 9.x | yes (4.0.6.0) | yes (4.0.6.0) | -

Kaspersky Labs
  Kaspersky Anti-Virus 2006 Beta | 6.0.x | yes (3.5.8) | yes (3.5.8) | -
  Kaspersky Anti-Virus 6.0 | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Kaspersky Anti-Virus 6.0 Beta | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Kaspersky Anti-Virus for Windows File Servers | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  Kaspersky Anti-Virus for Windows Workstations | 5.0.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  Kaspersky Anti-Virus for Windows Workstations | 6.x | yes (4.0.6.0) | yes (4.0.6.0) | yes
  Kaspersky Anti-Virus for Workstation | 5.0.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  Kaspersky Anti-Virus Personal | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes
  Kaspersky Anti-Virus Personal | 5.0.x | yes (3.5.0) | yes (3.5.0) | yes
  Kaspersky Anti-Virus Personal Pro | 5.0.x | yes (3.5.11) | yes (3.5.11) | yes
  Kaspersky Internet Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Kaspersky(TM) Anti-Virus Personal 4.5 | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes
  Kaspersky(TM) Anti-Virus Personal Pro 4.5 | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes

Kingsoft Corp.
  Kingsoft AntiVirus 2004 | 2004.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Kingsoft Internet Security | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes
  Kingsoft Internet Security 2006 + | 2006.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

McAfee, Inc.
  McAfee Internet Security 6.0 | 8.x | yes (3.5.4) | yes (3.5.4) | yes
  McAfee Managed VirusScan | 3.x | yes (3.5.8) | yes (3.5.8) | yes
  McAfee Managed VirusScan | 4.x | yes (4.0.4.0) | yes (4.0.4.0) | yes
  McAfee VirusScan | 10.x | yes (3.5.4) | yes (3.5.4) | yes
  McAfee VirusScan | 11.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  McAfee VirusScan | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes
  McAfee VirusScan | 8.x | yes (3.5.1) | yes (3.5.1) | yes
  McAfee VirusScan | 8xxx | yes (3.5.0) | yes (3.5.0) | yes
  McAfee VirusScan | 9.x | yes (3.5.1) | yes (3.5.1) | yes
  McAfee VirusScan | 9xxx | yes (3.5.0) | yes (3.5.0) | yes
  McAfee VirusScan Enterprise | 7.0.x | yes (3.5.0) | yes (3.5.0) | yes
  McAfee VirusScan Enterprise | 7.1.x | yes (3.5.0) | yes (3.5.0) | yes
  McAfee VirusScan Enterprise | 7.5.x | yes (3.5.0) | yes (3.5.0) | yes
  McAfee VirusScan Enterprise | 8.0.x | yes (3.5.0) | yes (3.5.0) | yes
  McAfee VirusScan Enterprise | 8.x | yes (3.6.5.0) | yes (3.6.5.0) | yes
  McAfee VirusScan Home Edition | 7.x | yes (4.0.6.1) | yes (4.0.6.1) | yes
  McAfee VirusScan Professional | 8.x | yes (3.5.1) | yes (3.5.1) | yes
  McAfee VirusScan Professional | 8xxx | yes (3.5.0) | yes (3.5.0) | yes
  McAfee VirusScan Professional | 9.x | yes (3.5.1) | yes (3.5.1) | yes
  McAfee VirusScan Professional Edition | 7.x | yes (3.5.0) | yes (3.5.0) | yes
  Total Protection for Small Business | 4.x | yes (4.0.5.1) | yes (4.0.5.1) | yes

Microsoft Corp.
  Microsoft Forefront Client Security | 1.5.x | yes (4.0.5.0) | yes (4.0.5.0) | -
  Windows Live OneCare | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | -
  Windows OneCare Live | 0.8.x | yes (3.5.11.1) | - | -

MicroWorld
  eScan Anti-Virus (AV) for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  eScan Corporate for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  eScan Internet Security for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  eScan Professional for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  eScan Virus Control (VC) for Windows | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

Norman ASA
  Norman Virus Control | 5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

Panda Software
  Panda Antivirus 2007 | 2.x | yes (4.0.4.0) | yes (4.0.4.0) | -
  Panda Antivirus 2008 | 3.x | yes (4.0.6.1) | yes (4.0.6.1) | -
  Panda Antivirus 6.0 Platinum | 6 | yes (3.5.0) | yes (3.5.0) | yes
  Panda Antivirus + Firewall 2007 | 6.x | yes (4.0.4.0) | yes (4.0.4.0) | yes
  Panda Antivirus Lite | 1.x | yes (3.5.0) | yes (3.5.0) | -
  Panda Antivirus Lite | 3.x | yes (3.5.9) | yes (3.5.9) | -
  Panda Antivirus Platinum | 7.04.x | yes (3.5.0) | yes (3.5.0) | yes
  Panda Antivirus Platinum | 7.05.x | yes (3.5.0) | yes (3.5.0) | yes
  Panda Antivirus Platinum | 7.06.x | yes (3.5.0) | yes (3.5.0) | yes
  Panda Client Shield | 4.x | yes (4.0.4.0) | yes (4.0.4.0) | -
  Panda Internet Security 2007 | 11.x | yes (4.0.4.0) | yes (4.0.4.0) | yes
  Panda Internet Security 2008 | 12.x | yes (4.0.6.1) | yes (4.0.6.1) | yes
  Panda Platinum 2005 Internet Security | 9.x | yes (3.5.3) | yes (3.5.3) | yes
  Panda Platinum 2006 Internet Security | 10.x | yes (4.0.4.0) | yes (4.0.4.0) | yes
  Panda Platinum Internet Security | 8.03.x | yes (3.5.0) | yes (3.5.0) | yes
  Panda Titanium 2006 Antivirus + Antispyware | 5.x | yes (3.5.10.1) | yes (3.5.10.1) | yes
  Panda Titanium Antivirus 2004 | 3.00.00 | yes (3.5.0) | yes (3.5.0) | yes
  Panda Titanium Antivirus 2004 | 3.01.x | yes (3.5.0) | yes (3.5.0) | yes
  Panda Titanium Antivirus 2004 | 3.02.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Panda Titanium Antivirus 2005 | 4.x | yes (3.5.1) | yes (3.5.1) | yes
  Panda TruPrevent Personal 2005 | 2.x | yes (3.5.3) | yes (3.5.3) | yes
  Panda TruPrevent Personal 2006 | 3.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  WebAdmin Client Antivirus | 3.x | yes (3.5.11) | yes (3.5.11) | -

Radialpoint Inc.
  Radialpoint Virus Protection | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | -
  Zero-Knowledge Systems Radialpoint Security Services Virus Protection | 6.x | yes (4.0.5.1) | yes (4.0.5.1) | yes

SalD Ltd.
  Dr.Web | 4.32.x | yes (3.5.0) | yes (3.5.0) | yes
  Dr.Web | 4.33.x | yes (3.5.11.1) | yes (3.5.11.1) | yes

Sereniti, Inc.
  Sereniti Antivirus | 1.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  The River Home Network Security Suite | 1.x | yes (4.0.5.1) | yes (4.0.5.1) | yes

SOFTWIN
  BitDefender 8 Free Edition | 8.x | yes (3.5.8) | yes (3.5.8) | -
  BitDefender 8 Professional Plus | 8.x | yes (3.5.0) | yes (3.5.0) | -
  BitDefender 8 Standard | 8.x | yes (3.5.0) | yes (3.5.0) | -
  BitDefender 9 Internet Security AntiVirus | 9.x | yes (3.5.11.1) | yes (3.5.11.1) | -
  BitDefender 9 Professional Plus | 9.x | yes (3.5.8) | yes (3.5.8) | yes
  BitDefender 9 Standard | 9.x | yes (3.5.8) | yes (3.5.8) | yes
  BitDefender Antivirus Plus v10 | 10.x | yes (4.0.4.0) | yes (4.0.4.0) | yes
  BitDefender Antivirus v10 | 10.x | yes (4.0.4.0) | yes (4.0.4.0) | yes
  BitDefender Free Edition | 7.x | yes (3.5.0) | yes (3.5.0) | -
  BitDefender Internet Security v10 | 10.x | yes (4.0.4.0) | yes (4.0.4.0) | yes
  BitDefender Professional Edition | 7.x | yes (3.5.0) | yes (3.5.0) | -
  BitDefender Standard Edition | 7.x | yes (3.5.0) | yes (3.5.0) | -

Sophos Plc.
  Sophos Anti-Virus | 3.x | yes (3.5.3) | yes (3.5.3) | -
  Sophos Anti-Virus | 4.x | yes (3.6.3.0) | yes (3.6.3.0) | -
  Sophos Anti-Virus | 5.x | yes (3.5.3) | yes (3.5.3) | yes
  Sophos Anti-Virus | 6.x | yes (4.0.1.0) | yes (4.0.1.0) | yes
  Sophos Anti-Virus | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  Sophos Anti-Virus version 3.80 | 3.8 | yes (3.5.0) | yes (3.5.0) | -

Symantec Corp.
  Norton 360 (Symantec Corporation) | 1.x | yes (4.1.1.0) | yes (4.1.1.0) | yes
  Norton AntiVirus | 10.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus | 14.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Norton AntiVirus | 15.x | yes (4.0.6.1) | yes (4.0.6.1) | yes
  Norton AntiVirus 2002 | 8.00.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2002 | 8.x | yes (3.5.1) | yes (3.5.1) | yes
  Norton AntiVirus 2002 Professional | 8.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2002 Professional Edition | 8.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2003 | 9.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2003 Professional | 9.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2003 Professional Edition | 9.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2004 | 10.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2004 Professional | 10.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2004 Professional Edition | 10.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2004 (Symantec Corporation) | 10.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2005 | 11.0.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton AntiVirus 2006 | 12.0.x | yes (3.5.5) | yes (3.5.5) | yes
  Norton AntiVirus 2006 | 12.x | yes (3.5.5) | yes (3.5.5) | yes
  Norton AntiVirus Corporate Edition | 7.x | yes (3.5.1) | yes (3.5.1) | yes
  Norton Internet Security | 7.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton Internet Security | 8.0.x | yes (3.5.0) | yes (3.5.0) | yes
  Norton Internet Security | 8.2.x | yes (3.5.1) | yes (3.5.1) | yes
  Norton Internet Security | 8.x | yes (3.5.1) | yes (3.5.1) | yes
  Norton Internet Security | 9.x | yes (3.5.10.1) | yes (3.5.10.1) | yes
  Norton Internet Security (Symantec Corporation) | 10.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Norton SystemWorks 2003 | 6.x | yes (3.5.3) | yes (3.5.3) | yes
  Norton SystemWorks 2004 Professional | 7.x | yes (3.5.4) | yes (3.5.4) | yes
  Norton SystemWorks 2005 | 8.x | yes (3.5.3) | yes (3.5.3) | yes
  Norton SystemWorks 2005 Premier | 8.x | yes (3.5.3) | yes (3.5.3) | yes
  Norton SystemWorks 2006 Premier | 12.0.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Symantec AntiVirus | 10.x | yes (3.5.3) | yes (3.5.3) | yes
  Symantec AntiVirus | 9.x | yes (3.5.0) | yes (3.5.0) | yes
  Symantec AntiVirus Client | 8.x | yes (3.5.0) | yes (3.5.0) | yes
  Symantec AntiVirus Server | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Symantec AntiVirus Win64 | 10.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  Symantec Client Security | 10.x | yes (3.5.3) | yes (3.5.3) | yes
  Symantec Client Security | 9.x | yes (3.5.0) | yes (3.5.0) | yes
  Symantec Endpoint Protection | 11.x | yes (4.0.6.1) | yes (4.0.6.1) | yes
  Symantec Scan Engine | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | -

Trend Micro, Inc.
  PC-cillin 2002 | 9.x | yes (3.5.1) | yes (3.5.1) | -
  PC-cillin 2003 | 10.x | yes (3.5.0) | yes (3.5.0) | -
  ServerProtect | 5.x | yes (4.1.0.0) | yes (3.6.5.0) | -
  Trend Micro Antivirus | 11.x | yes (3.5.0) | yes (3.5.0) | yes
  Trend Micro AntiVirus | 15.x | yes (3.6.5.0) | yes (3.6.5.0) | -
  Trend Micro Client/Server Security | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
  Trend Micro Client/Server Security Agent | 7.x | yes (3.5.12) | yes (3.5.12) | yes
  Trend Micro HouseCall | 1.x | yes (4.0.1.0) | yes (4.0.1.0) | -
  Trend Micro Internet Security | 11.x | yes (3.5.0) | yes (3.5.0) | yes
  Trend Micro Internet Security | 12.x | yes (3.5.0) | yes (3.5.0) | -
  Trend Micro OfficeScan Client | 5.x | yes (3.5.1) | yes (3.5.1) | yes
  Trend Micro OfficeScan Client | 6.x | yes (3.5.1) | yes (3.5.1) | yes
  Trend Micro OfficeScan Client | 7.x | yes (3.5.3) | yes (3.5.3) | yes
  Trend Micro OfficeScan Client | 8.x | yes (4.0.5.0) | yes (4.0.5.0) | yes
  Trend Micro PC-cillin 2004 | 11.x | yes (3.5.0) | yes (3.5.0) | yes
  Trend Micro PC-cillin Internet Security 12 | 12.x | yes (4.0.1.0) | yes (4.0.1.0) | -
  Trend Micro PC-cillin Internet Security 14 | 14.x | yes (4.0.1.0) | yes (4.0.1.0) | yes
  Trend Micro PC-cillin Internet Security 2005 | 12.x | yes (3.5.3) | yes (3.5.3) | yes
  Trend Micro PC-cillin Internet Security 2006 | 14.x | yes (3.5.8) | yes (3.5.8) | yes
  Trend Micro PC-cillin Internet Security 2007 | 15.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

VCOM
  Fix-It Utilities 7 Professional [AntiVirus] | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  SystemSuite 7 Professional [AntiVirus] | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
  VCOM Fix-It Utilities Professional 6 [AntiVirus] | 6.x | yes (4.0.6.1) | yes (4.0.6.1) | yes

Verizon
  Verizon Internet Security Suite Anti-Virus | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | -

Yahoo!, Inc.
  AT&T Yahoo! Online Protection [AntiVirus] | 7.x | yes (4.0.6.1) | yes (4.0.6.1) | yes
  SBC Yahoo! Anti-Virus | 7.x | yes (3.5.10.1) | yes (3.5.10.1) | yes
  Verizon Yahoo! Online Protection [AntiVirus] | 7.x | yes (4.0.6.1) | yes (4.0.6.1) | yes

Zone Labs LLC
  ZoneAlarm Anti-virus | 6.x | yes (3.5.5) | yes (3.5.5) | -
  ZoneAlarm Security Suite | 5.x | yes (3.5.0) | yes (3.5.0) | -
  ZoneAlarm Security Suite | 6.x | yes (3.5.5) | yes (3.5.5) | -
  ZoneAlarm with Antivirus | 5.x | yes (3.5.0) | yes (3.5.0) | -

[1] "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).

[2] The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.

[3] For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server). If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.

[4] For a new installation of Sophos 5.x and 6.x, the definition date is empty until the first update.
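The footnotes above describe three behaviours an administrator has to reason about when an AV Definition requirement is evaluated: the check is only available from a minimum Agent version (footnote 1), the Update button either launches the product's own updater or shows a message (footnote 2), and a freshly installed Sophos client reports an empty definition date (footnote 4). The following Python is an added example, not Cisco code and not the CAM/Agent's actual algorithm: it models one plausible policy for such a check. The chart rows are copied from the tables on this page except the Sophos row, whose minimum Agent versions are placeholders, and the client reports are constructed sample data. The rule for choosing Def Version over Def Date, the 7-day freshness window, and failing closed on an empty date are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.5.10.1' -> (3, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(p) for p in v.strip().split("."))


def version_matches(installed: str, pattern: str) -> bool:
    """Match an installed version against a chart pattern such as '8.x',
    '8.00.x' or '1.3'. 'x' matches any remaining components; a pattern
    without 'x' must match every component (assumed semantics)."""
    inst = installed.split(".")
    parts = pattern.split(".")
    for i, part in enumerate(parts):
        if part == "x":
            return True
        if i >= len(inst) or int(inst[i]) != int(part):
            return False
    return len(inst) == len(parts)


@dataclass
class ChartEntry:
    product: str
    version_pattern: str
    min_agent_install: Optional[str]  # None where the chart shows '-'
    min_agent_def: Optional[str]
    live_update: bool


# Constructed chart: the first two rows are from the charts above; the Sophos
# row uses PLACEHOLDER minimum Agent versions (its rows are not in this section).
CHART = [
    ChartEntry("Symantec AntiVirus", "9.x", "3.5.0", "3.5.0", True),
    ChartEntry("Trend Micro HouseCall", "1.x", "4.0.1.0", "4.0.1.0", False),
    ChartEntry("Sophos Anti-Virus", "6.x", "4.0.1.0", "4.0.1.0", False),  # placeholders
]


@dataclass
class ClientReport:
    product: str
    version: str
    def_version: Optional[str]  # None if the product reports no definition version
    def_date: Optional[date]    # None when the date is empty (footnote 4 case)


def find_entry(product: str, version: str, chart=CHART) -> Optional[ChartEntry]:
    for e in chart:
        if e.product == product and version_matches(version, e.version_pattern):
            return e
    return None


def evaluate_def_check(report: ClientReport, agent_version: str, today: date,
                       required_def_version: Optional[str] = None,
                       max_age_days: int = 7, chart=CHART) -> Tuple[str, str]:
    """Evaluate an AV Definition check; returns (verdict, reason) with verdict
    'pass', 'fail' or 'unsupported'. Assumed policy: use Def Version when the
    rule supplies one and the client reports one, else Def Date within a
    freshness window; an empty date fails closed rather than passing."""
    entry = find_entry(report.product, report.version, chart)
    if entry is None or entry.min_agent_def is None:
        return "unsupported", "no Virus Definition check in chart for this product/version"
    if parse_version(agent_version) < parse_version(entry.min_agent_def):
        return "unsupported", f"Agent {agent_version} is older than minimum {entry.min_agent_def}"
    if required_def_version is not None and report.def_version is not None:
        ok = parse_version(report.def_version) >= parse_version(required_def_version)
        return ("pass" if ok else "fail"), f"Def Version {report.def_version} vs required {required_def_version}"
    if report.def_date is None:
        return "fail", "definition date is empty (e.g. new Sophos install before first update)"
    age = (today - report.def_date).days
    return ("pass" if age <= max_age_days else "fail"), f"Def Date is {age} day(s) old"


def remediation_action(entry: ChartEntry) -> str:
    """Footnote 2: with Live Update the Update button runs the AV product's own
    updater; otherwise the user gets a message with alternate instructions."""
    return "launch_product_update" if entry.live_update else "show_update_instructions"


def run_samples() -> dict:
    """Constructed sample clients evaluated with Agent 4.0.6.2 on a fixed date."""
    today, agent = date(2007, 10, 15), "4.0.6.2"
    symantec = ClientReport("Symantec AntiVirus", "9.0.5", "2007.10.12.3", date(2007, 10, 12))
    housecall = ClientReport("Trend Micro HouseCall", "1.2", None, date(2007, 9, 1))
    sophos_fresh = ClientReport("Sophos Anti-Virus", "6.5", None, None)
    unknown = ClientReport("Example AV", "1.0", None, today)
    return {
        "symantec_by_version": evaluate_def_check(symantec, agent, today, "2007.10.1.0")[0],
        "symantec_old_agent": evaluate_def_check(symantec, "3.0.0", today)[0],
        "housecall_stale_date": evaluate_def_check(housecall, agent, today)[0],
        "housecall_wide_window": evaluate_def_check(housecall, agent, today, max_age_days=60)[0],
        "sophos_fresh_install": evaluate_def_check(sophos_fresh, agent, today)[0],
        "unknown_product": evaluate_def_check(unknown, agent, today)[0],
        "symantec_remediation": remediation_action(find_entry("Symantec AntiVirus", "9.0.5")),
        "housecall_remediation": remediation_action(find_entry("Trend Micro HouseCall", "1.2")),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

The fresh Sophos case is the one worth noting: an empty definition date compared naively as "not older than N days" would pass, so the example treats it as a failed check that sends the user to remediation until the first update has run.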


Clean Access AV Support Chart (Windows ME/98)

Table 8 lists Windows ME/98 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 7 for Windows Vista/XP/2000.)

Table 8 Clean Access Antivirus Product Support Chart (Windows ME/98)
Version 66, 4.0.6.2 Agent / Release 4.0.6.1

Columns: Product Name | Product Version | Installation check | Virus Definition check | Live Update [2][3]
(The two AV Checks Supported columns show "yes" with the minimum Agent version needed in parentheses [1]; "-" means no support is listed.)

Beijing Rising Technology Corp. Ltd.
Rising Antivirus Software AV | 18.x | yes (4.0.5.0) | yes (4.0.5.0) | yes

Computer Associates International, Inc.
CA eTrust Antivirus | 7.x | yes (3.5.3) | yes (3.5.3) | yes
eTrust EZ Antivirus | 6.1.x | yes (3.5.0) | yes (3.5.8) | yes
eTrust EZ Antivirus | 6.2.x | yes (3.5.0) | yes (3.5.0) | yes
eTrust EZ Antivirus | 6.4.x | yes (3.5.0) | yes (3.5.0) | yes
eTrust EZ Antivirus | 7.x | yes (3.5.3) | yes (3.5.3) | yes
eTrust EZ Armor | 6.1.x | yes (3.5.3) | yes (3.5.8) | yes

McAfee, Inc.
McAfee Managed VirusScan | 3.x | yes (3.5.8) | yes (3.5.8) | yes
McAfee VirusScan | 10.x | yes (3.5.4) | yes (3.5.4) | yes
McAfee VirusScan | 4.5.x | yes (3.5.0) | yes (3.5.0) | yes
McAfee VirusScan | 8.x | yes (3.5.3) | yes (3.5.3) | yes
McAfee VirusScan | 9.x | yes (3.5.3) | yes (3.5.3) | yes
McAfee VirusScan Professional | 8.x | yes (3.5.3) | yes (3.5.3) | yes
McAfee VirusScan Professional | 8xxx | yes (3.5.0) | yes (3.5.0) | yes
McAfee VirusScan Professional | 9.x | yes (3.5.3) | yes (3.5.3) | yes
McAfee VirusScan Professional Edition | 7.x | yes (3.5.0) | yes (3.5.0) | yes

SOFTWIN
BitDefender 8 Free Edition | 8.x | yes (3.5.8) | yes (3.5.8) | -
BitDefender 8 Professional Plus | 8.x | yes (3.5.0) | yes (3.5.0) | -
BitDefender 8 Standard | 8.x | yes (3.5.0) | yes (3.5.0) | -
BitDefender 9 Professional Plus | 9.x | yes (3.5.8) | yes (3.5.8) | -
BitDefender 9 Standard | 9.x | yes (3.5.8) | yes (3.5.8) | -
BitDefender Free Edition | 7.x | yes (3.5.0) | yes (3.5.0) | -
BitDefender Professional Edition | 7.x | yes (3.5.0) | yes (3.5.0) | -
BitDefender Standard Edition | 7.x | yes (3.5.0) | yes (3.5.0) | -

Symantec Corp.
Norton AntiVirus | 10.x | yes (3.5.0) | yes (3.5.0) | yes
Norton AntiVirus 2002 | 8.00.x | yes (3.5.0) | yes (3.5.0) | yes
Norton AntiVirus 2002 | 8.x | yes (3.5.1) | yes (3.5.1) | yes
Norton AntiVirus 2003 | 9.x | yes (3.5.0) | yes (3.5.0) | yes
Norton AntiVirus 2003 Professional Edition | 9.x | yes (3.5.3) | yes (3.5.3) | yes
Norton AntiVirus 2004 | 10.x | yes (3.5.0) | yes (3.5.0) | yes
Norton AntiVirus 2004 (Symantec Corporation) | 10.x | yes (3.5.0) | yes (3.5.0) | yes
Norton AntiVirus 2005 | 11.0.x | yes (3.5.0) | yes (3.5.0) | yes
Norton Internet Security | 8.0.x | yes (3.5.0) | yes (3.5.0) | yes
Norton Internet Security | 8.x | yes (3.5.1) | yes (3.5.1) | yes
Symantec AntiVirus | 10.x | yes (4.0.5.0) | yes (4.0.5.0) | yes
Symantec AntiVirus | 9.x | yes (3.5.8) | yes (3.5.3) | yes
Symantec AntiVirus Client | 8.x | yes (3.5.9) | yes (3.5.9) | yes

Trend Micro, Inc.
PC-cillin 2003 | 10.x | yes (3.5.0) | yes (3.5.0) | -
Trend Micro Internet Security | 11.x | yes (3.5.0) | yes (3.5.0) | -
Trend Micro Internet Security | 12.x | yes (3.5.0) | yes (3.5.0) | -
Trend Micro OfficeScan Client | 7.x | yes (4.0.5.0) | yes (4.0.5.0) | -
Trend Micro PC-cillin 2004 | 11.x | yes (3.5.0) | yes (3.5.0) | -
Trend Micro PC-cillin Internet Security 2005 | 12.x | yes (3.5.3) | yes (3.5.3) | -

[1] "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).

[2] The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.

[3] For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server). If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.


Clean Access AS Support Chart (Windows Vista/XP/2000)

Table 9 lists Windows Vista/XP/2000 Supported Antispyware Products as of the latest release of the Cisco Clean Access software.

Table 9 Clean Access Antispyware Product Support Chart (Windows Vista/XP/2000)
Version 66, 4.0.6.2 Agent / Release 4.0.6.1

Columns: Product Name | Product Version | Installation check | Spyware Definition check | Live Update [2]
(The two AS Checks Supported columns show "yes" with the minimum Agent version needed in parentheses [1]; "-" means no support is listed.)

AhnLab, Inc.
AhnLab SpyZero 2.0 | 2.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
AhnLab SpyZero 2007 | 3.x | yes (3.6.5.0) | yes (3.6.5.0) | yes
AhnLab V3 Internet Security 2007 Platinum AntiSpyware | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
AhnLab V3 Internet Security 7.0 Platinum Enterprise AntiSpyware | 7.x | yes (4.1.2.0) | yes (4.1.2.0) | yes

America Online, Inc.
AOL Safety and Security Center Spyware Protection | 2.0.x | yes (4.1.0.0) | - | -
AOL Safety and Security Center Spyware Protection | 2.1.x | yes (4.1.0.0) | yes (4.1.0.0) | -
AOL Safety and Security Center Spyware Protection | 2.2.x | yes (4.1.0.0) | yes (4.1.0.0) | -
AOL Safety and Security Center Spyware Protection | 2.3.x | yes (4.1.0.0) | yes (4.1.0.0) | -
AOL Safety and Security Center Spyware Protection | 2.x | yes (3.6.1.0) | yes (3.6.1.0) | -
AOL Spyware Protection | 1.x | yes (3.6.0.0) | yes (3.6.0.0) | -
AOL Spyware Protection | 2.x | yes (3.6.0.0) | - | -

Anonymizer, Inc.
Anonymizer Anti-Spyware | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | -
Anonymizer Anti-Spyware | 3.x | yes (4.1.0.0) | yes (4.1.0.0) | -

Authentium, Inc.
Cox High Speed Internet Security Suite | 3.x | yes (4.0.4.0) | - | yes

BellSouth
BellSouth Internet Security Anti-Spyware | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | -

Bullet Proof Soft
BPS Spyware & Adware Remover | 9.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
BPS Spyware-Adware Remover | 8.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
BPS Spyware Remover | 9.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

Check Point, Inc
ZoneAlarm (AntiSpyware) | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
ZoneAlarm Anti-Spyware | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
ZoneAlarm Pro Antispyware | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
ZoneAlarm Security Suite Antispyware | 7.x | yes (4.0.5.0) | yes (4.0.5.0) | yes

Computer Associates International, Inc.
CA eTrust Internet Security Suite AntiSpyware | 5.x | yes (3.6.1.0) | yes (3.6.1.0) | yes
CA eTrust Internet Security Suite AntiSpyware | 8.x | yes (4.1.2.0) | yes (4.1.2.0) | yes
CA eTrust Internet Security Suite AntiSpyware | 9.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
CA eTrust PestPatrol | 5.x | yes (3.6.1.0) | yes (4.0.6.0) | yes
CA eTrust PestPatrol Anti-Spyware | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
CA eTrust PestPatrol Anti-Spyware Corporate Edition | 5.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
PestPatrol Corporate Edition | 4.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
PestPatrol Standard Edition (Evaluation) | 4.x | yes (3.6.0.0) | yes (3.6.0.0) | yes

EarthLink, Inc.
Aluria Security Center AntiSpyware | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | -
EarthLink Protection Control Center AntiSpyware | 1.x | yes (3.6.0.0) | yes (3.6.0.0) | -
EarthLink Protection Control Center AntiSpyware | 2.x | yes (4.0.6.0) | - | -
Primary Response SafeConnect | 2.x | yes (3.6.5.0) | - | -

FaceTime Communications, Inc.
X-Cleaner Deluxe | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

Grisoft, Inc.
AVG Anti-Malware [AntiSpyware] | 7.x | yes (4.1.2.0) | - | -
AVG Anti-Spyware 7.5 | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | -

Javacool Software LLC
SpywareBlaster v3.1 | 3.1.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
SpywareBlaster v3.2 | 3.2.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
SpywareBlaster v3.3 | 3.3.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
SpywareBlaster v3.4 | 3.4.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
SpywareBlaster v3.5.1 | 3.5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

Kingsoft Corp.
Kingsoft Internet Security [AntiSpyware] | 7.x | yes (4.0.6.1) | yes (4.0.6.1) | yes

Lavasoft, Inc.
Ad-Aware 2007 Professional | 7.x | yes (4.0.6.1) | - | yes
Ad-aware 6 Professional | 6.x | yes (3.6.0.0) | yes (3.6.0.0) | -
Ad-Aware SE Personal | 1.x | yes (3.6.0.0) | yes (3.6.0.0) | -
Ad-Aware SE Professional | 1.x | yes (3.6.1.0) | yes (3.6.1.0) | yes

McAfee, Inc.
McAfee AntiSpyware | 1.5.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
McAfee AntiSpyware | 1.x | yes (3.6.0.0) | yes (4.1.0.0) | yes
McAfee AntiSpyware | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
McAfee AntiSpyware Enterprise | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
McAfee Anti-Spyware Enterprise Module | 8.0.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
McAfee VirusScan AS | 11.x | yes (4.0.6.1) | yes (4.0.6.1) | yes

MicroSmarts LLC
Spyware Begone | 4.x | yes (3.6.0.0) | - | -
Spyware Begone | 6.x | yes (4.1.0.0) | - | -
Spyware Begone | 8.x | yes (4.1.0.0) | - | -
Spyware Begone Free Scan | 7.x | yes (3.6.0.0) | - | -
Spyware Begone V7.30 | 7.30.x | yes (3.6.1.0) | - | -
Spyware Begone V7.40 | 7.40.x | yes (3.6.1.0) | - | -
Spyware Begone V7.95 | 7.95.x | yes (4.1.0.0) | - | -
Spyware Begone V8.20 | 8.20.x | yes (4.1.0.0) | - | -
Spyware Begone V8.25 | 8.25.x | yes (4.1.0.0) | - | -

Microsoft Corp.
Microsoft AntiSpyware | 1.x | yes (4.0.6.0) | - | yes
Windows Defender | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
Windows Defender Vista | 1.x | yes (4.0.5.0) | yes (4.0.5.0) | yes

PC Tools Software
Spyware Doctor | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
Spyware Doctor | 5.x | yes (4.0.6.0) | - | yes
Spyware Doctor 3.0 | 3.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
Spyware Doctor 3.1 | 3.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
Spyware Doctor 3.2 | 3.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
Spyware Doctor 3.5 | 3.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
Spyware Doctor 3.8 | 3.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

Prevx Ltd.
Prevx1 | 1.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
Prevx1 | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
Prevx Home | 2.x | yes (3.6.0.0) | yes (3.6.0.0) | -

Radialpoint Inc.
Radialpoint Spyware Protection | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | -
Zero-Knowledge Systems Radialpoint Security Services Spyware Protection | 6.x | yes (4.0.6.0) | yes (4.0.6.0) | yes

Safer Networking Ltd.
Spybot - Search & Destroy 1.3 | 1.3 | yes (3.6.0.0) | yes (3.6.0.0) | yes
Spybot - Search & Destroy 1.4 | 1.4 | yes (3.6.0.0) | yes (3.6.0.0) | yes
Spybot - Search & Destroy 1.5 | 1.x | yes (4.0.6.1) | yes (4.0.6.1) | -

Sereniti, Inc.
Sereniti Antispyware | 1.x | yes (4.0.6.0) | - | yes
The River Home Network Security Suite Antispyware | 1.x | yes (4.0.6.0) | - | yes

SOFTWIN
BitDefender 9 Antispyware | 9.x | yes (4.1.0.0) | yes (4.1.0.0) | -

Sunbelt Software
CounterSpy Enterprise Agent | 1.8.x | yes (4.0.6.0) | - | -
Sunbelt CounterSpy | 1.x | yes (3.6.0.0) | - | yes
Sunbelt CounterSpy | 2.x | yes (4.0.6.0) | - | yes

Symantec Corp.
Norton Spyware Scan | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | -

Trend Micro, Inc.
Trend Micro Anti-Spyware | 3.5.x | yes (4.0.5.1) | yes (4.0.5.1) | -
Trend Micro Anti-Spyware | 3.x | yes (3.6.0.0) | - | -
Trend Micro PC-cillin Internet Security 2007 AntiSpyware | 15.x | yes (4.1.0.0) | - | yes

VCOM
Fix-It Utilities 7 Professional [AntiSpyware] | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
SystemSuite 7 Professional [AntiSpyware] | 7.x | yes (4.0.5.1) | yes (4.0.5.1) | yes
VCOM Fix-It Utilities Professional 6 [AntiSpyware] | 6.x | yes (4.0.6.1) | yes (4.0.6.1) | yes

Verizon
Verizon Internet Security Suite Anti-Spyware | 5.x | yes (4.0.5.1) | yes (4.0.5.1) | -

Webroot Software, Inc.
Spy Sweeper | 3.x | yes (3.6.0.0) | - | -
Spy Sweeper | 4.x | yes (3.6.0.0) | - | -
Spy Sweeper | 5.x | yes (4.1.0.0) | - | -
Webroot Spy Sweeper Enterprise Client | 1.x | yes (3.6.0.0) | - | -
Webroot Spy Sweeper Enterprise Client | 2.x | yes (3.6.1.0) | - | -
Webroot Spy Sweeper Enterprise Client | 3.x | yes (4.0.5.1) | - | -

Yahoo!, Inc.
AT&T Yahoo! Online Protection | 2006.x | yes (4.0.6.1) | yes (4.0.6.1) | yes
SBC Yahoo! Applications | 2005.x | yes (3.6.0.0) | yes (3.6.0.0) | yes
Verizon Yahoo! Online Protection | 2005.x | yes (4.0.6.1) | yes (4.0.6.1) | yes
Yahoo! Anti-Spy | 1.x | yes (3.6.0.0) | yes (3.6.0.0) | -

Zone Labs LLC
Integrity Agent | 6.x | yes (4.1.2.0) | yes (4.1.2.0) | -

[1] "Yes" in the AS Checks Supported columns indicates the Agent supports the AS Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).

[2] The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AS Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AS product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.


Supported AV/AS Product List Version Summary

Table 10 details enhancements made per version of the Supported Antivirus/Antispyware Product List. See Clean Access Supported AV/AS Product List for the latest Supported AV list as of the latest release. See New and Changed Information for the release feature list.

Table 10 Supported AV/AS Product List Versions

Version
Enhancements

Release 4.0.6.1—4.0.6.2 Agent

Version 66

AV Chart (Windows Vista/XP/2000) added live update support for new product:

Trend Micro OfficeScan Client 8.x

Version 65

Minor internally used data change

Release 4.0.6.1—4.0.6.1 Agent

Version 64

AV Chart (Windows Vista/XP/2000) added support for new products:

McAfee VirusScan Home Edition, 7.x

Panda Antivirus 2008, 3.x

Panda Internet Security 2008, 12.x

Norton AntiVirus, 15.x

Symantec Endpoint Protection, 11.x

VCOM Fix-It Utilities Professional 6 [AntiVirus], 6.x

AT&T Yahoo! Online Protection [AntiVirus], 7.x

Verizon Yahoo! Online Protection [AntiVirus], 7.x

Added Live Update for the following AV product:

eEye Digital Security Blink Personal, 3.x

AS Chart (Windows Vista/XP/2000) added support for new products:

Kingsoft Internet Security [AntiSpyware], 7.x

Ad-Aware 2007 Professional, 7.x

McAfee VirusScan AS, 11.x

Spybot - Search & Destroy 1.5, 1.x

VCOM Fix-It Utilities Professional 6 [AntiSpyware], 6.x

AT&T Yahoo! Online Protection, 2006.x

Verizon Yahoo! Online Protection, 2005.x

Release 4.0(6)—4.0.6.0 Agent

Version 63

AV Chart (Windows Vista/XP/2000) added support for new products:

V3 VirusBlock 2005, 6.x

BullGuard 7.0, 7.x

eEye Digital Security Blink Personal, 3.x

eEye Digital Security Blink Professional, 3.x

FortiClient Consumer Edition, 3.x

IKARUS Guard NT, 2.x

IKARUS virus utilities, 5.x

Kaspersky Anti-Virus for Windows Workstations, 6.x

TrustPort Antivirus, 2.x

Proventia Desktop, 8.x

Proventia Desktop, 9.x

ClamAV, devel-x

AS Chart (Windows Vista/XP/2000)added support for new products:

AhnLab V3 Internet Security 7.0 Platinum Enterprise AntiSpyware, 7.x

CA eTrust Internet Security Suite AntiSpyware, 8.x

AVG Anti-Malware [AntiSpyware], 7.x

Integrity Agent, 6.x

Spyware Doctor, 5.x

EarthLink Protection Control Center AntiSpyware, 2.x

Microsoft AntiSpyware, 1.x

Sereniti Antispyware, 1.x

The River Home Network Security Suite Antispyware, 1.x

Zero-Knowledge Systems Radialpoint Security Services Spyware Protection, 6.x

CounterSpy Enterprise Agent, 1.8.x

Sunbelt CounterSpy, 2.x

Webroot Spy Sweeper Enterprise Client, 3.x

Version 62, 61, and 60

Minor internally used data change

Release 4.0(5)—4.0.5.1 Agent

Version 59

AV Chart (Windows Vista/XP/2000) added support for new products:

AhnLab V3 Internet Security 7.0 Platinum Enterprise, 7.x

BellSouth Internet Security Anti-Virus, 5.x

ZoneAlarm Anti-virus, 7.x

ZoneAlarm (AntiVirus), 7.x

ClamAV, devel-x

EarthLink Protection Control Center AntiVirus, 2.x

F-PROT Antivirus for Windows, 6.0.x

ViRobot Desktop, 5.0.x

Kaspersky Anti-Virus for Windows File Servers, 5.x

Kaspersky Anti-Virus for Windows Workstations, 5.0.x

Kaspersky Anti-Virus for Workstation, 5.0.x

Total Protection for Small Business, 4.x

Radialpoint Virus Protection, 5.x

Zero-Knowledge Systems Radialpoint Security Services Virus Protection, 6.x

Sereniti Antivirus, 1.x

The River Home Network Security Suite, 1.x

Sophos Anti-Virus, 7.x

Symantec AntiVirus Win64, 10.x

Symantec Scan Engine, 5.x

Fix-It Utilities 7 Professional [AntiVirus], 7.x

SystemSuite 7 Professional [AntiVirus], 7.x

Verizon Internet Security Suite Anti-Virus, 5.x

Version 59 (continued)

AS Chart (Windows Vista/XP/2000) added support for new products:

AhnLab V3 Internet Security 2007 Platinum AntiSpyware, 7.x

BellSouth Internet Security Anti-Spyware, 5.x

ZoneAlarm (AntiSpyware), 7.x

AVG Anti-Spyware 7.5, 7.x

McAfee Anti-Spyware Enterprise Module, 8.0.x

ZoneAlarm Anti-Spyware, 7.x

ZoneAlarm Pro Antispyware, 7.x

Radialpoint Spyware Protection, 5.x

Zero-Knowledge Systems Radialpoint Security Services Spyware Protection, 6.x

Trend Micro Anti-Spyware, 3.5.x

Fix-It Utilities 7 Professional [AntiSpyware], 7.x

SystemSuite 7 Professional [AntiSpyware], 7.x

Verizon Internet Security Suite Anti-Spyware, 5.x

Version 58

AV Chart (Windows Vista/XP/2000) added support for new product:

Check Point ZoneAlarm Security Suite Antivirus 7.x

AS Chart (Windows Vista/XP/2000) added support for new product:

Check Point ZoneAlarm Security Suite Antispyware 7.x

Version 57

AV Chart (Windows Vista/XP/2000):

Added def date support for Sophos Anti-Virus 6.x

Version 56

Minor internally used data change

Version 55

AV Chart (Windows Vista/XP/2000) added support for new products:

AhnLab V3 Internet Security 2007 Platinum, 7.x

Kingsoft Internet Security, 7.x

McAfee VirusScan Enterprise, 8.x

Trend Micro AntiVirus, 15.x

Rising Antivirus Software AV, 19.x

Microsoft Forefront Client Security, 1.5.x

Trend Micro OfficeScan Client, 8.x

AV Chart (Windows ME/98) added support for new products:

Rising Antivirus Software AV, 18.x

Symantec AntiVirus, 10.x

Trend Micro OfficeScan Client, 7.x

AS Chart (Windows Vista/XP/2000) added support for new products:

AhnLab SpyZero 2007, 3.x

Primary Response SafeConnect, 2.x

Windows Defender Vista, 1.x

Release 4.0(5)
Release 4.0(4)—4.0.4.0 Agent

Version 54, 53, 52, 51, 50, 49, 48

Minor internally used data changes

Version 47

AV Chart (Windows Vista/XP/2000): support added for the following new products:

AOL Safety and Security Center Virus Protection, 102.x

AOL Safety and Security Center Virus Protection, 210.x

Cox High Speed Internet Security Suite, 3.x

F-Secure Anti-Virus, 7.x

F-Secure Internet Security, 7.x

AVG 7.5, 7.x

McAfee Managed VirusScan, 4.x

Panda Antivirus 2007, 2.x

Panda Antivirus + Firewall 2007, 6.x

Panda ClientShield, 4.x

Panda Internet Security 2007, 11.x

Panda Platinum 2006 Internet Security, 10.x

BitDefender Antivirus Plus v10, 10.x

BitDefender Antivirus v10, 10.x

BitDefender Internet Security v10, 10.x

AS Chart (Windows Vista/XP/2000): support added for the following new product:

Cox High Speed Internet Security Suite, 3.x

Version 46 and 45

Minor internally used data changes

Release 4.0.3.2/4.0.3.1/4.0(3)—4.0.2.0 Agent
Release 4.0(2)—4.0.1.0 Agent

Version 44

Minor internally used data change

Release 4.0(1)—4.0.1.0 Agent

Version 43

AV Chart (Windows XP/2000): support added for the following new products:

Sophos Anti-Virus, 6.x

Trend Micro HouseCall, 1.x

Trend Micro PC-cillin Internet Security 12, 12.x

Trend Micro PC-cillin Internet Security 14, 14.x

Release 4.0(0)—4.0.0.1/4.0.0.0 Agent

Version 42, 41, 40, 39, 38

Minor internally used data change

Version 37

AV Chart (Windows XP/2000): Live Update support added for Trend Micro OfficeScan Client 5.x, 6.x and 7.x.


Clean Access Agent Version Summary

This section consolidates information for the Clean Access Agent client software. Table 11 lists the latest enhancements per version of the Clean Access Agent. Unless otherwise noted, enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions.

See Clean Access Supported AV/AS Product List for details on related AV/AS support.

Table 11 Clean Access Agent Versions

Agent Version [1]
Feature / Enhancement

4.0.6.2

Version 4.0.6.2 of the Clean Access Agent includes fixes for the following caveats:

CSCsk20213

CSCsk45258

CSCsk68388

Note The 4.0.6.1 and later Agents perform authentication only for 64-bit client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1.

Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform remediation on the client machine.

Adds support as described in Supported AV/AS Product List Version Summary. See also Clean Access Agent (4.0.6.2).

4.0.6.1

Release 4.0.6.1 introduces a Clean Access Agent that performs authentication on 64-bit client operating systems (i.e., Windows Vista and Windows XP). The 64-bit operating systems supported by this function are:

Windows XP Professional x64

Windows Vista Home Basic x64

Windows Vista Home Premium x64

Windows Vista Business x64

Windows Vista Ultimate x64

Windows Vista Enterprise x64

Note The 4.0.6.1 Agent performs authentication only for 64-bit client operating systems. Once the user is authenticated, the Agent does not perform posture assessment or remediation. To support 64-bit operating system Agents, the CAM and CAS must also be running release 4.0.6.1.

Because Cisco NAC Appliance provides authentication-only support for 64-bit operating system Agents, Nessus scanning via the Clean Access Agent does not perform remediation on the client machine.

Version 4.0.6.1 of the Clean Access Agent includes fixes for the following caveats:

CSCsj49408

CSCsk01928

CSCsk15081

CSCsk27579

Adds support as described in Supported AV/AS Product List Version Summary. See also Clean Access Agent (4.0.6.1).

4.0.6.0

Version 4.0.6.0 of the Clean Access Agent includes fixes for the following caveats: CSCsi24168, CSCsj29701, CSCsj30409, CSCsj43375

Adds support for stub installer on Windows Vista Operating System

Note When non-admin users install/uninstall the Agent through stub service on Windows Vista, they will see an "Interactive Services Dialog Detection" dialog. If the user is installing, no input is required in the dialog session—it will automatically disappear. If the client machine is fast, the user may not even see the dialog appear at all, so the resulting behavior is as if the Agent gets silently installed after a few seconds. When uninstalling, however, the uninstall process does not complete until the user responds to a prompt inside the dialog.

This is expected behavior because, unlike earlier Windows operating systems, Windows Vista services run in an isolated session (session 0) from user sessions, and thus do not have access to video drivers. As a workaround for interactive services like the Agent stub installer, Windows Vista uses an Interactive Service Detection Service to prompt users for user input for interactive services and enable access to dialogs created by interactive services. The "Interactive Service Detection Service" will automatically launch by default and, in most cases, users are not required to do anything. If the service is disabled for some reason, however, Agent installation by non-admin users will not function.

Adds support as described in Supported AV/AS Product List Version Summary

See also Known Issue with MSI Agent Installer File Name and Clean Access Agent (4.0.6.0).

4.0.5.1

Version 4.0.5.1 of the Clean Access Agent includes fixes for the following caveats:

CSCsi26567

CSCsi42509

CSCsi44500

CSCsh55834

CSCsi59521

Adds support as described in Supported AV/AS Product List Version Summary.

See also Clean Access Agent (4.0.5.1) and Resolved Caveats - Agent Version 4.0.5.1.

4.0.5.0

Version 4.0.5.0 of the Agent:

Resolves caveat CSCsh40166

Adds support as described in Supported AV/AS Product List Version Summary.

See also Clean Access Agent (4.0.5.0).

4.0.4.0

Release 4.0(4)+ and Agent version 4.0.4.0 provide support for users running the Windows Vista operating system. Administrators can configure checks/rules/requirements and hotfixes specific to Windows Vista.

Adds support for Microsoft Internet Explorer 7.0.

Note Only 4.0(x) releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 support Windows Vista client operating systems. Clean Access Agent stub is not supported on Windows Vista.

For checks/rules/requirements, the Agent can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.

See also Clean Access Agent (4.0.4.0).

4.0.2.1

Version 4.0.2.1 of the Agent is able to launch auto-update for Trend Micro AV products (resolves caveat CSCsg37846).

Cisco recommends you upgrade clients using Trend Micro AV products to version 4.0.2.1 of the Clean Access Agent.

See also Resolved Caveats - Release 4.0.3.2 and Clean Access Agent (4.0.2.1) for further details.

4.0.2.0

Release 4.0(3)+ and version 4.0.2.0 provide full support for Windows XP MCE/Tablet PC machines. Administrators can configure checks/rules/requirements and hotfixes specific to XP Pro/Home, XP MCE, XP Tablet PC, or XP All.

Adds support for IE 7.0 Beta 3.

Note 4.0.2.0 Agent is compatible with CAM/CAS release 4.0.3.1+, 4.0(3) (new install or in-place upgrade only), 4.0.2.2 and 4.0.0.1. See Enhancements in Release 4.0.3.1 and Software Compatibility Matrixes for further details.

Note If you have upgraded from release 3.6(x)/4.0(x) to release 4.0(3)/4.0.2.0 Agent, you must download the CCAAgentUpgrade-4.0.2.0.tar.gz file from Cisco Secure Downloads and upload it to the CAM via Device Management > Clean Access > Clean Access Agent > Distribution to allow the CAS to distribute it to users.

Note Because the 4.0.1.0 Agent (by design) automatically bypasses WinXP Agent checks/hotfixes for Windows MCE/Tablet PC systems, with upgrade to CAM/CAS release 4.0(3)/4.0.3.1, Cisco recommends you upgrade 4.0.1.0 Agents to 4.0.2.0.

Note For 4.0.2.0+ Agent, Japanese Windows XP/2000 clients only are affected by caveats CSCsg38702 and CSCse86581 for Trend AV products. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for further details.

See also Clean Access Agent (4.0.2.0).

4.0.1.0

Version 4.0.1.0 detects Windows MCE/Tablet PC OSes and automatically bypasses hotfixes and checks configured for Windows XP systems.

Resolves the following caveats:

CSCse72371, CSCse72396, CSCse76201, CSCse84747, CSCse85453, CSCse85994, CSCse86002

Note IE 7.0 Beta is not supported when using Clean Access Agent 4.0.1.0 and below. For the Agent to log in and perform other operations, users must uninstall IE 7.0 Beta 2. See Clean Access Agent 4.0.1.0 and IE 7.0 Beta for details.

Note 4.0.1.0 Agent users on XP MCE/Tablet PC can download/install the Agent, and checks/rules/requirements and hotfixes configured for WinAll are applied, but those configured for WinXP only are automatically bypassed.

See also Resolved Caveats - Release 4.0(1) and Clean Access Agent (4.0.1.0).

4.0.0.1

Resolves caveat CSCse64395.

Note 4.0.0.1 Agent users on XP MCE/Tablet PC can download/install the Agent, and checks/rules/requirements and hotfixes configured for WinXP and WinAll are applied. TabletPC machines cannot meet XP hotfix requirements, and MCE machines may meet some of them.

See also Clean Access Agent (4.0.0.1).

4.0.0.0

Agent is now aware of when a user machine is in a MAC-based device filter.

Agent now sends the MAC/IP address of all available network adapters on the client to the CAS.

Agent now detects OS Mismatch and re-performs posture assessment.

Stub is now available to distribute the Agent installation files when users do not have admin privileges on their machines.

The Installer Proxy of the Agent Installer now checks user privileges before installing the Clean Access Agent. If the user has admin privileges, the installation proceeds; if the user has non-admin privileges, the installer proxy attempts to communicate with the stub.

See also Clean Access Agent (4.0.0.0).

[1] See Release 4.0(x) Agent Upgrade Compatibility Matrix for upgrade compatibility details.


Caveats

This section describes the following caveats:

Open Caveats - Release 4.0.6.1

Resolved Caveats - Agent Version 4.0.6.2

Resolved Caveats - Release 4.0.6.1

Resolved Caveats - Release 4.0(6)

Resolved Caveats - Agent Version 4.0.5.1

Resolved Caveats - Release 4.0(5)

Resolved Caveats - Release 4.0(4)

Resolved Caveats - Release 4.0.3.3

Resolved Caveats - Release 4.0.3.2

Resolved Caveats - Release 4.0.3.1

Resolved Caveats - Release 4.0(3)

Resolved Caveats - Release 4.0.2.2

Resolved Caveats - Release 4.0.2.1

Resolved Caveats - Release 4.0(2)

Resolved Caveats - Release 4.0(1)

Resolved Caveats - Release 4.0.0.1

Resolved Caveats - Release 4.0(0)


Note If you are a registered cisco.com user, you can view Bug Toolkit on cisco.com at the following website:

http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl

To become a registered cisco.com user, go to the following website:

http://tools.cisco.com/RPF/register/register.do


Open Caveats - Release 4.0.6.1

Table 12 List of Open Caveats  

Columns: DDTS Number; Corrected in Software Release 4.0.6.1 (Yes/No); Caveat. Each entry below lists the DDTS number, the Corrected value, and the caveat description.

CSCeh96620

No

Agent Installer Does Not Have Signature

When a user downloads the 3.5.1 or later Clean Access Agent, Windows and most endpoint security software warn that the installer has no known publisher and no valid digital signature. Until a signed installer is available, the download source (the CAS login page) rather than a signature is the only assurance of the installer's origin, and users are trained to click through the warning.

CSCsd90433

No

Apache does not start on HA-Standby CAM after heartbeat link is restored

CSCse37028

No

Cannot create DHCP Reserved IP address with Relay-IP restriction

CSCse86581

No

Agent does not correctly recognize def versions on the following Trend AV products:

PC-cillin Internet Security 2005

PC-cillin Internet Security 2006

OfficeScan Client

Tested Clients:

PC-cillin Internet Security 2006 (English) on US-English Windows 2000 SP4

OfficeScan Client (English) on US-English Windows 2000 SP4

VirusBuster 2006 Internet Security (Japanese) on Japanese Windows XP SP2

VirusBuster Corporate Edition (Japanese) on Japanese Windows XP SP2

CSCsg07369

No

Incorrect "IP lease total" displayed on editing manually created subnets

Steps to reproduce:

1. Add a Managed Subnet with at least 2500 IP addresses, for example 10.101.0.1 / 255.255.240.0, using the CAM web page "Device Management > Clean Access Servers > Manage [IP Address] > Advanced > Managed Subnet"

2. Create a DHCP subnet with 2500+ hosts using CAM web page "Device Management > Clean Access Servers > Manage [IP Address] > Network > DHCP > Subnet List > New"

3. Edit the newly created subnet using CAM web page "Device Management > Clean Access Servers > Manage [IP Address] > Network > DHCP > Subnet List > Edit"

4. Click "Update". The CAM displays a warning that the current IP range brings the IP lease total to a number that is incorrect: the CAM counts the addresses in the subnet twice, which produces the discrepancy.

The issue does not affect DHCP functionality and is cosmetic only.

CSCsg38702

No

Agent cannot recognize Japanese Trend AV installation.
Agent properties shows "Product Name" garbled.

Client OS affected:

Japanese Windows XP Professional SP2

Japanese Windows 2000 Professional SP4

AV product affected:

Japanese VirusBuster Corporate Edition 7.3
(US Product Name: Trend Micro OfficeScan Client)

Steps to reproduce:
Make a new AV rule:
- Type: Installation
- OS: Windows XP/2K
- Checks for Selected Operating Systems: Trend Micro OfficeScan Client 7.x

CSCsh50701

No

Default gateway collision detection for DHCP yields false positive

Steps to reproduce:

1. Create a managed subnet 192.168.128.1/23

2. Auto-generate 62 DHCP subnets starting from 192.168.128.0 and commit the Subnet List.

3. Manually create a DHCP subnet using IP address range 192.168.129.10 to .254 with default gateway 192.168.128.1 and ensure the subnet/netmask behavior is "Calculate from existing managed subnets".

4. Click Update.

The web user interface displays a "(1) - Default Gateway conflicts with Subnet Range 192.168.128.2 - 192.168.128.2" error message.

Explanation

The first auto-generated subnet 192.168.128.0 is disabled by default, since its gateway conflicts with the existing managed subnet IP address.

Expected Results:

When an auto-generated subnet is created overlapping the managed subnet IP address, users should be able to create manual DHCP ranges in the same managed subnet.
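The two DHCP bookkeeping defects above (the double-counted lease total in CSCsg07369 and the gateway check that trips on a disabled auto-generated subnet in CSCsh50701) come down to two rules: count an address once however many ranges contain it, and ignore disabled ranges when checking for collisions. The following Python is an added example, not Cisco code; the DhcpSubnet model, the /30 size assumed for the first auto-generated subnet, and the sample ranges are constructed here to mirror the reproduction steps.

```python
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address


@dataclass
class DhcpSubnet:
    """Simplified model of one DHCP Subnet List entry (assumed fields)."""
    name: str
    network: ipaddress.IPv4Network   # subnet the range belongs to
    first: IPv4                      # first leasable address
    last: IPv4                       # last leasable address
    gateway: IPv4
    enabled: bool = True


def naive_lease_total(subnets):
    """What the reproduction steps describe: every range is summed, so a
    range that appears twice (for example an entry being re-saved) is
    counted twice."""
    return sum(int(s.last) - int(s.first) + 1 for s in subnets)


def lease_total(subnets):
    """Leasable addresses across enabled subnets, counting overlaps once.

    Spans are merged on integer address values so a duplicated or
    overlapping range cannot inflate the total."""
    spans = sorted((int(s.first), int(s.last)) for s in subnets if s.enabled)
    total, lo, hi = 0, None, None
    for a, b in spans:
        if lo is None:
            lo, hi = a, b
        elif a <= hi + 1:            # overlaps or is adjacent: extend the merged span
            hi = max(hi, b)
        else:
            total += hi - lo + 1
            lo, hi = a, b
    if lo is not None:
        total += hi - lo + 1
    return total


def gateway_conflicts(candidate, existing):
    """Names of other *enabled* subnets whose network contains the
    candidate's default gateway. Disabled entries, such as the first
    auto-generated subnet, are not a conflict."""
    return [s.name for s in existing
            if s.enabled and s.name != candidate.name
            and candidate.gateway in s.network]


# Constructed data mirroring the CSCsh50701 reproduction steps.
MANAGED = ipaddress.IPv4Network("192.168.128.0/23")

# First auto-generated subnet (assumed /30), disabled because its gateway
# collides with the managed subnet's own address.
AUTO_FIRST = DhcpSubnet("auto-192.168.128.0", ipaddress.IPv4Network("192.168.128.0/30"),
                        IPv4("192.168.128.2"), IPv4("192.168.128.2"),
                        IPv4("192.168.128.1"), enabled=False)

# Manually created range 192.168.129.10-.254 using the managed subnet's gateway.
MANUAL = DhcpSubnet("manual-129", MANAGED,
                    IPv4("192.168.129.10"), IPv4("192.168.129.254"),
                    IPv4("192.168.128.1"))


if __name__ == "__main__":
    # Re-saving MANUAL must not double its 245 leases.
    print(naive_lease_total([MANUAL, MANUAL]), lease_total([MANUAL, MANUAL]))
    print(gateway_conflicts(MANUAL, [AUTO_FIRST]))
```

Re-enabling the first auto-generated subnet makes gateway_conflicts report it, which is the one case where the warning is correct.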

CSCsi07595

No

DST fix will not take effect if generic MST, EST, HST, etc. options are specified

Because of how the Java runtime handles time zones, the DST 2007 fix does not take effect on Cisco NAC Appliances whose CAM/CAS UI time settings use a generic time zone option such as "EST," "HST," or "MST."

Workaround

If your CAM/CAS time zone is currently set through the UI to a generic option such as "EST," "HST," or "MST," change it to a location/city combination such as "America/Denver."

Note CAM/CAS machines using time zone settings specified by the "service perfigo config" script or specified as location/city combinations in the UI, such as "America/Denver" are not affected by this issue.

CSCsi97216

No

CAM does not change port to Authentication VLAN when Certified Devices List is cleared using a port bounce

When the CDL is cleared, the CAM does one of the following, depending on the "Remove out-of-band online user without bouncing the port" port profile setting:

If the port setting is enabled (checked), the CAM changes the port to Authentication VLAN, but does not bounce the port.

If the above setting is disabled (unchecked), the CAM bounces the port, but does not change it to Authentication VLAN.

The CAM must change the port to the Authentication VLAN every time the CDL is cleared (i.e., when user is removed from the Online Users list) regardless of whether the port is bounced or not.

Note This issue is resolved in release 4.1(3).

CSCsj84398

No

NAC-3310: "hda" error appears with specific Seagate hard drive model

An "hda" error message appears on Cisco NAC-3310s fitted with a specific Seagate hard drive model. (The issue was reproduced in testing with Seagate model ST380815AS running "HPFO" firmware.)

As a result, the following error message appears on the user console and is logged in the /var/log/messages file:

hda: status timeout: status=0xd0 { Busy }

ide: failed opcode was: unknown
hda: no DRQ after issuing MULTWRITE_EXT
ide0: reset: success

CSCsk73298

No

Avira Antivirus PE Classic detected as unknown product on Agent

Clean Access Agent versions 4.0.6.1 and 4.0.6.2 detect Avira Antivirus Personal Edition Classic for Windows (7.06.00.270) as an unknown product on client machines running the Windows XP operating system.


Resolved Caveats - Agent Version 4.0.6.2

Table 13 List of Closed Caveats  

Columns: DDTS Number; Corrected in Agent Version 4.0.6.2 (Yes/No); Caveat.

CSCsk20213

Yes

The Windows Vista Agent fails Windows Update check in the Korean time zone

The Clean Access Agent on clients running Windows Vista fails the Windows Update check because the Agent and the operating system use different delimiters in their date formats: Windows Vista in the Korean locale uses yyyy-mm-dd, while the Clean Access Agent expects yyyy/mm/dd.

CSCsk45258

Yes

Clean Access Agent freezes with Lavasoft Ad-Aware 2007 installed

If a client upgrades the Clean Access Agent to version 4.0.6.1 and the client has Lavasoft Ad-Aware 2007 installed, the Agent locks up and will not launch.

CSCsk68388

Yes

Clean Access Agent may not work if Avira AntiVirus PE Classic 7.x is installed and updated

Updating the Avira AntiVirus Personal Edition Classic 7.x during a user session can lock up the Clean Access Agent.


Resolved Caveats - Release 4.0.6.1

Table 14 List of Closed Caveats  

Columns: DDTS Number; Corrected in Software Release 4.0.6.1 (Yes/No); Caveat.

CSCsj49408

Yes

Clean Access Agent lists Microsoft Forefront as an unknown Microsoft product

Clean Access Agent 4.0.5.1 and 4.1.1.0 do not properly detect the Microsoft Forefront Client even though it is listed as a supported product for these platforms.

CSCsk01928

Yes

Norton Antivirus on Windows 98/ME no longer detected by 4.0.6.0 agent

Windows 98 Agent login fails when Norton AntiVirus 2005 is the only AV application installed on the client. (No AV is present in the Agent Report Log and the Agent Properties dialog does not display any AV application.)

CSCsk15081

Yes

Apple iPhone should not be categorized as Mac OS X

Right now, iPhone users are categorized as Mac OS X users (in the online user list, for example). Because the Mac Agent does not support iPhone, we should not categorize iPhone users as Mac OS X.

CSCsk27579

Yes

Agent on 64-bit operating system displays incorrect error message

After installing the Clean Access Agent on a Windows Vista/XP 64-bit operating system, users are presented a "The client version is old and not compatible. Please login from web browser to see the download link for the new version" Agent error message.


Resolved Caveats - Release 4.0(6)

Table 15 List of Closed Caveats  

Columns: DDTS Number; Corrected in Software Release 4.0(6) (Yes/No); Caveat.

CSCse45941

Yes

Clicking "Cancel" during package selection lets the installation continue

CSCsg98960

Yes

4.0.5 Installer does not recognize certain SCSI drives

When you install 4.0.5 code (Manager/Server) on certain hardware with SCSI Drives (LSI Logic drives), the Installer will fail with a message as follows:

"An error has occurred - no valid devices were found on 
which to create new filesystems. Please check your hardware 
for the cause of the problem."

Conditions

Only new CD installs of 4.0.5/4.1 are affected. Upgrades to 4.0.5/4.1 from previous versions are not affected by this bug.

Workaround:

At the boot prompt for Install, type DL140 then press Enter:

Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.
Welcome to the Cisco Clean Access Installer!
 - To install a Cisco Clean Access device, press the 
<ENTER> key.
 - To install a Cisco Clean Access device over a serial 
console, 
 enter serial at the boot prompt and press the <ENTER> key.
boot: DL140

Additional Details

Dell 1850 is one of affected platforms

For IBM x336, the DL140 installation directive is still required after the 4.0(6) fix.

CSCsh32363

Yes

Cisco Clean Access—Tomcat service fails in some failover configurations

Scenario

Customers running release 4.0.3.1 on a pair of CAMs deployed in HA mode

Failover configured on the Ethernet 1 interface

Devices located in remote data centers using a low-latency MAN for communication between CAMs.

Issue

When a communication disruption occurs between these locations, the secondary CAM correctly detects that the heartbeat from the primary is lost and activates, as configured. The Tomcat services on the secondary device, however, fail when this happens, resulting in the following:

1. If the primary CAM fails again, the secondary will not "take over" the HA functions because the Tomcat service has failed.

2. Because of the way the fostate script polls for failover status, its results are misleading. Both the fostate script and the web user interface show both CAMs in the "active" state, while in reality only one unit is active. You can confirm this with ifconfig -a: only one of the two units is actually listening on the subinterface used for the HA address, although both show a virtual interface for it.

CSCsh64663

Yes

Clean Access Agents cannot communicate with the CAS after failover is disabled in the CAS configuration

When the CAS boots while the service IP address is still present in perfigo.conf, the Agent ports (UDP 8905 and 8906) try to bind to the now nonexistent service IP address and fail. As a result, the CAS cannot communicate with Clean Access Agents.

CSCsh67387

Yes

Error count increases indefinitely in /proc/interrupts with network load on NAC-3350 appliances

The error count in the /proc/interrupts file increases indefinitely when a network load is applied to a Cisco NAC-3350 Appliance (DL360 G5) featuring default BIOS settings.

To view the error and spurious interrupt count, issue the cat /proc/interrupts command on a NAC-3350 CAS in command line mode. You should see messages similar to the following relatively soon after start-up:

Jan 31 10:51:09 cas-shabharg-5 kernel: irq 7: nobody cared!
Jan 31 10:51:09 cas-shabharg-5 kernel: handlers:
Jan 31 10:51:09 cas-shabharg-5 kernel: [<c027b090>] 
(usb_hcd_irq+0x0/0x80)

CSCsh74848

Yes

VLAN mapping stops working for DHCP traffic

When connected via the untrusted VLAN, clients stop getting IP address assignments from DHCP. After manually re-mapping untrusted/trusted VLANs, clients start receiving IP addresses from DHCP again. (If a static IP is configured, the client is able to function normally.)

Workaround

1. Ensure all the required VLAN mappings are added and reboot the CAS in question. If the CAS is part of an HA pair, reboot the active CAS and fail over to the standby (you can also fail back afterwards). Because the problem appears when a VLAN mapping is deleted from an active CAS, you must reboot or fail over every time a VLAN mapping is deleted or modified.

2. Remove and then re-add the VLAN mapping for the affected VLANs. This workaround is less reliable than the first and may cause similar issues with other VLAN mappings on the same CAS.

CSCsh84260

Yes

User gets redirected to CAS after successful web login using a Safari browser in Mac OS

When functioning normally, a Mac OS client browser opens another window that displays the original URL requested at login following successful authentication. The issue in this case, however, is that the Safari 2.0.3 browser on the client opens another window displaying the CAS web login form over again.

CSCsi04677

Yes

In some cases, administrators might see a number of "A.B.C.D has been disconnected" messages (about one per minute) in the entries under Monitoring > Event Logs on the CAM

CSCsi19481

Yes

CAS server hangs randomly

After a period of operation, the CAS can become unresponsive and hang at random, cutting off access via SSH, console, serial, and so on. The only way to recover is to reboot the CAS manually.

This issue is usually triggered by malformed DNS responses.

Workaround

Remove the "any DNS server" entry from the CAS Host Policy configuration and trust only the DNS servers on the LAN. Besides avoiding the hang, this narrows the set of hosts an unauthenticated client can reach.

CSCsi23228

Yes

CAM database performance degraded over time

Clean Access Manager performance degrades over time; users may experience slowness during login and in the CAM web administration interface. The slowness typically appears after a large number of database delete/insert/update operations.

There are three workarounds, each suited to different conditions.

Workaround 1: Apply during a maintenance window when the CAM is out of service. The vacuum may take several minutes; do not interrupt it.

1. service perfigo stop

2. su -l postgres

3. vacuumdb -h 127.0.0.1 -a -f

4. exit

5. service postgresql restart

6. service perfigo start

Workaround 2: Apply while the system is in service under light load. The vacuum may take several minutes; do not interrupt it.

1. su -l postgres

2. vacuumdb -h 127.0.0.1 -a -f

3. exit

Workaround 3: This can be added as system daily cron job to prevent the potential slowness.

1. Create a file named "db_vacuum.sh" under "/etc/cron.daily" with the following content:
#!/bin/sh
su - postgres -c "vacuumdb -h 127.0.0.1 -a -f"

2. cd /etc/cron.daily

3. chmod +x db_vacuum.sh

CSCsi24168

Yes

Agent fails authentication when there is leading/trailing space in password

CSCsi31287

Yes

Authentication fails for LDAP server when user is located in child DC

If an LDAP server is configured to point to the root Active Directory Domain Controller, only user credentials that authenticate on the root DC pass an Authentication Test; credentials that exist on a child DC fail it.

CSCsi33630

Yes

CAM/CAS should not pull all old logs when getting support logs

When the support-log download option on the Clean Access Manager or Clean Access Server is used to produce a .tar archive, the entire log history of that CAM or CAS is included. The result is a very large archive with little relevant content, which customers then download and send to Cisco TAC to troubleshoot the Clean Access system.

CSCsi46191

Yes

Password Encryption: RADIUS and LDAP passwords are stored as plain text in the CAM database

The CAM database stores the RADIUS shared secret and the LDAP search (bind) password in plain text. Anyone who can read the database, or a backup of it, obtains both. A compromised RADIUS shared secret also lets an attacker who captures RADIUS traffic between the CAM and the RADIUS server recover user passwords, because the User-Password attribute is only obfuscated with a key derived from that secret.

CSCsi67522

Yes

Custom block page not being displayed for users, default being used.

Users matched to a role defined under Device Management > Filters > Subnets for the Block redirection feature are redirected to the default blocked page instead of the custom block page for the role the user is placed in.

CSCsi79315

Yes

Nessus Scanner: unable to update "SMB domain (optional)" value

Administrators cannot update or remove the preference value for the SMB domain specified under Device Management > Clean Access > Network Scanner > Options > "Login Configurations" Category > Preference Name SMB.

CSCsi83381

Yes

Clean Access presents an erroneous popup window when case-insensitive is enabled

When the Case-Insensitive option under a user role is enabled, the Clean Access system returns a popup window for users after they log in through the web interface.

CSCsi86205

Yes

A kernel error results when a user manages a CAS with the "ifconfig eth1 down" command

The Cisco NAC Appliance - Clean Access Server Installation and Administration Guide, Release 4.0 instructs users to enter the "ifconfig eth1 down" command before managing a CAS operating in Virtual Gateway mode. Cisco recommends physically disconnecting the CAS eth1 interface before adding the CAS to the CAM.

Note Future releases of the Cisco Clean Access system software will address the "ifconfig eth1 down" command issue.

CSCsi69677

Yes

Client can use tools to bypass posture by sending a Null OS string

With substantial software changes on the client side, a user may be able to construct and send a string containing a null OS value and bypass posture assessment.

Note The user still needs to authenticate to the network, and can only bypass certain posture assessment pieces.
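Two of the notes in this document describe the same decision: which requirement rules apply to a client, given the OS string its Agent reports (the WinAll versus WinXP behaviour on MCE/Tablet PC clients in the 4.0.x Agent notes, and the null-OS bypass in CSCsi69677). The Python below is an added example, not Agent or CAM code; the rule table and the OS-to-family mapping are constructed for illustration. The point is the fail-closed branch: an absent, empty or unmappable OS string selects every rule, so a crafted report can at worst get more checks, never fewer.

```python
# Constructed rule table: each requirement names the OS families it targets.
# "WinAll" covers every Windows client, as the Agent notes describe.
REQUIREMENTS = [
    {"name": "AV installed and current", "os": {"WinAll"}},
    {"name": "XP hotfixes",              "os": {"WinXP"}},
    {"name": "Vista firewall enabled",   "os": {"WinVista"}},
]

# Assumed mapping from the OS string an Agent reports to a rule family.
# MCE/Tablet PC map to their own families here, which reproduces the 4.0.1.0
# behaviour: WinAll rules apply to them, WinXP-only rules do not.
OS_FAMILY = {
    "Windows XP": "WinXP",
    "Windows XP Media Center": "WinXP-MCE",
    "Windows XP Tablet PC": "WinXP-Tablet",
    "Windows Vista": "WinVista",
}

ALL_RULES = [r["name"] for r in REQUIREMENTS]


def _normalise(reported_os):
    """Strip NUL bytes and whitespace; return None if nothing usable remains."""
    if reported_os is None:
        return None
    cleaned = reported_os.replace("\0", "").strip()
    return cleaned or None


def applicable_rules_open(reported_os):
    """Fail-open selection (the defect class in CSCsi69677): rules are picked
    by matching the reported family, so a null or unknown OS matches only the
    WinAll rules and every OS-specific check is silently skipped."""
    family = OS_FAMILY.get(_normalise(reported_os) or "")
    return [r["name"] for r in REQUIREMENTS if r["os"] & {"WinAll", family}]


def applicable_rules_closed(reported_os):
    """Fail-closed selection: an absent, empty, NUL or unmappable OS string
    cannot be trusted, so every rule is evaluated rather than only the
    generic ones. Legitimate new OS versions must be added to OS_FAMILY."""
    cleaned = _normalise(reported_os)
    if cleaned is None or cleaned not in OS_FAMILY:
        return list(ALL_RULES)
    family = OS_FAMILY[cleaned]
    return [r["name"] for r in REQUIREMENTS if r["os"] & {"WinAll", family}]


if __name__ == "__main__":
    for reported in ("Windows XP", "Windows XP Media Center", "\0", None):
        print(repr(reported), applicable_rules_open(reported), applicable_rules_closed(reported))
```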

CSCsi93687

Yes

File Date comparison should be based on UTC

When the Agent compares the date information for a file, it should use UTC format instead of the local time zone setting.

CSCsj02240

Yes

Windows Vista machines with a UK time zone designation fail the Windows Update check because of a different date format.
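CSCsk20213, CSCsi93687 and CSCsj02240 are one failure mode: a date read from the client in whatever format the OS locale uses, then compared as a string or in local time. The Python below is an added example, not Agent code. It takes the field order as an explicit parameter (assumed to be known from the client's locale settings) because both the separator and the field order vary between locales, converts the value to UTC before comparing, and raises instead of silently failing a check it could not parse.

```python
import re
from datetime import datetime, timedelta, timezone

# Accept '-', '/' or '.' between fields; the field order is supplied by the caller.
_FIELDS = re.compile(r"^\s*(\d{1,4})[-/.](\d{1,2})[-/.](\d{1,4})\s*$")


def parse_local_date(text, order, utc_offset_hours):
    """Parse a short date reported by the client and return an aware UTC datetime.

    order: "ymd" (Korean 2007-10-15), "dmy" (UK 15/10/2007) or "mdy" (US 10/15/2007).
    utc_offset_hours: the client's zone offset; the value means local midnight there.
    """
    m = _FIELDS.match(text)
    if not m:
        raise ValueError(f"unrecognised date string: {text!r}")
    p = [int(g) for g in m.groups()]
    orders = {"ymd": (p[0], p[1], p[2]),
              "dmy": (p[2], p[1], p[0]),
              "mdy": (p[2], p[0], p[1])}
    if order not in orders:
        raise ValueError(f"unknown field order: {order!r}")
    y, mo, d = orders[order]
    local = datetime(y, mo, d, tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)


def same_day_string_compare(a, b):
    """The defect: comparing raw strings, so '2007-10-15' != '2007/10/15'."""
    return a == b


def update_within_days(text, order, utc_offset_hours, now_utc_iso, max_age_days):
    """True if the last Windows Update date is no older than max_age_days at now_utc_iso.

    The comparison is done on UTC datetimes, so two clients in different zones
    reporting the same instant are judged the same way."""
    now_utc = datetime.fromisoformat(now_utc_iso)
    if now_utc.tzinfo is None:
        now_utc = now_utc.replace(tzinfo=timezone.utc)
    age = now_utc - parse_local_date(text, order, utc_offset_hours)
    return age <= timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed samples: a Korean-locale Vista date and a UK-locale date.
    print(parse_local_date("2007-10-15", "ymd", 9).isoformat())
    print(parse_local_date("15/10/2007", "dmy", 0).isoformat())
    print(same_day_string_compare("2007-10-15", "2007/10/15"))
```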

CSCsj05741

Yes

Spaces in Distinguished Name (DN) cause LDAP authentication failure

When attempting an authentication test with an LDAP provider, if the DN contains a space the test fails and returns "LDAP: error code 49". The space can be anywhere in the DN and appears as the %20 escape sequence in perfigo-log.

Note There could also be a "," or other special character in the DN. For example, "CN= Doe, Jane".
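The %20 in perfigo-log is a URL-encoded space, and a directory server does not apply URL decoding inside a DN, so the bind is attempted with a literal "%20" and fails with error 49 (invalidCredentials). DN values have their own escaping rules (RFC 4514 section 2.4): a backslash before a leading or trailing space, a leading "#", and the characters " + , ; < > \ anywhere. The following Python is an added example, not CAM code; the sample DN is constructed from the note's "CN= Doe, Jane" case.

```python
import re
from urllib.parse import quote

_DN_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # only a leading '#' needs escaping
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                  # leading/trailing space; inner spaces are fine
        elif ch == "\0":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """rdns: sequence of (attribute type, raw value) pairs, most specific first."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def url_encoded_dn(rdns):
    """The defect in CSCsj05741: percent-encoding the value as if it were a URL
    component. The server sees a literal '%20', not a space, and the bind fails."""
    return ",".join(f"{attr}={quote(val)}" for attr, val in rdns)


def looks_url_encoded(dn):
    """Quick configuration check for a DN that was percent-encoded by mistake."""
    return re.search(r"%[0-9A-Fa-f]{2}", dn) is not None


if __name__ == "__main__":
    # Constructed search-user DN with a leading space and a comma in the CN.
    rdns = [("CN", " Doe, Jane"), ("OU", "Users"), ("DC", "example"), ("DC", "com")]
    print(build_dn(rdns))
    print(url_encoded_dn(rdns), looks_url_encoded(url_encoded_dn(rdns)))
```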

CSCsj08474

Yes

Release 4.0(x) does not allow same default gateway for multiple subnets

Release 4.0(x) added a check that prevents administrators from specifying the same default gateway for more than one IP subnet range in the DHCP subnet list. This check is a problem for customers upgrading from 3.5.7 to 4.0(x) to get Windows Vista support: they must rework the setup to use a separate default gateway/VLAN for every /24 network, which can add routing load on the CAS.

CSCsj08522

Yes

HA Active CAM should abort upgrade if Standby CAM is still on

When upgrading between various 4.x.x releases, if the customer leaves their Standby CAM up during the upgrade, the database can become corrupted.

The CAM installer script should detect if the CAM is part of an HA pair and abort the upgrade or stop communicating with the secondary CAM instead of staying in a state where the database can become corrupted.

CSCsj18047

Yes

HTML tags entered in the text field for the "Blocked Access" page are not displayed.

CSCsj18239

Yes

Requirement description does not allow double quotes

When a requirement description contains double quotes, everything after the first double quote is dropped when the requirement is saved, and the truncated description is what appears in the Agent report. (Single quotes in requirement descriptions work fine.)

CSCsj28193

Yes

Agent does not correctly detect Kaspersky 6.0 Antivirus

The Agent does not pass install checks for the Kaspersky 6.0 Antivirus application.

CSCsj29701

Yes

Agent may pop up again after login in OOB deployment

In an OOB deployment, the Agent login screen may pop up again after login if the Agent receives a SWISS response in the window between successful login and the CAM's change of the port to the access VLAN. During that window SWISS still considers the Agent unauthenticated and keeps sending UDP discovery packets while the CAM is about to set the access VLAN.

CSCsj29800

Yes

User passwd fields need to be empty if SSO fails

If the user has enabled the "Remember Me" option on the regular login screen, the login window is filled in with the SSO user name (including domain) and a password that is wrong, because SSO does not have the password.

Even if "Remember Me" is enabled in a situation where SSO login is switched with regular login, the user password fields are required to be empty to avoid confusion and/or incorrect credentials from the user.

CSCsj30395

Yes

Once SSO fails and falls back, terminated user sessions do not re-trigger SSO

To get SSO to re-trigger, exit and then log back into the Agent.

Note Simply logging out of the Agent does not resolve the issue because in case of OOB there is no agent logout functionality.

CSCsj30409

Yes

With VSClient (SSL VPN Client) the Clean Access Agent locks up when the connection is broken

If VSClient is running and the physical connection fails, or the client machine hibernates and resumes, the Clean Access Agent locks up until the connection is reset or re-established.

CSCsj35621

Yes

User SSO log-in process when booting up the client machine is much longer than subsequent (connection reestablishment) events

When a user starts a Windows client machine, the Clean Access Agent starts automatically, as it is already an item in the Windows startup folder. If SSO is enabled, the SSO process delays approximately 30 seconds before displaying remediation or successful login pages.

If the user becomes disconnected and reestablishes the connection without rebooting their machine, however, the same SSO login window delays only about 5 seconds before displaying subsequent screens.

CSCsj36082

Yes

Device Filter assigns incorrect user role

With Device Filters configured for MAC addresses in the network, the Clean Access system assigns incorrect roles to user profiles.

CSCsj37496

Yes

Virus Definition File Version intermittently missing from Agent

Agent 4.0.5.1 on Windows Vista is intermittently missing the Virus Definition File Version, resulting in authentication failure.

CSCsj43375

Yes

Agent does not attempt SSO unless restarted after previous SSO failure

If the initial attempt for SSO fails for any reason, the Agent does not attempt to perform SSO again until the user exits and restarts the Agent.

Practical scenario:

1. User logs in to the machine and fails SSO for some reason (no access to Domain Controller, etc.).

2. User logs in manually using his authentication credentials when prompted by the Agent.

3. If the user session is terminated, the Agent does not attempt SSO again.

CSCsj62927

Yes

If the CAS Administrator password changes, AD SSO service stops working

CSCsj85521

Yes

Need to include User Role and Operating System information in CAM/CAS event logs

CSCsj92822

Yes

McAfee Anti-Spyware Enterprise Module 8.0.0.989 is not detected by CCA Agent 4.0.6.0


Resolved Caveats - Agent Version 4.0.5.1

Table 16 List of Closed Caveats  

Columns: DDTS Number; Corrected in Clean Access Agent Version 4.0.5.1 (Yes/No); Caveat.

CSCsh55834

Yes

Users running Sophos AV software (updated 2/5/2007) failed authentication because the Agent checked for version 4.14; however, updated systems were running version 4.14(75).

CSCsi26567

Yes

Multi AD SSO credentials mismatch results in login error

During Windows AD SSO via the Clean Access Agent, the Agent displays a "Performing Windows Domain Automatic Login for Clean Access" popup, but the standard Clean Access login screen appears as well. The user name is filled in (user@domain) for the currently logged in user and the Agent login screen shows "Invalid Provider Name."

Additional symptoms:

1. Agent does not perform SSO initially (CAS Service ticket is not seen in Kerbtray)
2. Agent performs SSO after being restarted (Kerberos ticket is seen)

Workaround

Close the Clean Access Agent and attempt to log in again.

CSCsi42509

Yes

The Agent did not read the file version property correctly for systems running Windows Vista.

CSCsi44500

Yes

When a cell phone was used to retrieve data to a PC, Layer 3 SWISS packets exhibited worm-like behavior, which caused deauthorization in environments using an intrusion detection system (IDS).

The Agent sent traffic using multiple source IP addresses that did not belong to the service provider's network. IDS identified and deauthorized the traffic.

CSCsi59521

Yes

Users running Sophos AV software (version 6.5.4 with definition version 4.16) failed authentication because the Agent incorrectly detected the AV definition.

Workaround:

Check by date of last update instead of by definition version number.


Resolved Caveats - Release 4.0(5)

Table 17 List of Closed Caveats  

Columns: DDTS Number; Corrected in Software Release 4.0(5) (Yes/No); Caveat.

CSCsh37587

Yes

Clicking on "System Time" on HA-Inactive CAM yields exception

To reproduce the issue, set up the CAM in high availability mode, log in to the HA-Inactive CAM, and click "System Time" in the left navigation menu.

CSCsh39119

Yes

Editing auto-generated DHCP subnet removes ARP entries from Clean Access Server (CAS), except for the very first auto-generated subnet.

Workaround:

Disable the first DHCP auto-generated subnet. If there is any concern about the state of the ARP table, run arpregen.pl.

CSCsh40166

Yes

Clean Access AD SSO fails on Win2k machines when username contains space

When doing Clean Access Single Sign On to a Windows AD from a Windows 2000 client, if the user name contains a space, SSO will fail. When the agent dialog box pops back up, there will be no providers in the auth provider box.

CSCsh45016

Yes

Cisco NAC Appliance 3350s operating in CAS Virtual Gateway mode do not properly recognize packet VLAN tags, which affects VLAN-related operations such as VLAN mapping.

CSCsh45405

Yes

After upgrade /etc/inittab has incorrect entry for terminal type "vt100-nav"

DL140 hardware models with 3.6.0 CAS or CAM has the following entry in file /etc/inittab: "co:2345:respawn:/sbin/agetty ttyS0 9600 vt100-nav"

After upgrade, this entry is changed to "-nav", which is syntactically incorrect in /etc/inittab file. When you reboot the CAS or CAM, the following error message appears:

"INIT: /etc/inittab[45]: id field too long (max 4 characters)"

CSCsh51053

Yes

AV/AS support matrix should indicate Sophos Antivirus definition date as "Not Supported"

With the 4.0.5.0 Agent, the AV/AS support chart indicates that the CAM attempts to verify the version of Sophos Antivirus using the definition date starting from Agent release 4.0.1.0. However, the CAM only uses the applicable definition version to determine Sophos Antivirus support.

CSCsh60391

Yes

Uploaded files using CAM are not replicated on HA-Inactive CAM

When files are uploaded to /perfigo/control/tomcat/webapps/upload/ file repository using the Administration > User Pages > File Upload tool, the files are not replicated on the HA-Standby CAM on failover.


Resolved Caveats - Release 4.0(4)

Table 18 List of Closed Caveats  

Columns: DDTS Number; Corrected in Software Release 4.0(4) (Yes/No); Caveat.

CSCsd52349

Yes

When viewing the Cisco Clean Access Agent report, if the Administrator clicks on a specific user ID to view details, the report refreshes back to the first/welcome page.

CSCse46141

Yes

SSO fails if the CAS cannot reach the Active Directory server during startup.

If the Active Directory server is not reachable from the CAS at startup, the AD SSO service is not started.

Workaround: The admin is required to go to Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows Auth > Active Directory SSO and click the Update button to restart the AD SSO service.

CSCse60046

Yes

Database connection failed entry visible in Clean Access Server log files

According to correct design architecture, a Clean Access Server should never make a direct connection to the PostgreSQL database.

CSCse68178

Yes

ActiveX control version checking fix

IE may request installation of ocget.dll. When ActiveX is used for L3 OOB, on some Windows machines the IE browser prompts to install ocget.dll. This does not occur during the initial web login, when the ActiveX control is not yet installed on the machine; it occurs on subsequent web logins after the control has already been installed.

This is a Microsoft bug that makes an unnecessary POST request to ocget.dll.

CSCse71604

Yes

"View MACs" option not displayed when using "Restrict Range to Relay IP" subnet setting

"View MACs" option missing from "Device Management > CCA Servers > Manage[CAS_IP] > Network > DHCP > DHCP Status" when the "Restrict Range to Relay IP" option has been enabled for a particular subnet.

CSCse84000

Yes

Cron job to sync system time not created or updated on HA-Inactive CAS

The file /etc/cron.daily/sync-time is created or updated when the time servers for a CAS are modified. This cron file is not created on the HA-Inactive CAS, so the inactive system never syncs its clock from the time servers on a regular basis.

Steps to reproduce:

1. Setup CAS in HA-failover mode
2. Go to web page: Device Management > Clean Access Servers > IP Address > Misc > Time
3. Change the time servers to "clock.cisco.com"
4. Verify the changes have been reflected in cron job /etc/cron.daily/sync-time on active CAS
5. Check the HA-Inactive CAS for the cron file /etc/cron.daily/sync-time. The file may either not be present or have old time server settings

Expected Results: The cron job file to sync the system time on HA-Inactive CAS should reflect the changes upon modification of time server settings on HA-Active CAS using either CAM or HA-Active CAS GUI

Workaround: Modify the time servers on HA-Inactive CAS using GUI.

CSCsf98683

Yes

CAM does not send Class attribute in Radius accounting

The CAM does not include the Class attribute when transmitting user login account information to a Radius server.

CSCsg00598

Yes

When you upload a CA Signed Certificate to the CAM, you are also required to import the associated private key.

CSCsg03367

Yes

In release 4.0.1, the "link-based HA" feature was added to Cisco NAC Appliance. When you ping a dead "link-based" node, the Cisco NAC Appliance updates the node's status in the ha_status database. Unfortunately, a DHCP server can then call on the ha_status database to [incorrectly] determine that the peer node is dead. As a result, standard DHCP data synchronization might fail.

CSCsg11143

Yes

In an HA configuration, if the active Clean Access Server (CAS1) loses connectivity with the Clean Access Manager, but does not reboot, CAS2 then becomes active server. If you then fail back to CAS1, CAS1 does not republish the intern_validation_table from the CAM's database. Instead, CAM1 repeatedly adds older entries to the validation table.

CSCsg41272

Yes

A DHCP server can repeatedly assign a user an IP address that another user on the network has statically assigned to a host. Ideal behavior is for the DHCP server to abandon that IP after clients repeatedly decline it.

There are two known workarounds for this bug:

Enable the "ping-check" option and set it to "true" or "on." Be advised, however, that this practice slows DHCP lease assignment and should not be used in large deployments. In addition, this workaround does not work if the user who assigned the static IP address is using a firewall.

Identify network users who are statically assigning IP addresses in the DHCP range and prohibit static IP address assignment for the designated IP pool.
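The behaviour the caveat asks for (stop re-offering an address that clients keep declining) and the slower ping-check workaround, as an added toy model written for these notes rather than Cisco's DHCP implementation. DECLINE_LIMIT, the lease-pool class and the ping_check callback are assumptions of the example; the page only states that declined addresses should be abandoned and that ping-check slows assignment and does not see hosts behind a firewall.

```python
"""Added example (not Cisco NAC Appliance code): a toy DHCP lease pool that
counts DHCPDECLINE messages per address and stops offering an address once
it has been declined repeatedly. An optional ping_check callback models the
slower 'ping-check' workaround described in the caveat."""
from collections import defaultdict
from typing import Callable, Dict, List, Optional

DECLINE_LIMIT = 2   # assumption: abandon an address after its second DECLINE


class LeasePool:
    def __init__(self, addresses: List[str],
                 ping_check: Optional[Callable[[str], bool]] = None):
        self.free: List[str] = list(addresses)    # offer order
        self.leases: Dict[str, str] = {}          # client MAC -> IP
        self.abandoned: List[str] = []
        self.declines: Dict[str, int] = defaultdict(int)
        self.ping_check = ping_check              # True when a host already answers at ip

    def offer(self, mac: str) -> Optional[str]:
        """Hand out the first free address that is not known to be in use."""
        if mac in self.leases:                    # a renewing client keeps its address
            return self.leases[mac]
        while self.free:
            ip = self.free.pop(0)
            if self.ping_check is not None and self.ping_check(ip):
                self._abandon(ip)                 # conflict found before offering
                continue
            self.leases[mac] = ip
            return ip
        return None                               # pool exhausted

    def decline(self, mac: str, ip: str) -> None:
        """The client's ARP probe found the address in use (DHCPDECLINE)."""
        if self.leases.get(mac) == ip:
            del self.leases[mac]
        self.declines[ip] += 1
        if self.declines[ip] >= DECLINE_LIMIT:
            self._abandon(ip)
        else:
            self.free.append(ip)                  # retry later, behind the other free addresses

    def _abandon(self, ip: str) -> None:
        if ip not in self.abandoned:
            self.abandoned.append(ip)
        if ip in self.free:
            self.free.remove(ip)

    def summary(self) -> dict:
        return {"leases": dict(self.leases), "free": list(self.free),
                "abandoned": list(self.abandoned)}


if __name__ == "__main__":
    # Constructed scenario: 10.0.0.10 is statically configured on some host.
    pool = LeasePool(["10.0.0.10", "10.0.0.11"])
    ip = pool.offer("aa:aa:aa:aa:aa:aa")
    pool.decline("aa:aa:aa:aa:aa:aa", ip)
    print(pool.offer("aa:aa:aa:aa:aa:aa"))        # gets 10.0.0.11
    ip = pool.offer("bb:bb:bb:bb:bb:bb")          # 10.0.0.10 is tried once more
    pool.decline("bb:bb:bb:bb:bb:bb", ip)
    print(pool.summary())                         # 10.0.0.10 is now abandoned
```

Without ping-check the conflict is still caught, but only after a client has been offered the address and declined it; the ping-check path rejects it before the offer, at the cost of a probe per lease. A static host that drops ICMP defeats the probe, as the caveat notes, and the DECLINE count is what catches that case.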

CSCsg41565

Yes

When using a cookie to authenticate to cisco_api.jsp, authentication fails

CCA release 4.0(0) introduced an additional means of security that uses a cookie or session to verify whether a POST to the API should be permitted or denied. The cisco_api.jsp identifier was erroneously left off this list.

CSCsg44387

Yes

When trying to add a NAT Gateway CAS to the CAM, the CAM user interface displays a warning message stating that NAT Gateway mode (in-band or out-of-band) is not supported for production deployment.

CSCsg71490

Yes

The Clean Access Server web admin pass code should be stored as a hashed value.

CSCsg73620

Yes

Empty shared secrets should not be allowed by ssconf ("service perfigo config" on the Clean Access Server), smconf ("service perfigo config" on the Clean Access Manager), or in the hashpatch.sh file.

Leaving shared secrets undefined could open potential security vulnerabilities in the Clean Access Manager and Clean Access Server.
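What the two preceding caveats ask for, as an added example that is not Cisco's code: storing an admin passcode as a salted, iterated hash rather than a recoverable value (CSCsg71490), and refusing an empty shared secret before a configuration script writes it (CSCsg73620). The PBKDF2 parameters, the storage string format and MIN_SECRET_LENGTH are assumptions of the example, not product settings.

```python
"""Added example (not Cisco NAC Appliance code): keep the web admin passcode
as a salted, iterated hash instead of plaintext, and reject an empty shared
secret at configuration time."""
import hashlib
import hmac
import os
from typing import List, Optional

ITERATIONS = 200_000          # assumption: cost chosen for this example, not a product value
MIN_SECRET_LENGTH = 8         # assumption: policy value for this example


def hash_passcode(passcode: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>'; this is what gets stored."""
    if not passcode:
        raise ValueError("passcode must not be empty")
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_passcode(candidate: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed record, e.g. a plaintext value
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_secret_problems(secret: Optional[str]) -> List[str]:
    """Checks a config script such as ssconf/smconf should run before writing
    the secret. Returns an empty list when the secret is acceptable."""
    problems: List[str] = []
    if secret is None or secret.strip() == "":
        problems.append("empty or whitespace-only shared secret")
        return problems
    if len(secret) < MIN_SECRET_LENGTH:
        problems.append("shorter than %d characters" % MIN_SECRET_LENGTH)
    if secret != secret.strip():
        problems.append("leading or trailing whitespace (easy to mistype on the peer)")
    return problems


if __name__ == "__main__":
    record = hash_passcode("example-passcode")
    print("stored:", record)
    print("verify correct:", verify_passcode("example-passcode", record))
    print("verify wrong:  ", verify_passcode("guess", record))
    for s in ["", "   ", "short", "a-long-enough-secret"]:
        print(repr(s), "->", shared_secret_problems(s) or "ok")
```

The stored record carries its own salt and work factor, so the cost can be raised later without breaking verification of older records, and the comparison uses hmac.compare_digest so that a wrong guess is not distinguishable by timing.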

CSCsh15238

Yes

Memory Leak in RADIUS Authentication/Accounting Module

If you are using a RADIUS server to perform authentication/accounting functions in your network (set up in either User Management > Auth Server > Auth Server or User Management > Auth Server > Accounting), a slow memory leak exists that can eventually cause the server to run out of memory.


Resolved Caveats - Release 4.0.3.3

Table 19 List of Closed Caveats  

DDTS Number
Software Release 4.0.3.3
Corrected
Caveat

CSCsg14148

Yes

Swap space is not loaded properly when using CCISS driver

When the CCISS driver is being used, e.g. with Smartarray6i RAID controllers, the installer does not seem to load the swap space information correctly. Running free on the boxes shows no swap space, and top reveals 0K of swap. Also, in some cases, the /etc/fstab file shows a jumbled set of characters for the swap space location.

CSCsg24153

Yes

"service perfigo config" does not update shared secret in /root/.secret

When changing the shared secret in the CAS and CAM using 'service perfigo config', the shared secret between the CAM and CAS is not updated. The existing pre-shared key will remain in use.

Note This caveat and workaround apply only to releases 4.0.0 to 4.0.3.2 and 3.6.0 to 3.6.4.2.

When updating the pre-shared key using 'service perfigo config' on the CLI, the script edits /root/.secret but the hash stays the same even after restarting. The shared secret is generated but is always the same constant string.

Workaround: If the customer needs to change the shared secret between the CAM and CAS, then apply patch-CSCsg24153.tar.gz from http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches.

CSCsg44268

Yes

Need to accommodate the new daylight saving time regime from 2007.


Resolved Caveats - Release 4.0.3.2

Table 20 List of Closed Caveats  

DDTS Number
Software Release 4.0.3.2
Corrected
Caveat

CSCsg02604

Yes

Default gateway ARP Entries for some DHCP scopes unexpectedly flushing out of the CAS ARP table.

CSCsg04433

Yes

Changes in Disabled / Enabled subnets list gets committed despite errors

When editing an auto-generated subnet in the subnet list tab on CAM GUI "Device Management > Manage [IP_Address] > Network > DHCP > Subnet List > Edit", any changes made to the Disabled / Enabled subnets list are committed and saved even if the update failed due to an error or warning in other input provided.

To reproduce the issue, add an IP range that exceeds the recommended DHCP IP lease limit of 5000 and edit the auto-generated subnet on the CAM GUI "Device Management > Manage [IP_Address] > Network > DHCP > Subnet List > Edit". Alternatively, incorrect input such as an incorrect VLAN ID can be provided instead of exceeding the DHCP IP lease limit of 5000.

Expected Results: Either none or all the changes should be committed. The warning message must include that the requested changes are not being saved and clicking "Update" button again will save those changes in case of exceeding the recommended DHCP IP lease limit.

CSCsg37846

Yes

Problem is seen when using CCA Agent to update Virus definitions for Trend Micro.

Note This issue is fixed in the 4.0.2.1 Agent

When this behavior is seen, the patches do get updated, but the CCA Agent still claims that it could not complete the Trend Micro update and then asks for a manual update. The Agent is able to call the Trend client locally, which in turn is able to run the Autopccp.exe file on the share located at \\<trendserverip>\ofcscan\Autopccp.exe. This is why the patches do get downloaded. Therefore, the problem is not due to the file location not being shared or access to the Trend server not being available in the temporary role.

The problem is due to the fact that the underlying code used for Trend waits for 1 minute for the Trend client call to come back and indicate it is complete. If the update takes longer than 1 minute, then the underlying code in CCA assumes that it was not successful, although it could be successful after 1 minute and 20 seconds, for example.


Resolved Caveats - Release 4.0.3.1

Table 21 List of Closed Caveats  

DDTS Number
Software Release 4.0.3.1
Corrected
Caveat

CSCsf24570

Yes

4.0.3 upgrade package deletes previously created DHCP options

The 4.0.3 upgrade package deletes valid options created using 4.0.0 or 4.0.2. Deletion should only happen if the system being upgraded is older than 4.0.0.

Workaround: If DHCP options are lost, administrators must recreate them manually.

CSCsf24583

Yes

4.0.3 upgrade causes problems with Agent upgrade package

After 4.0.3 upgrade is applied, users cannot upgrade to Agent version 4.0.2.0 (they get a 404 message).

Workaround: With CAM/CAS 4.0.3/4.0.2.0 Agent, the CCAAgentUpgrade-4.0.2.0.tar.gz must be downloaded from Cisco Secure Downloads and uploaded to the CAM via Device Management > Clean Access > Clean Access Agent > Distribution.


Resolved Caveats - Release 4.0(3)

Table 22 List of Closed Caveats  

DDTS Number
Software Release 4.0(3)
Corrected
Caveat

CSCse82094

Yes

Single sign on with WLC fails

Customer has CCA with 4.0 and the Airespace WLC with 4.0 and has configured SSO with the WLC. Symptom seen is after the user authenticates, the Agent pops up and requests manual login. Captured sniffer trace shows the following.

1. A WLAN client associates to WLC SSID.
2. WLAN Authentication starts.
3. WLAN Authentication succeeds and WLC sends a start to CAS.
4. The WLAN client renews its DHCP address and WLC sends a stop to CAS.
5. DHCP process finishes and WLC sends another start to CAS.
6. CCA Client sends discoveries on UDP 8905 and 8906.
7. Manual login screen pops.

CSCse91635

Yes

System time changes after In-Place upgrade

CCA system time changes after performing In Place upgrade. The In-Place upgrade installer treats the BIOS time as GMT and then changes the system time.

CSCse96696

Yes

Changes in Time zone setting should be preserved across CAS / CAM reboot

Steps to reproduce:

1. Configure CAM & CAS using GUI
2. Go to CAM web page "Device Management > Clean Access Servers > IP Address > Misc > Time" to modify CAS time zone. [Or "Administration > Clean Access Manager > System Time" to modify CAM time zone]
3. Change time zone from the drop down menu
4. Click "Update Time Zone"
5. Reboot the CAS [or CAM]
6. Check the time zone on CAS [or CAM]. The time zone will be reset

Expected Results: Changes in time zone setting should be preserved across CAS / CAM reboot

CSCsf01786

Yes

/etc/grub.conf should be a symbolic link to /boot/grub/grub.conf

In 3.6.0~3.6.3 and 4.0.0, grub.conf is not changed correctly when ttyS0 is used as the heartbeat link. Some customers manually edited /etc/grub.conf as a workaround, and some of them broke the symbolic link by mistake.

The upgrade script should make sure /etc/grub.conf is a symbolic link to /boot/grub/grub.conf

CSCsf03465

Yes

Certificate import does not delete old .tomcat.csr file

When a private key/certificate combination is imported into either the CAM or the CAS, the existing .tomcat.csr file should be deleted. Otherwise, when the CSR is exported, it will be an incorrect CSR.

As a precaution, it is better to always generate a new CSR based on the current key and cert.

CSCsf08482

Yes

OpenSSL has issues verifying some root certificates

Problem is seen as follows:

Import the private key -- Success
Import the certificate -- Success
Import the Root certificate -- Success

When you click the verify and install certificates button you see an error message: "Error: Unable to establish certificate chains. Please upload the correct Root/Intermediate CA"

Problem happens for both CAM and CAS

CSCsf17230

Yes

Link creation from normal-webapps to webapps affects flexlm in HA

The link from admin-webapps & normal-webapps to webapps upon switching from standby to primary is not being created before the licenses are copied from the database.

CSCsf18052

Yes

VGW recovery from active-active HA status might cause spanning loop

How to reproduce:
1. Set up a virtual gateway failover pair with the heartbeat link on eth0 only (and with VLAN mapping).
2. Shut down switch port X, the port that eth0 of the active CAS1 connects to.
3. Standby CAS2 becomes active and the CAM connects to CAS2.
4. Enable port X. CAS1 and CAS2 detect the active-active status and restart themselves.
5. One of the CASs becomes active again, and the other becomes standby.
6. At this time, if a user sends broadcast requests (for example, DHCP discovery),
7. the broadcast request will cause a loop.

Workaround: Set up a serial link as the heartbeat link

CSCsf18821

Yes

Linux-HA Heartbeat Remote Denial of Service Vulnerability

Linux-HA heartbeat versions older than 1.2.5 and 2.0.7 are subject to a remote DoS attack (http://www.securityfocus.com/bid/19516/info).


Resolved Caveats - Release 4.0.2.2

Table 23 List of Closed Caveats  

DDTS Number
Software Release 4.0.2.2
Corrected
Caveat

CSCsf22777

Yes

4.0.2.0 Agent not compatible with 4.0.0/ 4.0.2 AD SSO

4.0.2.0 Agent sends OS information that cannot be understood by 4.0.0 and 4.0.2 CASs. Hence, AD SSO fails.

CSCsf22786

Yes

4.0.2.0 Agent incompatibility with 4.0.0/4.0.2 login

OS info sent by 4.0.2.0 Agent not understood by 4.0.0 and 4.0.2 CASs. Hence, after login, null OS is displayed. Also, no requirements get applied.


Resolved Caveats - Release 4.0.2.1

Table 24 List of Closed Caveats  

DDTS Number
Software Release 4.0.2.1
Corrected
Caveat

CSCse99396

Yes

VPN SSO attribute mapping does not assign the correct role in 4.0.2.

As a result, administrators using VPN SSO are experiencing users not placed in the correct role.


Resolved Caveats - Release 4.0(2)

Table 25 List of Closed Caveats  

DDTS Number
Software Release 4.0(2)
Corrected
Caveat

CSCse89648

Yes

Upgrade re-enables serial login

3.5.11, all 3.6 branch and all 4.0 branch upgrades enable serial login, even if it was previously disabled via the HA UI.

Workaround: After upgrading to one of the affected versions, go in via the UI and disable serial login again.

Note This issue affects 3.5(11), 3.6(3), 4.0(1)

CSCse90117

Yes

Macintosh breaks network connectivity if CAS configured w/ VLAN mapping

On L2 Inband CAS with VLAN mapping configured, if a Macintosh is introduced on the untrusted network and if the Macintosh is sending out DHCP requests, it breaks packet forwarding on the CAS for all users in the VLAN.

Symptoms include devices on the untrusted VLAN not being able to reach any device on the trusted network. Users will not be able to get an IP address.

Note This issue affects 3.6.3 and 4.0.1 only.

CSCse91178

Yes

Old chain certificate not deleted when temporary certificate regenerated

The old chain certificate (.chain.crt) is not deleted when a new temporary certificate is generated. Steps to reproduce:

1) Import a certificate
2) Import a root/intermediate root cert
3) Restart perfigo service
4) Generate a new temporary certificate

You will get SSL handshake errors. The old .chain.crt is still present. It will need to be deleted before SSL handshake can successfully occur.

Note This issue affects 4.0(0)

CSCse91268

Yes

Post-3.5 to 3.6/4.0 upgrade NIC switch, HA issue with SSKEY

When NICs are switched as a result of upgrading a 3.5 system to 3.6/4.0, the HA JSPs have an issue with the SSKEY. When CAM connects to the newly upgraded CASs, it detects that CAS SSKEY has changed and resets it to the old one. However, the CAS HA pages detect that the SSKEY is not what it should be and then changes it back.

Note This issue affects 4.0(0)


Resolved Caveats - Release 4.0(1)

Table 26 List of Closed Caveats  

DDTS Number
Software Release 4.0(1)
Corrected
Caveat

CSCei38858

Yes

CAS failover does not occur when untrusted (eth1) interface goes down

When the Clean Access Server is configured for LAN-based failover (i.e., not serial line failover) and the eth1 (untrusted) interface goes down on the Clean Access Server, failover does not commence.

There is no link-state failover, only system failover. If you stop the services or shut down the Clean Access Server, failover will work. However, this does not provide full reliability in the event that a NIC fails, a switchport fails, or some other network error occurs between the Clean Access Server and the network device to which it is connected.

CSCsd84038

Yes

CCA In-band virtual-access does not forward traffic between Access VLANs

CCA 3.5.6 deployed in virtual-gateway mode with a Catalyst 6500. Mapping multiple VLAN pairs such as:

10 (Auth VLAN) ---> 110 (Access VLAN)
20 (Auth VLAN) ---> 120 (Access VLAN) etc.

DG of the devices points to the MSFC of the access VLAN on Cat 6k.

Authenticated users can access the Internet and other resources not protected by the CAS. Likewise, they can access other resources within their access VLAN. They cannot, however, access resources in other access VLANs (that is, in the above example an authenticated user physically plugged into VLAN 10 could not reach a host physically on VLAN 20 / authenticated to VLAN 120). Packets that meet these criteria reach the untrusted interface of the CAS but are not forwarded back out the untrusted interface.

Issue is observed regardless of filters (and even if the devices are added to the exemption list). Moving one of the two devices directly to the access VLAN resolves the issue. Sniffer traces make it clear the drop is occurring at the CAS.

CSCse45772

Yes

Link-detect Timeout should not be mandatory when no link-detect IP entered

CSCse56062

Yes

OOB online users are not deleted when timer removes certified devices

When CAM is configured to use timer to remove certified devices, related OOB users are not deleted when timer removes certified devices.

CSCse60519

Yes

Cron job to sync system time not created or updated on HA-Inactive CAM

The file /etc/cron.daily/sync-time is created or updated when the time servers for the CAM are modified. This cron file does not get created on the high availability HA-Inactive CAM, thereby depriving the inactive system of the ability to sync its system time from the time servers on a regular basis. Steps to reproduce:

1. Setup CAM in HA-failover mode
2. Go to web page: Administration > Clean Access Manager > System Time
3. Change the time servers to "clock.cisco.com"
4. Verify the changes have been reflected in cron job /etc/cron.daily/sync-time on active CAM
5. Check the HA-Inactive CAM for the cron file /etc/cron.daily/sync-time. The file may either not be present or have old time server settings

Expected Results: The cron job file to sync the system time on HA-Inactive CAM should reflect the changes upon modification of time server settings on HA-Active CAM

Workaround: After modifying the time server settings on the HA-Active CAM, force a failover by shutting down the active CAM; this makes the inactive CAM take over the Service IP address. Then modify the time server settings on it and start the other CAM.

CSCse67864

Yes

VLAN name does not support special characters

When VLAN name support was added in 4.0.0, only letters and digits were accepted in a VLAN name. In IOS configuration, however, any ASCII character is allowed.

CSCse69355

Yes

DHCP renew fails using new Relay IP feature but release/renew works

This problem is seen when using the new CCA 4.0 feature where DHCP scopes can be defined on the CAS such that IP addresses are allocated based on the Relay IP address (say IP helper).

In this scenario, when the DHCP client performs an ipconfig /renew, the CAS sends a NAK. However, when the same client performs an ipconfig /release followed by ipconfig /renew, the CAS is seen to send an ACK.

CSCse71310

Yes

Radius Accounting does not work with CHECK-type device filter

Steps to reproduce:

1. Add the client's MAC address to the device filter as type "CHECK".
2. Configure [User Management > Auth Servers > Accounting].
3. When the client uses the CCA Agent to gain network access, the CAM fails to send "start" requests to the configured Radius accounting server, and there are errors in /perfigo/logs/perfigo-log0.log: "unable to find auth server...."

CSCse72371

Yes

CCA Agent could not recognize McAfee Enterprise + Anti-Spyware Module 8.0.0

CSCse72396

Yes

CCA Agent could not recognize CA eTrust Antivirus 7.1

CSCse73716

Yes

After upgrade to 4.0 L3 users from behind a NATed device

After upgrading to CCA 4.0, L3 users coming from behind a NATed device cannot log in. This is because the L3 mode in 4.0 has been enhanced to behave like L3 strict and hence will not allow users from behind a NAT device to log in if L3 is enabled. Some customers would like this to be optional, as it is with L2 and L2 strict.

Workaround:

1. SSH to CAS.
2. cd /perfigo/access/tomcat/webapps/auth/
3. cp perfigo_dm_validate.jsp perfigo_dm_validate.jsp.bak
4. Edit perfigo_dm_validate.jsp, and replace the line:

Boolean ipMismatch = (iplist.length() > 0 && 
iplist.indexOf(ipAddr) == -1);

with: Boolean ipMismatch = false;

Note If NAT-routers are allowed, only the first user behind the NAT router needs to login and get certified, and all other users connecting to that (wireless) NAT router will have free network access. So, the above workaround and fix for this should not be used if you want all the users from behind the NAT device to be logging in and certified/remediated.

CSCse74152

Yes

Serial Login disabling does not work

Serial Login capability did not work as intended in any 3.6 or 4.0 branch builds. On the Clean Access Server, the "Disable Serial Login" checkbox could be enabled or disabled, and the state of the Serial Login for that server would not change. On the Clean Access Manager, the instructions described a procedure that, if followed, would not alter the state of the Serial Login for that manager.

CSCse76201

Yes

Unknown publisher for 4.0.0 agent

CCA Agent 4.x has to be saved and then run, rather than run directly from the browser

With the new CCA 4.0.0.0 and 4.0.0.1 Agents, the agent software needs to be first saved to the PC before the installer can be executed. Running it off the browser itself will give an error similar to "Windows has found a problem with this file. Name: CCAAgent_Setup.exe Publisher: Unknown Publisher. The file was blocked because it does not have a valid digital signature that verifies its publisher". When the user clicks on the only option - "OK" the install does not take place.

This problem is not seen with the 3.6.x and 3.5.x agents

CSCse76848

Yes

After upgrading to 4.0, the first VPN 3K user's MAC is recorded

After upgrading to 4.0, for users coming in via VPN3K, the Online user list does not display the MAC-address of the concentrator inside. Instead, it displays the MAC-address of the first user who logs in (VPN client's MAC address).

CSCse81871

Yes

Perfigo script is not copied to /etc/init.d/perfigo in upgrade script

The perfigo script was modified to fix bug CSCse53459; however, this script is not copied (or linked) to /etc/init.d/perfigo.

CSCse81942

Yes

Display client AV/AS info in Agent report

In CAM 4.0.0 and lower, the Agent report only displays client AV/AS info when an AV/AS check fails. The AV/AS info should always be displayed in the Agent report, regardless of whether any AV/AS check is configured or fails.

CSCse84747

Yes

CCA Agent could not recognize Sophos Anti-Virus 6.x

CSCse85453

Yes

3.6 Agent cannot detect VPN SSO with 4.0.0 server

1) Seen on 3.6.3 Client, CAS and CAM running Radius SSO for VPN
2) CAS and CAM upgraded to 4.0.0
3) The 3.6.3 Clients no longer perform SSO.

Workaround: upgrade to a 4.0.0+ Agent

CSCse85994

Yes

CCA agent could not launch Sophos update

The Agent Update button could not launch virus definition update.

The problem exists in 3.6.3.0, 3.6.3.1 and 4.0.0.1 Agent

CSCse86002

Yes

CCA Agent could not launch Grisoft update

The Agent Update button could not launch Grisoft virus definition file update. The problem exists in 3.6.3.0, 3.6.3.1 and 4.0.0.1

CSCse87071

Yes

In-place upgrade fails for RAID arrays

The in-place upgrade does not detect RAID arrays whose device files are found in the /dev/cciss directory. This includes most Adaptec RAID cards.

To determine if a system will be affected by this bug, type:

df | sed -n -e "/\/$/p" | awk '{print $1}'

If the resulting device file starts with "/dev/cciss", then the in-place upgrade should not be attempted on this machine.


Resolved Caveats - Release 4.0.0.1

Table 27 List of Closed Caveats  

DDTS Number
Software Release 4.0.0.1
Corrected
Caveat

CSCsf22777

Yes

4.0.2.0 agent not compatible with 4.0.0/ 4.0.2 AD SSO

4.0.2.0 agent sends OS information that cannot be understood by 4.0.0 and 4.0.2 CASs. Hence, AD SSO fails.

CSCsf22786

Yes

4.0.2.0 agent incompatibility with 4.0.0/4.0.2 login

OS info sent by 4.0.2.0 agent not understood by 4.0.0 and 4.0.2 CASs. Hence, after login, null OS is displayed. Also, no requirements get applied.


Resolved Caveats - Release 4.0(0)

Table 28 List of Closed Caveats  

DDTS Number
Software Release 4.0(0)
Corrected
Caveat

CSCsc75335

Yes

SNMP traps for CCA error conditions not sent

CSCsd73487

Yes

Upgrade script fails to enable DHCP failover after migration from 3.5.x

CSCsd74376

Yes

CCA 3.6.x Reset Issues with HP servers with Broadcom NICs

BCM5702/5703/5704 NICs may reset and not come back up which leads to users being unable to SSH/ping/manage the CCA servers. This can be confirmed by checking /var/log/messages for output similar to that which is shown below:

Mar 21 11:43:02 cas2b kernel: NETDEV WATCHDOG: eth1: transmit timed out
Mar 21 11:43:02 cas2b kernel: tg3: eth1: transmit timed out, resetting
Mar 21 11:43:02 cas2b kernel: tg3: tg3_stop_block timed out, ofs=1400 enable_bit=2
Mar 21 11:43:02 cas2b kernel: tg3: tg3_stop_block timed out, ofs=c00 enable_bit=2
Mar 21 11:43:02 cas2b kernel: tg3: eth1: Link is down.
Mar 21 11:43:05 cas2b kernel: tg3: eth1: Link is up at 1000 Mbps, full duplex
Mar 21 11:43:05 cas2b kernel: tg3: eth1: Flow control is off for TX and off for RX.

Solution:

1. Customers can verify which type of NIC controller is being used on their CAM/CAS servers by looking at the output of the lspci -v command.

2. Customers with machines that have the 5702/5703/5704 Broadcom chipsets must apply the firmware upgrade from HP:
http://h18023.www1.hp.com/support/files/networking/us/download/24056.html

See also Known Issues with Broadcom NIC 5702/5703/5704 Chipsets for additional information.
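The /var/log/messages check described in this caveat, as an added example written for these notes (not Cisco's own tooling): it scans syslog-style kernel lines for tg3 transmit-timeout resets and reports interfaces that were reset but have not logged "Link is up" since, which is the unrecoverable case the caveat describes. SAMPLE_MESSAGES is a constructed log modelled on the excerpt above; the second interface and its timestamps are invented for the example.

```python
"""Added example (not Cisco NAC Appliance code): detect tg3 NIC resets in
/var/log/messages-style output and report interfaces that never came back."""
import re
from typing import Dict, List

# Constructed sample log, modelled on the excerpt quoted in caveat CSCsd74376.
SAMPLE_MESSAGES = """\
Mar 21 11:43:02 cas2b kernel: NETDEV WATCHDOG: eth1: transmit timed out
Mar 21 11:43:02 cas2b kernel: tg3: eth1: transmit timed out, resetting
Mar 21 11:43:02 cas2b kernel: tg3: tg3_stop_block timed out, ofs=1400 enable_bit=2
Mar 21 11:43:02 cas2b kernel: tg3: eth1: Link is down.
Mar 21 11:43:05 cas2b kernel: tg3: eth1: Link is up at 1000 Mbps, full duplex
Mar 21 11:43:05 cas2b kernel: tg3: eth1: Flow control is off for TX and off for RX.
Mar 21 11:58:40 cas2b kernel: NETDEV WATCHDOG: eth0: transmit timed out
Mar 21 11:58:40 cas2b kernel: tg3: eth0: transmit timed out, resetting
Mar 21 11:58:40 cas2b kernel: tg3: eth0: Link is down.
"""

SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
RESET_RE = re.compile(SYSLOG_PREFIX + r"tg3: (?P<iface>eth\d+): transmit timed out, resetting")
LINK_RE = re.compile(SYSLOG_PREFIX + r"tg3: (?P<iface>eth\d+): Link is (?P<state>up|down)")


def _entry(report: Dict[str, dict], iface: str) -> dict:
    return report.setdefault(iface, {"resets": 0, "recovered": True, "last_event": ""})


def analyze_tg3_resets(log_text: str) -> Dict[str, dict]:
    """Per interface: number of driver resets, whether the link came back up
    after the most recent reset, and the timestamp of the last event seen."""
    report: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = RESET_RE.match(line)
        if m:
            entry = _entry(report, m["iface"])
            entry["resets"] += 1
            entry["recovered"] = False          # stays False until 'Link is up' follows
            entry["last_event"] = m["ts"]
            continue
        m = LINK_RE.match(line)
        if m:
            entry = _entry(report, m["iface"])
            entry["recovered"] = m["state"] == "up"
            entry["last_event"] = m["ts"]
    return report


def stuck_interfaces(report: Dict[str, dict]) -> List[str]:
    """Interfaces that were reset and have not reported 'Link is up' since."""
    return sorted(i for i, e in report.items() if e["resets"] and not e["recovered"])


if __name__ == "__main__":
    rep = analyze_tg3_resets(SAMPLE_MESSAGES)
    for iface, e in sorted(rep.items()):
        print(iface, e)
    print("stuck:", stuck_interfaces(rep))
```

Run it against a copied /var/log/messages before and after applying the HP firmware upgrade; a non-empty stuck list on a box that is still unreachable over the network is the signature this caveat describes, and a rising reset count with recovered interfaces is the early warning.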

CSCsd79205

Yes

DB Sync in HA CAMs can be broken by restarting standby

CSCsd80006

Yes

Disabling an entry for Reserved IP in DHCP does not work

CSCse24415

Yes

Editing a disabled role policy should not enable it with no notification

CSCse38790

Yes

OS Detection Fingerprint updates not replicated to HA-Standby CAM

CSCse53459

Yes

Need to wait until heartbeat module's up before getting peer node status

CSCse64395

Yes

4.0 Agent does not resolve DNS for Windows SSO

Agent does not perform Windows SSO successfully when the certificates generated on the CAS are name based as opposed to IP based. It is seen that the client can resolve DNS successfully for the CAS name (used in the certificate) when the problem happens.

Workaround: Generate the CAS certificate with the IP address.

Note This issue is resolved with version 4.0.0.1 of the Clean Access Agent.


Known Issues for Cisco NAC Appliance

Known Issue with NAT/PAT Devices and L3 Deployments

Known Issues with HP ProLiant DL140 G3 Servers

Known Issue with NAC-3310 CD Installation

New Installation of Release 4.0(x)

Known Issues with Switches

Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)

Known Issues with Broadcom NIC 5702/5703/5704 Chipsets

Known Issue with MSI Agent Installer File Name

Known Issue with Windows 98/ME/2000 and Windows Script 5.6

Known Issue with NAT/PAT Devices and L3 Deployments

Cisco NAC Appliance does not support the use of a NAT/PAT device, such as a Firewall/Router, placed between users and the Clean Access Server in Layer 3 deployments. In Layer 3 deployments, where users are multiple hops away from the Clean Access Server, the CAS needs a unique user IP address for each client on which NAC enforcement is performed.

If NAT/PAT is used between the users and the CAS, all users appear to originate from the same IP address (the NAT/PATed IP) from a CAS perspective. Hence, only the first user goes through NAC enforcement, and after this user is certified, all remaining users are exempted from NAC enforcement.
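The comparison behind this known issue and behind the CSCse73716 workaround above, as an added example written for these notes (not Cisco's code): the L3 strict check treats a login as suspect when the source address the CAS observes is not among the addresses the Agent reports for its own interfaces, and a minimal certified-device list keyed by observed IP shows why, with that check switched off, the first certified user behind a NAT/PAT device lets everyone else behind it through. The list separator in parse_agent_iplist, the class and the result constants are assumptions of the example; the page only shows the CAS treating the Agent's list as a single string.

```python
"""Added example (not Cisco NAC Appliance code): the L3 'strict' source-address
comparison and a toy certified-device list that shows the NAT/PAT bypass."""
import ipaddress
from typing import Set

REJECTED = "rejected"       # observed source not among the agent-reported addresses
CERTIFIED = "certified"     # went through posture assessment
BYPASSED = "bypassed"       # address already certified, no assessment performed


def parse_agent_iplist(iplist: str) -> set:
    """Agent-reported interface addresses. A comma/semicolon-separated string is
    an assumption of this example; invalid tokens raise ValueError."""
    addrs = set()
    for tok in iplist.replace(";", ",").split(","):
        tok = tok.strip()
        if tok:
            addrs.add(ipaddress.ip_address(tok))
    return addrs


def ip_mismatch(iplist: str, observed_src: str) -> bool:
    """Equivalent of the JSP expression the CSCse73716 workaround replaces:
    True when the agent reported addresses and the observed source is not one
    of them. An empty list yields False, as in the original expression.
    Addresses are compared whole, so 10.0.0.1 is not accepted for 10.0.0.10."""
    reported = parse_agent_iplist(iplist)
    return bool(reported) and ipaddress.ip_address(observed_src) not in reported


class L3CertifiedDevices:
    """Certified-device list keyed by the IP the CAS sees, which is all an L3
    deployment has to go on when the client is several hops away."""

    def __init__(self, strict: bool = True):
        self.strict = strict
        self.certified: Set[str] = set()

    def login(self, observed_src: str, agent_iplist: str) -> str:
        if self.strict and ip_mismatch(agent_iplist, observed_src):
            return REJECTED
        if observed_src in self.certified:
            return BYPASSED                      # no posture check for this user
        self.certified.add(observed_src)
        return CERTIFIED


if __name__ == "__main__":
    # Constructed scenario: two users behind a NAT router whose outside address is 203.0.113.5
    for strict in (True, False):
        cas = L3CertifiedDevices(strict=strict)
        print("strict" if strict else "workaround applied")
        print("  user A:", cas.login("203.0.113.5", "192.168.1.10"))
        print("  user B:", cas.login("203.0.113.5", "192.168.1.11"))
        print("  direct:", cas.login("198.51.100.7", "198.51.100.7"))
```

With strict on, both NAT users are rejected and only the directly connected host is certified; with the workaround applied, user A is assessed and user B is waved through on A's address, which is exactly the exemption the note under CSCse73716 warns about.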

Known Issues with HP ProLiant DL140 G3 Servers

The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for detailed instructions.

Known Issue with NAC-3310 CD Installation

The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM.

When following the CD-ROM system software installation procedures outlined in Chapter 2: "Installing the Clean Access Manager" of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0 and Chapter 4: "Installing the Clean Access Server NAC Appliance" of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.0, users installing release 4.0(5) on a NAC-3310 appliance (both MANAGER and SERVER) from a CD-ROM are presented with the following prompt during the installation process:

Cisco Clean Access Installer (C) 2007 Cisco Systems, Inc. 
Welcome to the Cisco Clean Access Installer! 
- To install a Cisco Clean Access device, press the <ENTER> key. 
- To install a Cisco Clean Access device over a serial console, enter serial at the boot 
prompt and press the <ENTER> key.
boot:

The standard procedure asks you to press "Enter" or, if installing via a serial console connection, enter serial at the "boot:" prompt. For release 4.0(5), however, NAC-3310 customers are required to enter one of the following instead:

DL140—if you are directly connected (monitor, keyboard, and mouse) to the NAC-3310

serial_DL140—if you are installing the software via serial console connection

After you enter either of these commands, the Package Group Selection screen appears where you can then specify whether you are setting up a Clean Access Manager or Clean Access Server and install the system software following the standard installation process.

Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection

When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.

Known Issues with Switches

For complete details, see Switch Support for Cisco NAC Appliance.

Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)

Due to changes in DHCP server operation with Cisco NAC Appliance release 4.0(2) and above, networks with Cisco 2200/4400 Wireless LAN Controllers (also known as Airespace WLCs) which relay requests to the Clean Access Server (operating as a DHCP server) may have issues. Client machines may be unable to obtain DHCP addresses. Refer to Switch Support for Cisco NAC Appliance for detailed instructions.


Note For further details on configuring DHCP options, see the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide, Release 4.0.


Known Issues with Broadcom NIC 5702/5703/5704 Chipsets

Customers running Cisco NAC Appliance release 4.0(x) on servers with 5702/5703/5704 Broadcom NIC cards may be impacted by caveat CSCsd74376. Server models with Broadcom 5702/5703/5704 NIC cards may include: Dell PowerEdge 850, CCA-3140-H1, HP ProLiant DL140 G2/ DL360/DL380. This issue involves the repeated resetting of the Broadcom NIC cards. The NIC cards do not recover from some of the resets causing the machine to become unreachable via the network.

For details, see the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).

Known Issue with MSI Agent Installer File Name

The Clean Access Agent stub installer (either MSI or EXE) allows administrators to install and update the Clean Access Agent on client machines for users without administrator privileges. The Clean Access Agent MSI (Microsoft Installer format) file can be obtained in one of the following ways:

Download and unzip the Clean Access Agent MSI file (CCAAgentMSIStub.zip) from the Clean Access Manager by clicking the CCAA MSI Stub download button from the Device Management > Clean Access > Clean Access Agent > Distribution page of the CAM web console (4.0.x).

Download the Clean Access Agent MSI file (CCAAgent-<version>.msi) from the Cisco Software Download site at http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-agent.


Caution Make sure the .msi file is named "CCAAgent.msi" before installing it, particularly if downloading the file from Cisco Secure Software (where the version is specified in the download filename). Renaming the file to "CCAAgent.msi" ensures that the install package can remove the previous version then install the latest version when upgrading the Agent on clients.

Known Issue with Windows 98/ME/2000 and Windows Script 5.6

Windows Script 5.6 is required for proper functioning of the Clean Access Agent in release 3.6(x) and above. Most Windows 2000 and older operating systems come with Windows Script 5.1 components. Microsoft automatically installs the new 5.6 component on performing Windows updates. Windows installer components 2.0 and 3.0 also require Windows Script 5.6. However, PC machines with a fresh install of Windows 98, ME, or 2000 that have never performed Windows updates will not have the Windows Script 5.6 component. Cisco Clean Access cannot redistribute this component as it is not provided by Microsoft as a merge module/redistributable.

In this case, administrators will have to access the MSDN website to get this component and upgrade to Windows Script 5.6. For convenience, links to the component from MSDN are listed below:

Win 98, ME, NT 4.0:

Filename: scr56en.exe

URL: http://www.microsoft.com/downloads/details.aspx?familyid=0A8A18F6-249C-4A72-BFCF-FC6AF26DC390&displaylang=en

Win 2000, XP:

Filename: scripten.exe

URL: http://www.microsoft.com/downloads/details.aspx?familyid=C717D943-7E4B-4622-86EB-95A22B832CAA&displaylang=en


Tip If these links change on MSDN, try a search for the file names provided above or search for the phrase "Windows Script 5.6."


New Installation of Release 4.0(x)

If you purchased and/or are performing a new installation of Cisco NAC Appliance (Cisco Clean Access), use the steps described below.

If performing upgrade, refer to the instructions in Upgrading to 4.0(x).

If performing CD installation on a NAC-3390 (Super Manager) refer to Upgrading or Installing Super Manager Software.

For New Installation:

1. If you are going to perform a new installation but are running a previous version of Cisco Clean Access, back up your current Clean Access Manager installation and save the snapshot on your local computer, as described in General Preparation for Upgrade.

2. Follow the instructions on your welcome letter to obtain a license file for your installation. See Cisco NAC Appliance Service Contract/Licensing Support for details. (If you are evaluating Cisco Clean Access, visit http://www.cisco.com/go/license/public to obtain an evaluation license.)

3. Install the latest version of 4.0(x) on each Clean Access Server and Clean Access Manager, as follows:

a. Insert the product CD in the CD-ROM drive for each target installation machine, and follow the auto-run procedures.

b. Or, login to Cisco Secure Software and download the latest 4.0.x.ISO from http://www.cisco.com/public/sw-center/ciscosecure/cleanaccess.shtml and burn it as a bootable disk to a CD-R. Insert the CD into the CD-ROM drive of each installation server. Follow the instructions in the auto-run installer.


Warning If you are installing new system software from a CD-ROM (rather than performing an upgrade) on a NAC-3310 (both MANAGER and SERVER), you must enter DL140 or serial_DL140 at the "boot:" prompt. For details, see Important Installation Notes for NAC-3310.


4. After software installation, access the Clean Access Manager web admin console by opening a web browser and typing the IP address of the CAM as the URL. The Clean Access Manager License Form will appear the first time you do this to prompt you to install your FlexLM license files.

5. Install a valid FlexLM license file for the Clean Access Manager (either evaluation, starter kit, or individual license). You should have already acquired license files as described in Cisco NAC Appliance Service Contract/Licensing Support.

6. At the admin login prompt, login with the default user name and password admin/cisco123 or with the web console username and password you configured when you installed the Clean Access Manager.

7. In the web console, navigate to Administration > CCA Manager > Licensing if you need to install any additional FlexLM license files for your Clean Access Servers.

8. For detailed software installation steps and further steps for adding the Clean Access Server(s) to the Clean Access Manager and performing basic configuration, refer to the following guides:

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0

Cisco NAC Appliance - Clean Access Server Installation and Administration Guide, Release 4.0


Note Clean Access Manager 4.0.6.1 is bundled with Clean Access Agent 4.0.6.1.


Upgrading to 4.0(x)

This section provides instructions for how to upgrade your existing Cisco Clean Access system to release 4.0(x).

Refer to the following general information prior to upgrade:

Notes on 4.0(x) Upgrade

Settings That May Change With Upgrade

General Preparation for Upgrade

Refer to one of the following sets of upgrade instructions for the upgrade you need to perform:

In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines

In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs

Upgrading from 3.6(x)/4.0(x) —Standalone Machines

Upgrading from 3.6(x)/4.0(x)—HA-Pairs

Upgrading or Installing Super Manager Software

If you need to perform a fresh installation of the software, refer instead to New Installation of Release 4.0(x).

If you need to upgrade from a much older version of Cisco Clean Access, you may need to perform an interim upgrade to a version that is supported for upgrade to 4.0(x). In this case, refer to the applicable Release Notes for upgrade instructions for the interim release. Cisco recommends that you always test new releases on a different system first before upgrading your production system.

Notes on 4.0(x) Upgrade

If planning to upgrade to Cisco NAC Appliance (Cisco Clean Access) 4.0.6.1 GD, note the following:

Cisco NAC Appliance (Cisco Clean Access) release 4.0.6.1 GD is a software upgrade release with General Deployment status.

Cisco recommends you use the console/SSH upgrade procedure to upgrade from release 3.6(x) or 4.0(x) to release 4.0.6.1. See Console/SSH Upgrade—Standalone Machines.


Note When upgrading from 3.6(x)/4.0(x) to 4.0(4) or above, you can only perform web console upgrade on standalone (non-HA) CAM machines if they have been patched for caveat CSCsg24153. Standalone CAS machines will still need to be upgraded from 3.6(x)/4.0(x) to the latest 4.0(x) release using the console/SSH upgrade procedure.

If the system has not already been patched, upgrade both your machines via console/SSH. For details on Patch-CSCsg24153, refer to the README-CSCsg24153 file under http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches.



Warning Web upgrade is NOT supported for software upgrade of HA-CAM pairs. Upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.


You can upgrade from release 3.5(7), 3.5(8), 3.5(9), 3.5(10), or 3.5(11) to 4.0.6.1 using the in-place upgrade procedure, in which the installation CD is used to upgrade each machine in place. See In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines.

Read and review the installation or upgrade instructions completely before starting. The 3.5(7)+ to 4.0(x) in-place upgrade procedure is different from minor release upgrades and requires physical CD installation.

If you have existing users, test the ED release in your lab environment first and complete a pilot phase prior to production deployment.


Note Your production license will reference the MAC address of your production CAM. When testing on a different machine before upgrading your production Cisco NAC Appliance environment, you will need to get a trial license for your test servers. For details, refer to How to Obtain Evaluation Licenses.



Note Release 4.0(1) is obsoleted. If your system is running 4.0(1) or 3.5(x) or 3.6(x) and you wish to upgrade to release 4.0(x), upgrade to the latest 4.0(x) release directly.


Settings That May Change With Upgrade

5702/5703/5704 Broadcom NIC chipsets: If your system uses 5702/5703/5704 Broadcom NIC chipsets, and you are running either 4.0(x) or 3.6(x) or upgrading from 3.5(x), you will need to perform a firmware upgrade from HP. See Known Issues with Broadcom NIC 5702/5703/5704 Chipsets for details.

Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs): If using the CAS as a DHCP server in conjunction with Airespace WLCs, you may need to configure DHCP options as described in Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).

OOB Deployments: Because Cisco NAC Appliance can control switch trunk ports for OOB (starting from release 3.6(1) +), please ensure the uplink ports for controlled switches are configured as "uncontrolled" ports either before or after upgrade.


Note For additional OOB troubleshooting, see also Switch Support for Cisco NAC Appliance.


DHCP Options: When upgrading from 3.5/3.6 to 4.0, any existing DHCP options on the CAS are not retained. Administrators must re-enter any previously configured DHCP options using the newly-enhanced Global Options page.

SNMP Settings: When upgrading from 3.5/3.6 to 4.0, any existing SNMP traps configured on the CAM are not retained. Administrators must re-enter any previously configured SNMP settings using the newly-enhanced SNMP page.

General Preparation for Upgrade


Caution Please review this section carefully before commencing any Cisco NAC Appliance upgrade.

Homogenous Clean Access Server Software Support

You must upgrade your Clean Access Manager and all your Clean Access Servers concurrently. The Cisco NAC Appliance architecture is not designed for heterogeneous support (i.e., some Clean Access Servers running 4.0 software and some running 3.6 software).

Upgrade Downtime Window

Depending on the number of Clean Access Servers you have, the upgrade process should be scheduled as downtime. For minor release upgrades (e.g. 4.0.0 to 4.0.x), our estimates suggest that it takes approximately 15 minutes for the Clean Access Manager upgrade and 10 minutes for each Clean Access Server upgrade. Use this approximation to estimate your downtime window.


Note Allow more time for the 3.5(7)+ to 4.0(x) in-place upgrade procedure, particularly for high-availability (failover) pairs of machines.


Clean Access Server Effect During Clean Access Manager Downtime

While the Clean Access Manager upgrade is being conducted, the Clean Access Server (which has not yet been upgraded, and which loses connectivity to the Clean Access Manager during Clean Access Manager restart or reboot) continues to pass authenticated user traffic.


Caution New users will not be able to logon or be authenticated until the Clean Access Server re-establishes connectivity with the Clean Access Manager.

High Availability (Failover) Via Serial Cable Connection

When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.

Database Backup (Before and After Upgrade)

For additional safekeeping, Cisco recommends you manually back up your current Clean Access Manager installation (using Administration > Backup) both before and after the upgrade and to save the snapshot on your local computer. Make sure to download the snapshots to your desktop/laptop for safekeeping. Backing up prior to upgrade enables you to revert to your previous 3.5(x) or 3.6(x) database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your 4.0 database. After the migration is completed, go to the database backup page (Administration > Backup) in the CAM web console. Download and then delete all earlier snapshots from there as they are no longer compatible. See also Create CAM DB Backup Snapshot.


Warning You cannot restore a 3.6 or earlier database to a 4.0 Clean Access Manager.


Software Downgrade

Once you have upgraded your software to 4.0, if you wish to revert to your previous version of CCA software, you will need to reinstall the previous CCA version from the CD and recover your configuration based on the backup you performed prior to upgrading to 4.0.

Passwords

For upgrade via console/SSH, you will need your CAM and CAS root user password (default password is cisco123). For web console upgrade, you will need your CAM web console admin user password (and, if applicable, CAS direct access console admin user password).

In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines

This section describes the in-place upgrade procedure for upgrading your standalone CAM/CAS from release 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11)+ to the latest 4.0(x) release. If you have high-availability (HA) pairs of CAM or CAS servers, refer instead to In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs.


Note Review the following sections before proceeding with the in-place upgrade instructions:

Upgrading to 4.0(x)

Settings That May Change With Upgrade

General Preparation for Upgrade


In-Place Upgrade Summary

The Cisco Clean Access 4.0 upgrade is different from previous upgrades. Please be sure to read the documentation before proceeding.

The Cisco Clean Access 4.0 upgrade will create a complete snapshot of the configuration of your existing deployment, including failover information.

The Cisco Clean Access 4.0 upgrade will not restore local user directories, log files, manually created database snapshots, or nightly database snapshots older than last night's. Any of the above files that are valuable must be backed up separately prior to upgrading.

The upgrade automatically determines from the upgrade snapshot whether the machine is a CAS or a CAM as well as all normal configuration utility settings, such as IP address.

The upgrade will create a log of its activities in the usual upgrade.html and details.html files.

The upgrade will print a warning and exit if too many large files are stored in your Clean Access Manager database. The limit is currently 90 MB for machines with 256 MB of memory, or available memory/2 for machines with more than 256 MB of memory.

Summary of Steps for In-Place Upgrade (Standalone Machines)

The sequence of steps for in-place upgrade is as follows:

1. Create the Installation CD

2. Mount the CD-ROM and Run the Upgrade File

3. Swap Ethernet Cables (if Necessary)

4. Complete the In-Place Upgrade

Create the Installation CD


Step 1 If you already have the 4.0(x) installation CD shipped with your deployment of Cisco NAC Appliance, continue to Mount the CD-ROM and Run the Upgrade File.

Step 2 If the 4.0(x) installation CD is not shipped with your deployment of Cisco NAC Appliance, you can easily create your own installation CD by logging into Cisco Downloads (http://www.cisco.com/public/sw-center/sw-ciscosecure.shtml).

Step 3 Click the link for Cisco Clean Access Software. On the Cisco Secure Software page for Cisco Clean Access, click the link for the appropriate 4.0(x) release. Download the following file to a local computer (replace the .x in the filename with the appropriate version, for example, cca-4.0_6-K9.iso):

cca-4.0_x-K9.iso

Step 4 Use a CD burning tool on your local computer to burn this ISO file as a bootable CD-ROM.

Mount the CD-ROM and Run the Upgrade File

Once you have a 4.0(x) product or installation CD, perform the following steps on each CAM and CAS to upgrade each machine from 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11) to release 4.0(x).


Caution The Clean Access Manager and Server software is not intended to coexist with other software or data on the target machine. The installation process formats and partitions the target hard drive, destroying any data or software on the drive. Before starting the installation, make sure that the target computer does not contain any data or applications that you need to keep.

Step 5 For each machine to upgrade (either Clean Access Manager or Clean Access Server), connect to the machine either via console or using Putty or SSH.

a. Connect to the machine.

b. Login as user root with the root user password (default password is cisco123).


Warning Do not use SSH connection to upgrade Virtual Gateway CASes. Use direct console connection (keyboard/monitor/KVM) if upgrading Virtual Gateway Clean Access Servers. You can use serial console connection for standalone CASes only.


Step 6 Insert the 4.0(x) installation CD into the CD-ROM drive of the machine to be upgraded.

Step 7 Mount the CD-ROM on the machine to be installed (use the command: mount /dev/cdrom /<mountpoint directory>), for example:

mount /dev/cdrom /mnt

Step 8 Change to the mountpoint directory:

cd /mnt

Step 9 Run the upgrade file:

./upgrade.sh

Note For in-place upgrade, the upgrade.sh command must be lower-case.


Step 10 You will see the following banner:

[root@<ccahostname> root]# /mnt/upgrade.sh 
Upgrade works for 3.5.7-3.5.11, continuing
############################################################
#         Welcome to Cisco Clean Access 4.0 upgrade        #
############################################################
The Cisco Clean Access 4.0 upgrade.
The 4.0 upgrade is different from previous upgrades. Please
be sure to read the documentation before proceeding

The Cisco Clean Access 4.0 upgrade will create a complete
snapshot of the configuration of your existing deployment,
including failover information.

The Cisco Clean Access 4.0 upgrade will not restore local
user directories, log files, manually created database snapshots, 
or nightly database snapshots older than last nights. Any of the above
files that are valuable must be backed up separately prior to upgrading.

Step 11 At the following prompt, type y to continue with the upgrade:

Continue with upgrade? (y/n)? [y] 

Step 12 The upgrade proceeds and the system performs a reboot:

Upgrade continuing
Backing up <"Clean Access Manager" or "Clean Access Server IP"> 
Backup complete, system will reboot in 5 seconds

Step 13 The Cisco Clean Access Installer Welcome Screen then appears after the system restarts. At the "boot:" prompt, press Enter if connected directly to the server machine, or type serial and press Enter if connected serially to the machine:

Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.
                Welcome to the Cisco Clean Access Installer!

 - To install a Cisco Clean Access device, press the <ENTER> key.
 - To install a Cisco Clean Access device over a serial console, 
 enter serial at the boot prompt and press the <ENTER> key.
boot: 

Step 14 The 4.0(x) upgrade then automatically proceeds for approximately 2-5 minutes and the system will reboot one or more times. The display will show the Cisco Clean Access System Installer formatting the hard drive and installing each package.

Swap Ethernet Cables (if Necessary)

Step 15 Before the next automatic reboot, a warning message may be displayed if the new kernel has detected that NIC cards have been re-ordered. If this occurs, the Ethernet cables for eth0 and eth1 must be swapped on the machine. After swapping cables, press the Enter key and proceed with the installation as usual. NIC card re-ordering only occurs when upgrading from previous 3.5 installations; it will occur only once and only during this stage of the installation.

CCA has detected a change in your networking hardware configuration.
Please switch the network cables between eth0 and eth1.

Press [ENTER] to continue...

Step 16 After pressing Enter on the previous step, the machine will reboot, then reboot again, then come up normally.

Complete the In-Place Upgrade

Step 17 The 4.0(x) upgrade is successfully installed when the installation CD is ejected from the machine and the login prompt appears:

<ccahostname> login: 

Step 18 If you want to verify the software version, machine (CAM or CAS), and version date, you can login as user root with root user password and type the following command:

[root@<ccahostname> ~]# cat /perfigo/build 

Step 19 This completes the 4.0(x) upgrade procedure. Repeat the procedure for each machine to be upgraded to 4.0(x).


Note After performing 3.5(x)-to-4.0(x) migration, the very first time you log into the 4.0(x) CAM web console, the CAM will attempt an automated Cisco Update to populate the AV/AS tables in the database. A popup dialog with following message will appear:

"The system detects that it has just been upgraded to a newer version. It is now trying to 
connect to the Cisco server to get the checks/rules and AV/AS support list update. It 
might take a few minutes."

If the automated update fails (for example, due to incorrect proxy settings on your CAM), you will be prompted to perform Cisco Updates manually from Device Management > Clean Access > Clean Access Agent > Updates. A Cisco Update must be performed (whether automated or manual) before any new AV/AS rules can be configured.


In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs

This section describes the in-place upgrade procedure for upgrading high-availability (HA) pairs of CAM or CAS servers from release 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11)+ to the latest 4.0(x) release.

If you have standalone CAM/CAS servers, refer instead to In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines.


Note Review the following sections before proceeding with the in-place HA upgrade instructions:

Upgrading to 4.0(x)

Settings That May Change With Upgrade

General Preparation for Upgrade

Upgrading from 3.6(x)/4.0(x)—HA-Pairs (general instructions)


Summary of Steps for In-Place Upgrade (HA Pairs)

The sequence of steps for HA in-place upgrade is as follows:

1. Prepare for HA Upgrade

2. Determine Active and Standby Machines

3. Shut Down Standby Machine and Upgrade Active Machine In-Place

4. Shut Down Active Machine and Upgrade Standby Machine In-Place

5. Complete the HA In-Place Upgrade


Warning Make sure to follow this procedure to prevent the database from getting out of sync.


Prepare for HA Upgrade


Step 1 Ensure you already have the latest 4.0(x) product CD. If not, follow the steps to Create the Installation CD.

Step 2 Connect to each machine in the failover pair. Login as the root user with the root password (default is cisco123).


Warning Do not use SSH connection to upgrade Virtual Gateway CASes. Use direct console connection (keyboard/monitor/KVM) if upgrading Virtual Gateway Clean Access Servers. You can use serial console connection for standalone CASes only.

If you are using serial connection for HA, do not attempt to connect serially to the CAS during the upgrade procedure. When serial connection is used for HA, serial console/login will be disabled and serial connection cannot be used for installation/upgrade.

If you are using serial connection for HA, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.


Determine Active and Standby Machines

Step 3 Determine which box is active, and which is in standby mode, and that both are operating normally, as follows:


Note The fostate.sh command (failover state) is part of the upgrade script (starting from 3.5(3)+), and is located under /perfigo/common/bin/fostate.sh (from 4.0.2+) and/or under each upgrade directory (i.e. /store/cca_upgrade-<version>/). If needed, you can use locate fostate.sh to find the exact path of the command (you may be prompted to run the updatedb command first).


a. Locate the failover state command (fostate.sh) by changing directory to /perfigo/common/bin/ or /store/<any post-3.5.3 upgrade directory> on each machine, for example:

cd /store/cca_upgrade_3.5.x

b. Perform ls to verify fostate.sh is in the directory.

c. Run the command on each machine:

./fostate.sh 

The results should be either "My node is active, peer node is standby" or "My node is standby, peer node is active". No nodes should be dead. This should be done on both boxes, and the results should be that one box considers itself active and the other box considers itself in standby mode. Future references in these instructions that specify "active" or "standby" refer to the results of this test as performed at this time.
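The sanity check in Step 3, written as a small POSIX shell helper (an added example, not part of Cisco's upgrade scripts): it parses the fostate.sh output captured from each box and confirms that one box reports active/standby and the other standby/active with no node dead, and it can also check a single box against the state the later steps expect (active/dead after the first box is upgraded, standby/active once both are back). The function names and the sample lines are mine; the only page-given item is the /perfigo/common/bin/fostate.sh path.

```shell
#!/bin/sh
# Parse one line of fostate.sh output into "<self>:<peer>", e.g. "active:standby".
# Returns 1 if the line is not in the "My node is X, peer node is Y" form.
fostate_parse() {
    line=$1
    case "$line" in
        "My node is "*", peer node is "*) ;;
        *) return 1 ;;
    esac
    self=${line#My node is }
    self=${self%%,*}
    peer=${line##*peer node is }
    printf '%s:%s\n' "$self" "$peer"
}

# Pre-upgrade check: given the fostate.sh output from box A and box B, succeed only
# when one box is active/standby and the other standby/active. Prints why it failed.
fostate_pair_ok() {
    a=$(fostate_parse "$1") || { echo "box A: unrecognised fostate output" >&2; return 1; }
    b=$(fostate_parse "$2") || { echo "box B: unrecognised fostate output" >&2; return 1; }
    case "$a $b" in
        *dead*) echo "a node is reported dead: $a / $b" >&2; return 1 ;;
    esac
    case "$a:$b" in
        active:standby:standby:active|standby:active:active:standby) return 0 ;;
        active:standby:active:standby) echo "both boxes consider themselves active" >&2; return 1 ;;
        standby:active:standby:active) echo "both boxes consider themselves standby" >&2; return 1 ;;
        *) echo "inconsistent failover states: $a / $b" >&2; return 1 ;;
    esac
}

# Per-step check on one box: does the captured output match the expected state?
# Use "active:dead" after upgrading the first box, "standby:active" at the end.
fostate_expect() {
    expected=$1
    actual=$(fostate_parse "$2") || return 1
    [ "$actual" = "$expected" ]
}

# Usage on a real pair (hypothetical hostnames): capture each box's output, then compare.
#   out_a=$(ssh root@camanager1 /perfigo/common/bin/fostate.sh)
#   out_b=$(ssh root@camanager2 /perfigo/common/bin/fostate.sh)
#   fostate_pair_ok "$out_a" "$out_b" && echo "pair is consistent, safe to proceed"
if [ "${1:-}" = "--demo" ]; then
    # Constructed sample output for a healthy pair.
    fostate_pair_ok "My node is active, peer node is standby" \
                    "My node is standby, peer node is active" && echo "demo pair OK"
fi
```
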

Shut Down Standby Machine and Upgrade Active Machine In-Place

Step 4 Bring the box acting as the standby down by entering the following command via the console or SSH terminal:

shutdown -h now

Step 5 Wait until the standby box is completely shut down.

Step 6 Insert the 4.0(x) installation CD into the CD-ROM drive of the Active machine to be upgraded.

Step 7 Mount the CD-ROM on the Active machine (use the command: mount /dev/cdrom /<mountpoint directory>), for example:

mount /dev/cdrom /mnt

Step 8 Change to the mountpoint directory:

cd /mnt

Step 9 Run the upgrade file:

./upgrade.sh

Note For in-place upgrade, the upgrade.sh command must be lower-case.


Step 10 You will see the following banner:

[root@<ccahostname> root]# /mnt/upgrade.sh 
Upgrade works for 3.5.7-3.5.11, continuing
############################################################
#         Welcome to Cisco Clean Access 4.0 upgrade        #
############################################################
The Cisco Clean Access 4.0 upgrade.
The 4.0 upgrade is different from previous upgrades. Please
be sure to read the documentation before proceeding

The Cisco Clean Access 4.0 upgrade will create a complete
snapshot of the configuration of your existing deployment,
including failover information.

The Cisco Clean Access 4.0 upgrade will not restore local
user directories, log files, manually created database snapshots, 
or nightly database snapshots older than last nights. Any of the above
files that are valuable must be backed up separately prior to upgrading.

Step 11 At the following prompt, type y to continue with the upgrade:

Continue with upgrade? (y/n)? [y] 

Step 12 The upgrade proceeds and the system performs a reboot. The upgrade script performs the backup then the regular install takes place.

Upgrade continuing
Backing up <"Clean Access Manager" or "Clean Access Server IP"> 
Backup complete, system will reboot in 5 seconds

Step 13 The Cisco Clean Access Installer Welcome Screen then appears after the system restarts. At the "boot:" prompt, press Enter if connected directly to the server machine, or type serial and press Enter if connected serially to the machine:

Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.
                Welcome to the Cisco Clean Access Installer!

 - To install a Cisco Clean Access device, press the <ENTER> key.
 - To install a Cisco Clean Access device over a serial console, 
 enter serial at the boot prompt and press the <ENTER> key.
boot: 

Step 14 The 4.0(x) upgrade then automatically proceeds for approximately 2-5 minutes and the system will reboot one or more times. The display will show the Cisco Clean Access System Installer formatting the hard drive and installing each package.

Step 15 If a warning displays because NIC cards have been re-ordered, follow the instructions for Swap Ethernet Cables (if Necessary).


Note For CAM upgrade, the 4.0.6.1 upgrade script automatically upgrades the Clean Access Agent files inside the CAM to version 4.0.6.1.


Step 16 After pressing Enter on the previous step, the machine will reboot, then reboot again, then come up normally with the following messages:

For an upgraded Active HA-CAM:

Starting perfigo: Starting High-Availability services:
[OK]
Please wait while bringing up service IP.
Heartbeat service is running.
Service IP is up on local node.
[OK]
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
camanager1 login:

For an upgraded Active HA-CAS:

Starting perfigo: Starting IPSec...
click: starting router thread pid 2826 (f7576800)
Starting High-Availability services:
[OK]
[OK]
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
caserver1 login:

Step 17 At the next prompt, run the fostate.sh command again to verify that the failover state of the machine is "My node is active, peer node is dead":

[root@<ccahostname> ~]# /perfigo/common/bin/fostate.sh
My node is active, peer node is dead

Shut Down Active Machine and Upgrade Standby Machine In-Place

Step 18 After the upgrade is completed, shut down the active box (e.g. camanager1 or caserver1 in the example) by entering the following command via the console or SSH terminal:

shutdown -h now

Step 19 Wait until the active box is done shutting down:

Stopping High-Availability services:
[OK]

Step 20 Boot up the standby box by powering up the box.

Step 21 Insert the 4.0(x) installation CD into the CD-ROM drive of the standby machine to be upgraded.

Step 22 Mount the CD-ROM on the standby machine (use the command: mount /dev/cdrom /<mountpoint directory>), for example:

mount /dev/cdrom /mnt

Step 23 Change to the mountpoint directory:

cd /mnt

Step 24 Run the upgrade file:

./upgrade.sh

Note For in-place upgrade, the upgrade.sh command must be in lower-case.


Step 25 You will see the following banner:

[root@<ccahostname> root]# /mnt/upgrade.sh 
Upgrade works for 3.5.7-3.5.11, continuing
############################################################
#         Welcome to Cisco Clean Access 4.0 upgrade        #
############################################################
The Cisco Clean Access 4.0 upgrade.
The 4.0 upgrade is different from previous upgrades. Please
be sure to read the documentation before proceeding

The Cisco Clean Access 4.0 upgrade will create a complete
snapshot of the configuration of your existing deployment,
including failover information.

The Cisco Clean Access 4.0 upgrade will not restore local
user directories, log files, manually created database snapshots, 
or nightly database snapshots older than last nights. Any of the above
files that are valuable must be backed up separately prior to upgrading.

Step 26 At the following prompt, type y to continue with the upgrade:

Continue with upgrade? (y/n)? [y] 

Step 27 The upgrade proceeds and the system performs a reboot. The upgrade script performs the backup then the regular install takes place.

Upgrade continuing
Backing up <Clean Access Manager or Clean Access Server IP> 
Backup complete, system will reboot in 5 seconds

Step 28 The Cisco Clean Access Installer Welcome Screen then appears after the system restarts. At the "boot:" prompt, press Enter if connected directly to the server machine, or type serial and press Enter if connected serially to the machine:

Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.
                Welcome to the Cisco Clean Access Installer!

 - To install a Cisco Clean Access device, press the <ENTER> key.
 - To install a Cisco Clean Access device over a serial console, 
 enter serial at the boot prompt and press the <ENTER> key.
boot: 

Step 29 The 4.0(x) upgrade then automatically proceeds for approximately 2-5 minutes and the system will reboot one or more times. The display will show the Cisco Clean Access System Installer formatting the hard drive and installing each package.

Step 30 If a warning displays because NIC cards have been re-ordered, follow the instructions for Swap Ethernet Cables (if Necessary).


Note For CAM upgrade, the 4.0.6.1 upgrade script automatically upgrades the Clean Access Agent files inside the CAM to version 4.0.6.1.


Step 31 The system then reboots. When the system restarts, you will see the following messages:

For an upgraded Standby HA-CAM:

Starting perfigo: Starting High-Availability services:
[OK]
Please wait while bringing up service IP.
Heartbeat service is running.
Service IP is up on local node.
[OK]
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
camanager2 login:

For an upgraded Standby HA-CAS:

Starting perfigo: Starting IPSec...
click: starting router thread pid 2826 (f7576800)
Starting High-Availability services:
[OK]
[OK]
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
caserver2 login:

Step 32 At the next prompt, run the fostate command again to verify that the failover state of the machine is "My node is active, peer node is dead":

[root@<ccahostname> ~]# /perfigo/common/bin/fostate.sh
My node is active, peer node is dead

Complete the HA In-Place Upgrade

Step 33 Shut down the standby box (e.g. camanager2 or caserver2 in the example) by entering the following command via the SSH terminal:

shutdown -h now

Step 34 Power up the active box. Wait until it is running normally and connection to the web console is possible.

Step 35 Power up the standby box.


Note There will be approximately 2-5 minutes of downtime while the servers are rebooting.


Step 36 Login as the root user on the standby box and run the fostate command again to verify that the failover state of the machine is "My node is standby, peer node is active":

[root@<ccahostname> ~]# /perfigo/common/bin/fostate.sh
My node is standby, peer node is active

Note After performing 3.5(x)-to-4.0(x) migration, the very first time you log into the 4.0(x) CAM web console, the CAM will attempt an automated Cisco Update to populate the AV/AS tables in the database. A popup dialog with following message will appear:

"The system detects that it has just been upgraded to a newer version. It is now trying to connect to the Cisco server to get the checks/rules and AV/AS support list update. It might take a few minutes."

If the automated update fails (for example, due to incorrect proxy settings on your CAM), you will be prompted to perform Cisco Updates manually from Device Management > Clean Access > Clean Access Agent > Updates. A Cisco Update must be performed (whether automated or manual) before any new AV/AS rules can be configured.



Upgrading from 3.6(x)/4.0(x)—Standalone Machines

This section describes the upgrade procedure for upgrading your standalone CAM/CAS machine from release 3.6(x) or 4.0(x) to the latest 4.0(x) release. You can upgrade 3.6(x)/4.0(x) standalone machines to the latest 4.0(x) release using one of the following two methods:

1. Web Console Upgrade—Standalone Machines

2. Console/SSH Upgrade—Standalone Machines


Note If upgrading high-availability (HA) pairs of CAM or CAS servers running 3.6(x)/4.0(x), refer instead to Upgrading from 3.6(x)/4.0(x)—HA-Pairs.

If upgrading your system from 3.5(x), refer instead to In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines.



Note Review the following sections before proceeding with the upgrade instructions:

Upgrading to 4.0(x)

Settings That May Change With Upgrade

General Preparation for Upgrade


Summary of Steps for 3.6/4.0 Upgrade

The sequence of steps for standalone 3.6(x)/4.0(x) system upgrade is as follows:

1. Create CAM DB Backup Snapshot

2. Download the Upgrade File

3. Web Console Upgrade—Standalone Machines, or

4. Console/SSH Upgrade—Standalone Machines

Create CAM DB Backup Snapshot

Cisco recommends creating a manual backup snapshot of your CAM database. Backing up prior to upgrade enables you to revert to your previous database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your database. Make sure to download the snapshots to another machine for safekeeping.

Note that Cisco NAC Appliance automatically creates daily snapshots of the CAM database and preserves the most recent from the last 30 days (starting from release 3.5(3)). It also automatically creates snapshots before and after software upgrades and failover events. For upgrades and failovers, only the last 5 backup snapshots are kept. (For further details, see "Database Recovery Tool" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0.)


Note Only the CAM snapshot needs to be backed up. The snapshot contains all CAM database configuration and CAS configuration for all the Clean Access Servers added to the CAM's domain. The snapshot is a standard postgres data dump.


To create a manual backup snapshot:


Step 1 From the CAM web console, go to the Administration > Backup page.

Step 2 The Snapshot Tag Name field automatically populates with a name incorporating the current time and date (e.g. 02_08_07-14-11_snapshot). You can accept the default name or type another.

Step 3 Click Create Snapshot. The CAM generates a snapshot file and adds it to the snapshot list at the bottom of the page. The file physically resides on the CAM machine for archiving purposes. The Version field and the filename display the software version of the snapshot for convenience (e.g. 02_08_07-14-58_snapshot_VER_4_0_5.gz).

Step 4 For backup, download the snapshot to another computer by clicking the Tag Name or the Download button for the snapshot to be downloaded.

Step 5 In the file download dialog, select the Save File to disk option to save the file to your local computer.


Download the Upgrade File

For Cisco NAC Appliance upgrades from 3.6(x) or above, a single file (i.e. cca_upgrade-4.0.x.tar.gz) is downloaded to each Clean Access Manager (CAM) and Clean Access Server (CAS) installation machine. The upgrade script automatically determines whether the machine is a CAM or CAS.
For Cisco NAC Appliance minor release or patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.


Step 1 Log into Cisco Downloads (http://www.cisco.com/public/sw-center/sw-ciscosecure.shtml) and click the link for Cisco Clean Access Software.

Step 2 On the Cisco Secure Software page for Cisco Clean Access, click the link for the appropriate release. Upgrade files use the following formats (for patch upgrades, replace the .x and .y in the file name with the minor release version numbers to which you are upgrading, for example, cca_upgrade-4.0.x.tar.gz):

cca_upgrade-4.0.x.tar.gz (CAM/CAS release upgrade file)

cca-4.0.x-to-4.0.x.y-upgrade.tar.gz (CAM/CAS patch upgrade file)

cam-4.0.x-to-4.0.x.y-upgrade.tar.gz (CAM-only patch upgrade file)

cas-4.0.x-to-4.0.x.y-upgrade.tar.gz (CAS-only patch upgrade file)

Step 3 Download the file to the local computer from which you are accessing the CAM/CAS web console.


Web Console Upgrade—Standalone Machines


Note Cisco recommends you use the console/SSH upgrade procedure to upgrade from release 3.6(x) or 4.0(x) to release 4.0.6.1. See Console/SSH Upgrade—Standalone Machines.

When upgrading from 3.6(x)/4.0(x) to 4.0(4) or above, you can only perform web console upgrade on standalone (non-HA) CAM machines if they have been patched for caveat CSCsg24153. Standalone CAS machines will still need to be upgraded from 3.6(x)/4.0(x) to 4.0(4) and above using the console/SSH upgrade procedure.

If the system has not already been patched, upgrade both your machines via console/SSH. For details on Patch-CSCsg24153, download the README-CSCsg24153 file from http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches.



Warning Web upgrade is NOT supported for software upgrade of HA-CAM pairs. Upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.


With web upgrade, administrators can perform software upgrade on standalone CAS and CAM machines using the following web console interfaces:

To upgrade the CAM, go to: Administration > Clean Access Manager > System Upgrade

To upgrade the CAS go to either:

Device Management > CCA Servers > Manage [CAS_IP_address] > Misc (CAS management pages)

Or: https://<CAS_eth0_IP>/admin (CAS direct web console)

For web console upgrade, you will need your CAM web console admin user password.

If using the CAS direct access web console, you will need your CAS direct access console admin user password.


Note For web upgrade, upgrade each CAS first, then the CAM.

Release 3.6(0) or above must be installed and running on your CAM/CAS(es) before you can upgrade to release 4.0(x) via web console.

If upgrading failover pairs, refer to Upgrading from 3.6(x)/4.0(x)—HA-Pairs.

Alternatively, you can always upgrade using the instructions in Console/SSH Upgrade—Standalone Machines.


With web upgrade, the CAM and CAS automatically perform all the upgrade tasks that are done manually for console/SSH upgrade (for example, untar file, cd to /store, run upgrade script). The CAM also automatically creates snapshots before and after upgrade. When upgrading via web console only, the machine automatically reboots after the upgrade completes. The steps for web upgrade are as follows:

1. Upgrade CAS from CAS Management Pages, or

2. Upgrade CAS from CAS Direct Access Web Console, and

3. Upgrade CAM from CAM Web Console

Upgrade CAS from CAS Management Pages

You can upgrade your CAS from release 3.6(x) or above to release 4.0(x) using web upgrade via the CAS management pages as described below or if preferred, using the instructions for Upgrade CAS from CAS Direct Access Web Console.


Step 1 Create CAM DB Backup Snapshot.

Step 2 Download the Upgrade File.

Step 3 From the CAM web console, access the CAS management pages as follows:

a. Go to Device Management > CCA Servers > List of Servers

b. Click the Manage button for the CAS to upgrade. The CAS management pages appear.

c. Click the Misc tab. The Update form appears by default.

Step 4 Click Browse to locate the upgrade file you just downloaded from Cisco Downloads (e.g., cca_upgrade-4.0.x.tar.gz).

Step 5 Click the Upload button. This loads the upgrade file into the CAM's upgrade directory for this CAS and all CASes in the List of Servers. (Note that at this stage the upgrade file is not yet physically on the CAS.) The list of upgrade files on the page will display the newly-uploaded upgrade file with its date and time of upload, file name, and notes (if applicable).

Step 6 Click the Apply icon for the upgrade file, and click OK in the confirmation dialog that appears. This will start the CAS upgrade. The CAS will show a status of "Not connected" in the List of Servers during the upgrade. After the upgrade is complete, the CAS automatically reboots.


Note For web console upgrades only, the machine automatically reboots after upgrade.


Step 7 Wait 2-5 minutes for the upgrade and reboot to complete. The CAS management pages will become unavailable during the reboot, and the CAS will show a Status of "Disconnected" in the List of Servers.

Step 8 Access the CAS management pages again and click the Misc tab. The new software version and date will be listed in the Current Version field. (See also Determining the Software Version)

Step 9 Repeat steps 3, 6, 7 and 8 for each CAS managed by the CAM.



Note The format of the Upgrade Details log is: state before upgrade, upgrade process details, state after upgrade. It is normal for the "state before upgrade" to contain several warning/error messages (e.g. "INCORRECT"). The "state after upgrade" should be free of any warning or error messages.


Upgrade CAS from CAS Direct Access Web Console

You can upgrade the CAS from the CAS direct access web console using the following instructions. To upgrade the CASes from the CAM web console, see Upgrade CAS from CAS Management Pages.


Step 1 Create CAM DB Backup Snapshot.

Step 2 Download the Upgrade File.

Step 3 To access the Clean Access Server's direct access web admin console:

a. Open a web browser and type the IP address of the CAS's trusted (eth0) interface in the URL/address field, as follows: https://<CAS_eth0_IP>/admin (for example, https://172.16.1.2/admin)

b. Accept the temporary certificate and log in as user admin (default password is cisco123).

Step 4 In the CAS web console, go to Administration > Software Update.

Step 5 Click Browse to locate the upgrade file you just downloaded from Cisco Downloads (e.g., cca_upgrade-4.0.x.tar.gz).

Step 6 Click the Upload button. This loads the upgrade file to the CAS and displays it in the upgrade file list with date and time of upload, file name, and notes (if applicable).

Step 7 Click the Apply icon for the upgrade file, and click OK in the confirmation dialog that appears. This will start the CAS upgrade. The CAS will show a status of "Not connected" in the List of Servers during the upgrade. After the upgrade is complete, the CAS will automatically reboot.


Note For web console upgrades only, the machine automatically reboots after upgrade.


Step 8 Wait 2-5 minutes for the upgrade and reboot to complete. The CAS web console will become unavailable during the reboot.

Step 9 Access the CAS web console again and go to Administration > Software Update. The new software version and date will be listed in the Current Version field. (See also Determining the Software Version)

Step 10 Repeat steps 3 to 9 for each CAS managed by the CAM.



Note The format of the Upgrade Details log is: state before upgrade, upgrade process details, state after upgrade. It is normal for the "state before upgrade" to contain several warning/error messages (e.g. "INCORRECT"). The "state after upgrade" should be free of any warning or error messages.


Upgrade CAM from CAM Web Console

Upgrade your standalone CAM from the CAM web console using the following instructions.


Warning Web upgrade is NOT supported for software upgrade of HA-CAM pairs. Upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.



Step 1 Create CAM DB Backup Snapshot.

Step 2 Download the Upgrade File.

Step 3 Log into the web console of your Clean Access Manager as user admin (default password is cisco123), and go to Administration > CCA Manager > System Upgrade.

Step 4 Click Browse to locate the upgrade file you just downloaded from Cisco Downloads (e.g., cca_upgrade-4.0.x.tar.gz or cam_upgrade-4.0.x.y.tar.gz).

Step 5 Click the Upload button. This loads the upgrade file to the CAM and displays it in the upgrade file list with date and time of upload, file name, and notes (if applicable).

Step 6 Click the Apply icon for the upgrade file, and click OK in the confirmation dialog that appears. This will start the CAM upgrade. After the upgrade is complete, the CAM will automatically reboot.


Note For web console upgrades only, the machine automatically reboots after upgrade.


Step 7 Wait 2-5 minutes for the upgrade and reboot to complete. The CAM web console will become unavailable during the reboot.

Step 8 Access the CAM web console again. After login, you see the new version, "Cisco Clean Access Manager Version 4.0.x," at the top of the web console. (See also Determining the Software Version.)



Note The format of the Upgrade Details log is: state before upgrade, upgrade process details, state after upgrade. It is normal for the "state before upgrade" to contain several warning/error messages (e.g. "INCORRECT"). The "state after upgrade" should be free of any warning or error messages.


Console/SSH Upgrade—Standalone Machines

This section describes the standard console/SSH upgrade procedure when upgrading your standalone CAM/CAS from release 3.6(x) or 4.0(x) to the latest 4.0(x) release. For this procedure, you need to access the command line of the CAM or CAS machine using one of the following methods:

SSH connection

Direct console connection using KVM or keyboard/monitor connected directly to the machine

Serial console connection (e.g. HyperTerminal or SecureCRT) from an external workstation connected to the machine via serial cable


Warning Do not use SSH connection to upgrade Virtual Gateway CASes. Use direct console connection (keyboard/monitor/KVM) if upgrading Virtual Gateway Clean Access Servers. You can use serial console connection for standalone CASes only.



Note If upgrading high-availability (HA) pairs of CAM or CAS servers running 3.6(x)/4.0(x), refer instead to Upgrading from 3.6(x)/4.0(x)—HA-Pairs.

If upgrading your system from 3.5(x), refer instead to In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines.


For upgrade via console/SSH, you will need your CAM and CAS root user password.


Note The default username/password for console/SSH login on the CAM/CAS is root/cisco123.


A single file, cca_upgrade-4.0.x.tar.gz, is downloaded to each installation machine. The upgrade script automatically determines whether the machine is a Clean Access Manager (CAM) or Clean Access Server (CAS), and executes if the current system is running release 3.6(0) or above.

For patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.


Note Review the following before proceeding with the 3.6 to 4.0 console/SSH upgrade instructions:

Upgrading to 4.0(x)

Settings That May Change With Upgrade

General Preparation for Upgrade


Summary of Steps for Console/SSH Upgrade from 3.6/4.0

Steps are as follows:

1. Download the Upgrade File and Copy to CAM/CAS

2. Perform Console/SSH Upgrade on the CAM

3. Perform Console/SSH Upgrade on the CAS

Download the Upgrade File and Copy to CAM/CAS


Step 1 Create CAM DB Backup Snapshot.

Step 2 Download the Upgrade File.

Step 3 Copy the upgrade file to the Clean Access Manager and Clean Access Server(s) respectively using WinSCP, SSH File Transfer or PSCP as described below (for patch upgrades, replace the .x and .y in the file name with the minor release version numbers to which you are upgrading).

If using WinSCP or SSH File Transfer (replace .x with upgrade version number):

a. Copy cca_upgrade-4.0.x.tar.gz to the /store directory on the Clean Access Manager.

b. Copy cca_upgrade-4.0.x.tar.gz to the /store directory on each Clean Access Server.

If using PSCP (replace .x with upgrade version number):

a. Open a command prompt on your Windows computer.

b. Change directory (cd) to the path where your PSCP resides (e.g. C:\Documents and Settings\desktop).

c. Enter the following command to copy the file (replace .x with upgrade version number) to the CAM:

pscp cca_upgrade-4.0.x.tar.gz root@ipaddress_manager:/store

d. Enter the following command to copy the file (replace .x with upgrade version number) to the CAS (copy to each CAS):

pscp cca_upgrade-4.0.x.tar.gz root@ipaddress_server:/store

Perform Console/SSH Upgrade on the CAM

Step 4 Connect to the Clean Access Manager to upgrade using a console connection, PuTTY, or SSH.

a. Connect to the Clean Access Manager.

b. Log in as the root user with the root password (default password is cisco123).

c. Change directory to /store:

cd /store

d. Uncompress the downloaded file (replace .x with upgrade version number):

tar xzvf cca_upgrade-4.0.x.tar.gz 

e. Execute the upgrade process (replace .x with upgrade version number):

cd cca_upgrade-4.0.x
./UPGRADE.sh 

Note If you are upgrading from release 4.0.0-4.0.3.2 or 3.6.0-3.6.4.2 and have not previously applied Patch-CSCsg24153 to the CAM, the upgrade script prompts you to enter and verify the shared secret. (Only the first eight characters of the shared secret are used.)

For more information on the nature and workaround for Patch-CSCsg24153, see the associated table entry in Resolved Caveats - Release 4.0.3.3.


f. If necessary, enter and verify the shared secret configured on the CAM.


Note For CAM upgrade from version 3.6(x), the 4.0.6.1 upgrade script automatically upgrades the Clean Access Agent files inside the CAM to version 4.0.6.1.

For CAM upgrade from a previous version of 4.0(x), the 4.0.6.1 upgrade script prompts you to specify whether or not you want to upgrade the Clean Access Agent files inside the CAM to version 4.0.6.1.


g. When the upgrade is complete, reboot the machine:

reboot

Perform Console/SSH Upgrade on the CAS


Warning Do not use SSH connection to upgrade Virtual Gateway CASes. Use direct console connection (keyboard/monitor/KVM) if upgrading Virtual Gateway Clean Access Servers. You can use serial console connection for standalone CASes only.


Step 5 Connect to the Clean Access Server to upgrade using a console connection, PuTTY, or SSH:

a. Connect to the Clean Access Server.

b. Log in as user root with the root password (default password is cisco123).

c. Change directory to /store:

cd /store

d. Uncompress the downloaded file (replace .x with upgrade version number):

tar xzvf cca_upgrade-4.0.x.tar.gz 

e. Execute the upgrade process (replace .x with upgrade version number):

cd cca_upgrade-4.0.x
./UPGRADE.sh 


Note If you are upgrading from release 4.0.0-4.0.3.2 or 3.6.0-3.6.4.2 and have not previously applied Patch-CSCsg24153 to the CAS, the upgrade script prompts you to enter and verify both the shared secret and web console administrator password. (Only the first eight characters of the shared secret are used.)

For more information on the nature and workaround for Patch-CSCsg24153, see the associated table entry in Resolved Caveats - Release 4.0.3.3.


f. If necessary, enter and verify the shared secret and web console administrator password configured on the CAS.

g. When the upgrade is complete, reboot the machine:

reboot

h. Repeat steps a-g for each CAS managed by the CAM.


Upgrading from 3.6(x)/4.0(x)—HA-Pairs

This section describes the upgrade procedure for upgrading high-availability (HA) pairs of CAM or CAS servers from release 3.6(x) or 4.0(x) to the latest 4.0(x) release.

If you have standalone CAM/CAS servers, refer instead to Upgrading from 3.6(x)/4.0(x)—Standalone Machines.


Note Your system must be on 3.6(x)/4.0(x) to use the upgrade procedure described in this section. If your system is on 3.5(x), refer instead to the instructions in In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs.



Warning Do not use SSH connection to upgrade Virtual Gateway CASes. Use direct console connection (keyboard/monitor/KVM) if upgrading Virtual Gateway Clean Access Servers. You can use serial console connection for standalone CASes only.

If you are using serial connection for HA, do not attempt to connect serially to the CAS during the upgrade procedure. When serial connection is used for HA, serial console/login will be disabled and serial connection cannot be used for installation/upgrade.

If you are using serial connection for HA, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.



Warning Web upgrade is NOT supported for software upgrade of HA-CAM pairs. Upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.



Note Review the following before proceeding with the 3.6 to 4.0 HA upgrade instructions:

Upgrading to 4.0(x)

Settings That May Change With Upgrade

General Preparation for Upgrade


Steps for HA 3.6/4.0 Upgrade

The steps to upgrade HA 3.6(x)/4.0(x) systems are described in the following sections:

Access Web Consoles for High Availability

Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs


Note For additional details on CAS HA requirements, see also Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).


Access Web Consoles for High Availability

Determining Active and Standby CAM

Access the web console for each CAM in the HA pair by typing the IP address of each individual CAM (not the Service IP) in the URL/Address field of a web browser. You should have two browsers open. The web console for the Standby (inactive) CAM will only display the Administration module menu.


Note The CAM configured as HA-Primary may not be the currently Active CAM.


Determining Primary and Secondary CAM

In each CAM web console, go to Administration > CCA Manager > Network & Failover | High Availability Mode.

The Primary CAM is the CAM you configured as the HA-Primary when you initially set up HA.

The Secondary CAM is the CAM you configured as the HA-Secondary when you initially set up HA.


Note For releases prior to 4.0(0), the Secondary CAM is labelled as HA-Standby (CAM) for the initial HA configuration.


Determining Active and Standby CAS

From the CAM web console, go to Device Management > CCA Servers > List of Servers to view your HA-CAS pairs. The List of Servers page displays the Service IP of the CAS pair first, followed by the IP address of the Active CAS in brackets. When a secondary CAS takes over, its IP address will be listed in the brackets as the Active server.


Note The CAS configured in HA-Primary-Mode may not be the currently Active CAS.


Determining Primary and Secondary CAS

Open the direct access console for each CAS in the pair by typing the following in the URL/Address field of a web browser (you should have two browsers open):

For the Primary CAS, type: https://<primary_CAS_eth0_IP>/admin. For example, https://172.16.1.2/admin

For the Secondary CAS, type: https://<secondary_CAS_eth0_IP>/admin. For example, https://172.16.1.3/admin

In each CAS web console, go to Administration > Network Settings > Failover | Clean Access Server Mode.

The Primary CAS is the CAS you configured in HA-Primary-Mode when you initially set up HA.

The Secondary CAS is the CAS you configured in HA-Secondary-Mode when you initially set up HA.


Note For releases prior to 4.0(0), the Secondary CAS is labelled as HA-Standby Mode (CAS) for the initial HA configuration.


Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs

The following steps show the recommended way to upgrade an existing high-availability (failover) pair of Clean Access Managers or Clean Access Servers.


Caution When you upgrade a pair of HA-CAMs, ensure you use the same upgrade option for the Cisco Clean Access Agent on both the HA-Primary and HA-Standby CAM.


Warning Make sure to carefully execute the following procedure to prevent the database from getting out of sync.



Step 1 From either a console connection (keyboard/monitor/KVM) or via SSH, connect into each machine in the failover pair. Log in as the root user with the root password (default is cisco123).


Warning Do not use SSH connection to upgrade Virtual Gateway CASes. Use direct console connection (keyboard/monitor/KVM) if upgrading Virtual Gateway Clean Access Servers. You can use serial console connection for standalone CASes only.

If you are using serial connection for HA, do not attempt to connect serially to the CAS during the upgrade procedure. When serial connection is used for HA, serial console/login will be disabled and serial connection cannot be used for installation/upgrade.

If you are using serial connection for HA, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.


Step 2 Verify that the upgrade package is present in the /store directory on each machine. (Refer to Download the Upgrade File and Copy to CAM/CAS for instructions.)

Step 3 Determine which box is active, and which is in standby mode, and that both are operating normally, as follows:

a. Untar the upgrade package in the /store directory of each machine (replace the .x in the file name with the upgrade version number):

tar xzvf cca_upgrade-4.0.x.tar.gz 

b. Change directory (cd) into the created "cca_upgrade-4.0.x" directory on each machine.

c. Run the following command on each machine:

./fostate.sh 

The results should be either "My node is active, peer node is standby" or "My node is standby, peer node is active". No nodes should be dead. This should be done on both boxes, and the results should be that one box considers itself active and the other box considers itself in standby mode. Future references in these instructions that specify "active" or "standby" refer to the results of this test as performed at this time.


Note The fostate.sh command is part of the upgrade script (starting from 3.5(3)+). You can also determine which box is active or standby as follows:

Access the web console as described in Access Web Consoles for High Availability, or

SSH to the Service IP of the CAM/CAS pair, and type ifconfig eth0. The Service IP will always access the active CAM or CAS, with the other pair member acting as standby.


Step 4 Bring the box acting as the standby down by entering the following command via the console/SSH terminal:

shutdown -h now

Step 5 Wait until the standby box is completely shut down.

Step 6 Navigate to the created "cca_upgrade-4.0.x" directory on the active box.

cd cca_upgrade-4.0.x 

Step 7 Run the following command on the active box:

./fostate.sh 

Make sure this returns "My node is active, peer node is dead" before continuing.

Step 8 Perform the upgrade on the active box, as follows:

a. Make sure the upgrade package is untarred in the /store directory on the active box.

b. From the untarred upgrade directory created on the active box (for example "cca_upgrade-4.0.x"), run the upgrade script on the active box:

./UPGRADE.sh

Note If you are upgrading from release 4.0.0-4.0.3.2 or 3.6.0-3.6.4.2 and have not previously applied Patch-CSCsg24153 to the CAM, the upgrade script prompts you to enter and verify the shared secret. (Only the first eight characters of the shared secret are used.) If you are performing this upgrade on the CAS, the upgrade script prompts you to enter the web console administrator password in addition to the shared secret. (As with the CAM, only the first eight characters of the shared secret are used.)

For more information on the nature and workaround for Patch-CSCsg24153, see the associated table entry in Resolved Caveats - Release 4.0.3.3.


c. If necessary, enter and verify the shared secret configured on the CAM, or enter and verify the shared secret and web console administrator password configured on the CAS.


Note For CAM upgrade from version 3.6(x), the 4.0.6.1 upgrade script automatically upgrades the Clean Access Agent files inside the CAM to version 4.0.6.1.

For CAM upgrade from a previous version of 4.0(x), the 4.0.6.1 upgrade script prompts you to specify whether or not you want to upgrade the Clean Access Agent files inside the CAM to version 4.0.6.1.


Step 9 After the upgrade is completed, shut down the active box by entering the following command via the console/SSH terminal:

shutdown -h now

Step 10 Wait until the active box is done shutting down.

Step 11 Boot up the standby box by powering it on.

Step 12 Perform the upgrade to the standby box:

a. Make sure the upgrade package is untarred in the /store directory on the standby box.

b. Navigate to the untarred upgrade directory created on the standby box:

cd cca_upgrade-4.0.x 

c. Run the upgrade script on the standby box:

./UPGRADE.sh

Step 13 Shut down the standby box by entering the following command via the console/SSH terminal:

shutdown -h now

Step 14 Power up the active box. Wait until it is running normally and connection to the web console is possible.

Step 15 Power up the standby box.


Note There will be approximately 2-5 minutes of downtime while the servers are rebooting.
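The HA procedure above relies on reading the fostate.sh output correctly at two points: Step 3 (both nodes up, one active and one standby) and Step 7 (the active box must report "My node is active, peer node is dead" before UPGRADE.sh is run). The following wrapper, added here as an example and not part of Cisco's upgrade package, turns those two readings into fail-closed checks; it assumes FOSTATE_CMD points at the fostate.sh in the untarred upgrade directory and can be overridden for testing.

```shell
#!/bin/sh
# Added example (not Cisco's own tooling): gate the HA console/SSH upgrade
# steps on the failover state printed by fostate.sh.
#
# Assumption: FOSTATE_CMD is the fostate.sh shipped in the untarred upgrade
# directory (default ./fostate.sh). It can be overridden, e.g. with a stub.
FOSTATE_CMD="${FOSTATE_CMD:-./fostate.sh}"

# classify_fostate LINE
#   Maps one fostate.sh output line to a short token. Anything not matching
#   the three states the procedure names (including a dead peer seen from a
#   standby node) classifies as "unknown", so callers fail closed.
classify_fostate() {
    case "$1" in
        "My node is active, peer node is dead")    echo active-peer-dead ;;
        "My node is active, peer node is standby") echo active-peer-standby ;;
        "My node is standby, peer node is active") echo standby-peer-active ;;
        *)                                         echo unknown ;;
    esac
}

# current_fostate
#   Runs fostate.sh and classifies its first output line.
current_fostate() {
    line=$("$FOSTATE_CMD" 2>/dev/null | head -n 1)
    classify_fostate "$line"
}

# require_fostate EXPECTED
#   Returns 0 only if the live state equals EXPECTED; otherwise reports the
#   mismatch on stderr and returns 1.
require_fostate() {
    got=$(current_fostate)
    if [ "$got" = "$1" ]; then
        return 0
    fi
    echo "fostate check failed: expected $1, got $got" >&2
    return 1
}

# precheck_pair
#   Step 3: run on each box before shutting anything down. Passes only when
#   both nodes are up and this node is either active or standby; a dead peer
#   at this point means the pair is not healthy and the upgrade should wait.
precheck_pair() {
    got=$(current_fostate)
    case "$got" in
        active-peer-standby|standby-peer-active) return 0 ;;
        *) echo "HA pair is not healthy ($got); do not start the upgrade" >&2
           return 1 ;;
    esac
}

# upgrade_active_node DIR
#   Steps 6-8: change into the untarred upgrade directory DIR and run
#   UPGRADE.sh, but only after fostate.sh confirms "active, peer dead",
#   the condition Step 7 requires before continuing.
upgrade_active_node() {
    dir="$1"
    if [ ! -x "$dir/UPGRADE.sh" ]; then
        echo "no executable UPGRADE.sh in $dir" >&2
        return 1
    fi
    require_fostate active-peer-dead || return 1
    (cd "$dir" && ./UPGRADE.sh)
}
```

Source this file on the box, run precheck_pair on both nodes at Step 3, and call upgrade_active_node /store/cca_upgrade-4.0.x on the active box in place of Steps 6 to 8b.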



Upgrading or Installing Super Manager Software

This section describes how to upgrade or perform CD installation of the Clean Access Super Manager (Super CAM) software for release 4.0(x) on the Cisco NAC-3390 Appliance.

Upgrading NAC-3390 MANAGER (Super CAM) Software

CD Installation of Super CAM Software


Note Support for the Super CAM software was introduced in release 4.0(0) (see SMP Kernel Support for Super CAM for further details).


For additional information, refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.0.

Upgrading NAC-3390 MANAGER (Super CAM) Software

The Clean Access Super Manager software is upgraded to the latest applicable 4.0(x) release in the same way as the Clean Access Lite or Standard Manager software. The same upgrade file (e.g. cca_upgrade-4.0.x.y.tar.gz) is used.

For standalone Super CAM machines, refer to the instructions in Upgrading from 3.6(x)/4.0(x)—Standalone Machines.

For high-availability (HA) Super CAM machines, refer to the instructions in Upgrading from 3.6(x)/4.0(x)—HA-Pairs.

CD Installation of Super CAM Software

This section describes how to perform CD installation of the Super CAM software. The Super CAM requires its own ISO file (e.g. Super CAM-cca-4.0_x_y-K9.iso) for CD installation.

Download and Create the Super CAM Installation CD


Step 1 Log into Cisco Downloads and access the page for the latest applicable 4.0(x) release of the Cisco Clean Access Software from http://www.cisco.com/public/sw-center/ciscosecure/cleanaccess.shtml.

Step 2 Download the ISO file for the Super CAM (e.g. Super CAM-cca-4.0_x-K9.iso) to a local computer.

Step 3 Use a CD burning tool on your local computer to burn this ISO file as a bootable CD-ROM.

Perform Super CAM CD Installation


Note Super CAM software is only supported for the NAC-3390 MANAGER platform.


Step 4 Physically connect the Super CAM target server machine to the network. Connect a monitor and keyboard to the server, or connect to the server from a workstation with a serial cable.

Step 5 Insert the installation CD for the Super CAM software into the CD drive of the target server and restart or reboot the server.

Step 6 The Cisco Clean Access Installer Welcome Screen appears after the system restarts. At the "boot:" prompt, press Enter if connected directly to the server machine, or type serial and press Enter if connected serially to the machine:

Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.
                Welcome to the Cisco Clean Access Installer!

 - To install a Cisco Clean Access device, press the <ENTER> key.
 - To install a Cisco Clean Access device over a serial console, 
 enter serial at the boot prompt and press the <ENTER> key.
boot: 

Step 7 The Super CAM installation proceeds automatically. When done you will be prompted to perform the initial configuration of the server, which is the same procedure as for the Lite/Standard Clean Access Manager. Refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.0 or the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0 for details on performing the initial configuration.

See Determining the Software Version for tips on distinguishing Lite/Standard/Super CAM web consoles and licenses.


Troubleshooting

This section discusses the following:

Windows Vista Agent Stub Installer Error

Agent Error: "Network Error SSL Certificate Rev Failed 12057"

Creating CAM DB Snapshot

Creating CAM/CAS Support Logs

Recovering Root Password for CAM/CAS (Release 4.0(x)/3.6(x))

Recovering Root Password for CAM/CAS (Release 3.5(x) or Below)

No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM

Clean Access Agent 4.0.1.0 and IE 7.0 Beta

Clean Access Agent AV/AS Rule Troubleshooting

Enable Debug Logging on the Clean Access Agent

Troubleshooting Switch Support Issues

Troubleshooting Network Card Driver Support Issues

Other Troubleshooting Information

Windows Vista Agent Stub Installer Error

When initiating the Agent stub installer on the Windows Vista operating system, the user may encounter the following error message:

"Error 1722: There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor."

The likely cause is that remnants of a partial previous Agent stub installation are present on the client machine. The user must remove the previous partial installation before attempting to run the Agent stub installer again.

To solve the problem:


Step 1 Disable the Windows Vista UAC and restart the computer.

Step 2 In a Command Prompt window, run C:\windows\system32\CCAAgentStub.exe install.

Step 3 Launch the Agent stub installer again and choose Remove.

Step 4 Enable the Windows Vista UAC and restart the computer.

Step 5 Run the stub installer again and it should install the Windows Vista Agent successfully.


Agent Error: "Network Error SSL Certificate Rev Failed 12057"

The "Network error: SSL certificate rev failed 12057" error can occur and prevent login for Agent users in either of the following cases:

1. The client system is using IE 7 and/or Windows Vista operating system, and the certificate issued for the CAS is not properly configured with a CRL (Certificate Revocation List). Note that in IE 7, the "Check for server certificate revocation (requires restart)" checkbox is enabled by default under IE's Tools > Internet Options > Advanced | Security settings.

2. A temporary SSL certificate is being used for the CAS (i.e. issued by www.perfigo.com) AND

The user has not imported this certificate to the trusted root store, OR

The user has not disabled the "Check for server certificate revocation (requires restart)" checkbox in IE.

To resolve the error, perform the following actions:


Step 1 (Preferred) When using a CA-signed CAS SSL certificate, check the "CRL Distribution Points" field of the certificate (including intermediate or root CA), and add the URL hosts to the allowed Host Policy of the Unauthenticated/Temporary/Quarantine Roles. This will allow the Agent to fetch the CRLs when logging in.

Step 2 Or, if continuing to use temporary certificates for the CAS (i.e. issued by www.perfigo.com), the user will need to perform ONE of the following actions:

a. Upgrade Agent to 4.0.4.0.

b. Import the certificate to the client system's trusted root store.

c. Disable the "Check for server certificate revocation (requires restart)" checkbox under IE's Tools > Internet Options > Advanced | Security settings.



Note The 4.0.4.0 Agent handles the 12057 error and displays a standard Windows IE dialog that identifies the revocation error and asks the user for permission to continue with the login process.

This error message automatically populates the IP address/domain name of the CAS that is on the certificate generated for the CAS. The administrator can confirm this address/domain name by viewing settings in Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs | "Current SSL Certificate Domain:" (For test setups, this is typically the eth0 (trusted) IP address of the CAS.)
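To carry out Step 1 without reading the certificate by hand, the following PowerShell function (an added example, not Cisco tooling) lists the hosts named in the CRL Distribution Points extension of each certificate in the CAS chain; those are the hosts to add to the allowed Host Policy of the Unauthenticated/Temporary/Quarantine roles. It assumes Windows PowerShell (the extension text comes from CryptoAPI formatting) and that the leaf, intermediate and root certificates have been exported as DER or Base64 .cer files; the file paths in the usage line are placeholders.

```powershell
# Added example, not Cisco's code. Lists the hosts an Agent must reach to
# fetch CRLs for a CAS certificate chain, i.e. the hosts to allow in the
# Unauthenticated/Temporary/Quarantine role Host Policy.
# Assumes Windows PowerShell (X509Extension.Format() uses CryptoAPI text
# output there) and certificates exported as DER or Base64 .cer files.
function Get-CrlDistributionHost {
    param(
        # Leaf CAS certificate plus any intermediate and root CA files.
        [Parameter(Mandatory)][string[]]$CertPath
    )
    $hosts = @()
    foreach ($path in $CertPath) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
        # 2.5.29.31 is the id-ce-cRLDistributionPoints extension OID.
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $ext) {
            # A certificate without CRL DP (e.g. a temporary www.perfigo.com one)
            # gives IE's revocation check nothing to fetch; see case 2 above.
            Write-Warning "$($cert.Subject): no CRL Distribution Points extension"
            continue
        }
        # Format($true) renders lines such as "URL=http://crl.example.test/ca.crl".
        $text = $ext.Format($true)
        foreach ($m in [regex]::Matches($text, 'URL=(\S+)')) {
            $uri = [uri]$m.Groups[1].Value
            $hosts += [pscustomobject]@{
                Subject = $cert.Subject
                Host    = $uri.Host
                Url     = $uri.AbsoluteUri
            }
        }
    }
    $hosts | Sort-Object Host, Url -Unique
}

# Usage (paths are placeholders):
# Get-CrlDistributionHost -CertPath 'C:\certs\cas.cer','C:\certs\intermediate.cer','C:\certs\root.cer' |
#     Format-Table Host, Url, Subject -AutoSize
```

Every Host value returned, for every certificate in the chain, must be reachable from the pre-authentication roles, or the Agent login fails with the 12057 error even though the CAS certificate itself is valid.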


Creating CAM DB Snapshot

See the instructions in Create CAM DB Backup Snapshot for details.

Creating CAM/CAS Support Logs

The Support Logs web console pages for the CAM and CAS allow administrators to combine a variety of system logs (such as information on open files, open handles, and packages) into one tarball that can be sent to TAC to be included in the support case. Administrators should download the CAM and CAS support logs from the CAM and CAS web consoles respectively and include them with their customer support request, as follows:

CAM web console: Administration > CCA Manager > Support Logs

CAS direct access console (https://<CAS_eth0_IP>/admin): Monitoring > Support Logs


Note CAS-specific support logs are obtained from the CAS direct console only.

For releases 3.6(0)/3.6(1) and 3.5(3)+, the support logs for the CAS are accessed from: Device Management > CCA Servers > Manage [CAS_IP_address] > Misc > Support Logs

For releases prior to 3.5(3), contact TAC for assistance on manually creating the support logs.


Recovering Root Password for CAM/CAS (Release 4.0(x)/3.6(x))

Use the following procedure to recover the root password for a 4.0/3.6 CAM or CAS machine. The following password recovery instructions assume that you are connected to the CAM/CAS via a keyboard and monitor (i.e. console or KVM console, NOT a serial console).

1. Power up the machine.

2. When you see the boot loader screen with the "Press any key to enter the menu..." message, press any key.

3. You will be at the GRUB menu with one item in the list "Cisco Clean Access (2.6.11-perfigo)." Press e to edit.

4. You will see multiple choices as follows:

root (hd0,0)
kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 console=ttyS0,9600n8
initrd /initrd-2.6.11-perfigo.img

5. Scroll to the second entry (line starting with "kernel...") and press e to edit the line.

6. Delete the line console=ttyS0,9600n8, add the word single to the end of the line, then press Enter. The line should appear as follows:

kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 single

7. Next, press b to boot the machine in single user mode. You should be presented with a root shell prompt after boot-up (note that you will not be prompted for password).

8. At the prompt, type passwd, press Enter and follow the instructions.

9. After the password is changed, type reboot to reboot the box.

Recovering Root Password for CAM/CAS (Release 3.5(x) or Below)

To recover the root password for CAM/CAS on release 3.5(x), you can use the Linux procedure to boot to single user mode and change the root password:

1. Connect to the CAM/CAS machine via console.

2. Power cycle the machine.

3. After power-cycling, the GUI mode displays. Press Ctrl-x to switch to text mode. This displays a "boot:" prompt.

4. At the prompt type: linux single. This boots the machine into single user mode.

5. Type: passwd.

6. Change the password.

7. Reboot the machine using the reboot command.

No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM

Clean Access Server is not properly configured, please report to your administrator

Clean Access Server could not establish a secure connection to the Clean Access Manager at <IP/domain>

Clean Access Server is not properly configured, please report to your administrator

A login page must be added and present in the system in order for both web login and Clean Access Agent users to authenticate. If a default login page is not present, Clean Access Agent users will see the following error dialog when attempting login:

Clean Access Server is not properly configured, please report to your administrator

To resolve this issue, add a default login page on the CAM under Administration > User Pages > Login Page > Add.

Clean Access Server could not establish a secure connection to the Clean Access Manager at <IP/domain>

The following client connection errors can occur if the CAS does not trust the certificate of the CAM, or vice-versa:

No redirect after web login—users continue to see the login page after entering user credentials.

Agent users attempting login get the following error:

Clean Access Server could not establish a secure connection to the Clean Access Manager at <IPaddress or domain>

These errors typically indicate one of the following certificate-related issues:

The time difference between the CAM and CAS is greater than 5 minutes.

Invalid IP address

Invalid domain name

CAM is unreachable

To identify common issues:

1. Check the CAM's certificate and verify it has not been generated with the IP address of the CAS:
(under Administration > CCA Manager > SSL Certificate > Export CSR/Private Key/Certificate | Currently Installed Certificate | Details)

2. Check the time set on the CAM and CAS. The time set on the CAM and the CAS must be 5 minutes apart or less:
(under Administration > CCA Manager > System Time, and
Device Management > CCA Servers > Manage [CAS_IP] > Misc > Time)

To resolve these issues:

1. Set the time on the CAM and CAS correctly first.

2. Regenerate the certificate on the CAS using the correct IP address or domain.

3. Reboot the CAS.

4. Regenerate the certificate on the CAM using the correct IP address or domain.

5. Reboot the CAM.

Clean Access Agent 4.0.1.0 and IE 7.0 Beta

Internet Explorer 7.0 Beta 2 is not supported when using version 4.0.1.0 or below of Clean Access Agent. The Agent will not be able to log in and perform other operations if the user has IE 7.0 installed.

Problem   User sees "Invalid parameter: 87" error from the Windows API.

Solution   Uninstall IE 7.0 Beta 2.

See also ActiveX/Java Applet and Browser Compatibility.


Note IE 7.0 is supported with version 4.0.4.0+ of the Clean Access Agent. IE 7.0 Beta 3 is supported with version 4.0.2.0+ of the Agent. See Clean Access Agent Version Summary.


Clean Access Agent AV/AS Rule Troubleshooting

When troubleshooting AV/AS Rules:

View administrator reports for the Clean Access Agent from Device Management > Clean Access > Clean Access Agent > Reports (see Clean Access Agent Versioning)

Or, to view information from the client right-click the Agent taskbar icon and select Properties.

When troubleshooting AV/AS Rules, please provide the following information:

1. Version of CAS, CAM, and Clean Access Agent (see Determining the Software Version).

2. Version of client OS (e.g. Windows XP SP2)

3. Version of Cisco Updates ruleset (see Cisco Clean Access Updates Versioning)

4. Product name and version of AV/AS software from the Add/Remove Program dialog box

5. What is failing—AV/AS installation check or AV/AS update checks? What is the error message?

6. What is the current value of the AV/AS def date/version on the failing client machine?

7. What is the corresponding value of the AV/AS def date/version being checked for on the CAM? (see Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info)

8. If necessary, provide Agent debug logs as described in Enable Debug Logging on the Clean Access Agent.

9. If necessary, provide CAM support logs as described in Creating CAM/CAS Support Logs.

Enable Debug Logging on the Clean Access Agent


Note For Agent 4.0.0.0 and above (and 3.6.1.0 and above):

The registry key path changes from HKEY_LOCAL_MACHINE\Software\Cisco\Clean Access Agent\ to HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\.

The event.log path changes from the installation directory (e.g. C:\Program Files\Cisco Systems\Clean Access Agent\event.log) to the user's home directory (e.g. C:\Documents and Settings\<username>\Application Data\CiscoCAA\event.log)


You can enable debug logging on the Clean Access Agent by adding a registry value on the client in HKCU\Software\Cisco\Clean Access Agent\LogLevel with value "debug."

The event log will be created in the directory <user home directory>\Application Data\CiscoCAA\. You can copy this event log to include it in a customer support case.

Generate Windows Agent Debug Log


Note For Windows Agents, the event log is created in the directory %APPDATA%\CiscoCAA, where %APPDATA% is the Windows environment variable.

For most Windows OSes, the Agent event log is found in <user home directory>\Application Data\CiscoCAA\

For Windows Vista only, the Agent event log is found in C:\Users\{UserName}\AppData\Roaming\CiscoCAA\


1. Exit the Clean Access Agent on the client by right-clicking the taskbar icon and selecting Exit.

2. Edit the registry of the client by going to Start > Run and typing regedit in the Open: field of the Run dialog. The Registry Editor opens.

3. In the Registry Editor, navigate to HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\


Note For 3.6.0.0/3.6.0.1 and 3.5.10 and below, this is HKEY_LOCAL_MACHINE\Software\Cisco\Clean Access Agent\


4. If "LogLevel" is not already present under the key, go to Edit > New > String Value and add a String to the Clean Access Agent key called LogLevel.

5. Right-click LogLevel and select Modify. The Edit String dialog appears.

6. Type debug in the Value data field and click OK (this sets the value of the LogLevel string to "debug").

7. Restart the Clean Access Agent by double-clicking the desktop shortcut.

8. Log in to the Clean Access Agent again.

9. When a requirement fails, click the Cancel button in the Clean Access Agent.

10. Take the resulting "event.log" file from the home directory of the current user (e.g. C:\Documents and Settings\<username>\Application Data\CiscoCAA\event.log) and send it to TAC customer support, for example:

a. Open Start > Run

b. In the Open: field, type: %APPDATA%/CiscoCAA

c. You will find event.log file there.

11. When done, make sure to remove the newly added "LogLevel" string from the client registry by opening the Registry Editor, navigating to HKEY_CURRENT_USER\Software\Cisco\Clean Access Agent\, right-clicking LogLevel, and selecting Delete.


Note For 3.6.0.0/3.6.0.1 and 3.5.10 and below, the event.log file is located in the Agent installation directory (e.g. C:\Program Files\Cisco Systems\Clean Access Agent\).

For 3.5.0 and below, the Agent installation directory is C:\Program Files\Cisco\Clean Access\.
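The registry and log-file steps of the procedure above, scripted as an added PowerShell example (not Cisco tooling) so the debug setting is applied, the log collected, and the setting removed again consistently. The function names are assumptions; the key path, value name, value and log location are the ones the procedure gives, and the -LegacyAgent switch selects the HKEY_LOCAL_MACHINE key and install-directory log used by 3.6.0.0/3.6.0.1 and 3.5.10 and below.

```powershell
# Added example, not Cisco's code. Wraps the manual regedit steps:
# set LogLevel=debug, collect event.log, then remove LogLevel again.
# Run as the logged-in user (HKCU) with the Agent exited (step 1), and
# restart the Agent afterwards (step 7).
function Get-AgentRegistryPath {
    param([switch]$LegacyAgent)
    # 4.0.0.0+/3.6.1.0+ use HKCU; 3.6.0.0/3.6.0.1 and 3.5.10 and below use HKLM.
    if ($LegacyAgent) { 'HKLM:\Software\Cisco\Clean Access Agent' }
    else              { 'HKCU:\Software\Cisco\Clean Access Agent' }
}

function Enable-AgentDebugLog {
    param([switch]$LegacyAgent)
    $key = Get-AgentRegistryPath -LegacyAgent:$LegacyAgent
    if (-not (Test-Path $key)) { throw "Agent key $key not found; is the Agent installed?" }
    # Creates the LogLevel string if missing, or overwrites it (steps 4-6).
    New-ItemProperty -Path $key -Name 'LogLevel' -Value 'debug' -PropertyType String -Force | Out-Null
    # Read back so the caller can confirm the value is exactly "debug".
    (Get-ItemProperty -Path $key -Name 'LogLevel').LogLevel
}

function Disable-AgentDebugLog {
    param([switch]$LegacyAgent)
    $key = Get-AgentRegistryPath -LegacyAgent:$LegacyAgent
    # Step 11: leave no debug setting behind on the client.
    Remove-ItemProperty -Path $key -Name 'LogLevel' -ErrorAction SilentlyContinue
}

function Copy-AgentEventLog {
    param(
        # Folder in which to stage the log for the TAC case.
        [Parameter(Mandatory)][string]$Destination,
        # Install directory for legacy Agents; 3.5.0 and below use C:\Program Files\Cisco\Clean Access\.
        [string]$AgentInstallDir = 'C:\Program Files\Cisco Systems\Clean Access Agent',
        [switch]$LegacyAgent
    )
    # 4.0.0.0+: %APPDATA%\CiscoCAA\event.log (step 10); legacy: install directory.
    $log = if ($LegacyAgent) { Join-Path $AgentInstallDir 'event.log' }
           else              { Join-Path $env:APPDATA 'CiscoCAA\event.log' }
    if (-not (Test-Path $log)) { throw "No event.log at $log; reproduce the failure first (steps 8-9)." }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $target = Join-Path $Destination "$env:COMPUTERNAME-$env:USERNAME-event-$stamp.log"
    Copy-Item -Path $log -Destination $target
    $target
}

# Usage (destination is a placeholder):
# Enable-AgentDebugLog            # then restart the Agent, log in, reproduce, click Cancel
# Copy-AgentEventLog -Destination 'C:\tac-case'
# Disable-AgentDebugLog
```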


Troubleshooting Switch Support Issues

To troubleshoot switch issues, see Switch Support for Cisco NAC Appliance.

Troubleshooting Network Card Driver Support Issues

For network card driver troubleshooting, see Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).

Other Troubleshooting Information

For general troubleshooting tips, see the following Technical Support webpage:

http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

Documentation Updates

Table 29 Updates to Release Notes for NAC Appliance, Release 4.0(x)

Date        Description

1/30/08     Applied new template and updated trademark information

1/11/08     Added caveat CSCsi97216 to Open Caveats - Release 4.0.6.1

10/4/07     Updates for Clean Access Agent version 4.0.6.2 release:
              Added Clean Access Agent (4.0.6.2) to section Enhancements in Release 4.0.6.1
              Updated Clean Access Supported AV/AS Product List
              Updated Supported AV/AS Product List Version Summary
              Updated Clean Access Agent Version Summary
              Updated Open Caveats - Release 4.0.6.1
              Added Resolved Caveats - Agent Version 4.0.6.2

9/11/07     Added Known Issue with NAT/PAT Devices and L3 Deployments.

8/30/07     Updates for release 4.0.6.1:
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0.6.1
              Added Clean Access Supported AV/AS Product List
              Updated Supported AV/AS Product List Version Summary
              Updated Clean Access Agent Version Summary
              Updated Open Caveats - Release 4.0.6.1
              Added Resolved Caveats - Release 4.0.6.1

8/15/07     Updated Supported AV/AS Product List Version Summary (added AS product: Webroot Spy Sweeper Enterprise Client 3.x)

8/14/07     Updates for CAM/CAS release 4.0(6):
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0(6)
              Added Clean Access Supported AV/AS Product List
              Updated Supported AV/AS Product List Version Summary
              Updated Clean Access Agent Version Summary
              Updated Open Caveats - Release 4.0(6)
              Added Resolved Caveats - Release 4.0(6)
              Updated Known Issues for Cisco NAC Appliance

7/30/07     Added caveat CSCsj84398 to Open Caveats

7/6/07      Added notes and other call-outs for "HA BIOS Redirection" write-up

6/20/07     Updated caveat CSCsi26567 to Open Caveats

5/10/07     Added Clean Access Agent (4.0.5.1) to section Enhancements in Release 4.0(5)
            Updated the following sections for the Clean Access Agent 4.0.5.1:
              Software Compatibility Matrixes
              Clean Access Supported AV/AS Product List
              Clean Access Agent Version Summary
              Open Caveats - Release 4.0.5.1
              Resolved Caveats - Agent Version 4.0.5.1

4/26/07     Added Caveat CSCsg98960 to Open Caveats

4/24/07     Added Caveat CSCsi23228 to Open Caveats

4/13/07     Updated Clean Access Supported AV/AS Product List charts for Version 58 (see Table 10)
            Updated Create CAM DB Backup Snapshot

3/30/07     Added NAC-3310 Required BIOS/Firmware Upgrade
            Added Known Issues with HP ProLiant DL140 G3 Servers
            Updated Obtaining Documentation, Obtaining Support, and Security Guidelines boilerplate

3/19/07     Moved Caveat CSCsi07595 to Open Caveats

3/9/07      Added Caveat CSCsi07595 to address the DST 2007 fix

3/2/07      Corrected Version 55 entries in Supported AV/AS Product List Version Summary

3/2/07      Updates for Clean Access Agent 4.0.5.0:
              Updated Software Compatibility Matrixes
              Added Clean Access Agent (4.0.5.0) to section Enhancements in Release 4.0(5)
              Added Supported AV/AS Product List Enhancements
              Updated charts in Clean Access Supported AV/AS Product List
              Updated Clean Access Agent Version Summary
              Updated Resolved Caveats - Release 4.0(5) (for CSCsh40166)

2/12/07     Added CSCsh60391 to Resolved Caveats - Release 4.0(5)

2/8/07      Updates for CAM/CAS release 4.0(5):
              Updated Software Compatibility Matrixes
              Modified Release 4.0(x) CAM/CAS Upgrade Compatibility Matrix
              Added Enhancements in Release 4.0(5)
              Updated Supported AV/AS Product List Version Summary
              Updated Open Caveats - Release 4.0(5)
              Added Resolved Caveats - Release 4.0(5)
              Updated Upgrading to 4.0(x)
              Updated Upgrading or Installing Super Manager Software

2/6/07      Updated AV/AS Agent support caveat CSCsh51053. Added caveat CSCsh67387 to Open Caveats

2/1/07      Added NAC-3310 system software from CD-ROM installation note to Enhancements in Release 4.0(5)

1/11/07     Added caveat CSCsh39119 to Open Caveats - Release 4.0(4)

1/5/07      Updated Software Compatibility Matrixes (footnotes)
            Updated Clean Access Agent Version Summary (4.0.4.0 and 4.0.2.0)
            Updated Open Caveats - Release 4.0(4) (removed CSCsf16537)
            Moved CSCsh15238 to Resolved Caveats - Release 4.0(4)
            Various updates to Upgrading to 4.0(x) subsections
            Added additional note to Notes on 4.0(x) Upgrade.
            Updated In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs
            Updated Determine Active and Standby Machines
            Updated preface notes for Web Console Upgrade—Standalone Machines

12/28/06    Updates for CAM/CAS release 4.0(4):
              Updated Software Compatibility Matrixes
              Added New Features and Enhancements in Release 4.0(4)
              Updated Clean Access AV Support Chart (Windows Vista/XP/2000)
              Updated Clean Access AS Support Chart (Windows Vista/XP/2000)
              Updated Clean Access Agent Version Summary
              Updated Open Caveats - Release 4.0(4)
              Added Resolved Caveats - Release 4.0(4)
              Added Agent Error: "Network Error SSL Certificate Rev Failed 12057" to Troubleshooting section

12/1/06     Republished to fix PDF generation problem on CDC/CCO.

11/22/06    Updates for NAC-3300-only release 4.0.3.3:
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0.3.3
              Updated Open Caveats - Release 4.0.3.3
              Added Resolved Caveats - Release 4.0.3.3
            Also:
              Updated Hardware Supported section
              Moved section Current Supported Components Required for Super CAM
              Removed section "CCA Admin Console System Requirements"

11/14/06    Updates for Patch-CSCsg24153 (applies only to releases 4.0.0-4.0.3.2 and 3.6.0-3.6.4.2):
              Added caveat CSCsg24153 to Open Caveats - Release 4.0.3.2

10/24/06    Updates for Clean Access Agent 4.0.2.1:
              Updated Software Compatibility Matrixes
              Added Clean Access Agent (4.0.2.1)
              Updated Clean Access Agent Version Summary
              Added caveat CSCsg37846 to Resolved Caveats - Release 4.0.3.2
            Also:
              Added System Requirements section
              Added caveats CSCsg38702 and CSCse86581 (Trend AV on Japanese Windows XP/2000) to Open Caveats
              Added related footnote for Trend AV products (Table 7)
              Added footnote for Symantec Enterprise AV products (Table 7 and Table 8)
              Added CAM Disable Serial Login to 4.0(1) enhancement list.

9/19/06     Updates for CAM patch release 4.0.3.2:
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0.3.2
              Updated Open Caveats - Release 4.0.3.2
              Added Resolved Caveats - Release 4.0.3.2
            Also:
              Updated VPN Components Supported for Single Sign-On (SSO)
              Updated Cisco NAC Appliance Service Contract/Licensing Support section

9/11/06     Updated:
              Enhancements in Release 4.0.3.1 description
              Clean Access Agent Versioning (minor updates)
              Resolved Caveats - Release 4.0.3.1 (minor updates)
              Legacy Perfigo License Keys description
              Warnings re: not using SSH to upgrade VGW CASs throughout section Upgrading to 4.0(x)

8/30/06     Updates for CAM/CAS patch release 4.0.3.1:
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0.3.1
              Updated Clean Access Agent (4.0.2.0)
              Updated Clean Access Agent Version Summary
              Added Resolved Caveats - Release 4.0.3.1

8/29/06     Updates for CAM/CAS patch release 4.0.2.2 and 4.0.0.1:
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0.2.2
              Added Enhancements in Release 4.0.0.1
              Updated Clean Access Agent (4.0.2.0)
              Updated Clean Access Agent Version Summary
              Added Resolved Caveats - Release 4.0.2.2
              Added Resolved Caveats - Release 4.0.0.1
            Also, updated description for Client OS Detection Signature Lookup

8/28/06     Updates for CAM/CAS release 4.0(3):
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0(3)
              Updated Clean Access Agent Version Summary
              Minor updates to Clean Access Supported AV/AS Product List
              Updated Open Caveats - Release 4.0(3)
              Added Resolved Caveats - Release 4.0(3)
              Minor updates to Upgrading to 4.0(x)
            Also:
              Added Recovering Root Password for CAM/CAS (Release 4.0(x)/3.6(x))
              Updated Cisco NAC Appliance Service Contract/Licensing Support
              Updated general Cisco support boilerplate

8/8/06      Various text edits to upgrade section

8/7/06      Updates for CAM patch release 4.0.2.1:
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0.2.1
              Added Cisco Pre-Configured Rules ("pr_")
              Minor updates to Clean Access Supported AV/AS Product List
              Updated Open Caveats - Release 4.0.2.1
              Added Resolved Caveats - Release 4.0.2.1
              Minor updates to Upgrading to 4.0(x)

8/7/06      Updated all switch support information to point to Switch Support for Cisco NAC Appliance
            Updated information for caveat CSCsd74376
            Added Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
            Added Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
            Updated Settings That May Change With Upgrade (for BCM and WLC)
            Updated Troubleshooting

7/28/06     Updates for CAM/CAS release 4.0(2):
              Updated Software Compatibility Matrixes
              Added Enhancements in Release 4.0(2)
              Updated Open Caveats - Release 4.0(2)
              Added Resolved Caveats - Release 4.0(2)
              Updated Upgrading to 4.0(x)

7/26/06     Warnings added for 4.0.1 upgrade issue
            Fixed typo (Enhancements for Windows XP Media Center Edition/Tablet PC)

7/25/06     Updates for CAM/CAS release 4.0(1):
              Updated Software Compatibility Matrixes
              Added Table 4, "3750 Service Modules for 2800/3800 ISR Supported by Cisco NAC Appliance Out-of-Band (OOB)" (now moved to Switch Support for Cisco NAC Appliance)
              Added New Features and Enhancements in Release 4.0(1)
              Updated Open Caveats - Release 4.0(1)
              Added Resolved Caveats - Release 4.0(1)
              Updated Clean Access AV Support Chart (Windows Vista/XP/2000)
              Updated Clean Access Agent Version Summary
              Updated Upgrading to 4.0(x)

7/10/06     Updates for release of 4.0.0.1 Agent (6/28/06):
              Updated Software Compatibility Matrixes
              Updated Clean Access Agent Version Summary
              Updated Resolved Caveats - Release 4.0(0) (CSCse64395 and CSCse53459)
              Updates to "Current Supported Components Required for Super CAM"

6/27/06     Added information for Super CAM: "Current Supported Components Required for Super CAM", and Upgrading or Installing Super Manager Software
            Software Compatibility - updates for 4000/4500 and 6000/6500

6/22/06     Updated Clean Access Supported AV/AS Product List summary
            Added CSCse60519 to Table 12

6/21/06     Updated charts for Clean Access Supported AV/AS Product List

6/16/06     Added footnote 3 to Table 3 on page 4 (for 2950)
            Added OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
            Updated Table 7 for Grisoft AVG Anti-Virus 7.0.x/7.1.x
            Updated Table 12 for CSCeh96620

6/12/06     Corrected Table 28 (removed CSCei38858)

6/9/06      Added CSCei38858 to Table 12
            Added new troubleshooting section: Creating CAM DB Snapshot
            Version updated to 39 for AV/AS support charts

6/8/06      Added in-place upgrade footnote to Table 3
            Added "Windows 2003 SP1 Standard" to Table 5
            Updated notes for ActiveX/Java Applet and Browser Compatibility
            Added Authentication Cache Timeout enhancement description
            Various text corrections for Caveats and in-place upgrade instructions

6/7/06      4.0(0) Release


Related Documentation

For the latest updates to Cisco NAC Appliance (Cisco Clean Access) documentation on Cisco.com see:

http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

or simply http://www.cisco.com/go/cca

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.0

Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.0

Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.0

Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)

Switch Support for Cisco NAC Appliance

Cisco NAC Appliance Service Contract/Licensing Support

Obtaining Documentation, Obtaining Support, and Security Guidelines

For information on obtaining technical support, refer to the "Obtaining Technical Assistance" section of the monthly What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, at http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.