Table Of Contents
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3)
Cisco NAC Appliance Service Contract/Licensing Support
System and Hardware Requirements
Release 4.1(3) and Cisco NAC Profiler
Important Installation Information for NAC-3310
Additional Hardware Support Information
Supported Switches for Cisco NAC Appliance
VPN and Wireless Components Supported for Single Sign-On (SSO)
Software Compatibility Matrixes
Release 4.1(3) Compatibility Matrix
Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix
Release 4.1(3) Clean Access Agent Upgrade Compatibility Matrix
Determining the Software Version
Clean Access Manager (CAM) Version
Clean Access Server (CAS) Version
Cisco NAC Appliance Agents Versioning
Cisco Clean Access Updates Versioning
Enhancements in Release 4.1.3.2
Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.2)
Enhancements in Release 4.1.3.1
Enhancements in Release 4.1(3)
Support for Clients with Multiple Active NICs
Clean Access Server HA Heartbeat Link Enhancement
Clean Access Manager HA Configuration and Heartbeat Link Enhancements
Guest User Login and Registration Enhancements
LDAP Authentication Enhancement
Clean Access Server and WSUS Interaction Enhancement
Agent Restricted User Access Enhancement
Device Filter List Display and Import/Export Enhancement
Agent Report Information Display and Export Enhancement
Syslog Configuration Enhancement
Debug Log Download Enhancement
ARP Broadcast Packet Handling Improvement
Clean Access Server HA ARP Broadcast Enhancement
Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
Clean Access Agent Auto Remediation
64-bit Windows Operating System Agent Support
Supported AV/AS Product List Enhancements (Version 67)
Access to Authentication VLAN Change Detection Enhancement
SNMP Inform Notification Enhancement
SNMP "MAC Move Notification" Switch Port Configuration Support
Cisco NAC Appliance Agent Enhancements
Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.0)
Windows Clean Access Agent Enhancements
Windows Clean Access Agent Version 4.1.3.2
Windows Clean Access Agent Version 4.1.3.1
Windows Clean Access Agent Version 4.1.3.0
Mac OS X Clean Access Agent Enhancements
Mac OS X Clean Access Agent Version 4.1.3.1
Mac OS X Clean Access Agent Version 4.1.3.0
Cisco NAC Web Agent Enhancements
Cisco NAC Web Agent Version 4.1.3.10
Cisco NAC Web Agent Version 4.1.3.9
Clean Access Supported AV/AS Product List
Clean Access AV Support Chart (Windows Vista/XP/2000)
Clean Access AV Support Chart (Windows ME/98)
Clean Access AS Support Chart (Windows Vista/XP/2000)
Supported AV/AS Product List Version Summary
Resolved Caveats - Windows Clean Access Agent 4.1.3.2
Resolved Caveats - Mac OS X Agent 4.1.3.1
Resolved Caveats - Release 4.1.3.1
Resolved Caveats - Cisco NAC Web Agent 4.1.3.10
Resolved Caveats - Windows Clean Access Agent 4.1.3.1
Resolved Caveats - Release 4.1(3)
Known Issues for Cisco NAC Appliance
Known Issues with HP ProLiant DL140 G3 Servers
Known Issue with NAC-3310 CD Installation
Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection
Known Issues with Cisco NAC Profiler Release 2.1.7
Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
Known Issues for Windows Vista and Agent Stub
Use "No UI" or "Reduced UI" Installation Option
"Interactive Services Dialog Detection" and Uninstall
Known Issues with MSI Agent Installer
Known Issue with Windows 2000 Clean Access Agent/Local DB Authentication
Known Issue with Windows 98/ME/2000 and Windows Script 5.6
New Installation of Release 4.1(3)
Settings That May Change With Upgrade
General Preparation for Upgrade
Upgrading from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+—Standalone Machines
Web Console Upgrade—Standalone Machines
Console/SSH Upgrade—Standalone Machines
Upgrading from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+—HA Pairs
Access Web Consoles for High Availability
Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs
Vista/IE 7 Certificate Revocation List
Windows Vista Agent Stub Installer Error
Agent Stub Upgrade and Uninstall Error
Clean Access Agent AV/AS Rule Troubleshooting
Generating Windows Installer Log Files for Agent Stub
Debug Logging for Cisco NAC Appliance Agents
Generate Windows Agent Debug Log
Generate Mac OS X Agent Debug Log
Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
Troubleshooting Switch Support Issues
Troubleshooting Network Card Driver Support Issues
Other Troubleshooting Information
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3)
Revised: June 24, 2008, OL-14508-01
Contents
These release notes provide late-breaking and release information for Cisco® NAC Appliance, formerly known as Cisco Clean Access (CCA), release 4.1(3). This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.
• Cisco NAC Appliance Service Contract/Licensing Support
• System and Hardware Requirements
• Clean Access Supported AV/AS Product List
• Known Issues for Cisco NAC Appliance
• New Installation of Release 4.1(3)
• Obtaining Documentation and Submitting a Service Request
Cisco NAC Appliance Releases
Note
Any ED release of software should be utilized first in a test network before being deployed in a production network.
Cisco NAC Appliance Service Contract/Licensing Support
For complete details on service contract support, new licenses, evaluation licenses, legacy licenses and RMA, refer to the Cisco NAC Appliance Service Contract / Licensing Support.
System and Hardware Requirements
This section describes the following:
• Supported Switches for Cisco NAC Appliance
• VPN and Wireless Components Supported for Single Sign-On (SSO)
System Requirements
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for system requirement information for the Clean Access Manager (CAM), Clean Access Server (CAS), and Cisco NAC Appliance Agents.
Hardware Supported
This section describes the following:
• Important Installation Information for NAC-3310
• Additional Hardware Support Information
Cisco NAC Network Module
Release 4.1(3) supports the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs). The Cisco NAC Network Module for Integrated Services Routers supports the same software features as the Clean Access Server on a NAC Appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another.
For hardware installation instructions (how to install the NAC network module in an Integrated Service Router), refer to the following sections of the Cisco Network Modules Hardware Installation Guide.
• Installing Cisco Network Modules in Cisco Access Routers
• Connecting Cisco Network Admission Control Network Modules
For software installation instructions (how to install the Clean Access Server software on the NAC network module) refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers.
Note
If introducing the Cisco NAC network module to an existing Cisco NAC Appliance network, you must upgrade all CAM/CAS appliances to release 4.1(2) or later for compatibility.
While upgrading to release 4.1(3) and later is not required to support Cisco NAC network modules, if you are supporting 64-bit Windows Vista client systems, you must upgrade to release 4.1.2.1 or later.
NAC-3300 Series Appliances
Release 4.1(3) supports Cisco NAC Appliance 3300 Series platforms.
Customers have the option to upgrade NAC-3310, NAC-3350, or NAC-3390 MANAGER and SERVER appliances to release 4.1(3) using a single upgrade file, cca_upgrade-4.1.3.x.tar.gz.
CD installation of release 4.1(3) is also supported:
• For NAC-3310 and NAC-3350, the cca-4.1_3-K9.iso file is required for new CD installation of the Clean Access Server or Clean Access Manager.
Note
The NAC-3310 appliance requires special installation directives, as well as a firmware upgrade. Refer to Important Installation Information for NAC-3310 for details.
• For NAC-3390, a separate ISO file, supercam-cca-4.1_3-K9.iso, is required for CD installation of the Clean Access Super Manager.
Note
Super CAM software is supported only on the NAC-3390 platform.
Release 4.1(3) and Cisco NAC Profiler
Release 4.1(3) includes the Cisco NAC Profiler Collector component that resides on Clean Access Server installations.
Refer to the Release Notes for Cisco NAC Profiler for updated product information.
See also Known Issues with Cisco NAC Profiler Release 2.1.7.
Important Installation Information for NAC-3310
• NAC-3310 Required BIOS/Firmware Upgrade
• NAC-3310 Required DL140 or serial_DL140 CD Installation Directive
NAC-3310 Required BIOS/Firmware Upgrade
The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for detailed instructions.
NAC-3310 Required DL140 or serial_DL140 CD Installation Directive
The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM. For more information, refer to Known Issue with NAC-3310 CD Installation.
Additional Hardware Support Information
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:
• Cisco NAC Appliance 3300 Series hardware platforms
• Supported server hardware configurations
• Pre-installation instructions for applicable server configurations
• Troubleshooting information for network card driver support
See Troubleshooting for further details.
Supported Switches for Cisco NAC Appliance
See Switch Support for Cisco NAC Appliance for complete details on:
• Switches and NME service modules that support Out-of-Band (OOB) deployment
• Switches/NMEs that support VGW VLAN mapping
• Known issues with switches/WLCs
• Troubleshooting information
VPN and Wireless Components Supported for Single Sign-On (SSO)
Table 1 lists VPN and wireless components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.
Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO
Cisco NAC Appliance Version | VPN Concentrator/Wireless Controller | VPN Clients
4.1(3) | Cisco WiSM Wireless Service Module for the Cisco Catalyst 6500 Series Switches | N/A
4.1(3) | Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) (1) | N/A
4.1(3) | Cisco ASA 5500 Series Adaptive Security Appliances, Version 8.0(3)7 or later (2) | AnyConnect
4.1(3) | Cisco ASA 5500 Series Adaptive Security Appliances, Version 7.2(0)81 or later | Cisco SSL VPN Client (Full Tunnel); Cisco VPN Client (IPSec)
4.1(3) | Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers | (same as above)
4.1(3) | Cisco VPN 3000 Series Concentrators, Release 4.7 | (same as above)
4.1(3) | Cisco PIX Firewall | (same as above)
1 For additional details, see also Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).
2 Release 4.1(3) supports existing AnyConnect clients accessing the network via Cisco ASA 5500 Series devices running release 8.0(3)7 or later. For more information, see VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal and CSCsi75507.
Note
Only the SSL Tunnel Client mode of the Cisco WebVPN Services Module is currently supported.
For further details, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3) and the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3).
Software Compatibility
This section describes software compatibility for releases of Cisco NAC Appliance:
• Software Compatibility Matrixes
• Determining the Software Version
For details on Clean Access Agent and Cisco NAC Web Agent client software versions and AV integration support, see:
• Clean Access Supported AV/AS Product List
Software Compatibility Matrixes
This section describes the following:
• Release 4.1(3) Compatibility Matrix
• Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix
• Release 4.1(3) Clean Access Agent Upgrade Compatibility Matrix
Release 4.1(3) Compatibility Matrix
Table 2 shows Clean Access Manager and Clean Access Server compatibility and the Clean Access Agent version supported with each CCA 4.1(3) release (if applicable). CAM/CAS/Clean Access Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in the table.
Table 2 Release 4.1(3) Compatibility Matrix
Clean Access Manager | Clean Access Server | Cisco NAC Appliance Agents (1): Windows (2) | Mac OS X (3) | Web Agent (4)
4.1.3.1 (5), 4.1(3) | 4.1.3.1 (5), 4.1(3) | 4.1.3.2, 4.1.3.1, 4.1.3.0 | 4.1.3.1, 4.1.3.0 | 4.1.3.10, 4.1.3.9
4.1.3.1 (5), 4.1(3) | 4.1.3.1 (5), 4.1(3) | 4.1.2.x, 4.1.1.0, 4.1.0.x (6) | 4.1.2.x, 4.1.1.0, 4.1.0.x (6) | -
1 See Cisco NAC Appliance Agents for details on version updates for each Windows/Mac OS X/Web Agent.
2 Version 4.1.3.0 and later of the Windows Clean Access Agent is compatible with the 4.1(3) CAM and 4.1(3) and later CAS releases. See Cisco NAC Appliance Agents for details and caveats resolved for each Agent version.
3 Mac OS X Clean Access Agent supports authentication only (no posture assessment) and auto-upgrade starting from version 4.1.3.0. See Mac OS X Clean Access Agent Version 4.1.3.0 for details.
4 Cisco NAC Web Agent 4.1.3.9 is a new user access option introduced in release 4.1(3). See Cisco NAC Web Agent Enhancements for more information.
5 Cisco NAC Appliance Release 4.1.3.1 is a general and important bug fix release that resolves issues as described in Enhancements in Release 4.1.3.1.
6 Cisco strongly recommends running version 4.1.3.0 of the Clean Access Agent with release 4.1(3) of the CAM/CAS. If necessary, release 4.1(3) allows administrators to optionally configure the 4.1(3) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment (Windows only). Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(3) Cisco NAC Appliance system. However, an Agent upgraded to 4.1.3.0 and later can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1) in the 4.1(1) release notes for details.
Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix
Table 3 shows 4.1(3) CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row. When you upgrade your system software, Cisco recommends you upgrade to the most current release available whenever possible.
Table 3 Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix
Clean Access Manager: Upgrade From | Clean Access Manager: To | Clean Access Server: Upgrade From | Clean Access Server: To
 | 4.1.3.1 (3), 4.1(3) | | 4.1.3.1 (3), 4.1(3)
1 Release 4.1(0), 4.1.0.1, and 4.1.0.2 do not support and cannot be installed on Cisco NAC Appliance 3300 Series platforms.
2 "In-place" upgrade from version 3.5(11) to 4.1(3) is not supported. Customers wishing to upgrade a system from 3.5(11) to 4.1(3) must use the supported in-place upgrade procedure to upgrade from 3.5(11) to 4.0(6), and then upgrade to 4.1(3). (See CSCsl76977.)
3 Cisco NAC Appliance Release 4.1.3.1 is a general and important bug fix release that resolves issues as described in Enhancements in Release 4.1.3.1.
Release 4.1(3) Clean Access Agent Upgrade Compatibility Matrix
Table 4 shows Clean Access Agent upgrade compatibility when upgrading existing versions of the Agent after 4.1(3) CAM/CAS upgrade. You can auto-upgrade any 3.5.1+ Windows Agent directly to the latest 4.1.3.x Windows Agent. You can auto-upgrade Mac OS X Agents starting from version 4.1.3.0 and later.
Note
The temporal Cisco NAC Web Agent is updated on the CAM under Device Management > Clean Access > Updates > Update only; auto-upgrade does not apply.
Refer to the "Cisco NAC Appliance Agents Systems Requirements" section of the Supported Hardware and System Requirements for Cisco NAC Appliance for additional compatibility details.
Table 4 Release 4.1.3.x Agent Upgrade Compatibility Matrix
Clean Access Manager | Clean Access Server | Upgrade From | To Latest Compatible Windows Version | To Latest Compatible Mac OS X Version
4.1.3.1, 4.1(3) | 4.1.3.1, 4.1(3) | 4.1.2.x, 4.1.1.0, 4.1.0.x (4) | 4.1.3.2, 4.1.3.1 (5), 4.1.3.0 | 4.1.3.1 (6), 4.1.3.0
4.1.3.1, 4.1(3) | 4.1.3.1, 4.1(3) | 4.0.x.x, 3.6.x.x, 3.5.1 and later | 4.1.3.1 (5), 4.1.3.0 | —
1 Clean Access Agent versions are not supported across major releases. Do not use 4.1.3.x Agents with 4.0(x) or prior releases. However, auto-upgrade is supported from any 3.5.1 and later Agent directly to the latest 4.1.3.x Agent.
2 See Cisco NAC Appliance Agents for details on version updates for each Windows/Mac OS X/Web Agent.
3 For checks/rules/requirements, version 4.1.1.0 and later Clean Access Agents can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.
4 Cisco strongly recommends running the latest 4.1.3.x version of the Clean Access Agent with release 4.1(3) of the CAM/CAS. If necessary, release 4.1(3) allows administrators to optionally configure the 4.1(3) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment. Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(3) Cisco NAC Appliance system. However, an Agent upgraded to 4.1.3.0 and later can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1) in the 4.1(1) release notes for details.
5 Windows Clean Access Agent version 4.1.3.1 resolves caveat CSCsm05207. See Windows Clean Access Agent Version 4.1.3.1 and Resolved Caveats - Windows Clean Access Agent 4.1.3.1 for details.
6 Auto-upgrade of the Mac OS X Agent is supported starting from version 4.1.3.0 and later. Release 4.1(1) and release 4.1(2)+ do not support auto-upgrade for the Mac OS X Agent. Users can upgrade client machines to the latest Mac OS X Agent by downloading the Agent via web login and running the Agent installation. For more information, see Mac OS X Clean Access Agent Enhancements.
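The matrices above mix three spellings of a version ("4.1(3)", "4.1.3.1", "4.1.3.x") and spread the Windows Agent rules across several footnotes. The following Python script is an added illustration, not part of these release notes or of the Cisco product: it normalizes those strings and applies the stated rules (CAM and CAS should be synchronized, Agents are not supported across major releases, 4.1.3.0 and later Agents work with a 4.1(3) CAM/CAS and still log in to an older 4.1.x system, and 4.1.0.x Agents are refused by a 4.1(3) system unless the administrator enables them). The function names and the allow_410_agents flag are assumptions for this illustration; the real CAM/CAS setting is the one described in the 4.1(1) release notes referenced in footnote 4.

```python
"""Pre-upgrade compatibility check modelled on the 4.1(3) matrices.

Added example, not Cisco code. Thresholds come from the footnotes to
Tables 2 and 4; function names and the allow_410_agents flag are
assumptions made for this illustration.
"""
import re


def parse_version(text):
    """Normalize '4.1(3)', '4.1.3.1', '4.1.3.x' or '4.0(x)' into a 4-tuple.

    'x' (an unspecified digit) becomes 0, so '4.1.3.x' sorts with 4.1.3.0,
    and '4.1(3)' is read as 4.1.3.0, which is how the notes use it.
    """
    parts = re.findall(r"[0-9]+|x", text)
    nums = [0 if p == "x" else int(p) for p in parts]
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums[:4])


def release_train(v):
    """Major release train, e.g. (4, 1) for any 4.1.x.x image."""
    return v[:2]


def synchronized(cam, cas):
    """Cisco recommends that CAM and CAS run identical images."""
    return parse_version(cam) == parse_version(cas)


def check_windows_agent(cam, cas, agent, allow_410_agents=False):
    """Return (ok, reason) for a Windows Clean Access Agent on a CAM/CAS pair."""
    cam_v, cas_v, agent_v = parse_version(cam), parse_version(cas), parse_version(agent)
    if release_train(cam_v) != release_train(cas_v):
        return False, "CAM %s and CAS %s are different major releases" % (cam, cas)
    if release_train(agent_v) != release_train(cam_v):
        # Footnote 1 of Table 4: no 4.1.3.x Agents with 4.0(x) or earlier.
        return False, "Agent %s is not supported across major releases (CAM/CAS %s)" % (agent, cam)
    system_v = min(cam_v, cas_v)  # the older component bounds what the Agent may do
    if system_v >= (4, 1, 3, 0):
        if agent_v >= (4, 1, 3, 0):
            return True, "4.1.3.x Agent on 4.1(3) CAM/CAS"
        if agent_v[:3] == (4, 1, 0):
            # Footnote 6 of Table 2: refused by default, optionally allowed.
            if allow_410_agents:
                return True, "4.1.0.x Agent permitted by the optional CAM/CAS setting"
            return False, "4.1.0.x Agents are refused by a 4.1(3) system by default"
        return True, "older 4.1.x Agent; auto-upgrade it to the latest 4.1.3.x"
    # 4.1(0)/4.1(1)/4.1(2) CAM/CAS: an Agent upgraded to 4.1.3.x can still log in.
    return True, "Agent %s can log in to a pre-4.1(3) 4.1.x CAM/CAS" % agent


if __name__ == "__main__":
    for cam, cas, agent in [("4.1.3.1", "4.1.3.1", "4.1.3.2"),
                            ("4.1(3)", "4.1(3)", "4.1.0.2"),
                            ("4.0(6)", "4.0(6)", "4.1.3.2")]:
        ok, why = check_windows_agent(cam, cas, agent)
        print(cam, cas, agent, "->", "OK" if ok else "NOT OK", "(%s)" % why)
```

Run it against the images you plan to deploy before scheduling the CAM/CAS upgrade; a False result for the Agent version your clients currently run means you need the auto-upgrade (or the optional 4.1.0.x setting) in place before clients hit the upgraded system.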
Determining the Software Version
There are several ways to determine the version of software running on your Clean Access Manager (CAM), Clean Access Server (CAS), or Clean Access Agent, as described below.
• Clean Access Manager (CAM) Version
• Clean Access Server (CAS) Version
• Cisco NAC Appliance Agents Versioning
• Cisco Clean Access Updates Versioning
Clean Access Manager (CAM) Version
The top of the CAM web console displays the software version installed. After you add the CAM license, the top of the CAM web console displays the license type (Lite, Standard, Super). Additionally, the Administration > CCA Manager > Licensing page displays the types of licenses present after they are added.
The software version is also displayed as follows:
• From the CAM web console, go to Administration > CCA Manager > System Upgrade | Current Version
• SSH to the machine and type: cat /perfigo/build
CAM Lite, Standard, Super
The NAC Appliance Clean Access Manager (CAM) is licensed based on the number of NAC Appliance Clean Access Servers (CASes) it supports. You can view license details under Administration > CCA Manager > Licensing. The top of CAM web console identifies the type of CAM license installed:
• Cisco Clean Access Lite Manager supports 3 Clean Access Servers (or 3 HA-CAS pairs)
• Cisco Clean Access Standard Manager supports 20 Clean Access Servers (or 20 HA-CAS pairs)
• Cisco Clean Access Super Manager supports 40 Clean Access Servers (or 40 HA-CAS pairs)
Note the following:
• The Super CAM software runs only on the Cisco NAC-3390 MANAGER.
• Initial configuration is the same for the Standard CAM and Super CAM.
• Software upgrades of the Super CAM use the same upgrade file and procedure as the Standard CAM. You can use web upgrade or console/SSH instructions to upgrade a Super CAM to the latest release. However, a new CD installation of the Super CAM requires a separate .ISO file.
Clean Access Server (CAS) Version
You can determine the CCA software version running on the Clean Access Server (whether NAC-3300 appliances or Cisco NAC network modules) using the following methods:
• From the CAM web console, go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Misc > Update | Current Version
• From the CAS direct access console, go to Administration > Software Update | Current Version (the CAS direct console is accessed via https://<CAS_eth0_IP_address>/admin)
• SSH or console to the machine (or network module) and type cat /perfigo/build
Note
If configuring High Availability CAM or CAS pairs, see also Access Web Consoles for High Availability for additional information.
Cisco NAC Appliance Agents Versioning
On the CAM web console, you can determine versioning for the Cisco NAC Appliance Agents from the following pages:
• Monitoring > Summary (Windows Setup/Patch, Mac OS X Agent, Web Agent)
• Device Management > Clean Access > Clean Access Agent > Distribution (persistent Agents only)
• Device Management > Clean Access > Updates > Summary (all Cisco Updates versioning and Agent Patch Version; see also Cisco Clean Access Updates Versioning)
• Device Management > Clean Access > Clean Access Agent > Reports | View (an individual report shows username, operating system, Clean Access Agent version and type, System/User domain information, and client AV/AS version)
From the Clean Access Agent itself on the client machine, you can view the following information from the Agent taskbar menu icon:
• Right-click About to view the Agent version.
• Right-click Properties to view AV/AS version information for any AV/AS software installed, and the Discovery Host (used for L3 deployments).
Cisco Clean Access Updates Versioning
To view the latest version of Updates downloaded to your CAM, including Cisco Checks & Rules, Cisco NAC Web Agent, Clean Access Agent Upgrade Patch, and Supported AV/AS Product List, go to Device Management > Clean Access > Updates > Summary on the CAM web console. See Clean Access Supported AV/AS Product List for additional details.
New and Changed Information
This section describes enhancements added to the following releases of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.
• Enhancements in Release 4.1.3.2
• Enhancements in Release 4.1.3.1
• Enhancements in Release 4.1(3)
See Cisco NAC Appliance Agents for new features and enhancements to Cisco NAC Appliance Agents.
For additional details, see also:
• Clean Access Supported AV/AS Product List
• Known Issues for Cisco NAC Appliance
Enhancements in Release 4.1.3.2
Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.2)
Added Agent language template support for Russian, Turkish, and Serbian (Cyrillic) for Windows Agents. The Agent displays localized text for these languages when run on a localized Windows operating system.
Note
The Agent picks the correct language template based on the local computer Locale (under Control Panel > Regional and Language Options). Cisco recommends using the localized Agent in the localized version of Windows (e.g. French Agent in French Windows). Agent language template support only controls what the viewer sees after the Agent is installed; it does not include support for different client operating systems for the Agent Installer or for AV/AS products.
Note
If the administrator includes non-English text in the CAM configuration (e.g. non-English characters in a requirement description or registry value check), it may not be displayed correctly or run correctly.
See Cisco NAC Appliance Agents for enhancement details per Agent version.
Enhancements in Release 4.1.3.1
Release 4.1.3.1 is a general and important bug fix release for the Clean Access Manager and Clean Access Server that addresses the caveats described in Resolved Caveats - Release 4.1.3.1. No new features are added.
For upgrade instructions, please refer to Upgrading to 4.1(3).
Enhancements in Release 4.1(3)
This section details the enhancements delivered with Cisco NAC Appliance release 4.1(3) for the Clean Access Manager and Clean Access Server.
General Enhancements
• Support for Clients with Multiple Active NICs
• Clean Access Server HA Heartbeat Link Enhancement
• Clean Access Manager HA Configuration and Heartbeat Link Enhancements
• Guest User Login and Registration Enhancements
• LDAP Authentication Enhancement
• Clean Access Server and WSUS Interaction Enhancement
• Agent Restricted User Access Enhancement
• Device Filter List Display and Import/Export Enhancement
• Agent Report Information Display and Export Enhancement
• Syslog Configuration Enhancement
• Debug Log Download Enhancement
• ARP Broadcast Packet Handling Improvement
• Clean Access Server HA ARP Broadcast Enhancement
• Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
• Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
• Clean Access Agent Auto Remediation
• Delay Agent Logoff on CAM/CAS
• 64-bit Windows Operating System Agent Support
• Supported AV/AS Product List Enhancements (Version 67)
Out-of-Band Enhancements
• Access to Authentication VLAN Change Detection Enhancement
• SNMP Inform Notification Enhancement
• SNMP "MAC Move Notification" Switch Port Configuration Support
Cisco NAC Appliance Agent Enhancements
• Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.0)
General Enhancements
Cisco NAC Web Agent
Warning
Cisco does not recommend using the Cisco NAC Web Agent on client machines connecting with link speeds slower than 56Kbits/s.
Cisco NAC Appliance release 4.1(3) introduces a new temporal Agent for Windows client machines. Unlike the Clean Access Agent, the Cisco NAC Web Agent is not a "persistent" entity: it exists on the client machine only long enough to accommodate a single user session. Instead of downloading and installing an Agent application, the user opens a browser window, logs in to the Cisco NAC Appliance web login page, and chooses to launch the Cisco NAC Web Agent. An ActiveX control or Java applet (you specify the preferred method using the Web Client (Active X/Applet) option on the Administration > User Pages > Login Page configuration page) then runs a self-extracting stub installer on the client machine that installs the Agent files in the client's temporary directory, performs posture assessment (scans the system to ensure security compliance), and reports compliance status back to the Cisco NAC Appliance system. During this period the user is granted access only to the Temporary Role. If the client machine is not compliant for one or more reasons, the user is informed of the issues preventing network access and may do one of the following:
• Manually remediate/update the client machine and test compliance again before the Temporary Role times out
• Accept "restricted" network access for the time being and try to ensure the client machine meets requirements for the next login session
Note
The Cisco NAC Web Agent does not perform client remediation. Users must adhere to Cisco NAC Appliance requirement guidelines independent of the Web Agent session to ensure compliance before they can gain access to the internal network. If users are able to correct/update their client machine to be compliant before the Temporary Role time-out expires, they can choose to "Re-scan" the client machine and successfully log in to the network.
Once the user has provided appropriate login credentials and the Web Agent ensures the client machine meets the NAC Appliance security requirements, the browser session remains open and the user is logged in to the network until the user clicks the Logout button in the Web Agent browser window, shuts off their system, or the NAC Appliance administrator terminates the session from the CAM. After the session terminates, the Web Agent "removes" itself from the client machine and the temporary files used to install are deleted from the system.
Note
Security restrictions for the "Guest" user profile in Windows Vista operating systems prevent ActiveX controls and Java applets from running properly. Therefore, you must log into the Windows Vista client machine as a known user (not a "Guest") in order to log into Cisco NAC Appliance via the Web Agent.
The Cisco NAC Web Agent enhancement affects the following page of the CAM web console:
• Device Management > Clean Access > General Setup > Agent Login—new Require use of Cisco NAC Web Agent option to enable the Cisco NAC Web Agent for user login
Note
For system requirements and details on version updates, refer to Cisco NAC Web Agent Enhancements.
Support for Clients with Multiple Active NICs
Cisco NAC Appliance release 4.1(3) includes an enhancement that addresses connection problems from client machines with more than one active Network Interface Card (NIC). For example, a client machine may have an active LAN Ethernet connection and an active wireless NIC connection, where each interface sends SWISS UDP discovery packets to initiate a connection to a network CAS. To address this situation, the CAS now examines the SWISS packets from the client machine, records the IP address of the requesting NIC, and checks all subsequent SWISS UDP packets against that NIC IP address, so that the same client logs in from only one interface.
Without this enhancement, the following scenario can occur:
Client machine A sends SWISS UDP discovery packets to the CAS and receives a response directing the user to enter their authentication credentials. During this process, another active NIC on client machine A sends SWISS UDP discovery packets to the same CAS even though the first interface is already establishing a connection. After the first client session is established, the user sees a login screen again, despite having already successfully established a connection. Until the secondary NIC is disabled or the client machine otherwise stops transmitting SWISS UDP packets from it, the user can see login screen after login screen.
For information regarding clients with multiple active NICs and how to configure them to interoperate with the Access to Authentication VLAN change detection feature, see Access to Authentication VLAN Change Detection Interoperability with Clients Featuring More Than One Active NIC.
For more information, see the "Supporting Multiple Active NICs on the Clean Access Agent Client Machine" section in the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3).
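The following Python model replays the two-NIC scenario above with and without the 4.1(3) behaviour. It is an added example, not Cisco code and not the real SWISS wire format: the release note says only that the CAS records the IP address of the first requesting NIC and checks later discovery packets against it, so the packet layout, the assumption that a discovery packet carries some stable per-client identifier (client_id here), and the action names are all constructed for this illustration.

```python
"""Model of the 4.1(3) multi-NIC handling for Agent discovery (SWISS) packets.

Added example, not Cisco code and not the real SWISS protocol. Assumes each
discovery packet carries a stable client identifier; the release notes do
not say what the CAS actually keys on beyond the NIC IP address.
"""
from dataclasses import dataclass, field


@dataclass
class DiscoveryPacket:
    client_id: str   # assumed: stable across the client's NICs
    src_ip: str      # IP address of the NIC that sent this packet


@dataclass
class CasDiscoveryHandler:
    bind_to_first_nic: bool = True                # False reproduces the pre-4.1(3) behaviour
    sessions: dict = field(default_factory=dict)  # client_id -> IP of the NIC bound at login

    def handle(self, pkt):
        """Return the action the CAS takes for one discovery packet.

        'prompt_login'  the user is shown the login dialog
        'in_session'    packet came from the bound NIC; nothing to do
        'ignore'        packet came from a second NIC of a client already bound
        """
        bound = self.sessions.get(pkt.client_id)
        if bound is None:
            self.sessions[pkt.client_id] = pkt.src_ip  # record the requesting NIC
            return "prompt_login"
        if not self.bind_to_first_nic:
            # Old behaviour: every NIC looks like a new client, so the user
            # keeps getting login screens while the second NIC keeps sending.
            return "prompt_login"
        if pkt.src_ip == bound:
            return "in_session"
        return "ignore"

    def logout(self, client_id):
        """Release the binding so the client can log in again from any NIC."""
        self.sessions.pop(client_id, None)


def simulate(bind_to_first_nic):
    """Replay the release-note scenario and return the CAS actions in order."""
    # Constructed traffic: client A has a wired NIC at 10.1.1.50 and a wireless
    # NIC at 10.1.2.50; both discover the same CAS, alternating.
    traffic = [
        DiscoveryPacket("client-A", "10.1.1.50"),
        DiscoveryPacket("client-A", "10.1.2.50"),
        DiscoveryPacket("client-A", "10.1.1.50"),
        DiscoveryPacket("client-A", "10.1.2.50"),
    ]
    cas = CasDiscoveryHandler(bind_to_first_nic=bind_to_first_nic)
    return [cas.handle(p) for p in traffic]


if __name__ == "__main__":
    print("pre-4.1(3):", simulate(False))
    print("4.1(3):    ", simulate(True))
```

With binding enabled the second interface is ignored for the life of the session; with it disabled the model produces a login prompt for every packet, which is the repeated login screen the release note describes.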
Clean Access Server HA Heartbeat Link Enhancement
Clean Access Server HA heartbeat link capabilities have been enhanced in release 4.1(3). In addition to the existing serial interface and optional trusted (eth0 and eth2/eth3) interface heartbeat connections, you can now also configure the CAS to employ the (untrusted side) eth1 interface to provide redundant HA heartbeat monitoring.
This enhancement affects the following page of the CAS web console:
• Administration > Failover > General | HA-Primary Mode and HA-Secondary Mode CAS mode configuration pages now allow for up to three optional Heartbeat UDP Interfaces: one dedicated on the (trusted side) eth0 interface; one dedicated on the (untrusted side) eth1 interface; and a third on either of the eth2 or eth3 interfaces, if installed and enabled.
Clean Access Manager HA Configuration and Heartbeat Link Enhancements
In release 4.1(3), the Clean Access Manager web console interface now features a new (separate) Failover tab as well as additional failover configuration settings to support up to three optional redundant Heartbeat UDP Interfaces. In addition to the existing optional serial interface and dedicated eth1 interface heartbeat connections, you can now also configure the CAM to employ the (trusted side) eth0 interface and an additional optional Ethernet link to provide redundant HA heartbeat monitoring.
This enhancement affects the following pages of the CAM web console:
• Administration > CCA Manager > Network (formerly Network & Failover) no longer features any CAM HA/failover configuration settings
• Administration > CCA Manager | new Failover tab featuring HA-Primary Mode and HA-Secondary Mode CAM mode configuration pages that allow for up to three optional Heartbeat UDP Interfaces: one dedicated/preconfigured heartbeat link on eth1; one dedicated link on eth0; and a third on either of the eth2 or eth3 interfaces, if installed and enabled.
Guest User Login and Registration Enhancements
Release 4.1(3) enhances the way the CAM handles Guest user login, registration, and access with a new Guest Registration feature. Rather than allow users to simply gain undifferentiated Guest access to the system, the administrator can now configure guest users to register their own local accounts on the CAM using a variety of fields, including email, phone number, or affiliation. The new feature provides a customizable level of guest authentication using a new Guest Auth Server Type, new Guest Registration configuration pages, and the default guest role.
The CAM can automatically time out guest accounts using token expiration, or flush out unused guest accounts from the local database after a configurable number of days. Administrators can view newly created guest accounts on a new Guest Users local users list, and on the Certified Device List and Online Users List by configured Guest Auth Provider and Guest role.
Note
Guest Registration on the CAM in 4.1(3) is independent of the Cisco NAC Guest Server solution. For details on Cisco NAC Guest Server, refer to the Release Notes for Cisco NAC Guest Server, Release 1.0.0.
To update any existing Guest user access model on the CAM to take advantage of the enhancements in release 4.1(3), administrators can perform the following tasks:
1. Disable/remove previous Guest user account(s)—You can accomplish this either by removing all existing guest users from the CAM's user database or (if all existing guest registration information is accessible from the same authentication source) by removing that authentication server from the CAM.
2. Create a new Guest user role—You can create a new Guest user role just as you would any other login account with which users can access the NAC Appliance system.
3. Configure the Guest authentication server—You can configure a Guest authentication server just as you would any other standard authorization server, with the addition of two "housekeeping" features designed for Guest user authentication: an account lifetime setting and an option that automatically removes invalid guest accounts once a specified period of inactivity has passed.
4. Configure Guest login page(s)—This function allows you to require Guest registration and add existing Guest provider options to the login page.
5. Customize the Guest page—You can also specify the content and type of information Guest users must provide during the registration process.
This enhancement affects the following pages of the CAM web console:
• User Management > Auth Servers > New | new "Guest" Authentication Type and respective settings
• User Management > Local Users: now features a new Guest Users tab (formerly a subtab of existing Local Users) with which you can view Guest user information more exclusively
• Administration > User Pages | new Guest Registration Page tab with Content and Guest Info subtabs
LDAP Authentication Enhancement
Release 4.1(3) enhances the authentication settings available when authenticating user credentials against an LDAP server. Administrators can now specify either the "Simple" or Generic Security Services Application Programming Interface (GSSAPI) authentication mechanism to better provide secure credential authentication in the network.
This enhancement affects the following pages of the CAM web console:
• User Management > Auth Servers > New/Edit | Authentication Type | LDAP and User Management > Auth Servers > Lookup Servers > New both feature the following new user interface settings/options:
  – New GSSAPI Authentication Mechanism option with associated KDC Timeout (in seconds), KDC/Realm Mapping, Domain/Realm Mapping settings, and Description
  – New Default Realm LDAP configuration setting
Clean Access Server and WSUS Interaction Enhancement
Release 4.1(3) improves message text for Windows Server Update Services (WSUS) requirements. When the Clean Access Agent encounters a WSUS requirement compliance issue, the Agent launches a secondary client remediation frame from which the user can download the required Windows Update during client posture assessment.
Note
For non-admin users of client machines, use of the Stub Agent is mandatory for WSUS requirements.
Agent Restricted User Access Enhancement
Cisco NAC Appliance Agent login behavior has been enhanced in release 4.1(3) to allow users "restricted" network access if/when their client machine does not pass posture assessment as configured in the requirements associated with the user's login role. If this function is enabled by the administrator, a new button labeled "Limited" now appears in the Clean Access Agent login dialog and "Get Restricted Network Access" (or another configurable text string) in the Cisco NAC Web Agent dialog to give the user the option to gain access to a restricted set of network resources via the NAC Appliance system. The administrator has control over which resources are available to users with restricted network access, according to the configuration settings specified in an existing user role. For example, the administrator can create a new user role called "Restricted" in User Management > User Roles that allows users who choose to accept restricted network access to launch their Email program and gain access to the WWW, but nothing else.
This enhancement affects the following web console page:
• Device Management > Clean Access > General Setup > Agent Login | Allow restricted network access in case user cannot use Clean Access Agent or Cisco NAC Web Agent
Device Filter List Display and Import/Export Enhancement
Starting from release 4.1(3), Cisco NAC Appliance administrators can export device filter lists to CSV files that can be searched, viewed, and manipulated in Microsoft Excel spreadsheets whenever they need to troubleshoot connection issues or compile statistical reports, and can import device filter list information from existing CSV files to populate (or repopulate) the CAM's device filter database. In addition, the layout and function of the device filter list display (Device Management > Filters > Devices > List) has been updated in release 4.1(3) to give the administrator more direct control over the specific device entries displayed.
This enhancement affects the following page of the CAM web console:
• Device Management > Filters > Devices > List—display page options have been reorganized and the page features two new Import and Export buttons
Agent Report Information Display and Export Enhancement
Starting from release 4.1(3), Cisco NAC Appliance administrators can export Agent report information to CSV files that can be searched, viewed, and manipulated in Microsoft Excel spreadsheets whenever the administrator needs them to troubleshoot connection issues or compile statistical reports. In addition, the layout and function of the Agent report display list (Device Management > Clean Access > Clean Access Agent > Reports) has been updated in release 4.1(3) to give the administrator more direct control over the specific Agent report entries displayed.
This enhancement affects the following page of the CAM web console:
• Device Management > Clean Access > Clean Access Agent > Reports—display page options have been reorganized and the page features two new Export and Export (with text) buttons
Note
The Export option creates an Excel file containing the columns displayed in the report viewer (Status, User, Agent, IP, MAC, OS, etc.).
The Export (with text) option provides an extra column containing the raw HTML code of the full Agent report that you can open for each report by clicking on view in the viewer.
VPN SSO Login Enhancement
Release 4.1(3) features a VPN SSO enhancement to ensure that users logging in via VPN are not erroneously presented with the Agent login dialog when signing in. When the user initiates a login session, the CAS passes information alerting the Agent that the user is already part of the VPN login list, thus enabling the CAM to avoid presenting the Agent login screen on the client machine. In network topologies that employ VPN concentrators, this potential situation can be made even more complex if the VPN concentrator delays sending the appropriate VPN login list notification to the CAS. To address this problem, the CAS is now able to specify a delay in the SWISS packet that tells the Agent to wait a short time before presenting the login screen.
VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
Release 4.1(3) adds accounting update functionality to support existing AnyConnect clients accessing the network via Cisco ASA 5500 Series Adaptive Security Appliances platforms. To support VPN SSO, you must be running Cisco NAC Appliance release 4.1(3) or later and the Cisco ASA 5500 Series device must be running release 8.0(3)7 or later and be configured to send interim accounting update packets.
For example, your Cisco ASA 5500 Series configuration should include:
aaa-server radius protocol radius
 interim-accounting-update
For VPN/Wireless SSO support information, refer to VPN and Wireless Components Supported for Single Sign-On (SSO).
Note
For additional details on the Cisco ASA enhancement, refer to http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsi75507.
Syslog Configuration Enhancement
Release 4.1(3) features a Syslog Settings page configuration enhancement allowing you to specify the Syslog Facility setting for a designated Syslog server where you direct Syslog messages originating from the CAM. You can use the default "User-Level" facility type, or you can assign any of the "local use" Syslog facility types defined in the Syslog RFC ("Local use 0" to "Local use 7"). This feature gives you the ability to differentiate Cisco NAC Appliance Syslog messages from "User-Level" Syslog entries you may already generate and direct to your Syslog server from other network components.
This enhancement affects the following page of the CAM web console:
• Monitoring > Event Logs > Syslog Settings | new Syslog Facility dropdown menu and CPU Utilization Interval field
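The value of a dedicated facility is easiest to see on the receiving side. The following added example (not Cisco code; the sample log lines and host names are constructed) computes the syslog PRI field for the "User-Level" and "Local use 0" to "Local use 7" facilities defined in the syslog RFC, then separates messages sent under a local-use facility from ordinary user-level entries arriving at the same server.

```python
import re

# Facility codes from the syslog RFCs (RFC 3164/5424): "User-Level" is 1,
# "Local use 0".."Local use 7" are 16..23. Severity 0..7 occupies the low 3 bits.
FACILITIES = {"user": 1, **{f"local{n}": 16 + n for n in range(8)}}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def pri(facility, severity):
    """PRI = facility * 8 + severity, as transmitted in the '<PRI>' prefix."""
    return FACILITIES[facility] * 8 + SEVERITY[severity]


def format_message(facility, severity, host, text):
    """Build a minimal BSD-style syslog line with the given facility."""
    return f"<{pri(facility, severity)}>{host} {text}"


def facility_of(line):
    """Facility code of a received line, or None if it has no valid PRI prefix."""
    m = PRI_RE.match(line)
    if not m:
        return None
    code = int(m.group(1))
    if code > 191:          # 23 * 8 + 7 is the largest legal PRI
        return None
    return code // 8


def split_by_facility(lines, wanted):
    """Return only the lines logged under the named facility (e.g. 'local7')."""
    code = FACILITIES[wanted]
    return [line for line in lines if facility_of(line) == code]


# Constructed sample input: two appliance messages on local7, one user-level
# message from an unrelated server, and one line without a PRI header.
SAMPLE_LINES = [
    "<189>Jan 12 10:00:01 cam-01 CCA: user jdoe logged in",                # local7, notice
    "<13>Jan 12 10:00:02 app-srv sshd[1234]: session opened for user ops",  # user, notice
    "<190>Jan 12 10:00:03 cam-01 CCA: device 00:11:22:33:44:55 certified",  # local7, info
    "Jan 12 10:00:04 legacy-host message without a PRI header",
]

if __name__ == "__main__":
    print(format_message("local7", "notice", "cam-01", "CCA: syslog facility test"))
    for line in split_by_facility(SAMPLE_LINES, "local7"):
        print("appliance:", line)
```

Selecting a local-use facility for the CAM and filtering on it at the collector is what lets NAC Appliance events be routed to their own file or rule set instead of being mixed with user-level entries from every other host.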
Debug Log Download Enhancement
With release 4.1(3), you can now specify the number of days of collected debug logs to download in order to aid troubleshooting efforts when working with Cisco technical support. The default setting is one week (7 days). Previously, debug logs included all recorded log entries in the CAM/CAS database.
This enhancement adds a new field, "Download technical support logs for the last [] days" to the following web console pages:
• CAM web console: Administration > Clean Access Manager > Support Logs
• CAS web console: Monitoring > Support Logs
cisco_api.jsp Enhancement
In Release 4.1(3), the Cisco NAC Appliance API (https://<CAM-IP-address or hostname>/admin/cisco_api.jsp) adds the following new functions, which provide support for Cisco NAC Profiler deployments:
• bounceport—bounces an OOB switch port according to the switch and/or port ID
• bounceportbymac—bounces an OOB switch port according to the associated client machine MAC address
• addsubnet—Adds a subnet to the Device Filters list
• updatesubnet—Updates a subnet entry in the Device Filters list
• removesubnet—Removes a subnet entry from the Device Filters list
The API also includes the following enhancements:
• getversion—(new function) returns the version of the CAM
• getreports—(modified function) userKey query parameter is removed; agentType (web/win/mac) query parameter is added
See also CSRF Protection. For further details on the Cisco NAC Appliance API, see Appendix B "API Support" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3).
CSRF Protection
Release 4.1(3) enhances protection from Cross-Site Request Forgery attacks, which maliciously exploit web browser sessions. Release 4.1(3) provides the following enhancements:
• Upon admin login to the CAM web console, each session receives a randomly-generated token (CCA_TOKEN) which is appended to the login URL and all static links. For example, a link such as https://<cam-ip>/admin/authlist.jsp can no longer be accessed directly without the session token. Note that direct link access displays an error message but does not log the user out of the admin console. The user can simply click the browser's "Back" button to go back to the original page.
• The CAS web console login now presents a form-based login page instead of a basic HTTP browser-based popup dialog to authenticate the admin user to the CAS (similar to current CAM web console login).
• The Cisco NAC Appliance API (cisco_api.jsp) is further protected against crossovers from sessions initiated via the CAM admin console.
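The per-session token described above is a standard anti-CSRF pattern: a link that a third-party page can construct in advance is useless without a secret that only the logged-in session knows. The following added example (not the CAM's code; the session store, link rewriting and the `cam.example` host are assumptions for illustration) shows the two halves of the pattern, issuing a random CCA_TOKEN at login and rejecting any console request whose token is missing or belongs to a different session, while leaving the session itself intact, as the release notes describe.

```python
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "CCA_TOKEN"   # parameter name from the release notes

# Constructed in-memory session store: session id -> per-session token.
SESSIONS = {}


def start_session():
    """Admin login: create a session and bind a fresh random token to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def tokenize_link(sid, url):
    """Append the session's token to a console link (assumed rewriting rule,
    standing in for what the console does to its static links)."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[TOKEN_PARAM] = SESSIONS[sid]
    return urlunsplit(parts._replace(query=urlencode(query)))


def check_request(sid, url):
    """Validate a request made within session `sid`.

    Returns (allowed, reason). A wrong or absent token is refused, but the
    session is deliberately left in place: the page says a direct link shows
    an error and the admin can simply go Back.
    """
    if sid not in SESSIONS:
        return False, "no such session"
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    presented = query.get(TOKEN_PARAM, "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(presented.encode(), SESSIONS[sid].encode()):
        return False, "missing or wrong token"
    return True, "ok"


if __name__ == "__main__":
    sid = start_session()
    link = tokenize_link(sid, "https://cam.example/admin/authlist.jsp")
    print(link)
    print(check_request(sid, link))
    print(check_request(sid, "https://cam.example/admin/authlist.jsp"))
```

Because the token is bound to the session rather than to the user, a link captured from one admin's browser does not validate in another admin's session, which is the "crossover" the third bullet refers to.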
Proxy Support Enhancements
Starting with release 4.1(3), proxy-related enhancements enable you to configure the Clean Access Server to allow proxy support for user login sessions using the Unauthenticated role:
• Client machines requiring a preconfigured Proxy PAC (Proxy Auto Config) file to access network resources can now get the file via the CAS, rather than directly from a dedicated Enterprise Proxy server. Previously, allowing user access through the CAS to an Enterprise Proxy server would have required allowing all traffic for the Unauthenticated role, which does not allow all traffic by design.
Note
A Proxy PAC file is only required when the URL has the same IP address and port assignment as the proxy server. Otherwise, Cisco recommends using the existing IP or Host Traffic Policy to specify the Proxy PAC URL.
• You can now configure CAS Host Policies to validate users assigned to the Unauthenticated role using a proxy server, where before you could not.
• You can now redirect traffic to a login web page for HTTPS requests via a proxy server (previously only HTTP requests could be redirected).
• Port 80 is supported as the proxy port.
Note
You must "exempt" the CAS from proxy settings. That is, client machines should access the CAS directly without passing traffic through a proxy server.
These enhancements affect the following pages of the CAM web console:
• Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Proxy—new PAC (Proxy Auto Config) file URL field
• Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Allowed Hosts—updated Parse Proxy Traffic option (no longer excludes Unauthenticated Role)
ARP Broadcast Packet Handling Improvement
Release 4.1(3) features an ARP broadcast enhancement that helps alleviate erroneous ARP broadcast "re-broadcasting." When an ARP broadcast packet arrives at the untrusted eth1 interface on the CAS, the CAS now checks to verify the nature of the broadcast packet. If the destination IP address is a known IP address or a valid IP address as part of a managed subnet, the CAS "re-broadcasts" the packet on to the appropriate managed subnet. If the packet in question is an ARP broadcast itself (a request for the owner of x.y.z.255, for example), then the CAS does not forward/rebroadcast the request because no host on the managed subnet will be able to respond appropriately.
Therefore, the NAC Appliance system now performs as follows when it receives a broadcast message (with a broadcast destination IP address) at the trusted side of the CAS:
1. If the broadcast destination IP address is 255.255.255.255, NAC Appliance rebroadcasts the packet to all subnets on the untrusted side.
2. If the broadcast destination IP address is the broadcast address of the untrusted (eth1) interface's main subnet, NAC Appliance rebroadcasts the packet to that subnet on the untrusted side.
3. If the broadcast destination IP address is the broadcast address of one of the managed subnets on the untrusted (eth1) interface, NAC Appliance rebroadcasts the packet to that managed subnet on the untrusted side.
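The two decisions described here (the untrusted-side check on ARP requests and the three trusted-side rebroadcast rules) are easy to get subtly wrong, so the following added example models them as two pure functions. This is illustrative code, not the CAS implementation; the subnet values used in the demo are constructed.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def _nets(subnets):
    """Parse subnet strings (an address inside the subnet is accepted too)."""
    return [ipaddress.ip_network(s, strict=False) for s in subnets]


def forward_untrusted_arp(target_ip, managed_subnets):
    """Model of the untrusted-side (eth1) ARP broadcast check.

    Returns the managed subnet (as a string) the request is re-broadcast to,
    or None when the request asks for a subnet broadcast address (no host can
    own x.y.z.255, so nothing could answer) or the target is in no managed
    subnet.
    """
    target = ipaddress.ip_address(target_ip)
    for net in _nets(managed_subnets):
        if target in net:
            return None if target == net.broadcast_address else str(net)
    return None


def rebroadcast_targets(dst_ip, eth1_subnet, managed_subnets):
    """Model of the trusted-side broadcast handling, rules 1 to 3 above.

    Returns the list of untrusted-side subnets (as strings) that receive a
    copy; an empty list means the broadcast is not re-broadcast at all.
    """
    dst = ipaddress.ip_address(dst_ip)
    eth1 = ipaddress.ip_network(eth1_subnet, strict=False)
    managed = _nets(managed_subnets)
    if dst == LIMITED_BROADCAST:                 # rule 1: limited broadcast
        return [str(n) for n in [eth1, *managed]]
    if dst == eth1.broadcast_address:            # rule 2: eth1 main subnet
        return [str(eth1)]
    for net in managed:                          # rule 3: one managed subnet
        if dst == net.broadcast_address:
            return [str(net)]
    return []                                    # directed broadcast for a subnet we do not serve


if __name__ == "__main__":
    eth1 = "10.1.1.1/24"                         # constructed eth1 address
    managed = ["10.2.0.0/24", "10.3.0.0/24"]     # constructed managed subnets
    for dst in ("255.255.255.255", "10.1.1.255", "10.3.0.255", "192.168.9.255"):
        print(dst, "->", rebroadcast_targets(dst, eth1, managed))
    for tgt in ("10.2.0.7", "10.2.0.255", "172.16.0.9"):
        print("who-has", tgt, "->", forward_untrusted_arp(tgt, managed))
```

The early return in `forward_untrusted_arp` is the point of the enhancement: a request whose target is itself a broadcast address is answered by nobody, so forwarding it only adds broadcast load on every managed subnet.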
Clean Access Server HA ARP Broadcast Enhancement
Release 4.1(3) features an ARP broadcast enhancement to improve Clean Access Server HA capabilities. In the event of a CAS failover, the HA-Secondary CAS (which assumes the HA-Primary role) now sends ARP request broadcast messages to all managed subnets on the untrusted (eth1) interface instead of just the primary subnet. These gratuitous ARPs help ensure that all clients on the untrusted side of the NAC Appliance network have a chance to update their ARP tables with the IP and MAC address of the new active CAS instead of first experiencing a session time-out and having to re-establish connection to the new active CAS.
Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
The "Retag Trusted-side Egress Traffic with VLAN (In-Band)" feature for User Roles is deprecated in Release 4.1(3) and will be removed completely in a future release.
This affects the following page of the CAM web console:
• User Management > User Roles > New Role | Edit Role
Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
The "Roaming" and "IPSec/L2TP/PPTP/PPP" features that have been deprecated in previous Cisco NAC Appliance releases now no longer appear in the web console interface for release 4.1(3). This change affects many pages of the CAM and CAS web user interfaces, most notably:
• The CAM web console Device Management node no longer features the Roaming menu item
• The CAS Status module list (Device Management > CCA Servers > Manage [CAS_IP] > Status) no longer features the IPSec Server category
• The CAS Network tab (Device Management > CCA Servers > Manage [CAS_IP] > Network) no longer features the IPSec, L2TP, PPTP, or PPP subtab headings
• The CAM User Roles list (User Management > User Roles > List of Roles) no longer features the IPSec or Roam column headings