Cisco NAC Appliance (Clean Access)

Overview

An interim workaround is available. Although it will result in your not being able to perform posture assessment or SSO for Mac OSX 10.6 or Windows 7, it will enable your users to gain network access. Cisco NAC Release 4.7.1 is planned for release the week of November 23, 2009, and it will contain agents for Mac OSX 10.6 and Windows 7. To take advantage of this new capability, you will have to upgrade your Cisco NAC Server, Manager, and Agent to this release.

• NAC Network Module Deployments: NAC Network Modules will not support Windows 7 or Mac OSX 10.6 until NAC Release 4.7.2 is available. Workarounds detailed in the documentation will need to be in place until the availability of NAC Release 4.7.2. A release date will be available shortly.

• NAC 4.1.x Software-Only Deployments: If you currently use NAC Release 4.1.x on non-Cisco hardware, you will have to migrate to a Cisco NAC Appliance-based solution in order to run NAC Release 4.7.1. The Cisco NAC Migration Program will enable you to upgrade to NAC Release 4.7.1 with the upcoming next-generation appliances. Please contact your channel partner or Cisco account representative for details on the NAC Migration Program.

• NAC FIPS Deployments: The upcoming NAC Release 4.7.0 is FIPS-certified. In NAC Release 4.7.1, Cisco NAC Agents for Windows 7 and Mac OSX 10.6 will not be FIPS-certified, but those agents will be certified as part of NAC Release 4.7.2. As indicated earlier, a NAC Release 4.7.2 release date will be available shortly.

The Solution

In order to resolve the issue, we're introducing a Cisco NAC Release 4.7.1, which will be available the week of November 23. This release will resolve the issue, except for the three use cases outlined earlier. You will have to upgrade to Cisco NAC Release 4.7.1 to take advantage of the release's capabilities.

For Windows 7 clients, browser-based (Internet Explorer 8) user authentication can be used to perform user authentication and allow/deny end-user access to your network. The NAC Agent will not be downloaded onto the Windows 7 client; therefore, posture assessment will not be performed.

For Mac OSX 10.6 clients, browser-based (Firefox 3.5) user authentication can be used to perform user authentication and allow/deny end-user access to your network. The NAC Agent will not be downloaded onto the Mac OSX 10.6 client; therefore, posture assessment will not be performed. We have identified an issue related to the use of Safari. This issue is currently being investigated, and we hope to have it resolved shortly.

For Windows 7 and Mac OSX 10.6, the Java applet needs to be used with Internet Explorer 8 and Firefox 3.5, respectively. You can find the detailed workaround document at http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/presentation_NAC_Solution_Workaround_for_Win.pdf.

Note: NAC Release 4.7.1 will not support NAC Network Modules. Also, NAC Agents running on Windows 7 and Mac OSX 10.6 will not be FIPS-certified. Support for these scenarios will be part of NAC Release 4.7.2. A deployment guide for these scenarios will be part of the NAC Release 4.7.1 release package.

If you are running NAC Release 4.1.x on non-Cisco NAC hardware, you will have to migrate to a Cisco hardware appliance (Cisco NAC 3140, 3310, 3350 or 3390 Appliance). The existing NAC Migration Program is being refreshed to enable you to upgrade to NAC Release 4.7.1 with the upcoming next-generation appliances. Please contact your channel partner or Cisco account representative for details on the NAC Migration Program.

Based on Microsoft's structured release cycle, we have set the following targets for an available NAC release:

• Upon availability of an RTM (Release to Manufacturing) from Microsoft, Cisco's target will be to support an EFT version of NAC within 4 weeks.

• When Microsoft has released product for general availability, Cisco's target will be to support the release with FCS product on the same day.

• Microsoft Service Pack target availability will mirror the OS release target availability.

• Existing hot-fix target availability will continue at 72 hours.

Note: If Microsoft introduces nontrivial changes post-RTM, it may affect our ability to deliver support at FCS.

Based on Apple's release cycle, we have set the following targets for an available NAC release:

• Upon availability of beta software ("seeds") from Apple, Cisco's target will be to offer best-effort support of an EFT version of NAC within 4 weeks.

• When Apple has released product for general availability, Cisco's target will be to support the release with FCS product within 4 weeks.

• Apple software updates target availability will continue to be on a case-by-case basis.

Changes to target release availability for OS, service pack, hot fix, browser, and security software versions will be phased in after NAC Release 4.7.1. As part of this effort, we are creating a separate NAC sustaining engineering team to expedite and issue regular releases of NAC independent from new feature versions.

We also plan to include the Fast Opswat feature in NAC Release 4.7.2; this will expedite support for newer antivirus/antispam versions. Currently, support of newer antivirus/antispam versions is tied to agent code, meaning that a newer version of the Cisco NAC Agent needs to be released to support the latest antivirus/antispam versions. With Fast Opswat, the antivirus/antispam version support and agent version will be decoupled, which will expedite the antivirus/antispam support.

Note: Many of the products and features described herein are in development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery of, or failure to deliver, any of the products or features set forth in this document.