Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
Release 4.1
December 2006

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

Text Part Number: OL-12214-01


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems,
Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press,
Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing,
FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys,
MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet
Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0705R)

Nessus is the trademark of Tenable Network Security.

Cisco NAC Appliance - Clean Access Manager includes software developed by the Apache Software Foundation (http://www.apache.org/) Copyright © 1999-2000 The
Apache Software Foundation. All rights reserved. The APACHE SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS OR CISCO OR ITS CONTRIBUTORS BE LIABLE FOR
ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THE APACHE SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
© 2007 Cisco Systems, Inc. All rights reserved.
Contents

Audience i

Purpose i

Document Conventions ii

Product Documentation ii

Obtaining Documentation iii


Cisco.com iii
Product Documentation DVD iv
Ordering Documentation iv
Documentation Feedback iv

Cisco Product Security Overview iv


Reporting Security Problems in Cisco Products v

Product Alerts and Field Notices v

Obtaining Technical Assistance vi


Cisco Support Website vi
Submitting a Service Request vii
Definitions of Service Request Severity vii

Obtaining Additional Publications and Information vii

CHAPTER 1 Introduction 1-1

What Is Cisco NAC Appliance (Cisco Clean Access)? 1-1


Cisco NAC Appliance Components 1-2
Clean Access Manager (CAM) 1-4
Clean Access Server (CAS) 1-4
Clean Access Agent 1-5
Managing Users 1-5

Installation Requirements 1-7


Product Licensing and Service Contract Support 1-7
Upgrading the Software 1-7
Cisco NAC Appliance Hardware Platforms 1-7
Supported Server Hardware Platforms 1-8
Minimum System Requirements 1-8
Important Release Information 1-8
Overview of Web Admin Console Elements 1-8

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01 i
Contents

Clean Access Server (CAS) Management Pages 1-9

Admin Console Summary 1-11

CHAPTER 2 Installing the Clean Access Manager 2-1

Overview 2-1

Set Up the Clean Access Manager NAC Appliance 2-2

Access the CAM Over a Serial Connection 2-4

Install the Clean Access Manager Software from CD-ROM 2-6


CD Installation Steps 2-6
Perform the Initial Configuration 2-7
Configuration Utility Script 2-8
Important Notes for SSL Certificates 2-10

Using the Command Line Interface (CLI) 2-11


Troubleshooting Network Card Driver Support Issues 2-12

CAM/CAS Connectivity Across Firewall 2-12

Access the CAM Web Console 2-12

CHAPTER 3 Device Management: Adding Clean Access Servers, Adding Filters 3-1

Working with Clean Access Servers 3-2


Add Clean Access Servers to the Managed Domain 3-2
Troubleshooting when Adding the Clean Access Server 3-4
Manage the Clean Access Server 3-4
Check Clean Access Server Status 3-5
Disconnect a Clean Access Server 3-5
Reboot the Clean Access Server 3-5
Remove the Clean Access Server from the Managed Domain 3-5
Global and Local Administration Settings 3-6
Global and Local Settings 3-7
Global Device and Subnet Filtering 3-7
Overview 3-7
Device Filters and User Count License Limits 3-8
Adding Multiple Entries 3-9
Corporate Asset Authentication and Posture Assessment by MAC Address 3-9
Device Filters for In-Band Deployment 3-10
Device Filters for Out-of-Band Deployment 3-10
Device Filters and IPSec/L2TP/PPTP Connections to CAS 3-11
Device Filters and Gaming Ports 3-11
Global vs. Local (CAS-Specific) Filters 3-11

Configure Device Filters 3-12


Add Global Device Filter 3-12
Display / Search Device Filter Policies 3-15
Order Device Filter Wildcard/Range Policies 3-16
Test Device Filter Policies 3-17
View Active L2 Device Filter Policies 3-17
Edit Device Filter Policies 3-18
Delete Device Filter Policies 3-18
Configure Subnet Filters 3-19

CHAPTER 4 Switch Management: Configuring Out-of-Band (OOB) Deployment 4-1

Overview 4-1
In-Band Versus Out-of-Band 4-2
Out-of-Band Requirements 4-2
SNMP Control 4-4
Deployment Modes 4-4
Basic Connection 4-4
Out-of-Band Virtual Gateway Deployment 4-6
Out-of-Band Real-IP/NAT Gateway Deployment 4-9
L3 Out-of-Band Deployment 4-12
Configuring Your Network for Out-of-Band 4-12

Configure Your Switches 4-12


Configuration Notes 4-12
Example Switch Configuration Steps 4-13
OOB Network Setup / Configuration Worksheet 4-17

Configure OOB Switch Management in the CAM 4-18


Add Out-of-Band Clean Access Servers and Configure Environment 4-19
Configure Group Profiles 4-21
Add Group Profile 4-22
Edit Group Profile 4-22
Configure Switch Profiles 4-23
Add Switch Profile 4-24
Configure Port Profiles 4-26
Add Port Profile 4-27
Configure SNMP Receiver 4-32
SNMP Trap 4-32
Advanced Settings 4-33
Add Managed Switch 4-36
Add New Switch 4-36

Search New Switches 4-38


Discovered Clients 4-39
Manage Switch Ports 4-40
Ports Tab 4-40
Config Tab 4-47
Out-of-Band User List Summary 4-50

OOB Troubleshooting 4-51


OOB Switch Trunk Ports After Upgrade 4-51
Unable to Control <Switch IP> 4-51
OOB Error: connected device <client_MAC> not found 4-52

CHAPTER 5 Configuring User Login Page and Guest Access 5-1


User Login Page 5-2
Unauthenticated Role Traffic Policies 5-2
Proxy Settings 5-3
Add Default Login Page 5-3

Change Page Type (to Frame-Based or Small-Screen) 5-5

Enable Web Client for Login Page 5-6


DHCP Release/Renew with Clean Access Agent/ActiveX/Applet 5-6

Customize Login Page Content 5-9

Create Content for the Right Frame 5-11

Upload a Resource File 5-12

Customize Login Page Styles 5-13

Configure Other Login Properties 5-14


Redirect the Login Success Page 5-14
Specify Logout Page Information 5-15
Guest User Access 5-16
Enable Login Page “Guest Access” 5-16
Enable Guest Users with Any Credential 5-17

CHAPTER 6 User Management: Configuring User Roles and Local Users 6-1

Overview 6-1

Create User Roles 6-1


User Role Types 6-2
Unauthenticated Role 6-3
Normal Login Role 6-3
Clean Access Roles 6-4
Session Timeouts 6-5

Default Login Page 6-6


Traffic Policies for Roles 6-6
Add New Role 6-6
Role Properties 6-8
Modify Role 6-12
Edit a Role 6-12
Delete Role 6-13
Create Local User Accounts 6-14
Create a Local User 6-14

CHAPTER 7 User Management: Configuring Auth Servers 7-1

Overview 7-1
Adding an Authentication Provider 7-4
Kerberos 7-5
RADIUS 7-6
Windows NT 7-8
LDAP 7-9
Active Directory Single Sign-On (SSO) 7-10
Windows NetBIOS SSO 7-10
Implementing Windows NetBIOS SSO 7-10
Cisco VPN SSO 7-12
Allow All 7-13
Configuring Authentication Cache Timeout (Optional) 7-14

Authenticating Against Backend Active Directory 7-15


AD/LDAP Configuration Example 7-15
Map Users to Roles Using Attributes or VLAN IDs 7-17
Configure Mapping Rule 7-18
Editing Mapping Rules 7-23
Auth Test 7-25

RADIUS Accounting 7-27


Enable RADIUS Accounting 7-27
Restore Factory Default Settings 7-28
Add Data to Login, Logout or Shared Events 7-28
Add New Entry (Login Event, Logout Event, Shared Event) 7-29

CHAPTER 8 Configuring Active Directory Single Sign-On (AD SSO) 8-1

AD SSO Overview 8-1


Windows SSO Process (Kerberos Ticket Exchange) 8-2

CAS Communication with AD Server 8-3

AD SSO Configuration Step Summary 8-4


Configuration Prerequisites 8-4
Configuration Step Summary 8-5
Add Active Directory SSO Auth Server 8-6

Configure Traffic Policies for Unauthenticated Role 8-7

Configure AD SSO on the CAS 8-9

Configure the AD Server and Run KTPass Command 8-11


Create the CAS User 8-11
Install Support Tools 8-14
Run ktpass.exe Command 8-15
Example KTPass Command Execution 8-18
Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos) 8-19

Confirm AD SSO Service Is Started 8-20

Enable GPO Updates 8-21

Add LDAP Lookup Server for Active Directory SSO (Optional) 8-22

Troubleshooting 8-24

CHAPTER 9 User Management: Traffic Control, Bandwidth, Schedule 9-1

Overview 9-1
Global vs. Local Scope 9-3
View Global Traffic Control Policies 9-3

Add Global IP-Based Traffic Policies 9-4


Add IP-Based Policy 9-4
Edit IP-Based Policy 9-7
Add Global Host-Based Traffic Policies 9-8
Add Trusted DNS Server for a Role 9-8
Enable Default Allowed Hosts 9-9
Add Allowed Host 9-10
View IP Addresses Used by DNS Hosts 9-11
Proxy Servers and Host Policies 9-12
Control Bandwidth Usage 9-13

Configure User Session and Heartbeat Timeouts 9-15


Session Timer 9-15
Heartbeat Timer 9-15
In-Band (L2) Sessions 9-15
OOB (L2) and Multihop (L3) Sessions 9-16
Session Timer / Heartbeat Timer Interaction 9-16

Configure Session Timer (per User Role) 9-17


Configure Heartbeat Timer (User Inactivity Timeout) 9-17

Configure Policies for Agent Temporary and Quarantine Roles 9-19


Configure Clean Access Agent Temporary Role 9-19
Configure Session Timeout for the Temporary Role 9-19
Configure Traffic Control Policies for the Temporary Role 9-20
Configure Network Scanning Quarantine Role 9-21
Create Additional Quarantine Role 9-21
Configure Session Timeout for Quarantine Role 9-22
Configure Traffic Control Policies for the Quarantine Role 9-23
Example Traffic Policies 9-24
Allowing Authentication Server Traffic for Windows Domain Authentication 9-24
Allowing Traffic for Enterprise AV Updates with Local Servers 9-24
Allowing Gaming Ports 9-24
Microsoft Xbox 9-25
Other Game Ports 9-25
Adding Traffic Policies for Default Roles 9-27
Troubleshooting Host-Based Policies 9-29

CHAPTER 10 Clean Access Implementation Overview 10-1

Clean Access Overview 10-1


Clean Access Agent 10-5
Clean Access Updates 10-6
Network Scanner 10-7
Certified List 10-7
Role-Based Configuration 10-9
Clean Access Setup Steps 10-9
Retrieving Updates 10-11
Download Cisco Updates 10-14

General Setup Summary 10-17


Agent Login 10-17
Web Login 10-20
User Page Summary 10-22

Manage Certified Devices 10-26


Add Exempt Device 10-27
Clear Certified or Exempt Devices Manually 10-28
View Clean Access Reports for Certified Devices 10-28
View Switch Information for Out-of-Band Certified Devices 10-29
Configure Certified Device Timer 10-29

Add Floating Devices 10-32

CHAPTER 11 Distributing the Clean Access Agent 11-1

Summary 11-1
Configuration Steps for Clean Access Agent 11-2

Add Default Login Page 11-3

Require Use of the Clean Access Agent 11-3


Configure Restricted Network Access for Agent Users 11-5
Configure Network Policy Page (Acceptable Use Policy) for Agent Users 11-6
Configure the Clean Access Agent Temporary Role 11-6
Enable Network Access (L3 or L2) 11-7
Enable L3 Deployment Support 11-8
Clean Access Agent Sends IP/MAC for All Available Adapters 11-8
VPN/L3 Access for Clean Access Agent 11-9
Enable L3 Support 11-9
Disabling L3 Capability 11-10
Enabling L2/L3 Strict Mode (Clean Access Agent Only) 11-11
Configuring Agent Distribution/Installation 11-12
Distribution Page 11-12
Installation Page 11-15
Clean Access Agent Stub Installer 11-17
SSL Requirements for Mac OS/CAS Communication 11-18

Configure Clean Access Agent Auto-Upgrade 11-19


Enable Agent Auto-Upgrade on the CAM 11-19
Disable Agent Upgrades to Users 11-19
Disable Mandatory Auto-Upgrade on the CAM 11-19
User Experience for Auto-Upgrade 11-20
Uninstalling the Agent 11-20
Agent Setup and Agent Patch (Upgrade) Files 11-20
Loading Agent Installation Files to the CAM 11-21
Auto-Upgrade Compatibility 11-21
Upgrading from 3.5.0 and Below Agents 11-23
Agent Upgrade Through File Distribution Requirement 11-23

Manually Uploading the Agent to the CAM 11-25

Downgrading the Agent 11-26

CHAPTER 12 Configuring Clean Access Agent Requirements 12-1

Summary 12-1

Configuration Steps for Clean Access Agent Requirements 12-2

Create Clean Access Agent Requirements 12-3


Configuring Windows Update Requirement 12-4
Create Windows Update Requirement 12-5
Map Windows Update Requirement to Windows Rules 12-7
Configuring AV/AS Definition Update Requirements 12-8
AV Rules and AS Rules 12-9
Verify AV/AS Support Info 12-10
Create AV Rule 12-12
Create AV Definition Update Requirement 12-14
Create AS Rule 12-16
Create AS Definition Update Requirement 12-17
Configure Launch Programs Requirement 12-19
Cisco Pre-Configured Rules (“pr_”) 12-21
Using Cisco Pre-Configured Rules to Check for CSA 12-21
Configure Custom Checks, Rules and Requirements 12-22
Custom Requirements 12-22
Cisco Rules 12-23
Cisco Checks 12-23
Copying Checks and Rules 12-23
Create Custom Check 12-24
Create Custom Rule 12-28
Validate Rules 12-30
Create Custom Requirement 12-31
Map Requirement to Rules 12-34
Apply Requirements to Role 12-36
Validate Requirements 12-37
Configure an Optional Requirement 12-38
Launch Programs Example 12-40

Viewing Clean Access Agent Reports 12-49


Limiting the Number of Reports 12-50
Clean Access Agent User Dialogs 12-51
Windows Agent Dialogs 12-51
Mac OS X Agent Dialogs (Authentication Only) 12-62
Agent Localized Language Templates 12-69
Troubleshooting the Agent 12-71
Client Cannot Connect/Login 12-71
No Agent Pop-Up/Login Disabled 12-71
Client Cannot Connect (Traffic Policy Related) 12-72

AV/AS Rule Troubleshooting 12-72


Known Issue for Windows Script 5.6 12-73
Known Issue for MS Update Scanning Tool (KB873333) 12-73
Workaround 12-74

CHAPTER 13 Configuring Network Scanning 13-1

Overview 13-1
Network Scanning Implementation Steps 13-2

Configure the Quarantine Role 13-3

Load Nessus Plugins into the Clean Access Manager Repository 13-3
Uploading Plugins 13-4
Deleting Plugins 13-5
Configure General Setup 13-6
Apply Plugins 13-7

Configure Plugin Options 13-9

Configure Vulnerability Handling 13-10

Test Scanning 13-12


Show Log 13-13

View Scan Reports 13-14

Customize the User Agreement Page 13-16

CHAPTER 14 Monitoring 14-1

Overview 14-1

Online Users List 14-3


Interpreting Active Users 14-4
View Online Users 14-5
In-Band Users 14-5
Out-of-Band Users 14-7
Display Settings 14-10
Interpreting Event Logs 14-12
View Logs 14-12
Event Log Example 14-15
Limiting the Number of Logged Events 14-16
Configuring Syslog Logging 14-16
Log Files 14-16

SNMP 14-17
Enable SNMP Polling/Alerts 14-18
Add New Trapsink 14-19

CHAPTER 15 Administration 15-1

Overview 15-1

Network & Failover 15-2

Set System Time 15-4

Manage CAM SSL Certificates 15-5


Generate Temporary Certificate 15-8
Export CSR/Private Key/Certificate 15-9
Verify Currently Installed Private Key and Certificates 15-10
Import Signed Certificate 15-13
View Certificate Files Uploaded for Import 15-14
Troubleshooting Certificate Issues 15-15
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM 15-15
Private Key in Clean Access Server Does Not Match the CA-Signed Certificate 15-16
Regenerating Certificates for DNS Name Instead of IP 15-16
Certificate-Related Files 15-17
System Upgrade 15-18

Licensing 15-20

Support Logs 15-22

Admin Users 15-24


Admin Groups 15-24
Add a Custom Admin Group 15-24
Admin Users 15-26
Login / Logout an Admin User 15-26
Add an Admin User 15-26
Edit an Admin User 15-27
Active Admin User Sessions 15-28
Manage System Passwords 15-30
Change the CAM Web Console Admin Password 15-30
Change the CAS Web Console Admin User Password 15-31
Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x) 15-31
Recovering Root Password for CAM/CAS (Release 3.5.x or Below) 15-32
Backing Up the CAM Database 15-33
Automated Daily Database Backups 15-33
Manual Backups from Web Console 15-33
Creating Manual Backup 15-34
Restoring Configuration from CAM Snapshot 15-34
Database Recovery Tool 15-35
Manual Database Backup from SSH 15-36

API Support 15-36


Usage Requirements 15-36
Authentication Requirement 15-36
Guest Access Support 15-37
Summary of Operations 15-37
Examples 15-39

CHAPTER 16 Configuring High Availability (HA) 16-1

Overview 16-1

Before Starting 16-3


Connect the Clean Access Manager Machines 16-4
Serial Connection 16-4
Configure the HA-Primary CAM 16-5
Configure the HA-Secondary CAM 16-8
Complete the Configuration 16-10
Upgrading an Existing Failover Pair 16-10

Failing Over an HA-CAM Pair 16-10

Useful CLI Commands for HA 16-11

Adding High Availability Cisco NAC Appliance To Your Network 16-13

CHAPTER 17 Device Management: Roaming (Deprecated) 17-1

Overview 17-1
Requirements 17-1
How Roaming Works 17-2
Roaming Modes 17-3
Before Starting 17-4
Setting Up Simple Roaming 17-5

Setting Up Advanced Roaming 17-6

Monitoring Roaming Users 17-8

APPENDIX A Error and Event Log Messages 18-1

Client Error Messages 18-1

CAM Event Log Messages 18-2

About This Guide

This preface includes the following sections:


• Audience
• Purpose
• Document Conventions
• Product Documentation
• Obtaining Documentation
• Documentation Feedback
• Cisco Product Security Overview
• Product Alerts and Field Notices
• Obtaining Technical Assistance
• Obtaining Additional Publications and Information

Audience
This guide is for network administrators who are implementing the Cisco NAC Appliance solution to
manage and secure their networks. Cisco NAC Appliance comprises the Clean Access Manager (CAM)
administration appliance, Clean Access Server (CAS) enforcement appliance, and Clean Access Agent
end-user client software. Use this document along with the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide to install and administer your Cisco NAC Appliance deployment.

Purpose
The Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide describes how
to install and configure the Clean Access Manager NAC Appliance. You can use the Clean Access
Manager (CAM) and its web-based administration console to manage multiple Clean Access Servers
(CASes) in a deployment. End users connect through the Clean Access Server to the network via web
login or the Clean Access Agent. This guide describes how to use the CAM web administration console
to configure most aspects of Cisco NAC Appliance. It also provides information specific to the Clean
Access Manager, such as how to implement High Availability. See Product Documentation for further
details on the document set for Cisco NAC Appliance.


Document Conventions

Convention                     Item
Screen font                    Command line output.
Boldface screen font           Information you enter.
Italic screen font             Variables for which you supply values.
Boldface font                  Web admin console modules, menus, tabs, links and submenu links.
Administration > User Pages    A menu item to be selected (module > page path).

Product Documentation
Table 1 lists the documents that are available for Cisco NAC Appliance on Cisco.com at the following URL:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

Tip To access external URLs referenced in this document, right-click the link in Adobe Acrobat and select
"Open Weblink in Browser."

Table 1 Cisco NAC Appliance Document Set

Each entry gives the document title, followed by what to refer to it for.

Supported Hardware and System Requirements for Cisco NAC Appliance
• Which server hardware supports which versions of CAM/CAS software (if using your own server hardware)
• CAM/CAS/Agent system requirements
• NIC card troubleshooting

Switch Support for Cisco NAC Appliance
• Which switches and NMEs support OOB deployment
• Known issues/troubleshooting for switches and WLCs

Release Notes for Cisco NAC Appliance - Clean Access Version 4.1(x)
Details on the latest 4.1(x) release, including:
• New features and enhancements
• Fixed caveats
• Upgrade instructions
• Supported AV/AS product charts
• CAM/CAS/Agent compatibility and version information

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
Complete CAM details, including:
• How to install the CAM software
• Overviews of major concepts and features of Cisco NAC Appliance
• How to use the CAM web console to perform global configuration of Cisco NAC Appliance (applying to all CASes in the deployment)
• How to configure CAM pairs for High Availability

Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
CAS-specific details, including:
• How to install the CAS software
• Where to deploy the CAS on the network (general information)
• How to perform local (CAS-specific) configuration using the CAS management pages of the CAM web console, or the CAS direct access console
• How to configure CAS pairs for High Availability

What's New in Cisco NAC Appliance 4.1
• Summary of features for release 4.1(0)

Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. This section explains the
product documentation resources that Cisco offers.

Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml

Product Documentation DVD
The Product Documentation DVD is a library of technical product documentation on a portable medium.
The DVD enables you to access installation, configuration, and command guides for Cisco hardware and
software products. With the DVD, you have access to the HTML documentation and some of the
PDF files found on the Cisco website at this URL:
http://www.cisco.com/univercd/home/home.htm
The Product Documentation DVD is created and released regularly. DVDs are available singly or by
subscription. Registered Cisco.com users can order a Product Documentation DVD (product number
DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product Documentation
Store at this URL:
http://www.cisco.com/go/marketplace/docstore

Ordering Documentation
You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco
documentation at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
If you do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do

Documentation Feedback
You can provide feedback about Cisco technical documentation on the Cisco Support site area by
entering your comments in the feedback form available in every online document.

Cisco Product Security Overview


Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to do the following:
• Report security vulnerabilities in Cisco products
• Obtain assistance with security incidents that involve Cisco products
• Register to receive security information from Cisco
A current list of security advisories, security notices, and security responses for Cisco products is
available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you
can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS)
feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Reporting Security Problems in Cisco Products


Cisco is committed to delivering secure products. We test our products internally before we release them,
and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability
in a Cisco product, contact PSIRT:
• For emergencies only — [email protected]
An emergency is either a condition in which a system is under active attack or a condition for which
a severe and urgent security vulnerability should be reported. All other conditions are considered
nonemergencies.
• For nonemergencies — [email protected]
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532

Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to
encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been
encrypted with PGP versions 2.x through 9.x.

Never use a revoked encryption key or an expired encryption key. The correct public key to use in your
correspondence with PSIRT is the one linked in the Contact Summary section of the Security
Vulnerability Policy page at this URL:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

The link on this page has the current PGP key ID in use.

If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending
any sensitive material.
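The check the preceding paragraphs ask for (never encrypt to a revoked or expired key) can be automated before a report is sent. The following Python is an added example, not code from this guide or from Cisco: it parses the machine-readable output of gpg --with-colons --list-keys, refuses keys whose validity flag marks them revoked, expired, disabled or invalid, or whose expiry timestamp has passed, and only then hands the plaintext to gpg. The key IDs, fingerprints, addresses and the embedded listing are constructed for illustration; the real key ID to use is the one linked from the Security Vulnerability Policy page.

```python
"""Refuse to PGP-encrypt to a revoked, expired or otherwise unusable key.

Parses the colon-separated listing that `gpg --with-colons --list-keys`
emits (documented in gnupg's doc/DETAILS). Added example; the key IDs,
fingerprints, addresses and the sample listing below are constructed,
not taken from the Cisco guide or from a real keyring.
"""
import subprocess
import time

# Constructed sample of `gpg --with-colons --list-keys` output containing
# one valid key, one revoked key and one expired key.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1600000000:1900000000::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:-::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Team <[email protected]>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1600000000:1900000000:::::e::::::23:
pub:r:4096:1:1111222233334444:1500000000:::-:::scESC::::::23::0:
uid:r::::1500000000::1111111111111111111111111111111111111111::Revoked Key <[email protected]>::::::::::0:
pub:e:2048:1:5555666677778888:1400000000:1500000000::-:::scESC::::::23::0:
uid:e::::1400000000::2222222222222222222222222222222222222222::Expired Key <[email protected]>::::::::::0:
"""

# Field 2 of a pub record is the validity flag; these values make a key unusable.
UNUSABLE = {"r": "revoked", "e": "expired", "d": "disabled", "i": "invalid"}


def parse_keys(listing):
    """Map long key ID -> {"validity", "expires", "uids"} from colon output."""
    keys = {}
    current = None
    for line in listing.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            # pub:<validity>:<bits>:<algo>:<keyid>:<created>:<expires>:...
            current = fields[4]
            keys[current] = {
                "validity": fields[1],
                "expires": int(fields[6]) if fields[6] else None,
                "uids": [],
            }
        elif rec == "uid" and current is not None:
            keys[current]["uids"].append(fields[9])  # field 10 is the user ID
    return keys


def key_problem(listing, keyid, now=None):
    """Return None if keyid is safe to encrypt to, else a short reason.

    keyid may be a long (16 hex) key ID, optionally 0x-prefixed, or a full
    fingerprint; the last 16 hex digits are the long key ID gpg lists.
    """
    now = time.time() if now is None else now
    info = parse_keys(listing).get(keyid.upper()[-16:])
    if info is None:
        return "key not present in keyring"
    if info["validity"] in UNUSABLE:
        return UNUSABLE[info["validity"]]
    # gpg flags expiry itself, but re-check the timestamp in case the
    # listing was produced earlier and has since gone stale.
    if info["expires"] is not None and info["expires"] <= now:
        return "expired"
    return None


def encrypt_for(keyid, plaintext, listing=None):
    """Encrypt plaintext (str) to keyid with gpg, or raise if the key is unusable."""
    if listing is None:
        listing = subprocess.run(
            ["gpg", "--batch", "--with-colons", "--list-keys", keyid],
            capture_output=True, text=True, check=True).stdout
    problem = key_problem(listing, keyid)
    if problem:
        raise ValueError(f"refusing to encrypt to {keyid}: {problem}")
    out = subprocess.run(
        ["gpg", "--batch", "--armor", "--trust-model", "always",
         "--recipient", keyid, "--encrypt"],
        input=plaintext, capture_output=True, text=True, check=True)
    return out.stdout  # ASCII-armored ciphertext


if __name__ == "__main__":
    for kid in ("0123456789ABCDEF", "1111222233334444", "5555666677778888"):
        print(kid, key_problem(SAMPLE_LISTING, kid, now=1700000000) or "ok")
```

Run the script as-is to see the three sample keys classified from the embedded listing; to use it against a real keyring, call encrypt_for with the key ID from the PSIRT policy page after importing that key, and it will pull the listing from gpg itself. The expiry re-check matters when a cached listing is reused, since gpg only sets the "e" flag at the time it produces the listing.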

Product Alerts and Field Notices


Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field
Notices. You can receive these announcements by using the Product Alert Tool on Cisco.com. This tool
enables you to create a profile and choose those products for which you want to receive information.
To access the Product Alert Tool, you must be a registered Cisco.com user. Registered users can access
the tool at this URL:
http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en
To register as a Cisco.com user, go to this URL:
http://tools.cisco.com/RPF/register/register.do


Obtaining Technical Assistance


Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The
Cisco Support website on Cisco.com features extensive online support resources. In addition, if you
have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide
telephone support. If you do not have a valid Cisco service contract, contact your reseller.

Cisco Support Website


The Cisco Support website provides online documents and tools for troubleshooting and resolving
technical issues with Cisco products and technologies. The website is available 24 hours a day at
this URL:
http://www.cisco.com/en/US/support/index.html
Access to all tools on the Cisco Support website requires a Cisco.com user ID and password. If you have
a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do

Note Before you submit a request for service online or by phone, use the Cisco Product Identification Tool
to locate your product serial number. You can access this tool from the Cisco Support website
by clicking the Get Tools & Resources link, clicking the All Tools (A-Z) tab, and then choosing
Cisco Product Identification Tool from the alphabetical list. This tool offers three search options:
by product ID or model name; by tree view; or, for certain products, by copying and pasting show
command output. Search results show an illustration of your product with the serial number label
location highlighted. Locate the serial number label on your product and record the information
before placing a service call.

Tip Displaying and Searching on Cisco.com

If you suspect that the browser is not refreshing a web page, force the browser to update the web page
by holding down the Ctrl key while pressing F5.

To find technical information, narrow your search to look in technical documentation, not the
entire Cisco.com website. After using the Search box on the Cisco.com home page, click the
Advanced Search link next to the Search box on the resulting page and then click the
Technical Support & Documentation radio button.

To provide feedback about the Cisco.com website or a particular technical document, click
Contacts & Feedback at the top of any Cisco.com web page.


Submitting a Service Request


Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and
S4 service requests are those in which your network is minimally impaired or for which you require
product information.) After you describe your situation, the TAC Service Request Tool provides
recommended solutions. If your issue is not resolved using the recommended resources, your service
request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone.
(S1 or S2 service requests are those in which your production network is down or severely degraded.)
Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business
operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts

Definitions of Service Request Severity


To ensure that all service requests are reported in a standard format, Cisco has established severity
definitions.
Severity 1 (S1)—An existing network is “down” or there is a critical impact to your business operations.
You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your
business operations are negatively affected by inadequate performance of Cisco products. You and Cisco
will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired while most business operations
remain functional. You and Cisco will commit resources during normal business hours to restore service
to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or
configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information


Information about Cisco products, technologies, and network solutions is available from various online
and printed sources.
• The Cisco Online Subscription Center is the website where you can sign up for a variety of Cisco
e-mail newsletters and other communications. Create a profile and then select the subscriptions that
you would like to receive. To visit the Cisco Online Subscription Center, go to this URL:
http://www.cisco.com/offer/subscribe


• The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief
product overviews, key features, sample part numbers, and abbreviated technical specifications for
many Cisco products that are sold through channel partners. It is updated twice a year and includes
the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick
Reference Guide, go to this URL:
http://www.cisco.com/go/guide
• Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo
merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• Cisco Press publishes a wide range of general networking, training, and certification titles. Both new
and experienced users will benefit from these publications. For current Cisco Press titles and other
information, go to Cisco Press at this URL:
http://www.ciscopress.com
• Internet Protocol Journal is a quarterly journal published by Cisco for engineering professionals
involved in designing, developing, and operating public and private internets and intranets. You can
access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• Networking products offered by Cisco, as well as customer support services, can be obtained at
this URL:
http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website where networking professionals
share questions, suggestions, and information about networking products and technologies with
Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
• “What’s New in Cisco Documentation” is an online publication that provides information about the
latest documentation releases for Cisco products. Updated monthly, this online publication is
organized by product category to direct you quickly to the documentation for your products. You
can view the latest release of “What’s New in Cisco Documentation” at this URL:
http://www.cisco.com/univercd/cc/td/doc/abtunicd/136957.htm
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html

Chapter 1
Introduction

This chapter provides a high-level overview of the Cisco NAC Appliance solution. Topics include:
• What Is Cisco NAC Appliance (Cisco Clean Access)?, page 1-1
• Cisco NAC Appliance Components, page 1-2
• Managing Users, page 1-5
• Installation Requirements, page 1-7
• Overview of Web Admin Console Elements, page 1-8
• Clean Access Server (CAS) Management Pages, page 1-9
• Admin Console Summary, page 1-11

What Is Cisco NAC Appliance (Cisco Clean Access)?


The Cisco Network Admission Control (NAC) Appliance (also known as Cisco Clean Access) is a
powerful, easy-to-use admission control and compliance enforcement solution. With comprehensive
security features, in-band or out-of-band deployment options, user authentication tools, and bandwidth
and traffic filtering controls, Cisco NAC Appliance is a complete solution for controlling and securing
networks. As the central access management point for your network, Cisco NAC Appliance lets you
implement security, access, and compliance policies in one place instead of having to propagate the
policies throughout the network on many devices.
The security features in Cisco NAC Appliance include user authentication, policy-based traffic filtering,
and Clean Access vulnerability assessment and remediation (also referred to as posture assessment).
Clean Access stops viruses and worms at the edge of the network. With remote or local system checking,
Clean Access lets you block user devices from accessing your network unless they meet the requirements
you establish.
Cisco NAC Appliance is a network-centric integrated solution administered from the web console of the
Clean Access Manager (CAM) administration server and enforced through the Clean Access Server
(CAS) and the Clean Access Agent. You can deploy the Cisco NAC Appliance in the configuration that
best meets the needs of your network. The Clean Access Server can be deployed as the first-hop gateway
for your edge devices providing simple routing functionality, advanced DHCP services, and other
services. Alternatively, if elements in your network already provide these services, the CAS can work
alongside those elements without requiring changes to your existing network by being deployed as a
“bump-in-the-wire.”
Other key features of Cisco NAC Appliance include:


• Standards-based architecture—Uses HTTP, HTTPS, XML, and Java Management Extensions
(JMX).
• User authentication—Integrates with existing backend authentication servers, including Kerberos,
LDAP, RADIUS, and Windows NT domain.
• VPN concentrator integration—Integrates with Cisco VPN concentrators (e.g. VPN 3000, ASA) and
provides Single Sign-On (SSO).
• Active Directory SSO—Integrates with Active Directory on Windows Servers to provide Single
Sign-On for Clean Access Agent users logging into Windows systems.
• Clean Access compliance policies—Allows you to configure client vulnerability assessment and
remediation via use of Clean Access Agent or Nessus-based network port scanning.
• L2 or L3 deployment options—The Clean Access Server can be deployed within L2 proximity of
users, or multiple hops away from users. You can use a single CAS for both L3 and L2 users.
• In-band (IB) or out-of-band (OOB) deployment options—Cisco NAC Appliance can be deployed
in-line with user traffic, or out-of-band to allow clients to traverse the Clean Access network only
during vulnerability assessment and remediation while bypassing it after certification (posture
assessment).
• Traffic filtering policies—Role-based IP and host-based policies provide fine-grained and flexible
control for in-band network traffic.
• Bandwidth management controls—Limit bandwidth for downloads or uploads.
• High availability—Active/Passive failover (requiring two servers) ensures services continue if an
unexpected shutdown occurs. You can configure pairs of Clean Access Manager (CAM) machines
and/or CAS machines in high-availability mode.

Cisco NAC Appliance Components


Cisco NAC Appliance is a network-centric integrated solution administered from the Clean Access
Manager web console and enforced through the Clean Access Server and (optionally) the Clean Access
Agent. Cisco NAC Appliance checks client systems, enforces network requirements, distributes patches
and antivirus software, and quarantines vulnerable or infected clients for remediation before clients
access the network. Cisco NAC Appliance consists of the following components (in Figure 1-1):
• Clean Access Manager (CAM)—Administration server for Clean Access deployment. The secure
web console of the Clean Access Manager is the single point of management for up to 20 Clean
Access Servers in a deployment (or 40 CASes if installing a SuperCAM). For Out-of-Band (OOB)
deployment, the web admin console allows you to control switches and VLAN assignment of user
ports through the use of SNMP.

Note The CAM web admin console supports Internet Explorer 6.0 or above only, and requires
high encryption (64-bit or 128-bit). High encryption is also required for client browsers for
web login and Clean Access Agent authentication.

• Clean Access Server (CAS)—Enforcement server between the untrusted (managed) network and
the trusted network. The CAS enforces the policies you have defined in the CAM web admin
console, including network access privileges, authentication requirements, bandwidth restrictions,
and Clean Access system requirements. It can be deployed in-band (always inline with user traffic)


or out-of-band (inline with user traffic only during authentication/posture assessment). It can also
be deployed in Layer-2 mode (users are L2-adjacent to CAS) or Layer-3 mode (users are multiple
L3 hops away from the CAS).
• Clean Access Agent (CAA)—Optional read-only agent that resides on Windows clients. The Clean
Access Agent checks applications, files, services, or registry keys to ensure that clients meet your
specified network and software requirements prior to gaining access to the network.

Note There is no client firewall restriction with Clean Access Agent vulnerability assessment. The
Agent can check the client registry, services, and applications even if a personal firewall is
installed and running.

• Clean Access Policy Updates—Regular updates of pre-packaged policies/rules that can be used to
check the up-to-date status of operating systems, antivirus (AV), antispyware (AS), and other client
software. Provides built-in support for 24 AV vendors and 17 AS vendors.

Figure 1-1 Cisco NAC Appliance Deployment (L2 In-Band Example)

[Figure image not reproduced. Elements shown: Internet; Router and Firewall (L3); Switch (L2);
Clean Access Server (CAS) with eth1 toward the switch and eth0 toward the router; LAN/Intranet;
PCs with Clean Access Agent (CAA); Clean Access Manager (CAM) with its web admin console and an
admin laptop; authentication sources (LDAP, RADIUS, Kerberos, Windows NT); DNS server.]


Clean Access Manager (CAM)


The Clean Access Manager (CAM) is the administration server and database which centralizes
configuration and monitoring of all Clean Access Servers, users, and policies in a Cisco NAC Appliance
deployment. You can use it to manage up to 20 Clean Access Servers. The web admin console for the
Clean Access Manager is a secure, browser-based management interface (Figure 1-2). See Admin
Console Summary, page 1-11 for a brief introduction to the modules of the web console. For out-of-band
(OOB) deployment, the web admin console provides the Switch Management module to add and
control switches in the Clean Access Manager’s domain and configure switch ports.

Figure 1-2 CAM Web Admin Console

Clean Access Server (CAS)


The Clean Access Server (CAS) is the gateway between an untrusted and trusted network. The Clean
Access Server can operate in one of the following in-band (IB) or out-of-band (OOB) modes:
• IB Virtual Gateway (L2 transparent bridge mode)
• IB Real-IP Gateway
• IB NAT Gateway (IP router/default gateway with Network Address Translation services)
• OOB Virtual Gateway
• OOB Real-IP Gateway
• OOB NAT Gateway

Note NAT Gateway (in-band or out-of-band) is not supported for production deployment.


This guide describes the global configuration and administration of Clean Access Servers and Cisco
NAC Appliance deployment using the Clean Access Manager web admin console.
For a summary of CAS operating modes, see Add Clean Access Servers to the Managed Domain, page
3-2. For complete details on CAS deployment, see the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide.
For details on OOB implementation and configuration, see Chapter 4, “Switch Management:
Configuring Out-of-Band (OOB) Deployment.”
For details on options configured locally on the CAS, such as DHCP configuration, Cisco VPN
Concentrator integration, CAS High-Availability implementation, or local traffic policies, see the Cisco
NAC Appliance - Clean Access Server Installation and Administration Guide.

Clean Access Agent


When enabled for your Cisco NAC Appliance deployment, the Clean Access Agent can ensure that
computers accessing your network meet the system requirements you specify. The Clean Access Agent
is a read-only, easy-to-use, small-footprint program that resides on Windows user machines. When a user
attempts to access the network, the Clean Access Agent checks the client system for the software you
require, and helps users acquire any missing updates or software.
Agent users who fail the system checks you have configured are assigned to the Clean Access Agent
Temporary role. This role gives users limited network access to access the resources needed to comply
with the Clean Access Agent requirements. Once a client system meets the requirements, it is considered
“clean” and allowed network access.

Managing Users
The Clean Access Manager makes it easy to apply existing authentication mechanisms to users on the
network (Figure 1-3). You can customize user roles to group together and define traffic policies,
bandwidth restrictions, session duration, Clean Access vulnerability assessment, and other policies
within Cisco Clean Access for particular groups of users. You can then use role-mapping to map users
to these policies based on VLAN ID or attributes passed from external authentication sources.
When the Clean Access Server receives an HTTP request from the untrusted network, it checks whether
the request comes from an authenticated user. If not, a customizable secure web login page is presented
to the user. The user submits his or her credentials securely through the web login page, which can then
be authenticated by the CAM itself (for local user testing) or by an external authentication server, such
as LDAP, RADIUS, Kerberos, or Windows NT. If distributing the Clean Access Agent, users download
and install it after the initial web login, then use the Agent after that for login/posture assessment.


Figure 1-3 Authentication Path

[Figure image not reproduced. Elements shown: a user submitting Username jsmits and a password
through the Clean Access Server (eth1 on the untrusted network, eth0 on the trusted network) behind a
switch; the Clean Access Manager with its local user list (jjacobi, jrahim, klane); external
authentication sources (e.g. LDAP, Kerberos) with their own user tables (jamir, jdornan, jsmits).]

You can configure and apply Clean Access vulnerability assessment and remediation (posture
assessment) to authenticated users by configuring requirements for the Clean Access Agent and/or
network port scanning (via the Clean Access module of the web admin console).
With IP-based and host-based traffic policies, you can control network access for users before
authentication, during posture assessment, and after a user device is certified as “clean.”
Finally, you can monitor user activity from the web console through the Online Users page (for L2 and
L3 deployments) and the Certified Devices List (L2 deployments only).
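The admission flow described in this section (redirect to web login, role mapping on auth-source attributes or VLAN ID, posture assessment with the Temporary role, sessions keyed by MAC or IP, and the MAC-only Certified Devices List) as a small Python model. This is an added example, not Cisco code; the rule format, role names and the device-filter bypass are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class MappingRule:
    """Maps a user to `role` when the auth source returned `attribute` == `value`.
    `attribute` is an LDAP/RADIUS attribute name, or the constructed name
    "vlan_id" to model the VLAN-ID based mapping the guide mentions."""
    attribute: str
    value: str
    role: str


@dataclass
class Session:
    key: str             # MAC address when known, otherwise the IP address
    username: str
    mac: Optional[str]
    login_role: str      # role assigned by role-mapping at login
    role: str            # role currently in effect (may be the Temporary role)
    certified: bool = False


class AdmissionModel:
    """Constructed model of the admission decisions described in this chapter.
    Role names and the rule format are assumptions, not CAM configuration."""

    def __init__(self, rules, fallback_role="Default Login Role",
                 temporary_role="Temporary", device_filter=()):
        self.rules = list(rules)
        self.fallback_role = fallback_role
        self.temporary_role = temporary_role
        # Device filter: MACs that bypass authentication and posture assessment.
        self.device_filter = {m.lower() for m in device_filter}
        self.sessions: Dict[str, Session] = {}
        # Certified Devices List: keyed by MAC, so only L2-adjacent users appear.
        self.certified_devices = set()

    @staticmethod
    def session_key(ip: str, mac: Optional[str]) -> str:
        # Sessions are tracked by MAC address if available, else by IP address.
        return mac.lower() if mac else ip

    def map_role(self, attributes: dict) -> str:
        # First matching rule wins; unmatched users get the fallback role.
        for rule in self.rules:
            if str(attributes.get(rule.attribute)) == rule.value:
                return rule.role
        return self.fallback_role

    def handle_request(self, ip: str, mac: Optional[str] = None) -> str:
        """Decision for an HTTP request arriving from the untrusted side."""
        if mac and mac.lower() in self.device_filter:
            return "bypass"                  # filtered device, no login needed
        session = self.sessions.get(self.session_key(ip, mac))
        if session is None:
            return "redirect-login"          # unauthenticated: show web login page
        return session.role

    def login(self, ip: str, mac: Optional[str], username: str,
              attributes: dict) -> str:
        """Called once the auth source has accepted the credentials and returned
        `attributes`; the user is placed in a role pending posture assessment."""
        key = self.session_key(ip, mac)
        role = self.map_role(attributes)
        self.sessions[key] = Session(key, username, mac, role, role)
        return role

    def posture_result(self, ip: str, mac: Optional[str], passed: bool) -> str:
        """Apply the Agent/network-scan outcome to the session; return the role."""
        session = self.sessions[self.session_key(ip, mac)]
        if passed:
            session.certified = True
            session.role = session.login_role   # mapped role restored after remediation
            if session.mac:
                self.certified_devices.add(session.mac.lower())
        else:
            # Failed checks: limited access in the Temporary role until remediated.
            session.role = self.temporary_role
        return session.role
```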


Installation Requirements
This section describes the following:
• Product Licensing and Service Contract Support
• Upgrading the Software
• Cisco NAC Appliance Hardware Platforms
• Supported Server Hardware Platforms
• Minimum System Requirements
• Important Release Information

Product Licensing and Service Contract Support

Note Refer to Cisco NAC Appliance Service Contract / Licensing Support for complete step-by-step
instructions for how to obtain and install product licenses and obtain service contract support for
Cisco NAC Appliances.

With release 4.1, when you add the initial CAM license, the top of the CAM web console will display
the type of Clean Access Manager license installed:
• Cisco Clean Access Lite Manager supports 3 Clean Access Servers
• Cisco Clean Access Standard Manager supports 20 Clean Access Servers
• Cisco Clean Access Super Manager supports 40 Clean Access Servers
(SuperCAM runs only on the NAC-3390 platform)
Additionally, the Administration > CCA Manager > Licensing page will display the types of licenses
present after they are added. See Licensing, page 15-20 for further details.

Upgrading the Software


Refer to “Upgrading to 4.1(x)” in the Release Notes for Cisco NAC Appliance (Cisco Clean Access),
Version 4.1(x) for complete instructions on upgrading your CAM/CAS to the latest software release.

Cisco NAC Appliance Hardware Platforms


The Cisco NAC Appliance 3300 Series provides Linux-based network hardware appliances which are
pre-installed with either the CAM (MANAGER) or CAS (SERVER) application, the operating system
and all relevant components on a dedicated server machine. The operating system comprises a hardened
Linux kernel based on a Fedora core. Cisco NAC Appliance does not support the installation of any other
packages or applications onto a CAM or CAS dedicated machine.

Note You will be able to upgrade Cisco NAC Appliance 3300 Series hardware platforms to release 4.1(x).
However, the 4.1(0) release is not available for and cannot be installed on NAC 3300 Series platforms.
Refer to the applicable Release Notes for details.


The Cisco NAC Appliance 3100 Series comprises the Cisco Clean Access 3140 (CCA-3140-H1) NAC
Appliance. The CCA-3140-H1 requires CD installation of either the Clean Access Server or Clean
Access Manager software. See Installing CCA-3140 Cisco NAC Appliance for instructions.
Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)
and the Cisco NAC Appliance Quick Start Guide for complete details on the Cisco NAC Appliance 3300
Series and 3100 Series hardware appliances.

Supported Server Hardware Platforms


If providing your own server hardware on which to install the Cisco NAC Appliance software, the Clean
Access Manager is available as software that can be installed on the supported platforms described in
Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).

Minimum System Requirements


Refer to “System Requirements” in the Supported Hardware and System Requirements for Cisco NAC
Appliance (Cisco Clean Access) document for details on minimum system requirements to run the Clean
Access Manager and Clean Access Server software and Clean Access Agent client software.

Important Release Information


Refer to the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(x) for additional
and late-breaking information on 4.1(x) software releases.

Overview of Web Admin Console Elements


Once the Cisco NAC Appliance software is enabled with a license, the web admin console of the CAM
provides an easy-to-use interface for managing Cisco NAC Appliance deployment. The left panel of the
web console displays the main modules and submodules. The navigation path at the top of the web
console indicates your module and submodule location in the interface. Clicking a submodule opens the
tabs of the interface, or in some cases configuration pages or forms directly. Configuration pages allow
you to perform actions, and configuration forms allow you to fill in fields. Web admin console pages can
comprise the following elements shown in Figure 1-4 on page 1-9.


Figure 1-4 Web Admin Console Page Elements

Note This document uses the following convention to describe navigational links in the admin console:
Module > Submodule > Tab > Tab Link > Subtab link (if applicable)

Clean Access Server (CAS) Management Pages


The Clean Access Server must be added to the Clean Access Manager domain before it can be managed
from the web admin console. Chapter 3, “Device Management: Adding Clean Access Servers, Adding
Filters,” explains how to do this. Once you have added a Clean Access Server, you access it from the
admin console as shown in the steps below. In this document, “CAS management pages” refers to the set
of pages, tabs, and forms shown in Figure 1-5.
1. Click the CCA Servers link in the Device Management module. The List of Servers tab appears
by default.

2. Click the Manage button for the IP address of the Clean Access Server you want to access.


Note For high-availability Clean Access Servers, the Service IP is automatically listed first, and the IP address
of the currently active CAS is shown in brackets.

3. The CAS management pages for the Clean Access Server appear as shown in Figure 1-5.

Figure 1-5 CAS Management Pages


Admin Console Summary


Table 1-1 summarizes the major functions of each module in the web admin console.

Table 1-1 Summary of Modules in Clean Access Manager Web Admin Console

Module: Device Management
The Device Management module allows you to:
• Add, configure, manage, and perform software upgrade on Clean Access Servers via the CAS
management pages (shown in Figure 1-5).
See Chapter 3, “Device Management: Adding Clean Access Servers, Adding Filters”.
For details on local CAS configuration including DHCP, Cisco VPN Concentrator integration, and
High-Availability (failover), see the Cisco NAC Appliance - Clean Access Server Installation and
Administration Guide. For details on configuring the CAS for AD SSO, see Authenticating
Against Backend Active Directory, page 7-15.
For upgrade information, see Chapter 18, “Upgrading to a New Software Release”.
• Configure device or subnet filters to allow devices on the untrusted side to bypass authentication
and posture assessment (referred to as “Clean Access certification” in this document).
See Global Device and Subnet Filtering, page 3-7 for details.
• Configure Clean Access (Network Scanning/Clean Access Agent) vulnerability assessment and
remediation per user role and OS. See:
– Chapter 10, “Clean Access Implementation Overview”
– Chapter 13, “Configuring Network Scanning”
– Chapter 12, “Configuring Clean Access Agent Requirements”
Note User sessions are managed by MAC address (if available) or IP address, as well as the user
role assigned to the user, as configured in the User Management module.

Module: Switch Management
The Switch Management module is used for Cisco NAC Appliance Out-of-Band deployment. It
allows you to:
• Configure out-of-band Group, Switch, and Port profiles, as well as the Clean Access Manager’s
SNMP Receiver.
• Add supported out-of-band switches, configure the SNMP traps sent, manage individual switch
ports via the Ports (and Port Profile) page, and monitor the list of Discovered Clients.
See Chapter 4, “Switch Management: Configuring Out-of-Band (OOB) Deployment”.

Module: User Management
The User Management module allows you to:
• Create normal login user roles to associate groups of users with authentication parameters, traffic
control policies, session timeouts, and bandwidth limitations. If using role-based configuration
for OOB Port Profiles, you can configure the Access VLAN via the user role.
• Add IP and host-based traffic control policies to configure network access for all the user roles.
Configure traffic policies/session timeout for the Clean Access Agent Temporary role and quarantine
role(s) to limit network access if a client device fails requirements or is found to have network
scanning vulnerabilities.
• Add Auth Servers to the CAM (configure external authentication sources on your network).
• Add auth sources such as Active Directory SSO and Cisco VPN SSO to enable Single Sign-On
(SSO) when the CAS is configured for AD SSO or Cisco VPN Concentrator integration.
• Create complex mapping rules to map users to user roles based on LDAP or RADIUS attributes,
or VLAN IDs.
• Perform RADIUS accounting.
• Create local users authenticated internally by the CAM (for testing).
For details see:
– Chapter 6, “User Management: Configuring User Roles and Local Users”
– Chapter 7, “User Management: Configuring Auth Servers”
– Chapter 9, “User Management: Traffic Control, Bandwidth, Schedule”
For additional details on Cisco VPN Concentrator integration, see the Cisco NAC Appliance - Clean
Access Server Installation and Administration Guide.

Module: Monitoring
The Monitoring module allows you to:
• View a status summary of your deployment.
• Manage in-band and out-of-band online users.
• View, search, and redirect Clean Access Manager event logs.
• Configure basic SNMP polling and alerting for the Clean Access Manager.
See Chapter 14, “Monitoring”.

Module: Administration
The Administration module allows you to:
• Configure Clean Access Manager network and high availability (failover) settings.
See Chapter 16, “Configuring High Availability (HA)”.
• Configure CAM SSL certificates, system time, CAM/CAS product licenses, create or restore
CAM database backup snapshots, and download technical support logs.
See Chapter 15, “Administration”.
• Perform software upgrade on the CAM.
See Chapter 18, “Upgrading to a New Software Release”.
• Add the default login page (mandatory for all user authentication), and customize the web login
page(s) for web login users.
See Chapter 5, “Configuring User Login Page and Guest Access”.
• Configure multiple administrator groups and access privileges.
See Admin Users, page 15-24.

C H A P T E R 2
Installing the Clean Access Manager

This chapter describes how to install and set up the Cisco NAC Appliance - Clean Access Manager.
Topics include:
• Overview, page 2-1
• Set Up the Clean Access Manager NAC Appliance, page 2-2
• Access the CAM Over a Serial Connection, page 2-4
• Install the Clean Access Manager Software from CD-ROM, page 2-6
• Perform the Initial Configuration, page 2-8
• Using the Command Line Interface (CLI), page 2-11
• Troubleshooting Network Card Driver Support Issues, page 2-12
• Cisco NAC Appliance Connectivity Across a Firewall, page 2-12
• Access the CAM Web Console, page 2-14

Overview
The Cisco NAC Appliance is a Linux-based network hardware appliance.
Cisco NAC Appliance software is distributed as an installation CD-ROM that installs either the Clean
Access Manager or the Clean Access Server application, together with the operating system and all
relevant components, on a dedicated server machine. The operating system is a hardened Linux kernel
based on Fedora Core. Once the software (either CAM or CAS) is installed on a dedicated server, Cisco
NAC Appliance does not support installing any other packages or applications on the CAS or CAM.
If you received the Clean Access Manager on a distribution CD-ROM, you will need to install it on the
target machine as follows:

Step 1 Physically connect the server machine to the network.
Step 2 Connect a monitor and keyboard to the server, or connect to the server from a workstation with a serial
cable.
Step 3 For the CD-ROM installation, mount the CD-ROM and run the installation program.
Step 4 Perform the initial configuration of the server. For the CD-ROM installation, the server’s initial
configuration is part of the installation procedure.


The following sections describe the installation steps. When finished, you will be able to administer the
installed components through the web-based administration console.

Tip Install the Clean Access Server (CAS) first, prior to installing the Clean Access Manager (CAM), to
quickly continue to web admin console configuration after CAM installation. See the Cisco NAC
Appliance - Clean Access Server Installation and Administration Guide for details on CAS installation.

Caution Cisco NAC Appliance (Cisco Clean Access) software is not intended to coexist with other software or
data on the target machine. The installation process formats and partitions the target hard drive,
destroying any data or software on the drive. Before starting the installation, make sure that the target
machine does not contain any data or applications that you need to keep.

Set Up the Clean Access Manager NAC Appliance


These instructions describe how to set up the Clean Access Manager on the CCA-3140-H1 Cisco Clean
Access 3140 NAC Appliance server hardware. If you are using different hardware, the connectors on
your machine may not match those shown. If needed, refer to the documentation that came with your
server machine to find the serial and Ethernet connectors equivalent to those described here.
1. The Clean Access Manager server uses one of the two 10/100/1000BASE-TX interface connectors
on the back panel. Connect the network interface (number 7 in Figure 2-3) on the server machine to
your local area network (LAN) with a CAT5 Ethernet cable.
2. Connect the power by plugging one end of the AC power cord into the back of the server machine
and the other end into an electrical outlet.
3. Power on the server machine by pressing the power button on the front of the server. The diagnostic
LEDs will flash a few times as part of an LED diagnostic test. Status messages are displayed on the
console as the server boots up.

Figure 2-1 Front View— CCA-3140-H1
[Figure: front panel photograph with callouts 1 through 9; not reproduced here]

1 1-inch Non-Hot Plug SATA or SCSI Hard Drive Bay
2 1-inch Non-Hot Plug SATA or SCSI Hard Drive Bay
3 Optional CD-ROM or DVD drive
4 UID LED
5 System Health Monitor LED
6 NIC activity LEDs
7 Disk activity LED
8 Power Switch
9 USB ports


Figure 2-2 Front View Detail— CCA-3140-H1
[Figure: close-up of front panel callouts 4 through 9; see the legend under Figure 2-1]

Figure 2-3 Back View— CCA-3140-H1
[Figure: rear panel photograph with callouts 1 through 14; not reproduced here]

1 Ventilation holes
2 Thumbscrew for the top cover
3 Thumbscrews for the PCI riser board assembly
4 Low profile 64-bit/133 MHz PCI-X riser board slot cover
5 Standard height/full-length 64-bit/133 MHz PCI-X riser board slot cover
6 Power supply cable socket
7 GbE LAN ports: NIC 1 (eth0) on the left-hand side and NIC 2 (eth1) on the right-hand side (RJ-45)
8 UID button with LED indicator (blue). This button mirrors the function of the UID button located on
the front panel.
9 USB 2.0 ports (black)
10 Video port (blue)
11 Serial port (teal)
12 PS/2 keyboard port (purple)
13 PS/2 mouse port (green)
14 10/100 Mbps LAN port for IPMI management (RJ-45)

Note The CCA-3140-H1 Cisco Clean Access NAC Appliance is based on the HP ProLiant DL140 G2 server.


Access the CAM Over a Serial Connection


To install the Clean Access Manager software from CD-ROM or to perform its initial configuration, you
will need to access the server’s command line. This can be done in one of two ways:
1. Connect a monitor and keyboard directly to the server machine via the keyboard connector and video
monitor/console connector on the back panel, or
2. Connect a serial cable from an external workstation (PC/laptop) to the server machine and open a
serial connection using terminal emulation software (such as HyperTerminal or SecureCRT) on the
external workstation.
This section describes how to access the server over a serial connection.

Note The steps described here for accessing the server directly through a serial connection can be used later
for troubleshooting. If the server cannot be reached through the web admin console, you can serially
connect to the server to restore it to a reachable state, usually by correcting its network settings. Because
a console or serial login gives a root shell on the appliance, physical and serial access to the server should
be restricted in the same way as administrative access.

To use a serial connection, first connect the computer you will be using as the admin workstation to an
available serial port on the server machine with a serial cable.

Note If the server is already configured for High-Availability (failover), one of its serial connections may be
in use for the peer heartbeat connection. In this case, the server machine must have at least two serial
ports to be able to manage the server over a serial connection. If it does not, you can use an Ethernet port
for the peer connection. For more information, see Chapter 16, “Configuring High Availability (HA).”

After physically connecting the workstation to the server, you can access the serial connection interface
using any terminal emulation software. The following steps describe how to connect using Microsoft®
HyperTerminal. If you are using different software, the steps may vary.
To set up the HyperTerminal connection:
1. Click Start > Programs > Accessories > Communications > HyperTerminal to open the
HyperTerminal window.
2. Type a name for the session and click OK:


3. In the Connect using list, choose the COM port on the workstation to which the serial cable is
connected (usually either COM1 or COM2) and click OK.
4. Configure the Port Settings as follows:
   Bits per second – 9600
   Data bits – 8
   Parity – None
   Stop bits – 1
   Flow control – None
5. Go to File > Properties, or click the Properties icon, to open the Properties dialog for the
session. Change the Emulation setting to:
   Emulation – VT100
You should now be able to access the command interface for the server. You can now:
• Install the Clean Access Manager Software from CD-ROM, page 2-6
• Perform the Initial Configuration, page 2-8

Note If you already performed the initial installation, but need to modify the original settings, you can log in
as root user and run service perfigo config.


Install the Clean Access Manager Software from CD-ROM


This section describes how to install the Clean Access Manager software from the distribution CD-ROM.
It is assumed that you have already connected the server to the network, as described in Set Up the Clean
Access Manager NAC Appliance, page 2-2 and are working on the server from either a console or over
a serial connection.

Caution The Clean Access Manager software is not intended to coexist with other software or data on the target
machine. The installation process formats and partitions the target hard drive, destroying any data or
software on the drive. Before starting the installation, make sure that the target machine does not contain
any data or applications that you need to keep.

CD Installation Steps
The entire installation process, including the configuration steps described in Perform the Initial
Configuration, page 2-8 should take about 15 minutes.
1. Insert the distribution CD-ROM that contains the Clean Access Manager .iso file into the CD-ROM
drive of the target server machine.

Note The Cisco NAC-3390 Super Manager appliance requires its own .iso installer.

2. Reboot the machine. The Cisco Clean Access Installer welcome screen appears after the machine
restarts:
Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.

Welcome to the Cisco Clean Access Installer!

- To install a Cisco Clean Access device, press the <ENTER> key.

- To install a Cisco Clean Access device over a serial console,
  enter serial at the boot prompt and press the <ENTER> key.

boot:

3. Depending on your specific NAC Appliance platform and type of connection, at the “boot:” prompt:
For Cisco NAC-3350 and Cisco NAC-3390:
Press the Enter key if your monitor and keyboard are directly connected to the target machine.
Type serial and press enter in the terminal emulation console if you are accessing the target
machine over a serial connection.
For Cisco NAC-3310:
Type DL140 if you are directly connected (monitor, keyboard, and mouse) to the target machine.
Type serial_DL140 if you are installing the software via serial console connection.
4. For release 4.1(x), the Package Group Selection screen appears next to prompt you to choose CCA
Manager software installation or CCA Server software installation. At the following screen prompt,
choose CCA Manager and select OK to begin the installation. Use the space bar and the “+” and “-”
keys to select the appropriate type. Use the Tab key to tab to the OK field, and press the Enter key
when done to start the installation of the package type selected.


Welcome to Cisco Clean Access

++ Package Group Selection ++


| |
| Total install size: 606M |
| |
| [*] CCA Manager # |
| [ ] CCA Server # |
| # |
| # |
| # |
| # |
| # |
| # |
| |
| +----+ +------+ |
| | OK | | Back | |
| +----+ +------+ |
| |
| |
+---------------------------+

<Space>,<+>,<-> selection | <F2> Group Details | <F12> next screen

Caution With release 4.1, only one CD is used for installation of the Clean Access Server or Clean Access
Manager software. The Package Group Selection is set by default to CCA Manager. However, the
installation script does not automatically detect CAS or CAM installation for the target server. You must
select the appropriate type, either CAS or CAM, for the target machine on which you are performing
installation, then tab to the OK field and press Enter to start the installation.

Note Do not select the “Back” option from the Package Group Selection screen.

5. The Clean Access Manager Package Installation then executes. The installation takes a few minutes.
When finished, the welcome screen for the Clean Access Manager quick configuration utility
appears, and a series of questions prompt you for the initial server configuration, as described in the
next section, Configuration Utility Script, page 2-8.
If after installation you need to reset the configuration settings for the Clean Access Manager (such as
the eth0 IP address), you can modify these values by connecting to the Clean Access Manager machine
serially or via SSH and running the service perfigo config command. See Using the Command Line
Interface (CLI), page 2-11 for details.

Note Most other settings can also be modified later from the web admin console.


Perform the Initial Configuration


When installing the Clean Access Manager from CD-ROM, the Configuration Utility Script
automatically appears after the software packages install to prompt you for the initial server
configuration.

Note If necessary, you can always manually start the Configuration Utility Script as follows:
1. Over a serial connection or working directly on the server machine, log onto the server as user root
with default password cisco123.
2. Run the initial configuration script by entering the following command:
service perfigo config
You can run the service perfigo config command to modify the configuration of the server if it cannot
be reached through the web admin console. For further details on CLI commands, see Using the
Command Line Interface (CLI), page 2-11.

Configuration Utility Script


The configuration utility script suggests default values for particular parameters. To configure the
installation, either accept the default value or provide a new one, as described below.
1. After the software is installed from the CD and package installation is complete, the welcome script
for the configuration utility appears:
Welcome to the Cisco Clean Access Manager quick configuration utility.
Note that you need to be root to execute this utility.
The utility will now ask you a series of configuration questions.
Please answer them carefully.
Cisco Clean Access Manager, (C) 2006 Cisco Systems, Inc.

2. You are first prompted for the IP address of the interface eth0 (the trusted interface):
Configuring the network interface:
Please enter the IP address for the interface eth0 [10.0.2.15]: 192.168.151.2
You entered 192.168.151.2 Is this correct? (y/n)? [y]

At the prompt, press enter to accept the default address, or type the address you want to use for the
trusted network interface in dotted-decimal format and press enter. When asked to confirm, enter y to
accept the value or n to enter it again.
3. Type the subnet mask for the interface address at the prompt or press enter for the default. Confirm
the value when prompted.
Please enter the netmask for the interface eth0 [255.255.255.0]:
You entered 255.255.255.0, is this correct? (y/n)? [y]

4. Specify and confirm the address of the default gateway for the Clean Access Manager. This is
typically the IP address of the router between the Clean Access Manager subnet and the Clean
Access Server subnet.
Please enter the IP address for the default gateway [192.168.151.1]


5. Provide a host name for the Clean Access Manager. The host name will be matched with the
interface address in your DNS server, enabling it to be used to access the Clean Access Manager
admin console from a browser. The default host name is camanager.
Please enter the hostname [camanager]:

6. Specify the IP address of the Domain Name System (DNS) server in your environment or accept the
default at the following prompt:
The nameserver(s) is currently set to nameserver [192.168.1.1] Would you like to change this setting? (y/n)?
Please enter the IP address for the nameserver:

7. The Clean Access Manager and Clean Access Servers in a deployment authenticate each other
through a shared secret. The shared secret serves as an internal password for the deployment. The
default shared secret is cisco123. Type and confirm the shared secret at the prompts. Because the
default value is published in this guide, set a unique, strong shared secret rather than keeping the
default; it is the credential that lets a CAS join the CAM’s domain.

Caution The shared secret must be the same for the Clean Access Manager and all Clean Access Servers in the
deployment. If they have different shared secrets, they cannot communicate.

8. Specify the time zone in which the Clean Access Manager is located as follows:
a. Choose your region from the continents and oceans list. Type the number next to your location
on the list, such as 2 for the Americas, and press enter. Enter 11 to enter the time zone in Posix
TZ format, such as GST-10.
b. The next list that appears shows the countries for the region you chose. Choose your country
from the country list, such as 45 for the United States, and press enter.
c. If the country contains more than one time zone, the time zones for the country appear.
d. Choose the appropriate time zone region from the list and press enter (for example, 16 for
Pacific Time).
e. Confirm your choices by entering 1, or use 2 to cancel and start over.
9. Now configure the SSL security certificate that enables secure connections between the Clean
Access Manager and the web-based admin console as follows:
a. At the following prompt:
Enter fully qualified domain name or IP [192.168.151.2]

Type the IP address or domain name for which you want the certificate to be issued, or press
enter to accept the default (this is normally the eth0 IP address you already specified).

Note This is also the IP address or domain name to which the web server responds. If DNS is not
already set up for a domain name, the CAM web console will not load. Make sure to create a
DNS entry in your servers, or else use an IP address for the CAM.

b. For the organization unit name, enter the group within your organization that is responsible for
the certificate (for example, information services or engineering).
c. For the organization name, type the name of your organization or company for which you would
like to receive the certificate (for example, Cisco), and press enter.


d. Type the name of the city or county in which your organization is legally located, and press
enter.
e. Enter the two-character state code in which the organization is located, such as CA or NY, and
press enter.
f. Type the two-letter country code, such as US, and press enter.
g. A summary of the values you entered appears. Press enter to accept the values or N to start over.
10. Configure the root user password for the installed Linux operating system of the Clean Access
Manager. The default password is cisco123. The root user account is used to access the system over
a serial connection or through SSH.

Password rules are not enforced, so choose a strong password (for example, at least 6 characters,
mixed letters and numbers) to reduce the vulnerability of your network to password guessing attacks.
Do not leave the default in place: it is published in this guide, and root over SSH gives full control
of the CAM.

Note The default username/password is admin/cisco123 to access the Clean Access Manager web admin
console (the primary administration interface for Cisco NAC Appliance). Passwords for web admin
console users (including default user admin) are configured through the web console. See Manage
System Passwords, page 15-30 for details.

11. When performing a CD install, the following message appears after configuration is complete:
Install has completed. Press <ENTER> to reboot.

a. If installing from CD, press the Enter key to reboot the server.
b. If running the configuration script via service perfigo config, you must execute the
following command to reboot the machine after configuration is complete:
# service perfigo reboot

After restarting, the CAM is accessible through the web console, as described in Access the CAM Web
Console, page 2-14.
• For the commands to manually stop and start the CAM, see Using the Command Line Interface
(CLI), page 2-11
• For network card configuration issues, see Troubleshooting Network Card Driver Support Issues,
page 2-12.
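Before running the configuration utility (or service perfigo config later), it is worth checking the values you intend to enter: a gateway outside the eth0 subnet, or a host name with no DNS entry, leaves the CAM unreachable through the web console (see the Note in step 9). The following Python script is an added example, not part of this guide or of the appliance software. It validates the eth0 address, netmask and default gateway with the standard library, and checks that the name you will enter for the SSL certificate resolves to the eth0 address. The host name camanager.example.com and the address values in the usage section are assumptions.

```python
"""Preflight for the CAM quick-configuration answers (added example, not Cisco code)."""
import ipaddress
import socket


def validate_interface(ip, netmask, gateway):
    """Return a list of problems with the eth0 address, netmask and default gateway.
    An empty list means the combination is consistent."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:
        return [f"invalid eth0 address or netmask: {exc}"]
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"invalid gateway: {exc}")
        return problems
    if gw not in net:
        # The guide says the gateway is the router on the CAM subnet; off-subnet is a typo.
        problems.append(f"gateway {gw} is not on the eth0 subnet {net}")
    elif gw == iface.ip:
        problems.append("gateway must not equal the eth0 address")
    return problems


def system_resolver(name):
    """Resolve name to its IPv4 addresses using the host's DNS configuration."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def static_resolver(table):
    """Build a resolver from {name: [ip, ...]}; names absent from the table fail like
    NXDOMAIN. Lets you check a planned DNS entry offline, and is used for self-test."""
    def resolve(name):
        if name not in table:
            raise OSError(f"{name}: no DNS entry")
        return list(table[name])
    return resolve


def validate_console_name(name, eth0_ip, resolve=system_resolver):
    """Check the value entered at "Enter fully qualified domain name or IP".
    An IP literal needs no DNS; a host name must resolve to the eth0 address,
    otherwise the web console will not load at that name."""
    try:
        ipaddress.IPv4Address(name)
        return []
    except ValueError:
        pass
    try:
        addrs = resolve(name)
    except OSError as exc:
        return [f"{name} does not resolve ({exc}); add a DNS entry or use the IP address"]
    if eth0_ip not in addrs:
        return [f"{name} resolves to {', '.join(addrs)}, not to eth0 {eth0_ip}"]
    return []


def preflight(ip, netmask, gateway, console_name, resolve=system_resolver):
    """Run every check; returns [] when the values are safe to enter."""
    return validate_interface(ip, netmask, gateway) + validate_console_name(
        console_name, ip, resolve)


if __name__ == "__main__":
    # Values from the walkthrough above; the host name and its DNS entry are assumptions.
    planned_dns = static_resolver({"camanager.example.com": ["192.168.151.2"]})
    findings = preflight("192.168.151.2", "255.255.255.0", "192.168.151.1",
                         "camanager.example.com", planned_dns)
    for line in findings or ["no problems found"]:
        print(line)
```

Run it on the admin workstation with the real resolver (drop the static_resolver argument) once the DNS entry exists; an empty result means the address, gateway and name are consistent with what the configuration utility and the browser will need.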

Important Notes for SSL Certificates


• You must generate the SSL certificate during CAM installation or you will not be able to access your
server as an end user.
• After CAM and CAS installation, make sure to synchronize the time on the CAM and CAS via the
web console interface before regenerating a temporary certificate on which a Certificate Signing
Request (CSR) will be based. For further details on the CAM, see:
Set System Time, page 15-4
Manage CAM SSL Certificates, page 15-5
For details on the CAS, see the Cisco NAC Appliance - Clean Access Server Installation and
Administration Guide.


• Before deploying the server in a production environment, you can acquire a trusted certificate from
a Certificate Authority to replace the temporary certificate (in order to avoid the security warning
that is displayed to the web user during admin login).

Using the Command Line Interface (CLI)


You can perform most administration tasks for the Clean Access Manager through the web admin
console, such as configure behavior, and perform operations such as starting and rebooting the server.
However, in some cases you may need to access the server configuration directly, for example if the web
admin console is unavailable due to incorrect network or VLAN settings. You can use the Cisco NAC
Appliance command line interface (CLI) to set basic operational parameters directly on the server.
To run the CLI commands, access the server using SSH and log in as user root (default password is
cisco123). If already serially connected to the server, you can run CLI commands from the terminal
emulation console after logging in as root (see Access the CAM Over a Serial Connection, page 2-4).
The format service perfigo <command> is used to enter a command from the command line. Table 2-1
lists the commonly used Cisco NAC Appliance CLI commands.
Table 2-1 CLI Commands

Command                  Description
service perfigo start    Starts up the server. If the server is already running, a warning message
                         appears. The server must be stopped for this command to be used.
service perfigo stop     Shuts down the Cisco NAC Appliance service.
service perfigo restart  Shuts down the Cisco NAC Appliance service and starts it up again. Use this
                         when the service is already running and you want to restart it.
                         Note: service perfigo restart should not be used to test high availability
                         (failover). Instead, Cisco recommends "shutdown" or "reboot" on the machine
                         to test failover, or, if a CLI command is preferred, service perfigo stop
                         followed by service perfigo start.
service perfigo reboot   Shuts down and reboots the machine. You can also use the Linux reboot
                         command.
service perfigo config   Starts the configuration script to modify the server configuration. After
                         completing service perfigo config, you must reboot the server.
service perfigo time     Modifies the time zone settings.

Power Down the CAM


To power down the CAM, use one of the following recommended methods while connected via SSH:
• Type service perfigo stop, then power down the machine, or
• Type /sbin/halt, then power down the machine.


Restart Initial Configuration


To start the configuration script, type service perfigo config while connected through SSH. For
example: [root@camanager root]# service perfigo config

This command causes the configuration utility script to start (on either the CAS or CAM). The script lets
you configure the network settings for the server (see Perform the Initial Configuration, page 2-8 for
instructions). After running and completing service perfigo config, make sure to run service
perfigo reboot or reboot to reset the server with the modified configuration settings.

Note For details on restoring the database from automated and manual backup snapshots via command line
utility, see Database Recovery Tool, page 15-35.

Troubleshooting Network Card Driver Support Issues


For complete details, refer to the “Troubleshooting Network Card Driver Support Issues” section of the
Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).

Cisco NAC Appliance Connectivity Across a Firewall


The Clean Access Manager (CAM) uses Java Remote Method Invocation (RMI) for parts of its
communication with the Clean Access Server (CAS). In release 3.5(x) this used dynamically allocated
ports; from release 3.6(x) the RMI ports are fixed (see Table 2-2). If your deployment has a firewall
between the CAS and the CAM, you will need to set up rules in the firewall that allow communication
in both directions between the CAS and CAM machines, that is, traffic originating from the CAM
destined to the CAS and vice versa.
Table 2-2 shows the ports that are required for communication between the CAS and the CAM (per
version of Cisco Clean Access).
Table 2-2 Port Connectivity for CAM/CAS

CCA Version      Required Firewall Ports
4.1(x), 4.0(x)   TCP ports 443, 1099, and 8995~8996
3.6(x)           TCP ports 80, 443, 1099, and 8995~8996
3.5(x)           TCP ports 80, 443, 1099, and 32768~61000 (usually 32768~32999 are sufficient)

For Single Sign-On (SSO) capabilities, other ports must be open on the CAS and firewall (if any) to
allow communication between the Agent and the Active Directory Server, as shown in Table 2-3.


Table 2-3 lists the devices on which you must open ports so that the Cisco NAC Appliance can function
properly, the communicating devices, the ports affected, and the purpose of each port.
Table 2-3 Port Usage

Device: Firewall, if any
Communicating devices: CAM and CAS
  TCP 8995, 8996 and TCP 1099: Java Management Extensions (JMX) communication between the CAM
  and CAS, such as pre-connect and connect messages (the same ports listed in Table 2-2).
  TCP 443: HTTP over Secure Sockets Layer (SSL) communication between Agent/CAS/CAM, such as end
  user machine remediation via the Agent.
  TCP 80 (version 3.6.x and earlier): HTTP communication between Agent/CAS/CAM. Used to download
  the Agent from the CAM to an end user machine.

Device: Firewall, if any
Communicating devices: CAS and Agent
  UDP 8905, 8906: SWISS, a proprietary CAS-Agent communication protocol used by the Agent for UDP
  discovery of the CAS. UDP 8905 is used for Layer 2 discovery; 8906 is used for Layer 3 discovery.
  TCP 8910: Microsoft Active Directory lookup to facilitate Active Directory Single Sign-On (AD SSO).
  TCP 443: HTTP over SSL communication between Agent/CAS/CAM, such as for user redirection to a web
  login page.
  TCP 80 (version 3.6.x and earlier): HTTP communication between Agent/CAS/CAM. Used to download
  the Agent from the CAM to an end user machine.

Device: CAS and firewall (if any)
Communicating devices: Agent and Active Directory Server
  TCP 88, 135, 389, 1025, 1026 and UDP 88, 389: AD SSO requires the following ports to be open:
    • TCP 88 (Kerberos)
    • TCP 135 (RPC)
    • TCP 389 (LDAP) or TCP 636 (LDAP with SSL)
    • TCP 1025 (RPC), non-standard
    • TCP 1026 (RPC), non-standard
  If it is not known whether the AD server is using Kerberos, you must open the following UDP ports
  instead:
    • UDP 88 (Kerberos)
    • UDP 389 (LDAP) or UDP 636 (LDAP with SSL)
  Note: If your deployment requires LDAP services, use TCP/UDP port 636 (LDAP with SSL encryption)
  instead of TCP/UDP port 389 (plain text), so that directory queries and credentials are not sent
  in the clear.
For more information on AD SSO, see Chapter 8, “AD SSO.”
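To confirm, before cutting over, that a firewall between the CAM and CAS actually passes the ports in Table 2-2 and Table 2-3, the following Python script is an added example and is not part of this guide or of the Cisco NAC Appliance software. It probes each required TCP port and distinguishes a port that is open, closed (the firewall passed the connection but nothing is listening, for example because the CAS service is stopped), or filtered (no reply within the timeout, the usual signature of a firewall drop). The CAS and AD server addresses in the usage comments are assumptions. UDP ports (SWISS 8905/8906 and UDP 88/389) cannot be verified by a TCP connect and are listed only for reference.

```python
"""Probe the TCP ports Cisco NAC Appliance needs between CAM, CAS and AD (added example)."""
import socket

# CAM <-> CAS TCP ports per release, transcribed from Table 2-2.
CAM_CAS_TCP_PORTS = {
    "4.1": [443, 1099, 8995, 8996],
    "4.0": [443, 1099, 8995, 8996],
    "3.6": [80, 443, 1099, 8995, 8996],
}

# CAS -> Active Directory TCP ports for AD SSO, transcribed from Table 2-3
# (636 replaces 389 when LDAP over SSL is used, which this guide recommends).
AD_SSO_TCP_PORTS = [88, 135, 389, 1025, 1026]
AD_SSO_TCP_PORTS_LDAPS = [88, 135, 636, 1025, 1026]

# UDP ports from Table 2-3, for reference only: a TCP probe cannot test them.
UDP_PORTS_NOT_PROBED = {"SWISS CAS-Agent discovery": [8905, 8906], "AD SSO": [88, 389]}


def required_ports(version):
    """Return the CAM<->CAS TCP port list for a release string such as "4.1"."""
    try:
        return list(CAM_CAS_TCP_PORTS[version])
    except KeyError:
        raise ValueError(f"no port list for release {version}") from None


def probe_tcp(host, port, timeout=2.0):
    """Classify host:port as "open", "closed" (RST received) or "filtered" (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        # e.g. no route to host; reported verbatim so the operator can tell it apart
        return f"error: {exc.strerror or exc}"


def probe_ports(host, ports, timeout=2.0):
    """Return {port: state} for each port in ports."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def not_open(results):
    """Ports in a probe_ports() result that would break CAM/CAS or AD SSO traffic."""
    return sorted(port for port, state in results.items() if state != "open")


def report(label, results):
    """Render a probe_ports() result as one line per port."""
    lines = [f"{label}:"]
    for port in sorted(results):
        lines.append(f"  tcp/{port:<5} {results[port]}")
    return "\n".join(lines)


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener on an OS-chosen port; used for local self-test."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage (addresses are assumptions): run on the CAM against the CAS eth0 address,
    # then on the CAS against the CAM, because the firewall must pass both directions.
    # cas = probe_ports("192.168.151.3", required_ports("4.1"))
    # print(report("CAS 192.168.151.3", cas)); print("not open:", not_open(cas))
    # ad = probe_ports("ad.example.com", AD_SSO_TCP_PORTS_LDAPS)
    # print(report("AD server", ad)); print("not open:", not_open(ad))
    srv, port = start_listener()
    print(report("local self-test", probe_ports("127.0.0.1", [port])))
    srv.close()
```

A "filtered" result on 1099 or 8995/8996 while 443 is open is the classic symptom of a firewall that was opened for HTTPS only; a "closed" result on the same ports usually means the peer's service perfigo is stopped rather than a firewall problem.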


Access the CAM Web Console


The Clean Access Manager web administration console is the web interface for administering the Cisco
NAC Appliance deployment. The CAM includes a preconfigured web server, so you do not have to set
up a web server to start using the web console.

Warning You must already have obtained a product or evaluation license to access the CAM/CAS and CAM web
console. Refer to Cisco NAC Appliance Service Contract / Licensing Support for complete
step-by-step instructions on how to obtain and install product licenses and obtain service contract
support for Cisco NAC Appliance.

To open the web admin console:

Step 1 Launch a web browser from a computer accessible to the Clean Access Manager by network. The web
console supports Internet Explorer 6.0 or 7.0.
Step 2 In the URL field, type the IP address of the Clean Access Manager machine (or the host name if you
have made the required entry in your DNS server).
Step 3 If using a temporary SSL certificate, the security alert appears and you are prompted to accept the
certificate. Click Yes to accept the certificate. (If using signed certificates, this security dialog will not
appear.)
Step 4 The Clean Access Manager License Form (Figure 2-4) appears and prompts you to install your CAM
FlexLM license file. For reference, the top of the form displays the eth0 MAC address of the CAM
machine.


Figure 2-4 Clean Access Manager License Form

Step 5 Browse to the license file you received in the Clean Access Manager License File field and click the
Install License button.

Note Refer to Cisco NAC Appliance Service Contract / Licensing Support for complete step-by-step
instructions for how to obtain and install product licenses and obtain service contract support for
Cisco NAC Appliances.

Caution Cisco recommends obtaining a permanent license before continuing with full-scale deployment.
Evaluation licenses are intended for trial purposes and expire after 30 days. Once a license expires, you
cannot start Cisco NAC Appliance. Contact a Cisco representative to purchase a permanent license.

Step 6 Once the license is accepted, the web admin console login window appears (Figure 2-5). Type the
username admin and default web admin user password cisco123, and click Login. Change this default
password as soon as you are logged in (see Manage System Passwords, page 15-30): it is published in
this guide and protects the primary administration interface for the deployment.


Figure 2-5 CAM Web Admin Console Login Page

Step 7 The Monitoring summary page and left-hand navigation pane are displayed (Figure 2-6). You can now
configure your deployment through the modules of the web admin console.

Figure 2-6 Monitoring Summary Page

To log out of the web admin console, either click the Logout button ( ), or simply close the browser.
For further details on creating different levels of admin users for the web console, see Admin Users, page
15-24.

C H A P T E R 3
Device Management: Adding Clean Access
Servers, Adding Filters

This chapter describes how to add and manage Clean Access Servers from the Clean Access Manager
and configure device and/or subnet filters. It contains the following sections.
• Working with Clean Access Servers, page 3-2
• Global and Local Administration Settings, page 3-6
• Global Device and Subnet Filtering, page 3-7
The first step in implementing Cisco NAC Appliance is configuring devices in the Clean Access
Manager (CAM)’s administrative domain. Clean Access Servers must be added to the CAM in order to
manage them directly in the web console.
By default, Cisco NAC Appliance forces user devices on the untrusted side of the CAS to authenticate
when attempting to access the network.
User roles, user authentication, user web pages, and traffic policies for in-band user traffic must be
configured for users on the untrusted network as described in the following chapters:
• Chapter 6, “User Management: Configuring User Roles and Local Users”
• Chapter 7, “User Management: Configuring Auth Servers”
• Chapter 9, “User Management: Traffic Control, Bandwidth, Schedule”
If deploying Cisco NAC Appliance for out-of-band, you will also need to configure the CAM as
described in Chapter 4, “Switch Management: Configuring Out-of-Band (OOB) Deployment”.
After Cisco NAC Appliance is configured for user traffic on the untrusted side of your network, you
may need to allow devices on the untrusted side to bypass authentication and Clean Access certification
(for example, printers or VPN boxes). See Global Device and Subnet Filtering, page 3-7 for how to
configure filters in the Clean Access Manager for these kinds of devices.


Working with Clean Access Servers


The Clean Access Server gets its runtime parameters from the Clean Access Manager and cannot operate
until it is added to the CAM’s domain. Once the CAS is installed and added to the CAM, you can
configure local parameters in the CAS and monitor it through the web admin console.
This section describes the following:
• Add Clean Access Servers to the Managed Domain
• Troubleshooting when Adding the Clean Access Server
• Manage the Clean Access Server
• Check Clean Access Server Status
• Disconnect a Clean Access Server
• Reboot the Clean Access Server
• Remove the Clean Access Server from the Managed Domain
For details on configuring local CAS-specific settings, see the Cisco NAC Appliance - Clean Access
Server Installation and Administration Guide.

Add Clean Access Servers to the Managed Domain


The Clean Access Server must be running to be added to the Clean Access Manager.

Note If intending to configure the Clean Access Server in Virtual Gateway mode (IB or OOB), you must
disable or unplug the untrusted interface (eth1) of the CAS until after you have added the CAS to the
CAM from the web admin console. Keeping the eth1 interface connected while performing initial
installation and configuration of the CAS for Virtual Gateway mode can result in network connectivity
issues.
For Virtual Gateway with VLAN mapping (In-Band or OOB), the untrusted interface (eth1) of the CAS
should not be connected to the switch until VLAN mapping has been configured correctly under Device
Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping.

See the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide for details.

To add a Clean Access Server:


1. From Device Management, click the CCA Servers link on the navigation menu.


2. Click the New Server tab.


Figure 3-1 Add New Server

3. In the Server IP address field, type the IP address of the Clean Access Server’s eth0 trusted
interface.

Note The eth0 IP address of the CAS is the same as the Management IP address.

4. Optionally, in the Server Location field, type a description of the Clean Access Server’s location
or other identifying information.
5. For in-band operation, choose one of the following operating modes for the Clean Access Server
from the Server Type list:
Virtual Gateway – Operates as an L2 transparent bridge, while providing IPSec, filtering, virus
protection, and other services.
Real-IP Gateway – Acts as the default gateway for the untrusted network.
NAT Gateway – Acts as an IP router/default gateway and also provides NAT (Network Address
Translation) services for the untrusted network.

Note NAT Gateway mode is primarily intended to facilitate testing, as it requires the least amount of
network configuration and is easy to initially set up. However, because NAT Gateway is limited
in the number of connections it can handle, NAT Gateway mode (in-band or out-of-band) is not
supported for production deployment. Cisco NAC Appliance versions 4.1/4.0/3.6 use ports
20000-65535 (45536 connections) for NAT Gateway mode.

6. For out-of-band operation, you must choose one of the following out-of-band operating types.
Out-of-Band Virtual Gateway — Operates as a Virtual Gateway during authentication and
certification, before the user is switched out-of-band (i.e., the user is connected directly to the
access network).
Out-of-Band Real-IP Gateway — Operates as a Real-IP Gateway during authentication and
certification, before the user is switched out-of-band (i.e., the user is connected directly to the
access network).
Out-of-Band NAT Gateway — Operates as a NAT Gateway during authentication and
certification, before the user is switched out-of-band (i.e., the user is connected directly to the
access network).


Note NAT Gateway (in-band or out-of-band) is not supported for production deployment.

The CAM can control both in-band and out-of-band Clean Access Servers in its domain. However,
the CAS itself must be either in-band or out-of-band.
For more information on out-of-band deployment, see Chapter 4, “Switch Management:
Configuring Out-of-Band (OOB) Deployment.”
See the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide for
further details on the CAS operating modes and NAT session throttling for NAT gateways.
7. Click Add Clean Access Server. The Clean Access Manager looks for the Clean Access Server on
the network, and adds it to its list of managed Servers (Figure 3-2).
The Clean Access Server is now in the Clean Access Manager’s administrative domain.

Troubleshooting when Adding the Clean Access Server


See the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide for
troubleshooting details.

Manage the Clean Access Server


After adding the Clean Access Server, you can configure CAS-specific settings such as VLAN Mapping
or DHCP configuration. For some parameters, such as traffic control policies, the settings in the CAS
can override the CAM’s global settings.
Once you add the CAS to the Clean Access Manager, the CAS appears in the List of Servers tab as one
of the managed Servers, as shown in Figure 3-2.

Figure 3-2 List of Servers Tab

Each Clean Access Server entry lists the IP address, server type, location, and connection status of the
CAS. In addition, four management control icons are displayed: Manage, Disconnect, Reboot, and Delete.
Click the Manage icon to administer the Clean Access Server.

Note For further specifics on configuring Clean Access Servers (such as DHCP or high availability) see the
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide.


Check Clean Access Server Status


The operational status of each Clean Access Server appears in the Status column:
• Connected – The CAM can reach the CAS successfully.
• Not connected – The CAS is rebooting, or the network connection between the CAM and CAS is
broken.
If the Clean Access Server has a status of Not connected unexpectedly (that is, it is not down for
standard maintenance, for example), try clicking the Manage button to force a connection attempt. If
successful, the status changes to Connected. Otherwise, check for a connection problem between the
CAM and CAS and make sure the CAS is running. If necessary, try rebooting the CAS.

Note The Clean Access Manager monitors the connection status of all configured Clean Access Servers. The
CAM will try to connect a disconnected CAS every 5 minutes.

Disconnect a Clean Access Server


When a Clean Access Server is disconnected, it displays Not Connected status but remains in the Clean
Access Manager domain. You can always click Manage to connect the CAS and use it.
Using the disconnect option is useful if you need to keep a Clean Access Server offline for maintenance
work. Additionally, if at any point the Clean Access Server is out of sync with the Clean Access
Manager, you can disconnect the Clean Access Server then reconnect it. The Clean Access Manager will
again publish the data configured for the Clean Access Server and keep the CAS in sync.
In contrast, if you delete the Clean Access Server, all secondary configuration settings are lost.

Reboot the Clean Access Server


You can perform a graceful reboot of a Clean Access Server by clicking the Reboot button in the
List of Servers tab. In a graceful reboot, the Clean Access Server performs all normal shutdown
procedures before restarting, such as writing logging data to disk.

Remove the Clean Access Server from the Managed Domain


Deleting a Clean Access Server in the List of Servers tab removes it from the List of Servers and the
system. To remove a Clean Access Server, click the Delete button next to the CAS. In order to reuse
a Clean Access Server that you have deleted, you have to re-add it to the Clean Access Manager.
Note that when the Clean Access Server is removed, any secondary configuration settings specific to the
CAS are deleted. Secondary settings are settings that are not configured at installation time or through
the service perfigo config script, and include policy filters, traffic routing, and encryption
parameters.
Settings that are configured at installation time, such as interface addresses, are kept on the Clean Access
Server and are restored if the CAS is later re-added to the CAM’s administrative domain.
Removing an active CAS has the following effect on users accessing the network through the CAS at the
time it is deleted:


• If the CAS and CAM are connected when the CAS is deleted, the network connections for active
users are immediately dropped. Users are no longer able to access the network. (This is because the
CAM is able to delete the CAS’s configuration immediately, so that the IP addresses assigned to
active users are no longer valid in relation to any security policies applicable to the CASes.) New
users will be unable to log into the network.
• If the connection between the CAS and CAM is broken at the time the CAS is deleted, active users
will be able to continue accessing the network until the connection is reestablished. This is because
the CAM cannot delete the CAS’s configuration immediately. New users will be unable to log into
the network.

Global and Local Administration Settings


The CAM web admin console has the following types of settings:
• Clean Access Manager administration settings are relevant only to the CAM itself. These include
its IP address and host name, SSL certificate information, and High-Availability (failover) settings.
• Global administration settings are set in the Clean Access Manager and pushed from the CAM to
all Clean Access Servers. These include authentication server information, global device/subnet
filter policies, user roles, and Clean Access configuration.
• Local administration settings are set in the CAS management pages for a Clean Access Server and
apply only to that CAS. These include CAS network settings, SSL certificates, DHCP and 1:1 NAT
configuration, VPN concentrator configuration, IPSec key changes, local traffic control policies,
and local device/subnet filter policies.
The global or local scope of a setting is indicated in the Clean Access Server column in the web admin
console, as shown in Figure 3-3.

Figure 3-3 Scope of Settings


• GLOBAL—The entry was created using a global form in the CAM web admin console and applies
to all Clean Access Servers in the CAM’s domain.
• <IP Address>—The entry was created using a local form from the CAS management pages and
applies only for the CAS with this IP address.
In general, pages that display global settings (referenced by GLOBAL) also display local settings
(referenced by CAS IP address) for convenience. These local settings can usually be edited or deleted
from global pages; however, they can only be added from the local CAS management pages for a
particular Clean Access Server.


Global and Local Settings


Global (defined in CAM for all CASes) and local (CAS-specific) settings often coexist on the same CAS.
If a global and local setting conflict, the local setting always overrides the global setting. Note the
following:
• For device/subnet filter policies (which bypass authentication/certification requirements), local
(CAS-specific) settings override global (CAM) settings.
• For other settings, such as traffic control policies, the priority of the policy (higher or lower)
determines which global or local policy is enforced.
• Some features must be enabled on the CAS (via the CAS management pages) and also configured
in the CAM console, for example:
L3 support (for multi-hop L3 deployments) is enabled per CAS, but may require login
page/Agent configuration on CAM
Bandwidth Management is enabled per CAS, but can be configured for all roles on the CAM
Active Directory SSO is configured per CAS, but requires Auth Provider on CAM
Cisco VPN Concentrator SSO is configured per CAS, but requires Auth Provider on CAM
• Clean Access requirements and network scanning plugins are configured globally from the CAM
and apply to all CASes.

Global Device and Subnet Filtering


This section describes the following:
• Overview
• Device Filters and User Count License Limits
• Adding Multiple Entries
• Corporate Asset Authentication and Posture Assessment by MAC Address
• Device Filters for In-Band Deployment
• Device Filters for Out-of-Band Deployment
• Device Filters and IPSec/L2TP/PPTP Connections to CAS
• Device Filters and Gaming Ports
• Global vs. Local (CAS-Specific) Filters
• Configure Device Filters, page 3-12
• Configure Subnet Filters, page 3-20

Overview
By default, Cisco NAC Appliance forces user devices on the untrusted side of the CAS to authenticate
when attempting to access the network.
If you need to allow devices on the untrusted side to bypass authentication and posture assessment
(referred to as “Clean Access certification” in this document), you can configure device or subnet filters.
There are two ways to bypass Clean Access: Filter lists and Exempt list:


• Filter lists (configured under Device Management > Filters) can be set by MAC, IP or subnet, and
can auto-set role assignment. Filters allow users (or devices) to bypass both authentication and
Clean Access certification (posture assessment). This section describes how to configure device
and subnet filters.
• The Exempt list is set by MAC address (under Device Management > Clean Access > Certified
Devices > Add Exempt Device) and allows users to bypass Clean Access certification (posture
assessment) only. See Add Exempt Device, page 10-27 for further details on the Exempt list.
Device filters are specified by MAC address (and optionally IP) of the device, and can be configured for
either in-band (IB) or out-of-band (OOB) deployments. The MAC addresses are input and authenticated
through the CAM, but the CAS is the device that performs the actual filtering action. For OOB, the use
of device filters must also be enabled in the Port Profile (see Add Port Profile, page 4-28). For both IB
and OOB, authentication and certification are bypassed for the devices put in the filter list.
Subnet filters can be configured for IB deployments only and are specified by subnet address and subnet
mask (in CIDR format).
You can configure device or subnet filters to do the following:
• IB: Bypass login/certification and allow all traffic for the device/subnet.
OOB: Bypass login/certification and assign the Default Access VLAN to the device.
• IB: Block network access to the device/subnet.
OOB: Block network access and assign the Auth VLAN to the device.
• IB: Bypass login/certification and assign a user role to the device/subnet.
OOB: Bypass login/certification and assign the Out-of-Band User Role VLAN to the device (the
Access VLAN configured in the user role)

Note Because a device in a Filter entry is allowed/denied access without authentication, the device will not
appear on the Online Users list (see Online Users List, page 14-3 for details).

Some uses of device filters include:


• For printers on user VLANs, you can set up an “allow” device filter for the printer's MAC address
to allow the printer to communicate with Windows servers. Note that it is recommended to configure
device filters for printers in OOB deployment also. This prevents a user from connecting to a printer
port in order to bypass authentication.
• For in-band Cisco NAC Appliance L3/VPN concentrator deployment, you can configure a device or
subnet filter to allow traffic from an authentication server on the trusted network to communicate
with the VPN concentrator on the untrusted network.

Device Filters and User Count License Limits


• MAC addresses specified with the “ALLOW” option in the Device Filter list (bypass
authentication/posture assessment/remediation) do not count towards the user count license limit.
• MAC addresses specified with the “CHECK” option in the Device Filter list (bypass authentication
but go through posture assessment/remediation) do count towards the user count license limit.

Note The maximum number of (non-user) devices that can be filtered is based on memory limitations and is
not directly connected to user count license restrictions. A CAS can safely support approximately 5,000
MAC addresses.


Adding Multiple Entries


You can enter a large number of MAC addresses into the device filter list by:
1. Specifying wildcards and MAC address ranges when configuring device filters.
2. Copying and pasting individual MAC addresses (one per line) into the New Device Filter form and
adding all of them with one click.
3. Using the API (cisco_api.jsp) addmac function to add the MAC addresses programmatically. See
API Support, page 15-36 for details.

Corporate Asset Authentication and Posture Assessment by MAC Address


Cisco NAC Appliance can perform MAC-based authentication and posture assessment (Clean Access
certification) of client machines without requiring the user to log into Cisco Clean Access. This feature
is implemented through the “CHECK” device filter control for global and local device filters, and the
Clean Access Agent (see Clean Access Agent Sends IP/MAC for All Available Adapters, page 11-8 for
additional details).
The following Device Filter configuration options are available:
• CHECK and IGNORE device filter options
• ROLE and CHECK filters require choosing a User Role from the dropdown menu.
• IGNORE is for OOB only. For IB, checking this option has no effect.
• IGNORE is for global filters only. It does not appear on CAS New/Edit filter pages.
• IGNORE device filters are intended to replace “allow” device filters that were specified for IP
phones in previous releases.

Note Administrators should reconfigure their device filters for IP phones to use the IGNORE
option in order to avoid creating unnecessary MAC-notification traps. For more information,
see Device Filters for Out-of-Band Deployment Using VoIP Phones, page 3-11.

Device filter policies have different applicability in L2 deployments (deployments where the CAS is in
L2 proximity to the end points/user devices) versus L3 deployments (where the CAS may be one or more
hops away from the end points/user devices). Note that in an L3 deployment, the endpoint needs to
access the network using a web browser (Applet/ActiveX) or the Clean Access Agent for Clean Access
to be able to obtain the end point's MAC address. The behavior in L2 and L3 deployments is different,
as described in Table 3-1.


Table 3-1 CAM L2/L3 Device Filter Options

ALLOW
L2: Allows all traffic from the end-point - no authentication or posture assessment is required.
L3: Allows all traffic from the end-point once the MAC address is known, until which time traffic from
the end-point is subject to policies in Unauthenticated Role - no authentication or posture assessment
is required.

DENY
L2: Denies all traffic from the end-point.
L3: Denies all traffic from the end-point once the MAC address is known, until which time traffic from
the end-point is subject to policies in Unauthenticated Role.

ROLE
L2: Allows traffic from the end-point without any authentication or posture assessment, as specified
by role traffic policies (for backward compatibility with CCA 3.x, this will continue to behave the
same way).
L3: Once the MAC address is known, posture assessment is performed if configured, following which
traffic is allowed as per role traffic policies.

CHECK
L2: Performs posture assessment as specified for the Role, following which traffic is allowed as per
role traffic policies.
L3: Same as above.

IGNORE
L2: For OOB only - ignores SNMP traps from managed switch ports for the specified MAC address(es).
L3: For OOB only - ignores SNMP traps from managed switch ports for the specified MAC address(es).

Device Filters for In-Band Deployment


Cisco NAC Appliance assigns user roles to users either by means of authentication attributes, or through
device/subnet filter policies. As a result, a key feature of device/subnet filter policy configuration is the
ability to assign a system user role to a specified MAC address or subnet. Cisco NAC Appliance
processing uses the following order of priority for role assignment:
1. MAC address
2. Subnet / IP address
3. Login information (login ID, user attributes from auth server, VLAN ID of user machine, etc.)
Therefore, if a MAC address associates the client with “Role A,” but the user’s login ID associates him
or her to “Role B,” “Role A” is used.
For complete details on user roles, see Chapter 6, “User Management: Configuring User Roles and Local
Users.”

Note • For management of Access Points (APs) from the trusted side, you can ensure the APs are reachable
from the trusted side (i.e. through SNMP, HTTP, or whatever management protocol is used) by
configuring a filter policy through Device Management > Filters > Devices.
• When upgrading to 4.1(x), device filters added by the EOLed AP Management feature will not be
lost.
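The role-assignment priority above (MAC address first, then subnet/IP, then login information), together with the L3 behavior from Table 3-1 where the end point's MAC address is unknown until a web browser or the Agent reports it, can be modelled in a few lines. The following is an added example, not Cisco code and not how the CAS implements it internally; the role names "Role A" and "Role B" come from the text above, while the MAC addresses other than 00:16:21:11:4D:67, the 10.1.12.0/24 subnet filter and the "vpn_concentrator" and "corporate_assets" roles are constructed for the demonstration. It also assumes that subnet filters carry the same ALLOW/DENY/ROLE actions as device filters and that, in the L3 ROLE case, posture assessment has been configured.

```python
# Added example (not Cisco's code): how an in-band CAS resolves a client's
# access decision in the priority order MAC device filter > subnet/IP filter >
# login information, including the L3 case from Table 3-1 where the MAC
# address is not yet known.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, DENY, ROLE, CHECK = "ALLOW", "DENY", "ROLE", "CHECK"
UNAUTH_ROLE = "Unauthenticated Role"


@dataclass
class Decision:
    source: str                 # "device_filter", "subnet_filter", "login" or "none"
    action: str                 # ALLOW / DENY / ROLE / CHECK / LOGIN / UNAUTHENTICATED
    role: Optional[str]         # role whose traffic policies apply (None = no role)
    login_required: bool
    posture_assessment: bool


@dataclass
class SubnetFilter:
    network: ipaddress.IPv4Network   # subnet filters are given in CIDR format
    action: str                      # assumed: ALLOW, DENY or ROLE
    role: Optional[str] = None


def _from_filter(source: str, action: str, role: Optional[str], l3: bool) -> Decision:
    """Map a filter action to its effect per Table 3-1 (in-band semantics)."""
    if action == ALLOW:
        return Decision(source, ALLOW, None, False, False)
    if action == DENY:
        return Decision(source, DENY, None, False, False)
    if action == ROLE:
        # L2: no posture assessment. L3: the table says assessment is performed
        # if configured; this example assumes it is configured.
        return Decision(source, ROLE, role, False, l3)
    if action == CHECK:
        return Decision(source, CHECK, role, False, True)
    raise ValueError(f"unknown filter action {action!r}")


def resolve(mac: str, ip: str,
            device_filters: Dict[str, Tuple[str, Optional[str]]],
            subnet_filters: List[SubnetFilter],
            login_role: Optional[str],
            l3: bool = False, mac_known: bool = True) -> Decision:
    # In an L3 deployment the CAS cannot apply MAC-based filters until the web
    # browser (Applet/ActiveX) or the Agent has reported the MAC; until then the
    # Unauthenticated Role's policies apply.
    if l3 and not mac_known:
        return Decision("none", "UNAUTHENTICATED", UNAUTH_ROLE, True, False)
    # 1. MAC address device filter (highest priority)
    entry = device_filters.get(mac.upper())
    if entry is not None:
        return _from_filter("device_filter", entry[0], entry[1], l3)
    # 2. Subnet / IP address filter (first matching subnet wins in this example)
    addr = ipaddress.IPv4Address(ip)
    for sf in subnet_filters:
        if addr in sf.network:
            return _from_filter("subnet_filter", sf.action, sf.role, l3)
    # 3. Login information (login ID, auth-server attributes, VLAN ID, ...)
    if login_role is not None:
        return Decision("login", "LOGIN", login_role, True, True)
    return Decision("none", "UNAUTHENTICATED", UNAUTH_ROLE, True, False)


# Constructed sample configuration for the demonstration below.
DEVICE_FILTERS = {
    "00:16:21:11:4D:67": (ROLE, "Role A"),        # the "Role A" / "Role B" case above
    "00:16:21:AA:BB:CC": (DENY, None),            # constructed
    "00:16:21:CC:DD:EE": (CHECK, "corporate_assets"),  # constructed
}
SUBNET_FILTERS = [
    SubnetFilter(ipaddress.ip_network("10.1.12.0/24"), ROLE, "vpn_concentrator"),
]

if __name__ == "__main__":
    for mac, ip, login in [("00:16:21:11:4d:67", "10.1.12.9", "Role B"),
                           ("00:16:21:22:22:22", "10.1.12.40", "Role B"),
                           ("00:16:21:33:33:33", "10.1.20.5", "Role B")]:
        d = resolve(mac, ip, DEVICE_FILTERS, SUBNET_FILTERS, login)
        print(f"{mac} {ip}: {d.source} -> {d.action} role={d.role}")
```

The first sample client shows the case described in the text: its login ID would place it in "Role B", but the MAC entry wins and "Role A" is used. The second client has no MAC entry, so its 10.1.12.0/24 subnet filter decides; the third falls through to login information.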


Device Filters for Out-of-Band Deployment


The Clean Access Manager respects the global Device Filters list for out-of-band deployments. As is the
case for In-Band deployments, for OOB, the rules configured for MAC addresses on the global Device
Filter list will have the highest priority for user/device processing. For OOB, the order of priority for
rule processing is as follows:
1. Device Filters (if configured with a MAC address, and if enabled for OOB)
2. Certified Devices List
3. Out-of-Band Online User List
MAC address device filters configured for OOB have the following options and behavior:
• ALLOW—bypass login and posture assessment (certification) and assign Default Access VLAN to
the port
• DENY—bypass login and posture assessment (certification) and assign Auth VLAN to the port
• ROLE—bypass login and L2 posture assessment (certification) and assign User Role VLAN to the
port
• CHECK—bypass login, apply posture assessment, and assign User Role VLAN to the port
• IGNORE—ignore SNMP traps from managed switches (IP Phones)

Note • To use device filters for OOB, you must enable the “Change VLAN according to global device
filter list” option for the Port Profile (under Switch Management > Profiles > Port > New or Edit).
See Add Port Profile, page 4-28 for details.
• This feature applies to global device filters only (does not apply to CAS-specific device filters).
• See Out-of-Band User Role VLAN, page 6-10 for details on VLAN assignment via the user role.

For further details, see Chapter 4, “Switch Management: Configuring Out-of-Band (OOB) Deployment.”

Device Filters for Out-of-Band Deployment Using VoIP Phones


You must create a Global Device filter list of MAC addresses designed to ignore IP phones through
which client machines connect to your network. You can define a list of MAC addresses by compiling
a collection of individual MAC addresses (Cisco recommends this method only for small deployments),
by specifying a range of MAC addresses using range delimiters and/or wildcard characters, or by
extracting a list of MAC addresses from an existing IP phone management application like Cisco
CallManager.
Once you build a list of the applicable IP phone MAC addresses, ensure that Cisco Clean Access ignores
them by enabling the Change VLAN according to global device filter list option for the Port Profile
(under Switch Management > Profiles > Port > New or Edit) when you configure your Cisco Clean
Access system for OOB. This ensures that the IP phones' MAC-notification behavior cannot initiate a
switch from one VLAN to another (from Access to Authentication VLAN, for example), thus
inadvertently terminating the associated client machine's connection. See Configure OOB Switch
Management in the CAM, page 4-18 for details.


Device Filters and IPSec/L2TP/PPTP Connections to CAS


Devices allowed in the MAC filter list cannot establish IPSec/L2TP/PPTP connections to the Clean
Access Server (CAS). Only users logging in via web login or Clean Access Agent can establish
IPSec/L2TP/PPTP connections to the CAS.
See “User Traffic Encryption” in the Cisco NAC Appliance - Clean Access Server Installation and
Administration Guide for how to configure secure connections between the Clean Access Server and the
end user device.

Warning IPSec/L2TP/PPTP and roaming are deprecated in release 4.1(0) and will be removed in future
releases.

Device Filters and Gaming Ports


To allow gaming services, such as Microsoft Xbox Live, it is recommended to create a gaming user role
and to add a filter for the device MAC addresses (under Device Management > Filters > Devices >
New) to place the devices into that gaming role. You can then create traffic policies for the role to allow
traffic for gaming ports. For additional details, see:
• Allowing Gaming Ports, page 9-24
• http://www.cisco.com/warp/customer/707/ca-mgr-faq2.html#q16
• Add New Role, page 6-6

Global vs. Local (CAS-Specific) Filters


You can add device/subnet filter policies at a global level, for all Clean Access Servers in the Clean
Access Manager Filters pages, or for a specific Clean Access Server through the CAS management
pages. The CAM stores both types of access filters and distributes the global filter policies to all Clean
Access Servers and the local filter policies to the relevant CAS.
Note that for device/subnet filter policies, if a global and local setting conflict, the local setting overrides
any global settings. (Refer to Global and Local Administration Settings, page 3-6.)
This section describes the forms and the steps to add global access filter policies. See the Cisco NAC
Appliance - Clean Access Server Installation and Administration Guide for how to add local access
filter policies.

Note The CAM respects the global Device Filters list (not CAS-specific filters) for OOB deployments.

Configure Device Filters


This section describes the following:
• Add Global Device Filter
• Display / Search Device Filter Policies
• Edit Device Filter Policies


• Delete Device Filter Policies

Add Global Device Filter


If there is a MAC address entry in the Device Filter list, the machine can also be checked per Clean
Access policies (e.g., Agent-based checks, network scanner checks). The device is authenticated based on
MAC address but will still have to go through scanning (network and/or Agent).
A device filter set up as described in the following steps will apply across all Clean Access Servers in
the CAM domain.
1. Go to Device Management > Filters > Devices > New.


Figure 3-4 New Device Filter

2. In the New Device Filter form, enter the MAC address of the device(s) for which you want to create
a policy in the text field. Type one entry per line using the following format:
<MAC>/<optional_IP> <optional_entry_description>
Note the following:
You can use wildcards “*” or a range “-” to specify multiple MAC addresses
Separate multiple devices with a return.
As an option, you can enter an IP address with the MAC to make sure no one spoofs the MAC
address to gain network access. If you enter both a MAC and an IP address, the client must
match both for the rule to apply.


You can specify a description by device or for all devices. A description specific to a particular
device (in the MAC Address field) supersedes a description that applies to all devices in the
Description (all entries) field. There cannot be spaces within the description in the device entry
(see Figure 3-4).
3. Choose the policy for the device from the Access Type choices:
ALLOW —
IB - bypass login, bypass posture assessment, allow access
OOB - bypass login, bypass posture assessment, assign Default Access VLAN
DENY —
IB - bypass login, bypass posture assessment, deny access
OOB - bypass login, bypass posture assessment, assign Auth VLAN
ROLE —
IB - bypass login, bypass L2 posture assessment, assign role
OOB - bypass login, bypass L2 posture assessment, assign User Role VLAN. The Out-of-Band
User Role VLAN is the Access VLAN configured in the user role. See Chapter 6, “User
Management: Configuring User Roles and Local Users” for details.
CHECK —
IB - bypass login, apply posture assessment, assign role
OOB - bypass login, apply posture assessment, assign User Role VLAN
IGNORE —
OOB (only) - ignore SNMP traps from managed switches (IP Phones)

Note For OOB, you must also enable the use of global device filters at the Port Profile level under
Switch Management > Profiles > Port > New or Edit. See Add Port Profile, page 4-28 for
details.

4. Click Add to save the policy.


5. The List page under the Devices tab appears.
The following examples are all valid entries (that can be entered at the same time):
00:16:21:11:4D:67/10.1.12.9 pocket_pc
00:16:21:12:* group1
00:16:21:13:4D:12-00:16:21:13:E4:04 group2

Note If bandwidth management is enabled, devices allowed without specifying a role will use the bandwidth
of the Unauthenticated Role. See Control Bandwidth Usage, page 9-13 for details.

Note Troubleshooting Tip: If you see ERROR: “Adding device MAC failed” and you are unable to add any
devices in the filter list (regardless of which option is checked, or whether an IP address/description is
included), check the Event Logs. If you see “xx:xx:xx:xx:xx:xx could not be added to the MAC list”,
this can indicate that one of the CASes is disconnected.


Display / Search Device Filter Policies


• Priorities can be defined for ranges (via the Order page)
• A single MAC address device filter (e.g. 00:14:6A:6B:6C:6D) always takes precedence on the filter
List over a wildcard/range device filter (e.g. 00:14:6A:6B:*, or 00:14:6A:*).
• New wildcard/range device filters are always put at the end of the List page. To change the priority,
go to the Order page.
• The role assignment for a single MAC address device filter always takes precedence over other
filters. You can check the role assignment to be used for a MAC address using the Test page.
• The Test page shows which filter will take effect for the MAC address entered.
1. You can narrow the number of devices displayed in the filter list (under Device Management >
Filters > Devices > List) using the following search criteria:
Clean Access Server: Any CAS, GLOBAL, or <CAS IP address>
Access: Any Access, allow, deny, use role
MAC Address
IP Address
Description
For MAC Address, IP Address and Description searches, you can select equals (exact match), starts
with, ends with, or contains operators for text entered in the search text field.
2. Click the View button after entering the search criteria to display the desired search.

Figure 3-5 Device Filters List

[Screenshot of the filter list; the callout marks the “filtered devices indicator” referred to in Delete Device Filter Policies.]

3. Clicking Reset View resets the list to display all entries (default). Use the First, Previous, Next,
and Last links to navigate the pages. A maximum of 25 entries are shown per page.
The Clean Access Server column in the list shows the scope of the policy. If the policy was configured
locally in the CAS management pages, this field displays the IP address of the originating Clean Access
Server. If the policy was configured globally for all Clean Access Servers in the Device Management >
Filters module of the admin console, the field displays GLOBAL.
The filter list can be sorted by column by clicking on the column heading label (MAC Address, IP
Address, Clean Access Server, Description, Access Type).


See Global and Local Administration Settings, page 3-6 and the Cisco NAC Appliance - Clean Access
Server Installation and Administration Guide for further details.

Order Device Filter Wildcard/Range Policies


The Order page is for wildcard/range device filters only. The Order page is used to change the priority
of wildcard/range device filters.
For example:
• If the Order page is configured with filters as follows:
1. 00:14:6A:* — Access Type: DENY
2. 00:14:6A:6B:* — Access Type: IGNORE
A device with MAC address 00:14:6A:6B:60:60 will be denied.
• If the Order page is configured as follows:
1. 00:14:6A:6B:* — Access Type: IGNORE
2. 00:14:6A:* — Access Type: DENY
A device with MAC address 00:14:6A:6B:60:60 will have access type IGNORE.
However, if a device filter exists for the exact MAC address 00:14:6A:6B:60:60, the rules of that filter
apply instead, and any existing wildcard/range filters are not used.
1. Go to Device Management > Filters > Devices > Order

Figure 3-6 Order

2. Click the arrows in the Priority column to move the priority of the wildcard/range filter up or down.
3. Click Commit to apply the changes. (Click Reset to cancel the changes.)
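The entry format from Add Global Device Filter and the precedence rules of this section (exact MAC wins, then wildcard/range entries in Order page priority), worked through as an added Python model. This is illustration code, not Cisco's or the CAM's own implementation; the entries and MAC addresses are the ones used in this chapter, and `resolve()` is this model's reading of how the Test page result follows from the documented rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry kinds accepted by the New Device Filter form: an exact MAC, a wildcard
# prefix ending in "*" (e.g. 00:16:21:12:*) and an inclusive range "lo-hi".
EXACT_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$")
WILDCARD_RE = re.compile(r"^([0-9A-F]{2}:){1,5}\*$")


def mac_to_int(mac: str) -> int:
    """Numeric value of a colon-separated MAC address, for range comparisons."""
    return int(mac.replace(":", ""), 16)


def classify_spec(spec: str) -> str:
    """Return 'exact', 'wildcard' or 'range'; raise ValueError for a malformed entry."""
    if EXACT_RE.match(spec):
        return "exact"
    if WILDCARD_RE.match(spec):
        return "wildcard"
    lo, sep, hi = spec.partition("-")
    if sep and EXACT_RE.match(lo) and EXACT_RE.match(hi) and mac_to_int(lo) <= mac_to_int(hi):
        return "range"
    raise ValueError(f"invalid MAC specification: {spec!r}")


@dataclass
class DeviceFilter:
    mac_spec: str        # exact MAC, wildcard prefix or range, upper-case
    ip: Optional[str]    # when set, the client must match MAC *and* IP (anti-spoofing)
    description: str     # per-device description; may not contain spaces
    access_type: str     # ALLOW, DENY, ROLE, CHECK or IGNORE

    @property
    def kind(self) -> str:
        return classify_spec(self.mac_spec)

    def matches(self, mac: str, ip: Optional[str] = None) -> bool:
        """True when this entry applies to the client (MAC, plus IP if the entry carries one)."""
        mac = mac.upper()
        if self.ip is not None and ip != self.ip:
            return False
        if self.kind == "exact":
            return mac == self.mac_spec
        if self.kind == "wildcard":
            return mac.startswith(self.mac_spec[:-1])
        lo, _, hi = self.mac_spec.partition("-")
        return mac_to_int(lo) <= mac_to_int(mac) <= mac_to_int(hi)


def parse_entries(text: str, access_type: str) -> List[DeviceFilter]:
    """Parse the text area: one '<MAC>/<optional_IP> <optional_entry_description>' per line."""
    filters: List[DeviceFilter] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) > 2:
            raise ValueError(f"description must not contain spaces: {line!r}")
        description = fields[1] if len(fields) == 2 else ""
        mac_spec, _, ip = fields[0].partition("/")
        mac_spec = mac_spec.upper()
        classify_spec(mac_spec)  # reject the whole entry early if the MAC part is malformed
        filters.append(DeviceFilter(mac_spec, ip or None, description, access_type))
    return filters


def resolve(filters: List[DeviceFilter], mac: str,
            ip: Optional[str] = None) -> Optional[DeviceFilter]:
    """Pick the entry that takes effect for a client, as the Test page reports it.

    A matching exact-MAC entry always wins. Otherwise the first matching
    wildcard/range entry in list order (the Order page priority) is used.
    Returns None when no device filter applies to the client.
    """
    for f in filters:
        if f.kind == "exact" and f.matches(mac, ip):
            return f
    for f in filters:
        if f.kind != "exact" and f.matches(mac, ip):
            return f
    return None


if __name__ == "__main__":
    # The three example entries from the guide, submitted together with Access Type ALLOW.
    entries = parse_entries(
        "00:16:21:11:4D:67/10.1.12.9 pocket_pc\n"
        "00:16:21:12:* group1\n"
        "00:16:21:13:4D:12-00:16:21:13:E4:04 group2\n", "ALLOW")
    for f in entries:
        print(f"{f.kind:8} {f.mac_spec} ip={f.ip} desc={f.description}")
    # The Order page example: the broader DENY prefix listed above the narrower IGNORE prefix.
    ordered = [DeviceFilter("00:14:6A:*", None, "", "DENY"),
               DeviceFilter("00:14:6A:6B:*", None, "", "IGNORE")]
    print(resolve(ordered, "00:14:6A:6B:60:60").access_type)  # DENY
```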


Test Device Filter Policies


The Test page control allows administrators to determine which device filter and access type will be
applied to the specified MAC for the specified Clean Access Server.
1. Go to Device Management > Filters > Devices > Test
2. Type the MAC address of the device in the MAC Address field.
3. Choose the Clean Access Server from the dropdown menu.
4. Click Submit. The Access Type specified for the corresponding device filter appears in the list
below.

Figure 3-7 Test

View Active L2 Device Filter Policies


The Active L2 In-Band Device Filters list displays all clients currently connected to the CAS, sending
packets, and with their MAC addresses in a device filter. This list is especially useful in cases where
users are configured to bypass authentication (via device filters) and/or posture assessment (such as
when no requirements are enforced). Though by definition these users will not appear in the Online
Users List or Certified Device List , they can still be tracked on the in-band network through the Active
L2 Device Filters List.
To view active L2 devices in filter policies across all Clean Access Servers:
1. Go to Device Management > Filters > Devices > Active
2. Click the Show All button first to populate the Active page with the information from all clients
currently connected to the CAS, sending packets, and with their MAC addresses in a device filter.
3. You can also perform a Search on a client IP or MAC address to populate the page with the result.
By default, the Search parameter performed is equivalent to “contains” for the value entered in the
Search IP/MAC Address field.
Note that for performance considerations, the Active page only displays the most current device
information when you refresh the page by clicking Show All or Search.


Figure 3-8 Active

Note To view active devices for an individual CAS, go to Device Management > CCA Servers > Manage
[CAS_IP] > Filter > Devices > Active.

Edit Device Filter Policies


1. Click the Edit button next to the device filter policy in the filter list. The Edit page appears.
2. You can edit the IP Address, Description, Access Type, and role used. Click Save to apply the
changes.
3. Note that the MAC address is not an editable property of the filter policy. To modify a MAC address,
create a new filter policy and delete the existing policy (as described below).

Delete Device Filter Policies


There are two ways to delete a device access policy or policies:
1. Select the checkbox next to it in the List and click the Delete button. Up to 25 device access
policies per page can be selected and deleted in this way.
2. Use the search criteria to select the desired device filter policies and click Delete List. This removes
all devices filtered by the search criteria across the number of applicable pages. Devices can be
selectively removed using any of the search criteria used to display devices. The “filtered devices
indicator” shown in Figure 3-5 displays the total number of filtered devices that will be removed
when Delete List is clicked.


Configure Subnet Filters


The Subnets tab (Figure 3-9) allows you to specify authentication and access filter rules for an entire
subnet. All devices accessing the network on the subnet are subject to the filter rule.

To set up subnet-based access controls:


1. Go to Device Management > Filters > Subnets.

Figure 3-9 Subnet Filters

2. In the Subnet Address/Netmask fields, enter the subnet address and subnet mask in CIDR format.
3. Optionally, type a Description of the policy or device.
4. Choose the network Access Type for the subnet:
allow – Enables devices on the subnet to access the network without authentication.
deny – Blocks devices on the subnet from accessing the network.
use role – Allows access without authentication and applies a role to users accessing the
network from the specified subnet. If you select this option, also select the role to apply to these
devices. See Chapter 6, “User Management: Configuring User Roles and Local Users” for
details on user roles.
5. Click Add to save the policy.
The policy takes effect immediately and appears at the top of the filter policy list.

Note If bandwidth management is enabled, devices allowed without specifying a role will use the bandwidth
of the Unauthenticated Role. See Control Bandwidth Usage, page 9-13 for details.


After a subnet filter is added, you can remove it using the Delete button or edit it by clicking the
Edit button. Note that the subnet address is not an editable property of the filter policy. To modify
a subnet address, you need to create a new filter policy and delete the existing one.
The Clean Access Server column in the list of policies shows the scope of the policy. If the policy was
configured as a local setting in a Clean Access Server, this field identifies the CAS by IP address. If the
policy was configured globally in the Clean Access Manager, the field displays GLOBAL.
The filter list can be sorted by column by clicking on the column heading label (Subnet, Clean Access
Server, Description, Access Type).


Chapter 4 Switch Management: Configuring Out-of-Band (OOB) Deployment

This chapter describes how to configure Cisco NAC Appliance for out-of-band (OOB) deployment.
Topics include:
• Overview, page 4-1
• Deployment Modes, page 4-4
• Configuring Your Network for Out-of-Band, page 4-12
• Configure Your Switches, page 4-12
• Configure OOB Switch Management in the CAM, page 4-18
• Out-of-Band User List Summary, page 4-50
• OOB Troubleshooting, page 4-51
See Cisco NAC Appliance - Clean Access Server Installation and Administration Guide for additional
information on L3 OOB deployment.

Overview
In a traditional in-band Cisco NAC Appliance deployment, all network traffic to or from clients goes
through the Clean Access Server. For high throughput or highly routed environments, a Cisco NAC
Appliance Out-of-Band (OOB) deployment allows client traffic to pass through the Clean Access
network only in order to be authenticated and certified before being connected directly to the access
network. This section discusses the following topics:
• In-Band Versus Out-of-Band, page 4-2
• Out-of-Band Requirements, page 4-2
• SNMP Control, page 4-4


In-Band Versus Out-of-Band


Table 4-1 summarizes different characteristics of each type of deployment.
Table 4-1 In-Band vs. Out-of-Band Deployment

In-Band: The Clean Access Server (CAS) is always inline with user traffic (both before and following
authentication, posture assessment and remediation). Enforcement is achieved through being inline with
traffic.
Out-of-Band: The Clean Access Server (CAS) is inline with user traffic only during the process of
authentication, assessment and remediation. Following that, user traffic does not come to the CAS.
Enforcement is achieved through the use of SNMP to control switches and VLAN assignments to ports.

In-Band: The CAS can be used to securely control authenticated and unauthenticated user traffic by using
traffic policies (based on port, protocol, subnet), bandwidth policies, and so on.
Out-of-Band: The CAS can control user traffic during the authentication, assessment and remediation
phase, but cannot do so post-remediation since the traffic is out-of-band.

In-Band: Does not provide switch port level control.
Out-of-Band: Provides port-level control by assigning ports to specific VLANs as necessary.

In-Band: In-Band deployment is required when deploying for wireless networks.
Out-of-Band: OOB deployment model does not apply to wireless networks.

In-Band: In-Band deployment is compatible with 802.1x.
Out-of-Band: It is not recommended to use 802.1x with OOB deployment, as conflict will exist between
Cisco NAC Appliance OOB and 802.1x to set the VLAN on the interface/port.

Out-of-Band Requirements
Out-of-band implementation of Cisco NAC Appliance requires the following to be in place:
• Controlled switches must be supported models (or service modules) that use at least the minimum
supported version of IOS or CatOS (supporting mac-notification or linkup/linkdown SNMP traps).
Supported switch models include:
Cisco Catalyst Express 500 Series
Cisco Catalyst 2900 XL
Cisco Catalyst 2940/2950/2950 LRE/2955/2960
Cisco Catalyst 3500 XL
Cisco Catalyst 3550/3560/3750
Cisco Catalyst 4000/4500
Cisco Catalyst 6000/6500
Supported 3750 service modules for Cisco 2800/3800 Integrated Services Router (ISR) include:
NME-16ES-1G
NME-16ES-1G-P
NME-X-23ES-1G
NME-X-23ES-1G-P


NME-XD-24ES-1S-P
NME-XD-48ES-2S-P
• Your Cisco NAC Appliance product license must enable OOB.
• It is recommended for clients to be physically connected to the ports of managed switches.

Note With release 4.1(0)+, administrators can update the object IDs (OIDs) of supported switches through
CAM updates (under Device Management > Clean Access > Updates > Summary | Settings). For
example, if a new switch (such as C3750-XX-NEW) of a supported model (Catalyst 3750 series) is
released, administrators only need to perform Cisco Updates on the CAM to obtain support for the
switch OIDs, instead of performing a software upgrade of the CAM/CAS.
The update switch OID feature only applies to existing models. If a new switch series is introduced,
administrators will still need to upgrade to ensure OOB support for the new switches. See Download
Cisco Updates, page 10-14.

Note • With IOS release 12.2.25(SEG) for CE500, MAC-NOTIFICATION SNMP traps are supported on
all Smartport roles (including DESKTOP and IPPHONE roles). After upgrading to 12.2.25(SEG),
customers can configure MAC-NOTIFICATION for CE500 under Switch Management > Devices
> List > Config [Switch IP] > Config > Advanced on the CAM. For CCA 3.6.2, 3.6.3, 4.0.0, 4.0.1,
4.0.2, CE500 supports linkup/linkdown SNMP notifications by default and the “OTHER role”
warning message can be ignored when changing to MAC-NOTIFICATION traps. Note that in future
CCA releases, this warning message will be removed and the default control method for CE500 will be
MAC-NOTIFICATION traps.
• If running an IOS version lower than 12.2(25) SEG, the CE500 switch ports must be assigned to the
OTHER role (not Desktop or IP phone) on the switch's Smartports configuration, otherwise,
mac-notification will not be sent out.

Note Cisco NAC Appliance OOB supports Cisco Catalyst 3750 StackWise technology. With stacks, when
mac-notification is used and there are more than 252 ports on the stack, mac-notification cannot be
set/unset for the 252nd port using the CAM. There are two workarounds: 1) Use linkup/linkdown SNMP
notifications only. 2) If using mac-notification, do not use the 252nd port and ignore the error; other ports
will work fine.
Clusters are not supported.

Note For the most current details on switch model/IOS/CatOS version support, refer to Switch Support for
Cisco NAC Appliance.


SNMP Control
With out-of-band deployment, you can add switches to the Clean Access Manager’s domain and control
particular switch ports using the Simple Network Management Protocol (SNMP). SNMP is an
application layer protocol used by network management tools to exchange management information
between network devices. Cisco NAC Appliance supports the following SNMP versions:

Read Operations: SNMP V1, SNMP V2c (V2 with community string), SNMP V3
Write Operations: SNMP V1, SNMP V2c (V2 with community string)

You first need to configure the switch to send and receive SNMP traffic to/from the Clean Access
Manager, then configure matching settings on the Clean Access Manager to send and receive traffic
to/from the switch. This will enable the Clean Access Manager to get VLAN and port information from
the switch and set VLANs for managed switch ports.

Deployment Modes
This section describes out-of-band deployment for Virtual Gateway and Real-IP/NAT Gateway. For all
gateway modes, to incorporate Cisco NAC Appliance Out-of-Band in your network, you must add an
Authentication VLAN to your network and trunk all Auth VLANs to the untrusted interface of the Clean
Access Server.
• Basic Connection, page 4-4
• Out-of-Band Virtual Gateway Deployment, page 4-6
• Out-of-Band Real-IP/NAT Gateway Deployment, page 4-9
• L3 Out-of-Band Deployment, page 4-12

Basic Connection
The following diagrams show basic “before” and “after” VLAN settings for a client attached to an
out-of-band deployment. Figure 4-1 illustrates the in-band client and Figure 4-2 illustrates the client
when out-of-band.


Figure 4-1 Before — Client is In-Band for Authentication / Certification

[Diagram: an unauthenticated client on a managed port of the managed switch is on the Auth (quarantine)
VLAN; the switch carries that traffic to the untrusted interface (eth1) of the Clean Access Server, which
connects to the Internet. The Access VLAN and an unmanaged port are also shown.]

When an unauthenticated client first connects to a managed port on a managed switch (Figure 4-1), the
CAM instructs the switch to change the client port to the authentication (quarantine) VLAN specified
in the Port Profile for the port. The switch then sends all traffic from the Auth VLAN client to the
untrusted interface of the Clean Access Server (CAS). The client authenticates through the CAS, and/or
goes through Clean Access certification/posture assessment as configured for the role or device. Because
the client is on the authentication VLAN, all the client’s traffic must go through the CAS and the client
is considered to be in-band.

Figure 4-2 After — Client is Out-of-Band After Being Certified

[Diagram: the same topology after certification; the authenticated client’s managed port is now on the
Access VLAN, and its traffic no longer goes to the untrusted interface (eth1) of the Clean Access Server.]


Once the client is authenticated and certified (i.e. on the Certified List), the CAM instructs the switch to
change the VLAN of the client port to the Access VLAN specified in the Port Profile of the port
(Figure 4-2). Once the client is on the Access VLAN, the switch no longer directs the client’s traffic to
the untrusted interface of the CAS. At this point the client is on the trusted network and is considered to
be out-of-band.
In the event the user reboots the client machine, unplugs it from the network, or the switch port goes
down, this triggers the switch to send a linkdown trap to the CAM. Thereafter, the client port behavior
depends on the Port profile settings for the specific port (see Add Port Profile, page 4-28 for details).

Note You can configure the Initial VLAN of the port to be the Access VLAN. See Add Port Profile, page 4-28
for details.

Out-of-Band Virtual Gateway Deployment


An out-of-band Virtual Gateway deployment provides the following benefits:
• The client never needs to change its IP address from the time it is acquired to the time the client
gains actual network access on the Access VLAN.
• For L2 users, static routes are not required.
In out-of-band Virtual Gateway mode, the Clean Access Server uses the VLAN mapping feature to retag
the unauthenticated client’s allowed traffic (such as DNS or DHCP requests) from the Authentication
VLAN to the Access VLAN and vice versa. In this way, no new client IP address is needed when the
client is eventually switched to the Access VLAN, because the DHCP-acquired IP address is already
paired with the Access VLAN ID.

Note In an environment where there is an 802.1q trunk to the CAS, the CAS will bridge two VLANs together.
This “retagging” is the rewriting of the 802.1q Ethernet header with a new VLAN ID. This feature does
not apply when there is only one Authentication VLAN and one Access VLAN, as no frames are tagged.
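The header rewrite described in the Note above, as an added Python model of VLAN mapping on a Virtual Gateway CAS (illustration code, not Cisco's implementation). It uses this chapter's example mapping of Auth VLAN 100 to Access VLAN 10, the frames are constructed inline, and the treatment of a VLAN that is absent from the mapping table is this model's assumption.

```python
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1q tag


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_tagged_frame(dst: str, src: str, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0, dei: int = 0) -> bytes:
    """Construct an 802.1q-tagged Ethernet frame (sample input, not captured traffic)."""
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0x0FFF)
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID of a tagged frame, or None when the frame carries no 802.1q tag."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def retag(frame: bytes, mapping: Dict[int, int]) -> Optional[bytes]:
    """Rewrite the VLAN ID of a tagged frame according to `mapping`.

    Only the 12-bit VID changes: priority (PCP) and DEI bits, addresses and
    payload are untouched. An untagged frame is returned as-is (the single
    Auth VLAN / single Access VLAN case, where no frames are tagged). A frame
    on a VLAN absent from the mapping yields None so the caller can see it
    was not bridged (an assumption of this model, not documented CAS behaviour).
    """
    vid = vlan_id(frame)
    if vid is None:
        return frame
    if vid not in mapping:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (tci & 0xF000) | (mapping[vid] & 0x0FFF)
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]


class VlanMapper:
    """Bidirectional untrusted<->trusted mapping, e.g. Auth VLAN 100 <-> Access VLAN 10."""

    def __init__(self, untrusted_to_trusted: Dict[int, int]):
        self.to_trusted = dict(untrusted_to_trusted)
        self.to_untrusted = {t: u for u, t in untrusted_to_trusted.items()}

    def from_untrusted(self, frame: bytes) -> Optional[bytes]:
        """Client-side (Auth VLAN) frame heading out the trusted interface."""
        return retag(frame, self.to_trusted)

    def from_trusted(self, frame: bytes) -> Optional[bytes]:
        """Reply from the trusted side (e.g. a DHCP response) heading back to the client."""
        return retag(frame, self.to_untrusted)


if __name__ == "__main__":
    mapper = VlanMapper({100: 10, 200: 20})
    # Constructed broadcast frame from a client on Auth VLAN 100; the payload stands in for a DHCP request.
    request = build_tagged_frame("ff:ff:ff:ff:ff:ff", "00:16:21:11:4d:67", 100, 0x0800,
                                 b"\x45\x00DHCP-DISCOVER", pcp=3)
    trusted = mapper.from_untrusted(request)
    print(vlan_id(request), "->", vlan_id(trusted))  # 100 -> 10
```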

Figure 4-3 illustrates out-of-band Virtual Gateway mode using an L3 router/switch. The router/switch
receives traffic from the Auth VLAN as Layer 2 traffic and forwards it to the untrusted side of the Clean
Access Server. The Virtual Gateway Clean Access Server performs VLAN mapping for allowed traffic
(DNS, DHCP) from the Auth VLAN (untrusted interface) to the Access VLAN (trusted interface) and
vice versa. The router/switch receives traffic from the Access VLAN as Layer 3 traffic and routes it
accordingly. Figure 4-3 illustrates the client authentication and access path for the OOB Virtual Gateway
example described below. In this example, the Authentication VLAN is 100, and the Access VLAN is 10.


Figure 4-3 Out-of-Band VGW Mode: Catalyst 6500 Series Core Router Example

[Diagram: a Clean Access Server (VGW, with VLAN mapping) connects by VLAN trunks to a 650X L2/L3
switch/router, with Access VLANs 10, 20 on its trusted side and Auth VLANs 100, 200 on its untrusted side;
the Clean Access Manager attaches to the 650X. Two edge switches are trunked (Auth, Access) to the 650X,
carrying VLANs 10, 100 and VLANs 20, 200 respectively, each with a client on an Auth VLAN port
(Access VLAN 10 / Auth VLAN 100, and Access VLAN 20 / Auth VLAN 200). The 650x forwards Auth VLAN
traffic at L2 and routes Access VLAN traffic at L3. Clean Access Server VLAN mapping is untrusted to
trusted, e.g. 100 to 10.]

Flow for OOB VGW Mode


1. The unauthenticated user connects the client machine to the network through an access layer switch.
2. The switch sends mac-notification or linkup/linkdown SNMP traps for the client to the CAM.
Because the client is not on the Certified List/Online Users List yet, the CAM sends an SNMP SET
trap to the switch instructing it to change the client port to the Auth VLAN specified in the Port
Profile (100), and the CAM places the client on the out-of-band Discovered Clients list (Switch
Management > Devices > Discovered Clients).
3. The client attempts to acquire a DHCP address. The core L2 switch forwards all Auth VLAN traffic
to the out-of-band Virtual Gateway CAS.


4. The CAS receives the VLAN 100 traffic on its untrusted interface (via the 802.1q trunk).
5. With VLAN mapping rules already configured to map the Auth VLAN to the Access VLAN (under
Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping), the
CAS retags the allowed DHCP traffic from VLAN 100 on its untrusted side to VLAN 10 on its
trusted side and forwards the retagged traffic on its trusted interface to the L3 router/DHCP server.

Note When the CAS is a Virtual Gateway, it can only be in DHCP Passthrough mode. When VLAN
mapping is used for out-of-band, the default permissions on the filters transparently allow DNS
and DHCP traffic from the untrusted interface, and no additional traffic control policies need to
be configured. See the Cisco NAC Appliance - Clean Access Server Installation and
Administration Guide for details on VLAN mapping.

6. From the router’s point of view, this is a request from VLAN 10. The router returns the DHCP
response to VLAN 10 on the CAS.
7. With VLAN mapping rules enabled, the CAS retags the allowed traffic (on the 802.1q trunk) from
VLAN 10 to VLAN 100 and forwards the DHCP response to the initiating client.
8. The client authenticates through the Clean Access Server via web login or the Clean Access Agent.
If Clean Access is enabled, the client goes through the Clean Access process, all the while
transmitting and receiving traffic on the Auth VLAN (100) to the CAS. All traffic that is permitted
for remediation is allowed to pass through the CAS, and is placed on VLAN 10. If the traffic is not
permitted, it is dropped. When certified, the client is placed on the Certified List.
9. At this point, CAM sends an SNMP SET trap to the switch instructing it to change the client port
from the Auth VLAN (100) to the Access VLAN (10) (as specified in the Port Profile), and puts the
MAC address of the client in the OOB Online Users list (Monitoring > Online Users > View
Online Users > Out-of-Band).
10. Because this is an OOB Virtual Gateway deployment, and the client already has an IP address
associated with the Access VLAN, the client port is not bounced after it is switched to the Access
VLAN.
11. Once the client is on the Access VLAN, the client is on the trusted network and the client’s traffic
no longer goes through the Clean Access Server.
12. For certified clients, the Port Profile form (Switch Management > Profiles > Port > New or Edit)
provides the following options (see Add Port Profile, page 4-28 for details). You can switch the
client to:
The Access VLAN specified in the Port Profile form.
The Access VLAN specified for the user role of the client, if you choose to use a role-based
port profile (see Figure 4-9 on page 4-20 for details).
The initial VLAN of the port. For this configuration, the client port is switched to the Auth
VLAN for authentication/certification, then when the client is certified, the port is switched
back to the initial VLAN of the port saved by the CAM when the switch was added.
Note also that:
If the client’s MAC address is on the Certified List, but not on the out-of-band Online Users list
(in other words, the client is certified but logged off the network), you can keep the client on
the Access VLAN at the next login (allowing trusted network access), or you can put the client
on the Auth VLAN at the next login to force the user to re-authenticate through the CAS.
Because the client is already certified, the client does not go through Clean Access certification,
only authentication.


Removing an OOB client from the Certified List removes the out-of-band user from the
Out-of-Band Online Users List. You can optionally configure the port also to be bounced.
Client machine shutdown/reboot will trigger a linkdown trap (if set up on the switch) sent from
the switch to the CAM. The behavior of the client (Agent or web login) depends on the Port
Profile setting for that specific port.
For additional configuration information, see the following sections of the Cisco NAC Appliance - Clean
Access Server Installation and Administration Guide:
• Understanding VLAN Settings
• VLAN Mapping in Virtual Gateway Mode

Out-of-Band Real-IP/NAT Gateway Deployment


In out-of-band Real-IP or NAT gateway deployment, the client IP address has to change when the port
is changed from the Auth VLAN to the Access VLAN.

Note NAT Gateway mode (In-Band or OOB) is not supported for production deployment.

Figure 4-4 illustrates the sequence described below. In this example, the Authentication VLAN is 100,
and the Access VLAN is 10.


Figure 4-4 Out-of-Band Real-IP / NAT Gateway Deployment

[Diagram: an L3 core/distribution layer (L3 for the Access VLANs, e.g. x.x.10.1 and x.x.20.1) with the
Clean Access Manager attached; a Real IP or NAT GW Clean Access Server (L3 for the Auth VLANs, e.g.
x.x.100.1 and x.x.200.1) with a trusted VLAN trunk (Access: VLANs 10, 20) and an untrusted VLAN trunk
(Auth: VLANs 100, 200); a core L2 switch trunked (Auth, Access) to two edge switches carrying VLANs 10,
100 and VLANs 20, 200. Clients sit on Auth VLAN ports: Access VLAN 10 / Auth VLAN 100 (Access Subnet
x.x.10.x, Auth Subnet x.x.100.x) and Access VLAN 20 / Auth VLAN 200 (Access Subnet x.x.20.x, Auth Subnet
x.x.200.x). The authentication path uses the Auth IP; the access path uses the Access IP.]

Flow for OOB Real-IP/NAT Mode


1. The unauthenticated user connects the client machine to the network through an edge switch.


2. The switch sends mac-notification or linkup/linkdown SNMP traps for the client to the CAM.
Because the client is not on the Certified List/Online Users List yet, the CAM sends an SNMP SET
trap to the switch instructing it to change the client port to the Auth VLAN specified in the Port
Profile (100), and the CAM places the client on the out-of-band Discovered Clients list (Switch
Management > Devices > Discovered Clients).
3. The unauthenticated client requests and receives an IP address on the Auth VLAN (x.x.100.x).
4. The client authenticates through the CAS via web login or the Clean Access Agent. If Clean Access
is enabled, the client goes through the Clean Access process, all the while transmitting and receiving
traffic on the Auth VLAN (100) to the CAS. When clean, the client is placed on the Certified List.
The CAS acts as the default gateway while the client remediates. Only permitted traffic is allowed
to pass through from the untrusted to trusted interface.
5. At this point, the CAM instructs the switch to change the client switch port from the Auth VLAN
(100) to the Access VLAN (10) (according to the Port Profile), and puts the client MAC address on
the out-of-band Online Users list (Monitoring > Online Users > View Online Users >
Out-of-Band).
6. The client port is switched to the Access VLAN and is bounced (as set in the Port Profile). When
the port is bounced, the client acts as if the network cable is unplugged, thus releasing its DHCP
binding on the interface. Once the port is brought back up from the shutdown state, the client
performs a DHCP renewal or discovery, as if it was connecting to the network for the first time.
Since the switchport is now on a different VLAN, the client receives a new IP address that is valid
for the access subnet.
7. With an IP address on the Access VLAN (x.x.10.x), the client now transmits traffic on the trusted
network, on the Access VLAN specified in the Port Profile.
8. Once the client is on the Access VLAN, the client’s traffic no longer goes through the CAS.
9. For certified clients, the Port Profile form (Switch Management > Profiles > Port > New or Edit)
provides the following options (see Add Port Profile, page 4-28). You can switch the client to:
– The Access VLAN specified in the Port Profile form.
– The Access VLAN specified for the user role of the client, if you choose to use a role-based
port profile (see Figure 4-9 on page 4-20 for details).
– The initial VLAN of the port. For this configuration, the client port is switched to the Auth
VLAN for authentication/certification, then when the client is certified, the port is switched
back to the initial VLAN of the port saved by the CAM when the switch was added.
Note also that:
– If the client’s MAC address is on the Certified List, but not on the out-of-band Online Users list
(in other words, the client is certified but logged off the network), you can keep the client on
the Access VLAN at the next login (allowing trusted network access), or you can put the client
on the Auth VLAN at the next login to force the user to re-authenticate through the CAS.
Because the client is already certified, the client does not go through Clean Access certification,
only authentication.
– Removing an OOB client from the Certified List removes the out-of-band user from the
Out-of-Band Online Users List and bounces the port. You can optionally configure the Port
Profile not to bounce the port.
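The flow above, as an added example that is not part of this guide or of the Cisco NAC Appliance code: a small model of the decision the CAM makes for one managed port when a trap arrives, a login succeeds, or an admin removes a client from the Certified List. The names PortProfile, Action and OobController are hypothetical; the gateway mode is a plain string; the Certified List, Online Users list and Discovered Clients list are sets; and the global device filter rules (ALLOW, DENY, IGNORE) follow the description under Add Port Profile later in this chapter. The MAC addresses used are constructed.

```python
"""Added example (not Cisco's code): a small model of the Clean Access Manager's
VLAN decision for one managed switch port, following the OOB flow above."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PortProfile:
    """Hypothetical stand-in for the fields of a managed Port Profile."""
    auth_vlan: int
    access_vlan: int
    bounce_port: bool = True                      # Real-IP/NAT: bounce so the client renews DHCP
    reauth_certified_on_reconnect: bool = False   # "Change to Auth VLAN if certified but not in OOB user list"
    use_device_filters: bool = True               # "Change VLAN according to global device filter list"


@dataclass
class Action:
    """What the CAM would do to the port (via SNMP) for a given event."""
    set_vlan: Optional[int] = None
    bounce: bool = False
    note: str = ""


@dataclass
class OobController:
    gateway: str                                   # "virtual", "real_ip" or "nat"
    profile: PortProfile
    device_filters: Dict[str, str] = field(default_factory=dict)  # MAC -> ALLOW / DENY / IGNORE
    certified: Set[str] = field(default_factory=set)    # Certified List
    online: Set[str] = field(default_factory=set)       # Out-of-Band Online Users list
    discovered: Set[str] = field(default_factory=set)   # Out-of-Band Discovered Clients list

    def _bounce_after_login(self) -> bool:
        # Virtual Gateway keeps the client's IP, so no bounce; Real-IP/NAT bounce if the profile says so.
        return self.gateway != "virtual" and self.profile.bounce_port

    def on_trap(self, kind: str, mac: str) -> Action:
        """Handle a mac-notification, linkup or linkdown trap from a managed port."""
        rule = self.device_filters.get(mac) if self.profile.use_device_filters else None
        if rule == "IGNORE":                        # e.g. an IP phone: never touch the port
            return Action(note="trap ignored by global device filter")
        if kind == "linkdown":                      # linkdown traps remove the user from the online list
            self.online.discard(mac)
            return Action(note="removed from Online Users list")
        if rule == "ALLOW":                         # bypass login and certification
            return Action(set_vlan=self.profile.access_vlan, note="device filter ALLOW")
        if rule == "DENY":
            return Action(set_vlan=self.profile.auth_vlan, note="device filter DENY")
        if mac in self.online:
            return Action(set_vlan=self.profile.access_vlan, note="already online")
        if mac in self.certified:
            # Certified but logged off: keep it on the Access VLAN, or force re-authentication.
            if self.profile.reauth_certified_on_reconnect:
                return Action(set_vlan=self.profile.auth_vlan, note="certified; must re-authenticate")
            return Action(set_vlan=self.profile.access_vlan, note="certified; trusted access")
        self.discovered.add(mac)                    # unknown client: quarantine on the Auth VLAN
        return Action(set_vlan=self.profile.auth_vlan, note="unknown client -> Auth VLAN")

    def on_login_success(self, mac: str) -> Action:
        """The client authenticated through the CAS and passed Clean Access."""
        self.discovered.discard(mac)
        self.certified.add(mac)
        self.online.add(mac)
        return Action(set_vlan=self.profile.access_vlan,
                      bounce=self._bounce_after_login(), note="certified -> Access VLAN")

    def remove_from_certified_list(self, mac: str) -> Action:
        """An admin removes the client from the Certified List."""
        self.certified.discard(mac)
        self.online.discard(mac)
        return Action(bounce=self.profile.bounce_port, note="removed from Certified List")


if __name__ == "__main__":
    # Constructed walkthrough: Real-IP gateway, Auth VLAN 100, Access VLAN 10, one IP phone ignored.
    ctl = OobController("real_ip", PortProfile(auth_vlan=100, access_vlan=10),
                        device_filters={"00:11:22:33:44:55": "IGNORE"})
    client = "aa:bb:cc:dd:ee:01"
    print(ctl.on_trap("mac-notification", client))   # Auth VLAN 100, no bounce
    print(ctl.on_login_success(client))              # Access VLAN 10, port bounced
    print(ctl.on_trap("mac-notification", "00:11:22:33:44:55"))  # ignored
```

Walking through steps 2 to 9 of the flow with this model makes the two security-relevant decisions explicit: an unknown MAC never lands on the Access VLAN without passing through the CAS, and a certified-but-offline client is only re-quarantined when the profile asks for it.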


L3 Out-of-Band Deployment
For details on L3 OOB, refer to the following sections:
• Enable Web Client for Login Page, page 5-6
• “Configuring Layer 3 Out-of-Band (L3 OOB)” in the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide.

Configuring Your Network for Out-of-Band


The Clean Access Manager (CAM) manages out-of-band Clean Access Servers (CASes) and switches
through the admin network. The trusted interface of the Clean Access Server is connected to the switch
port on the admin/access VLAN or to the admin network directly, and the untrusted interface is
connected to the switch port on the Authentication VLAN. When a client connects to a managed port on
a managed switch, the port is set to the Authentication VLAN and the traffic to/from the client goes
through the Clean Access Server. After the client is authenticated and certified through the Clean Access
Server, the port connected to the client is changed to the Access VLAN. In this way, traffic from/to
certified clients bypasses the Clean Access Server. For a Real-IP/NAT Gateway setup, the client port is
also bounced to prompt the client to acquire a new IP address from the admin/access VLAN.

Note • NAT Gateway mode (In-Band or OOB) is not supported for production deployment.
• If configuring the CAS as an OOB Virtual Gateway, do not connect the untrusted interface to the
switch until VLAN mapping has been configured correctly under Device Management > CCA
Servers > Manage [CAS_IP_address] > Advanced > VLAN Mapping. See the Cisco NAC
Appliance - Clean Access Server Installation and Administration Guide for details.

Configure Your Switches


This section describes the steps needed to set up switches to be used with Cisco NAC Appliance
Out-of-Band.
• Configuration Notes, page 4-12
• OOB Network Setup / Configuration Worksheet, page 4-17
• Example Switch Configuration Steps, page 4-13

Configuration Notes
The following considerations should be taken into account when configuring switches for OOB:
• Because Cisco NAC Appliance OOB can control switch trunk ports, ensure the uplink ports for
managed switches are configured as “unmanaged” ports after upgrade to 4.1(x). This can be done in
one of two ways:
– Before upgrade, change the Default Port Profile for the entire switch to “unmanaged” (see
Config Tab, page 4-47), or


– After upgrade, change the Profile for the applicable uplink ports of the switch to “unmanaged”
(see Ports Tab, page 4-40).
This will prevent unnecessary issues when the Default Port Profile for the switch has been
configured as a managed/controlled port profile.
• Cisco NAC Appliance OOB supports 3750 StackWise technology. With stacks, when
mac-notification is used and there are more than 252 ports on the stack, mac-notification cannot be
set/unset for the 252nd port using the CAM. There are two workarounds: 1) Use linkup/linkdown
SNMP notifications only. 2) If using mac-notification, do not use the 252nd port and ignore the
error; other ports will work fine.
• Switch clusters are not supported. As a workaround, assign an IP address to each switch.
• It is recommended to enable ifindex persistence on the switches.
• It is recommended to turn on portfast on access ports (those directly connected to client machines).
• It is recommended to set the mac-address aging-time to a minimum of 3600 seconds.
• On some models of Cisco switches (e.g. 4507R, IOS Version 12.2(18) EW), the MAC address(es)
connected to a particular port may not be available after Port Security is enabled.
• If implementing High-Availability, do not enable Port Security on the switch interfaces to which the
CAS and CAM are connected. This can interfere with CAS HA and DHCP delivery.
• You must ensure your switch has the Access VLAN in its VLAN database to ensure proper
switching behavior. On some models of Cisco switches (e.g. 6506, IOS Version 12.2(18) SXD3),
MAC address(es) connected to a particular port may not be available when the Access VLAN of the
port does not exist in the VLAN database.

• Only Ethernet (Fa, Gi, fiber) port types (reported by SNMP) are displayed.
• If no healthy Clean Access Manager is in service, ports remain in the VLAN they are in until
connectivity to the CAM is restored.

Example Switch Configuration Steps


1. Connect the machines and switches. Write down the admin VLAN, Access VLAN, Authentication
VLAN and other information (see Table 4-2).
2. The following example illustrates a sample out-of-band Virtual Gateway setup.

Clean Access Manager (CAM): 10.201.2.15
CAM management VLAN 2
Clean Access Server (CAS): 10.201.5.15
CAS management VLAN 5
Access VLANs: 10, 20
Authentication VLANs: 31, 41
Switch (Catalyst 2950): 10.201.3.16

The trusted interface of the CAS is connected to the trunk port for Access VLANs 10, 20.
The untrusted interface of the CAS is connected to the trunk port for Auth VLANs 31, 41.
Refer to the switch documentation for details on configuring your specific switch model.


3. Configure the IP address (10.201.3.16) and Access VLANs (10, 20).
4. When using Virtual Gateway with VLAN mapping, make sure there is no VLAN interface for any
of the Auth VLANs on your existing Layer 3 switch or router (e.g. CAT 6500). For example, for an
Access VLAN 10 and Auth VLAN 31 for which VLAN mapping has been configured on the CAS,
if an interface already exists on the L3 switch/router for the Auth VLAN, you can turn it off
using the following commands:
(config)# no int vlan 31
(config)# vlan 31

The first command turns off the interface and the second ensures VLAN 31 (Auth VLAN) is in the
VLAN database table. You will also need to Enable VLAN Mapping in the CAS as described in
Figure 4-8 on page 4-20.
5. For Real-IP Gateways, add static routes on the L3 switch or router to route traffic for the managed
subnets to the trusted interface of the respective CASes.
6. Configure SNMP miscellaneous settings:
(config)# snmp-server location <location_string>
(config)# snmp-server contact <admin_contact_info>

Note When configuring SNMP settings on switches, never use the “@” character in the community string.

7. Configure the SNMP read community string used in Configure Switch Profiles, page 4-24. The
SNMP read-only community string is “c2950_read”:
(config)# snmp-server community c2950_read RO

8. Configure the SNMP write community string (V1/V2c) or username/password (V3) used in
Configure Switch Profiles, page 4-24.
SNMP V1/V2c settings (SNMP read-write community string is “c2950_write”):
(config)# snmp-server community c2950_write RW

SNMP V3 settings (username: “c2950_user”; password: “c2950_auth”):
(config)# snmp-server group c2950_group v3 auth read v1default write v1default
(config)# snmp-server user c2950_user c2950_group v3 auth md5 c2950_auth

9. Enable MAC-Notification/Linkup/Linkdown SNMP traps and set MAC address table aging-time
when necessary for the switch. If enabling MAC notification traps, the MAC address table
aging-time must be set to a non-zero value. Cisco recommends setting the MAC address table
aging-time to at least 3600 seconds for switches that have limited space for MAC addresses, and to
a higher value (e.g. 1000000) if your switches support a sufficiently large number of MAC entries.
If a switch supports mac-notification traps, Cisco NAC Appliance uses the mac-notification trap by
default, in addition to linkdown traps (to remove users). If the switch does not support the
mac-notification trap, the Clean Access Manager uses linkup/linkdown traps only.
(config)# snmp-server enable traps mac-notification
(config)# snmp-server enable traps snmp linkup linkdown
(config)# mac-address-table aging-time 3600

10. Enable the switch to send SNMP mac-notification and linkup traps to the Clean Access Manager.
The switch commands used here depend on the SNMP version used in the SNMP trap settings in
Configure SNMP Receiver, page 4-32.


Note For better security, administrators should use SNMP V3 and define ACLs to limit SNMP write
access to the switch.

SNMP v1 (SNMP community string is “cam_v1”):
(config)# snmp-server host 10.201.2.15 traps version 1 cam_v1 udp-port 162
mac-notification snmp

SNMP V2c (SNMP community string is “cam_v2”):
(config)# snmp-server host 10.201.2.15 traps version 2c cam_v2 udp-port 162
mac-notification snmp

SNMP v3 (SNMP username/password is “cam_user”/“cam_auth”). The group command should be
run after the user and host commands:
(config)# snmp-server user cam_user cam_group v3 auth md5 cam_auth
(config)# snmp-server host 10.201.2.15 traps version 3 auth cam_user udp-port 162
mac-notification snmp
(config)# snmp-server group cam_group v3 auth read v1default write v1default
notify v1default

11. Enable the Port Fast command to bring a port more quickly to a Spanning Tree Protocol (STP)
forwarding state. You can do this at the switch configuration level for all interfaces, or at the
interface configuration level for each interface:
Switch configuration level:
(config)# spanning-tree portfast default

Interface configuration level:


(config-if)# spanning-tree portfast
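As an added example (not Cisco's code and not part of this guide), the following script audits a Catalyst running-config excerpt against the prerequisites set out in steps 4 and 6 to 11 and in Configuration Notes: no “@” in community strings, a non-zero (recommended 3600 s or more) MAC aging time when mac-notification traps are enabled, a trap host entry that delivers mac-notification traps to the CAM, Auth VLANs present in the VLAN database but without a Layer 3 VLAN interface, portfast on access ports, and a warning when a V1/V2c read-write community is still in use. The config text is constructed for the example and reuses the chapter's sample values (CAM 10.201.2.15, Access VLANs 10 and 20, Auth VLANs 31 and 41); several of its lines are deliberately wrong so that the checks have something to report. The function names are hypothetical.

```python
"""Added example (not Cisco's code): audit a Catalyst running-config excerpt for
the out-of-band switch prerequisites described in this chapter."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample based on the chapter's walkthrough values. Deliberate defects:
# an '@' in a community string, aging-time 0, an SVI for Auth VLAN 31, and an
# access port (F0/10) without portfast.
SAMPLE_CONFIG = """\
snmp-server location Building_1
snmp-server community c2950_read RO
snmp-server community c2950_write RW
snmp-server community bad@string RW
snmp-server enable traps mac-notification
snmp-server enable traps snmp linkup linkdown
snmp-server host 10.201.2.15 traps version 2c cam_v2 udp-port 162 mac-notification snmp
mac-address-table aging-time 0
vlan 31
vlan 41
!
interface Vlan31
 ip address 10.60.31.1 255.255.255.0
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/11
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
"""

Finding = Tuple[str, str]  # (severity: "error" | "warn", message)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented sub-commands under each 'interface ...' stanza by name."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return blocks


def audit_oob_config(config: str, cam_ip: str, auth_vlans: Set[int],
                     min_aging: int = 3600) -> List[Finding]:
    findings: List[Finding] = []
    lines = [ln.strip() for ln in config.splitlines()]

    # 1. Community strings must never contain '@' (note under step 6).
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        if "@" in m.group(1):
            findings.append(("error", f"community string {m.group(1)!r} contains '@'"))

    # 2. mac-notification traps require a non-zero aging time; 3600 s or more is recommended.
    mac_notif = "snmp-server enable traps mac-notification" in lines
    aging = re.search(r"^mac-address-table aging-time (\d+)", config, re.M)
    if mac_notif:
        if aging is None or int(aging.group(1)) == 0:
            findings.append(("error", "mac-notification enabled but aging-time is 0 or unset"))
        elif int(aging.group(1)) < min_aging:
            findings.append(("warn", f"aging-time {aging.group(1)} is below the recommended {min_aging}"))

    # 3. The switch must send mac-notification traps to the CAM (step 10).
    host_re = re.compile(rf"^snmp-server host {re.escape(cam_ip)} .*mac-notification", re.M)
    if not host_re.search(config):
        findings.append(("error", f"no 'snmp-server host {cam_ip} ... mac-notification' entry"))

    # 4. Auth VLANs: in the VLAN database, but with no Layer 3 interface (step 4).
    interfaces = parse_interfaces(config)
    svi_names = {name.lower(): name for name in interfaces}
    for vlan in sorted(auth_vlans):
        if f"vlan {vlan}" not in lines:
            findings.append(("error", f"Auth VLAN {vlan} is missing from the VLAN database ('vlan {vlan}')"))
        if f"vlan{vlan}" in svi_names:
            findings.append(("error", f"interface {svi_names[f'vlan{vlan}']} exists; remove it with 'no int vlan {vlan}'"))

    # 5. Client-facing access ports should run portfast (step 11).
    for name, body in interfaces.items():
        if "switchport mode access" in body and "spanning-tree portfast" not in body:
            findings.append(("warn", f"{name}: access port without spanning-tree portfast"))

    # 6. V1/V2c read-write communities: prefer SNMP V3 and an ACL on write access.
    if re.search(r"^snmp-server community \S+ RW", config, re.M):
        findings.append(("warn", "V1/V2c RW community in use; prefer SNMP V3 and restrict write access"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_oob_config(SAMPLE_CONFIG, "10.201.2.15", {31, 41}):
        print(f"{severity:5} {message}")
```

Running it against the sample reports three errors (the “@” community, the zero aging time, and the Vlan31 interface) and two warnings (F0/10 without portfast, a V1/V2c RW community). Fixing those lines in the text, as the test below does, brings the error count to zero; the same checks can be run over a `show running-config` capture before a switch is added under Switch Management > Devices.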

Figure 4-5 Example Physical Setup
[Figure labels: PIX to the Internet, 172.16.1.1; CAT 3550 with F0/1 (172.16.1.61), F0/2 (VLAN 2), F0/8 (VLAN 3,10,20) and F0/17 (VLAN 2,10,20); CAM6 (eth0); CAS6 (eth0 10.60.3.2, eth1); CAT 2950 (172.16.1.64, VLAN 2) with F0/17, F0/18 (VLAN 31,41) and F0/24 (VLAN 10,20). Note: CAS interfaces should be on a separate VLAN from the Manager VLAN and access VLANs.]


Figure 4-6 Example L3 Switch Configuration

!To PIX
interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
!
! To Manager
interface FastEthernet0/2
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/3
 switchport access vlan 2
 switchport mode access
!
interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 3,10,20
 switchport mode trunk
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
!
interface VLAN1
 ip address 192.168.1.61 255.255.255.0
 shutdown
!
interface VLAN2
 ip address 172.16.1.60 255.255.255.0
!
interface VLAN3
 ip address 10.60.3.1 255.255.255.0
!
interface VLAN10
 ip address 10.60.10.1 255.255.255.0
!
interface VLAN20
 ip address 10.60.20.1 255.255.255.0
!
ip default-gateway 172.16.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.1.1
ip http server
!
Note: No int vlan 31 or 41 (the Auth VLANs have no VLAN interface on this switch).


OOB Network Setup / Configuration Worksheet


Table 4-2 summarizes information needed to configure switches and the Clean Access Manager.
Table 4-2 Configuration Worksheet

Configuration Settings                                                  Value
Switch Configuration
  Switch IP Address:
  Access VLANs:
  Auth VLANs:
  location_string:
  admin_contact_info:
  SNMP version used:
  SNMP (V1/V2c) read community string:
  SNMP (V1/V2c) write community string:
  SNMP (V3) auth method/username/password:
  mac-notification or linkup:
  SNMP Trap V1/V2c community string, or SNMP Trap V3 auth method/usr/pwd (to send traps to CAM):
CAM/CAS Configuration
  CAM IP address:
  CAS Trusted IP address:
  CAS Untrusted IP address:
  CAM VLAN (management):
  CAS VLAN (management):
  CAM SNMP Trap Receiver:
  Community string for SNMP Trap V1 switches:
  Community string for SNMP Trap V2c switches:
  Auth method/username/password for SNMP Trap V3 switches:


Configure OOB Switch Management in the CAM


This section describes the web admin console configuration steps to implement out-of-band. In general,
you first configure Group, Switch, and Port profiles, as well as the Clean Access Manager’s SNMP
Receiver settings, under Switch Management > Profiles. After profiles are configured, add the switches
you want to control to the Clean Access Manager’s domain under Switch Management > Devices, and
apply the profiles to the switches.
After switches are added, the ports on the switch are discovered, and the Port and Config buttons and
pages for each switch appear on Switch Management > Devices > Switches > List.
Clicking the manage Ports button brings up the Ports tab. The Ports page is where you apply a managed
Port Profile to a specific port(s) to configure how a client’s traffic is temporarily routed through the CAS
for authentication/ certification before being allowed on the trusted network.
The configuration sequence is as follows:

Step 1 Plan your settings and configure the switches to be managed, as described in previous section Configure
Your Switches, page 4-12.
Step 2 Add Out-of-Band Clean Access Servers and Configure Environment, page 4-19
Step 3 Configure Global Device Filters to Ignore IP Phone MAC Addresses, page 4-22
Step 4 Configure Group Profiles, page 4-22
Step 5 Configure Switch Profiles, page 4-24
Step 6 Configure Port Profiles, page 4-27
Step 7 Configure SNMP Receiver, page 4-32
Step 8 Add Managed Switch, page 4-36
Step 9 Manage Switch Ports, page 4-40


Add Out-of-Band Clean Access Servers and Configure Environment


Almost all the CAM/CAS configuration for Out-of-Band deployment is done directly in the Switch
Management module of the web admin console. Apart from the Switch Management module
configuration, OOB setup is almost exactly the same as traditional in-band setup, except for the
following differences:
1. Choose an Out-of-Band gateway type when you add your Clean Access Server(s).

Figure 4-7 Add New OOB Server

The out-of-band Server Types appear in the dropdown menu to add a new Clean Access Server (see
Figure 4-7):
– Out-of-Band Virtual Gateway
– Out-of-Band Real-IP Gateway
– Out-of-Band NAT Gateway
The Clean Access Server itself must be either in-band or out-of-band. The Clean Access Manager
can control both in-band and out-of-band CASes in its domain.

Note NAT Gateway mode (In-Band or OOB) is not supported for production deployment.

Note • For Virtual Gateway (In-Band or OOB), do not connect the untrusted interface (eth1) of the CAS to
the switch until after the CAS has been added to the CAM via the web console.
• For Virtual Gateway with VLAN mapping (In-Band or OOB), do not connect the untrusted interface
(eth1) of the CAS to the switch until VLAN mapping has been configured correctly under Device
Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. See the Cisco
NAC Appliance - Clean Access Server Installation and Administration Guide for details.


2. For OOB Virtual Gateways, you must enable and configure VLAN mapping (Figure 4-8) on the
CAS for each Auth/Access VLAN pair configured on the switch. This is required in order to retag
an unauthenticated client’s allowed traffic (e.g. DHCP/DNS) from the Auth VLAN to the Access
VLAN (and vice-versa). See the Cisco NAC Appliance - Clean Access Server Installation and
Administration Guide for further details on VLAN mapping.

Figure 4-8 Enable VLAN Mapping for Out-of-Band Virtual Gateways
[Figure callouts: Enable VLAN Mapping (click Update); Add Auth to Access VLAN Mapping; Verify settings]

3. If you plan to use role-based port profiles (see Configure Port Profiles, page 4-27), specify the
Access VLAN in the Out-of-Band User Role VLAN field when you create a new user role
(Figure 4-9). See Add New Role, page 6-6 for details.

Figure 4-9 Configure User Role with Access VLAN
[Figure callout: Add Access VLAN here to use role-based port profiles]


Note You can specify VLAN Name or VLAN ID in the Port Profile or for the Out-of-Band User Role VLAN. You
can specify only numbers for VLAN ID. VLAN Name is case-sensitive, but you can specify wildcards
for VLAN Name. The switch will use the first match for the wildcard VLAN Name.

4. When out-of-band is enabled, the Monitoring > View Online Users page displays links for both
In-Band and Out-of-Band users, along with out-of-band display settings (Figure 4-10). See Out-of-Band
Users, page 14-7 for details.

Figure 4-10 View Out-of-Band Online Users
[Figure callout: Out-of-band user display settings]


Configure Global Device Filters to Ignore IP Phone MAC Addresses


An important feature of any OOB configuration is to ensure that IP Phones through which client machines
connect to the network do not inadvertently terminate the client connection when MAC-notification
events from the IP phone initiate a change in the network connection, such as a VLAN switch. Use global
Device Filters (Device Management > Filters > Devices > New or Edit) to ensure Cisco Clean Access
ignores SNMP trap events from the IP phones by explicitly listing and ignoring the IP phone MAC
addresses, and enable the Change VLAN according to global device filter list option when you follow
the configuration steps in Add Port Profile, page 4-28.
For more information, see Device Filters for Out-of-Band Deployment Using VoIP Phones, page 3-11.
For detailed configuration instructions, see Add Global Device Filter, page 3-13.

Configure Group Profiles


When you first add a switch to the Clean Access Manager’s domain (under Switch Management >
Devices), a Group profile must be applied to add the new switch. There is a predefined Group profile
called default, shown in Figure 4-11. All switches are automatically put in the default group when you
add them. You can leave this default Group profile setting, or you can create additional Group profiles
as needed. If you are adding and managing a large number of switches, creating multiple Group profiles
allows you to filter which sets of devices to display from the list of switches (under Switch Management
> Devices > Switches > List).

Figure 4-11 Group Profiles List

Add Group Profile


1. Go to Switch Management > Profiles > Group > New.


2. Enter a single word for the Group Name. You can use digits and underscores, but no spaces.
3. Enter an optional Description.
4. Click Add. The new Group profile appears under Switch Management > Profiles > Group > List.

Edit Group Profile


1. To edit the profile later, after actual switches are added, go to Switch Management > Profiles >
Group > List and click the Edit button for the new Group profile.
2. The Edit page appears.

3. You can toggle the switches that belong in the Group profile by selecting the IP address of the switch
from the Member Switches or Available Switches columns and clicking the Join or Remove
buttons as applicable.
4. Click the Update button when done to save your changes.

Note To delete a group profile, you must first remove the joined switches from the profile.


Configure Switch Profiles


A Switch profile must first be created under Switch Management > Profiles > Switch > New, then
applied when a new switch is added. A Switch profile classifies switches of the same model and SNMP
settings, as shown in Figure 4-12. The Switch profile configures how the CAM will read/write/change
port settings (such as Access/Auth VLAN) on a switch of this particular type.

Figure 4-12 Switch Profiles List

The Switch profiles list under Switch Management > Profiles > Switch > List provides three buttons:
• Switches — Clicking this button brings up the list of added switches under Switch
Management > Devices > Switches > List (see Figure 4-19).
• Edit — Clicking this button brings up the Edit Switch profile form (see Figure 4-14).
• Delete — Clicking this icon deletes the Switch profile (a confirmation dialog will appear first).


Add Switch Profile


Use the following steps to add a Switch profile.
1. Go to Switch Management > Profiles > Switch > New.

Figure 4-13 New Switch Profile

2. Enter a single word for the Profile Name. You can use digits and underscores, but no spaces.

Tip It is a good idea to enter a Switch Profile name that identifies the switch model and SNMP read
and write versions, for example “2950v2v3.”

3. Choose the Switch Model for the profile from the dropdown menu.
4. Enter the SNMP Port configured on the switch to send/receive traps. The default port is 161.
5. Enter an optional Description.
6. Configure SNMP Read Settings to match those on the switch.
– Choose the SNMP Version: SNMP V1 or SNMP V2C.
– Type the Community String configured for the switch.
7. Configure SNMP Write Settings to match those on the switch.
– Choose the SNMP Version: SNMP V1, SNMP V2C, or SNMP V3.
– Type the Community String for SNMP V1 or SNMP V2C configured for the switch.
8. If SNMP v3 is used for SNMP write settings on the switch, configure the following settings to match
those on the switch:
– Choose a Security Method from the dropdown menu: NoAuthNoPriv, AuthNoPriv(MD5),
AuthNoPriv(SHA), AuthPriv(MD5+DES-CBC), or AuthPriv(SHA+DES-CBC)
– Type the User Name


– Type the User Auth
– Type the User Priv
9. Click Add to add the Switch profile to Switch Management > Profiles > Switch > List
(Figure 4-19).
Figure 4-14 illustrates a switch profile defining Cisco Catalyst 2950 switches with the same SNMP
settings: SNMP V2c with read community string “c2950_read” and write community string
“c2950_write.”

Figure 4-14 Example Switch Profile


Configure Port Profiles


The Port profile determines whether a port is managed or unmanaged, the Authentication and Access
VLANs to use when switching the client port, and other behavior for the port (see Ports Tab, page 4-40).
There are four types of port profiles for switch ports (shown in Figure 4-15):
• Unmanaged – For uncontrolled switch ports that are not connected to clients (such as printers,
servers, switches, etc.). This is typically the default Port profile.
• Managed with Auth VLAN/Default Access VLAN – Controls client ports using the Auth VLAN and
Default Access VLAN defined in the Port profile.
• Managed with Auth VLAN/User Role VLAN – Controls client ports using the Auth VLAN defined
in the Port profile and the Access VLAN defined in the user role (see Figure 4-9 on page 4-20).
• Managed with Auth VLAN/Initial Port VLAN – Controls client ports using the Auth VLAN defined
in the Port profile and the Access VLAN defined as the initial port VLAN of the switch port.
Regular switch ports that are not connected to clients use the unmanaged Port profile. Client-connected
switch ports use managed Port profiles. When a client connects to a managed port, the port is set to the
authentication VLAN. After the client is authenticated and certified, the port is set to the access VLAN
specified in the Port profile (Default Access VLAN, or User Role VLAN, or Initial Port VLAN).
In OOB Real-IP/NAT gateway modes, the CAM enables port bouncing to help clients acquire a new IP
address after successful authentication and certification. In OOB Virtual Gateway mode, port bouncing
is not necessary as the client uses the same IP address after successful authentication and certification.

Figure 4-15 Port Profiles List


Add Port Profile


You will need to add a Port profile for each set of Auth/Access VLANs you configure on the switch.

Note For OOB Virtual Gateways, you must enable and configure VLAN mapping on the CAS for each
Auth/Access VLAN pair configured on the switch. See Figure 4-8 on page 4-20 for more details.

1. Go to Switch Management > Profiles > Port > New.

Figure 4-16 New Port Profile

2. Type a single word for the Profile Name. You can use digits and underscores, but no spaces. The
name should reflect whether the Port profile is managed or unmanaged.


Note In addition to providing a Port Profile name that reflects whether the port to which this
profile is applied is managed or unmanaged, Cisco recommends you also provide
information about the nature of the port profile if the purpose is to ensure reliable client
machine connection through a network IP phone.

3. Type an optional Description for the Port profile.


4. Click the checkbox for Manage this port to enable configuration of this Port Profile. This enables
the port management options on the page.
5. For Auth VLAN, choose either VLAN ID (default) or VLAN Name from the dropdown menu and
type the corresponding authentication/quarantine VLAN ID or name to be used for this port profile:
– If choosing VLAN ID—you can specify only numbers in the text field.
– If choosing VLAN Name—the text field is case-sensitive. You can specify wildcards for the
VLAN name, such as: abc, *abc, abc*, or *abc*. The switch will use the first match for the
wildcard VLAN name. You can also use special characters in the name.
6. For Default Access VLAN, choose either VLAN ID (default) or VLAN Name from the dropdown
and type the corresponding VLAN ID or name to be used as the default access VLAN for this port
profile.
– If choosing VLAN ID—you can specify only numbers in the text field.
– If choosing VLAN Name—the text field is case-sensitive. You can specify wildcards for the
VLAN name, such as: abc, *abc, abc*, or *abc*. The switch will use the first match for the
wildcard VLAN name. You can also use special characters in the name.

Note If the switch cannot find the VLAN specified (e.g. VLAN Name is mistyped), the error will appear on
the perfigo.log (not the Event Log).

7. For Access VLAN, choose one of the following options from the dropdown menu:
– Default Access VLAN—The CAM will put authenticated users with certified devices on the
Default Access VLAN specified in the Port Profile.
– User Role VLAN—The CAM will put authenticated users with certified devices on the Access
VLAN specified in the User Role (for details, see Figure 4-9: Configure User Role with Access
VLAN, page 4-20 and Out-of-Band User Role VLAN, page 6-10).
– Initial Port VLAN—The CAM will put authenticated users with certified devices on the Initial
VLAN specified for the port in the Ports configuration page (see Ports Tab, page 4-40 for
details). The initial VLAN is the value saved by the CAM for the port when the switch is added.
Instead of using a specified Access VLAN, the client is switched from the initial port VLAN to
an Auth VLAN for authentication and certification, then switched back to the initial port VLAN
when the client is certified.

Port Profile Options when Device is Connected to Port


The CAM discovers the device connected to the switch port from the SNMP mac-notification or linkup
traps it receives. The port is assigned the Auth VLAN if the device is not certified, or the Access VLAN if
the device is certified and the user is authenticated. You can additionally configure the following options:

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 4 Switch Management: Configuring Out-of-Band (OOB) Deployment
Configure OOB Switch Management in the CAM

8. Change VLAN according to global device filter list (device must be in list)
Check this option if you have configured a global Device Filter to ignore the MAC addresses of IP
phones on your network, or if you want the CAM’s global Device Filter rules to set the VLAN
of the port. You must have device filters added under Device Management > Filters > Devices for
this feature to work. For OOB, the device filter rules are as follows:
ALLOW—bypass login and posture assessment (certification) and assign the Default Access
VLAN to the port.
DENY—bypass login and posture assessment (certification) and assign the Auth VLAN to the
port.
ROLE—bypass login and L2 posture assessment (certification) and assign the User Role VLAN
to the port (see Out-of-Band User Role VLAN, page 6-10).
CHECK—bypass login, apply posture assessment, and assign the User Role VLAN to the port
(see Out-of-Band User Role VLAN, page 6-10).
IGNORE—ignore SNMP traps from managed switches for this MAC address (typically IP phones).

Note Rules configured for MAC addresses on the global Device Filter list have the highest priority for
user/device processing in both OOB and IB deployments. See Device Filters for Out-of-Band
Deployment, page 3-11 for further details.

9. Change to [Auth VLAN | Access VLAN] if the device is certified, but not in the out-of-band
user list
This option is automatically enabled when a port is managed. Choose which VLAN to use when the
device is certified and the user is reconnecting to the port:
Default Auth VLAN—Force Access VLAN clients on this port to re-authenticate on the Auth
VLAN the next time they connect to the network.
Default Access VLAN—Allow clients to stay on the trusted network without having to login
again the next time they connect to the network.
10. Bounce the port after the VLAN is changed
For Real-IP or NAT gateways, check this box to prompt the client to get a new IP address once
switched to the Access VLAN.
For Virtual gateways, leave this box unchecked.

Note If you are using the 4.1.0.0 Clean Access Agent, the ActiveX Control, or the Java Applet to refresh
client DHCP IP addresses, the Bounce the switch port after VLAN is changed option in the Port Profile
can be left disabled. Refer to DHCP Release/Renew with Clean Access Agent/ActiveX/Applet, page 5-6 and see
Advanced Settings, page 4-33 for additional details on configuring the DHCP Release, VLAN Change, and
DHCP Renew delays.

11. Generate event logs when there are multiple MAC addresses detected on the same switch port
You can check this box to generate event logs when multiple MAC addresses are found on the same
switch port.

Port Profile Options when Device is Disconnected from Port


A device is considered disconnected after one of the following events:
• SNMP linkdown trap received
• Administrator removes user
You can additionally configure the following options:
12. Remove out-of-band online user when SNMP linkdown trap is received
Check this box to ensure that an Access VLAN client is removed from the OOB Online User list
when it disconnects from or reconnects to the same port. (See Advanced, page 4-48 for details on linkdown
traps.)
If checked, and the client is on the Certified List, when the client disconnects (causing a
linkdown trap to be sent) then reconnects to the port, the client is put on the VLAN configured
in the Change to [Auth VLAN | Access VLAN] if the device is certified, but not in the
out-of-band user list setting.
If unchecked, and the client is on the Certified List, the client remains on the OOB online user
list when disconnecting/reconnecting to the network and remains on the same Access VLAN.
If unchecked, and the client is not on the Certified List, the client will be switched to the Auth
VLAN the next time the client connects to the network.
13. Remove other out-of-band online users on the switch port when a new user is detected on the
same port.
This is a new feature with release 4.1(0) that enables administrators to remove other online
out-of-band users on the switch port when a new user is detected on the same port. It also allows for
the modification of the port profile if an existing user is seen on a different switch port.
Checking this option ensures that only one valid user is allowed on one switch port at the same time.
If an online user (e.g. “user1”) is currently on a switch port (e.g. “fa0/1” on switch “c2950”) and this
option is enabled for the Port Profile applied to that port, “user1” will be removed if another user
(e.g. “user2”) signs in from the same switch port or moves to this port from another location.
14. Remove out-of-band online user without bouncing the port
When any user is removed from the OOB Online User list, the port is changed from the Access
VLAN to the Auth VLAN. Note that users removed from the Certified Devices list are also
always removed from the Online User list (IB or OOB). If the Remove out-of-band online user
without bouncing the port option is checked, the port will not be bounced when a user is removed
from the OOB Online User list. If this option is not checked, the port will be bounced when a user
is removed from the OOB Online User list.
This option is intended to prevent bouncing of a switch port when a client machine is connected to
the switch port through a VoIP phone. The feature allows Cisco NAC Appliance to
authenticate/assess/quarantine/remediate a client machine (laptop/desktop) without affecting the
operation of a VoIP phone connected to the switch port. When this option is checked for OOB
Virtual Gateways, the client port will not be bounced when:
Users are removed from the Out-of-Band Online Users List, or
Devices are removed from the Certified Devices list
Instead, the port Access VLAN will be changed to the Auth VLAN.
15. Click Add to add the port profile to the Switch Management > Profiles > Port > List.
See Manage Switch Ports, page 4-40 for further details on Port profiles and the Ports config page.
See Online Users List, page 14-3 for further details on monitoring online users.
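The VLAN decision that a Port Profile makes from steps 5 through 9 above is easier to follow in code. The following Python is an added example and is not part of this guide or of the Cisco NAC Appliance software; it models the rules as the text describes them. The switch VLAN table, MAC addresses, role name, and profile values are constructed for the example, and resolve_vlan() implements the VLAN Name wildcard rule (abc, *abc, abc*, *abc*, case-sensitive, first match wins) from steps 5 and 6.

```python
"""Added example (not Cisco NAC Appliance code): models how a CAM Port Profile
chooses the VLAN for a managed switch port, following steps 5 to 9 above.
The switch VLAN table, MAC addresses, role name and profile values are
constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Constructed switch VLAN database (VLAN ID -> name), as the CAM would read it
# from the switch over SNMP; dict order stands in for the switch's table order.
SWITCH_VLANS = {10: "DATA-HR", 20: "DATA-ENG", 30: "auth-quarantine", 40: "VOICE"}


def resolve_vlan(spec: str, vlans: dict) -> Optional[int]:
    """Resolve a Port Profile VLAN field (ID or name) to a VLAN ID.

    A numeric spec is a VLAN ID and must exist on the switch.  Otherwise the spec
    is a case-sensitive VLAN name in which only a leading and/or trailing '*' is
    a wildcard (abc, *abc, abc*, *abc*); every other character matches literally.
    The first matching table entry wins.  None means the switch cannot find the
    VLAN, the case the guide says is reported in perfigo.log.
    """
    if spec.isdigit():
        vid = int(spec)
        return vid if vid in vlans else None
    lead = spec.startswith("*")
    trail = spec.endswith("*") and len(spec) > 1
    core = spec.strip("*")
    for vid, name in vlans.items():
        if lead and trail:
            hit = core in name
        elif lead:
            hit = name.endswith(core)
        elif trail:
            hit = name.startswith(core)
        else:
            hit = name == core
        if hit:
            return vid
    return None


@dataclass
class PortProfile:
    auth_vlan: str                    # Auth VLAN field (ID or name)
    default_access_vlan: str          # Default Access VLAN field (ID or name)
    access_vlan: str = "default"      # step 7: default | user_role | initial_port
    use_device_filter: bool = True    # step 8
    reconnect_vlan: str = "auth"      # step 9: auth | access


# Constructed global Device Filter (rule, role) and User Role -> Access VLAN map.
DEVICE_FILTER = {
    "00:11:22:33:44:55": ("ALLOW", None),
    "00:11:22:33:44:66": ("DENY", None),
    "00:11:22:33:44:77": ("ROLE", "engineer"),
    "00:11:22:33:44:88": ("CHECK", "engineer"),
    "00:11:22:33:44:99": ("IGNORE", None),    # e.g. an IP phone
}
ROLE_VLAN = {"engineer": "20"}
PROFILE = PortProfile(auth_vlan="30", default_access_vlan="DATA-*")


def decide_port_vlan(profile, mac, *, certified, oob_online, user_role=None,
                     initial_vlan=None, vlans=SWITCH_VLANS, dev_filter=DEVICE_FILTER):
    """Return (VLAN ID or None, reason).  None means the trap is ignored."""
    auth = resolve_vlan(profile.auth_vlan, vlans)
    access_default = resolve_vlan(profile.default_access_vlan, vlans)

    def role_vlan(role):
        return resolve_vlan(ROLE_VLAN[role], vlans) if role in ROLE_VLAN else None

    # Step 8: global Device Filter rules have the highest priority.
    if profile.use_device_filter and mac in dev_filter:
        rule, role = dev_filter[mac]
        if rule == "IGNORE":
            return None, "IGNORE: SNMP trap for this MAC is ignored"
        if rule == "ALLOW":
            return access_default, "ALLOW: bypass login/posture, Default Access VLAN"
        if rule == "DENY":
            return auth, "DENY: bypass login/posture, Auth VLAN"
        if rule == "ROLE":
            return role_vlan(role), "ROLE: bypass login/posture, User Role VLAN"
        if rule == "CHECK":               # login bypassed, posture still required
            if certified:
                return role_vlan(role), "CHECK: posture passed, User Role VLAN"
            return auth, "CHECK: posture pending, Auth VLAN"

    if not certified:
        return auth, "not certified: Auth VLAN for login and posture assessment"
    if not oob_online:                    # step 9: certified, not in OOB user list
        if profile.reconnect_vlan == "access":
            return access_default, "certified, not online: stay on Default Access VLAN"
        return auth, "certified, not online: re-authenticate on Auth VLAN"
    # Step 7: certified and authenticated, pick the Access VLAN per the profile.
    if profile.access_vlan == "user_role":
        return role_vlan(user_role), "authenticated: User Role VLAN"
    if profile.access_vlan == "initial_port":
        return initial_vlan, "authenticated: back to Initial Port VLAN"
    return access_default, "authenticated: Default Access VLAN"
```

With the constructed table, the wildcard name DATA-* resolves to VLAN 10 (the first match), not 20, which is the kind of surprise the first-match rule produces when several VLAN names share a prefix. A name that resolves to None is the mistyped-name case from the Note above, and the profile then has no VLAN to assign.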

Configure SNMP Receiver


The SNMP Receiver form configures how the SNMP Receiver running on the Clean Access Manager
receives and responds to SNMP trap notifications from all managed switches when mac-notification or
linkup/linkdown user events occur (such as when a user plugs into the network). The trap settings on
each switch must match the CAM's SNMP Receiver configuration (port, SNMP version, and community string
or SNMPv3 user); the CAM does not act on traps it cannot validate.

SNMP Trap
This page configures settings for the SNMP traps the CAM receives from all switches. The Clean Access
Manager SNMP Receiver can support simultaneous use of different versions of SNMP (V1, V2c, V3)
when controlling groups of switches in which individual switches may be using different versions of
SNMP.
1. Go to Switch Management > Profiles > SNMP Receiver > SNMP Trap.

Figure 4-17 CAM SNMP Receiver

2. Use the default Trap Port on Clean Access Manager (162) or enter a new port number here.
3. For SNMP V1 Settings, type the Community String used on switches using SNMP V1.
4. For SNMP V2c Settings, type the Community String used on switches using SNMP V2c.
5. For SNMP V3 Settings, configure the following fields used on switches using SNMP V3:
Choose the Security Method from the dropdown menu: NoAuthNoPriv, AuthNoPriv(MD5),
AuthNoPriv(SHA), AuthPriv(MD5+DES-CBC), or AuthPriv(SHA+DES-CBC).
Type the User Name.
Type the User Auth (the SNMPv3 authentication password).
Type the User Priv (the SNMPv3 privacy password).
6. Click Update to save settings.

Advanced Settings
This page configures advanced timeout and delay settings for the SNMP traps received and sent by the
Clean Access Manager (CAM). To change the default settings, use the following steps. You can use the
Advanced Settings page to fine-tune settings from their defaults once switches are added and
configured.

To Change Default SNMP Advanced Settings


1. Go to Switch Management > Profiles > SNMP Receiver > Advanced Settings.

Figure 4-18 SNMP Receiver Advanced Settings

2. MAC-NOTIFICATION Trap Timeout (default is 60 seconds)


The CAM timestamps the mac-notification traps it receives, and examines the timestamp when the
trap is processed. If the time difference between the timestamp and the current time is greater than
the MAC-NOTIFICATION Trap Timeout, the trap is dropped. This field ensures that the CAM only
processes timely traps.
3. Linkup Trap Bounce Timeout (default is 180 seconds)
When the CAM receives a linkup trap, it tries to resolve the MAC address connected to the port. The
MAC address may not be available at that time. If the CAM cannot get the MAC address, it makes
another attempt after the number of seconds specified in the Linkup Trap Retry Query Interval
field. In order to keep the port controlled and limit the number of times the CAM tries to resolve the
MAC address, the CAM bounces the port after the number of seconds specified in the Linkup Trap
Bounce Timeout to force the switch to generate a new linkup trap.

4. Linkup Trap Retry Query Interval (default is 4 seconds)


When the CAM receives a linkup trap, it needs to query the switch for the MAC address connected
to the port. If the MAC address is not yet available, the CAM waits the number of seconds specified
in the Linkup Trap Retry Query Interval field, then tries again.
5. Port-Security Delay (default is 3 seconds)
If port-security is enabled on the switch, after the VLAN is switched, the CAM must wait the
number of seconds specified in the Port-Security Delay field before setting the port-security
information on the switch.

Note To refresh the DHCP IP address, the 4.1.0.0 Agent or ActiveX/Applet typically performs a DHCP release
before the VLAN change, followed by a DHCP renew after the VLAN change. With release 4.1, the
delays for DHCP Release, VLAN Change, and DHCP Renew are configurable. See DHCP
Release/Renew with Clean Access Agent/ActiveX/Applet, page 5-6 for additional details.

6. DHCP Release Delay (default is 1 second)


This field configures the delay between user login and DHCP release.
7. VLAN Change Delay (default is 2 seconds)
This field configures the delay between user login and VLAN Change. This value should be greater
than the DHCP Release Delay.
8. Port Bounce Interval (default is 5 seconds)
The Port Bounce Interval is the time delay between turning off and turning on the port. This delay
is inserted to help client machines issue DHCP requests.
9. DHCP Renew Delay (default is 3 seconds)
This field configures the delay between DHCP release and DHCP renew. This value should be
greater than the VLAN Change Delay minus the DHCP Release Delay.
10. Redirection Delay without Bouncing (default is 1 second)
This field configures the delay between VLAN change and webpage redirection (after client posture
assessment) for ports with no port bouncing in the Port Profile. This allows you to minimize
redirection time if no port bouncing is required. When the Port Profile does not require bouncing the
port after the VLAN is changed (e.g. Virtual Gateway), configuring this option will redirect the user
page after the number of seconds specified here (e.g. 1 second).
When the port is not bounced, the total redirection interval that the user experiences is the value of
the Redirection Delay without Bouncing field.

Note When the user continues to be redirected to the login page after login/posture assessment, this
typically means the web page redirection is occurring before the switch is able to change the
VLAN of the port (from Auth to Access). In this case, increase the Redirection Delay to 2 or 3
seconds to resolve this issue.

11. Redirection Delay with Bouncing (default is 15 seconds)


This field configures the delay between port bouncing and webpage redirection (after client posture
assessment) for ports with the “Bounce the port after VLAN is changed” option checked on the
Port Profile. This allows you to configure the time needed for port bouncing.
When the port is bounced, the total redirection interval that the user experiences is the sum of 2
fields: Redirection Delay with Bouncing and Port Bounce Interval.

If the Port Profile requires bouncing the port after the VLAN is changed, then after user login, the
user will see “Renewing IP address” page after the sum of the number of seconds specified in this
field and the number of seconds specified in the Port Bounce Interval. For example:
Port Bounce (5 seconds) + Redirection Delay (15 seconds) = Redirection interval (20 seconds total)
12. Click Update to save settings.
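The ordering rules and sums stated in steps 2 through 11 are easy to get wrong in the form, so the following Python is added here as a worked check. It is an example written for this page, not part of the guide or of the Cisco NAC Appliance software. The defaults are the guide's defaults; the validate() rules are the two "should be greater than" statements from steps 7 and 9, redirection_interval() is the sum from step 11, and the linkup retry/bounce loop and the trap staleness check model steps 2 through 4. The simulated switch query and its timings are constructed.

```python
"""Added example (not Cisco NAC Appliance code): checks a set of SNMP Receiver
Advanced Settings against the ordering rules stated above and shows how the
timers combine.  Defaults are the guide's defaults; the simulated linkup
queries are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class AdvancedSettings:  # all values in seconds, defaults as in the guide
    mac_notification_trap_timeout: int = 60
    linkup_trap_bounce_timeout: int = 180
    linkup_trap_retry_query_interval: int = 4
    port_security_delay: int = 3
    dhcp_release_delay: int = 1
    vlan_change_delay: int = 2
    port_bounce_interval: int = 5
    dhcp_renew_delay: int = 3
    redirection_delay_without_bouncing: int = 1
    redirection_delay_with_bouncing: int = 15


def validate(s: AdvancedSettings) -> List[str]:
    """Return the rules from steps 6 to 9 that the settings violate (empty = OK)."""
    problems = []
    if any(v < 0 for v in vars(s).values()):
        problems.append("delays cannot be negative")
    if not s.vlan_change_delay > s.dhcp_release_delay:
        problems.append("VLAN Change Delay must be greater than DHCP Release Delay")
    if not s.dhcp_renew_delay > s.vlan_change_delay - s.dhcp_release_delay:
        problems.append("DHCP Renew Delay must be greater than "
                        "VLAN Change Delay minus DHCP Release Delay")
    return problems


def login_timeline(s: AdvancedSettings) -> dict:
    """Offsets from user login (seconds) of the Agent/ActiveX/Applet DHCP release,
    the VLAN change, the port-security update and the DHCP renew.  When validate()
    passes, the renew lands after the VLAN change, so the client obtains its new
    address on the Access VLAN rather than on the Auth VLAN."""
    release = s.dhcp_release_delay
    change = s.vlan_change_delay
    return {
        "dhcp_release": release,
        "vlan_change": change,
        "port_security_set": change + s.port_security_delay,
        "dhcp_renew": release + s.dhcp_renew_delay,
    }


def redirection_interval(s: AdvancedSettings, bounce_port: bool) -> int:
    """Seconds after login/posture assessment until the browser is redirected
    (steps 10 and 11): Port Bounce Interval + Redirection Delay with Bouncing
    when the Port Profile bounces the port, otherwise the delay without bouncing."""
    if bounce_port:
        return s.port_bounce_interval + s.redirection_delay_with_bouncing
    return s.redirection_delay_without_bouncing


def trap_is_timely(s: AdvancedSettings, received_at: float, now: float) -> bool:
    """MAC-NOTIFICATION Trap Timeout (step 2): the CAM timestamps each trap on
    arrival and drops it if it waited unprocessed for longer than the timeout."""
    return now - received_at <= s.mac_notification_trap_timeout


def resolve_linkup_mac(s: AdvancedSettings,
                       query_switch: Callable[[int], Optional[str]]
                       ) -> Tuple[Optional[str], int, bool]:
    """Linkup handling (steps 3 and 4): query the switch for the MAC on the port,
    retry every Retry Query Interval, and once Bounce Timeout is reached bounce
    the port so the switch sends a fresh linkup trap.  query_switch(elapsed)
    stands in for the SNMP query and returns the MAC or None.
    Returns (mac, seconds elapsed, port bounced)."""
    step = max(1, s.linkup_trap_retry_query_interval)   # guard against a 0 interval
    elapsed = 0
    while True:
        mac = query_switch(elapsed)
        if mac is not None:
            return mac, elapsed, False
        elapsed += step
        if elapsed >= s.linkup_trap_bounce_timeout:
            return None, elapsed, True
```

With the defaults, login_timeline() gives release at 1 s, VLAN change at 2 s, and renew at 4 s, and redirection_interval() returns 20 s for a bouncing profile and 1 s otherwise, matching the "5 + 15 = 20" example above. Raising VLAN Change Delay to 10 s without touching DHCP Renew Delay makes validate() report the renew rule, which is the configuration that leaves a client renewing while still on the Auth VLAN.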

Add Managed Switch


The pages under the Switch Management > Devices > Switches tab are used to discover and add new
managed switches within an IP range, add new managed switches by exact IP address, and administer
the list of managed switches. There are two methods to add new managed switches:
• Add New Switch, page 4-36
• Search New Switches, page 4-38

Figure 4-19 List of Switches

The list of switches under Switch Management > Devices > Switches > List displays all switches added
from the New or Search forms. Switch entries in the list include the switch’s IP address, MAC address,
Description, and Switch Profile. You can sort the entries on the list by Switch Group, Switch Profile,
or Port Profile dropdowns, or you can simply type a Switch IP and hit Enter to search for a switch by
its address. Additionally the List provides one control and three buttons:
• Profile—Clicking the Profile link brings up the Switch Profile (Figure 4-13).
• Config — Clicking the Config button brings up the Config Tab, page 4-47 for the switch.
• Ports — Clicking the Ports button brings up the Ports Tab, page 4-40 for the switch.
• Delete — Clicking the Delete button deletes the switch from the list (a confirmation dialog will
appear first).

Add New Switch


The New page allows you to add switches when exact IP addresses are already known.
1. Go to Switch Management > Devices > Switches > New.

Figure 4-20 Add New Switch

2. Choose the Switch Profile from the dropdown menu to apply to the switches to be added.
3. Choose the Switch Group for the switches from the dropdown menu.
4. Choose the Default Port Profile from the dropdown menu. Typically, the default port profile should
be uncontrolled.
5. Type the IP Addresses of the switch(es) you want to add. Separate each IP address by line.
6. Enter an optional Description of the new switch.
7. Click the Add button to add the switch.
8. Click the Reset button to reset the form.

Search New Switches


The Search page allows you to discover and add unmanaged switches within an IP range.

1. Go to Switch Management > Devices > Switches > Search.

Figure 4-21 Search Switches

2. Select a Switch Profile from the dropdown list. The read community string of the selected Switch
Profile is used to find switches with matching read settings.
3. Type an IP Range in the text box. Note that the maximum IP range is 256 for a search.
4. By default, the Don’t list switches already in the database checkbox is already checked. If you
uncheck this box, the resulting search will include switches you have already added. Note, however,
that the Commit checkboxes to the left of each entry will be disabled for switches that are already
managed.
5. Choose a Switch Group from the dropdown to apply to the unmanaged switches found in the search.
6. Choose a Default Port Profile from the dropdown to apply to the unmanaged switches found in the
search.
7. Click the checkbox to the left of each unmanaged switch you want to manage through the CAM.
Alternatively, click the checkbox at the top of the column to add all unmanaged switches found from
the search.

Note While all switches matching the read community string of the Switch Profile used for the search
are listed, only those switches matching the read SNMP version and community string can be
added using the Commit button. A switch cannot be controlled unless its write SNMP settings
match those configured for its Switch Profile in the Clean Access Manager.

8. Click the Commit button to add the new switches. These switches are listed under Switch
Management > Devices > Switches > List.

Discovered Clients
Figure 4-22 shows the Switch Management > Devices > Discovered Clients page. The Discovered
Clients page lists all clients discovered by the Clean Access Manager via SNMP mac-notification and
linkup/linkdown traps. The page records the activities of out-of-band clients (regardless of VLAN),
based on the SNMP trap information that the Clean Access Manager receives.
When a client connects to a port on the Auth VLAN, a trap is sent and the Clean Access Manager creates
an entry on the Discovered Clients page. The Clean Access Manager adds a client’s MAC address,
originating switch IP address, and switch port number to the out-of-band Discovered Clients list.
Thereafter, the CAM updates the entry as it receives new SNMP trap information for the client.
Removing an entry from the Discovered Clients list clears this status information for the out-of-band
client from the CAM.

Note An entry must exist in the Discovered Clients list in order for the CAM to determine the switch port for
which to change the VLAN. If the user is logging in at the same time that an entry in the Discovered
Clients list is deleted, the CAM will not be able to detect the switch port.

Figure 4-22 Discovered Clients

Elements of the page are as follows:


• Show clients connected to switch with IP—Leave the default of ALL switches displayed, or
choose a specific switch from the dropdown menu. The menu will be populated with all managed
switches in the system.
• Show client with MAC—Type a specific MAC address and press Enter to display a particular client.
• Clients/Page—Leave the default of 25 entries displayed per page, or choose from the dropdown
menu to display 50, 100, 200, or ALL entries on the page.
• Delete All Clients—This button removes all clients on the list.
• Delete Selected—This button only removes the clients selected in the check column to the far right
of the page.
• Note that you can click any of the following column headings to sort results by that column:
MAC—MAC address of the discovered client
IP—IP address of the client
Switch—IP of the originating managed switch. Clicking the IP address brings up the Switch
Management > Devices > Switch [IP] > Config > Basic page for the switch.
Switch Port—Switch port of the client. Clicking the port number brings up the Switch
Management > Devices > Switch [IP] > Ports configuration page for the switch.
Auth VLAN—Authentication (quarantine) VLAN
A value of “N/A” in this column indicates that either the port is unmanaged or the VLAN ID
for this MAC address is unavailable from the switch.
Access VLAN—Access VLAN of the client.
A value of “N/A” in this column indicates the Access VLAN ID is unavailable for the client.
For example, if the user is switched to the Auth VLAN but has never successfully logged into
Cisco NAC Appliance (due to wrong user credentials), this machine will never have been to the
Access VLAN.
Last Update—The last time the CAM updated the information of the entry.
See Out-of-Band User List Summary, page 4-50 for additional details on monitoring out-of-band users.

Manage Switch Ports


Switch ports that are not connected to clients typically use the unmanaged port profile. Switch ports
connected to clients use managed port profiles. After switch ports are configured and the settings are
saved by clicking the “Update” button, the switch ports need to be initialized by clicking the “Setup”
button when the switch supports mac-notification.
Cisco NAC Appliance provides OOB support for Cisco IP Phone deployments where the port is a trunk
port and the native VLAN is the data VLAN. The CAM can manage switch trunk ports in addition to
switch access ports.

Note Because Cisco NAC Appliance can control switch trunk ports for OOB (starting from release 3.6(1)+),
make sure the uplink ports for managed switches are configured as “uncontrolled” ports after upgrade.
This can be done in one of two ways:
• Before upgrading, change the Default Port Profile for the entire switch to “uncontrolled” under
Switch Management > Devices > Switches > List > Config[Switch_IP] > Default Port Profile |
uncontrolled, or
• After upgrading, change the Profile to “uncontrolled” for the applicable uplink ports of the switch
under Switch Management > Devices > Switches > List > Ports [Switch_IP] | Profile
This prevents unnecessary issues when the Default Port Profile for the switch has been configured as a
managed/controlled port profile.

Ports Tab
The Ports and Config tabs only appear after a switch is added to the Switch Management > Devices >
Switches > List. When the Ports tab first appears (Figure 4-23, Figure 4-24), one entry per Ethernet port
displays and corresponding fields for the entry are populated according to the information the Clean
Access Manager receives from direct SNMP queries. For example, if a switch added to the CAM has 24
Fast Ethernet ports and 2 Gigabit Ethernet uplinks, the Ports tab will display 26 rows, with one entry
per port. Trunk ports configured on the switch are distinguished by blue background on the Ports page,
and VLAN values for these ports refer to the trunk port native VLAN.
If the switch does not support mac-notification traps, the Setup button (Set up mac-notification on
managed switch ports) and MAC Not. column are not displayed on the page. In this case,
Linkup/Linkdown traps must be supported and configured on the switch and Clean Access Manager. See
Ports—Linkup/Linkdown, page 4-45 for how the Ports page displays in this case.

Ports —MAC Notification

Figure 4-23 Ports Tab

(Figure callouts: 1 Profile, 2 Update, 3 Setup, 4 Save. Column annotations: Initial VLAN reflects
values in the CAM DB; Current VLAN is dynamic and reflects values on the switch.)

After adding a new switch, set up the Ports configuration page (Figure 4-23) for the switch ports as
follows:
1. Choose the Profile (page 4-45) to use for the port, either managed or unmanaged.
2. Click Update (page 4-43) to save the Port Profile for the port to the CAM.
3. Click Setup (page 4-42) to initialize mac-notification on switch ports (if available on the switch).
4. Click Save (page 4-42) to save the switch running configuration to the switch stored (startup)
configuration.

Description
The buttons and dropdown menus for the Ports configuration page are detailed below:
• Reset All (Initial VLAN Port Profiles only)
Clicking Reset All copies the switch’s Current VLAN values (page 4-44) for all ports and sets
these as the Initial VLAN settings (for access ports) and trunk native VLAN settings (for trunk
ports) (page 4-43) on the CAM and on the running configuration of the switch. This button allows
you to change the Initial VLAN for all ports at the same time on the switch. Click OK in the
confirmation to reset the values.

• Set New Ports (Initial VLAN Port Profiles only)


Clicking Set New Ports (Figure 4-23) preserves settings for existing ports, but copies the switch’s
Current VLAN values for new ports and sets these as Initial VLAN settings (for access ports) and
trunk native VLAN settings (for trunk ports) on the CAM and on the switch running configuration.
This is useful when new ports are added to a switch, such as when adding a new blade in a Catalyst
4500 series rack. In this case, when the new ports are added, the Initial VLAN column displays
“N/A.” Clicking Set New Ports copies the values from Current VLAN column to the Initial VLAN
column for all “N/A” ports and sets these values on the CAM and switch. The Initial VLAN values
for existing ports on the switch (i.e. not “N/A”) will not change. Click OK in the confirmation to set
the new values.

• Setup Button (MAC Notification Switches Only) (3)


For switches that support mac-notification traps, click the Setup button after updating the CAM to
set up mac-notification on managed switch ports and save the running configuration of the switch.
Click OK to initialize ports on the switch.

• Save (4)
Click the Save button to save the running configuration into non-volatile memory (startup
configuration) on the switch. Click OK in the confirmation.

Note The VLAN assignment of the port will not be changed in the startup configuration of the switch unless
you click the Save button.

• Update (2)
After you configure managed ports by choosing the applicable Port Profile, you must click the
Update button to save these settings on the CAM. Clicking Update does the following:
– Saves the Profile for the port to the CAM database.
– Saves any Notes for the port to the CAM database.
If the Port profile is configured with the Initial Port VLAN as the Access VLAN and set to “Change
to Access VLAN if the device is certified and in the out-of-band user list,” clicking Update also
does the following:
– Saves values in the Initial VLAN column for the port to the CAM database.
– If the Current VLAN value of the port is changed, saves the new VLAN ID for the port to the
running configuration of the switch.
• Name
Port name, for example: Fa0/1, Fa0/24, Gi0/1, Gi0/21 (for Cisco switches)
• Index
The port number on the switch, for example: 1, 24, 25, 26
• Description
Type of port, for example: FastEthernet0/1, FastEthernet0/24, GigabitEthernet0/1,
GigabitEthernet0/2
• Status
Connection status of the port.
– A green button indicates a device is connected to the port.
– A red button means no device is connected to the port.
• Bounce
Clicking this button bounces an initialized, managed port. A confirmation appears before the port is
bounced. Note that this feature is only available for managed ports. A port that is connected but not
managed cannot be bounced. By default, this feature is disabled for trunk ports.

• Initial VLAN (Initial VLAN Port Profiles only)
The Initial VLAN value saved by the CAM for this port. This column is only enabled for managed
Port profiles configured with the Initial Port VLAN as the Access VLAN and set to “Change to
Access VLAN if the device is certified and in the out-of-band user list” (see Add Port Profile, page
4-28). When a switch is added, this column is identical to the Current VLAN column. When new
ports are added to a switch, this column displays “N/A” for these ports until the Set New Ports
button is clicked (page 4-42).
To change the Initial VLAN of a port on-the-fly:
a. Make sure the port’s Port profile is configured with the Initial Port VLAN as the Access VLAN
and set to “Change to Access VLAN if the device is certified and in the out-of-band user list”
b. Type the modified VLAN for the port in the Initial VLAN field.
c. Click the Update button to save the changed configuration on the CAM.
See also: Reset All (Initial VLAN Port Profiles only), page 4-41, Set New Ports (Initial VLAN Port
Profiles only), page 4-42, and Save (4), page 4-42.
• Current VLAN
The Current VLAN ID assigned to the port. When a new switch is added, the Current VLAN column
reflects the VLAN assignments already configured on the switch by the network administrator.
Thereafter, the values in this column are dynamic and reflect the current VLAN assignments on the
switch (not necessarily the stored VLAN assignment). For trunk ports, the Current VLAN refers to
the native VLAN of the trunk port.
To change the Current VLAN assignment for a port on-the-fly:
a. Type the modified value for the port in the Current VLAN field.
b. Click the Update button to save the changed configuration to the CAM and to the running
configuration of the switch.
c. Click the Save button to save the switch running configuration to the startup configuration of
the switch.
See also Reset All (Initial VLAN Port Profiles only), page 4-41, Set New Ports (Initial VLAN Port
Profiles only), page 4-42, and Save (4), page 4-42.
• MAC Not.
MAC Notification capability. The presence of this column indicates the switch is using SNMP
mac-notification traps. If the switch does not support mac-notification traps, or if Linkup
notification is chosen in the Advanced configuration page (see Advanced, page 4-48), the MAC Not.
column and Setup button are not displayed on the Ports config page. In this case, Linkup/Linkdown
traps must be used.
– A green check in the MAC Not. column means the corresponding port on the switch is
enabled for this trap.
– A grey x means the port has not been enabled for this trap, or is not managed.
– A red exclamation point next to either a green check or a grey x means an inconsistency
exists between the port configuration on the switch and the port configuration in the Clean
Access Manager. Exclamation points will appear after clicking Update and before clicking
Setup to prompt the user to resolve the inconsistencies before attempting to save the settings to
the switch.
• Client MAC
Clicking this button brings up a dialog with the MAC address of the client attached to this port, the
IP address of the switch, and the Name of the port to which the client is connected. For a managed
port, only one MAC address displays for the attached client device. For unmanaged ports, this dialog
displays all the MAC addresses associated with this port, but will not indicate where the MAC
addresses are located (could be on other switches).

Note The MAC address(es) connected to a particular port may not be available when the Access
VLAN of the port does not exist in the VLAN database. This occurs on some models of Cisco
switches (e.g. 6506, IOS Version 12.2(18) SXD3).

• Profile (1)
To control a port from the CAM, select a managed port profile from the dropdown menu, then click
Update and Setup. Apply managed port profiles to ports on which clients are attached in order to
get and set the SNMP traps from those ports. Profiles can also be applied to trunk ports. All other
ports should be unmanaged. Port Profiles must already be configured under Switch Management >
Profiles > Port > New (see Configure Port Profiles, page 4-27). There are always two default
dropdown options: uncontrolled, and Default []. All ports are initially assigned the
Default[uncontrolled] Port Profile. You can change the Default [] Port Profile assignment from the
Switch Management > Devices > Config tab.

Note Because Cisco NAC Appliance OOB can control switch trunk ports, when upgrading to 4.1(x),
make sure uplink ports for managed switches are configured as “uncontrolled” ports. You can
do this before upgrade by making sure the Default Port Profile for the entire switch is
“uncontrolled” under Switch Management > Devices > Switches > List > Config[Switch_IP]
> Default Port Profile (see Config Tab, page 4-47), or, after upgrade, you can change the Profile
here in the Ports config page to “uncontrolled” for the applicable uplink ports of the switch. This
will prevent unnecessary issues when the Default Port Profile for the switch has been configured
as a managed/controlled port profile.

• Note
This field allows you enter an optional description for ports you configure. Clicking Update saves
the note for the port on the CAM.

Ports—Linkup/Linkdown

If the switch does not support mac-notification traps, the MAC Not. column and Setup button are not
displayed on this page (Figure 4-24). In this case, Linkup/Linkdown traps must be supported and
configured on the switch and Clean Access Manager.
See Advanced, page 4-48 for additional information on the use of Linkup/Linkdown traps.


Figure 4-24 Ports Tab — Linkup/Linkdown


Config Tab
The Config tab allows you to modify Basic, Advanced, and Group profile settings for a particular switch.

Basic

The Basic tab shows the following values configured for the switch.

Figure 4-25 Basic Config

• The first values come from the initial configuration done on the switch itself:
IP Address
MAC Address
Location
Contact
System Info (translated from the MIB for the switch)
• Switch Profile — Shows the Switch Profile you are using for this Switch configured under Switch
Management > Profiles > Switch. The Switch Profile sets the model type, the SNMP port on which
to send SNMP traps, SNMP version for read and write and corresponding community strings, or
authentication parameters (SNMP V3 Write).
• Default Port Profile — Shows the default Port profile applied to unconfigured ports on the switch
on the Ports tab. The “uncontrolled” port profile is the initial default profile for all ports, unless you
change the setting here.

Note Because Cisco NAC Appliance OOB can control switch trunk ports, when upgrading, make sure
uplink ports for managed switches are configured as “uncontrolled” ports. You can do this before
upgrade by making sure the Default Port Profile for the entire switch is “uncontrolled” here, or,
after upgrade you can change the Profile to “uncontrolled” for the applicable uplink ports of the
switch under Switch Management > Devices > Switches > List > Ports [Switch_IP] | Profile
(see Ports Tab, page 4-40). This will prevent unnecessary issues when the Default Port Profile
for the switch has been configured as a managed/controlled port profile.


• Description—Optional description of the switch.

Advanced

Use the Advanced Config page (Figure 4-26) to view or configure which SNMP trap notification type
the CAM SNMP Receiver will use for a particular switch.
• If a switch supports MAC Notification, the CAM automatically enables this option.
• If a switch does not support MAC Notification, the CAM enables the Linkup Notification option.
In this case the administrator can optionally enable Port Security on the switch if the switch supports
this feature.
• If a switch supports both MAC Notification and Linkup, the administrator can optionally disable
mac-notification by selecting Linkup Notification instead and clicking Update.

Figure 4-26 Advanced Config

Linkup/Linkdown is a global system setting on the switch that tracks whether a connection has
non-operating or operating status. With the Linkup/Linkdown trap method, the Clean Access Manager
must poll each port to determine the number of MACs on the port.

Linkdown Traps
A client machine shutdown or reboot will trigger a linkdown trap sent from the switch to the CAM (if
linkdown traps are set up on the switch and configured on the CAM via the Port profile). Thereafter, the
client port behavior depends on the Port profile settings for that specific port.
Whether the SNMP Receiver is configured for mac-notification or Linkup, the CAM uses the linkdown
trap to remove users. For example, the linkdown trap is used if:
• An OOB online user is removed and the Port Profile is configured with the option “Kick
Out-of-Band online user when linkdown trap is received.”
• Port Security is enabled on the switch.

Note The port VLAN setting is not changed upon Linkdown. As a result, the port remains in the same state
left by the last machine connected to the port.

Port Security
If the switch additionally supports Port Security, the Port Security option will also appear on the
Advanced Page (Figure 4-27). When using Linkup notification, the Port Security feature can provide
additional security by causing the port to only allow one MAC address when a user authenticates. So
even if the port is connected to a hub, only the first MAC that is authenticated is allowed to send traffic.
Note that availability of the Port Security feature is dependent on the switch model and OS being used.


Figure 4-27 Advanced Config — Port Security

Note • Port Security can only be enabled on a port set to Access mode (i.e., not Trunk mode).
• The MAC address(es) connected to a particular port may not be available after Port Security is
enabled. This occurs on some models of Cisco switches (e.g. 4507R, IOS Version 12.2(18) EW).
• If implementing High-Availability, ensure that Port Security is not enabled on the switch interfaces
to which the CAS and CAM are connected. This can interfere with CAS HA and DHCP delivery.

Group

This page displays all the Group Profiles configured in the Clean Access Manager, and the Group
Profiles to which the switch currently belongs. You can add the switch to other Groups, or you can
remove the switch from a Group Joined. To change the Group membership for all switches, go to
Switch Management > Profiles > Group (see Configure Group Profiles, page 4-22).

Figure 4-28 Config Group


Out-of-Band User List Summary


For additional details, see also Online Users List, page 14-3 and Manage Certified Devices, page 10-26.
Table 4-3 Out-of-Band User List Summary

In-Band Online Users
• The In-Band Online Users list (Figure 14-2 on page 14-6) tracks in-band users logged into the network.
• The CAM adds a client IP/MAC address (if available) to this list after a user logs into the network either
through web login or the Clean Access Agent.
• Removing a user from this Online Users list logs the user off the in-band network.

Certified List
• The Certified List (Figure 10-10 on page 10-28) lists the MAC addresses of all “certified” client devices
— whether out-of-band or in-band — that have met your Clean Access requirements.
• The CAM adds a client MAC address to the Certified List after a client device goes through the Clean
Access process and meets Clean Access requirements.
• Removing a client from the Certified List:
– Removes an in-band user from the In-Band Online Users list.
– Removes an OOB user from the Out-of-Band Online Users list (causing the port to be changed from
the Access VLAN to the Auth VLAN) and bounces the port, unless Remove out-of-band online
user without bouncing the port is checked for the Port profile.

Discovered Clients
• The Discovered Clients list (Figure 4-22 on page 4-39) records the activities of out-of-band clients
(regardless of VLAN), based on the SNMP trap information that the CAM receives.
• The CAM adds a client’s MAC address, originating switch IP address, and switch port number to the
out-of-band Discovered Clients list after receiving SNMP trap information for the client from the switch.
The CAM updates the entry as it receives SNMP trap information for the client.
• Removing an entry from the Discovered Clients list clears this status information for the OOB client from
the CAM. However, note that an entry must exist in the Discovered Clients list in order for the CAM to
determine the switch port for which to change the VLAN. If the user is logging in at the same time that
an entry in the Discovered Clients list is deleted, the CAM will not be able to detect the switch port.

Out-of-Band Online Users
• The Out-of-Band Online Users list (Figure 14-3 on page 14-8) tracks all authenticated out-of-band
users that are on the Access VLAN (on the trusted network).
• The CAM adds a client MAC address to the Out-of-Band Online Users list after a client is switched to
the Access VLAN.
• When a user is removed from the Out-of-Band Online Users list, the CAM instructs the switch to change
the VLAN of the port from the Access VLAN to the Auth VLAN.
• Additionally, if Bounce the port after VLAN is changed is checked for the Port profile (Real-IP/NAT
gateways), the following occurs:
1. The CAM bounces the switch port (off and on).
2. The switch resends SNMP traps to the CAM.
3. The CAM discovers the device connected to the switch port from SNMP mac-notification or linkup
traps received.
4. The port is assigned the Auth VLAN if the device is not certified.
5. The CAM changes the VLAN of the port according to the Port Profile configuration.
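The way the three OOB lists in Table 4-3 depend on each other, written out as an added Python model (this is illustrative code, not Cisco NAC Appliance code; the class and method names, the VLAN IDs, and the MAC and switch addresses are all constructed assumptions). It shows the Certified List removal cascading into the Out-of-Band Online Users list, the port bounce being suppressed by the Port profile option, and why a login fails once the Discovered Clients entry is gone.

```python
"""Toy model of the CAM's out-of-band (OOB) list bookkeeping summarised in
Table 4-3.  Constructed illustration, not Cisco NAC Appliance code; the class
and method names, VLAN IDs, MAC and switch addresses are all assumptions."""
from dataclasses import dataclass

AUTH_VLAN = 110     # constructed sample Auth VLAN
ACCESS_VLAN = 10    # constructed sample Access VLAN


@dataclass
class PortProfile:
    """The two Port profile checkboxes Table 4-3 refers to."""
    bounce_after_vlan_change: bool = True   # "Bounce the port after VLAN is changed"
    remove_without_bounce: bool = False     # "Remove out-of-band online user without bouncing the port"


@dataclass
class SwitchPort:
    vlan: int = AUTH_VLAN   # ports start on the Auth VLAN
    bounces: int = 0        # how often the CAM has shut/no-shut the port


class OOBError(Exception):
    """Where the Agent would show 'OOB Error: connected device <MAC> not found'."""


class OOBManager:
    def __init__(self, profile):
        self.profile = profile
        self.ports = {}         # (switch IP, port number) -> SwitchPort
        self.discovered = {}    # Discovered Clients list: MAC -> (switch IP, port number)
        self.certified = set()  # Certified List
        self.online = set()     # Out-of-Band Online Users list

    def _port(self, key):
        return self.ports.setdefault(key, SwitchPort())

    def receive_trap(self, mac, switch_ip, port_no):
        """An SNMP mac-notification or linkup trap adds/updates the Discovered Clients entry."""
        self.discovered[mac] = (switch_ip, port_no)
        self._port((switch_ip, port_no))

    def client_login(self, mac):
        """Client has authenticated and met the Clean Access requirements."""
        if mac not in self.discovered:
            # Without a Discovered Clients entry the CAM cannot find the port to switch
            raise OOBError(f"connected device {mac} not found")
        self.certified.add(mac)
        port = self._port(self.discovered[mac])
        port.vlan = ACCESS_VLAN
        self.online.add(mac)
        if self.profile.bounce_after_vlan_change:
            port.bounces += 1   # so a DHCP client picks up an Access VLAN address
        return port.vlan

    def remove_online_user(self, mac, bounce=True):
        """Removing an OOB online user moves the port back to the Auth VLAN."""
        if mac not in self.online:
            return None
        self.online.discard(mac)
        key = self.discovered.get(mac)
        if key is None:
            return None     # entry was cleared: the CAM no longer knows which port to change
        port = self._port(key)
        port.vlan = AUTH_VLAN
        if bounce and self.profile.bounce_after_vlan_change:
            port.bounces += 1
        return port.vlan

    def remove_certified(self, mac):
        """Removing from the Certified List cascades into the OOB online list (Table 4-3)."""
        self.certified.discard(mac)
        return self.remove_online_user(mac, bounce=not self.profile.remove_without_bounce)

    def remove_discovered(self, mac):
        """Clearing a Discovered Clients entry; a later login can no longer locate the port."""
        self.discovered.pop(mac, None)


def demo():
    """Login, Certified List removal, then the failure after the Discovered entry is gone."""
    cam = OOBManager(PortProfile())
    mac, switch, port_no = "00:11:22:33:44:55", "192.0.2.10", 5   # constructed values
    cam.receive_trap(mac, switch, port_no)
    vlan_after_login = cam.client_login(mac)         # 10
    vlan_after_removal = cam.remove_certified(mac)   # 110
    cam.remove_discovered(mac)
    try:
        cam.client_login(mac)
        error = None
    except OOBError as exc:
        error = str(exc)
    return vlan_after_login, vlan_after_removal, cam.ports[(switch, port_no)].bounces, error


if __name__ == "__main__":
    print(demo())
```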


OOB Troubleshooting
• OOB Switch Trunk Ports After Upgrade, page 4-51
• Unable to Control <Switch IP>, page 4-51
• OOB Error: connected device <client_MAC> not found, page 4-52

OOB Switch Trunk Ports After Upgrade


Because Cisco NAC Appliance can control switch trunk ports for OOB (starting from release 3.6(1) and
above), uplink ports for managed switches need to be configured as “uncontrolled” ports either before or
after upgrade (see “Settings That May Change With Upgrade” in the Release Notes for Cisco NAC
Appliance (Cisco Clean Access), Version 4.1(0) at
http://www.cisco.com/en/US/products/ps6128/prod_release_note09186a008070866a.html#wp42679).
This can be done in one of two ways:
• Before upgrading, change the Default Port Profile for the entire switch to “uncontrolled” under
Switch Management > Devices > Switches > List > Config[Switch_IP] > Default Port Profile |
uncontrolled, or
• After upgrading, change the Profile to “uncontrolled” for the applicable uplink ports of the switch
under Switch Management > Devices > Switches > List > Ports [Switch_IP] | Profile
This will prevent unnecessary issues when the Default Port Profile for the switch has been configured as
a managed/controlled port profile.
If for some reason the above steps are omitted and the switch becomes disconnected, use the following
procedure:
1. Delete the switch from the List of Switches in the CAM (under Switch Management > Devices >
Switches > List).
2. Configure the switch using its CLI to reverse the changes made to the uplink port by the CAM (trunk
native vlan and mac-notification), for example:
(config-if)# switchport trunk native vlan xxx
(config-if)# no snmp trap mac-notification added

3. Add the switch back to the CAM (under Switch Management > Devices > Switches > New or
Search), applying “uncontrolled” as the Default Port Profile.
4. Specifically assign the “uncontrolled” port Profile to the uplink port and other uncontrolled ports
(under Switch Management > Devices > Switches [x.x.x.x] > Ports).
5. Reset the Default Port Profile for the switch (under Switch Management > Devices > Switches
[x.x.x.x] > Config).
6. Initialize the switch ports (under Switch Management > Devices > Switches [x.x.x.x] > Ports).

Unable to Control <Switch IP>


If the error message Unable to control “<Switch_IP>” displays on the console when attempting to add
a switch under Switch Management > Devices > Switches > New:
• Make sure the switch profile matches the switch type. For example, if the switch is a 3750, but you
specified it as a 2950 in the switch profile, the CAM will fail when it tries to add the 3750 using the
2950 profile. Changing the profile to 3750 will resolve this issue.


• Make sure SNMP traps are enabled and that SNMP community strings are properly configured on
the switch. See Example Switch Configuration Steps, page 4-13 for details.

OOB Error: connected device <client_MAC> not found


Client connection errors can result from incorrect configuration of the switch profile. If attempting to
log into the network using the Clean Access Agent, and the Agent provides the following error: “Login
Failed! OOB Error: connected device <client_MAC> not found. Please contact your network
administration.”
• Make sure the switch profile matches the switch type under Switch Management > Devices >
Switches > New
For example, if the switch is a 3750, but you specified a 2950 switch profile when adding the
switch, when the CAM receives the SNMP linkup trap from the switch for the client that is
connecting (with the MAC address specified in the Agent error message), the CAM will attempt to
contact that switch to find that MAC address. If the wrong profile is specified for the switch, or the
switch is not yet configured in the CAM, the CAM will not be able to contact that switch. Changing
the switch profile to 3750 will resolve this issue.

CHAPTER 5
Configuring User Login Page and Guest Access

This chapter explains how to add the default login page needed for all users to authenticate and
customize the login page for web login users. It also describes how to configure Guest User Access, page
5-16. Topics include:
• User Login Page, page 5-2
• Add Default Login Page, page 5-3
• Change Page Type (to Frame-Based or Small-Screen), page 5-5
• Enable Web Client for Login Page, page 5-6
• Customize Login Page Content, page 5-9
• Customize Login Page Styles, page 5-13
• Upload a Resource File, page 5-12
• Create Content for the Right Frame, page 5-11
• Configure Other Login Properties, page 5-14
• Guest User Access, page 5-16
For details on configuring the User Agreement Page for web login users, see Customize the User
Agreement Page, page 13-16.
For details on configuring an Acceptable Use Policy page for Clean Access Agent users, see Configure
Network Policy Page (Acceptable Use Policy) for Agent Users, page 11-6.
For details on configuring user roles and local users, see Chapter 6, “User Management: Configuring
User Roles and Local Users.”
For details on configuring authentication servers, see Chapter 7, “User Management: Configuring Auth
Servers.”
For details on configuring traffic policies for user roles, see Chapter 9, “User Management: Traffic
Control, Bandwidth, Schedule.”


User Login Page


The login page is generated by Cisco NAC Appliance and shown to end users by role. When users first
try to access the network from a web browser, an HTML login page appears prompting the users for a
user name and password. Cisco NAC Appliance submits these credentials to the selected authentication
provider, and uses them to determine the role in which to put the user. You can customize this web login
page to target the page to particular users based on a user’s VLAN ID, subnet, and operating system.

Caution A login page must be added and present in the system in order for both web login and Clean Access
Agent users to authenticate. If a default login page is not present, Clean Access Agent users will see an
error dialog when attempting login (“Clean Access Server is not properly configured, please report to
your administrator.”). To quickly add a default login page, see Add Default Login Page, page 5-3.

Cisco NAC Appliance detects a number of client operating system types, including Windows, Mac,
Linux, Solaris, Unix, Palm, Windows CE, and others. Cisco NAC Appliance determines the OS the client
is running from the OS identification in the HTTP GET request, the most reliable and scalable method.
When a user makes a web request from a detected operating system, such as Windows XP, the CAS can
respond with the page specifically adapted for the target OS.
When customizing the login page, you can use several styles:
• Frame-based login page (in which the login fields appear in a left-hand frame). This allows logos,
files, or URLs to be referenced in the right frame of the page.
• Frameless login page (shown in Figure 5-6)
• Small screen frameless login page. The small page works well with Palm and Windows CE devices.
The dimensions of the page are about 300 by 430 pixels.
Additionally, you can customize images, text, colors, and most other properties of the page.
This section describes how to add and customize the login page for all Clean Access Servers using the
global forms of the Clean Access Manager. To override the global settings and customize a login page
for a particular Clean Access Server, use the local configuration pages found under Device Management
> CCA Servers > Manage [CAS_IP] > Misc > Login Page. For further details, see the Cisco NAC
Appliance - Clean Access Server Installation and Administration Guide.

Unauthenticated Role Traffic Policies


If a login page is customized to reference an external URL or server resource, a traffic policy must be
created for the Unauthenticated role to allow users HTTP access to that URL or server. For details on
configuring traffic policies for user roles, see Chapter 9, “User Management: Traffic Control,
Bandwidth, Schedule.”

Note If Unauthenticated role policies are not configured to allow access to the elements referenced by the
login page, or if a referenced web page becomes unavailable for some reason, you may see errors such
as the login page continuing to redirect to itself after login credentials are submitted.


Proxy Settings
By default, the Clean Access Server redirects client traffic on ports 80 and 443 to the login page. If users
on your untrusted network are required to use a proxy server and/or different ports, you can configure
the CAS with corresponding proxy server information in order to appropriately redirect HTTP/HTTPS
client traffic to the login page (for unauthenticated users) or HTTP/HTTPS/FTP traffic to allowed
hosts (for quarantine or Temporary role users). You can specify:
• Proxy server ports only (for example, 8080, 8000)—this is useful in environments where users may
go through a proxy server but not know its IP address (e.g. university).
• Proxy server IP address and port pair (for example, 10.10.10.2:80) — this is useful in environments
where the IP and port of the proxy server to be used are known (e.g. corporate/enterprise).

Note Proxy settings are local policies configured on the CAS under Device Management > Clean Access
Servers > Manage [CAS_IP_address] > Advanced > Proxy. For complete details, see the Cisco NAC
Appliance - Clean Access Server Installation and Administration Guide.

See also Proxy Servers and Host Policies, page 9-12 for related information.

Add Default Login Page


A default login page must be added to the system to enable users to log in. For initial testing, you can
follow the steps below leaving all default settings (*) to add a default login page. You can later define
specialized login pages for target subnets and user operating systems. The following steps describe how
to add a login page to the Clean Access Manager for all Clean Access Servers.
1. Go to Administration > User Pages > Login Page
2. Click the Add submenu link.
3. Specify a VLAN ID, Subnet (IP/Mask), or Operating System target for the page. To specify any
VLAN ID or subnet, use an asterisk (*) in the field. For any OS, select ALL.

Figure 5-1 Add Login Page

4. Click Add.
5. The new page will appear under Administration > User Pages > Login Page > List.


Figure 5-2 Login Page List

6. After the login page is added, you must Edit it to configure all of its other properties. For details see:
Change Page Type (to Frame-Based or Small-Screen), page 5-5
Enable Web Client for Login Page, page 5-6
Customize Login Page Content, page 5-9
Create Content for the Right Frame, page 5-11
Customize Login Page Styles, page 5-13
Configure Other Login Properties, page 5-14

Change Page Type (to Frame-Based or Small-Screen)

Change Page Type (to Frame-Based or Small-Screen)


After adding a login page, you edit its General properties to enable/disable it, change the target VLAN
ID/ subnet or operating system, change the page type to frame-based or small screen, or enable the use
of Active X/ Java Applet controls (see Enable Web Client for Login Page, page 5-6 for details).
To change the format of the page from the default frameless format, use the following steps:
1. From Administration > User Pages > Login Page > List, click the Edit button next to the page to
be customized.
2. The General subtab page appears by default.

Figure 5-3 General Login Page Properties—Configuring Page Type

3. From the Page Type dropdown menu, choose one of the following options:
Frameless (default)
Frame-based—This sets the login fields to appear in the left frame of the page, and allows you
to configure the right frame with your own customized content (such as organizational logos,
files, or referenced URLs). See Create Content for the Right Frame, page 5-11 for further
details.
Small Screen (frameless)— This sets the login page as a small page that works well with Palm and
Windows CE devices. The dimensions of the page are about 300 by 430 pixels.
4. Leave other settings at their defaults.
5. Click Update to save your changes.


Enable Web Client for Login Page


The web client option can be enabled for all deployments, but is required for L3 OOB.
To set up the Cisco NAC Appliance for L3 out-of-band (OOB) deployment, you must enable the login
page to distribute either an ActiveX control or Java Applet to web login users who are multiple L3 hops
away from the CAS. The ActiveX control/Java Applet is downloaded when the user performs web login
and is used to obtain the correct MAC address of the client. In OOB deployment, the CAM needs the
correct client MAC address to control the port according to Certified List and/or device filter settings of
the Port Profile.

Note When the Clean Access Agent is installed, the Agent automatically sends the MAC address of all
network adapters on the client to the CAS. See Clean Access Agent Sends IP/MAC for All Available
Adapters, page 11-8.

DHCP Release/Renew with Clean Access Agent/ActiveX/Applet


With release 4.1, DHCP IP addresses can be refreshed for client machines using the 4.1.0.0+ Clean
Access Agent, or ActiveX Control/Java Applet without requiring port bouncing after authentication and
posture assessment. This feature is intended to facilitate NAC Appliance OOB deployment in VoIP
environments.
In most OOB deployments (except L2 OOB Virtual Gateway where the Default Access VLAN is the
Access VLAN in Port profile), the client, after posture assessment, needs to acquire a different IP
address from the Access VLAN.
There are two approaches to enable the client to get the new IP address:
• Enabling the “Bounce the port after VLAN is changed” Port profile option (required for releases
prior to 4.1). In this case, the switch port connected to the client is bounced after it is assigned to
the Access VLAN, and the client using DHCP will try to refresh the IP address. This approach has
the following limitations:
In VoIP deployments, because the port bouncing will disconnect and reconnect the IP Phone
connected to the same switch port, any ongoing communication is interrupted.
Some client operating systems do not automatically refresh their DHCP IP addresses even if the
switch port is bounced.
The process of shutting down and bringing back the switch port, and of client operating systems
detecting the port bounce and refreshing their IP addresses can take time.
• Using the 4.1.0.0 Clean Access Agent, ActiveX Control, or Java Applet to refresh client DHCP IP
addresses without port bouncing. This allows clients to acquire a new IP address in the Access
VLAN and the Bounce the switch port after VLAN is changed option in the Port profile can be
left disabled.

Agent Login
If the client uses Clean Access Agent (from 4.1.0.0) to log in, the Agent will automatically refresh the
DHCP IP address if the client needs a new IP address in the Access VLAN.

Web Login
In order for the ActiveX/Applet to refresh the IP address for the client when necessary, use of the web
client must be enabled in the User Login Page configuration under:


• Administration > User Pages > Login Page > Edit > General, or
• Device Management > CCA Servers > Authentication > Login Page > Edit > General
In the Login Page configuration, two options need to be checked to use the ActiveX/Applet webclient to
refresh the client’s IP address:
• Use web client to detect client MAC address and Operating System.
• Use web client to release and renew IP address when necessary (OOB)
In the same configuration page, the network administrator can set the webclient preferences. Normally
the Linux/MacOS clients are prompted for the root/admin password to refresh their IP address if the
client user does not have the privilege to do so. To avoid the root/admin password prompt to refresh the
IP address for Linux/MacOS clients, another option is used, the Install DHCP Refresh tool into
Linux/MacOS system directory option.

Note See Advanced Settings, page 4-33 for additional details on configuring DHCP Release, VLAN Change,
and DHCP Renew Delays for OOB.

1. Go to Administration > User Pages > Login Page > Edit | General

Figure 5-4 Enable Web Client (ActiveX/Java Applet)

2. From the Web Client (ActiveX/Applet) dropdown menu, choose one of the following options. For
“Preferred” options, the preferred option is loaded first, and if it fails, the other option is loaded.
With Internet Explorer, ActiveX is preferred because it runs faster than the Java Applet.
– ActiveX Only—Only runs ActiveX. If ActiveX fails, does not attempt to run the Java Applet.
– Java Applet Only—Only runs the Java Applet. If the Java Applet fails, does not attempt to run
ActiveX.


– ActiveX Preferred—Runs ActiveX first. If ActiveX fails, attempts to run the Java Applet.
– Java Applet Preferred—Runs the Java Applet first. If the Java Applet fails, attempts to run ActiveX.
– ActiveX on IE, Java Applet on non-IE Browser (Default)—Runs ActiveX if Internet
Explorer is detected, and runs the Java Applet if another (non-IE) browser is detected. If ActiveX
fails on IE, the CAS attempts to run the Java Applet. For non-IE browsers, only the Java Applet
is run.
Two options need to be checked to use the ActiveX/Applet webclient to refresh the client’s IP address:
3. Click the checkbox for “Use web client to detect client MAC address and Operating System.”
4. Click the checkbox for “Use web client to release and renew IP address when necessary (OOB)”
to release/renew the IP address for the OOB client after authentication without bouncing the switch
port.
5. When use of the web client is enabled for IP address release/renew, for Linux/Mac OS X clients,
you can optionally click the checkbox for “Install DHCP Refresh tool into Linux/MacOS system
directory.” This will install a DHCP refresh tool on the client to avoid the root/admin password
prompt when IP address is refreshed.
6. Click Update to save settings.

Note To use this feature, “Enable L3 support” must be enabled under Device Management > CCA Servers
> Manage[CAS_IP] > Network > IP.

For further details, see “Configuring Layer 3 Out-of-Band (L3 OOB)” in the Cisco NAC Appliance - Cisco
Clean Access Server Installation and Administration Guide.


Customize Login Page Content


After adding a login page, you can edit the content that appears on the page as described below.
1. From Administration > User Pages > Login Page > List, click the Edit button next to the page to
be customized.
2. Click the Content submenu link. The Login Page Content form appears:

Figure 5-5 Login Page Content

3. Configure the login page controls on the page using the following text fields and options.
Image – An image file, such as a logo, that you want to appear on the login page. To refer to
your own logo, first upload the logo image. See Upload a Resource File, page 5-12.
Title – The title of the page as it will appear in the title bar of the browser window and above
the login field.
Username Label – The label for the username input field.
Password Label – The label for the password input field.
Login Label – The label of the button for submitting login credentials.
Provider Label – The label beside the dropdown list of authentication providers.
Default Provider – The default provider presented to users.
Available Providers – Use the checkboxes to specify the authentication sources to be available
from the Providers dropdown menu on the login page. If neither the Provider Label nor these
options are selected, the Provider menu does not appear on the login page and the Default
Provider is used.
Instructions – The informational message that appears to the user below the login fields.


Guest Label – Determines whether a guest access button appears on the page, along with its
label. This allows users who do not have a login account to access the network as guest users.
By default the “guest” user account is a local user in the Unauthenticated Role. In its default
configuration, this role has narrowly defined access privileges. See Guest User Access, page
5-16 for details.
Help Label – Determines if a help button appears on the page, along with its label.
Help Contents – The text of the popup help window, if a help button is enabled. Note that only
HTML content can be entered in this field (URLs cannot be referenced).
Root CA Label – Places a button on the page users can click to install the root CA certificate
file. When installed, the user does not have to explicitly accept the certificate when accessing
the network.
Root CA File – The root CA certificate file to use.
4. Click Update to save your changes.
5. After you save your changes, click View to see how your customized page will appear to users.
Figure 5-6 illustrates how each field correlates to elements of the generated login page.

Figure 5-6 Login Page Elements


Create Content for the Right Frame


1. From Administration > User Pages > Login Page > List, click the Edit button next to the page to
be customized. If you have set the login page to be frame-based (as described in Change Page Type
(to Frame-Based or Small-Screen), page 5-5), an additional Right Frame submenu link will appear
for the page.
2. In the Edit form, click the Right Frame sublink to bring up the Right Frame Content form (Figure 5-7).

Figure 5-7 Login Page—Right Frame Content

3. You can enter either a URL or HTML content for the right frame as described below:
a. Enter URL: (for a single webpage to appear in the right frame)
For an external URL, use the format http://www.webpage.com.
For a URL on the Clean Access Manager, use the format:
https://<CAM_IP>/upload/file_name.htm
where <CAM_IP> is the domain name or IP listed on the certificate.

Note If you specify an external URL or Clean Access Manager URL, make sure you have created a
traffic policy for the Unauthenticated role that allows the user HTTP access to the CAM or
external server. In addition, if you change or update the external URLs referenced by the login
page, make sure to update the Unauthenticated role policies as well. See Unauthenticated Role
Traffic Policies, page 5-2 and Adding Traffic Policies for Default Roles, page 9-27 for details.

b. Enter HTML: (to add a combination of resource files, such as logos and HTML links)
Type HTML content directly into the Right Frame Content field.


To reference any resource file you have already uploaded in the File Upload tab as part of the
HTML content (including images, JavaScript files, and CSS files) use the following formats:
To reference a link to an uploaded HTML file:
<a href="file_name.html"> file_name.html </a>
To reference an image file (such as a JPEG file) enter:
<img src="file_name.jpg">
See also Upload a Resource File, page 5-12 for details.
4. Click Update to save your changes.
5. After you save your changes, click View to see how your customized page will appear to users.

Upload a Resource File


Use the following steps to add a resource file, such as a logo for the Image field in the Content form,
or to add resources for a frame-based login page such as HTML pages, images, logos, JavaScript files,
and CSS files.
1. Go to Administration > User Pages > File Upload

Figure 5-8 File Upload

2. Browse to a logo image file or other resource file from your PC and select it in the Filename field.
3. Optionally enter text in the Description field.
4. Click Upload. The file should appear in the resources list.

Note • Files uploaded to the Clean Access Manager using Administration > User Pages > File Upload
are available to the Clean Access Manager and all Clean Access Servers. These files are located
under /perfigo/control/tomcat/normal-webapps/upload in the CAM.
• Files uploaded to the CAM prior to 3.6(2)+ are not removed and continue to be located under
/perfigo/control/tomcat/normal-webapps/admin.


• Files uploaded to a specific Clean Access Server using Device Management > CCA Servers >
Manage [CAS_IP] > Misc > Login Page > File Upload are available to the Clean Access Manager
and the local Clean Access Server only. On the Clean Access Server, uploaded files are located under
/perfigo/access/tomcat/webapps/auth . See the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide for further information.

For further details on uploading content for the User Agreement Page (for web login/network scanning
users), see also Customize the User Agreement Page, page 13-16.
For details on configuring traffic policies to allow client access to files stored on the CAM, see Adding
Traffic Policies for Default Roles, page 9-27.

Customize Login Page Styles


1. Go to Login Page > Edit > Style to modify the CSS properties of the page.

Figure 5-9 Login Page Style

2. You can change the background (BG) and foreground (FG) colors and properties. Note that Form
properties apply to the portion of the page containing the login fields (shaded gray in Figure 5-6 on
page 5-10).
Left Frame Width: Width of the left frame containing the login fields.
Body BG_Color, Body FG_Color: Background and foreground colors for body areas of the
login page.
Form BG_Color, Form FG_Color: Background and foreground colors for form areas.


Misc BG_Color, Misc FG_Color: Background and foreground colors for miscellaneous areas of
the login page.
Body CSS: CSS tags for formatting body areas of the login page.
Title CSS: CSS tags for formatting title areas of the login page.
Form CSS: CSS tags for formatting form areas of the login page.
Instruction CSS: CSS tags for formatting instruction areas of the login page.
Misc CSS: CSS tags for formatting miscellaneous areas of the login page.
3. Click Update to commit the changes made on the Style page, then click View to view the login page
using the updated changes.

Configure Other Login Properties


• Redirect the Login Success Page, page 5-14
• Specify Logout Page Information, page 5-15

Redirect the Login Success Page


By default, the CAM takes web login users who are authenticated to the originally requested page. You
can specify another destination for authenticated users by role. To set the redirection target:
1. Go to User Management > User Roles > List of Roles.
2. Click the Edit button next to the role for which you want to set a login success page (Figure 5-10).

Figure 5-10 Edit User Role Page


3. For the After Successful Login Redirect to option, click “this URL” and type the destination URL
in the text field, making sure to specify “http://” in the URL. Make sure you have created a traffic
policy for the role to allow HTTP access so that the user can get to the web page (see Add Global
IP-Based Traffic Policies, page 9-4).
4. Click Save Role when done.

Note Typically, a new browser is opened when a redirect page is specified. If pop-up blockers are enabled on
the client, Cisco NAC Appliance will use the main browser window as the Logout page in order to show
login status, logout information and VPN information (if any).

Note High encryption (64-bit or 128-bit) is required for client browsers for web login and Clean Access Agent
authentication.

Specify Logout Page Information


After a successful login, the logout page pops up in its own browser on the client machine (Figure 5-11),
usually behind the login success browser.

Figure 5-11 Logout Page (callouts: User info, Logout button)

You can specify the information that appears on the logout page by role as follows:
1. Go to the User Management > User Roles > List of Roles page.
2. Click the Edit button next to the role for which you want to specify logout page settings.
3. In the Edit Role page (Figure 5-10), click the corresponding Show Logged on Users options to
display them on the Logout page:
IPSec info – The IPSec key for the user. If the dynamic IPSec key option is enabled, the user is
notified of their one-time, 128-bit key. If the dynamic IPSec key option is disabled on the role
properties page, the user is given the default preshared key.
PPP info – The password for Point-to-Point Protocol (PPP) access on the network.
User info – Information about the user, such as the username.


Logout button – A button for logging off the network.

Note If no options are selected, the logout page will not appear.

See Create Local User Accounts, page 6-14 for further details.

Guest User Access


Guest access makes it easy to provide visitors or temporary users limited access to your network. At
installation, the Clean Access Manager includes a built-in guest user account. By default, the local user
“guest” belongs to the Unauthenticated Role, and is validated by the Clean Access Manager itself
(Provider: LocalDB). You should specify a different role for the guest user and configure that role with
login redirection, traffic control, and timeout policies as appropriate for guest users on your network.
With the guest account method for guest access, guest users share the network with authenticated users.
The Event Log displays all guest users with username “guest” but will differentiate each guest user by
login timestamp and MAC/IP address (if L2) or IP address (if L3).

Note Local authentication must be enabled to use the built-in guest access account.

The following are two methods to implement guest access.

Enable Login Page “Guest Access”


With this method, the Guest Access button is enabled on the user login page. When a visitor clicks the
button, the username and password guest/guest are sent to the CAM for authentication, and the guest
user can be immediately redirected to the desired web page. Note that you must configure a new user
role to which to associate the guest user.

General Steps
1. Create Guest User Role, page 5-16
2. Associate Guest User to Role, page 5-16
3. Configure Traffic Policies for Guest Role, page 5-17
4. Enable Guest Access Button on Login Page, page 5-17

Create Guest User Role


1. Go to User Management > User Roles > New Role
2. Type a new Role Name (e.g. “Guest Role”)
3. In the After Successful Login Redirect to field, click the option for “this URL:” and type a
redirection URL (e.g. http://www.cisco.com/).
4. Click Create Role.

Associate Guest User to Role


1. Go to User Management > Local Users > List of Local Users
2. Click the Edit button for user guest.


3. Choose the guest role you created from the Role dropdown list.
4. Click Save User.

Configure Traffic Policies for Guest Role


1. Go to User Management > User Roles > List of Roles and click the Policies button for the Guest
role (the Traffic Control page for the role appears).
2. Click the Host sublink tab. The Host policies page for the role appears.
3. For Trusted DNS Server, click the Add button to add a trusted DNS server to the role.
4. Add a policy for the redirection URL you configured for the user role by typing an Allowed Host
(e.g. www.cisco.com), selecting a Match option (e.g. contains) and clicking Add.
5. Configure any other traffic policies needed for the role in the IP or Host configuration pages.
6. Set a session timeout for the role if desired under User Management > User Roles > Schedule >
Session Timer > Edit [user role].
See Chapter 9, “User Management: Traffic Control, Bandwidth, Schedule” for further details.

Enable Guest Access Button on Login Page


1. Go to Administration > User Pages > Login Page > List and click the Edit button next to the login
page on which you want to provide guest access.
2. Click the Content sublink to edit the page, then click the checkbox for Guest Label. Modify, if
desired, the label that appears on the guest access button.
3. Optionally, disable other user-input login fields, and type relevant instructions to the guest user in
the Instructions text field. To configure a left-pane login screen, set the page to be Frame-based
under the General sublink. See Customize Login Page Content, page 5-9 for details.
4. Click Update.

Enable Guest Users with Any Credential


With this method, guest users do not use the Guest Access button to login but can enter any identifier as
a login credential. This method allows guest users to submit their email addresses. The identifier the user
submits in the login page (e.g. email address) will appear as the User Name in the Online Users page
while the user is logged in.

General Steps
1. Create Guest User Role, page 5-16
2. Associate Guest User to Role, page 5-16
3. Configure Traffic Policies for Guest Role, page 5-17
4. Map Allow All Auth Provider to Guest Role, page 5-17
5. Configure Login Page, page 5-18

Map Allow All Auth Provider to Guest Role


1. Go to User Management > Auth Servers > New and choose Allow All from the Authentication
Type dropdown menu.
2. For the Default Role, choose the “Guest” user role you already created for the guest user.
3. Click Add Server (see Allow All, page 7-13 for further details).


Configure Login Page


1. Go to Administration > User Pages > Login Page > List > Edit [login page] | Content
2. In the login page, rename the Username Label to Email Address, or hide the username label if you
do not want users to provide an identifier. (The implicit username and password for the Allow All
auth provider is guest/guest.)
3. On the login page, hide the Password Label, Provider Label, and Guest Label buttons.
4. Set the default provider to the Allow All authentication provider you set up in the first step of this
procedure.
Guests can now access the network without login credentials. If the user submits an identifier in the login
page, such as an email address, the identifier appears in the Online Users page while the user is logged in.

Chapter 6 User Management: Configuring User Roles and Local Users

This chapter describes the following topics:


• Overview, page 6-1
• Create User Roles, page 6-1
• Create Local User Accounts, page 6-14
For details on configuring authentication servers, see Chapter 7, “User Management: Configuring Auth
Servers.”
For details on creating and configuring the web user login page and guest users, see Chapter 5,
“Configuring User Login Page and Guest Access.”
For details on configuring traffic policies for user roles, see Chapter 9, “User Management: Traffic
Control, Bandwidth, Schedule.”

Overview
This chapter describes the user role concept in Cisco NAC Appliance. It describes how user roles are
assigned and how to create and configure them. It also describes how to create local users that are
authenticated internally by the CAM (used primarily for testing).

Create User Roles


Roles are integral to the functioning of Cisco NAC Appliance and can be thought of in the following
ways:
• As a classification scheme for users that persists for the duration of a user session.
• As a mechanism that determines traffic policies, bandwidth restrictions, session duration, Clean
Access vulnerability assessment, and other policies within Cisco NAC Appliance for particular
groups of users.
In general, roles should be set up to reflect the shared needs of distinct groups of users in your network.
Before creating roles, you should consider how you want to allocate privileges in your network, apply
traffic control policies, or group types of client devices. Roles can frequently be based on existing groups


within your organization (for example, students/faculty/staff, or engineering/sales/HR). Roles can also
be assigned to groups of client machines (for example, gaming boxes). As shown in Figure 6-1, roles
aggregate a variety of user policies including:
• Traffic policies
• Bandwidth policies
• VLAN ID retagging
• Clean Access network port scanning plugins
• Clean Access Agent client system requirements

Figure 6-1 Normal Login User Roles

User Role Types


The system puts a user in a role when the user attempts to log in. There are four default user role types
in the system: Unauthenticated Role, Normal Login Role, Clean Access Agent Temporary Role, and
Clean Access Quarantine Role.


Unauthenticated Role
There is only one Unauthenticated Role and it is the system default role. If a configured normal login
role is deleted, users in that role are reassigned to the Unauthenticated Role (see Delete Role, page 6-13).
You can configure traffic and other policies for the Unauthenticated Role, but the role itself cannot be
edited or removed from the system.
Users on the untrusted (managed) side of the Clean Access Server are in the Unauthenticated role prior
to the initial web login or Clean Access Agent login. When using web login/network scanning only, users
remain in the Unauthenticated role until clients pass scanning (and are transferred to a normal login
role), or fail scanning (and are either blocked or transferred to the quarantine role).

Normal Login Role


There can be multiple normal login roles in the system. A user is put into a normal login role after a
successful login. You can configure normal login roles to associate users with the following:
• Network access traffic control policies — what parts of the network and which application ports
users can access while in the role.
• VLAN ID:
– For in-band users, retag traffic (to/from users in the role) destined to the trusted network to
differentiate priority to the upstream router.
– For out-of-band (OOB) users, set the Access VLAN ID for users in the role if using role-based
configuration.
• Clean Access network scanning plugins—the Nessus port scanning to perform, if any
• Clean Access Agent requirements—the software package requirements client systems must have.
• End-user HTML page(s) displayed after successful or unsuccessful web logins —the pages and
information to show to web login users in various subnets/VLANs/roles. See Chapter 5,
“Configuring User Login Page and Guest Access” for further details.
Typically, there are a number of normal login roles in a deployment, for example roles for Students,
Faculty, and Staff (or Engineering, HR, Sales). You can assign normal login roles to users in several
ways:
• By the MAC address or subnet of a client device.
You can assign a role to a device or subnet through Device Management > Filters. See Global
Device and Subnet Filtering, page 3-7 for details.
• By local user attributes. Local users are primarily used for testing and are authenticated internally
by the Clean Access Manager rather than an external authentication server. You can assign a role to
a local user through User Roles > Local Users. See Create Local User Accounts, page 6-14.
• By external authentication server attributes. For users validated by an external authentication server,
the role assigned can be based on:
– The untrusted network VLAN ID of the user. This allows you to use untrusted network
information to map users into a user role.
– The authentication attributes passed from LDAP and RADIUS authentication servers. This allows
you to use authentication attributes to map different users to different roles within Cisco NAC
Appliance.
If no mapping rules are specified, users are assigned the default role specified for the authentication
server after login. VLAN mapping and attribute mapping are done through User Management > Auth
Servers > Mapping Rules.


For details, see Adding an Authentication Provider, page 7-4 and Map Users to Roles Using
Attributes or VLAN IDs, page 7-17.

Role Assignment Priority

Note that the order of priority for role assignment is as follows:


1. MAC address
2. Subnet / IP Address
3. Login information (login ID, user attributes from auth server, VLAN ID of user machine, etc.)
Therefore, if a MAC address associates the client with “Role A”, but the user’s login ID associates him
or her to “Role B”, “Role A” is used.
For additional details, see also Global Device and Subnet Filtering, page 3-7 and Device Filters for
Out-of-Band Deployment, page 3-11.
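The precedence just described (MAC filter, then subnet/IP filter, then login information from the auth server's mapping rules and default role), as an added illustration rather than code from the CAM: the filter tables, the `AuthServer` rule shape and the sample configuration are assumptions constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LoginInfo:
    """What is known at login: the provider used and what it returned (assumed shape)."""
    username: str
    provider: str                                   # e.g. "LocalDB", "ldap1", "allow_all"
    attributes: dict = field(default_factory=dict)  # attributes returned by the auth server
    vlan_id: Optional[int] = None                   # untrusted-side VLAN ID of the client


@dataclass
class AuthServer:
    """Auth provider with its default role and mapping rules (assumed shape)."""
    default_role: str
    # attribute rules: (attribute name, expected value, role); first match wins
    attribute_rules: list = field(default_factory=list)
    # VLAN mapping rules: {vlan id: role}
    vlan_rules: dict = field(default_factory=dict)


class RoleResolver:
    UNAUTHENTICATED = "Unauthenticated Role"

    def __init__(self, mac_filters, subnet_filters, auth_servers):
        # Device Management > Filters entries: MAC -> role and subnet -> role
        self.mac_filters = {mac.lower(): role for mac, role in mac_filters.items()}
        self.subnet_filters = [(ipaddress.ip_network(net), role) for net, role in subnet_filters]
        self.auth_servers = auth_servers  # provider name -> AuthServer

    def by_mac(self, mac):
        """Priority 1: a MAC address filter (only L2 deployments see the client MAC)."""
        return self.mac_filters.get(mac.lower()) if mac else None

    def by_ip(self, ip):
        """Priority 2: a subnet / IP filter; the most specific matching subnet wins."""
        addr = ipaddress.ip_address(ip)
        matches = [(net, role) for net, role in self.subnet_filters if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def by_login(self, login):
        """Priority 3: login information, i.e. the auth server's mapping rules, then its default role."""
        server = self.auth_servers.get(login.provider)
        if server is None:
            return None  # unknown provider: no role derived from login
        if login.vlan_id in server.vlan_rules:
            return server.vlan_rules[login.vlan_id]
        for attr, expected, role in server.attribute_rules:
            value = login.attributes.get(attr)
            if value == expected or (isinstance(value, list) and expected in value):
                return role
        return server.default_role

    def resolve(self, mac, ip, login=None):
        """Return (role, source); the first source in priority order that yields a role is used."""
        candidates = (
            ("mac", self.by_mac(mac)),
            ("subnet", self.by_ip(ip)),
            ("login", self.by_login(login) if login else None),
        )
        for source, role in candidates:
            if role:
                return role, source
        return self.UNAUTHENTICATED, "default"


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_RESOLVER = RoleResolver(
    mac_filters={"00:11:22:33:44:55": "Gaming Role"},
    subnet_filters=[("10.1.0.0/16", "Lab Role"), ("10.1.5.0/24", "Faculty Role")],
    auth_servers={
        "ldap1": AuthServer("Student Role",
                            attribute_rules=[("memberOf", "cn=faculty", "Faculty Role")],
                            vlan_rules={20: "Staff Role"}),
        "allow_all": AuthServer("Guest Role"),
    },
)

if __name__ == "__main__":
    faculty = LoginInfo("alice", "ldap1", {"memberOf": ["cn=faculty"]})
    # The MAC filter wins over the login-derived role ("Role A" beats "Role B")
    print(SAMPLE_RESOLVER.resolve("00:11:22:33:44:55", "192.168.1.5", faculty))
    print(SAMPLE_RESOLVER.resolve("aa:bb:cc:dd:ee:ff", "192.168.1.5", faculty))
```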

Clean Access Roles


The Clean Access process can be implemented on your network as network scanning only (see
Figure 10-4 on page 10-5), Clean Access Agent only, or Clean Access Agent with network scanning (see
Figure 10-3 on page 10-4). With Clean Access enabled, two types of roles are used specifically for Clean
Access:
• Clean Access Agent Temporary Role
When the Clean Access Agent is used, the Clean Access Agent Temporary role is assigned to users
after authentication to allow the user limited network access to download and install required
packages that will prevent the user’s system from becoming vulnerable. The user is prevented from
normal login role access to the network until the Clean Access Agent requirements are met.
There is only one Clean Access Agent Temporary role in the system. This role is only in effect when
the user is required to use Clean Access Agent to login and pass Clean Access requirements.
The Clean Access Agent Temporary role is assigned to users for the following time periods:
a. From the login attempt until successful network access. The client system meets Clean Access
Agent requirements and is not found with vulnerabilities after network scanning. The user
transfers from the Clean Access Agent Temporary role into the user’s normal login role.
b. From the login attempt until Clean Access Agent requirements are met. The user has the amount
of time configured in the Session Timer for the role to download and install required packages.
If the user cancels or times out, the user is removed from the Clean Access Agent Temporary
role and must restart the login process. If the user downloads requirements within the time
allotted, the user stays in the Clean Access Agent Temporary role and proceeds to network
scanning (if enabled).
c. From the login attempt until network scanning finds vulnerabilities on the user system. If the
client system meets Clean Access Agent requirements, but is found to have vulnerabilities
during network scanning, the user is transferred from the Clean Access Agent Temporary role
into the quarantine role.
• Quarantine Role
With network scanning enabled, the purpose of the Clean Access quarantine role is to allow the user
limited network access to resources needed to fix vulnerabilities that already exist on the user
system. The user is prevented from normal login role access to the network until the vulnerabilities
are fixed.


There can be one or multiple quarantine roles in the system. A user is put into a quarantine role if:
– The user attempts to log in using the web login page, and Clean Access network scanning finds
a vulnerability on the user system.
– The user logs in using Clean Access Agent and meets Clean Access Agent requirements but
Clean Access network scanning finds a vulnerability on the user system.
The user has the amount of time configured in the Session Timer for the role to access resources to
fix vulnerabilities. If the user cancels or times out, the user is logged out of the quarantine role and
must restart the login process. At the next login attempt, the client again goes through the Clean
Access process.
When the user fixes vulnerabilities within the time allotted, if Clean Access Agent is used to log in,
the user can go through network scanning again during the same session. If web login is used, the
user must log out or time out then login again for the second network scanning to occur.

Note When using web login, the user should be careful not to close the Logout page (see Figure 5-11 on
page 5-15). If the user does not log out but reattempts to log in before the session times out, the user is
still considered to be in the original quarantine role and is not redirected to the login page.

Only when the user has met requirements and fixed vulnerabilities is the user allowed network access in
the corresponding normal login role. You can map all normal login roles to a single quarantine role, or
you can create and customize different quarantine roles. For example, multiple quarantine roles can be
used if different resources are required to fix vulnerabilities for particular operating systems. In either
case, a normal login role can only be mapped to one quarantine role. After the roles are created, the
association between the normal role and quarantine role is set up in the Device Management > Clean
Access > General Setup form. See General Setup Summary, page 10-17 for details.

Session Timeouts
You can limit network access for Clean Access roles with brief session timeouts and restricted traffic
policy privileges. The session timeout period is intended to allow users only a minimum amount of time
to complete Clean Access checks and get required software packages. A minimal timeout period for
Clean Access-related roles:
• Limits the exposure of vulnerable users to the network.
• Prevents users from full network access in the Temporary role
This is to limit users from circumventing rechecks if they fail a particular check, install the required
package, restart their computers, but do not manually log out.
Factors in determining the timeout period appropriate for your environment include the network
connection speed available to users and the download size of packages you will require.
You can additionally configure a Heartbeat Timer to log off all users if the CAS cannot connect to the
clients after a configurable number of minutes. See Configure User Session and Heartbeat Timeouts,
page 9-15 for further details.
You can configure Max Sessions per User Account for a user role. This allows administrators to limit
the number of concurrent machines that can use the same user credentials. The feature allows you to
restrict the number of login sessions per user to a configured number. If the online login sessions for a
username exceed the value specified (1 – 255; 0 for unlimited), the web login page or the Clean Access
Agent will prompt the user to end all sessions or end the oldest session at the next login attempt. See
Role Properties, page 6-8 for details.
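The Max Sessions per User Account behaviour above (limit 0 for unlimited, 1 to 255 otherwise; at the limit the user is asked to end all sessions or the oldest one), together with the role Session Timer expiring stale sessions, as an added illustration that is not the CAM's code: the session record, the resolution strings and the table class are assumptions made for this example.

```python
import time
from dataclasses import dataclass


@dataclass
class Session:
    username: str
    mac: str
    ip: str
    login_time: float  # seconds since epoch


class MaxSessionsExceeded(Exception):
    """A new login would exceed the role's Max Sessions per User Account.
    The caller (web login page or Agent) must prompt the user for a resolution."""
    def __init__(self, active):
        super().__init__(f"{len(active)} active session(s) already use this account")
        self.active = active


class RoleSessionTable:
    """Online sessions for one user role (assumed structure, not the CAM's)."""

    def __init__(self, max_sessions, session_timeout):
        if not 0 <= max_sessions <= 255:
            raise ValueError("Max Sessions per User Account must be 0 (unlimited) to 255")
        self.max_sessions = max_sessions
        self.session_timeout = session_timeout  # role Session Timer, in seconds
        self.sessions = []

    def expire(self, now):
        """Drop sessions whose Session Timer has elapsed; those users must log in again."""
        self.sessions = [s for s in self.sessions
                         if now - s.login_time < self.session_timeout]

    def active_for(self, username):
        """Online sessions for a username, oldest first (same credentials, different MAC/IP)."""
        return sorted((s for s in self.sessions if s.username == username),
                      key=lambda s: s.login_time)

    def login(self, username, mac, ip, now=None, resolution=None):
        """Add a session; at the limit, apply the user's chosen resolution ("end_all" or
        "end_oldest") or raise MaxSessionsExceeded so the login UI can ask for one."""
        now = time.time() if now is None else now
        self.expire(now)
        active = self.active_for(username)
        if self.max_sessions and len(active) >= self.max_sessions:
            if resolution == "end_all":
                for s in active:
                    self.sessions.remove(s)
            elif resolution == "end_oldest":
                # drop the oldest sessions until there is room for this one
                for s in active[: len(active) - self.max_sessions + 1]:
                    self.sessions.remove(s)
            else:
                raise MaxSessionsExceeded(active)
        session = Session(username, mac, ip, now)
        self.sessions.append(session)
        return session

    def logout(self, session):
        self.sessions.remove(session)

    def count(self, username):
        return len(self.active_for(username))
```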


Default Login Page


A default login page must be added and present in the system in order for both web login and Clean
Access Agent users to authenticate.
The login page is generated by Cisco NAC Appliance and shown to end users by role. When users first
try to access the network from a web browser, an HTML login page appears prompting the users for a
user name and password. Cisco NAC Appliance submits these credentials to the selected authentication
provider, and uses them to determine the role in which to put the user. You can customize this web login
page to target the page to particular users based on a user’s VLAN ID, subnet, and operating system.

Caution If a default login page is not present, Clean Access Agent users will see an error dialog when attempting
login (“Clean Access Server is not properly configured, please report to your administrator.”).

Note For L3 OOB deployments, you must also Enable Web Client for Login Page, page 5-6.

For details on creating and configuring the web user login page, see Chapter 5, “Configuring User Login
Page and Guest Access.” To quickly add a default login page, see Add Default Login Page, page 5-3.

Traffic Policies for Roles


When you first create a role, it has a default traffic filtering policy of “deny all” for traffic moving from
the untrusted side to the trusted side, and “allow all” for traffic from the trusted side to the untrusted side.
Therefore, after creating the role, you need to create policies to permit the appropriate traffic. See
Chapter 9, “User Management: Traffic Control, Bandwidth, Schedule” for details on how to configure
IP-based and host-based traffic policies for user roles.
In addition, traffic policies need to be configured for the Clean Access Agent Temporary Role and the
quarantine role to prevent general access to the network but allow access to web resources or remediation
sites necessary for the user to meet requirements or fix vulnerabilities. See Configure Policies for Agent
Temporary and Quarantine Roles, page 9-19 for details.

Add New Role


The Clean Access Agent Temporary role and a Quarantine role already exist in the system and only need
to be configured. However, normal login roles (or any additional quarantine roles) must first be added.
Once a new role is created, it can then be associated to the traffic policies and other properties you
customize in the web console for your environment.

Note For new roles, traffic policies must be added to allow traffic from the untrusted to the trusted network.
See Chapter 9, “User Management: Traffic Control, Bandwidth, Schedule” next for details.

1. Go to User Management > User Roles > New Role (Figure 6-2).

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 6 User Management: Configuring User Roles and Local Users
Create User Roles

Figure 6-2 Add New User Role

2. If you want the role to be active right away, leave Disable this role cleared.
3. Type a unique name for the role in the Role Name field.
4. Type an optional Role Description.
5. For the role type, choose either:
Normal Login Role – Assigned to users after a successful login. When configuring mapping
rules for authentication servers, the attributes passed from the auth server are used to map users
into normal login roles. Network scan plugins and Clean Access Agent requirements are also
associated to a normal login role. When users log in, they are scanned for plugins and/or
requirements met (while in the unauthenticated/Temporary role). If users meet requirements and
have no vulnerabilities, they gain access to the network in the normal login role.

Note Form fields that only apply to normal login roles are marked with an asterisk (*).

Quarantine Role – Assigned to users to quarantine them when Clean Access network scanning
finds a vulnerability on the user system. Note that a system Quarantine role already exists and
can be configured. However, the New Role form allows you to add additional quarantine roles
if needed.
6. See Role Properties, page 6-8 for configuration details on each role setting.


Note If planning to use role-based profiles with an OOB deployment, you must specify the Access
VLAN in the Out-of-Band User Role VLAN field when you create the user role. For further
details see Out-of-Band User Role VLAN, page 6-10 and Add Port Profile, page 4-28.

7. When finished, click Create Role. To restore default properties on the form click Reset.
8. The role now appears in the List of Roles tab.
9. If creating a role for testing purposes, the next step is to create a local user to associate to the role.
See Create Local User Accounts, page 6-14 next.

Role Properties
Table 6-1 details all the settings in the New Role (Figure 6-2) and Edit Role (Figure 6-4) forms.
Table 6-1 Role Properties

Disable this role – Stops the role from being assigned to new users.
Role Name – A unique name for the role.
Role Description – An optional description for the role.
Role Type – Whether the role is a Normal Login Role or a Clean Access-related role: Quarantine Role or Clean Access Agent Temporary Role. See User Role Types, page 6-2 for details, and Chapter 10, “Clean Access Implementation Overview” for further information.
VPN Policy – Whether users in the role and authenticated by the provider are required to use IPSec/L2TP/PPTP encryption for connection to the CAS. (Note: IPSec/L2TP/PPTP and roaming are deprecated in release 4.1(0) and will be removed in future releases.) Options are:
• Deny (default) – Encryption is not permitted. If this level of security is not required for your environment, you can deny IPSec/L2TP/PPTP encryption to avoid burdening the network infrastructure with traffic.
• Optional – Encryption may be used at the client’s choice.
• Enforce – The client must use IPSec/L2TP/PPTP encryption.
Note The IPSec/L2TP/PPTP encryption policy must also be enabled (Optional or Enforce) on the CAS (Device Management > CCA Servers > Manage [CAS_IP] > Network > IPSec). The CAS policy setting takes precedence over the role policy setting. This allows you to control encryption use based on which CAS (or subnet) the user accessed. See the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide for details.
Note If an Optional or Enforce VPN Policy is enabled for both CAS and user role, the Clean Access Agent displays VPN information as a link from the login success dialog (see Figure 12-69 on page 12-61). For web login users, you must configure the logout page to display VPN information fields (see Show Logged-on Users, page 6-11).


Dynamic IPSec Key – If enabled, each user is assigned a distinct, one-time preshared key upon logging in. The user should use this key as the preshared key in their IPSec client to create the IPSec connection. If disabled, the user will need to use the default key (shared by all users) for the IPSec connection. Web login users are given the key in the logout page if you select IPSec info in Show Logged-on Users, page 6-11.
Max Sessions per User Account (Case-Insensitive) – Limits the number of concurrent machines that can use the same user credentials. If the online login sessions for a username exceed the value specified (1–255; 0 for unlimited), the web login page or the Clean Access Agent will prompt the user to end all sessions or end the oldest session at the next login attempt.
The Case-Insensitive checkbox controls whether user names that differ only in case count as the same user toward the max session count. If case-sensitivity is kept (box unchecked; default), jdoe, Jdoe, and jDoe are treated as different users. If case-sensitivity is disabled (box checked), jdoe, Jdoe, and jDoe are treated as the same user.
Retag Trusted-side Egress Traffic with VLAN (In-Band) – In-Band Configuration: Retag Trusted-side Traffic with VLAN ID. When the CAS is deployed inline with traffic, the value entered in this field is used to retag user traffic as it exits the trusted side of the CAS. For example, if two users connect to the same Access Point with the same SSID, depending on their roles, their traffic can be tagged with different VLAN IDs as their traffic flows through the CAS to the trusted side of the network (see Figure 6-1 on page 6-2).
Type a value in this field to assign a VLAN ID to outgoing traffic from users in the role. Incoming traffic with the VLAN ID value is reassigned the value originally used by the role, if any. For in-band configuration, trusted-side VLAN retagging is only performed in Real-IP and NAT Gateway modes. In-band Virtual Gateways do not perform VLAN retagging based on role assignment.


Out-of-Band User Role VLAN – Out-of-Band (OOB) Configuration: Retag Trusted-side Traffic with Role VLAN. Once a user has finished posture assessment and remediation, if needed, and the client device is deemed to be “certified,” the switch port to which the client is connected can be assigned to a different Access VLAN based on the value specified in the Out-of-Band User Role VLAN field. Hence, users connecting to the same port (at different times) can be assigned to different Access VLANs based on this setting in their user role.
For OOB deployment, if configuring role-based VLAN switching for a controlled port, you must specify an Access VLAN ID when you create the user role. When an out-of-band user logs in from a managed switch port, the CAM will:
• Determine the role of the user based on the user's login credentials.
• Check if role-based VLAN switching is specified for the port in the Port Profile.
• Switch the user to the Access VLAN, once the client is certified, according to the value specified in the Out-of-Band User Role VLAN field for the user's role.
Admins can specify a VLAN Name or VLAN ID on the New/Edit User Role form. VLAN Name is case-sensitive. If specifying wildcards for VLAN Name, you can use: abc, *abc, abc*, *abc*. The switch will use the first match for a wildcard VLAN Name. You can only specify numbers for VLAN ID.
If the switch cannot find the VLAN specified (e.g. VLAN Name is mistyped), the error will appear in perfigo.log (not the Event Log).
For additional details, see Global Device and Subnet Filtering, page 3-7 and Chapter 4, “Switch Management: Configuring Out-of-Band (OOB) Deployment.”
After Successful Login Redirect to – When successfully logged in, the user is forwarded to the web page indicated by this field. You can have the user forwarded to:
• previously requested URL – (default) The URL requested by the user before being redirected to the login page.
• this URL – To redirect the user to another page, type “http://” and the desired URL in the text field. Note that “http://” must be included in the URL.
Note Typically, a new browser is opened when a redirect page is specified. If pop-up blockers are enabled, Cisco NAC Appliance will use the main browser window as the Logout page in order to show login status, logout information and VPN information (if any).
See also Redirect the Login Success Page, page 5-14.


Redirect Blocked Requests to – If the user is blocked from accessing a resource by a “Block” IP traffic policy for the role, users are redirected when they request the blocked page. You can have the user forwarded to:
• default access blocked page – The default page for blocked access.
• this URL or HTML message – A particular URL or HTML message you specify in the text field.
See also Adding Traffic Policies for Default Roles, page 9-27.
Roam Policy – With roaming support enabled, determines whether users in this role are allowed to roam. See Chapter 17, “Device Management: Roaming (Deprecated)” for details.
Note IPSec/L2TP/PPTP and roaming are deprecated in release 4.1(0) and will be removed in future releases.
Show Logged-on Users – The information that should be displayed to web users in the Logout page. After the web user successfully logs in, the Logout page pops up in its own browser and displays user status based on the combination of options you select:
• IPSec info – The IPSec key assigned to the user. If the dynamic IPSec key option is enabled, this is the one-time, 128-bit key. If disabled, this is the default preshared key.
• PPP info – The password for PPP access on the network.
• User info – Information about the user, such as the user name.
• Logout button – A button for logging the user off the network (web Logout page only).
See Specify Logout Page Information, page 5-15 for an example of a Logout page.
Note For Agent users, a link to a VPN Info dialog is provided in the success login and taskbar menu if an Optional or Enforce VPN Policy is enabled for both the CAS and user role. See Figure 12-69 on page 12-61.


Modify Role
From the List of Roles tab (Figure 6-3), you can configure traffic and bandwidth policies for any user
role. You can also edit the Clean Access Agent Temporary role, Quarantine role, and any normal login
role you have created.

Figure 6-3 List of Roles

Operations you can perform from the List of Roles tab are as follows:
• The Policies button links to the Traffic Control tab and lets you set traffic filter policies for
the role. For details, see Chapter 9, “User Management: Traffic Control, Bandwidth, Schedule.”
• The BW button links to the Bandwidth tab and lets you set upstream and downstream bandwidth
restrictions by role. For details, see Control Bandwidth Usage, page 9-13.
• The Edit button links to the Edit Role tab and lets you modify role properties. See Edit a Role,
page 6-12 below.
• The Delete button removes the role and all associated policies from the system and assigns users
to the Unauthenticated role. See Delete Role, page 6-13.
• A network access schedule can be specified for the role. For details, see Configure User Session and
Heartbeat Timeouts, page 9-15.

Edit a Role
1. Go to User Management > User Roles > List of Roles.
2. Roles listed will include the following:
Clean Access Agent Temporary Role – Assigned to users to force them to meet Clean Access
Agent packages or requirements when Clean Access Agent is required to be used for login and
Clean Access vulnerability assessment. There is only one Clean Access Agent Temporary Role
which is already present in the system. This role can be edited but not added.
Quarantine Role – Assigned to users to quarantine them when Clean Access network scanning
finds a vulnerability on the user system. You can configure the system Quarantine role only or
add additional quarantine roles if needed.
User-defined role – The user roles you have created.


Note You can configure traffic and bandwidth policies for the Unauthenticated Role, but otherwise
this system default role cannot be edited or removed.

3. Click the Edit button next to a role to bring up the Edit Role form (Figure 6-4).

Figure 6-4 Edit Role

4. Modify role settings as desired. See Role Properties, page 6-8 for details.
5. Click Save Role.

Delete Role
To delete a role, click the Delete button next to the role in the List of Roles tab of the User
Management > User Roles page. This removes the role and its associated policies from the system and
assigns users to the Unauthenticated role.
Users actively connected to the network in the deleted role will be unable to use the network. However,
their connection will remain active. Such users should be logged off the network manually, by clicking
the Kick User button next to the user in the Monitoring > Online Users > View Online Users page.
The users are indicated in the online user page by a value of Invalid in the Role column.


Create Local User Accounts


A local user is one who is validated by the Clean Access Manager itself, not by an external authentication
server. Local user accounts are not intended for general use (the users cannot change their password
outside of the web admin console). Local user accounts are primarily intended for testing or for guest
user accounts. For testing purposes, a user should be created immediately after creating a user role.

Create a Local User


1. Go to User Management > Local Users > New Local User.

Figure 6-5 New Local User

2. If you want the user account to be active immediately, be sure to leave the Disable this account
check box cleared.
3. Type a unique User Name for the user. This is the login name by which the user is identified in the
system.
4. Type a password in the Password field and retype it in the Confirm Password field. The password
value is case-sensitive.
5. Optionally, type a Description for the user.
6. Choose the default role for the user from the Role list. All configured roles appear in the list. If the
role you want to assign the user does not exist yet, create the role in the User Roles page and modify
the user profile with the new role.
7. When finished, click Create User.
The user now appears in the List of Local Users tab. From there, you can view user information, edit
user settings such as the name, password, role, or remove the user.

Chapter 7 User Management: Configuring Auth Servers

This chapter describes how to set up external authentication sources, configure Active Directory Single
Sign-On (SSO), VLAN ID or attribute-based auth server mapping rules, and RADIUS accounting.
Topics are as follows:
• Overview, page 7-1
• Adding an Authentication Provider, page 7-4
• Configuring Authentication Cache Timeout (Optional), page 7-14
• Authenticating Against Backend Active Directory, page 7-15
• Map Users to Roles Using Attributes or VLAN IDs, page 7-17
• Auth Test, page 7-25
• RADIUS Accounting, page 7-27
For details on AD SSO, see Chapter 8, “Configuring Active Directory Single Sign-On (AD SSO).”
For details on creating and configuring the web user login page, see Chapter 5, “Configuring User Login
Page and Guest Access.”
For details on configuring user roles and local users, see Chapter 6, “User Management: Configuring
User Roles and Local Users.”
For details on configuring traffic policies for user roles, see Chapter 9, “User Management: Traffic
Control, Bandwidth, Schedule.”

Overview
By connecting the Clean Access Manager to external authentication sources, you can use existing user
data to authenticate users in the untrusted network. Cisco NAC Appliance supports several
authentication provider types for the following two cases:
• When you want to work with an existing backend authentication server(s)
• When you want to enable any of the transparent authentication mechanisms provided by Cisco NAC
Appliance

Working with Existing Backend Authentication Servers


When working with existing backend authentication servers, Cisco supports the following authentication
protocol types:
• Kerberos


• RADIUS (Remote Authentication Dial-In User Service)


• Windows NT (NTLM Auth Server)
• LDAP (Lightweight Directory Access Protocol)
When using this option, the CAM is the authentication client which communicates with the backend auth
server. Figure 7-1 illustrates the authentication flow.

Figure 7-1 Cisco NAC Appliance Authentication Flow with Backend Auth Server
End user → CAS → CAM → Auth Server (RADIUS, LDAP, Windows NT, Kerberos): the user provides credentials to the CAS via web login or Clean Access Agent; the CAS provides the credentials to the CAM; the CAM verifies the credentials with the backend auth server.

Currently, it is required to use RADIUS, LDAP, Windows NT, or Kerberos auth server types if you want
to enable Cisco NAC Appliance system features such as:
• Network scanning policies
• Clean Access Agent requirements
• Attribute-based auth mapping rules

Note For Windows NT, the CAM must be on the same subnet as the domain controllers or, if it is not, its DNS settings must be able to resolve the DCs (see Windows NT, page 7-8).

Working with Transparent Auth Mechanisms


When using this option, Cisco supports the following authentication protocol types:
• Active Directory SSO
• Cisco VPN SSO
• Windows NetBIOS SSO (formerly known as “Transparent Windows”)
• S/Ident (Secure/Identification)
Depending on the protocol chosen, the Clean Access Server sniffs traffic relevant to the authentication
source flowing from the end user machine to the auth server (for example, Windows logon traffic for the
Windows NetBIOS SSO auth type). The CAS then uses or attempts to use that information to
authenticate the user. In this case, the user does not explicitly log into the Cisco NAC Appliance system
(via web login or Clean Access Agent).

Note S/Ident and Windows NetBIOS SSO can be used for authentication only —posture assessment,
quarantining, and remediation do not currently apply to these auth types.

Local Authentication
You can set up any combination of local and external authentication mechanisms. Typically, external
authentication sources are used for general users, while local authentication (where users are validated
internally to the CAM) is used for test users, guests, or other types of users with limited network access.
For details on using local authentication for guest access, see Guest User Access, page 5-16.


Providers
A provider is a configured authentication source. You can configure the providers you set up to appear
in the Provider dropdown menu of the web login page (Figure 7-2) and Clean Access Agent to allow
users to choose the domain in which to be authenticated.

Figure 7-2 Provider Field in Web Login Page

Mapping Rules
You can set up role assignment for users based on the authentication server. For all auth server types,
you can create mapping rules to assign users to roles based on VLAN ID. For LDAP, RADIUS, and Cisco
VPN SSO auth servers, you can additionally map users into roles based on attribute values passed from
the authentication server.


Adding an Authentication Provider


The following are the general steps to add an authentication server to the Clean Access Manager.

Step 1 Go to User Management > Auth Servers > New.


Step 2 From the Authentication Type list, choose the authentication provider type.
Step 3 For Provider Name, type a name that is unique among authentication providers. If you intend to offer your
users the ability to select providers from the login page, use a name that is meaningful or recognizable
to them, since this is the name they will see in the Provider list.
Step 4 Choose the Default Role (user role) to be assigned to users authenticated by this provider. This default
role is used if not overridden by a role assignment based on MAC address or IP address. The default role
is also assigned in the case that LDAP/RADIUS mapping rules do not result in a successful match.
Step 5 Enter an optional Description for the authentication server.
Step 6 Complete the fields specific to the authentication type you chose, as described in the following sections.
Step 7 When finished, click Add Server.

The new authentication source appears under User Management > Auth Servers > List of Servers.
• Click the Edit button next to the auth server to modify settings.
• Click the Mapping button next to the auth server to configure VLAN-based mapping rules for
any server type, or attribute-based mapping rules for LDAP, RADIUS, and Cisco VPN SSO auth
types.
Specific parameters to add each auth server type are described in the following sections:
• Kerberos, page 7-5
• RADIUS, page 7-6
• Windows NT, page 7-8
• LDAP, page 7-9
• Active Directory Single Sign-On (SSO), page 7-10
• Windows NetBIOS SSO, page 7-10
• Cisco VPN SSO, page 7-12
• Allow All, page 7-13
For using an LDAP auth server against Microsoft Active Directory, see also:
• Authenticating Against Backend Active Directory, page 7-15

Note To set a default auth provider for users configure the Default Provider option under Administration >
User Pages > Login Page > Edit > Content. See Chapter 5, “Configuring User Login Page and Guest
Access.”


Kerberos
1. Go to User Management > Auth Servers > New.
2. From the Authentication Type dropdown menu, choose Kerberos.

Figure 7-3 Add Kerberos Auth Server

3. Provider Name — Type a unique name for this authentication provider. Enter a meaningful or
recognizable name if web login users will be able to select providers from the web login page.
4. Domain Name – The domain name for your Kerberos realm in UPPER CASE, such as
CISCO.COM.
5. Default Role — Choose the user role assigned to users authenticated by this provider. This default
role is used if not overridden by a role assignment based on MAC address or IP address.
6. Server Name – The fully qualified host name or IP address of the Kerberos authentication server,
such as auth.cisco.com.
7. Description —Enter an optional description of this auth server for reference.
8. Click Add Server.

Note When working with Kerberos servers, keep in mind that Kerberos is case-sensitive and that the realm
name must be in UPPER CASE. The clocks of the CAM and the Kerberos server (KDC, typically the domain
controller) must also be synchronized, since Kerberos rejects requests outside its permitted clock skew.


RADIUS
The RADIUS authentication client in the Clean Access Manager can support failover between two
RADIUS servers. Basically, this allows the CAM to attempt to authenticate against a pair of RADIUS
servers, trying the primary server first and then failing over to the secondary server if it is unable to
communicate with the primary server. See the Enable Failover and Failover Peer IP field descriptions
below for details.
1. Go to User Management > Auth Servers > New.
2. From the Authentication Type dropdown menu, choose Radius.

Figure 7-4 Add RADIUS Auth Server

3. Provider Name — Type a unique name for this authentication provider. Enter a meaningful or
recognizable name if web login users will be able to select providers from the web login page.
4. Server Name – The fully qualified host name (e.g., auth.cisco.com) or IP address of the RADIUS
authentication server.
5. Server Port – The port number on which the RADIUS server is listening.
6. Radius Type – The RADIUS authentication method. Supported methods include EAPMD5, PAP,
CHAP, MSCHAP, and MSCHAP2.
7. Timeout (sec) – The timeout value for the authentication request.
8. Default Role — Choose the user role assigned to users authenticated by this provider. This default
role is used if not overridden by a role assignment based on MAC address or IP address, or if
RADIUS mapping rules do not result in a successful match.
9. Shared Secret – The RADIUS shared secret that the RADIUS server has configured for the CAM’s IP address (the CAM is the RADIUS client). This secret authenticates the server’s replies and is the only protection for PAP passwords in transit, so use a long, random value.


10. NAS-Identifier – The NAS-Identifier value to be sent with all RADIUS authentication packets.
Either a NAS-Identifier or a NAS-IP-Address must be specified to send the packets.
11. NAS-IP-Address – The NAS-IP-Address value to be sent with all RADIUS authentication packets.
Either a NAS-IP-Address or a NAS-Identifier must be specified to send the packets.
12. NAS-Port – The NAS-Port value to be sent with all RADIUS authentication packets.
13. NAS-Port-Type –The NAS-Port-Type value to be sent with all RADIUS authentication packets.
14. Enable Failover – This enables sending a second authentication packet to a RADIUS failover peer
IP if the primary RADIUS authentication server’s response times out.
15. Failover Peer IP – The IP address of the failover RADIUS authentication server.
16. Accept RADIUS packets with empty attributes from some old RADIUS servers – This option
enables the RADIUS authentication client to allow RADIUS authentication responses that are
malformed due to empty attributes, as long as the responses contain a success or failure code. This
may be required for compatibility with older RADIUS servers.
17. Description —Enter an optional description of this auth server for reference.
18. Click Add Server.
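The following Python program is an added example (not Cisco NAC Appliance code) that shows what the RADIUS fields above correspond to on the wire, per RFC 2865: an Access-Request carrying User-Name, the PAP-hidden User-Password, and the NAS-Identifier/NAS-IP-Address/NAS-Port/NAS-Port-Type attributes; verification of the Response Authenticator, which is the only thing tying a reply to the shared secret; and the primary-then-failover-peer retry that Enable Failover describes. The server addresses (10.0.0.1, 10.0.0.2), shared secret and credentials are made up, and fake_transport stands in for the network so the program runs offline.

```python
"""RADIUS Access-Request construction, PAP User-Password hiding, Response
Authenticator verification and primary/failover-peer retry, per RFC 2865.
Added illustration, not Cisco NAC Appliance code: the server addresses, shared
secret and credentials are made up, and fake_transport stands in for UDP."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute types behind the CAM form fields of the same names.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous
    block), seeded by the Request Authenticator.  Keyed obfuscation, not
    encryption: anyone holding the shared secret recovers the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side); the chain runs over hidden blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, username, password, secret, *, nas_identifier=None,
                         nas_ip=None, nas_port=None, nas_port_type=None, authenticator=None):
    """Return (packet, request_authenticator).  As on the CAM form, either
    NAS-Identifier or NAS-IP-Address must be supplied."""
    if nas_identifier is None and nas_ip is None:
        raise ValueError("NAS-Identifier or NAS-IP-Address is required")
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    if nas_identifier is not None:
        attrs += _attr(NAS_IDENTIFIER, nas_identifier.encode())
    if nas_ip is not None:
        attrs += _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if nas_port is not None:
        attrs += _attr(NAS_PORT, struct.pack("!I", nas_port))
    if nas_port_type is not None:
        attrs += _attr(NAS_PORT_TYPE, struct.pack("!I", nas_port_type))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server-side helper for the demonstration.  ResponseAuth =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """A reply whose Response Authenticator does not verify was not produced by a
    holder of the shared secret for this request and must be discarded."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def authenticate_with_failover(servers, send, username, password, secret, nas_identifier):
    """Try the primary, then the Failover Peer, moving on when a server times out
    (the Enable Failover semantics).  send(host, port, packet) is the transport
    and raises TimeoutError when the server stays silent."""
    status = "unreachable"
    for identifier, (host, port) in enumerate(servers, start=1):
        packet, req_auth = build_access_request(identifier % 256, username, password, secret,
                                                nas_identifier=nas_identifier)
        try:
            reply = send(host, port, packet)
        except TimeoutError:
            continue
        if not verify_response(reply, req_auth, secret):
            status = "invalid"  # RFC 2865: discard silently, i.e. behave as if no reply came
            continue
        return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")
    return status

def fake_transport(secret: bytes, down=(), valid=("jdoe", "s3cret")):
    """Constructed stand-in for the network: hosts listed in `down` time out;
    the others unhide the PAP password and answer Accept or Reject."""
    def send(host, port, packet):
        if host in down:
            raise TimeoutError(host)
        attrs, pos = {}, 20
        while pos < len(packet):
            attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
            pos += packet[pos + 1]
        creds = (attrs[USER_NAME].decode(errors="replace"),
                 unhide_password(attrs[USER_PASSWORD], secret, packet[4:20]).decode(errors="replace"))
        return build_response(ACCESS_ACCEPT if creds == valid else ACCESS_REJECT, packet, secret)
    return send
```

Two practical points follow from the code: PAP hiding is reversible by anyone who knows the shared secret, so the secret’s strength and the confidentiality of the CAM-to-RADIUS path matter; and a reply whose Response Authenticator fails to verify is treated as no reply at all rather than as a rejection, which is why the failover logic moves on to the peer instead of reporting the user as denied.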


Windows NT

Note • If the CAM is not in the same subnet as the domain controllers, then the CAM DNS settings must
be able to resolve the DCs.
• Currently, only NTLM v1 is supported. NTLM v1 is a cryptographically weak protocol by current standards; consider LDAP over SSL or AD SSO (Chapter 8) where they fit your environment.

1. Go to User Management > Auth Servers > New.


2. From the Authentication Type dropdown menu, choose Windows NT.

Figure 7-5 Add Windows NT Auth Server

3. Provider Name — Type a unique name for this authentication provider. Enter a meaningful or
recognizable name if web login users will be able to select providers from the web login page.
4. Domain Name – The name of the Windows NT domain in which users are authenticated.
5. Default Role — Choose the user role assigned to users authenticated by this provider. This default
role is used if not overridden by a role assignment based on MAC address or IP address.
6. Description —Enter an optional description of this auth server for reference.
7. Click Add Server.


LDAP
An LDAP auth provider in the Clean Access Manager can be used to authenticate users against a
Microsoft Active Directory server. See Authenticating Against Backend Active Directory, page 7-15 for
details.

Note Cisco NAC Appliance performs standard search and bind authentication. For LDAP, if Search(Admin)
Full DN/Search(Admin) Password is not specified, anonymous bind is attempted.

1. Go to User Management > Auth Servers > New.


2. From the Authentication Type dropdown menu, choose LDAP.

Figure 7-6 Add LDAP Auth Server

3. Provider Name—Type a unique name for this authentication provider. Enter a meaningful or
recognizable name if web login users will be able to select providers from the web login page.
4. Server URL—The URL of the LDAP server, in the form:
ldap://<directory_server_name>:<port_number>
If no port number is specified, 389 is assumed.
5. Server version—The LDAP version. Supported types include Version 2 and Version 3. Leave as
Auto (default) to have the server version automatically detected.
6. Search(Admin) Full DN—If access to the directory is controlled, the full DN of the LDAP user the CAM binds
as in order to search for users (e.g. cn=jane doe,cn=users,dc=cisco,dc=com). Use a dedicated account with
read-only access to the search base, since its password is stored on the CAM.
7. Search(Admin) Password – The password for the LDAP user.
8. Search Base Context—The root of the LDAP tree in which to perform the search for users (e.g.
dc=cisco, dc=com)
9. Search Filter—The attribute matched against the login name (e.g., uid=$user$ or sAMAccountName=$user$), where $user$ stands for the user name entered at login.


10. Referral—Whether referral entries are managed (in which the LDAP server returns referral entries
as ordinary entries) or returned as handles (Handle(Follow)). The default is Manage(Ignore).
11. DerefLink—If ON, object aliases returned as search results are de-referenced, that is, the actual
object that the alias refers to is returned as the search result, not the alias itself. The default is OFF.
12. DerefAlias—Options are Always (default), Never, Finding, Searching
13. Security Type—Whether the connection to the LDAP server uses SSL. The default is None, which sends the Search(Admin) bind password and each user’s password to the directory in cleartext, so select SSL whenever the directory supports it.

Note If the LDAP server uses SSL, be sure to import the certificate from the SSL Certificate tab of
the Administration > Clean Access Manager page.

14. Default Role—Choose the user role assigned to users authenticated by this provider. This default
role is used if not overridden by a role assignment based on MAC address or IP address, or if LDAP
mapping rules do not result in a successful match.
15. Description—Enter an optional description of this auth server for reference.
16. Click Add Server.
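The following Python program is an added example (not Cisco NAC Appliance code) of the search-and-bind sequence that the Note and fields above describe: bind as the Search(Admin) Full DN (or anonymously when none is given), search under the Search Base Context with the Search Filter after substituting the login name for $user$, require exactly one match, then bind as the matched DN with the user’s password. The directory is a small in-memory stand-in with constructed entries so the program runs offline. This page does not say whether the CAM escapes the value it substitutes for $user$; the RFC 4515 escaping shown is what any correct LDAP client must apply, and the example demonstrates it by contrast with unescaped substitution.

```python
"""Search-and-bind LDAP authentication of the kind the Search(Admin) Full DN,
Search Base Context and Search Filter fields describe, with RFC 4515 escaping
of the value substituted for $user$.  Added illustration, not Cisco NAC
Appliance code: the directory is an in-memory stand-in (constructed data), and
whether the CAM itself escapes the substituted value is not stated on the page."""
import re

# Constructed directory: DN -> (password, attributes).  Attribute names are
# stored lower-case because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "cn=Search Admin,cn=Users,dc=example,dc=com":
        ("admin-pw", {"samaccountname": ["svc-cam"]}),
    "cn=Jane Doe,cn=Users,dc=example,dc=com":
        ("jane-pw", {"samaccountname": ["jdoe"], "memberof": ["cn=Staff,dc=example,dc=com"]}),
    "cn=John Roe,cn=Users,dc=example,dc=com":
        ("john-pw", {"samaccountname": ["jroe"], "memberof": ["cn=Guests,dc=example,dc=com"]}),
}
ADMIN_DN = "cn=Search Admin,cn=Users,dc=example,dc=com"
BASE = "dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: hex-escape the characters that carry meaning inside a
    filter, so a login name such as '*' or 'j*' cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_search_filter(template: str, username: str, escape: bool = True) -> str:
    """Substitute the login name for $user$ in the configured filter template
    (e.g. uid=$user$ or sAMAccountName=$user$) and parenthesize the result."""
    value = escape_filter_value(username) if escape else username
    return "(" + template.replace("$user$", value) + ")"

def _unescape(segment: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)

def _match_value(pattern: str, actual: str) -> bool:
    """Raw '*' is a wildcard; an escaped '\\2a' is a literal asterisk.  Matching
    is case-insensitive, as it is for sAMAccountName in Active Directory."""
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.DOTALL | re.IGNORECASE) is not None

def _parse(s: str, i: int):
    """Parse one parenthesized filter at s[i]; supports (&...), (|...) and
    (attr=value).  Returns (node, index_after_filter)."""
    if s[i] != "(":
        raise ValueError("filter must start with '(' at %d: %r" % (i, s))
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def _eval(node, attrs) -> bool:
    if node[0] == "&":
        return all(_eval(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, attrs) for k in node[1])
    _, attr, pattern = node
    return any(_match_value(pattern, v) for v in attrs.get(attr, []))

def search(directory, base: str, filter_str: str):
    """Return the DNs under `base` whose attributes satisfy the filter."""
    node, _ = _parse(filter_str, 0)
    return [dn for dn, (_, attrs) in directory.items()
            if dn.lower().endswith(base.lower()) and _eval(node, attrs)]

def bind(directory, dn: str, password: str) -> bool:
    """Simple-bind stand-in: the DN must exist and the password must match."""
    entry = directory.get(dn)
    return entry is not None and entry[0] == password

def search_and_bind(directory, base, template, username, password,
                    admin_dn=None, admin_pw=None, escape=True):
    """1) bind as the Search(Admin) DN (anonymous bind if none is given),
    2) search for exactly one entry matching the filter, 3) bind as that entry
    with the user's password.  Returns (ok, detail)."""
    if admin_dn is not None and not bind(directory, admin_dn, admin_pw):
        return False, "search bind failed"
    flt = build_search_filter(template, username, escape)
    hits = search(directory, base, flt)
    if len(hits) != 1:
        return False, "expected one entry, found %d for %s" % (len(hits), flt)
    if not bind(directory, hits[0], password):
        return False, "user bind failed"
    return True, hits[0]
```

With escaping off, a login name of j* matches both jdoe and jroe and the search returns two entries, which the code refuses, and a name of * would match every entry under the base. With escaping on, the same input becomes (sAMAccountName=j\2a), a literal that matches nothing, so the login fails cleanly.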

Active Directory Single Sign-On (SSO)


See Chapter 8, “Configuring Active Directory Single Sign-On (AD SSO).” for complete details.

Windows NetBIOS SSO

Note The Windows NetBIOS SSO authentication feature is deprecated. Cisco recommends AD SSO instead; see
Configuring Active Directory Single Sign-On (AD SSO), page 8-1.

In Windows NetBIOS SSO authentication (formerly known as "Transparent Windows"), the CAS sniffs the
relevant Windows login packets exchanged between the end-user machine and the domain controller to
determine whether the user logged in successfully. If Windows NetBIOS SSO authentication is enabled and
the CAS detects a successful login, the user is logged into the Cisco NAC Appliance system without having
to log in explicitly through the web login page or the Clean Access Agent.
With Windows NetBIOS SSO, only authentication is performed; posture assessment, quarantining and
remediation do not apply. The user only needs to press Ctrl-Alt-Del and log in to Windows.

Note For Windows NetBIOS SSO login, the CAM does not need to be on the same subnet as the domain
controller. The list of Windows NetBIOS SSO domain controllers is published from the CAM.

Implementing Windows NetBIOS SSO


Implementing Windows NetBIOS SSO login involves the following steps:
1. Add a Windows NetBIOS SSO auth server through User Management > Auth Servers > New
Server (see Add Windows NetBIOS SSO Auth Server, page 7-11).
2. From Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows
Auth > NetBIOS SSO:

a. Click the option for Enable Transparent Windows Single Sign-On with NetBIOS on the
specific CAS and click Update.
b. Enter each Windows Domain Controller IP and click Add Server.
See section “Enable Windows NetBIOS SSO” of the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide for details.
3. Add IP traffic control policies for the Unauthenticated role to allow users on the untrusted side
access to the domain controllers on the trusted network. Typical policies allow TCP and UDP traffic to
each controller (its IP address with a 255.255.255.255 mask) on ports 88 (Kerberos), 135 (DCE endpoint
resolution), 139 (netbios-ssn), 389 (LDAP) and 445 (smb-tcp). See Chapter 9, "User Management: Traffic
Control, Bandwidth, Schedule."

Note Because the CAS authenticates the user by sniffing Windows logon packets on the network, it cannot
authenticate a user whose machine sends no such traffic (for example, one that authenticates from cached
credentials). To cause login traffic to be generated, you can use a login script that connects network
shares or shared printers. You can also log in as a different user on the same machine to make it
communicate with the domain controller (a different user's credentials are typically not cached).

Add Windows NetBIOS SSO Auth Server

1. Go to User Management > Auth Servers > New Server.


2. From the Authentication Type dropdown menu, choose Windows NetBIOS SSO.

Figure 7-7 Add Windows NetBIOS SSO Auth Server

3. Provider Name—The Provider Name value defaults to ntlm.


4. Domain Name—The domain name for your Windows NT realm, such as cisco.com.
5. Default Role—Choose the user role assigned to users authenticated by this provider. This default
role is used if not overridden by a role assignment based on MAC address or IP address.
6. Description—Enter an optional description of this auth server for reference.
7. Click Add Server.

Cisco VPN SSO

Note Cisco NAC Appliance supports Single Sign-On (SSO) for the following:
• Cisco VPN Concentrators
• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco Airespace Wireless LAN Controllers
• Cisco SSL VPN Client (Full Tunnel)
• Cisco VPN Client (IPSec)

Cisco NAC Appliance provides integration with Cisco VPN concentrators and can enable SSO capability
for VPN users, using RADIUS Accounting information. The Clean Access Server can acquire the client's
IP address from either Framed_IP_address or Calling_Station_ID RADIUS attributes for SSO purposes.
• Single Sign-On (SSO) for Cisco VPN concentrator users—VPN users do not need to login to the
web browser or the Clean Access Agent because the RADIUS accounting information sent to the
CAS/CAM by the VPN concentrator provides the user ID and IP address of users logging into the
VPN concentrator (RADIUS Accounting Start Message).
• Single Sign-On (SSO) for Cisco Airespace Wireless LAN Controller users—For SSO to work, the
Cisco Airespace Wireless LAN Controller must send the Calling_Station_ID attribute as the client's
IP address (as opposed to the Framed_IP_address attribute that the VPN concentrator uses).
• Accurate Session Timeout/Expiry—Due to the use of RADIUS accounting, the VPN concentrator
informs the Clean Access Server exactly when the user has logged out (RADIUS Accounting Stop
Message). See OOB (L2) and Multihop (L3) Sessions, page 9-16 for additional details.

Add Cisco VPN SSO Auth Server

To enable SSO for Cisco VPN concentrator users, add a Cisco VPN SSO auth server:
1. Go to User Management > Auth Servers > New.
2. From the Authentication Type dropdown menu, choose Cisco VPN SSO.

Figure 7-8 Add Cisco VPN Auth Server

3. Provider Name — The Provider Name value defaults to CiscoVPN.


4. Default Role — Choose the user role assigned to users authenticated by the Cisco VPN
concentrator. This default role is used if not overridden by a role assignment based on MAC address
or IP address, or if RADIUS mapping rules do not result in a successful match.
5. Description —Enter an optional description of the Cisco VPN concentrator for reference.
6. Click Add Server.
Make sure you have completed configuration under Device Management > CCA Servers > List of
Servers > Manage [CAS_IP] > Authentication > VPN Auth. For complete details on configuring the
Clean Access Server for VPN concentrators, see the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide.

Allow All
The Allow All option is a special authentication type intended as an alternative to the Guest Access
login button feature. It lets users type any credential to log in (e.g. an email address as the user name
and/or password) but does not validate the credentials. Use it when you want to capture only very limited
information about who is logging in (such as a list of email addresses); because nothing is verified,
treat that identifier as self-reported. The identifier the user submits in the login page appears as the
User Name in the Online Users page while the user is logged in. In this case, also modify the Username
Label on the login page to reflect the type of value you want users to enter as a credential.
See Guest User Access, page 5-16 for additional details.

Note The AllowAll auth type can be applied to users other than “guest.” Any normal login role (e.g. one
configured for posture assessment) can be specified as the Default Role for the AllowAll auth type.

1. Go to User Management > Auth Servers > New.


2. From the Authentication Type dropdown menu, choose Allow All.

Figure 7-9 Allow All Auth Server Type

3. Provider Name — Type a unique name for this authentication provider. Enter a meaningful or
recognizable name if web login users will be able to select providers from the web login page.

4. Default Role — Choose the user role assigned to users authenticated by this provider. This default
role is used if not overridden by a role assignment based on MAC address or IP address.
5. Description —Enter an optional description of this auth server for reference.
6. Click Add Server.

Configuring Authentication Cache Timeout (Optional)


For performance reasons, the Clean Access Manager caches the result of each user authentication for
2 minutes by default. The Authentication Cache Timeout control on the Auth Server list page lets
administrators configure the number of seconds an authentication result is cached in the CAM. When a user
account is removed from the authentication server (LDAP, RADIUS, etc.), a cached result can still let that
user log into CCA again until it expires; lowering the Authentication Cache Timeout narrows that window.
1. Go to User Management > Auth Servers > Auth Servers > List.

Figure 7-10 List Auth Servers

2. Type the number of seconds you want user authentication results to be cached in the CAM. The
default is 120 seconds; the minimum is 1 second and the maximum is 86400 seconds.
3. Click Update.

Authenticating Against Backend Active Directory


Several types of authentication providers in the Clean Access Manager can be used to authenticate users
against an Active Directory server, Microsoft's proprietary directory service. These include Windows
NT (NTLM), Kerberos, and LDAP (preferred).
If using LDAP to connect to AD, the Search(Admin) Full DN (distinguished name) must be the DN of an AD
user account; its first CN (common name) component names an AD user, and that user needs only read
privileges on the directory.

Note The search filter, “sAMAccountName,” is the user login name in the default AD schema.

AD/LDAP Configuration Example


The following illustrates a sample configuration using LDAP to communicate with the backend Active
Directory:
1. Create a user for the CAM to search with in Active Directory Users and Computers and place it in the
Users folder. The account only needs read access to the directory, so it does not need to be a Domain
Admin; its password is stored on the CAM as the Search(Admin) Password, so keep its rights minimal.
2. Within Active Directory Users and Computers, select Find from the Actions menu. Make sure that
your results show the Group Membership column for the created user. Your search results should
show the user and the associated Group Membership within Active Directory. This is the information
you will need to transfer into the Clean Access Manager.

Figure 7-11 Find Group Membership within Active Directory

3. From the Clean Access Manager web console, go to the User Management > Auth Servers > New
Server form.
4. Choose LDAP as the Server Type.
5. For the Search(Admin) Full DN and Search Base Context fields, input the results from the Find
within Active Directory Users and Computers.

Figure 7-12 Example New LDAP Server for AD

6. The following fields are all that is necessary to properly set up this auth server within the CAM:
a. Server URL: ldap://192.168.137.10:389 (the domain controller IP address and LDAP listening port)
b. Search(Admin) Full DN: CN=sheldon muir, CN=Users, DC=domainname, DC=com
c. Search Base Context: DC=domainname, DC=com
d. Default Role: Select the default role a user is put into once authenticated.
e. Description: Used only for reference.
f. Provider Name: The name of the LDAP server, used for User Page setup on the CAM.
g. Search(Admin) Password: sheldon muir's domain password
h. Search Filter: sAMAccountName=$user$
7. Click Add Server.
8. At this point, an authentication test using the Auth Test feature should work (see Auth Test, page
7-25).

Note You can also use an LDAP browser (e.g. http://www.tucows.com/preview/242937) to validate your
search credentials first.

Map Users to Roles Using Attributes or VLAN IDs


The Mapping Rules forms can be used to map users into user role(s) based on the following parameters:
• The VLAN ID of user traffic originating from the untrusted side of the CAS (all auth server types)
• Authentication attributes passed from LDAP and RADIUS auth servers (and RADIUS attributes
passed from Cisco VPN Concentrators)
For example, if you have two sets of users on the same IP subnet but with different network access
privileges (e.g. wireless employees, and students), you can use an attribute from an LDAP server to map
one set of users into a particular user role. You can then create traffic policies to allow network access
to one role and deny network access to other roles. (See Chapter 9, “User Management: Traffic Control,
Bandwidth, Schedule” for details on traffic policies.)
Cisco NAC Appliance performs the mapping sequence as shown in Figure 7-13.

Figure 7-13 Mapping Rules (flowchart: user enters credentials -> valid credentials? -> mapping rules
configured? -> match rules and assign role; if no mapping rules are configured or none match, assign the
default role for the auth server)

Note For an overview of how mapping rules fit into the scheme of user roles, see Figure 6-1 Normal Login
User Roles, page 6-2.

Cisco NAC Appliance allows the administrator to specify complex boolean expressions when defining
mapping rules for Kerberos, LDAP and RADIUS authentication servers. Mapping rules are broken down
into conditions and you can use boolean expressions to combine multiple user attributes and multiple
VLAN IDs to map users into user roles. Mapping rules can be created for a range of VLAN IDs, and
attribute matches can be made case-insensitive. This allows multiple conditions to be flexibly configured
for a mapping rule.
A mapping rule comprises an auth provider type, a rule expression, and the user role into which to map
the user. The rule expression comprises one or a combination of conditions the user parameters must
match to be mapped into the specified user role. A condition is comprised of a condition type, a source
attribute name, an operator, and the attribute value against which the particular attribute is matched.
To create a mapping rule you first add (save) conditions to configure a rule expression, then once a rule
expression is created, you can add the mapping rule to the auth server for the specified user role.
Mapping rules can be cascading. If a source has more than one mapping rule, the rules are evaluated in
the order in which they appear in the mapping rules list. The role for the first positive mapping rule is
used. Once a rule is met, other rules are not tested. If no rule is true, the default role for that
authentication source is used.

Configure Mapping Rule


1. Go to User Management > Auth Servers > Mapping Rules and click the Add Mapping Rule link
for the authentication server.
2. Or, click the Mapping button for the auth server under User Management > Auth Servers >
List of Servers (Figure 7-14), then click the Add Mapping Rule link for the auth server
(Figure 7-15).

Figure 7-14 List of Auth Servers

Figure 7-15 Mapping for Cisco VPN Auth Type

3. The Add Mapping Rule form appears.

Figure 7-16 Example Add Mapping Rule (Cisco VPN)

Configure Conditions for Mapping Rule (A)


• Provider Name—The Provider Name sets the fields of the Mapping Rules form for that
authentication server type. For example, the form only allows VLAN ID mapping rule configuration
for Kerberos, Windows NT, Windows NetBIOS SSO, and S/Ident auth server types. The form allows
VLAN ID or Attribute mapping rule configuration for RADIUS, LDAP, and Cisco VPN SSO auth
types.
• Condition Type—Configure and add conditions first (step A in Figure 7-16) before adding the
mapping rule. Choose one of the following from the dropdown menu to set the fields of the
Condition form:
Attribute—For LDAP, RADIUS, Cisco VPN SSO auth providers only.
VLAN ID—All auth server types.
Compound—This condition type appears only after at least one condition statement has been
added to the mapping rule (see Figure 7-20 on page 7-22). It combines existing conditions with
the boolean operators AND, OR and NOT: instead of testing an attribute against a value, you
choose two existing conditions, which become the Left and Right Operands of the compound
statement. Attribute conditions can be combined with each other or with VLAN ID conditions
(VLAN ID conditions themselves use the operators equals, not equals and belongs to).
4. Attribute Name—
For a condition type of VLAN ID (Figure 7-17), this field is called Property Name and is populated
by default with “VLAN ID” (and disabled for editing).
For LDAP servers (Figure 7-18), Attribute Name is a text field into which you type the source
attribute you want to test. The name must be identical (case-sensitive) to the name of the attribute
passed by the authentication source, unless you choose the equals ignore case operator to create the
condition.
For Cisco VPN servers, Attribute Name is a dropdown menu (Figure 7-21) with the following
options: Class, Framed_IP_Address, NAS_IP_Address, NAS_Port, NAS_Port_Type, User_Name,
Tunnel_Client_Endpoint, Service_Type, Framed_Protocol, Acct_Authentic

5. For RADIUS servers (Figure 7-19), the Condition fields are populated differently:
Vendor—Choose Standard, Cisco, Microsoft, or WISPr (Wireless Internet Service Provider
roaming) from the dropdown menu.
Attribute Name—Choose from the set of attributes for each Vendor from the dropdown menu.
For example, Standard has 253 attributes (Figure 7-22), Cisco has 30 attributes (Figure 7-23),
Microsoft has 32 attributes (Figure 7-24), and WISPr has 11 attributes (Figure 7-25).

Note For RADIUS servers, only attributes returned in the “access-accept” packet are used for
mapping.

Data Type— (Optional) You can optionally specify Integer or String according to the value
passed by the Attribute Name. If no data type is specified, Default is used.
6. Attribute Value—Type the value to be tested against the source Attribute Name.
7. Operator (Attribute) — Choose the operator that defines the test of the source attribute string.
equals – True if the value of the Attribute Name matches the Attribute Value.
not equals – True if the value of the Attribute Name does not match the Attribute Value.
contains– True if the value of the Attribute Name contains the Attribute Value.
starts with – True if the value of the Attribute Name begins with the Attribute Value.
ends with – True if the value of the Attribute Name ends with the Attribute Value.
equals ignore case– True if the value of the Attribute Name matches the Attribute Value
string, regardless of whether the string is uppercase or lowercase.
8. Operator (VLAN ID) — If you choose VLAN ID as the Condition Type, choose one of the
following operators to define a condition that tests against VLAN ID integers.
equals – True if the VLAN ID matches the VLAN ID in the Property Value field.
not equals – True if the VLAN ID does not match the VLAN ID in the Property Value field.
belongs to – True if the VLAN ID falls within the set of values configured in the Property
Value field. The value is one or more comma-separated VLAN IDs; ranges are written low-high
with a hyphen (-), for example [2,5,7,100-128]. Only integers can be entered, not strings, and
the brackets are optional.

Note For the Cisco VPN SSO type, VLAN IDs may not be available for mapping if there are multiple
hops between the CAS and the VPN concentrator.

9. Add Condition (Save Condition)— Make sure to configure the condition, then click Add
Condition to add the condition to the rule expression (otherwise your configuration is not saved).

Add Mapping Rule to Role (B)


Add the mapping rule (step B in Figure 7-16) after you have configured and added the condition(s).
10. Role Name — After you have added at least one condition, choose the user role to which you will
apply the mapping from the dropdown menu.
11. Priority—Select a priority from the dropdown to determine the order in which mapping rules are
tested. The first rule that evaluates to true is used to assign the user a role.

12. Rule Expression— To aid in configuring conditional statements for the mapping rule, this field
displays the contents of the last Condition to be added. After adding the condition(s), you must click
Add Mapping Rule to save all the conditions to the rule.
13. Description— An optional description of the mapping rule.
14. Add Mapping (Save Mapping) — Click this button when done adding conditions to create the
mapping rule for the role. You have to Add or Save the mapping for a specified role, or your
configuration and your conditions will not be saved.
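To make the rule semantics above concrete, here is an added Python model of condition and mapping-rule evaluation. It is example code written for this guide, not CAM code; the attribute name, group DN, VLAN ranges and roles in the sample are constructed. It implements every attribute and VLAN ID operator listed above (including the optional brackets and low-high ranges of belongs to), compound AND/OR/NOT over previously saved conditions, priority order with the first true rule winning, and the fall-back to the provider's default role, including the Cisco VPN SSO case where no VLAN ID is available.

```python
"""Model of CAM mapping-rule evaluation (added example, not CAM code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_vlan_set(spec: str) -> set:
    """Parse a 'belongs to' value such as '[2,5,7,100-128]' into a set of ints.
    Brackets are optional; only integers and low-high ranges are accepted."""
    vlans = set()
    for part in spec.strip().strip("[]").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed VLAN range: {part}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


_ATTR_OPS = {
    "equals": lambda a, v: a == v,
    "not equals": lambda a, v: a != v,
    "contains": lambda a, v: v in a,
    "starts with": lambda a, v: a.startswith(v),
    "ends with": lambda a, v: a.endswith(v),
    "equals ignore case": lambda a, v: a.lower() == v.lower(),
}


@dataclass
class Condition:
    kind: str                  # "attribute", "vlan" or "compound"
    operator: str              # an _ATTR_OPS key, a VLAN operator, or AND/OR/NOT
    name: str = ""             # source attribute name (attribute conditions)
    value: str = ""            # attribute value, or VLAN ID / VLAN ID list
    left: Optional["Condition"] = None    # compound operands: conditions
    right: Optional["Condition"] = None   # that were saved earlier

    def evaluate(self, attrs: Dict[str, str], vlan_id: Optional[int]) -> bool:
        if self.kind == "vlan":
            if vlan_id is None:   # e.g. VPN SSO with multiple hops to the CAS
                return False
            if self.operator == "equals":
                return vlan_id == int(self.value)
            if self.operator == "not equals":
                return vlan_id != int(self.value)
            if self.operator == "belongs to":
                return vlan_id in parse_vlan_set(self.value)
            raise ValueError(f"unknown VLAN operator {self.operator!r}")
        if self.kind == "attribute":
            # Attribute names are matched case-sensitively unless the operator
            # is 'equals ignore case'.
            if self.operator == "equals ignore case":
                found = [v for k, v in attrs.items() if k.lower() == self.name.lower()]
                actual = found[0] if found else None
            else:
                actual = attrs.get(self.name)
            return actual is not None and _ATTR_OPS[self.operator](actual, self.value)
        if self.kind == "compound":
            lhs = self.left.evaluate(attrs, vlan_id)
            if self.operator == "NOT":
                return not lhs
            rhs = self.right.evaluate(attrs, vlan_id)
            return (lhs and rhs) if self.operator == "AND" else (lhs or rhs)
        raise ValueError(f"unknown condition type {self.kind!r}")


@dataclass
class MappingRule:
    priority: int        # lower number is tested first
    role: str            # role assigned when the rule expression is true
    expression: Condition


def assign_role(rules: List[MappingRule], default_role: str,
                attrs: Dict[str, str], vlan_id: Optional[int] = None) -> str:
    """Cascading evaluation: the first rule that is true wins, else the default role."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.expression.evaluate(attrs, vlan_id):
            return rule.role
    return default_role


# Constructed sample for an LDAP provider: staff on the campus wireless VLANs
# are mapped to "employee", anyone else on those VLANs to "student".
STAFF_GROUP = "CN=Staff,OU=Groups,DC=domainname,DC=com"
IS_STAFF = Condition("attribute", "contains", name="memberOf", value=STAFF_GROUP)
ON_CAMPUS_VLAN = Condition("vlan", "belongs to", value="[10-20,30]")
RULES = [
    MappingRule(1, "employee", Condition("compound", "AND", left=IS_STAFF, right=ON_CAMPUS_VLAN)),
    MappingRule(2, "student", ON_CAMPUS_VLAN),
]
```

A user whose memberOf contains the staff group on VLAN 12 gets employee; a non-staff user on VLAN 30 gets student; a staff user on VLAN 25, or one for whom no VLAN ID is available, falls through to the provider's default role, which is what the CAM does when no mapping rule is true.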

Figure 7-17 Example Add VLAN ID Mapping Rule

Figure 7-18 Example Add LDAP Mapping Rule (Attribute)

Figure 7-19 Example Add RADIUS Mapping Rule (Attribute)


Figure 7-20 Example Compound Condition Mapping Rules

Editing Mapping Rules


Priority—To change the priority of a mapping rule later, click the up/down arrow next to the entry in
the User Management > Auth Servers > List of Servers. The priority determines the order in which
the rules are tested. The first rule that evaluates to true is used to assign the user to a role.
Edit—Click the Edit button next to the rule to modify the mapping rule, or delete conditions from the
rule. Note that when editing a compound condition, the conditions below it (created later) are not
displayed. This is to avoid loops.
Delete—Click the delete button next to the Mapping Rule entry for an auth server to delete that
individual mapping rule. Click the delete button next to a condition on the Edit mapping rule form to
remove that condition from the Mapping Rule. Note that you cannot remove a condition that is dependent
on another rule in a compound statement. To delete an individual condition, you have to delete the
compound condition first.

Figure 7-21 CiscoVPN—Standard Attribute Names

Figure 7-22 RADIUS—Standard Attribute Names

Figure 7-23 RADIUS—Cisco Attribute Names

Figure 7-24 RADIUS—Microsoft Attribute Names

Figure 7-25 RADIUS—WISPr (Wireless Internet Service Provider roaming) Attribute Names

Auth Test
The Auth Test tab is intended to allow you to test Kerberos, RADIUS, Windows NT, and LDAP
authentication providers you configured against actual user credentials, and will list the role assigned to
the user. Error messages are provided to assist in debugging authentication sources, particularly LDAP
and RADIUS servers.

Tip When creating or making changes to an existing authentication provider, create a new Auth Server entry
that points to the staging or development setup. You can then use Auth Test to test the setup prior to
production deployment.

Note You cannot use Auth Test to test SSO. A client machine is needed to test SSO.

To test authentication:
1. From User Management > Auth Servers > Auth Test tab, select the provider against which you
want to test credentials in the Provider list. If the provider does not appear, make sure it is correctly
configured in the List of Servers tab.
2. Type the username and password for the user and if needed a VLAN ID value.
3. Click Authenticate. The test results appear at the bottom of the page.

Figure 7-26 Auth Test

Authentication Successful
For any provider type, the Result “Authentication successful” and Role of the user are displayed when
the auth test succeeds.
For LDAP/RADIUS servers, when authentication is successful and mapping rules are configured, the
attributes/values specified in the mapping rule are also displayed if the auth server (LDAP/RADIUS)
returns those values. For example:
Result: Authentication successful
Role: <role name>
Attributes for Mapping:
<Attribute Name>=<Attribute value>

Authentication Failed
When authentication fails, a Message is displayed along with the "Authentication failed" result. Table 7-1
lists some example authentication test failure messages.
Table 7-1 Example "Authentication Failed" Results

Message: Invalid User Credential
    Correct user name, incorrect password.
Message: Unable to find the full DN for user <User Name>
    Correct password, incorrect user name (LDAP provider).
Message: Client Receive Exception: Packet Receive Failed (Receive timed out)
    Correct password, incorrect user name (RADIUS provider). A RADIUS server also silently discards
    requests whose shared secret does not match, which produces the same timeout.
Message: Invalid Admin(Search) Credential
    Correct user name and password, but an incorrect value in the Search(Admin) Full DN field of the
    auth provider (e.g. an incorrect CN configured for the LDAP server).
Message: Naming Error (x.x.x.x: x)
    Correct user name and password, but an incorrect value in the Server URL field of the auth
    provider (e.g. an incorrect port or URL configured for LDAP).

Note The Auth Test feature does not apply to S/Ident, Windows NetBIOS SSO, and Cisco VPN SSO
authentication provider types.
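The LDAP provider fields described under Adding an Authentication Provider and the failure messages in Table 7-1 both follow from the same two-step sequence: the CAM binds with the Search(Admin) credentials, searches under the Search Base Context with the Search Filter to find the user's full DN, then binds as that DN with the user's password. Below is an added Python model of that sequence. It is example code written for this guide, not CAM code: the in-memory DIRECTORY, the bind and search stand-ins, the accounts and passwords are constructed, and the match-on-URL check is a stand-in for a real connection failure. It also shows how the $user$ token should be substituted with RFC 4515 escaping so that a login name such as * cannot turn the filter into a wildcard; the guide does not state how the CAM itself escapes the token, so verify that with Auth Test rather than assuming it.

```python
"""Toy model of the CAM's two-step LDAP authentication (added example, not CAM code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

DIRECTORY_URL = "ldap://192.168.137.10:389"   # where the toy directory "listens"

# DN -> (password, attributes). Constructed sample data.
DIRECTORY: Dict[str, Tuple[str, Dict[str, str]]] = {
    "CN=sheldon muir,CN=Users,DC=domainname,DC=com":
        ("search-account-pw", {"sAMAccountName": "sheldon muir"}),
    "CN=jane doe,CN=Users,DC=domainname,DC=com":
        ("jane-pw", {"sAMAccountName": "jdoe",
                     "memberOf": "CN=Staff,OU=Groups,DC=domainname,DC=com"}),
}


@dataclass
class LdapAuthServer:
    server_url: str
    search_dn: str          # Search(Admin) Full DN
    search_password: str    # Search(Admin) Password
    base_dn: str            # Search Base Context
    search_filter: str      # Search Filter, e.g. "sAMAccountName=$user$"
    default_role: str


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Substitute $user$ so the login name is matched literally, never as filter syntax."""
    return template.replace("$user$", escape_filter_value(username))


def _value_regex(value: str) -> "re.Pattern":
    """Server-side matching rule: an unescaped '*' is a wildcard, '\\xx' a literal octet."""
    pieces = []
    for token in re.split(r"(\\[0-9a-fA-F]{2}|\*)", value):
        if token == "*":
            pieces.append(".*")
        elif len(token) == 3 and token.startswith("\\"):
            pieces.append(re.escape(bytes.fromhex(token[1:]).decode("latin-1")))
        else:
            pieces.append(re.escape(token))
    return re.compile("^" + "".join(pieces) + "$", re.DOTALL)


def bind(dn: str, password: str) -> bool:
    """Simple bind against the toy directory."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password


def search(base_dn: str, ldap_filter: str) -> List[str]:
    """Equality filter 'attr=value' evaluated under base_dn; returns matching DNs."""
    attr, _, value = ldap_filter.strip("()").partition("=")
    pattern = _value_regex(value)
    return [dn for dn, (_, attrs) in DIRECTORY.items()
            if dn.endswith(base_dn) and attr in attrs and pattern.match(attrs[attr])]


def authenticate(server: LdapAuthServer, username: str, password: str) -> Dict[str, object]:
    """Search-bind, find the full DN, user-bind; messages as in Table 7-1."""
    failed = "Authentication failed"
    if server.server_url != DIRECTORY_URL:
        return {"result": failed, "message": f"Naming Error ({server.server_url})"}
    if not bind(server.search_dn, server.search_password):
        return {"result": failed, "message": "Invalid Admin(Search) Credential"}
    matches = search(server.base_dn, build_filter(server.search_filter, username))
    if len(matches) != 1:
        return {"result": failed, "message": f"Unable to find the full DN for user {username}"}
    if not bind(matches[0], password):
        return {"result": failed, "message": "Invalid User Credential"}
    return {"result": "Authentication successful", "role": server.default_role,
            "attributes": DIRECTORY[matches[0]][1]}


SERVER = LdapAuthServer(DIRECTORY_URL, "CN=sheldon muir,CN=Users,DC=domainname,DC=com",
                        "search-account-pw", "DC=domainname,DC=com",
                        "sAMAccountName=$user$", "employee")
```

With the escaped substitution, a login name of * yields the filter sAMAccountName=\2a and "Unable to find the full DN"; the same name pasted in unescaped would be the wildcard filter sAMAccountName=* and match every account under the base, which is why the substitution matters.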

RADIUS Accounting
The Clean Access Manager can be configured to send accounting messages to a RADIUS accounting
server. The CAM sends a Start accounting message when a user logs into the network and sends a Stop
accounting message when the user logs out of the system (or is logged out or timed out). This allows for
the accounting of user time and other attributes on the network.
You can also customize the data to be sent in accounting packets for login events, logout events, or shared
events (login and logout events).

Enable RADIUS Accounting


1. Go to User Management > Auth Servers > Accounting > Server Config

Figure 7-27 RADIUS Accounting Server Config Page

2. Select Enable RADIUS Accounting to enable the Clean Access Manager to send accounting
information to the named RADIUS accounting server.
3. Enter values for the following form fields:
Server Name – The fully qualified host name (e.g. auth.cisco.com) or IP address of the
RADIUS accounting server.
Server Port – The port number on which the RADIUS accounting server is listening. The Server Name
and Server Port are used to direct accounting traffic to the accounting server.
Timeout(sec) – The number of seconds to keep retransmitting a packet that received no response.
Shared Secret—The shared secret used to authenticate the Clean Access Manager accounting
client to the specified RADIUS accounting server.
NAS-Identifier – The NAS-Identifier value to be sent with all RADIUS accounting packets.
Either a NAS-Identifier or a NAS-IP-Address must be specified to send the packets.
NAS-IP-Address – The NAS-IP-Address value to be sent with all RADIUS accounting packets.
Either a NAS-IP-Address or a NAS-Identifier must be specified to send the packets.

NAS-Port – The NAS-Port value to be sent with all RADIUS accounting packets.
NAS-Port-Type –The NAS-Port-Type value to be sent with all RADIUS accounting packets.
Enable Failover – This enables sending a second accounting packet to a RADIUS failover peer
IP if the primary RADIUS accounting server’s response times out.
Failover Peer IP – The IP address of the failover RADIUS accounting server.
4. Click Update to update the server configuration.

Restore Factory Default Settings


The Clean Access Manager can be restored to the factory default accounting configuration as follows:
1. Go to Administration > Backup to backup your database before restoring default settings.
2. Go to User Management > Auth Servers > Accounting > Server Config
3. Click the Reset Events to Factory Default button to remove the user configuration and replace it
with the Clean Access Manager default accounting configuration.
4. Click OK in the confirmation dialog that appears.

Add Data to Login, Logout or Shared Events


For greater control over the data that is sent in accounting packets, you can add or customize the
RADIUS accounting data that is sent for login events, logout events, or shared events (data sent for both
login and logout events).

Data Fields
The following data fields apply to all events (login, logout, shared):
• Current Time (Unix Seconds)—The time the event occurred
• Login Time (Unix Seconds)—The time the user logged on.
• CA Manager IP—IP address of the Clean Access Manager
• Current Time (DTF)— Current time in date time format (DTF)
• OS Name— Operating system of the user
• Vlan ID— VLAN ID with which the user session was created.
• User Role Description—Description of the user role of the user
• User Role Name—Name of the user role of the user
• User Role ID—Role ID that uniquely identifies the user role.
• CA Server IP— IP of the Clean Access Server the user logged into.
• CA Server Description— Description of the Clean Access Server the user logged into.
• CA Server Key— Key of the Clean Access Server.
• Provider Name— Authentication provider of the user
• Login Time (DTF)—Login time of the user in date time format (DTF)
• User MAC—MAC address of the user
• User IP—IP address of the user

• User Key—Key with which the user logged in.

Note For out-of-band users only, the User Key is the user's IP address.

• User Name—User account name

Logout Event Data Fields


The following four data fields apply to logout events only and are not sent for login or shared events:
• Logout Time (Unix Seconds)—Logout time of the user in Unix seconds
• Logout Time (DTF)—Logout time of the user in date time format
• Session Duration (Seconds)—Duration of the session in seconds
• Termination Reason—Output of the Acct_Terminate_Cause RADIUS attribute

Add New Entry (Login Event, Logout Event, Shared Event)


The following steps describe how to configure a RADIUS attribute with customized data for a shared
event. The same process applies to login and logout events.
1. Go to User Management > Auth Servers > Accounting.
2. Click the Shared Event (or Login Event, Logout Event) link to bring up the appropriate page.
3. Click the New Entry link at the right-hand side of the page to bring up the add form.

Figure 7-28 New Shared Event

4. From the Send RADIUS Attribute dropdown menu, choose a RADIUS attribute.
5. Click the Change Attribute button to update the RADIUS Attribute type. The type, such as
“String” or “Integer,” will display in this field.
6. Configure the type of data to send with the attribute. There are three options:


• Send static data—In this case, type the text to be added in the Add Text text box and click the
Add Text button. Every time a user logs in/logs out, the RADIUS attribute selected will be sent
with the static data entered.
• Send dynamic data—In this case, select one of the 18 dynamic data variables (or 22 for logout
events) from the dropdown menu and click the Add Data button. Every time a user logs in/logs
out, the dynamic data selected will be replaced with the appropriate value when sent.
• Send static and dynamic data—In this case, a combination of static and dynamic data is sent.
For example:
User: [User Name] logged in at: [Login Time DTF] from CA Server [CA Server Description]
See also Figure 7-29, Figure 7-30, and Figure 7-31 for additional details.
7. As data is added, the Data to send thus far: field displays all the data types selected to be sent with
the attribute, and the Sample of data to be sent: field illustrates how the data will appear.
8. Click Commit Changes to save your changes.
9. Click the Reset Element button to reset the form.
10. Click Undo Last Addition to remove the last entry added to the Data to send thus far: field.
Figure 7-29, Figure 7-30, and Figure 7-31 show examples of Login, Logout, and Shared events,
respectively.
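The following added example (not part of the Cisco guide) implements the static/dynamic data template from step 6 in Python: it checks that a template only uses the dynamic data fields available to the chosen event type (18 for login and shared events, 22 for logout events) and renders a constructed sample session into the string that would be sent in the attribute. Tokens use the field names from the lists above; the DTF format, the sample values, and deriving Session Duration as logout time minus login time are assumptions.

```python
# Added example, not part of the Cisco NAC Appliance guide: validate and render the
# static/dynamic data template configured for a RADIUS accounting attribute.
import re
import time

# The 18 dynamic data fields available to login, logout and shared events.
SHARED_FIELDS = (
    "Current Time (Unix Seconds)", "Login Time (Unix Seconds)", "CA Manager IP",
    "Current Time (DTF)", "OS Name", "Vlan ID", "User Role Description",
    "User Role Name", "User Role ID", "CA Server IP", "CA Server Description",
    "CA Server Key", "Provider Name", "Login Time (DTF)", "User MAC", "User IP",
    "User Key", "User Name",
)
# The 4 fields that exist for logout events only (18 + 4 = 22).
LOGOUT_ONLY_FIELDS = (
    "Logout Time (Unix Seconds)", "Logout Time (DTF)",
    "Session Duration (Seconds)", "Termination Reason",
)
# Dynamic data is written as [Field Name] inside the template.
TOKEN = re.compile(r"\[([^\]]+)\]")


def allowed_fields(event):
    """Dynamic fields that may appear in a template for the given event type."""
    if event not in ("login", "logout", "shared"):
        raise ValueError("event must be 'login', 'logout' or 'shared'")
    return SHARED_FIELDS + (LOGOUT_ONLY_FIELDS if event == "logout" else ())


def invalid_tokens(template, event):
    """Return the tokens in template that are not valid for this event type."""
    allowed = set(allowed_fields(event))
    return [t for t in TOKEN.findall(template) if t not in allowed]


def dtf(unix_seconds):
    """Date time format (DTF); the exact format is an assumption, UTC is used here."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(unix_seconds))


def render(template, event, session):
    """Substitute every [Field] token with the session value, as done at send time.
    session holds raw values keyed by field name; derived fields are computed here."""
    bad = invalid_tokens(template, event)
    if bad:
        raise ValueError(f"fields not available for {event} events: {bad}")
    values = dict(session)
    values["Login Time (DTF)"] = dtf(values["Login Time (Unix Seconds)"])
    values["Current Time (DTF)"] = dtf(values["Current Time (Unix Seconds)"])
    if event == "logout":
        values["Logout Time (DTF)"] = dtf(values["Logout Time (Unix Seconds)"])
        # Assumption: duration is logout time minus login time.
        values["Session Duration (Seconds)"] = (
            values["Logout Time (Unix Seconds)"] - values["Login Time (Unix Seconds)"])
    return TOKEN.sub(lambda m: str(values[m.group(1)]), template)


# Constructed sample session (all values are made up for this example).
SAMPLE_SESSION = {
    "Current Time (Unix Seconds)": 1165003600,
    "Login Time (Unix Seconds)": 1165000000,
    "Logout Time (Unix Seconds)": 1165003600,
    "CA Manager IP": "10.201.152.5", "CA Server IP": "10.201.152.20",
    "CA Server Description": "cas-sales", "CA Server Key": "cas-sales-key",
    "OS Name": "Windows XP", "Vlan ID": 120, "User Role Description": "Sales staff",
    "User Role Name": "sales", "User Role ID": 7, "Provider Name": "AD_SSO",
    "User MAC": "00:11:22:33:44:55", "User IP": "10.201.160.31",
    "User Key": "10.201.160.31",  # out-of-band user, so user key = IP address
    "User Name": "jdoe", "Termination Reason": "User-Request",
}
SHARED_TEMPLATE = ("User: [User Name] logged in at: [Login Time (DTF)] "
                   "from CA Server [CA Server Description]")

if __name__ == "__main__":
    print(render(SHARED_TEMPLATE, "shared", SAMPLE_SESSION))
```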

Figure 7-29 Login Events

Figure 7-30 Logout Events


Figure 7-31 Shared Events


Chapter 8 Configuring Active Directory Single Sign-On (AD SSO)

This chapter describes how to configure Active Directory (AD) Single Sign-On (SSO) for the Cisco NAC
Appliance. Topics include:
• AD SSO Overview, page 8-2
• AD SSO Configuration Step Summary, page 8-4
• Add Active Directory SSO Auth Server, page 8-6
• Configure Traffic Policies for Unauthenticated Role, page 8-7
• Configure AD SSO on the CAS, page 8-9
• Configure the AD Server and Run KTPass Command, page 8-12
• Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos), page 8-21
• Confirm AD SSO Service Is Started, page 8-22
• Enable GPO Updates, page 8-23
• Enabling a Login Script (Optional), page 8-24
• Add LDAP Lookup Server for Active Directory SSO (Optional), page 8-27
• Troubleshooting, page 8-30


AD SSO Overview
You can configure Cisco NAC Appliance to automatically authenticate Clean Access Agent users who
are already logged into a Windows domain. AD SSO allows users logging into AD on their Windows
systems to automatically go through posture assessment/Clean Access certification without ever having
to login through the Agent. Cisco NAC Appliance supports Windows Single Sign-On (SSO) on Windows
XP/2000 client machines and AD on Windows 2000/2003 servers, as shown in Table 8-1.
Table 8-1 Windows Active Directory SSO Support

Active Directory (AD) Servers:
• Windows 2000 Server SP4
• Windows 2003 Enterprise SP1
• Windows 2003 Enterprise R2
• Windows 2003 Standard SP1 (2)
Client Machines (1):
• Windows 2000 SP4
• Windows XP (Home/Pro) SP1, SP2 and later
1. AD SSO requires the Clean Access Agent to be installed on client systems (e.g. you cannot use a Linux Kerberos client for
AD SSO with CCA.)
2. Windows 2003 without SP1 is NOT supported.

Note You can configure AD SSO for all deployment types (L2/L3, in-band/out-of-band). For OOB, client ports
are put on the Auth VLAN first, prior to Windows domain authentication.

With AD SSO, Cisco NAC Appliance authenticates the user with Kerberos, but authorizes the user with
LDAP. Cisco NAC Appliance leverages the cached credentials/Kerberos ticket from the client machine
login and uses it to validate the user authentication with the backend Windows 2000/2003 server Active
Directory. After the user authentication is validated, authorization (role-mapping) is then performed as
a separate lookup in Active Directory using LDAP.

Note The administrator must be able to provide a “Search DN/ Password” that can be used to perform any
attribute lookup.

Windows SSO Process (Kerberos Ticket Exchange)


Windows SSO is the ability for CCA to automatically authenticate users already authenticated to a
backend Kerberos Domain Controller (Active Directory server). Figure 8-1 shows the general process
for Kerberos ticket exchange.


Figure 8-1 General Process for Kerberos Ticket Exchange

[Figure: the user logs in to gain network access; the Key Distribution Center (KDC) contains the
Authentication Service (AS) and the Ticket Granting Service (TGS); Network Services is the service the
client wants to reach.]
1. Client to AS: I am user Sam and need a Ticket to Get Tickets (TGT).
2. AS to client: Here is a TGT, if you can decrypt this response with your password hash.
3. Client to TGS: Here is my TGT, give me a Service Ticket.
4. TGS to client: Here is your Service Ticket.
5. Client to Network Services: Here is my Service Ticket, authenticate me.
6. Client/Server session.

When the Clean Access Server is configured for AD SSO, it essentially replaces the “Network Services”
component shown in Figure 8-1. The general sequence is as follows:
• The client and the CAS both have an account on the Active Directory server.
• The client logs onto Windows AD (or uses cached credentials).
• Credentials are sent to the AD. The AD authenticates the client and gives it a Ticket Granting Ticket
(TGT).
• The Clean Access Agent on the client asks the client for a Service Ticket (ST) for the CAS username
in order to communicate with the CAS:
  • The client requests a Service Ticket from the AD.
  • The AD gives the ST to the client, and the client gives this ST to the Agent.
  • The Agent is now able to communicate with the CAS.
• The CAS sends back packets and mutually authenticates the client.
• The CAS uses this information to sign the client onto Clean Access, and hence SSO authentication
takes place.
• For additional user role mapping (for Clean Access certification/posture assessment), an LDAP
lookup server with attribute mapping can be configured.

CAS Communication with AD Server


Figure 8-2 illustrates the general setup for Clean Access Server communication with the AD server for
Active Directory SSO.
The CAS reads user login traffic only to the AD servers under the root domain. As shown in Figure 8-2,
the sales domain (sales.name.domain.com) and the engineering domain (eng.name.domain.com) are
configured under different Clean Access Servers. Taking the sales domain as an example, the CAS user
only needs to be created and configured on the kdc1.sales.name.domain.com AD server. Users under


sales.name.domain.com can log into any AD server in the domain. In addition, the ktpass command
(described in Configure the AD Server and Run KTPass Command, page 8-12) only needs to be executed
on the kdc1.sales.name.domain.com server.

Figure 8-2 Configuring the CAS User Account on the AD Server

[Figure: name.domain.com is the root domain (superuser). It has two child domains, each with its own
Clean Access Server layer. sales.name.domain.com: AD domain server (domain controller) 10.201.152.11,
AD domain server kdc1.sales.name.domain.com (kdc3), users sales.user.01 ... sales.user.150.
eng.name.domain.com: AD domain server (domain controller) 10.201.152.12, AD domain server
kdc.eng.name.domain.com (kdc2), users eng.user.01 ... eng.user.100.]

AD SSO Configuration Step Summary


Administrators should start with a good understanding of their network layout with respect to their AD
servers prior to configuring Active Directory SSO.

Configuration Prerequisites
To configure Active Directory SSO, you will need to have the following:
• The number of AD servers (domain controllers) to be configured. Typically, the CAS will
correspond to one AD server.
• Ensure you obtain and install the most current version of ktpass.exe.
• The Windows 2000 or Windows 2003 server installation CD for the AD server. This is needed to
install support tools for the ktpass command. The ktpass command is required to be run only on the
AD server (domain controller) to which the CAS is logging in.


• The IP address of each AD server (to configure Unauthenticated role traffic policies). You will need
to allow traffic to the CAS for every AD server (domain controller) that is in charge of that domain.
For example, if users can log into multiple DCs in the domain, you should allow traffic to all the
multiple DCs for the Unauthenticated role.
• The FQDN of the Active Directory server that the CAS logs into (for CAS configuration).
• DNS server settings correctly configured on the CAS (under Device Management > CCA Servers
> Manage [CAS_IP] > Network > DNS) to resolve the FQDN for the AD server on the CAS.
• The date and time of the CAM, CAS and AD server must all be synchronized within 3 minutes of
each other. The time on the DC and the CAS must be synchronized to not more than 300 seconds
clock skew (Kerberos is sensitive to time).
• The Active Directory Domain Name in Kerberos format (Windows 2000 and above). This is needed
for both CAS configuration and CLI configuration of the AD server.

Note The host principal name in the ktpass command (i.e. “<AD_DomainServer>”) must exactly
match the case of the “Full computer name” of the AD server (under Control Panel > System
> Computer Name | Full computer name.) See Run ktpass.exe Command, page 8-17 for
details.

• Client systems must already have the Clean Access Agent installed.

Configuration Step Summary


Step 1 Add Active Directory SSO Auth Server
On the CAM, add a new auth server of type Active Directory SSO and specify a default role for users.
Step 2 Configure Traffic Policies for Unauthenticated Role
Open ports on the CAS to allow client authentication traffic to pass through the CAS to/from the Active
Directory server.
Step 3 Configure AD SSO on the CAS
From the CAS management pages, configure the Active Directory server settings, CAS user account
settings, and auth server settings for the CAS corresponding to the domain of the users.
Step 4 Configure the AD Server and Run KTPass Command
Add a CAS account on the Windows 2000/2003 AD server with which the CAS will communicate, and
configure encryption parameters to support the Linux operating system of the CAS.
Step 5 Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos)
Step 6 Confirm AD SSO Service Is Started
Step 7 Enable GPO Updates (New for 4.1.0.0+ Agent)
Step 8 Add LDAP Lookup Server for Active Directory SSO (Optional)
Optionally configure LDAP lookup servers to map users to multiple roles after authentication.


Add Active Directory SSO Auth Server


This step creates an AD SSO auth server on the CAM, and maps the AD server to a default role for users
and a secondary LDAP lookup server (if configured).
1. Go to User Management > Auth Servers > New.
2. From the Authentication Type dropdown menu, choose Active Directory SSO.

Figure 8-3 Active Directory SSO

3. Choose a Default Role from the dropdown menu. If no additional lookup is required to map users
to roles, all users performing authentication via Active Directory single sign-on will be assigned to
the default role. Posture assessment/Clean Access certification should be configured for this role.
4. Type a Provider Name that will identify the AD SSO auth server on the list of authentication
providers. Do not use spaces or special characters in the name.
5. You can leave the LDAP Lookup Server dropdown menu at the default NONE setting if you plan
to assign your users to one default role, and no additional lookup is required. If you plan on mapping
Windows domain SSO users to multiple roles, the CAM will need to perform a second-level lookup
using the LDAP Lookup server you configure as described in Add LDAP Lookup Server for Active
Directory SSO (Optional), page 8-27. In this case, select the LDAP Lookup server you have already
configured from the LDAP Lookup Server dropdown.
6. Click Add Server.

Note For AD SSO users, the Online Users and Certified Devices pages will display AD_SSO in the Provider
field and both the username and domain of the user (for example, [email protected].) in the
User/User Name field.

Note The Auth Test feature cannot be used to test SSO Auth providers (e.g. AD SSO or VPN SSO)


Configure Traffic Policies for Unauthenticated Role


A user in the domain logging into his/her Windows machine sends credentials to the root domain
controller to perform the first portion of Kerberos ticket exchange (as shown in Figure 8-1). Once the
machine receives a Service Ticket, the Agent uses it to validate the client authentication through the
CAS. Only when the CAS validates the authentication is the user allowed network access, and there is
no need for a separate user login through the Clean Access Agent.
As Figure 8-2 illustrates, the CAS is configured to read the login credentials of user machines as they
authenticate to the Active Directory server. Ports must be opened on the CAS to allow the authentication
traffic to pass through the CAS to/from the Active Directory server. The administrator can open either
TCP or UDP ports, depending on what the Active Directory server uses. Configure traffic policies for
the Unauthenticated role to allow these ports on the trusted-side IP address of the AD server.

Note This will allow the client to authenticate to the AD and for GPO and scripts to run.
Cisco recommends that you install Cisco Security Agent (CSA) on the AD/DMZ AD.

Required TCP Ports


If the Active Directory server is using Kerberos, the following TCP ports must be opened on the CAS.
• TCP 88 (Kerberos)
• TCP 135 (RPC)
• TCP 389 (LDAP) or TCP 636 (LDAP with SSL)
• TCP 1025 (RPC)–non-standard
• TCP 1026 (RPC)–non-standard

Alternative UDP Ports


If it is not known whether the Active Directory server is using Kerberos, you must open the following
UDP ports instead:
• UDP 88 (Kerberos)
• UDP 389 (LDAP) or UDP 636 (LDAP with SSL)

Note Typically, the LDAP protocol uses plain text when sending traffic on TCP/UDP port 389. If encryption
is required for LDAP communications, use TCP / UDP port 636 (LDAP with SSL encryption) instead.

To Add Policies for AD Server


1. Go to User Management > User Roles > List of Roles > Policies [Unauthenticated Role]. This
brings up the IP traffic policy form for the Unauthenticated Role.
2. With the direction dropdown set for Untrusted ->Trusted, click the Add Policy link. The Add Policy
form appears (Figure 8-4).


Figure 8-4 Configure Traffic Policy for CAS to AD Server

3. Leave the following fields at their defaults:
• Action: Allow
• State: Enabled
• Category: IP
• Protocol: TCP 6
• Untrusted (IP/Mask:Port): * / * / *
4. For Trusted (IP/Mask:Port), type:
• The IP address of the Active Directory server
• 255.255.255.255 as the subnet mask (for just the AD server)
• The ports (using commas to separate port numbers)
For example: 10.201.152.12 / 255.255.255.255 / 88,135,389,1025,1026

5. Type an optional Description.


6. Click Add Policy.

Note When testing, it is recommended to open complete access to the AD server/DC first, then restrict ports
as outlined above once AD SSO is working. When logging into the client PC, make sure to log into the
domain using Windows domain credentials (not Local Account).


Configure AD SSO on the CAS


This step configures the CAS corresponding to the domain of the users.
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows
Auth > Active Directory SSO.

Figure 8-5 Active Directory SSO

2. Do NOT click the checkbox for Enable Agent-Based Windows Single Sign-On with Active
Directory (Kerberos) yet. The service should only be enabled after you Configure the AD Server
and Run KTPass Command, page 8-12. You can configure the other fields of this page and click
Update as described below.

Note Until you perform the configuration on the AD server, the following message will appear:
Error: Could not start the SSO service. Please check the configuration.

3. For Active Directory Server (FQDN), type the fully qualified domain name of the AD server
(including domain name) for the domain. This field cannot be an IP address, and must exactly match,
character for character including case, the name of the DC as it appears under Control Panel >
System > Computer Name | Full computer name on the DC (see Figure 8-6).

Note If there are multiple AD servers (DCs) for the domain, you only need to choose one AD server.
Make sure to type the FQDN of the Active Directory server (not the IP address), for example:
cca-eng-test.cca-eng-domain.cisco.com

Note Make sure the CAS can resolve the name you type in the Active Directory Server (FQDN) field
via DNS. A DNS server must be correctly configured on the CAS (under Device Management
> CCA Servers > Manage [CAS_IP] > Network > DNS) so that the CAS can resolve the FQDN
for the AD server.


Figure 8-6 Control Panel > System > Computer Name | Full computer name

4. For Active Directory Port, leave the default of 88 for Kerberos.


5. For Active Directory Domain, type the name of the domain for the KDC/Active Directory server
in UPPER CASE (see Figure 8-6). The “Active Directory Domain” is equivalent to “Kerberos
Realm”. For example:
CCA-ENG-DOMAIN.CISCO.COM

6. For Account Name for CAS, type the name of the Clean Access Server user you have created on
the AD server, for example: casuser.
The CAS user account allows the CAS to log into the AD server.
7. For Account Password for CAS, type the password for the CAS user on the AD server.

Note The password is case sensitive. From the CAS side, there is no limitation on the number of
characters, and standard characters are allowed. Since this password is based on the mapping
created using the KTPASS command, observe any limitations from the Windows server side (e.g.
password policies).

Caution Do not use special characters, such as apostrophe/single quote, when creating the password for the CAS
account, as this can cause DHCP and even SSO to stop working on the CAS. Changing the password and
restarting the CAS will remedy this issue.

8. From the Active Directory SSO Auth Server dropdown, choose the Active Directory SSO Server
you configured on the CAM. This field maps the auth provider created on the CAM to the CAS
(along with the Default Role, and secondary LDAP Lookup server, if configured).
9. Click Update.


Note If the Active Directory server is not reachable from the CAS at the time of CAS startup, AD SSO service
is not started. If this occurs, the administrator must go to Device Management > CCA Servers >
Manage [CAS_IP] > Authentication > Windows Auth > Active Directory SSO and click the Update
button to restart the AD SSO service.


Configure the AD Server and Run KTPass Command


Both the GUI and CLI interfaces are used to configure the Active Directory server:
• Create the CAS User, page 8-12
• Install Support Tools, page 8-16
• Run ktpass.exe Command, page 8-17

Create the CAS User


1. Login as the administrator on the Active Directory server machine.
2. Open the Active Directory Management console from All Programs > Admin Tools > Active
Directory Users and Computers.
3. From the left-hand pane of the Active Directory Users and Computers window, navigate to the
domain for which you want to configure the CAS, for example, cca-eng-domain.cisco.com

Figure 8-7 Create New User on AD Server

4. Right-click the Users folder. In the menu that appears, select New > User (Figure 8-7)
5. In the first New Object - User dialog (Figure 8-8), configure the fields for the Clean Access Server
user as follows:
Type the name you want the CAS to use in the First name field, for example: casuser. This
automatically populates the Full name and User logon name fields. Note that the User logon
name must be one word. Make sure First name = Full name = User name for the user account.


Figure 8-8 Configure the CAS User

6. Click Next to bring up the second New Object - User dialog.


7. In the second New Object - User dialog (Figure 8-9), configure the following:
Type and retype the password for the CAS user in the Password and Confirm Password fields.
Make sure the Password never expires option is CHECKED.
Make sure the User must change password at next login option is UNCHECKED.

Caution Do not use special characters, such as apostrophe/single quote, when creating the password for the CAS
account, as this can cause DHCP and even SSO to stop working on the CAS. Changing the password and
restarting the CAS will remedy this issue.


Figure 8-9 Configure Password for CAS User

8. Click Next to bring up the confirmation New Object - User dialog (Figure 8-10).

Figure 8-10 Confirm CAS User Properties

9. Confirm the properties for the CAS user and click Finish to conclude, or click Back if you need to
make corrections.
10. The CAS user is successfully added to the AD domain (Figure 8-11).


Figure 8-11 CAS User is Added


Install Support Tools


The ktpass.exe tool is available as part of the Windows 2000/2003 Server support tools. Ktpass.exe is
not installed by default and must be retrieved from the installation CD.
1. Insert the Windows Server installation CD into the CD drive of the Active Directory server machine.
2. Browse to the \SUPPORT\TOOLS folder on the CD (Figure 8-11).
For Windows 2000 the support tools are at (CD)/SUPPORT/TOOLS/Setup.exe
For Windows 2003 the support tools are at (CD)/SUPPORT/TOOLS/Suptools.msi

Figure 8-12 Support Tools for Windows 2003 Server

3. Double-click and install the Support Tools executable or MSI file. By default, this will install the
support tools to C:\Program Files\Support Tools (Figure 8-13).

Figure 8-13 Support Tools —ktpass.exe

Note Do not double-click the ktpass.exe command; it must be run from a command tool.


Run ktpass.exe Command

Note To ensure successful ktpass operation, obtain and install the most current version of ktpass.exe.

The ktpass command must be run on every domain controller that a CAS is configured to log into, even
when multiple domain controllers are used by multiple CAS servers under a single domain. The CAS user
account (e.g. casuser) will be replicated, but the mapuser mapping will not. Therefore, the command must
be run on all DCs to which the CAS servers log in.
Linux supports DES (a widely used encryption type) but does not support the default encryption type of
Active Directory (RC4), which is specific to Microsoft. Because the Clean Access Server is a Linux
machine, the ktpass.exe command must be run to ensure that the CAS user uses DES instead of the
default encryption type, for compatibility when logging into AD.
See Table 8-1 on page 8-2, “Windows Active Directory SSO Support” for a list of the Windows server
versions supported.

Note When running ktpass.exe, it is very important to observe the following case sensitivity (see Figure 8-14):
• The computer name that is entered between “/” and “@” in the command (e.g. “AD_DomainServer”)
must exactly match, including case, the name of the AD server as it appears under Control Panel
> System > Computer Name | Full computer name on the AD server.
• The realm name that is entered after “@” (e.g. “AD_DOMAIN”) must always be in UPPER CASE.
You must convert the Domain name that appears under Control Panel > System > Computer Name
| Domain on the AD server to UPPER CASE when entering it in the ktpass command.

Figure 8-14 Control Panel > System > Computer Name | Full computer name

• No warnings should appear after the ktpass.exe command is executed.


• Execution of the command must display the following output:
Account <CAS user> has been set for DES-only encryption

1. Open a command prompt and cd to C:\Program Files\Support Tools\. The ktpass.exe command
should be in the folder.
2. Execute the following command:
ktpass.exe -princ <CAS_username>/<AD_DomainServer>@<AD_DOMAIN> -mapuser
<CAS_username> -pass <CAS_password> -out c:\<CAS_username>.keytab -ptype
KRB5_NT_PRINCIPAL +DesOnly
For example (see also Figure 8-15):
C:\Program Files\Support Tools>ktpass.exe -princ
casuser/cca-eng-test.cca-eng-domain.cisco.com@CCA-ENG-DOMAIN.CISCO.COM -mapuser
casuser -pass Cisco123 -out c:\casuser.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly

3. The output of the command should be as follows (see also Figure 8-16):
Targeting domain controller: cca-eng-test.cca-eng-domain.cisco.com
Successfully mapped casuser/cca-eng-test.cca-eng-domain.cisco.com to casuser.
Key created.
Output keytab to c:\casuser.keytab:
Keytab version: 0x502
keysize 97 casuser/cca-eng-test.cca-eng-domain.cisco.com@CCA-ENG-DOMAIN.CISCO.COM
ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8
(0xbc5120bcfeda01f8)
Account casuser has been set for DES-only encryption.

Note The “Successfully mapped casuser/cca-eng-test.cca-eng-domain.cisco.com to
casuser” response confirms that the casuser account is mapped correctly.

4. Save the exact command you executed and the output to a text file (you do not need to save the CAS
user password). For troubleshooting purposes, this will facilitate TAC support.

Figure 8-15 Execute ktpass.exe Command


Figure 8-16 ktpass.exe Command Output

Table 8-2 provides further parameter details.


Table 8-2 ktpass.exe Parameters

• -princ: Principal.
• <CAS_username>: User name of the CAS account.
• <AD_DomainServer>: FQDN machine name of the AD server. This parameter must EXACTLY match
(including the case) the name of the AD server under Control Panel > System > Computer Name | Full
computer name.
• <AD_DOMAIN>: Domain name (must be in UPPER CASE).
• -mapuser: Maps the CAS user to the domain.
• -pass: CAS user password.
• -out: Outputs the “c:\<CAS_user_name>.keytab” key to generate a keytab (similar to a certificate) for
this user.
• c:\<CAS_user_name>.keytab: Required parameter.
• -ptype: Principal type (required parameter).
• KRB5_NT_PRINCIPAL: The principal provided is of this type. By default DCs should use this type, but
some do not.
• +DesOnly: Flag for DES encryption.
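An added example (not Cisco's code) in Python that performs the checks this section describes before and after running ktpass.exe: it verifies that the -princ host part matches the AD server's Full computer name exactly, that the realm is upper case and matches the domain, assembles the command from step 2, and parses ktpass output for the "Successfully mapped" and "DES-only encryption" lines. The sample output is constructed from the step 3 listing (key bytes omitted); treating any output line containing "warning" as a warning is an assumption about how ktpass reports problems.

```python
# Added example, not part of the Cisco NAC Appliance guide: validate the ktpass.exe
# principal and check the command output for the expected confirmation lines.
import re

# <CAS_username>/<AD_DomainServer>@<AD_DOMAIN>
PRINCIPAL = re.compile(r"^([^/@\s]+)/([^/@\s]+)@([^/@\s]+)$")


def check_principal(princ, full_computer_name, domain_name):
    """Return a list of problems with the -princ value (an empty list means OK).
    full_computer_name and domain_name are the values shown under
    Control Panel > System > Computer Name on the AD server."""
    m = PRINCIPAL.match(princ)
    if not m:
        return ["principal must have the form <CAS_username>/<AD_DomainServer>@<AD_DOMAIN>"]
    user, host, realm = m.groups()
    problems = []
    if host != full_computer_name:
        if host.lower() == full_computer_name.lower():
            problems.append("host part differs from Full computer name only in case")
        else:
            problems.append("host part does not match Full computer name")
    if realm != realm.upper():
        problems.append("realm after '@' must be in UPPER CASE")
    if realm.upper() != domain_name.upper():
        problems.append("realm does not match the AD domain")
    return problems


def build_ktpass_command(user, full_computer_name, domain_name, password):
    """Assemble the command from step 2 with the realm forced to upper case."""
    realm = domain_name.upper()
    return (f"ktpass.exe -princ {user}/{full_computer_name}@{realm} -mapuser {user} "
            f"-pass {password} -out c:\\{user}.keytab -ptype KRB5_NT_PRINCIPAL +DesOnly")


def parse_ktpass_output(text, user):
    """Extract the success indicators from ktpass output."""
    mapped = re.search(r"Successfully mapped (\S+) to " + re.escape(user) + r"\.", text)
    des_only = re.search(r"Account " + re.escape(user)
                         + r" has been set for DES-only encryption", text)
    etype = re.search(r"etype 0x[0-9a-fA-F]+ \(([^)]+)\)", text)
    # Assumption: a warning shows up as a line containing the word "warning".
    warnings = [line for line in text.splitlines() if "warning" in line.lower()]
    return {
        "mapped_principal": mapped.group(1) if mapped else None,
        "des_only": des_only is not None,
        "etype": etype.group(1) if etype else None,
        "warnings": warnings,
    }


def ktpass_succeeded(result):
    """True only when the account is mapped, DES-only, and no warnings appeared."""
    return (result["mapped_principal"] is not None and result["des_only"]
            and result["etype"] is not None and result["etype"].startswith("DES")
            and not result["warnings"])


# Constructed sample output in the form shown in step 3 (key bytes omitted).
SAMPLE_OUTPUT = r"""Targeting domain controller: cca-eng-test.cca-eng-domain.cisco.com
Successfully mapped casuser/cca-eng-test.cca-eng-domain.cisco.com to casuser.
Key created.
Output keytab to c:\casuser.keytab:
Keytab version: 0x502
keysize 97 casuser/cca-eng-test.cca-eng-domain.cisco.com@CCA-ENG-DOMAIN.CISCO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8
Account casuser has been set for DES-only encryption.
"""

if __name__ == "__main__":
    full_name = "cca-eng-test.cca-eng-domain.cisco.com"
    domain = "cca-eng-domain.cisco.com"
    print(build_ktpass_command("casuser", full_name, domain, "<CAS_password>"))
    print(ktpass_succeeded(parse_ktpass_output(SAMPLE_OUTPUT, "casuser")))
```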


Example KTPass Command Execution


Figure 8-17 shows how parameters are derived from the CAS user account properties and AD server
computer name to run the KTPass command. Note that the values in this figure are example values only,
and do not match the configuration example steps outlined in this chapter.

Figure 8-17 Example of How KTPass is Run—SAMPLE VALUES


Enable Agent-Based Windows Single Sign-On with Active Directory (Kerberos)
After the AD server configuration is completed, perform the final step.
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows
Auth > Active Directory SSO.

Figure 8-18 Active Directory SSO

2. Click the checkbox for Enable Agent-Based Windows Single Sign-On with Active Directory
(Kerberos).
3. Click Update.

Note See Configure AD SSO on the CAS, page 8-9 for further details on Active Directory SSO page fields.


Confirm AD SSO Service Is Started


Once you have performed all the configuration outlined in AD SSO Configuration Step Summary, page
8-4, make sure the AD SSO service starts on the Clean Access Server.
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Status (Figure 8-19).

Figure 8-19 AD SSO Service Is Started

2. Make sure Active Directory SSO is listed with a Status of Started.

Note You can also confirm that the CAS is listening on TCP port 8910 (used for Windows SSO) via SSH
command: netstat -a | grep 8910.


Enable GPO Updates


When a user is not yet authenticated/certified by Cisco Clean Access (or is still on the Authentication
VLAN), access to the Windows Domain Controller is limited, so a complete group policy update might not
finish. In addition, background group policy refresh runs only every 90 minutes by default, so a user who
logs in just after a refresh can wait a long time for policy to apply. To accomplish a GPO update promptly,
administrators can force a group policy refresh for Agent users immediately after AD SSO login by
enabling the Refresh Windows domain group policy after login option.
When this option is configured in the CAM web console, the Cisco Clean Access Agent calls the Windows
"gpupdate" command to re-trigger the Group Policy update once the AD SSO user login finishes.
Login scripts are controlled by the Domain Controller and require a login event to run. For more
information about how to use login script in a Windows environment, see Enabling a Login Script
(Optional), page 8-24.

Note Because Microsoft Group Policies are only available since the advent of Active Directory (Windows
2000 and later), the GPO trigger update feature is only available on Windows Vista/XP/2000 machines.

To enable GPO update


1. Go to Device Management > Clean Access > General Setup > Agent Login


Figure 8-20 Agent Login—General Setup

2. From the User Role dropdown, choose the role to which to apply the GPO update.
3. From the Operating System dropdown, choose the OS to which to apply the GPO update (must be
Windows 2000 or later).
4. Click the checkbox for Refresh Windows domain group policy after login (for Windows)
5. Click Update.

Enabling a Login Script (Optional)


GPO update objects, such as login scripts, require an event to trigger them, such as login, or they fail.
Running a script in a Windows environment prior to NAC login fails because users do not have access
to drive mappings to the Domain Controller (DC) or drive resources.
Network-based login scripts and local login scripts are handled differently:
• Local login scripts run locally on the client machine. If you introduce an artificial delay with a
script, they work correctly.
• Network-based scripts require continuous access to a DC for initialization. Depending on your
network deployment, you can use a combination of steps to use them. Network-based scripts
typically reside on the DC in the %Sysvol%\scripts folder.
Table 8-3 lists the options for handling network-based scripts.


Table 8-3 Network-Based Login Script Options

Deployment                        Option
In Band                           Open access to the DC port in the Temporary or Unauthenticated user role
                                  and introduce a delay in the body of the script.
Out-of-Band without IP change     Open access to the DC port in the Temporary or Unauthenticated user role
                                  and introduce a delay in the body of the script.
Out-of-Band with IP change        Use a combination of scripts to copy a script that introduces delay
                                  locally, run it, and then delete it.
                                  Note A security concern exists while the script resides on the client
                                  machine because it can be viewed or copied.

In any type of deployment, you need to create an artificial delay script to run during authentication in
order for local or network-based scripts to work correctly. See Introducing a Delay to Allow Script Use,
page 8-25.
For network-based script use in Out-of-Band deployments with IP address changes, you must also:
• Append the delete command to the end of the “delay” script.
• Use a reference script that copies the “delay” script to the client machine and then launches it.
For more information, see Using Network-Based Scripts in Out-of-Band Mode with IP Address
Changes, page 8-26.

Introducing a Delay to Allow Script Use


You can introduce delay by calling a persistent check action that fails until authentication finishes. For
example, you can use ping, Telnet, nslookup, or another action that requires network connectivity to
succeed. The following example is a .bat script, but you can use other types of scripts.
When using ping, remember:
• You can ping any IP address that is reachable after Clean Access login succeeds.
• The IP address used for the ping and the DC do not have to be the same.
• You only need one IP address.
• All of your mappings can be assigned after the ping succeeds.

Caution If you ping a protected device that has a real IP address, the user will be able to see the IP address while
the delay script runs. You can add a statement to the script to hide the DOS window.

Example
:CHECK
@echo off
echo Please wait...
REM One echo request (-n 1) with a 1-byte payload (-l 1); it fails until Clean Access login grants access
ping -n 1 -l 1 192.168.88.128
REM ping exits with 1 on failure, so loop back to :CHECK until the host answers
if errorlevel 1 goto CHECK
@echo on
REM Map the share that holds the network-based login script
net use L: \\192.168.88.128\Scripttest


In the example, the script keeps calling ping until it succeeds. After succeeding, the loop is broken; the
system maps drive L: to the share on the same node where the network-based script resides, and then that
script runs. The user sees a DOS window in the background.

Note You can enhance the script with statements to hide or minimize the DOS window from the user.

Table 8-4 lists the script statements and meanings.

Table 8-4 Reference Script Statements and Meaning

Statement                                  Meaning
:CHECK                                     Label that the loop jumps back to while the ping keeps failing.
@echo off                                  Stop echoing each command as it runs; only command output is shown.
echo Please wait...                        Show the words "Please wait..." to the end user.
ping -n 1 -l 1 192.168.88.128              Use the ping utility to check whether 192.168.88.128 is reachable:
                                           -n 1: send one echo request.
                                           -l 1: use a 1-byte send buffer (the smallest possible probe).
if errorlevel 1 goto CHECK                 If ping exited with code 1 or higher (the host did not answer),
                                           start again from :CHECK.
@echo on                                   Turn command echoing back on.
net use L: \\192.168.88.128\Scripttest     Map the Scripttest share on 192.168.88.128 to the L: drive.

Using Network-Based Scripts in Out-of-Band Mode with IP Address Changes


In Out-of-Band mode with an IP address change, you need to create and run two scripts before calling
the targeted network-based script:
• A reference script to copy over and launch the local copy of the script.
• A delay script with a line added to delete the network script after it runs.

Caution Copying a network script to a user machine that has not been granted network access is a security
concern. While the script resides on the user machine, the user can copy or view the script.

Reference Script
Create a script similar to the following example. The script is named “refer.bat”, and it copies over a
delay script named “actual.bat” and then launches it.
@echo off
echo Please wait...
copy \\192.168.88.228\notlogon\actual.bat actual.bat
actual.bat


Table 8-5 lists the script statements and the meaning of each line.

Table 8-5 Reference Script Statements and Meaning

Statement                                              Meaning
@echo off                                              Stop echoing each command as it runs; only command output is shown.
echo Please wait...                                    Show the words "Please wait..." to the end user.
copy \\192.168.88.228\notlogon\actual.bat actual.bat   Copy the script "actual.bat" from the "notlogon" share on the DC
                                                       at IP address 192.168.88.228 into the local working directory.
actual.bat                                             Launch the script named "actual.bat".

Delay Script with Delete Command


To create a script that delays script initialization, refer to the "Introducing a Delay to Allow Script Use"
section on page 8-25. As shown in the following example, add the del command and the name of the
script that you want to delete to the end of the delay script. The script is named "actual.bat".

Caution We recommend that you reduce the window of exposure by deleting the local copy of the script residing
on the end user machine as soon as it has run. The last line of the sample script performs the deletion, or
clean up, function.

Example
:CHECK
@echo off
echo Please wait...
REM Fails until Clean Access login grants network access
ping -n 1 -l 1 192.168.88.128
if errorlevel 1 goto CHECK
@echo on
net use L: \\192.168.88.128\Scripttest
REM Remove the local copy; as the final line, the batch file can delete itself
del actual.bat

Add LDAP Lookup Server for Active Directory SSO (Optional)


Note The LDAP Lookup server is only needed if you want to configure mapping rules so that users are placed
into user roles based on AD attributes after AD SSO authentication. For basic AD SSO without role
mapping, or for testing purposes, it is not necessary to configure an LDAP Lookup Server.

If you plan on mapping Windows domain SSO users to multiple user roles, you will need to configure a
secondary LDAP Lookup server so that the CAM can perform the mapping. You then specify this LDAP
Lookup server for the Active Directory SSO auth provider, as described in Add Active Directory SSO
Auth Server, page 8-6.
To configure an LDAP Lookup server:
1. Go to User Management > Auth Servers > Lookup Servers.

Figure 8-21 Lookup Server (LDAP)

2. Server Type is set to LDAP Lookup.

Note There is no Default Role dropdown menu on the LDAP Lookup server form, because the role is already
assigned to the Active Directory SSO auth server. If the LDAP lookup fails, users are mapped to the
Default Role of the AD auth server.

3. Provider Name – Type a unique name for this lookup server.
4. Server URL – Type the URL of the LDAP lookup server, in the form:
ldap://<directory_server_name>:<port_number>
If no port number is specified, 389 is assumed.
5. Server version – The LDAP version. Leave as Auto (default) to have the server version
automatically detected. Supported types include Version 2 and Version 3.
6. Search(Admin) Full DN – REQUIRED. Type the full distinguished name (DN) of the account the CAM
binds with to search the LDAP server. Any account that can bind and read the user attributes your
mapping rules use is sufficient; it does not need to be a domain administrator. For example, for a
domain of ENG.CCA.CISCO.COM, the Search DN is:
CN=<username>, CN=Users, DC=ENG, DC=CCA, DC=CISCO, DC=COM
7. Search(Admin) Password – REQUIRED. Type the password for that account.
8. Search Base Context – The Base Context (root of the LDAP subtree) in which to perform the search
for users, for example:
CN=Users, DC=ENG, DC=CCA, DC=CISCO, DC=COM
9. Search Filter – The attribute to match against the login name. At lookup time the CAM replaces
$user$ with the user name and searches the base context for an entry whose attribute has that value.
For example:
CN=$user$, or
uid=$user$, or
sAMAccountName=$user$

10. Referral – The default is Manage(Ignore). Sets whether referral entries are managed (in which the
LDAP server returns referral entries as ordinary entries) or returned as handles (Handle(Follow)).
11. DerefLink – The default is OFF. If ON, object aliases returned as search results are de-referenced,
that is, the actual object that the alias refers to is returned as the search result, not the alias itself.
12. DerefAlias – Options are Always (default), Never, Finding, Searching.
13. Security Type – The default is None. Sets whether the connection to the LDAP server uses SSL.

Note If the LDAP server uses SSL, be sure to import the certificate to the CAM from Administration
> CCA Manager > SSL Certificate | Import Certificate.

14. Description – (Optional) If desired, type a description of the LDAP Lookup server.
15. Click Add Server.
16. Once the lookup server is added, make sure to configure the AD SSO auth server accordingly:
a. Go to User Management > Auth Servers > List.
b. Click the Edit button for the Active Directory SSO auth server you configured.
c. In the Edit form, choose the lookup server from the LDAP Lookup Server dropdown menu.
d. Click Update Server.

Note Once the LDAP Lookup Server is configured, role mapping using mapping rules is configured the same
way as for any other LDAP server. See Map Users to Roles Using Attributes or VLAN IDs, page 7-17,
for further details.
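The following helpers are an added example, not Cisco code: the CAM's own handling of these fields is not published, so the code models the behaviour the steps above describe. It assumes that the literal $user$ token in the Search Filter is replaced with the login name at lookup time, and that the Server URL has the form ldap://<directory_server_name>[:<port>] with 389 as the default port. The point a practitioner should take from it is the escaping: whatever substitutes $user$ must treat the login name as a literal value, otherwise a crafted name can change the filter the lookup runs, and with it the role the mapping rules assign.

```python
"""Two of the LDAP Lookup Server fields, worked through in code.

Added example, not Cisco code. Assumed: the Search Filter's literal $user$
token is replaced with the login name at lookup time, and the Server URL
takes the form ldap://<host>[:<port>] with 389 as the default port.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# RFC 4515, section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so the LDAP server treats it as a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username: str) -> str:
    """Replace every $user$ token in the Search Filter with the escaped login name.

    Without escaping, a login name such as 'jdoe)(objectClass=*' would turn
    'sAMAccountName=$user$' into a filter fragment carrying its own clauses,
    so the lookup (and the role mapping built on it) could follow the
    attacker's filter instead of matching the intended user entry.
    """
    if "$user$" not in template:
        raise ValueError("search filter has no $user$ token to substitute")
    return template.replace("$user$", escape_filter_value(username))


def parse_server_url(url: str) -> tuple[str, int]:
    """Split a Server URL into (host, port); port 389 when none is given."""
    parts = urlsplit(url)
    if parts.scheme != "ldap" or not parts.hostname:
        raise ValueError(f"expected ldap://<directory_server_name>[:<port>], got {url!r}")
    return parts.hostname, 389 if parts.port is None else parts.port


if __name__ == "__main__":
    # Sample values only; the domain is the one the steps above use as an example.
    print(parse_server_url("ldap://dc01.eng.cca.cisco.com"))
    print(build_search_filter("sAMAccountName=$user$", "jdoe"))
    print(build_search_filter("sAMAccountName=$user$", "jdoe)(objectClass=*"))
```

If the CAM already escapes the substituted value, the check costs nothing; if it does not, an escaped filter is the only thing standing between an odd-looking Windows login name and a wrong role assignment.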


Troubleshooting
General

• Make sure the date and time of the CAM, CAS and AD server are all synchronized within 3 minutes
of each other, or AD SSO will not work. If they are out of sync, you will have to delete the account on
AD, synchronize the times and recreate the account. If the AD server still keeps a record of the old
account even though you have deleted it, you may need to create a new account with a different name.
• When setting up the CAS account on the AD server, make sure that the CAS account does NOT
require Kerberos pre-authentication. Because an account without pre-authentication lets anyone
request an AS-REP encrypted with that account's key, give the CAS account a long random password
and no group memberships or rights beyond what AD SSO needs.

Note Perform a service perfigo restart on the CAS to make sure it is not using old cached credentials.

KTPass Command

• Make sure the computer name that is entered between "/" and "@" in the ktpass command (e.g.
"AD_DomainServer") exactly matches, character for character and including case, the name of the AD
server as it appears under Control Panel > System > Computer Name | Full computer name on the
AD server. See Run ktpass.exe Command, page 8-17 for details.
• Make sure the realm name that is entered after "@" (e.g. "AD_DOMAIN") in the ktpass command is
always in UPPER CASE. You must convert the Domain name that appears under Control Panel >
System > Computer Name | Domain on the AD server to UPPER CASE when entering it in the ktpass
command.

Cannot Start AD SSO Service on CAS

If the AD SSO service cannot start on the CAS, this typically indicates a communication issue between
the AD server and the CAS.
• If the Active Directory server is not reachable from the CAS at the time of CAS startup, AD SSO
service is not started. As a workaround, the administrator must go to Device Management > CCA
Servers > Manage [CAS_IP] > Authentication > Windows Auth > Active Directory SSO and
click the Update button to restart the AD SSO service.
• Check that the KTPass command is run correctly. Verify the fields are correct as described in Run
ktpass.exe Command, page 8-17. If KTPass was run incorrectly, delete the account, create a new
account on the AD server, and run KTPass again.
• Make sure the time on the CAS is synchronized with the AD server (DC). This can be done by
pointing them both to the same time server (or, in lab setups by just pointing the CAS to the DC
itself for time (DC runs Windows time)). Kerberos is sensitive to clock timing and the clock skew
cannot be greater than 5 minutes (300 seconds).
• Make sure the Active Directory Domain is in UPPERCASE (Realm) and that the CAS can resolve
the FQDN in DNS. (For lab setups you can point to a DC that runs DNS, as AD requires at least one
DNS server)
• Make sure the following are correct: CAS username on the AD server, CAS password (do not use
special characters such as single quotes), Active Directory Domain (Kerberos Realm) on the CAS
(uppercase), Active Directory Server (FQDN) on the CAS.


• When creating a TAC support case, log in to the CAS directly at https://<CAS-IP-address>/admin, click
Support Logs and change the logging level for Active Directory communication logging to "INFO".
Recreate the problem and download the support logs. Make sure to restart the CAS or change the log
level back to the default after the support logs are downloaded. See the Cisco NAC Appliance - Clean
Access Server Installation and Administration Guide for further details.

AD SSO Service Starts, but Client Not Performing SSO

If AD SSO service is started on the CAS, but the client machine is not performing Windows Single
Sign-On, this typically indicates a communication issue between the AD server and client PC or between
the client PC and the CAS. Check that:
• The client has obtained its Kerberos tickets (Kerbtray, described below, shows them).
• Ports are open in the Unauthenticated role to the AD server so that the client can connect.

Note When testing, it is recommended to open complete access to the AD server/DC first, then restrict
ports once AD SSO is working. When logging into the client PC, make sure to log into the
domain using Windows domain credentials (not Local Account).

• The client PC time/clock is synchronized with the AD server.


• The CAS is listening on TCP port 8910. A sniffer trace on the client PC can help.
• The user is logged in using the Windows domain account and not the local account.

Note The Clean Access Agent used must be version 4.0.0.1 or higher

Note The CAS/Clean Access Agent do not support the use of multiple NICs on the client PC. The client PC’s
Wireless NIC must be turned OFF when the Wired NIC is turned ON.

Kerbtray

Kerbtray is a free tool available from Microsoft Support Tools that can be used to confirm that the client
has obtained the Kerberos Tickets (TGT and ST), and can also be used to purge Kerberos Tickets on a
client machine. The ST (Service Ticket) is of concern for the CAS user account that is created on the AD
Server (DC). A green Kerbtray icon on the system tray indicates that the client has active Kerberos
tickets. However the ticket needs to be verified as correct (valid) for the CAS user account.

CAS Log Files

Note The log file of interest on the CAS is /perfigo/logs/perfigo-redirect-log0.log.0

If AD SSO Service does not start on CAS, this indicates a CAS-DC communication issue:
• Clock is not synchronized between CAS and the Domain Controller:
Aug 3, 2006 7:52:48 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Clock skew too great (37)

• Username is incorrect. Note the wrong username "ccass," error code 6 and the last warning:
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccass/[email protected]]
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Client not found in Kerberos database (6)
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer startServer
WARNING: GSSServer loginSubject could not be created.

• Password is incorrect or Realm is invalid (e.g. not uppercase, bad FQDN, KTPASS run incorrectly).
Note error code 24 and the last warning:
Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccasso/[email protected]]
Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Pre-authentication information was invalid (24)
Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer startServer
WARNING: GSSServer loginSubject could not be created.

The following error indicates a client-CAS communication issue, seen when the client PC's time is not
synchronized with the DC. Note the difference between this error, logged by GSSHandler while the CAS
validates the ticket a client presented, and the one above in which the CAS time is not synchronized with
the DC, logged by GSSServer when the service itself logs in to the KDC.
Aug 3, 2006 10:03:05 AM com.perfigo.wlan.jmx.admin.GSSHandler run
SEVERE: GSS Error: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
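The script below is an added example, not Cisco tooling: it runs the triage described in this section over the log, keying only on the message shapes quoted above (a Java class/method header line followed by a SEVERE line that ends in a Kerberos error code in parentheses) and on which class logged the error, which tells the CAS-DC and client-CAS legs apart. The sample log is constructed from the excerpts on this page; the SPN in it is a placeholder, not a real host or realm.

```python
"""Triage of AD SSO failures in /perfigo/logs/perfigo-redirect-log0.log.0.

Added example, not Cisco tooling. It recognizes only the message shapes
quoted on this page; SAMPLE_LOG is constructed from those excerpts and its
SPN is a placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Kerberos error codes (RFC 4120, section 7.5.9) that appear in the excerpts.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: CAS username / SPN not found in AD",
    24: "KDC_ERR_PREAUTH_FAILED: wrong CAS password, realm not uppercase, bad FQDN, or ktpass run incorrectly",
    37: "KRB_AP_ERR_SKEW: clock skew too great",
}

# "Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC"
_HEADER = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<cls>[\w.]+) (?P<method>\w+)$"
)
# "SEVERE: ... (6)" or "SEVERE: ... (Mechanism level: Clock skew too great (37))"
_SEVERE = re.compile(r"^SEVERE: .*\((?P<code>\d+)\)\)?$")


@dataclass(frozen=True)
class Finding:
    when: str
    leg: str    # "CAS<->DC" (service start) or "client<->CAS" (user SSO)
    code: int
    cause: str


def triage(log_text: str) -> list[Finding]:
    """Pair each header line with the line after it and keep the SEVERE ones."""
    lines = [line.strip() for line in log_text.splitlines() if line.strip()]
    findings: list[Finding] = []
    for header, detail in zip(lines, lines[1:]):
        h, d = _HEADER.match(header), _SEVERE.match(detail)
        if not h or not d:
            continue
        # GSSServer.loginToKDC is the CAS logging in to the KDC at service start;
        # GSSHandler.run is the CAS validating a ticket a client presented.
        leg = "CAS<->DC" if h["cls"].endswith("GSSServer") else "client<->CAS"
        code = int(d["code"])
        findings.append(Finding(h["when"], leg, code, KRB_ERRORS.get(code, "unlisted Kerberos error")))
    return findings


def advice(finding: Finding) -> str:
    """Remediation from the troubleshooting steps above, by error code and leg."""
    if finding.code == 37:
        side = "CAS" if finding.leg == "CAS<->DC" else "client PC"
        return f"synchronize the {side} clock with the DC (skew must stay under 5 minutes)"
    if finding.code == 6:
        return "fix the CAS username on the CAS and the AD account, then restart the AD SSO service"
    if finding.code == 24:
        return "check the CAS password, the uppercase realm and the AD FQDN, and rerun ktpass"
    return "no remediation on file for this code"


# Constructed sample: message text from the excerpts above, SPN is a placeholder.
SAMPLE_LOG = """
Aug 3, 2006 7:52:48 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Clock skew too great (37)
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
INFO: GSSServer - SPN : [ccass/dc01.example.test@EXAMPLE.TEST]
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Client not found in Kerberos database (6)
Aug 21, 2006 3:39:11 PM com.perfigo.wlan.jmx.admin.GSSServer startServer
WARNING: GSSServer loginSubject could not be created.
Aug 21, 2006 3:40:26 PM com.perfigo.wlan.jmx.admin.GSSServer loginToKDC
SEVERE: startServer - SSO Service authentication failed. Pre-authentication information was invalid (24)
Aug 3, 2006 10:03:05 AM com.perfigo.wlan.jmx.admin.GSSHandler run
SEVERE: GSS Error: Failure unspecified at GSS-API level (Mechanism level: Clock skew too great (37))
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.when}  {f.leg:12} code {f.code:2}  {f.cause}  ->  {advice(f)}")
```

Run it against a copy of the CAS log downloaded with the support logs; a code 37 attributed to GSSHandler points at the client's clock, not the appliance's, which is the distinction the two excerpts above are drawing.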

Chapter 9 User Management: Traffic Control, Bandwidth, Schedule

This chapter describes how to configure role-based traffic control policies, bandwidth management,
session and heartbeat timers. Topics include:
• Overview, page 9-1
• Add Global IP-Based Traffic Policies, page 9-4
• Add Global Host-Based Traffic Policies, page 9-8
• Control Bandwidth Usage, page 9-13
• Configure User Session and Heartbeat Timeouts, page 9-15
• Configure Policies for Agent Temporary and Quarantine Roles, page 9-19
• Example Traffic Policies, page 9-24
• Troubleshooting Host-Based Policies, page 9-29
For details on configuring user roles and local users, see Chapter 6, “User Management: Configuring
User Roles and Local Users.”
For details on configuring authentication servers, see Chapter 7, “User Management: Configuring Auth
Servers.”
For details on creating and configuring the web user login page, see Chapter 5, “Configuring User Login
Page and Guest Access.”

Overview
You can control the in-band user traffic that flows through the Clean Access Server with a variety of
mechanisms. This section describes the Traffic Control, Bandwidth, and Scheduling policies configured
by user role.
For new deployments of Cisco NAC Appliance, by default all traffic from the trusted to the untrusted
network is allowed, and traffic from the untrusted network to the trusted network is blocked for the
default system roles (Unauthenticated, Temporary, Quarantine) and new user roles you create. This
allows you to expand access as necessary for traffic sourced from the untrusted network.


Cisco NAC Appliance offers two types of traffic policies: IP-based policies, and host-based policies.
IP-based policies are fine-grained and flexible and can stop traffic in any number of ways. IP-based
policies are intended for any role and allow you to specify IP protocol numbers as well as source and
destination port numbers. For example, you can create an IP-based policy to pass through IPSec traffic
to a particular host while denying all other traffic.
Host-based policies are less flexible than IP-based policies, but have the advantage of allowing traffic
policies to be specified by host name or domain name when a host has multiple or dynamic IP addresses.
Host-based policies are intended to facilitate traffic policy configuration primarily for Clean Access
Agent Temporary and quarantine roles and should be used for cases where the IP address for a host is
continuously changing or if a host name can resolve to multiple IPs.
Traffic control policies are directional. IP-based policies can allow or block traffic moving from the
untrusted (managed) to the trusted network, or from the trusted to the untrusted network. Host-based
policies allow traffic from the untrusted network to the specified host and trusted DNS server specified.
By default, when you create a new user role:
• All traffic from the untrusted network to the trusted network is blocked.
• All traffic from the trusted network to the untrusted network is allowed.
You must create policies to allow traffic as appropriate for the role. Alternatively, you can configure
traffic control policies to block traffic to a particular machine or limit users to particular activities, such
as email use or web browsing. Examples of traffic policies are:
deny access to the computer at 191.111.11.1, or
allow web (www) traffic from computers on subnet 191.111.5.0/24

Traffic Policy Priority


The order of a traffic policy in the policy list also affects how traffic is filtered. The first policy at
the top of the list has the highest priority, and the first policy that matches a packet decides what happens
to it. The following examples illustrate how priorities work for Untrusted->Trusted traffic control policies.
Example 1:
1. Deny Telnet
2. Allow All
Result: Only Telnet traffic is blocked and all other traffic is permitted.
Example 2 (priorities reversed):
1. Allow All
2. Deny Telnet
Result: All traffic is allowed, and the second policy blocking Telnet traffic is ignored.
Example 3:
1. Allow TCP *.* 10.10.10.1/255.255.255.255
2. Block TCP *.* 10.10.10.0/255.255.255.0
Result: Allow TCP access to 10.10.10.1 while blocking TCP access to everything else in the subnet
(10.10.10.*).
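The following script is an added example, not Cisco code: it models the first-match evaluation the three examples above rely on, with the Untrusted (IP/Mask:Port) and Trusted (IP/Mask:Port) fields of the Add Policy form, including the "*" and "21, 1024-1100" port syntax that form accepts, and replays Examples 1 through 3 against sample packets. It assumes that the built-in Block All policy sits last in every role's list, so a packet no policy matches is blocked; the addresses and packet values are constructed, and the real CAS may differ in details such as connection tracking.

```python
"""First-match evaluation of a role's IP-based traffic policy list.

Added example, not Cisco code. Assumed: the built-in Block All policy sits
last in every role's list, so a packet no policy matches is blocked. All
addresses below are sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1, "ESP": 50, "AH": 51}


def parse_ports(spec: str) -> frozenset[int] | None:
    """'*' -> None (any port); '21, 1024-1100' -> frozenset of those ports."""
    spec = spec.strip()
    if spec == "*":
        return None
    ports: set[int] = set()
    for item in (s.strip() for s in spec.split(",")):
        lo, _, hi = item.partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 <= lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port or range {item!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)


def parse_network(spec: str) -> ipaddress.IPv4Network | None:
    """'*' -> None (any address); '10.10.10.0/255.255.255.0' -> that network."""
    spec = spec.strip()
    return None if spec == "*" else ipaddress.IPv4Network(spec, strict=False)


@dataclass(frozen=True)
class Policy:
    action: str          # "Allow" or "Block"
    proto: int | None    # IP protocol number; None = ALL TRAFFIC
    src: str = "*"       # first IP/Mask field (the untrusted side for Untrusted->Trusted)
    sport: str = "*"     # its port spec
    dst: str = "*"       # second IP/Mask field (the trusted side)
    dport: str = "*"     # its port spec

    def matches(self, proto: int, src: str, sport: int, dst: str, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        for net_spec, addr in ((self.src, src), (self.dst, dst)):
            net = parse_network(net_spec)
            if net is not None and ipaddress.IPv4Address(addr) not in net:
                return False
        if proto in (PROTO["TCP"], PROTO["UDP"]):  # ports are meaningful only for TCP/UDP
            for port_spec, port in ((self.sport, sport), (self.dport, dport)):
                allowed = parse_ports(port_spec)
                if allowed is not None and port not in allowed:
                    return False
        return True


def evaluate(policies: Iterable[Policy], proto: int, src: str, sport: int, dst: str, dport: int) -> str:
    """Walk the list top down; the first policy that matches decides."""
    for policy in policies:
        if policy.matches(proto, src, sport, dst, dport):
            return policy.action
    return "Block"  # the built-in Block All at the bottom of the list


# Example 1 above: Deny Telnet, then Allow All.
EXAMPLE_1 = [Policy("Block", PROTO["TCP"], dport="23"), Policy("Allow", None)]
# Example 2: the same two policies with the priorities reversed.
EXAMPLE_2 = list(reversed(EXAMPLE_1))
# Example 3: allow TCP to one host, block TCP to the rest of its /24.
EXAMPLE_3 = [
    Policy("Allow", PROTO["TCP"], dst="10.10.10.1/255.255.255.255"),
    Policy("Block", PROTO["TCP"], dst="10.10.10.0/255.255.255.0"),
]

if __name__ == "__main__":
    client = ("192.168.1.10", 40000)
    print(evaluate(EXAMPLE_1, PROTO["TCP"], *client, "10.10.10.1", 23))   # Block
    print(evaluate(EXAMPLE_2, PROTO["TCP"], *client, "10.10.10.1", 23))   # Allow
    print(evaluate(EXAMPLE_3, PROTO["TCP"], *client, "10.10.10.7", 443))  # Block
```

The Example 2 result is the one to remember when auditing a role: an Allow All anywhere above a Block makes every policy below it dead, so review the list from the top and keep broad allows at the bottom.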


Global vs. Local Scope


This chapter describes global traffic control policies configured under User Management > User Roles
> Traffic Control. For details on local traffic control policies configured under Device Management >
CCA Servers > Manage [CAS_IP] > Filter > Roles, see the Cisco NAC Appliance - Clean Access
Server Installation and Administration Guide.

Note A local traffic control policy in a specific CAS takes precedence over a global policy if the local policy
has a higher priority.

Traffic policies you add using the global forms under User Management > User Roles > Traffic
Control apply to all Clean Access Servers in the CAM’s domain and appear with white background in
the global pages.
Global traffic policies are displayed for a local CAS under Device Management > CCA Servers >
Manage [CAS_IP] > Filter > Roles and appear with yellow background in the local list.
To delete a traffic control policy, use the global or local form you used to create it.
Pre-configured default host-based policies apply globally to all Clean Access Servers and appear with
yellow background in both global and local host-based policy lists. These default policies can be enabled
or disabled, but cannot be deleted. See Enable Default Allowed Hosts, page 9-9 for details.

View Global Traffic Control Policies


Click the IP subtab link to configure IP-based traffic policies under User Management > User Roles >
Traffic Control > IP (Figure 9-2).
Click the Host subtab link to configure Host-based traffic policies under User Management > User
Roles > Traffic Control > Host. (Figure 9-7).

By default, IP-based traffic policies for roles are shown with the untrusted network as the source and the
trusted network as the destination of the traffic. To configure policies for traffic traveling in the opposite
direction, choose Trusted->Untrusted from the source-to-destination direction field and click Select.
You can view IP or Host based policies for “All Roles” or a specific role by choosing from the role
dropdown menu and clicking the Select button (Figure 9-1).

Figure 9-1 Trusted -> Untrusted Direction Field



Add Global IP-Based Traffic Policies


You can configure traffic policies for all the default roles already present in the system (Unauthenticated,
Temporary, Quarantine). You will need to create normal login user roles first before you can configure
traffic policies for them (see Chapter 6, “User Management: Configuring User Roles and Local Users.”)
This section describes the following:
• Add IP-Based Policy, page 9-4
• Edit IP-Based Policy, page 9-7

Add IP-Based Policy


You can specify individual ports, a port range, a combination of ports and port ranges, or wildcards when
configuring IP-based traffic policies.
1. Go to User Management > User Roles > Traffic Control > IP. The list of IP-based policies for all
roles displays (Figure 9-2).

Figure 9-2 List of IP-Based Policies


2. Select the source-to-destination direction for which you want the policy to apply. Choose either
Trusted->Untrusted or Untrusted->Trusted, and click Select.
3. Click the Add Policy link next to the user role to create a new policy for the role, or click Add Policy
to All Roles to add the new policy to all roles (except the Unauthenticated role) at once.

Note The Add Policy to All Roles option adds the policy to all roles except the Unauthenticated role.
Once added, traffic policies are modified individually and removed per role only.

4. The Add Policy form for the role appears (Figure 9-3).


Figure 9-3 Add IP-Based Policy


5. Set the Priority of the policy from the Priority dropdown menu. The IP policy at the top of the list
will have the highest priority in execution. By default, the form displays a priority lower than the
last policy created (1 for the first policy, 2 for the second policy, and so on). The number of priorities
in the list reflects the number of policies created for the role. The built-in Block All policy has the
lowest priority of all policies by default.

Note To change the Priority of a policy later, click the Up or Down arrows for the policy in the Move
column of the IP policies list page (Figure 9-2).

6. Set the Action of the traffic policy as follows:


– Allow (default)– Permit the traffic.
– Block – Drop the traffic.
7. Set the State of the traffic policy as follows:
– Enabled (default)– Enable this traffic policy immediately for any new traffic for the role.
– Disabled – Disable this traffic policy for the role, while preserving the settings of the policy for
future use.

Note To enable/disable traffic policies at the role level, click the corresponding checkbox in Enable
column of the IP policies list page (Figure 9-2).

8. Set the Category of the traffic as follows:


– ALL TRAFFIC (default) – The policy applies to all protocols and to all trusted and untrusted
source and destination addresses.
– IP—If selected, the Protocol field displays as described below.


– IP FRAGMENT – By default, the Clean Access Manager blocks IP fragment packets, since
they can be used in denial-of-service (DoS) attacks. To permit fragmented packets, define a role
policy allowing them with this option.
9. The Protocol field appears if the IP Category is chosen, displaying the options listed below:
– CUSTOM:—Select this option to specify a different protocol number than the protocols listed
in the Protocol dropdown menu.
– TCP (6)—Select for Transmission Control Protocol. TCP applications include HTTP, HTTPS,
and Telnet.
– UDP (17)—Select for User Datagram Protocol, the connectionless transport used by services such
as DNS, DHCP, and NTP.
– ICMP (1)—Select for Internet Control Message Protocol. If selecting ICMP, also choose a
Type from the dropdown menu.
– ESP (50)—Select for Encapsulating Security Payload, the IPsec protocol that encrypts (and
optionally authenticates) the IP packet payload, typically in order to create VPN tunnels.
– AH (51)—Select for Authentication Header, the IPsec protocol that carries an integrity check
value authenticating the IP header and payload without encrypting them.
10. In the Untrusted (IP/Mask:Port) field, specify the IP address and subnet mask of the untrusted
network to which the policy applies. An asterisk in the IP/Mask:Port fields means the policy applies
for any address/application.
If you chose TCP or UDP as the Protocol, also type the TCP/UDP port number for the application
in the Port text field.

Note You can specify individual ports, a port range, a combination of ports and port ranges, or
wildcards when configuring TCP/UDP ports. For example, you can specify port values such as:
“*” or “21, 1024-1100” or “1024-65535” to cover multiple ports in one policy. Refer to
http://www.iana.org/assignments/port-numbers for details on TCP/UDP port numbers.

11. In the Trusted (IP/Mask:Port) field, specify the IP address and subnet mask of the trusted network
to which the policy applies. An asterisk in the IP/Mask:Port fields means the policy applies for any
address/application. If you chose TCP or UDP as the Protocol, also type the TCP/UDP port number
for the application in the Port text field.

Note The traffic direction you select for viewing the list of policies (Untrusted -> Trusted or Trusted ->
Untrusted) sets the source and destination when you open the Add Policy form:
• The first IP/Mask/Port entry listed is the source.
• The second IP/Mask/Port entry listed is the destination.

12. Optionally, type a description of the policy in the Description field.


13. Click Add Policy when finished. If modifying a policy, click the Update Policy button.


Edit IP-Based Policy


1. Go to User Management > User Roles > Traffic Control > IP.
2. Click the Edit button for the role policies you want to edit (Figure 9-4).

Figure 9-4 Edit IP Policy

3. The Edit Policy form for the role policy appears (Figure 9-5).

Figure 9-5 Edit IP Policy Form

4. Change properties as desired.

Note You can specify individual ports, a port range, a combination of ports and port ranges, or
wildcards such as: “*” or “21, 1024-1100” or “1024-65535” for TCP/UDP ports. See
http://www.iana.org/assignments/port-numbers for details on TCP/UDP ports.


5. Click Update Policy when done.


Note that you cannot change the policy priority directly from the Edit form. To change a Priority, click
the Up or Down arrows for the policy in the Move column of the IP policies list page.
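The IP policy form above defines each rule by action, category, protocol, and an Untrusted and Trusted “IP/Mask:Port” pair, and the Move column fixes the priority order in which rules are consulted. The following example, added to this guide and not part of Cisco NAC Appliance, models one role's Untrusted -> Trusted list in Python: it parses the port syntax from the Note (“*”, “21, 1024-1100”, “1024-65535”), parses “IP/Mask:Port” entries, and evaluates packets first-match in priority order with the role's Block All default. First-match semantics and the fragment handling are this example's assumptions; the DNS server (10.201.240.5) and patch subnet (10.201.250.0/24) addresses are made up, while 10.201.240.11:80 is the CAM address used in this chapter's examples.

```python
# Example code added to this guide, not part of Cisco NAC Appliance. It models one
# role's Untrusted -> Trusted IP policy list as an ordered rule set: the first
# enabled policy that matches in priority order decides, and the role's default
# (Block All for the Temporary and Quarantine roles) applies when nothing does.
# Fragment handling is an assumption: a fragment is compared only against
# IP FRAGMENT policies and is blocked unless one allows it.
import ipaddress

PROTO = {"TCP": 6, "UDP": 17, "ICMP": 1, "ESP": 50, "AH": 51}


def parse_ports(spec):
    """Parse a port field: '*', '80', '21, 1024-1100' or '1024-65535'.

    Returns None for the wildcard, else a list of (low, high) tuples; rejects
    ports outside 1-65535 and reversed ranges.
    """
    spec = spec.strip()
    if spec == "*":
        return None
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part.strip()!r}")
        ranges.append((lo, hi))
    return ranges


def valid_port_spec(spec):
    """True if the port field would be accepted; use it before saving a policy."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


def port_matches(ranges, port):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def parse_endpoint(spec):
    """Parse 'IP/Mask:Port' (e.g. '10.201.240.11/255.255.255.255:80' or '*:*'); None means any."""
    addr, sep, ports = spec.rpartition(":")
    if not sep:                                   # no port given: address only
        addr, ports = spec, "*"
    addr = addr.strip()
    net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
    return net, parse_ports(ports)


class Policy:
    def __init__(self, action, category, protocol, untrusted, trusted, enabled=True, description=""):
        self.action = action                      # "Allow" or "Block"
        self.category = category                  # "ALL TRAFFIC", "IP" or "IP FRAGMENT"
        self.protocol = protocol                  # IP protocol number, None for any
        self.src_net, self.src_ports = parse_endpoint(untrusted)   # source in the Untrusted -> Trusted view
        self.dst_net, self.dst_ports = parse_endpoint(trusted)     # destination
        self.enabled = enabled
        self.description = description

    def matches(self, pkt):
        if not self.enabled:
            return False
        if self.category == "ALL TRAFFIC":        # all protocols, all addresses
            return True
        if self.category == "IP FRAGMENT":
            return pkt["fragment"]
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.src_net and ipaddress.ip_address(pkt["src"]) not in self.src_net:
            return False
        if self.dst_net and ipaddress.ip_address(pkt["dst"]) not in self.dst_net:
            return False
        if pkt["proto"] in (PROTO["TCP"], PROTO["UDP"]):  # ports only apply to TCP/UDP
            return port_matches(self.src_ports, pkt["sport"]) and port_matches(self.dst_ports, pkt["dport"])
        return True


def packet(proto, src, sport, dst, dport, fragment=False):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "fragment": fragment}


def evaluate(policies, pkt, default="Block"):
    """Return (action, index of the deciding policy or None) for one packet."""
    for i, pol in enumerate(policies):
        if (pol.category == "IP FRAGMENT") != pkt["fragment"]:
            continue
        if pol.matches(pkt):
            return pol.action, i
    return default, None


# Constructed Temporary-role list. 10.201.240.11:80 is the CAM address used in this
# chapter's examples; the DNS server and patch subnet addresses are assumed.
TEMPORARY_ROLE = [
    Policy("Allow", "IP", PROTO["UDP"], "*:*", "10.201.240.5/255.255.255.255:53",
           description="Trusted DNS server (auto-added with the Host form)"),
    Policy("Allow", "IP", PROTO["TCP"], "*:*", "10.201.240.11/255.255.255.255:80",
           description="HTTP to the CAM for File Distribution requirements"),
    Policy("Allow", "IP", PROTO["TCP"], "*:*", "10.201.250.0/255.255.255.0:21, 1024-1100",
           description="FTP control and passive data range on the patch server subnet"),
    Policy("Block", "ALL TRAFFIC", None, "*:*", "*:*", description="Default Block All"),
]
```

Running `evaluate(TEMPORARY_ROLE, packet(6, "10.201.1.20", 40000, "10.201.240.11", 80))` returns ("Allow", 1), while HTTPS to the same host falls through to the Block All policy, and a fragment is blocked because no IP FRAGMENT policy exists. The ordering matters: an Allow placed below the Block All policy would never be reached, which is why the Move column, not the Edit form, controls priority.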

Add Global Host-Based Traffic Policies


Default host policies for the Unauthenticated, Temporary, and Quarantine roles are automatically
retrieved and updated after a Clean Access Agent Update or Clean Update is performed from the CAM
(see Retrieving Updates, page 10-11 for complete details on Updates).
You can configure custom DNS host-based policies for a role by host name or domain name when a host
has multiple or dynamic IP addresses. Allowing DNS addresses to be configured per user role facilitates
client access to the Windows or antivirus update sites that enable clients to fix their systems if Clean
Access Agent requirements are not met or network scanning vulnerabilities are found. Note that to use
any host-based policy, you must first add a Trusted DNS Server for the user role.

Note • After a software upgrade, new default host-based policies are disabled by default but enable/disable
settings for existing host-based policies are preserved.
• After a Clean Update, all existing default host-based policies are removed and new default
host-based policies are added with default disabled settings.

This section describes the following:


• Add Trusted DNS Server for a Role, page 9-8
• Enable Default Allowed Hosts, page 9-9
• Add Allowed Host, page 9-10
• Proxy Servers and Host Policies, page 9-12

Add Trusted DNS Server for a Role


To enable host-based traffic policies for a role, add a Trusted DNS Server for the role.
1. Go to User Management > User Roles > Traffic Control and click the Host link.
2. Select the role for which to add a trusted DNS server.
3. Type an IP address in the Trusted DNS Server field, or an asterisk “*” to specify any DNS server.
Prefer a specific server where you can: with “*”, the automatically added IP policy permits
DNS/UDP traffic from the role to any address, and replies from any resolver are used to populate
the role's host-based allow list.

Figure 9-6 Add Trusted DNS Server (callout: New DNS server)

4. Optionally type a description for the DNS server in the Description field.
5. The Enable checkbox should already be selected.
6. Click Add. The new policy appears in the Trusted DNS Server column.

Note • When a Trusted DNS Server is added on the Host form, an IP-based policy allowing DNS/UDP
traffic to that server is automatically added for the role (on the IP form).
• When you add a specific DNS server, then later add Any (“*”) DNS server to the role, the previously
added server becomes a subset of the overall policy allowing all DNS servers, and will not be
displayed. If you later delete the Any (“*”) DNS server policy, the specific trusted DNS server
previously allowed is again displayed.

Enable Default Allowed Hosts


Cisco NAC Appliance provides default host policies for the Unauthenticated, Temporary, and
Quarantine roles. Default Host Policies are initially pulled down to your system, then dynamically
updated, through performing a Clean Access Update or Clean Update. Newly added Default Host
Policies are disabled by default, and must be enabled for each role under User Management > User
Roles > Traffic Control > Host.

To Enable (Automatic-Update) Default Host Policies


1. Go to Device Management > Clean Access > Updates. (see Figure 10-5 on page 10-14)
2. Click Update or Clean Update to get the latest Default Host Policies (along with Clean Access
updates).
3. Go to User Management > User Roles > Traffic Control > Host. (see Figure 9-7 on page 9-10)
4. Choose the role (Unauthenticated, Temporary, or Quarantine) for which to enable a Default Host
Policy from the dropdown menu and click Select.
5. Click the Enable checkbox for each default host policy you want to permit for the role.
6. Make sure a Trusted DNS server is added (see Add Trusted DNS Server for a Role, page 9-8).


7. To add additional custom hosts for the roles, follow the instructions for Add Allowed Host, page
9-10.

Note See Retrieving Updates, page 10-11, for complete details on configuring Updates.

Add Allowed Host


The Allowed Host form allows you to supplement Default Host Policies with additional update sites for
the default roles, or create custom host-based traffic policies for any user role.
1. Go to User Management > User Roles > Traffic Control and click the Host link.

Figure 9-7 Add Allowed Host (callouts: Click to Enable Default Host Policies (after Update); Add
allowed host)

2. Select the role for which to add a DNS host.


3. Type the hostname in the Allowed Host field (e.g. “allowedhost.com”).
4. In the Match dropdown menu, select an operator to match the host name: equals, ends, begins, or
contains.
5. Type a description for the host in the Description field (e.g. “Allowed Update Host”).
6. The Enable checkbox should already be selected.
7. Click Add. The new policy appears above the Add field.

Note You must add a Trusted DNS Server to the role to enable host-based traffic policies for the role.


View IP Addresses Used by DNS Hosts


You can view the IP addresses used for the DNS host when clients connect to the host to update their
systems. Note that these IP addresses are viewed per Clean Access Server from the CAS management
pages.
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Allowed
Hosts.
2. To view all IP addresses for DNS hosts accessed across all roles, click the View Current IP
addresses for All Roles link at the top of the page.
3. To view the IP addresses for DNS hosts accessed by clients in a specific role, click the View Current
IP addresses link next to the desired role.
4. The IP Address, Host Name, and Expire Time will display for each IP address accessed. Note that
the Expire Time is based on the DNS reply TTL. When the IP address for the DNS host reaches the
Expire Time, it becomes invalid.

Figure 9-8 View Current IP Addresses for All Roles

Tip To troubleshoot host-based policy access, try performing an ipconfig /flushdns from a command
prompt of the test client machine. Cisco NAC Appliance needs to see DNS responses before putting
corresponding IP addresses on the allow list; a client answering from its own DNS cache never
generates a response for the CAS to observe.
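The Allowed Host and View IP Addresses sections above describe a host policy as a name rule (with the equals, ends, begins, or contains operator) whose IP addresses are learned from DNS replies and expire with the reply TTL. The following example, added to this guide and not Cisco code, models that lifecycle in Python: a reply from a Trusted DNS Server for a name matching an enabled Allowed Host adds each answered address until its Expire Time, replies from other resolvers or for non-matching names add nothing, and lookups after expiry fail. Treating the operators as plain string comparisons is an assumption about the product; the host names and TEST-NET addresses are constructed.

```python
# Example code added to this guide, not part of Cisco NAC Appliance. It models how a
# role's Allowed Host policies become an IP allow list: the CAS sees a DNS reply from
# a Trusted DNS Server, and if the queried name matches an enabled Allowed Host rule,
# each answered address is allowed until the reply TTL expires (the Expire Time shown
# under Filter > Roles > Allowed Hosts). Plain string matching for the operators and
# all names/addresses below are this example's assumptions.

OPERATORS = {
    "equals": lambda name, host: name == host,
    "ends": lambda name, host: name.endswith(host),
    "begins": lambda name, host: name.startswith(host),
    "contains": lambda name, host: host in name,
}


def normalize(name):
    """Lower-case and drop a trailing dot so 'Download.WindowsUpdate.com.' compares cleanly."""
    return name.strip().lower().rstrip(".")


class AllowedHost:
    def __init__(self, host, match="equals", enabled=True, description=""):
        if match not in OPERATORS:
            raise ValueError(f"unknown Match operator: {match}")
        self.host, self.match, self.enabled, self.description = normalize(host), match, enabled, description

    def matches(self, qname):
        return self.enabled and OPERATORS[self.match](normalize(qname), self.host)


class RoleHostPolicy:
    def __init__(self, allowed_hosts, trusted_dns_servers):
        self.rules = list(allowed_hosts)
        self.trusted_dns = set(trusted_dns_servers)   # "*" means any DNS server
        self.learned = {}                             # ip -> (host name, expire time)

    def dns_server_trusted(self, server_ip):
        return "*" in self.trusted_dns or server_ip in self.trusted_dns

    def observe_dns_reply(self, server_ip, qname, answers, now):
        """answers: [(ip, ttl_seconds), ...]. Returns how many addresses were added."""
        if not self.dns_server_trusted(server_ip):
            return 0                                  # reply did not come from a Trusted DNS Server
        if not any(rule.matches(qname) for rule in self.rules):
            return 0                                  # name matches no enabled Allowed Host
        for ip, ttl in answers:
            self.learned[ip] = (normalize(qname), now + ttl)
        return len(answers)

    def is_allowed(self, ip, now):
        entry = self.learned.get(ip)
        if entry is None:
            return False                              # never seen in a DNS reply (or client used its cache)
        if now >= entry[1]:                           # past Expire Time: the address is invalid again
            del self.learned[ip]
            return False
        return True

    def current_ips(self, now):
        """What 'View Current IP addresses' lists: (ip, host, expire) for unexpired entries."""
        return sorted((ip, host, exp) for ip, (host, exp) in self.learned.items() if exp > now)


# Constructed role configuration (made-up names, TEST-NET addresses).
QUARANTINE_HOSTS = RoleHostPolicy(
    [AllowedHost("windowsupdate.com", "ends", description="Windows Update"),
     AllowedHost("update.example-av.com", "equals", description="AV definitions"),
     AllowedHost("old.example.net", "equals", enabled=False)],
    trusted_dns_servers={"10.201.240.5"},
)


def demo():
    p = QUARANTINE_HOSTS
    added = [
        p.observe_dns_reply("10.201.240.5", "download.windowsupdate.com",
                            [("203.0.113.10", 300), ("203.0.113.11", 300)], now=1000),
        p.observe_dns_reply("192.0.2.53", "update.example-av.com", [("203.0.113.20", 60)], now=1000),
        p.observe_dns_reply("10.201.240.5", "old.example.net", [("203.0.113.30", 60)], now=1000),
        p.observe_dns_reply("10.201.240.5", "evil.example", [("203.0.113.40", 60)], now=1000),
    ]
    return (added,
            p.is_allowed("203.0.113.10", 1100),   # within TTL
            p.is_allowed("203.0.113.10", 1300),   # Expire Time reached
            p.is_allowed("203.0.113.20", 1001))   # learned from an untrusted resolver: never added
```

The second and fourth replies add nothing (wrong resolver, no matching rule), the third is ignored because its rule is disabled, and the first expires at 1000 + 300. Note the caveat of suffix matching as modeled here: an "ends" rule for `microsoft.com` also matches `evilmicrosoft.com`; writing the rule with a leading dot (`.microsoft.com`) confines it to real subdomains, and "contains" rules deserve the same scrutiny before being enabled for a role.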


Proxy Servers and Host Policies


You can allow users to access only the host sites enabled for a role (e.g. Temporary or quarantine users
that need to meet requirements) when a proxy server specified on the CAS is used.
Note that proxy settings are local policies configured on the CAS using the CAS management pages, and
the following pages must be configured to enable this feature:
• Device Management > Clean Access Servers > Manage [CAS_IP] > Advanced > Proxy
• Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Allowed Hosts
(“Parse Proxy Traffic for Roles other than Unauthenticated Role” must be checked)
For complete details, see the Cisco NAC Appliance - Clean Access Server Installation and
Administration Guide.
See also Proxy Settings, page 5-3 for related information.


Control Bandwidth Usage


Cisco NAC Appliance lets you control how much network bandwidth is available to users by role. You
can independently configure bandwidth management using global forms in the CAM as needed for
system user roles, or only on certain Clean Access Servers using local forms. However, the option must
first be enabled on the CAS for this feature to work. You can also specify bandwidth constraints for each
user within a role or for the entire role.
For example, for a CAM managing two CASes, you can specify all the roles and configure bandwidth
management on some of the roles as needed (e.g. guest role, quarantine role, temporary role, etc.). If
bandwidth is only important in the network segment where CAS1 is deployed and not on the network
segment where CAS2 is deployed, you can then turn on bandwidth management on CAS1 but not CAS2.
With bursting, you can allow for brief deviations from a bandwidth constraint. This accommodates users
who need bandwidth resources intermittently (for example, when downloading and reading pages),
while users attempting to stream content or transfer large files are subject to the bandwidth constraint.
By default, roles have a bandwidth policy that is unlimited (specified as -1 for both upstream and
downstream traffic).

To configure bandwidth settings for a role:


1. First, enable bandwidth management on the CAS by going to Device Management > CCA Servers
> Manage [CAS_IP] > Filter > Roles > Bandwidth.
2. Select Enable Bandwidth Management and click Update.

Note See the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide for
details on local bandwidth management.

3. From User Management > User Roles > Bandwidth, click the Edit button next to the role for
which you want to set bandwidth limitations. The Bandwidth form appears as follows:

Figure 9-9 Bandwidth Form for User Role


Note Alternatively, you can go to User Management > User Roles > List of Roles and click the BW button
next to the role.

4. Set the maximum bandwidth in kilobits per second for upstream and downstream traffic in
Upstream Bandwidth and Downstream Bandwidth. Upstream traffic moves from the untrusted to
the trusted network, and downstream traffic moves from the trusted to the untrusted network.
5. Enter a Burstable Traffic level from 2 to 10 to allow brief (one second) deviations from the
bandwidth limitation. A Burstable Traffic level of 1 has the effect of disabling bursting.
The Burstable Traffic field is a burst factor that determines the capacity of the token bucket that
enforces the limit. For example, if the bandwidth is 100 Kbps and the Burstable Traffic field is 2, the
capacity of the bucket is 100 Kb * 2 = 200 Kb. If a user sends no packets for a while, the bucket fills to
at most 200 Kb of tokens, and once the user needs to send packets, the user can send 200 Kb of packets
right away. Thereafter, the user must wait for tokens arriving at the rate of 100 Kbps to send additional
packets. This is a way to specify that, for an average rate of 100 Kbps, the peak rate will be
approximately 200 Kbps. The feature is intended to accommodate bursty applications such as web
browsing.
6. In the Shared Mode field, choose either:
– All users share the specified bandwidth – The setting applies for all users in the role. In this
case, the total available bandwidth is a set amount. In other words, if a user occupies 80 percent
of the available bandwidth, only 20 percent of the bandwidth will be available for other users in
the role.
– Each user owns the specified bandwidth – The setting applies to each user. The total amount
of bandwidth in use may fluctuate as the number of online users in the role increases or
decreases, but the bandwidth for each user is the same.
7. Optionally, type a Description of the bandwidth setting.
8. Click Save when finished.
The bandwidth setting is now applicable for the role and appears in the Bandwidth tab.

Note If bandwidth management is enabled, devices allowed via device filter without specifying a role will use
the bandwidth of the Unauthenticated Role. See Global Device and Subnet Filtering, page 3-7 for details.
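The Burstable Traffic and Shared Mode settings above describe a token bucket with capacity rate * burst factor, either shared by the role or owned by each user. The following example, added to this guide and not Cisco code, simulates that behaviour in Python with the chapter's figures (100 Kbps, factor 2, bucket of 200 Kb) so the peak-then-throttle pattern and the difference between the two Shared Mode options can be seen on constructed traffic. Treating packets that find an empty bucket as dropped rather than queued, and the user names and packet sizes, are this example's assumptions.

```python
# Example code added to this guide, not part of Cisco NAC Appliance. It models the
# role Bandwidth form as a token bucket: tokens (kilobits) arrive at the configured
# rate, the bucket holds at most rate * Burstable Traffic, and a packet goes out
# only if enough tokens are present. Shared Mode selects one bucket for the whole
# role or one per user. Dropping (rather than queueing) a packet that finds an
# empty bucket is a simplification assumed here.


class TokenBucket:
    def __init__(self, rate_kbps, burst_factor, start=0.0):
        if burst_factor < 1:
            raise ValueError("Burstable Traffic factor must be 1 (no bursting) or higher")
        self.rate = rate_kbps                       # -1 means unlimited, as in the CAM form
        self.capacity = rate_kbps * burst_factor    # e.g. 100 Kbps * 2 = 200 Kb
        self.tokens = self.capacity                 # an idle user starts with a full bucket
        self.last = start

    def _refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def send(self, now, size_kb):
        """Return True if a packet of size_kb kilobits may go out at time now (seconds)."""
        if self.rate < 0:
            return True
        self._refill(now)
        if self.tokens >= size_kb:
            self.tokens -= size_kb
            return True
        return False


class RoleBandwidth:
    """One direction (upstream or downstream) of a role's Bandwidth form."""

    def __init__(self, rate_kbps, burst_factor, shared):
        self.rate, self.burst, self.shared = rate_kbps, burst_factor, shared
        self.buckets = {}

    def send(self, user, now, size_kb):
        key = "role" if self.shared else user        # "All users share" vs "Each user owns"
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst, start=now)
        return bucket.send(now, size_kb)


def simulate(policy, events):
    """events: (time_s, user, size_kb) in time order; returns one forwarded/dropped decision per event."""
    return [policy.send(user, t, size) for t, user, size in events]


# Constructed traffic: 100 Kbps limit, burst factor 2 (bucket = 200 Kb), one user.
BURST_EVENTS = [(0.0, "alice", 200), (0.0, "alice", 50), (0.5, "alice", 50), (1.0, "alice", 100)]
# Two users contending at the same instant under the same role limit.
SHARED_EVENTS = [(0.0, "alice", 160), (0.0, "bob", 50)]


def burst_demo():
    return simulate(RoleBandwidth(100, 2, shared=False), BURST_EVENTS)


def shared_vs_per_user():
    return (simulate(RoleBandwidth(100, 2, shared=True), SHARED_EVENTS),
            simulate(RoleBandwidth(100, 2, shared=False), SHARED_EVENTS))
```

`burst_demo()` yields [True, False, True, False]: the full 200 Kb burst goes out at once, the next packet finds the bucket empty, half a second later 50 Kb of tokens have arrived, and at one second only 50 Kb are available for a 100 Kb packet. `shared_vs_per_user()` yields ([True, False], [True, True]): when all users share the 200 Kb bucket, alice's 160 Kb leaves too little for bob, whereas with per-user buckets each gets a full 200 Kb.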


Configure User Session and Heartbeat Timeouts


Timeout properties enhance the security of your network by ensuring that user sessions are terminated
after a configurable period of time. There are three main mechanisms for automated user timeout:
• Session Timer
• Heartbeat Timer
• Certified Device Timer (see Configure Certified Device Timer, page 10-29)
This section describes the Session and Heartbeat Timers.

Session Timer
The Session Timer is an absolute timer that is specific to the user role. If a Session Timer is set for a role,
a session for a user belonging to that role can only last as long as the Session Timer setting. For example,
if user A logs in at 1:00pm and user B logs in at 1:30pm, and if both belong to role Test with Session
Timer set for 2 hours, user A will be logged out at 3:00pm and user B will be logged out at 3:30pm. With
session timeouts, the user is dropped regardless of connection status or activity.

Heartbeat Timer
The Heartbeat Timer sets the number of minutes after which a user is logged off the network if
unresponsive to ARP queries from the Clean Access Server. This feature enables the CAS to detect and
disconnect users who have left the network (e.g. by shutting down or suspending the machine) without
actually logging off the network. Note that the Heartbeat Timer applies to all users, whether locally or
externally authenticated.
The connection check is performed via ARP query rather than by pinging. This allows the heartbeat
check to function even if ICMP traffic is blocked. The CAS maintains an ARP table for its untrusted side
which houses all the machines it has seen or queried for on the untrusted side. ARP entries for machines
are timed out through normal ARP cache timeout if no packets are seen from the particular machine. If
packets are seen, their entry is marked as fresh. When a machine no longer has a fully resolved entry in
the CAS’s ARP cache and when it does not respond to ARPing for the length of the Heartbeat Timer
setting, the machine is deemed not to be on the network and its session is terminated.

In-Band (L2) Sessions


For in-band configurations, a user session is based on the client MAC and IP address and persists until
one of the following occurs:
• The user logs out of the network through either the web user logout page or the Clean Access Agent
logout option.
• An administrator manually removes the user from the network.
• The session times out, as configured in the Session Timer for the user role.
• The CAS determines that the user is no longer connected using the Heartbeat Timer and the CAM
terminates the session.
• The Certified Device list is cleared (automatically or manually) and the user is removed from the
network.


OOB (L2) and Multihop (L3) Sessions


The Session Timer works the same way for multi-hop L3 In-Band deployments as for L2 (In-Band or
Out-of-Band) deployments.
For L3 deployments, user sessions are based on unique IP address rather than MAC address.
For L3 deployments, the Heartbeat Timer behaves as an inactivity/idle timer, as it does for L2
deployments. Its exact behavior for L3 deployments depends on how the intermediate routers handle ARP:
• L3 deployments where routers do not perform proxy ARP:
If the Clean Access Server sees no packets from the user for the duration of the Heartbeat Timer
setting, the user is logged out. Even if the user's machine is still connected to the network, it is logged
out if it does not send a single packet that reaches the CAS during that period. This is highly unlikely
in practice, because modern systems send many packets even when the user is not active (e.g. chat
programs, Windows Update, AV software, ads on web pages, etc.).
• L3 deployments where the router/VPN concentrator performs proxy ARP for IP addresses on
the network:
In this scenario, the router performs proxy ARP for a device’s IP address only while that device is
connected to the network. Typically only VPN concentrators behave in this way. If the Clean Access
Server sees no packets from the user, the CAM/CAS performs ARP for the user’s IP address. If the
router responds on the device’s behalf because of proxy ARP, the user is not logged out. If the router
does not respond because the device is no longer on the network, the CAM/CAS logs out the user.
• L3 deployments where the router/VPN concentrator performs proxy ARP for the entire
subnet:
In this scenario, the router/VPN concentrator answers ARP for every address in the subnet regardless
of whether the individual device is connected, so the ARP check cannot detect a device that has left.
In this case the CAM/CAS never logs out the user on the basis of the Heartbeat Timer; set a Session
Timer for the role if such sessions must be bounded.

Note • The Heartbeat Timer does not apply to Out-of-Band users.


• When the Single Sign-On (SSO) feature is configured for multi-hop L3 VPN concentrator
integration, if the user’s session on the CAS times out but the user is still logged in on the VPN
concentrator, the user will be able to log back into the CAS without providing a username/password,
due to SSO.

Session Timer / Heartbeat Timer Interaction


• If the Session Timer is zero and the Heartbeat Timer is not set—the user is not dropped from the
Online Users list and will not be required to re-logon.
• If the Session Timer is zero and the Heartbeat Timer is set— the Heartbeat Timer takes effect.
• If the Session Timer is non-zero and the Heartbeat Timer is not set— the Session Timer takes effect.
• If both timers are set, the first timer to be reached will be activated first.
• If the user logs out and shuts down the machine, the user will be dropped from the Online Users list
and will be required to re-logon.


• If the DHCP lease is much longer than the session timeout, DHCP leases will not be reused
efficiently.
For additional details, see Interpreting Active Users, page 14-4.
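The Session Timer, Heartbeat Timer, and their interaction rules above are easiest to check against concrete cases. The following example, added to this guide and not Cisco code, applies those rules in Python to one user session at a given time and reports whether it is dropped and by which timer. It reproduces the 1:00pm/1:30pm Session Timer example and the three L3 proxy ARP cases. The deployment labels, the Session fields (time of last packet seen, whether the CAS's latest ARP got a reply), and the dates used are this example's own assumptions.

```python
# Example code added to this guide, not part of Cisco NAC Appliance. It applies the
# Session Timer and Heartbeat Timer rules from this section to one user session and
# reports whether, and why, the session is terminated at a given time. The deployment
# labels and the "last seen" field (time of the last packet the CAS saw from the
# client) are this example's own modeling assumptions.
from datetime import datetime, timedelta

L2_IB = "L2 in-band"
L2_OOB = "L2 out-of-band"
L3_NO_PROXY_ARP = "L3, routers do not proxy ARP"
L3_PROXY_ARP_PER_HOST = "L3, proxy ARP only for connected hosts"
L3_PROXY_ARP_SUBNET = "L3, proxy ARP for the whole subnet"


class Session:
    def __init__(self, user, login_at, deployment, last_seen_at=None, arp_answered=False):
        self.user = user
        self.login_at = login_at
        self.deployment = deployment
        self.last_seen_at = last_seen_at or login_at   # last packet the CAS saw from the client
        self.arp_answered = arp_answered               # did the CAS's latest ARP for this IP get a reply?


def session_deadline(sess, session_timer_min):
    """Absolute per-role timer counted from login regardless of activity; None if the timer is 0."""
    if session_timer_min <= 0:
        return None
    return sess.login_at + timedelta(minutes=session_timer_min)


def heartbeat_deadline(sess, heartbeat_min):
    """Time at which the Heartbeat Timer drops the session, or None if it cannot in this deployment."""
    if heartbeat_min is None or heartbeat_min <= 0:
        return None
    if sess.deployment == L2_OOB:
        return None                 # the Heartbeat Timer does not apply to Out-of-Band users
    if sess.deployment == L3_PROXY_ARP_SUBNET:
        return None                 # the router answers ARP for every address, so nobody is dropped
    if sess.deployment in (L2_IB, L3_PROXY_ARP_PER_HOST) and sess.arp_answered:
        return None                 # the host (or a router proxying for a connected host) answered ARP
    # L3 without proxy ARP, or an unanswered ARP: pure idle timer from the last packet seen
    return sess.last_seen_at + timedelta(minutes=heartbeat_min)


def evaluate(sess, now, session_timer_min=0, heartbeat_min=None):
    """Return (terminate, reason). When both timers are set, the one reached first decides."""
    candidates = [(session_deadline(sess, session_timer_min), "session timer"),
                  (heartbeat_deadline(sess, heartbeat_min), "heartbeat timer")]
    due = sorted((d, why) for d, why in candidates if d is not None and d <= now)
    return (True, due[0][1]) if due else (False, "online")


NOW = datetime(2006, 12, 1, 15, 0)   # assumed evaluation time, 3:00pm


def worked_example():
    """Role Test with a 2-hour Session Timer: A logs in at 1:00pm, B at 1:30pm; checked at 3:00pm."""
    a = Session("A", datetime(2006, 12, 1, 13, 0), L2_IB, arp_answered=True)
    b = Session("B", datetime(2006, 12, 1, 13, 30), L2_IB, arp_answered=True)
    return evaluate(a, NOW, session_timer_min=120), evaluate(b, NOW, session_timer_min=120)


def scenario(deployment, minutes_since_login, minutes_idle, arp_answered, session_timer_min=0, heartbeat_min=None):
    """Evaluate at NOW a session that logged in and was last seen the given number of minutes earlier."""
    sess = Session("user", NOW - timedelta(minutes=minutes_since_login), deployment,
                   last_seen_at=NOW - timedelta(minutes=minutes_idle), arp_answered=arp_answered)
    return evaluate(sess, NOW, session_timer_min, heartbeat_min)
```

`worked_example()` returns ((True, 'session timer'), (False, 'online')): A is dropped at 3:00pm, B not until 3:30pm. `scenario(L3_PROXY_ARP_SUBNET, 180, 60, True, heartbeat_min=5)` stays online however long the client is silent, which is the case where only a non-zero Session Timer bounds the session; `scenario(L2_IB, 180, 10, False, session_timer_min=120, heartbeat_min=5)` is dropped by the session timer because that deadline came first, matching the "first timer to be reached" rule.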

Configure Session Timer (per User Role)


1. Go to User Management > User Roles > Schedule > Session Timer.

Figure 9-10 Session Timer

2. Click the Edit button next to the role for which you want to configure timeout settings.
3. Select the Session Timeout check box and type the number of minutes after which the user’s session
times out. The timeout clock starts when the user logs on, and is not affected by user activity. After
the session expires, the user must log in again to continue using the network.
4. Optionally, type a description of the session length limitation in the Description field.
5. Click Update when finished.

Configure Heartbeat Timer (User Inactivity Timeout)


1. Open the Heartbeat Timer form in the Schedule tab.

Figure 9-11 Heartbeat Timer


2. Click the Enable Heartbeat Timer checkbox.


3. Set the number of minutes after which a user is logged off the network if unreachable by connection
attempt in the Log Out Disconnected Users After field.
4. Click Update to save your settings.
Note that logging a user off the network does not remove them from the Certified List. However,
removing a user from the Certified List also logs the user off the network. An administrator can drop
users from the network individually or terminate sessions for all users at once. For additional details see
Certified List, page 10-7 and Online Users List, page 14-3.

Note The Clean Access Agent does not send a logout request to the CAS when the client machine is shut
down; the session-based connection between Agent and CAS simply ends. Such sessions are terminated
by the Heartbeat Timer (or the Session Timer), not by an explicit logout.


Configure Policies for Agent Temporary and Quarantine Roles


This section demonstrates typical traffic policy and session timeout configuration needed to:
• Configure Clean Access Agent Temporary Role, page 9-19
• Configure Network Scanning Quarantine Role, page 9-21
See Chapter 10, “Clean Access Implementation Overview” for further information.

Configure Clean Access Agent Temporary Role


Users who fail a system check are assigned to the Clean Access Agent Temporary role. This role is
intended to restrict user access to only the resources needed to comply with the Clean Access Agent
requirements.
Unlike quarantine roles, there is only one Clean Access Agent Temporary role (Agent Temp Role) in the
system. The role can be fully edited, and is intended as a single point for aggregating the traffic control
policies that allow users to access required installation files. If the Temporary role is deleted, the
Unauthenticated role is used by default. The name of the role that is used for the Temporary role (in
addition to the version of the Agent) is displayed under Device Management > Clean Access> Clean
Access Agent > Distribution.
Both session timeout and traffic policies need to be configured for the Temporary role. The Temporary
role has a default session timeout of 4 minutes, which can be changed as described below. The
Temporary and quarantine roles have default traffic control policies of Block All traffic from the
untrusted to the trusted side. Keep in mind that while you associate requirements (required packages) to
the normal login roles that users attempt to log into, clients will need to meet those requirements while
still in the Temporary role. Therefore, traffic control policies need to be added to the Temporary role to
enable clients to access any required software installation files from the download site(s).
Chapter 12, “Configuring Clean Access Agent Requirements” provides complete details on Clean
Access Agent configuration. See also User Role Types, page 6-2 for additional information.

Configure Session Timeout for the Temporary Role


1. Go to User Management > User Roles> Schedule.
2. The Session Timer list appears.

Figure 9-12 Schedule Tab


3. Click the Edit button for the Temporary Role.


4. The Session Timer form for the Temporary Role appears (Figure 9-13).

Figure 9-13 Session Timer—Temporary Role

5. Click the Session Timeout checkbox.


6. Type the number of minutes for the user session to live (default is 4 minutes). Choose a value that
allows users to download required files to patch or configure their systems.
7. Optionally, type a Description for the session timeout requirement.
8. Click Update. The Temporary role will display the new time in the Session Timer list.

Configure Traffic Control Policies for the Temporary Role


9. From User Management > User Roles, click the Traffic Control tab. This displays the IP traffic
policy list by default.
10. Choose Temporary Role from the role dropdown and leave Untrusted->Trusted for the direction
and click Select. This displays all IP policies for the Temporary role.

Figure 9-14 IP Traffic Policies—Temporary Role


11. To configure an IP policy, click the Add Policy link next to the Temporary role. For example, if you
are providing required software installation files yourself (e.g. via a File Distribution requirement
for a file on the CAM), set up an Untrusted->Trusted IP-based traffic policy that allows the
Temporary role access to port 80 (HTTP) of the CAM (for example, 10.201.240.11
/255.255.255.255:80). If you want users to be able to correct their systems using any other external
web pages or servers, set up permissions for accessing those web resources. For further details on
the Add Policy page, see Add IP-Based Policy, page 9-4.
12. To configure Host policies, click the Host link at the top of the Traffic Control tab. Configure
host-based traffic policies enabling access to the servers that host the installation files, as described
in the following sections:
– Enable Default Allowed Hosts, page 9-9
– Add Allowed Host, page 9-10
– Adding Traffic Policies for Default Roles, page 9-27

Configure Network Scanning Quarantine Role


See Chapter 13, “Configuring Network Scanning” for complete details on network scanning
configuration.
Clean Access can assign a user to a quarantine role if it discovers a serious vulnerability in the client
system. The role is a mechanism intended to give users temporary network access to fix their machines.
Note that quarantining vulnerable users is optional. Alternatives include blocking the user or providing
them with a warning. If you do not intend to quarantine vulnerable users, you can skip this step.

Create Additional Quarantine Role


By default, the system provides a default Quarantine role with a session time out of 4 minutes that only
needs to be configured with traffic policies. The following describes how to create an additional
quarantine role, if multiple quarantine roles are desired.
1. Go to User Management > User Roles > New Role.
2. Type a Role Name and Role Description of the role. For a quarantine role that will be associated
with a particular login role, it may be helpful to reference the login role and the quarantine type in
the new name. For example, a quarantine role associated with a login role named “R1” might be
“R1-Quarantine.”
3. In the Role Type list, choose Quarantine Role.
4. Configure any other settings for the role as desired. Note that, other than name, description, and role
type, other role settings can remain at their default values. (See Add New Role, page 6-6 for details.)
5. Click the Create Role button. The role appears in the List of Roles tab.


Configure Session Timeout for Quarantine Role


By default, the system provides a default Quarantine role with a session time out of 4 minutes. The
following steps describe how to configure the session timeout for a role.
1. Go to User Management > User Roles > Schedule > Session Timer.
2. Click the Edit button next to the desired quarantine role.
3. The Session Timer form for the quarantine role appears:

Figure 9-15 Session Timer—Quarantine Role

4. Click the Session Timeout check box.


5. Type the number of minutes for the user session to live. Choose an amount that allows users enough
time to download the files needed to fix their systems.
6. Optionally, type a Description for the session timeout requirement.
7. Click Update. The new value will appear in the Session Timeout column next to the role in the List
of Roles tab.
Keeping these timer values relatively small limits how long a quarantined machine that was restarted
without logging out of the network keeps its session. Note that the Session Timer value you enter
here may need to be refined later, based on test scans and downloads of the software you will require.

Note The connection check is performed by ARP message; if a traffic control policy blocks ICMP traffic to
the client, heartbeat checking still works.


Configure Traffic Control Policies for the Quarantine Role


1. From User Management > User Roles > List of Roles, click the Policies button next to the role (or
you can click the Traffic Control tab, choose the quarantine role from the dropdown menu and click
Select).
2. Choose the Quarantine Role from the role dropdown, leave Untrusted->Trusted for the direction
and click Select. This displays all IP policies for the Quarantine role.
3. To configure an IP policy, click the Add Policy link next to the Quarantine role.

Figure 9-16 Add Policy—Quarantine Role

4. Configure fields as described in Add IP-Based Policy, page 9-4.


– If you are providing required software installation files from the CAM (e.g. via network
scanning Vulnerabilities page), set up an Untrusted->Trusted IP-based traffic policy that allows
the Quarantine role access to port 80 (HTTP) of the CAM (for example, 10.201.240.11
/255.255.255.255:80).
– If you want users to be able to correct their systems using any other external web pages or
servers, set up permissions for accessing those web resources. See also Adding Traffic Policies
for Default Roles, page 9-27.
5. To configure Host policies, click the Host link for the Quarantine role at the top of the Traffic
Control tab. Configure host-based traffic policies enabling access to the servers that host the
installation files, as described in the following sections:
– Enable Default Allowed Hosts, page 9-9
– Add Allowed Host, page 9-10
– Adding Traffic Policies for Default Roles, page 9-27
After configuring the quarantine role, you can apply it to users by selecting it as their quarantine role in
the Block/Quarantine users with vulnerabilities in role option of the General Setup tab. For details,
see General Setup Summary, page 10-17.
When finished configuring the quarantine role, load the scan plugins as described in Load Nessus
Plugins into the Clean Access Manager Repository, page 13-3.


Example Traffic Policies


This section describes the following:
• Allowing Authentication Server Traffic for Windows Domain Authentication, page 9-24
• Allowing Traffic for Enterprise AV Updates with Local Servers, page 9-24
• Allowing Gaming Ports, page 9-24
• Adding Traffic Policies for Default Roles, page 9-27

Allowing Authentication Server Traffic for Windows Domain Authentication


If you want users on the network to be able to authenticate to a Windows domain prior to authenticating
to the Cisco NAC Appliance, the following minimum policies allow users in the Unauthenticated role
access to AD (NTLM) login servers:
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025

Allowing Traffic for Enterprise AV Updates with Local Servers


In order to allow definition updates for enterprise antivirus products, such as Trend Micro OfficeScan,
the Temporary role needs to be configured to allow access to the local server for automatic AV definition
updates.
For Trend Micro OfficeScan, the Temporary role policy needs to allow access to the local server with
AutoPccP.exe. The Agent calls the Trend client locally, and the Trend client in turn runs the
AutoPccP.exe file either from a share (located at \\<trendserverip>\ofcscan\Autopccp.exe) or through
HTTP (depending on your Trend Micro configuration) and downloads the AV patches.

Allowing Gaming Ports


To allow gaming services, such as Microsoft Xbox Live, it is recommended to create a gaming user role
and to add a filter for the device MAC addresses (under Device Management > Filters > Devices >
New) to place the devices into that gaming role. You can then create traffic policies for the role to allow
traffic for gaming ports.


Microsoft Xbox
The following are suggested policies to allow access for Microsoft Xbox ports:
• Kerberos-Sec (UDP): port 88, send/receive
• DNS Query (UDP): port 53
• Port 3074 (UDP/TCP)
• Game Server Port (TCP): 22042
• Voice Chat Port (TCP/UDP): 22043-22050
• Peer Ping Port (UDP): 13139
• Peer Query Port (UDP): 6500
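The policy notation used throughout this chapter (action, protocol, source, then destination as address/dotted-mask:port or port range) can be checked mechanically. The following Python is an added example, not code from the Cisco guide: it parses the AD login policies above, the Quarantine-role CAM policy from the previous section, and the Xbox ports as a constructed "Gaming" role, then decides whether a given Untrusted -> Trusted flow would pass. It assumes first-match evaluation with an implicit block at the end, and substitutes a constructed address for the "Server" placeholder.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed placeholder for the "Server" name in the AD policy list; the guide
# leaves the real login server address to the deployment.
AD_SERVER_IP = "10.201.240.50"

# "<action> <proto> <src> <dst>", e.g. "Allow TCP *:* Server/255.255.255.255: 88".
# Src/dst are optional so the "Block ALL" policy from the troubleshooting
# section parses as well.
POLICY_RE = re.compile(
    r"^(?P<action>Allow|Block)\s+(?P<proto>TCP|UDP|ALL(?:\s+TRAFFIC)?)"
    r"(?:\s+(?P<src>\S+)\s+(?P<dst>.+))?$",
    re.IGNORECASE,
)

PortRange = Tuple[int, int]
ANY_PORTS: PortRange = (0, 65535)


@dataclass
class Policy:
    action: str                      # "allow" or "block"
    proto: str                       # "tcp", "udp" or "all"
    src_net: ipaddress.IPv4Network
    src_ports: PortRange
    dst_net: ipaddress.IPv4Network
    dst_ports: PortRange


def _parse_ports(text: str) -> PortRange:
    """'*' -> any port; '80' -> (80, 80); '22043-22050' -> (22043, 22050)."""
    text = text.strip()
    if text in ("", "*"):
        return ANY_PORTS
    lo, _, hi = text.partition("-")
    return (int(lo), int(hi or lo))


def _parse_endpoint(text: str, server_ip: str) -> Tuple[ipaddress.IPv4Network, PortRange]:
    """Parse '*:*', '* /*', 'Server/255.255.255.255: 88' or '10.201.240.11 /255.255.255.255:80'."""
    text = text.replace(" ", "")
    addr, ports = text.rsplit(":", 1) if ":" in text else (text, "*")
    if addr.strip("*/") == "":                       # '*', '*/*' or '/*' -> any address
        net = ipaddress.IPv4Network("0.0.0.0/0")
    else:
        host, _, mask = addr.partition("/")
        if host.lower() == "server":                 # placeholder used in the AD example
            host = server_ip
        net = ipaddress.IPv4Network(f"{host}/{mask or '255.255.255.255'}", strict=False)
    return net, _parse_ports(ports)


def parse_policy(line: str, server_ip: str = AD_SERVER_IP) -> Policy:
    m = POLICY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised policy: {line!r}")
    proto = m.group("proto").split()[0].lower()       # "ALL TRAFFIC" -> "all"
    src_net, src_ports = _parse_endpoint(m.group("src") or "*", server_ip)
    dst_net, dst_ports = _parse_endpoint(m.group("dst") or "*", server_ip)
    return Policy(m.group("action").lower(), proto, src_net, src_ports, dst_net, dst_ports)


def is_allowed(policies: List[Policy], proto: str, src: str, sport: int,
               dst: str, dport: int) -> bool:
    """First matching policy decides; a flow matching nothing is blocked
    (default-deny is assumed here for the Untrusted -> Trusted direction)."""
    for p in policies:
        if (p.proto in ("all", proto.lower())
                and ipaddress.IPv4Address(src) in p.src_net
                and p.src_ports[0] <= sport <= p.src_ports[1]
                and ipaddress.IPv4Address(dst) in p.dst_net
                and p.dst_ports[0] <= dport <= p.dst_ports[1]):
            return p.action == "allow"
    return False


# Policy lists taken from this chapter (AD logins, CAM HTTP for Quarantine,
# Xbox Live ports for a constructed "Gaming" role, full access for Normal Login).
ROLE_POLICIES: Dict[str, List[Policy]] = {
    "Unauthenticated": [parse_policy(f"Allow {proto} *:* Server/255.255.255.255: {port}")
                        for port in (88, 389, 445, 135, 3268) for proto in ("TCP", "UDP")]
                       + [parse_policy("Allow TCP *:* Server/255.255.255.255: 139"),
                          parse_policy("Allow TCP *:* Server/255.255.255.255: 1025")],
    "Quarantine": [parse_policy("Allow TCP *:* 10.201.240.11 /255.255.255.255:80")],
    "Gaming": [parse_policy(p) for p in (
        "Allow UDP *:* */*:88", "Allow UDP *:* */*:53",
        "Allow TCP *:* */*:3074", "Allow UDP *:* */*:3074",
        "Allow TCP *:* */*:22042",
        "Allow TCP *:* */*:22043-22050", "Allow UDP *:* */*:22043-22050",
        "Allow UDP *:* */*:13139", "Allow UDP *:* */*:6500")],
    "Normal Login": [parse_policy("Allow ALL TRAFFIC * /*")],
}


def check(role: str, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Would this Untrusted -> Trusted flow be permitted for a user in `role`?"""
    return is_allowed(ROLE_POLICIES[role], proto, src, sport, dst, dport)
```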

Other Game Ports


Table 9-1 shows suggested policies to allow access for other game ports (such as PlayStation).
Table 9-1 Traffic Policies for Other Gaming Ports 1

Port Protocol
2300-2400 UDP
4000 TCP, UDP
4000 TCP, UDP
80 TCP
2300 UDP
6073 UDP
2302-2400 UDP
33334 UDP
33335 TCP
6667 TCP
3783 TCP
27900 TCP
28900 TCP
29900 TCP
29901 TCP
27015 TCP
2213 + 1 for each client (i.e. first computer is 2213, second computer is 2214, third computer is 2215, etc.) TCP
6073 TCP
2302-2400 UDP
27999 TCP
28000 TCP
28805-28808 TCP
9999 TCP


47624 TCP
2300-2400 TCP
2300-2400 UDP
6073 UDP
2302-2400 UDP
47624 TCP
2300-2400 TCP
2300-2400 UDP
5120-5300 UDP
6500 UDP
27900 UDP
28900 UDP
3782 TCP
3782 UDP
27910 TCP, UDP
6073 UDP
2302-2400 UDP
47624 TCP
2300-2400 TCP
2300-2400 UDP
4000 TCP
7777 TCP, UDP
4000 TCP
27015-27020 TCP
6667 TCP
28800-29000 TCP
1. See also http://www.us.playstation.com/support.aspx?id=installation/networkadaptor/415013907.html for additional
details.

For additional details, see:


• Device Filters and Gaming Ports, page 3-12
• http://www.cisco.com/warp/customer/707/ca-mgr-faq2.html#q16
• Add New Role, page 6-6


Adding Traffic Policies for Default Roles


Create Untrusted -> Trusted traffic policies for the default roles (Unauthenticated, Temporary, and
Quarantine) to allow users access to any of the resources described below.

Unauthenticated Role
If customizing the web login page to reference logos or files on the CAM or external URL, create IP
policies to allow the Unauthenticated role HTTP (port 80) access to the CAM or external server. (See
also Upload a Resource File, page 5-12 and Create Content for the Right Frame, page 5-11 for details.)

Clean Access Agent Temporary Role


• If providing definition updates for enterprise antivirus products, allow access to the local update
server so that the Clean Access Agent can trigger a live update (see Allowing Traffic for Enterprise
AV Updates with Local Servers, page 9-24)
• If providing required software packages from the CAM (e.g., via File Distribution), create IP policies
to allow Temporary role access to port 80 (HTTP) of the CAM. Make sure to specify the IP
address/subnet mask to allow access only to the CAM (for example,
10.201.240.11/255.255.255.255:80).
• Enable Default Host Policies and Trusted DNS Server and/or create new allowed Host policies to
allow users access to update sites (see Enable Default Allowed Hosts, page 9-9).
• Set up any additional traffic policies to allow users in the Temporary role access to external web
pages or servers (for example, see Configure Network Policy Page (Acceptable Use Policy) for
Agent Users, page 11-6).

Quarantine Role
• If providing required software packages from the CAM (e.g. via network scanning Vulnerabilities
page), create IP policies to allow the Quarantine role access to port 80 (HTTP) of the CAM. Make
sure to specify the IP address and subnet mask to allow access only to the CAM (for example,
10.201.240.11 /255.255.255.255:80).
• Enable Default Host Policies and Trusted DNS Server and/or create new allowed Host policies to
allow users access to update sites (see Enable Default Allowed Hosts, page 9-9).
• Set up any additional traffic policies to allow users in the Quarantine role access to external web
pages or servers for remediation.


Table 9-2 summarizes resources, roles, and example traffic policies for system roles.
Table 9-2 Typical Traffic Policies for Roles

Resource | Role | Example Policies (Untrusted -> Trusted)

IP-Based Traffic Policies
Logo/right-frame content for Login page (logo.jpg, file.htm) | Unauthenticated | IP (Files on CAM or External Server): Allow TCP *.* <CAM_IP or external-server-IP>/255.255.255.255: http (80)
User Agreement Page (UAP.htm) | Unauthenticated | (same as above)
Redirect URL after blocked access (block.htm) — optional | Unauthenticated | (same as above)
Network Policy Page (AUP.htm) | Temporary | (same as above)
File Distribution Requirement file (Setup.exe) | Temporary | (same as above)
Vulnerability Report file (fixsteps.htm; stinger.exe) | Quarantine | (same as above)

Host-Based Traffic Policies
Enable Trusted DNS Server | All roles using Host policies | Trusted DNS Server: e.g. 63.93.96.20, or * (Any DNS Server)
Link Distribution Requirement (external website) | Temporary | Default Host: windowsupdate.com, or Custom Host: database.clamav.net (equals)
Vulnerability Report (link to external website) | Quarantine | (same as above)

Other
Proxy server in environment | Any role with access via proxy | IP: <proxy-IP>/255.255.255.255:http(80); Host: proxy-server.com (equals)
Full network access | Normal Login Role | Allow ALL TRAFFIC * /*

For further details, see:


• Upload a Resource File, page 5-12
• Create Content for the Right Frame, page 5-11
• User Page Summary, page 10-22 for a list of user pages/configuration locations in the web console.
• Create File Distribution /Link Distribution / Local Check Requirement, page 12-31
• Configure Vulnerability Handling, page 13-10


Figure 9-17 Example Traffic Policies for File Distribution Requirement (File is on CAM)

Troubleshooting Host-Based Policies


For host-based policies, the CAS needs to see DNS responses in order to allow the traffic. If having
trouble with host-based policies, check the following:
• Make sure allowed hosts are enabled.
• Make sure a DNS server has been correctly added to the list of DNS servers to track (you can also
add an asterisk (“*”) to track any DNS server).
• Make sure the DNS server is on the trusted interface of the CAS. If the DNS server is on the
untrusted side of the CAS, the CAS never sees the DNS traffic.
• Make sure DNS reply traffic is going through the CAS. For example, ensure there is no alternate
route for return traffic (i.e. trusted to untrusted) where traffic goes out through CAS but does not
come back through the CAS. This can be tested by adding a “Block ALL” policy to the “Trusted to
Untrusted” direction for the Unauthenticated or Temporary Role. If DNS, etc. still succeeds, then
there is an alternate path.
• Make sure the DNS server listed for the client is correct.
• Make sure proxy settings are correct for the client (if proxy settings are required).
• Check Device Management > CCA Servers > Manage [CAS_IP] > Filters > Roles > Allowed
Hosts > View Current IP Address List to see the list of current IPs that are being tracked through
the host-based policies. If this list is empty, users will see a security message.
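To see how the DNS-tracking mechanism behind host-based policies interacts with the checklist above, here is an added Python simulation (not CAM code): DNS replies only populate the tracked IP list when allowed hosts are enabled, the reply comes from a tracked DNS server (or "*"), and the CAS actually sees the reply on its trusted side. The "ends" match type, the sample replies and the documentation-range addresses are constructed assumptions; 63.93.96.20 is the example Trusted DNS Server from Table 9-2.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Sequence, Set


@dataclass
class AllowedHost:
    pattern: str            # e.g. "database.clamav.net"
    match: str = "equals"   # "equals" as in Table 9-2; "ends" is an assumed second mode


@dataclass
class HostPolicyState:
    enabled: bool                       # "allowed hosts are enabled"
    trusted_dns: Set[str]               # DNS server IPs to track, or {"*"} for any server
    allowed_hosts: List[AllowedHost]
    tracked_ips: Dict[str, str] = field(default_factory=dict)   # "View Current IP Address List"


@dataclass
class DnsReply:
    """One DNS reply as the CAS would (or would not) see it. Constructed sample data."""
    dns_server: str
    seen_on_trusted: bool   # False: server on the untrusted side, or reply bypassed the CAS
    qname: str
    answers: Sequence[str]


def host_matches(name: str, rule: AllowedHost) -> bool:
    name, pat = name.lower().rstrip("."), rule.pattern.lower().rstrip(".")
    if rule.match == "equals":
        return name == pat
    if rule.match == "ends":
        return name == pat or name.endswith("." + pat)
    raise ValueError(f"unknown match type {rule.match!r}")


def observe_dns_reply(state: HostPolicyState, reply: DnsReply) -> int:
    """Add answer IPs to the tracked list if the reply qualifies; returns how many were added."""
    if not state.enabled or not reply.seen_on_trusted:
        return 0
    if "*" not in state.trusted_dns and reply.dns_server not in state.trusted_dns:
        return 0
    if not any(host_matches(reply.qname, rule) for rule in state.allowed_hosts):
        return 0
    added = 0
    for ip in reply.answers:
        if ip not in state.tracked_ips:
            state.tracked_ips[ip] = reply.qname
            added += 1
    return added


def is_host_traffic_allowed(state: HostPolicyState, dst_ip: str) -> bool:
    """Host-based policies only pass traffic to IPs currently on the tracked list."""
    return state.enabled and dst_ip in state.tracked_ips


def diagnose(state: HostPolicyState) -> List[str]:
    """Mirror the checklist above: which conditions would leave the IP list empty?"""
    problems = []
    if not state.enabled:
        problems.append("allowed hosts are not enabled")
    if not state.trusted_dns:
        problems.append("no DNS server is being tracked (add one, or '*')")
    if not state.allowed_hosts:
        problems.append("no allowed host entries configured")
    if not state.tracked_ips:
        problems.append("current IP address list is empty; users will see a security message")
    return problems


def run_sample() -> HostPolicyState:
    """Feed constructed DNS replies through a state that tracks one DNS server."""
    state = HostPolicyState(
        enabled=True,
        trusted_dns={"63.93.96.20"},
        allowed_hosts=[AllowedHost("database.clamav.net", "equals"),
                       AllowedHost("windowsupdate.com", "ends")],
    )
    replies = [
        DnsReply("63.93.96.20", True, "database.clamav.net", ["198.51.100.10"]),
        DnsReply("63.93.96.20", True, "download.windowsupdate.com", ["198.51.100.20", "198.51.100.21"]),
        DnsReply("192.168.5.5", True, "database.clamav.net", ["198.51.100.30"]),   # untracked server
        DnsReply("63.93.96.20", False, "database.clamav.net", ["198.51.100.40"]),  # reply bypassed CAS
        DnsReply("63.93.96.20", True, "www.example.com", ["198.51.100.50"]),       # not an allowed host
    ]
    for reply in replies:
        observe_dns_reply(state, reply)
    return state
```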

CHAPTER 10
Clean Access Implementation Overview

This chapter is an introduction to Clean Access configuration for the Cisco NAC Appliance. Topics
include:
• Clean Access Overview, page 10-1
• Retrieving Updates, page 10-11
• General Setup Summary, page 10-17
• User Page Summary, page 10-22
• Manage Certified Devices, page 10-26
For complete details on network scanning configuration, see Chapter 13, “Configuring Network
Scanning.”
For complete details on Clean Access Agent configuration, see Chapter 12, “Configuring Clean Access
Agent Requirements.”

Clean Access Overview


Clean Access compliance policies reduce the threat of computer viruses, worms, and other malicious
code on your network. Clean Access is a powerful tool that enables you to enforce network access
requirements, detect security threats and vulnerabilities on clients, and distribute patches, antivirus and
anti-spyware software. It lets you block access or quarantine users who do not comply with your security
requirements, thereby stopping viruses and worms at the edge of the network, before they can do harm.
Clean Access evaluates a client system when a user tries to access the network. Almost all aspects of
Clean Access are configured and applied by user role and operating system. This allows you to customize
Clean Access as appropriate for the types of users and devices that will be accessing your network. Clean
Access provides two different methods for finding vulnerabilities on client systems and allowing users
to fix vulnerabilities or install required packages.
• Clean Access Agent—This method provides local-machine agent-based vulnerability assessment
and remediation. Users must download and install the Clean Access Agent, which allows for
visibility into the host registry, process checking, application checking, and service checking. The
Agent can be used to perform AV/AS definition updates, distribute files uploaded to the Clean
Access Manager, or distribute links to websites in order for users to fix their systems.


• Network Scanner—This method provides network-based vulnerability assessment and web-based
remediation. The network scanner in the local Clean Access Server performs the actual network
scanning and checks for well-known port vulnerabilities to which a particular host may be prone. If
vulnerabilities are found, web pages configured in the Clean Access Manager can be pushed to users
to distribute links to websites or information on how users can fix their systems.
Clean Access can be implemented on your network as:
• Clean Access Agent only
• Network scanning only
• Clean Access Agent with network scanning

Clean Access Agent Download

Figure 10-1 illustrates the general user sequence for the initial download and install of the Clean Access
Agent, if the administrator has required use of the Clean Access Agent for the user’s role and OS.

Figure 10-1 Downloading Clean Access Agent

The Clean Access Agent software is always included as part of the Clean Access Manager software.
When the CAM is installed, the Clean Access Agent Setup Installation file and Patch Upgrade file are
already present and automatically published from the CAM to the CASes. To distribute the Agent to
clients, you simply require the use of the Clean Access Agent in the CAM web console for the desired
user role/operating system. Once downloaded and installed, the Agent performs checks on the client
according to the Clean Access Agent requirements you have configured in the CAM.
First-time users can download and install the Clean Access Agent by opening a web browser to log into
the network. If the user’s login credentials associate the user to a role that requires the Agent, the user
will be redirected to the Clean Access Agent download page. After the Clean Access Agent is
downloaded and installed, the user is immediately prompted to log into the network using the Agent
dialogs, and is scanned for Agent requirements and Nessus plugin vulnerabilities (if enabled). After
successfully meeting the requirements configured for the user’s role and operating system and passing
scanning (if enabled), the user is allowed access to the network.
You can distribute Agent Patch Upgrades to clients by configuring auto-upgrade options in the web
console. Agent Upgrade Patches are retrieved on the CAM via Clean Access Updates, page 10-6.
See Chapter 11, “Distributing the Clean Access Agent” for additional details.


Clean Access Agent for VPN Users

Cisco NAC Appliance enables administrators to deploy the CAS in-band behind a VPN concentrator, a
router, or multiple routers. Cisco NAC Appliance supports multi-hop Layer 3 in-band deployment by
allowing the CAM and CAS to track user sessions by unique IP address when users are separated from
the CAS by one or more routers. With Layer 2-connected users, the CAM/CAS continue to manage these
user sessions based on the user MAC addresses, as before. Figure 10-2 illustrates the Clean Access
Agent download and scanning process for a VPN concentrator user using the Clean Access Agent with
Single Sign-On.

Figure 10-2 Clean Access Agent with SSO for VPN Concentrator Users

See Cisco VPN SSO, page 7-12 and “Integrating with Cisco VPN Concentrators” in the Cisco NAC
Appliance - Clean Access Server Installation and Administration Guide for further details.

Clean Access Agent for L3 OOB Users

Cisco NAC Appliance enables multi-hop L3 support for out-of-band (wired) deployments, enabling
administrators to deploy the CAS out-of-band centrally (in core or distribution layer) to support users
behind L3 switches (e.g. routed access) and remote users behind WAN routers in some instances. With
L3 OOB, users more than one L3 hop away from the CAS are supported and their traffic only has to go
through Cisco NAC Appliance for authentication/posture assessment.
The MAC detection mechanism of the Clean Access Agent will automatically acquire the client MAC
address in L3 OOB deployments.
Users performing web login will download and execute either an Active X control (for IE browsers) or
Java applet (for non-IE browsers) to the client machine prior to user login to determine the user
machine’s MAC address. This information is then reported to the CAS and the CAM to provide the IP
address/ MAC address mapping.


Clean Access Agent Client Assessment Process

Figure 10-3 details the Clean Access client assessment process (with or without network scanning) when
a user authenticates via Clean Access Agent.

Figure 10-3 Clean Access Agent Client Assessment

The following user roles are used for Clean Access and must be configured with traffic policies and
session timeout:
• The Unauthenticated role applies to unauthenticated users behind a Clean Access Server and is
assigned to users performing web login/network scanning.
• The Clean Access Agent Temporary Role is assigned to users performing Clean Access Agent login.
• The Quarantine role is assigned to a user when network scanning determines that the client machine
has vulnerabilities.
If a user meets the Clean Access Agent requirements and/or has no network scanning vulnerabilities, the user
is allowed access to the network in the normal login user role. See Clean Access Roles, page 6-4 for
additional details.


Network Scanning Client Assessment

Figure 10-4 illustrates the general network scanning client assessment process when a user authenticates
via web login. If both the Clean Access Agent and network scanning are enabled for a user role, the user
follows the sequence shown in Figure 10-3 then in Figure 10-4 for the network scanning portion. In this
case, the Clean Access Agent dialogs provide the user information where applicable.

Figure 10-4 Network Scanning Client Assessment (Web Login)

Clean Access Agent


The Clean Access Agent is read-only, easy-to-use client software that resides on Windows systems and
can check if an application or service is running, whether a registry key exists, or the value of a registry
key. The Agent can ensure that users have necessary software installed (or not installed) to keep their
machines from becoming vulnerable or infected.

Note There is no client firewall restriction with Clean Access Agent vulnerability assessment. The Agent can
check client registry, services, and applications even if a personal firewall is installed and running.

The Clean Access Agent provides the following support:


• Easy download and installation of the Agent on the client via initial one-time web login. The Agent
installs by default for the current user and all other users on the client PC.
• Windows and MacOS X (authentication-only) versions of the Agent (4.1.0.0+)
• Flexible installation options for direct or stub installation of the Agent on client machines (4.1.0.0+)
• Agent language template support for localized Agent user dialogs for supported locales/language
OS platforms (4.1.0.0+)
• Auto-upgrade. Once the Agent is installed on a client, it can automatically detect, download, and
upgrade itself to next version. The Agent checks for a new Agent Patch Upgrade file at every login
request. The administrator can configure Agent auto-upgrade to be mandatory or optional for all
users, or can disable Patch Upgrade notification altogether.


• Built-in AV/AS checking support for major antivirus (AV) and antispyware (AS) vendors. AV/AS
Rule and Requirement configuration facilitates the most common type of checking administrators
need to perform on clients and allows the Agent to automatically detect and update AV and AS
definition files on the client machine. AV/AS product support is kept up-to-date on the CAM through
the use of Clean Access Updates, page 10-6.
• Ability to launch qualified/digitally signed executable programs when a client fails a requirement
(4.1.0.0+). See Configure Launch Programs Requirement, page 12-19 for details.
• Custom rule and check configuration. Administrators can configure requirements to check clients
for specific applications, services, or registry keys using pre-configured Cisco checks and rules or
by creating their own custom checks and rules.
• Multi-hop L3 in-band (IB) and out-of-band (OOB) deployment support and VPN concentrator/L3
access. You can configure the CAM/CAS/Agent to enable clients to discover the CAS when the
network configuration puts clients one or more L3 hops away from the CAS (instead of in L2
proximity). Single Sign-On (SSO) is also supported when Clean Access is integrated (in-band)
behind Cisco VPN concentrators. For details, see Enable L3 Deployment Support, page 11-8 and
“Integrating with Cisco VPN Concentrators,” or “Configuring Layer 3 Out-of-Band (L3 OOB)” in
the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide.
• Windows Domain Active Directory Single Sign-On. When Windows AD SSO is configured for the
Cisco NAC Appliance, users with the Clean Access Agent already installed can automatically log
into Cisco NAC Appliance when they log into their Windows domain. The client system will be
automatically scanned for requirements with no separate Agent login required. See Chapter 8,
“Configuring Active Directory Single Sign-On (AD SSO)” for details.
• Automatic DHCP Renew/Release. When the 4.1.0.0+ Clean Access Agent is used for login in OOB
deployments, the Agent will automatically refresh the DHCP IP address if the client needs a new IP
address in the Access VLAN. See DHCP Release/Renew with Clean Access Agent/ActiveX/Applet,
page 5-6 for details.
• Agent logoff with Windows logoff/shutdown. Administrators can enable or disable the Agent to log
off from the Cisco NAC Appliance network when a user logs off the Windows domain or shuts down
a Windows machine. This feature does not apply for OOB deployments.
For complete details on the Agent configuration features mentioned above, see Chapter 12, “Configuring
Clean Access Agent Requirements.”
For details on the features of each version of the Agent, see “Clean Access Agent Version Summary” in
the latest release notes.

Clean Access Updates


Regular updates of pre-packaged policies/rules can be used to check the up-to-date status of operating
systems, antivirus/antispyware software, and other client software. Cisco NAC Appliance provides
built-in support for major AV and AS vendors. For complete details, see Retrieving Updates, page 10-11.


Network Scanner
Network scans are implemented with Nessus plugins. Nessus (http://www.nessus.org) is an open-source
vulnerability scanner. Nessus plugins check client systems for security vulnerabilities over the network.
If a system is scanned and is found to be vulnerable or infected, Clean Access can take immediate action
by alerting vulnerable users, blocking them from the network, or assigning them to a quarantine role in
which they can fix their systems.

Note If a personal firewall is installed on the client, network scanning will most likely respond with a timeout
result. You can decide how to treat the timeout result by quarantining, restricting, or allowing network
access (if the personal firewall provides sufficient protection) to the client machine.

As new Nessus plugins are released, they can be loaded to your Clean Access Manager repository.
Plugins that you have loaded are automatically published from the CAM repository to the Clean Access
Servers, which perform the actual scanning. The CAM distributes the plugin set to the Clean Access
Servers as they start up, if the CAS version of the plugin set differs from the CAM version.
Clean Access Agent checking and network scanning can be coordinated, so that the Agent checks for
software to fix vulnerabilities prior to network scanning. For example, if a Microsoft Windows update
is required to address a vulnerability, you can specify it as a required package in the Clean Access Agent.
This allows the Agent to help users pass network vulnerability scanning before it is performed.

Note • You can use Nessus 2.2 plugins to perform scans in Cisco NAC Appliance. The filename of the
uploaded Nessus plugin archive must be plugins.tar.gz.
• Due to a licensing requirement by Tenable, Cisco is no longer able to bundle pre-tested Nessus
plugins or automated plugin updates to Cisco NAC Appliance, effective Release 3.3.6/3.4.1.
Customers can still download Nessus plugins selectively and manually through the Nessus site. For
details on available plugins, see http://www.nessus.org/plugins/index.php?view=all.
For details on Nessus plugin feeds, see http://www.nessus.org/plugins/index.php?view=feed.
• Cisco recommends using no more than 5-8 plugins for network scanning of a client system. More
plugins can cause the login time to be long if the user has a firewall, as each plugin will have to
time out.

For complete details, see Chapter 13, “Configuring Network Scanning.”

Certified List
The web console of the Clean Access Manager provides two important lists that manage users and their
devices: Online Users and Certified List.
The Online Users list displays logged in users by IP address and login credentials (see Online Users
List, page 14-3). There are separate In-Band and Out-of-Band online user lists.
The Certified List is device-based and displays:
• MAC addresses of devices that met Clean Access Agent requirements
• MAC addresses of devices that passed network scanning with no vulnerabilities


Users within L2 proximity of the CAS, and all Agent users, are tracked by MAC address and IP address
on both lists. Web login users that are one or more L3 hops away from the CAS are tracked by IP address
only, unless the Active X/Java applet web client is enabled for the login page (to obtain the MAC address
of the client). For further details on L3 deployment, see also Clean Access Agent Sends IP/MAC for All
Available Adapters, page 11-8.
For both Agent and web login users, the Certified List only records the first user that logged in with the
device. This helps to identify the authenticating user who accepted the User Agreement Page (for web
login users) or the Network Policy Page (for Agent users) if either page was configured for the role. See
Table 10-2 “Web Login— General Setup Configuration Options” and User Page Summary, page 10-22
for details on these pages.
A certified device remains on the Certified List until:
• The list is automatically cleared using a Certified Devices Timer.
• The administrator manually clears the entire list.
• The administrator manually drops the client from the list.
• The user logs out or is removed from the network, and the “Require users to be certified at every
web login” option is checked for the role from the General Setup > Web Login page.
When implementing network scanning, once devices have passed scanning and are on the Certified List
they are not re-scanned at the next login unless the devices are removed from the Certified List.
For network scanning users, dropping a client from the Certified List forces the user to repeat
authentication and the device to repeat network scanning to be readmitted to the network. You can make
sure that a device is always removed from the Certified List when a network scanning user logs off by
enabling the option “Require users to be certified at every web login” in the General Setup > Web
Login tab (see General Setup Summary, page 10-17.)
For Clean Access Agent users, devices always go through Clean Access Agent requirements at each
login, even if the device is already on the Certified List.
Once off the Certified List, the client must pass network scanning and meet Clean Access Agent
requirements again to be readmitted to the network. You can add floating devices that are certified only
for the duration of a user session. Alternatively, you can exempt devices from Clean Access certification
altogether by manually adding them to the Certified List.
Dropping a user from the Online Users list does not remove the client device from the Certified List.
However, manually dropping a client from the Certified List removes the user from the network and from
the Online Users list (IB or OOB).
If using a Certified Devices timer, you can configure whether or not a user is removed when the list is
cleared by enabling/disabling the Keep Online Users option for the timer. See Configure Certified
Device Timer, page 10-29 for further details.
For additional information, see also:
• Manage Certified Devices, page 10-26
• Interpreting Active Users, page 14-4.
• Out-of-Band Users, page 14-7
• Out-of-Band User List Summary, page 4-50


Role-Based Configuration
Clean Access network protection features are configured for users by role and operating system. The
following roles are employed when users are in the Clean Access network (i.e., during the time they are
in-band) and must be configured with traffic policies and session timeout:
• Unauthenticated Role – Default system role for unauthenticated users (Agent or web login) behind
a Clean Access Server. Web login users are in the unauthenticated role while network scanning is
performed.
• Clean Access Agent Temporary Role – Clean Access Agent users are in the Temporary role while
Clean Access Agent requirements are checked on their systems.
• Quarantine Role – Both web login and Agent users are put in the quarantine role when network
scanning determines that the client machine has vulnerabilities.
Note that the Temporary and Quarantine roles are intended to have limited session time and network
access in order for users to fix their systems.
When a user authenticates, either through the web login page or Clean Access Agent, Clean Access
determines the normal login role of the user and the requirements and/or network scans to be performed
for the role. Clean Access then performs requirement checking and/or network scanning as configured
for the role and operating system.
Note that while the role of the user is determined immediately after the initial login (in order to
determine the scans or system requirements associated with the user), a user is not actually put into a
normal login role until requirements are met, scanning has occurred and no vulnerabilities are found. If
the client has not met requirements, the user stays in the Clean Access Agent Temporary role until
requirements are met or the session times out. If the user has met requirements but is found with network
scanning vulnerabilities, the user can be assigned to a quarantine role or simply blocked, depending on
the configuration.
For additional details, see User Role Types, page 6-2.

Clean Access Setup Steps

The general summary of steps to set up Clean Access is as follows:

Step 1 Download Updates.
Retrieve general updates for Clean Access Agent and other deployment elements. See Retrieving Updates, page 10-11.
Step 2 Configure Clean Access Agent or Network Scanning per user role and OS in the General Setup tab.
Require use of the Clean Access Agent for a role, enable network scanning web pages for web login users, and block or quarantine users with vulnerabilities. See General Setup Summary, page 10-17.
Step 3 Configure the Clean Access-related user roles with session timeout and traffic policies (in-band).
Traffic policies for the quarantine role allow access to the User Agreement Page and web resources for quarantined users who failed network scanning. Traffic policies for the Clean Access Agent Temporary role allow access to the resources from which the user can download required software packages. See Configure Policies for Agent Temporary and Quarantine Roles, page 9-19.
Step 4 Configure network scanning, or Clean Access Agent scanning, or both.


Step 5 If configuring network scanning, load Nessus plugins to the Clean Access Manager repository. To enable network scanning, select the Nessus plugins to participate in scanning, then configure scan result vulnerabilities for the user roles and operating systems. Customize the User Agreement page. See Network Scanning Implementation Steps, page 13-2. Note that the results of network scanning may vary due to the prevalence of personal firewalls, which block any network scanning from taking place.
Step 6 If configuring Clean Access Agent, require use of the Clean Access Agent for the user role in the General Setup > Agent Login tab. Plan and define your requirements per user role. Configure AV Rules or create custom rules from checks. Map AV Rules to an AV Definition Update requirement, and/or map custom rules to a custom requirement (File Distribution/Link Distribution/Local Check). Map requirements to each user role. See Configuration Steps for Clean Access Agent Requirements, page 12-2.
Step 7 Test your configurations for user roles and operating systems by connecting to the untrusted network
as a client. Monitor the Certified List, Online Users page, and Event Logs during testing. Test network
scanning by performing web login, checking the network scanning process, the logout page, and the
associated client and administrator reports. Test Clean Access Agent by performing the initial web login
and Clean Access Agent download, Clean Access Agent login, requirement checks and scanning, and
view the associated client and administrator reports.
Step 8 If needed, manage the Certified List by configuring other devices, such as floating or exempt devices.
Floating devices must be certified at the start of every user session. Exempt devices are excluded from
Clean Access requirements. See Manage Certified Devices, page 10-26.

For further details, see:


• Network Scanning Implementation Steps, page 13-2
• Configuration Steps for Clean Access Agent Requirements, page 12-2


Retrieving Updates
A variety of updates are available from the Clean Access Updates server, available under Device
Management > Clean Access > Updates. You can perform updates manually as desired or schedule
them to be performed automatically:

Cisco Checks and Rules

Cisco provides a variety of pre-configured rules (“pr_”) and checks (“pc_”) for standard client checks
such as hotfixes, Windows update, and various antivirus software packages. Cisco checks and rules are
a convenient starting point if you need to manually create your own custom checks and rules.

Supported AV/AS Product List

This list is a versioned XML file distributed from a centralized update server that provides the most
current matrix of supported AV and AS vendors and product versions used to configure AV or AS Rules
and AV or AS Definition Update requirements. This list is updated regularly to add support for new
products. Note that the list provides version information only. When the CAM downloads the Supported
AV/AS Product List it is downloading the information about what the latest versions are for AV/AS
products; it is not downloading actual patch files or virus definition files. Based on this information, the
Agent can then trigger the native AV/AS application to perform updates. For the latest details on
products and versions supported, see Device Management > Clean Access > Clean Access Agent >
Rules > AV/AS Support Info, or see the “Clean Access Supported Antivirus/Antispyware Product List”
in the latest release notes: http://www.cisco.com/en/US/products/ps6128/prod_release_notes_list.html

AV Rules and Requirements


To facilitate standard tasks for administrators, the Clean Access Agent provides built-in support for 28+
major antivirus (AV) vendors through the Supported AV/AS Product List, and pre-defined AV Rules and
AV Definition Update Requirements. The Agent checks for installed AV software and up-to-date virus
definitions and can automatically update these packages on client systems. The list of supported AV
vendor packages includes:

• AhnLab, Inc.
• ALWIL Software
• America Online, Inc
• Authentium, Inc.
• Beijing Rising Technology Corp. Ltd
• ClamWin
• Computer Associates International, Inc.
• EarthLink, Inc.
• Eset Software
• Frisk Software International
• F-Secure Corp.
• GData Software AG
• Grisoft, Inc.
• H+BEDV Datentechnik GmbH
• Kaspersky Labs
• Kingsoft Corp
• McAfee, Inc.
• Microsoft Corp.
• MicroWorld
• Norman ASA
• Panda Software
• SalD Ltd.
• SOFTWIN
• Sophos Plc.
• Symantec Corp.
• Trend Micro, Inc.
• Yahoo!, Inc.
• Zone Labs LLC


AS Rules and Requirements


Cisco NAC Appliance integrates support for the following 20+ Anti-Spyware (AS) vendors (Windows
XP/2000) in the Supported AV/AS Product List and pre-defined AS Rules and AS Definition Update
Requirements.

• AhnLab, Inc.
• America Online, Inc
• Anonymizer, Inc
• Bullet Proof Soft
• Computer Associates International, Inc
• EarthLink, Inc.
• Face Time Communications, Inc
• Javacool Software LLC
• Lavasoft, Inc.
• McAfee, Inc.
• MicroSmarts LLC
• Microsoft Corp.
• PC Tools Software
• Prevx Ltd.
• Safer Networking Ltd.
• SOFTWIN
• Sunbelt Software
• Symantec Corp.
• Trend Micro Inc.
• Webroot Software, Inc.
• Yahoo!, Inc.

Default Host Policies


Clean Access provides automatic updates for the default host-based policies (for Unauthenticated,
Temporary, and Quarantine roles). Note that Default Allowed Hosts are disabled by default, and must be
enabled for each role under User Management > User Roles > Traffic Control > Hosts. See Enable
Default Allowed Hosts, page 9-9 for details.

OS Detection Fingerprint
By default, the system uses the User-Agent string from the HTTP header to determine the client OS. In
addition, platform information from JavaScript or the OS fingerprinting from the TCP/IP handshake can
also be compared against the OS signature information in the CAM database to determine the client OS.
This information can be updated in the CAM when new OS signatures become available in order to
verify an OS fingerprint as a Windows machine. This enhanced OS fingerprinting feature is intended to
prevent users from changing identification of their client operating systems through manipulating HTTP
information. Note that this is a “passive” detection technique (accomplished without Nessus) that only
inspects the TCP handshake and is not impacted by the presence of a personal firewall. See also Device
Management > CCA Servers > Manage [CAS_IP] > Authentication > OS Detection in the CAS
management pages of the web console, and the Cisco NAC Appliance - Clean Access Server Installation
and Administration Guide for further details.

Note The OS detection/fingerprinting feature uses both browser user-agent string and TCP/IP stack
information to try to determine the OS of the client machine. While the detection routines will attempt
to find the best match, it is possible that the OS may be detected incorrectly if the end-user modifies the
TCP/IP stack on the client machine and changes the user-agent string on the browser. If there is concern
regarding malicious users evading the OS fingerprinting/detection mechanisms, then administrators are
advised to use network scanning in order to confirm the OS on the machine. If, for any reason, it is not
possible or not desirable to use network scanning, then network administrators should consider
pre-installing the Clean Access Agent on machines.
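As an added illustration of the cross-check the note describes (not Cisco code), the following Python compares the OS claimed by the browser's User-Agent string with a passive TCP/IP fingerprint of the client's SYN. The signature table is a constructed, simplified stand-in for the CAM's OS signature database, the sample login records are constructed rather than captured, and all function names are hypothetical. The verdicts a defender cares about are “mismatch” and “unverified”: those are the cases where the guide recommends confirming the OS with network scanning or a pre-installed Agent rather than trusting HTTP information.

```python
import re

# Constructed, simplified stand-in for the CAM OS signature database
# (assumption: real signatures are more detailed).  Key: (initial TTL,
# TCP window size, option layout of the SYN) -> OS family.
TCP_SIGNATURES = {
    (128, 65535, "mss,nop,ws,nop,nop,sackOK"): "windows",        # Windows XP style
    (128, 8192, "mss,nop,ws,nop,nop,sackOK"): "windows",         # later Windows style
    (64, 5840, "mss,sackOK,ts,nop,ws"): "linux",                 # Linux 2.6 style
    (64, 65535, "mss,nop,ws,nop,nop,ts,sackOK,eol"): "macos",    # Mac OS X style
}

# Order matters: "Windows" is tested before the generic X11/Linux pattern.
UA_PATTERNS = [
    (re.compile(r"windows", re.I), "windows"),
    (re.compile(r"mac os x|macintosh", re.I), "macos"),
    (re.compile(r"linux|x11", re.I), "linux"),
]


def os_from_user_agent(user_agent: str) -> str:
    """OS family the browser *claims* via its User-Agent header."""
    for pattern, family in UA_PATTERNS:
        if pattern.search(user_agent):
            return family
    return "unknown"


def initial_ttl(observed_ttl: int) -> int:
    """Round the TTL seen on the wire up to the nearest common initial value.

    Each router hop decrements TTL by one, so a SYN arriving with TTL 120
    most likely left the host with 128 (typical for Windows), not 64 or 255.
    """
    for base in (64, 128, 255):
        if observed_ttl <= base:
            return base
    return 255


def os_from_tcp_syn(ttl: int, window: int, options: str) -> str:
    """OS family suggested by the TCP/IP stack, independent of HTTP headers."""
    return TCP_SIGNATURES.get((initial_ttl(ttl), window, options), "unknown")


def classify_client(user_agent: str, ttl: int, window: int, options: str) -> dict:
    """Compare the claimed OS with the passive fingerprint and return a verdict.

    'mismatch'   - HTTP information disagrees with the stack (the case the
                   guide warns about); treat the claimed OS as untrusted.
    'unverified' - one side gave no usable answer; fall back to network
                   scanning or a pre-installed Agent to confirm the OS.
    'consistent' - both sources agree.
    """
    claimed = os_from_user_agent(user_agent)
    observed = os_from_tcp_syn(ttl, window, options)
    if claimed == "unknown" or observed == "unknown":
        verdict = "unverified"
    elif claimed == observed:
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return {"claimed_os": claimed, "observed_os": observed, "verdict": verdict}


# Constructed sample login attempts (not captured traffic):
# name -> (User-Agent, observed TTL, TCP window, SYN option layout)
SAMPLE_CLIENTS = {
    "xp-desktop": ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
                   120, 65535, "mss,nop,ws,nop,nop,sackOK"),
    "mac-laptop": ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/312",
                   61, 65535, "mss,nop,ws,nop,nop,ts,sackOK,eol"),
    "edited-ua":  ("Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5",
                   120, 65535, "mss,nop,ws,nop,nop,sackOK"),
    "odd-stack":  ("Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5",
                   120, 16384, "mss,nop,nop,sackOK"),
}


def run_samples() -> dict:
    """Classify every constructed sample; returns name -> classification."""
    return {name: classify_client(*fields) for name, fields in SAMPLE_CLIENTS.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:12s} claimed={result['claimed_os']:8s} "
              f"stack={result['observed_os']:8s} verdict={result['verdict']}")
```

The "edited-ua" sample shows why the guide calls the feature "passive": the User-Agent can be changed in the browser, but the SYN that carried it still has the window size and option layout of the real stack, and a personal firewall does not hide that from the CAS. The "odd-stack" sample is the honest failure mode: an unrecognised signature should produce "unverified" and a fallback to scanning or the Agent, never a silent "consistent".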


Supported Out-of-Band Switch OIDs


With release 4.1(0)+, updates to the object IDs (OIDs) of supported switches are downloaded and
published as they are made available. For example, if a new switch (such as C3750-XX-NEW) of a
supported model (Catalyst 3750 series) is released, administrators only need to perform Cisco Updates
on the CAM to obtain support for the switch OIDs, instead of performing a software upgrade of the
CAM/CAS.
Note that the update switch OID feature only applies to existing models. If a new switch series is
introduced, administrators will still need to upgrade to ensure OOB support for the new switches. See
Chapter 4, “Switch Management: Configuring Out-of-Band (OOB) Deployment” for details on OOB.

Windows Clean Access Agent Upgrade Patch


Agent upgrade patches are automatically downloaded to the CAM, pushed to the CAS, and downloaded
and installed on the client (if auto-upgrade is configured). See Configure Clean Access Agent
Auto-Upgrade, page 11-25 for details.

L3 Java Applet/L3 ActiveX Web Client


The L3 Java Applet and L3 ActiveX web client are needed for client MAC Address detection when users
perform web login in L3 OOB deployments. The MAC detection mechanism of the Clean Access Agent
will automatically acquire the client MAC address in L3 OOB deployments (see Clean Access Agent
Sends IP/MAC for All Available Adapters, page 11-8).
Users performing web login will download and execute either an ActiveX control (for IE browsers) or a
Java applet (for non-IE browsers) on the client machine prior to user login to determine the user
machine’s MAC address. This information is then reported to the CAS and the CAM to provide the IP
address/MAC address mapping.

ActiveX/Java Applet and Browser Compatibility


• ActiveX is supported on IE 6.0 for Windows XP and Windows 2000 systems.
• IE 7.0 is supported starting from Agent version 4.1.0.0.

Note Support for any future Windows OS or IE releases will only be added after testing and
certification has been performed on those releases.

• Java applets are supported for major browsers including Safari 1.2+, Mozilla (Camino, Opera), and
Internet Explorer on Windows XP, Windows 2000, MacOS 10, and Linux operating systems.
• Due to Firefox issues with Java, Java applets are not supported for Firefox on Mac OS X. See the
Firefox release notes (http://www.mozilla.com/firefox/releases/1.5.0.3.html) for details.

Note • To ensure Clean Access checks include the latest Microsoft Windows hotfixes, always get the latest
Updates of Cisco Checks and Rules (by Clean Update if needed) and ensure appropriate host-based
traffic policies are in place (see Add Global Host-Based Traffic Policies, page 9-8 for details.)
• When upgrading your CAM/CAS to the latest release of Cisco NAC Appliance, all Perfigo/Cisco
pre-configured checks/ rules will be automatically updated.


Download Cisco Updates


1. Go to Device Management > Clean Access > Updates.
2. The Summary page appears by default.

Figure 10-5 Updates Summary

3. The Current Versions of Updates will display all the latest Cisco Updates versions on your CAM:
– Cisco Checks & Rules
– Supported AV/AS Product List
– Default Host Policies
– OS Detection Fingerprint
– Supported Out-of-Band Switch OIDs (new for release 4.1)
– Windows CCA Agent Upgrade Patch
– L3 Java Applet Web Client
– L3 ActiveX Web Client
4. Click the Settings sublink to configure how Cisco Updates are downloaded to your CAM:


Figure 10-6 Updates Settings

5. To configure automatic updates on your CAM, click the checkbox for Automatically check for
updates starting from [] every [] hours, type a start time in 24-hour format (such as 13:00:00), and
type a “repeat” interval (1 hour is recommended).
6. Click the Check for Windows CCA Agent upgrade patches option to ensure the CAM always
downloads the latest version of the Agent Upgrade Patch. This must be enabled for Agent
auto-upgrade.
7. Click the Check for CCA L3 Java Applet/ActiveX web client updates option to ensure the CAM
always downloads the latest versions of the L3 Java Applet and ActiveX web clients. Web login
users need to download these helper controls from the login page to enable the CAS to obtain MAC
information in L3 deployments (particularly for L3 OOB). When the Agent is used, the MAC
information is automatically sent to the CAS.
8. Click the “Use an HTTP proxy server to connect to the update server” option if your CAM goes
through a proxy server to get to the Internet, and configure the Proxy server information.
9. Click Update to manually update your existing database with the latest Cisco checks and rules,
Agent upgrade patch, Supported AV/AS Product List, and default host policies, or
10. Click Clean Update to remove all previous items from the database first (including checks, rules,
Agent patch, Supported AV/AS Product List, and default host policies) before downloading all the
new updates. Note that Clean Update will delete all existing default host policies (along with
enable/disable settings) and add new default host policies (disabled by default). See Enable Default
Allowed Hosts, page 9-9 for details.
11. When you retrieve updates, the following status messages are displayed at the bottom of the page:


– Cisco auto-update schedule (if enabled)


– Latest version of Cisco Checks & Rules:
This shows the version of Cisco checks and rules downloaded. The latest update of Cisco
pre-configured checks (“pc_”) and rules (“pr_”) will populate the Check List and Rule List,
respectively (under Device Management > Clean Access > Clean Access Agent > Rules).
– Latest version of Windows Clean Access Agent Installer (Agent Upgrade Patch) (if
available)
– Latest version of Supported AV/AS Product List:
This shows the latest version of the Supported AV/AS Product List. When creating a New AV
Rule or requirement of type AV Definition Update, the matrix of supported vendors and
product versions will be updated accordingly.
– Latest version of default host policies:
This shows the latest version of default host-based policies provided for the Unauthenticated,
Temporary, and Quarantine roles.
– Latest version of OS detection fingerprint:
Updates to OS Detection Fingerprints (or signatures) will be made as new operating systems
become available for Windows machines.
– Latest version of L3 Java Applet web client:
Updates to the L3 Java Applet web client will be downloaded and published as they are made
available.
– Latest version of L3 ActiveX web client:
Updates to the L3 ActiveX web client will be downloaded and published as they are made
available.
– Latest version of OOB switch OIDs:
Updates to the object IDs (OIDs) of supported switches will be downloaded and published as
they are made available.


General Setup Summary


Clean Access Agent scanning and/or network scanning must first be enabled under Device Management
> Clean Access > General Setup before configuring posture assessment.
• The Agent Login subpage enables Clean Access Agent controls per user role/OS.
• The Web Login subpage enables network scanning controls per user role/OS.
In addition to dialog/web page content, you can specify whether pages appear when the user logs in with
a specific user role and OS. If you want to enable both Clean Access Agent and network scanning for a
role, make sure to set role/OS options on both the Agent Login and Web Login configuration pages.

Note Clean Access Agent/network scanning pages are always configured by both user role and client OS.

Agent Login
Clean Access Agent users see the web login page and the Clean Access Agent download page the first
time they perform initial web login in order to download and install the Clean Access Agent setup
installation file. After installation, Clean Access Agent users should log in through the Clean Access
Agent dialog, which automatically pops up when “Popup Login Window” is selected from the system
tray icon menu (default setting). Clean Access Agent users can also bring up the login dialog by
right-clicking the Clean Access Agent system tray icon and selecting “Login.”

Note Agent Login/Logout is disabled (greyed out) for special logins, such as VPN SSO, AD SSO and
Mac-Based logins. The Logout option is not needed for these deployments, since the machine always
attempts to log back in immediately.

Clean Access Agent users will not see quarantine role pages or popup scan vulnerability reports, as the
Agent dialogs perform the communication. You can also configure a Network Policy page (Acceptable
Use Page) that Agent users must accept after login and before accessing the network.


Figure 10-7 Agent Login—General Setup

Table 10-1 Agent Login—General Setup Configuration Options

User Role
Choose a user role from the dropdown menu, which shows all roles in the system. Configure Agent Login settings for each role for which the Clean Access Agent will be required. (See Add New Role, page 6-6 for how to create new user roles.)

Operating System
Choose the client OS for the specified user role. ALL settings apply by default to all client operating systems if no OS-specific settings are specified. WINDOWS_ALL settings apply to all Windows operating systems if no Windows-OS specific settings are specified.

Require use of Clean Access Agent (for Windows & Macintosh OSX only)
Click this checkbox to redirect clients in the selected user role and OS to the Clean Access Agent Download Page Message (or URL) after the initial web login. Users will be prompted to download, install, and use the Clean Access Agent to log into the network. To modify the default download instructions, type HTML text or enter a URL. See Create Clean Access Agent Requirements, page 12-3.
Note Clean Access Agent requirement configuration must also be completed as described in Chapter 12, “Configuring Clean Access Agent Requirements.”

Allow restricted network access in case user cannot use Clean Access Agent
Click this optional checkbox to allow users to have restricted network access if they bypass download of the Clean Access Agent. This feature is intended primarily to allow access for users logging into a user role that requires the Clean Access Agent, but who have systems on which they cannot download and install the Agent (as in the case of non-admin privileges on the machine). For details, see Configure Restricted Network Access for Agent Users, page 11-5.

Show Network Policy to Clean Access Agent users [Network Policy Link:]
Click this checkbox if you want to display a link in the Clean Access Agent to a Network Policy (Acceptable Use Policy) web page to Clean Access Agent users. You can use this option to provide a policies or information page that users must accept before they access the network. This page can be hosted on an external web server or on the Clean Access Manager itself.
• To link to an externally-hosted page, type the URL in the Network Policy Link field, in the format http://mysite.com/helppages.
• To put the network policy page on the CAM, for example “helppage.htm,” upload the page using Administration > User Pages > File Upload, then point to the page by typing the URL http://<CAM_IP_address>/upload/helppage.htm in the Network Policy Link field.
Note The Network Policy page is only shown to the first user that logs in with the device. This helps to identify the authenticating user who accepted the Network Policy Page. Clearing the device from the Certified List will force the user to accept the Network Policy again at the next login.
For details, see Figure 10-3 on page 10-4 and Configure Network Policy Page (Acceptable Use Policy) for Agent Users, page 11-6.

Logoff Clean Access Agent users from network on their machine logoff or shutdown (for Windows & In-Band only)
Click this option to enable logoff of the Agent from the Clean Access network when a user logs off the Windows domain (Start->Shutdown->Log off current user) or shuts down a Windows workstation. If this option is not checked, the user remains logged in to Clean Access after machine logoff or shutdown/restart. Enabling this feature ensures that Auto-Upgrade checks for updates on the Agent at machine restart. If this feature is not enabled, the client will only be checked for updates at the next user login.
Note This feature does not apply for OOB deployments. After being enabled, this feature takes effect immediately for new user logins only. If Windows terminates the Agent prior to successful log off from the Clean Access environment, the user may remain logged in.

Refresh Windows domain group policy after login (for Windows only)
(New for 4.1) Click this checkbox to automatically refresh the Windows domain group policy (perform GPO update) after the user login (for Windows only). This feature is intended to facilitate GPO update when Windows AD SSO is configured for Agent users. See Enable GPO Updates, page 8-23 for further details.

Automatically close login success screen after [] secs (for Windows only)
(New for 4.1) Click this checkbox and set the time to configure the Login success dialog to close automatically after the user is successfully certified/logged into the normal login role (otherwise the user has to click the OK button). Setting the time to zero seconds prevents display of the Agent Login success screen (see Figure 12-69 on page 12-61). Valid range is 0 - 300 seconds.

Automatically close logout success screen after [] secs (for Windows only)
(New for 4.1) Click this checkbox and set the time to configure the Logout success dialog to close automatically when the user manually logs out (otherwise the user has to click the OK button). Setting the time to zero seconds prevents display of the logout success screen (see Figure 12-70 on page 12-61). Valid range is 0 - 300 seconds.

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01 10-19
Chapter 10 Clean Access Implementation Overview
General Setup Summary

Web Login
Figure 10-8 Web Login—General Setup

Web login users see the login and logout pages, quarantine role or blocked access pages and Nessus scan
vulnerability reports, if enabled. You can also configure a User Agreement Page that appears to web
login users before accessing the network.
Table 10-2 explains the General Setup > Web Login configuration options shown in Figure 10-8. For
examples and descriptions of all user pages, see Table 10-3 on page 10-22.

Table 10-2 Web Login—General Setup Configuration Options

User Role
Choose the user role for which to apply Clean Access General Setup controls. The dropdown list shows all roles in the system. Configure user roles from User Management > User Role (see Add New Role, page 6-6).

Operating System
Choose the client OS for the specified user role. By default, 'ALL' settings apply to all client operating systems if no OS-specific settings are specified.

Show Network Scanner User Agreement Page to web login users
Click this checkbox to present the User Agreement Page (“Virus Protection Information”) after web login and network scanning. The page displays the content you configure in the User Agreement configuration form. Users must click the Accept button to access the network.
Note The User Agreement page is only shown to the first user that logs in with the device. This helps to identify the authenticating user who accepted the UAP. Clearing the device from the Certified List will force the user to accept the UAP again at the next login.
If choosing this option, be sure to configure the page as described in Customize the User Agreement Page, page 13-16.

Enable pop-up scan vulnerability reports from User Agreement Page
Click this checkbox to enable web login users to see the results of their network scan from a popup browser window. If popup windows are blocked on the client computer, the user can view the report by clicking the Scan Report link on the Logout page.

Require users to be certified at every web login
• Click this checkbox to force users to go through network scanning every time they access the network.
• If disabled (default), users only need to be certified the first time they access the network, or until their MAC address is cleared from the Certified List.

Exempt certified devices from web login requirement by adding to MAC filters
Click this checkbox to place the MAC address of devices that are on the Clean Access Certified List into the authentication passthrough list. This allows devices to bypass authentication and the Clean Access process altogether the next time they access the network.

Block/Quarantine users with vulnerabilities in role
• Click this checkbox and select a quarantine role from the dropdown menu to put the user in the quarantine role if found with vulnerabilities after network scanning. If quarantined, the user must correct the problem with their system and go through network scanning again until no vulnerabilities are found in order to access the network.
• Click this checkbox and select Block Access from the dropdown menu to block the user from the network if found with vulnerabilities after network scanning. If a user is blocked, the Blocked Access page is shown with the content entered in the Message (or URL) for Blocked Access Page: field.
Note The role session expiration time appears in parentheses next to the quarantine role name. This session time also appears on the User Agreement Page, if display of the page is enabled for a quarantined user.

Show quarantined users the User Agreement Page of
If Quarantine is selected for “Block/Quarantine users with vulnerabilities in role,” this option appears below. It lets you present a User Agreement Page specific to the quarantine role chosen for users who fail scanning. Alternatively, Clean Access can present the page associated with the user’s normal login role, or no page. See Customize the User Agreement Page, page 13-16 for further information.

Message (or URL) for Blocked Access Page:
If Block Access is selected for “Block/Quarantine users with vulnerabilities in role”, this option appears. To modify the default message, type HTML text or enter a URL for the message that should appear when a user is blocked from the network for failing Clean Access certification.


User Page Summary


Table 10-3 summarizes the web pages that appear to users during the course of login and Clean Access
certification, and lists where they are configured in the web admin console.

Table 10-3 User Page Summary

Web Login Pages

Login Page
  Configured in: Administration > User Pages > Login Page. See User Login Page, page 5-2 for details.
  Purpose: The Login page is configured separately from the web pages for Clean Access Agent/network
  scanning, and is the network authentication interface when using network scanning only. Clean Access
  Agent users only need to use it once, to initially download the Agent installation file. Login pages can be
  configured per VLAN, subnet and client OS. The user enters his/her credentials to authenticate, and the
  CAM determines the user’s role assignment based on local user/user role configuration.

Logout Page (web login users only)
  Configured in: User Management > User Roles > New Role or Edit Role. See Specify Logout Page
  Information, page 5-15 for details.
  Purpose: The Logout page appears only for users that use web login to authenticate. After the user
  successfully logs in, the Logout page pops up in its own browser window and displays user status based
  on the combination of options you select.
  Note: Users (especially users in a quarantine role) should be careful not to close the Logout page, so
  that they can log themselves out instead of having to wait for a session timeout.

Clean Access Agent User Pages

Clean Access Agent Download Page
  Configured in: Device Management > Clean Access > General Setup > Agent Login. See Create Clean
  Access Agent Requirements, page 12-3.
  Purpose: When use of the Clean Access Agent is required for the role, this page appears after the initial
  one-time web login to prompt the user to download and install the Agent. Once installed, the user should
  use the Agent to log in rather than opening a browser.

(Optional) Restricted Network Access
  Configured in: See Configure Restricted Network Access for Agent Users, page 11-5.
  Purpose: The bottom of the Download page can optionally be configured to provide a Restricted Network
  Access button if the user is required by role to use the Agent, but cannot download it at that time.

Clean Access Network Policy Page
  Configured in: Device Management > Clean Access > General Setup > Agent Login. See Configure
  Network Policy Page (Acceptable Use Policy) for Agent Users, page 11-6 and Figure 10-3 on page 10-4.
  Purpose: The Clean Access Agent can be configured to display a “Network Usage Terms & Conditions”
  link that opens an Acceptable Network Usage policy web page that you have already configured. This
  page can be hosted on an external web server or on the CAM itself. Agent users must click the Accept
  button in the Agent dialog to be able to access the network.

Web Login / Network Scanner User Pages

Network Scanning User Agreement Page
  Enable in: Device Management > Clean Access > General Setup > Web Login.
  Configure page in: Device Management > Clean Access > Network Scanner > Scan Setup > User
  Agreement. See Customize the User Agreement Page, page 13-16 and Figure 10-4 on page 10-5.
  Purpose: If enabled, this page appears after a web login user authenticates and passes network scanning.
  The user must click Accept to access the network.

Scan Vulnerability Report
  Enable in: Device Management > Clean Access > General Setup > Web Login.
  Configure page in: Device Management > Clean Access > Network Scanner > Scan Setup >
  Vulnerabilities. See Configure Vulnerability Handling, page 13-10 and Figure 10-4 on page 10-5.
  Purpose: If enabled, this client report appears to web login users after network scanning results in
  vulnerabilities. It can also be accessed as a link from the Logout page. Administrators can view the admin
  version of the client report from Device Management > Clean Access > Network Scanner > Reports.
  Agent users with network scanning vulnerabilities see this information in the context of Agent dialogs.
  The report appears as follows: [image of a sample report]

Block Access Page
  Configured in: Device Management > Clean Access > General Setup > Web Login. See Customize the
  User Agreement Page, page 13-16.
  Purpose: If enabled, a web login user sees this page if blocked from the network when vulnerabilities are
  found on the client system after network scanning.

User Agreement Page: quarantined user, original role
  Enable in: Device Management > Clean Access > General Setup > Web Login.
  Configure page in: Network Scanner > Scan Setup > User Agreement. Select the normal login role. See
  Customize the User Agreement Page, page 13-16.
  Purpose: If enabled, this page appears to a web login user who is quarantined when vulnerabilities are
  found on the client system after network scanning. This page has the same Information Page Message
  (or URL) contents (“Virus Protection Information”) as the User Agreement Page for the normal login
  role. However, the Acknowledgment Instructions are hardcoded to include the Session Timeout for the
  original role, and the button labels are hardcoded as “Report” and “Logout”.

User Agreement Page: quarantined user, quarantine role
  Enable in: Device Management > Clean Access > General Setup > Web Login.
  Configure page in: Network Scanner > Scan Setup > User Agreement. Select the appropriate quarantine
  role. See Customize the User Agreement Page, page 13-16.
  Purpose: If enabled, this page appears to a web login user who is quarantined when vulnerabilities are
  found on the client system after network scanning. This page allows you to specify a User Agreement
  Page just for the quarantine role (as opposed to using the quarantine version of the User Agreement Page
  for the normal login role, as described above). The Acknowledgment Instructions are hardcoded to
  include the Session Timeout for the quarantine role, and the button labels are also hardcoded as
  “Report” and “Logout”.

For additional information on redirecting users by role to specific pages or URLs (outside of Clean
Access), see Create Local User Accounts, page 6-14.
For additional Clean Access configuration information, see Configure General Setup, page 13-6.
For additional details on configuring the Clean Access Agent, see Chapter 12, “Configuring Clean
Access Agent Requirements.”


Manage Certified Devices


This section describes the following:
• Add Exempt Device, page 10-27
• Clear Certified or Exempt Devices Manually, page 10-28
• View Clean Access Reports for Certified Devices, page 10-28
• View Switch Information for Out-of-Band Certified Devices, page 10-29
• Configure Certified Device Timer, page 10-29
• Add Floating Devices, page 10-32
When a user device passes network scanning or meets Clean Access Agent requirements, the Clean
Access Server automatically adds the MAC address of the device to the Certified List (for users with L2
proximity to the CAS).

Note Because the Certified List is based on client MAC addresses, the Certified List never applies to users in
L3 deployments.

For network scanning, once on the Certified List, the device does not have to be recertified as long as its
MAC address is in the Certified List, even if the user of the device logs out and accesses the network
again as another user. (Multi-user devices should be configured as floating devices to require
recertification at each login.)
For Clean Access Agent users, devices always go through Clean Access Agent requirements at each
login, even if the device is already on the Certified List.
Devices automatically added by Clean Access to the Certified Device list can be cleared manually or
cleared automatically at specified intervals. Because exempt devices are manually added to the list, they
must be manually removed. This means that an exempt device on the Certified List is protected from
being automatically removed when the global Certified Devices Timer form is used to clear the list at
regularly scheduled intervals.
Clearing devices from the Certified List (whether manually or automatically) performs the following
actions:
• Removes IB clients from the In-Band Online Users list and logs them off the network (configurable
with release 4.1.0+).
• Removes OOB clients from the Out-of-Band Online Users list and bounces their port
(unless port bouncing is disabled for OOB VGW; see Add Port Profile, page 4-28 for details).
• Forces client devices to repeat the Clean Access requirements at the next login.
Note that logging either an IB or OOB user off the network from Monitoring > Online Users > View
Online Users does not remove the client from the Certified List. This allows the user to log in again
without forcing the client device to go through network scanning again. Note that for Clean Access
Agent users, devices always go through Clean Access Agent requirements at each login, even if the
device is already on the Certified List.

Note Because the Certified List displays users authenticated and certified based on known L2 MAC address,
the Certified List does not display information for remote VPN/multihop L3 users tracked by IP address
only. To view these authenticated remote VPN/multihop L3 users, see the In-Band Online Users List.
The User MAC field for these users will display as “00:00:00:00:00:00.”


For further details on terminating active user sessions, see Interpreting Active Users, page 14-4 and
Out-of-Band User List Summary, page 4-50.
If a certified device is moved from one CAS to another, it must go through Clean Access certification
again for the new CAS unless it has been manually added as an exempt device at the global level for all
Clean Access Servers. This allows for the case where one Clean Access Server has more restrictive Clean
Access requirements than another.
Though devices can only be certified and added to the list per Clean Access Server, you can remove
certified devices globally from all Clean Access Servers or locally from a particular CAS only (see the
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide for additional
details.)
See also Certified List, page 10-7 for additional information.

Add Exempt Device


Designating a device as exempt is the way a device can be manually added to the
automatically-generated Certified List. The Clean Access Server only adds a device to the Certified List
if the device has met the Clean Access criteria you configured. A device designated as Exempt is
considered clean and therefore exempt from having to go through certification while its MAC address
remains on the Certified List. Adding an exempt device in effect bypasses the Clean Access Server’s
automated process of Clean Access certification.

Note For details on how to allow users/devices to bypass both authentication and certification, see Global
Device and Subnet Filtering, page 3-7.

To add an exempt device:


1. Go to Device Management > Clean Access > Certified Devices > Add Exempt Device (Figure 10-9).

Figure 10-9 Add Exempt Device

2. Type the MAC address in the Exempt Device MAC Address field. To add several addresses at once,
use line breaks to separate the addresses.
3. Click Add Exempt.
4. The Certified List page appears, highlighting the exempt devices (Figure 10-10).


Note Exempt devices added with these forms are exempt for all Clean Access Servers. To designate an exempt
device for only a particular Clean Access Server, see the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide.

Figure 10-10 Clean Access Certified List

Clear Certified or Exempt Devices Manually


To clear device MAC addresses, go to Device Management > Clean Access > Certified Devices >
Certified List and click:
• Clear Exempt to remove only the MAC addresses that were added manually with the Add Exempt
button.
• Clear Certified to remove only the MAC addresses that were added automatically by Clean Access.
• Clear All to remove MAC addresses of both exempt and certified devices.
Remove individual addresses by clicking Delete ( ) next to the MAC address.

View Clean Access Reports for Certified Devices


You can view the results of previous Clean Access Agent scans for certified devices under Device
Management > Clean Access > Clean Access Agent > Reports. Click the View ( ) button to see
which requirements, rules, and checks succeeded or failed for an individual client. See page 10-31 for
details.
You can view the results of previous network scans for certified devices at any time from Device
Management > Clean Access > Network Scanner > Reports. Click the Report button ( ) to see an
individual scan report. See View Scan Reports, page 13-14 for details.


View Switch Information for Out-of-Band Certified Devices


For out-of-band users only, the Certified List (Figure 10-10) populates the Switch column with a
Switch button. Clicking the Switch button ( ) for an out-of-band client brings up a dialog with the
switch IP, Port ID, and last update time of the client (Figure 10-11).

Figure 10-11 Switch Button Popup

For further details on OOB clients, see Chapter 4, “Switch Management: Configuring Out-of-Band
(OOB) Deployment” and Out-of-Band Users, page 14-7.

Configure Certified Device Timer


You can configure Certified Device Timers to automatically clear the Certified Device list at specified
intervals. Release 4.1(0) enhances Certified Devices Timer configuration to provide better periodic
assessment capabilities. The Certified Devices List no longer needs to be cleared in its entirety each time
the timer is applied. Administrators can now:
• Clear the Certified List per Clean Access Server, User Role, or Authentication Provider, or a
combination of all three
• Clear certified devices without removing users from the network with the “Keep Online Users”
option. When the “Keep Online Users” option is checked, user sessions are not immediately ended
when clearing the list, but at user logout time (or at linkdown for OOB). Devices can re-enter the
list after user authentication and device remediation.
• Clear the Certified List all at once or in batches (to manage user re-login and certification during
peak times). You can clear devices according to how long they have been on the list and/or in fixed
time interval batches. This facilitates CAM database management when clearing large numbers of
devices.
• Configure multiple, independent timers. Administrators can create and save multiple instances of
Certified Device Timers (similar to a Scheduled Job/Task). Each Timer is independent of the others
and can be maintained separately. For example, if managing 6 CAS pairs, the administrator can
create a different Timer for each pair of HA-CASes.
Note that the Certified Devices Timer form is an automatic process that only clears devices added to the
Certified List by Clean Access. It does not clear Exempt devices, which are manually added to the
Certified List. Clearing the Certified List terminates all online user sessions if the “Keep Online Users”
option is disabled.

To create a new certified device timer:


1. Go to Device Management > Clean Access > Certified Devices > Timer. The List page appears
by default.


Figure 10-12 Certified Devices Timer—List

2. Click the New sublink to bring up the New Timer configuration form.

Figure 10-13 New Certified Devices Timer

3. Type a Timer Name for the timer.


4. Type an optional Description of the timer.


5. Click the checkbox for Enable this timer to apply the timer right away after configuration.
6. Click the checkbox for Keep Online Users if you only want to remove client devices from the
Certified List without removing the users from the network.
7. Type the Start Date and Time for the timer, using format: YYYY-MM-DD hh:mm:ss. The Start
Date and Time sets the initial date and time for this timer to clear the Certified List.
8. Type a Recurrence in days to set the repeat interval for this timer. For example, a Recurrence of 7
will clear the Certified List 7 days after the initial clearing and at the same Start Time specified.
Typing 0 will clear the Certified List only once.
9. Choose from any of the dropdown menus to apply this timer by the following Criteria:
a. Clean Access Server: Apply this timer to Any CCA Server (default) or to a specific CAS by
IP address.
b. User Role: Apply this timer to Any User Role (default) or to a specific system user role.
c. Provider: Apply this timer to Any Provider (default) or to a specific system Auth Provider
(Local DB or any other).
10. Type a Minimum Age in days to only clear devices that have been on the Certified List for the
number of days specified. Typing 0 clears all devices regardless of how long they have been on the
Certified List.
11. Choose a clearing Method for how much of the Certified List (sorted by Criteria) this timer should
clear at one time. Options are:
a. Clear all matching certified devices.
b. Clear the oldest [] matching certified devices only. (for example, “10” clears the ten oldest
certified devices in the sort list)
c. Clear the oldest [] certified devices every [] minutes until all matching certified devices are
cleared.
12. When done, click Update. This saves the Timer in the Certified Devices Timer List.

Note For additional information on terminating user sessions, see also Configure User Session and Heartbeat
Timeouts, page 9-15.
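The clearing rules in steps 9 through 11 (Criteria, Minimum Age, and the three clearing Methods), together with the Keep Online Users and Recurrence behaviour described in this section and in Manage Certified Devices, can be modelled in a few lines so that you can predict what a timer will do before enabling it. The following Python is an added example written for this guide; it is not Cisco code and does not talk to the CAM. The Certified List entries, CAS IP addresses, role and provider names, and the run time are all constructed sample values, and the selection logic (filter by Criteria, drop exempt devices, drop devices younger than the Minimum Age, sort oldest first, then apply the Method) is this example's reading of the form as described above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # the Start Date and Time format the New Timer form expects


@dataclass
class CertifiedEntry:
    """One row of the Certified List (constructed sample data, not CAM output)."""
    mac: str
    cas_ip: str            # Clean Access Server that certified the device
    role: str              # user role at certification time
    provider: str          # authentication provider, e.g. "Local DB"
    certified_at: datetime
    exempt: bool = False   # exempt devices are added manually and are never cleared by a timer


@dataclass
class TimerConfig:
    """The Criteria, Minimum Age, Method and Keep Online Users fields of the New Timer form."""
    cas_ip: Optional[str] = None      # None means "Any CCA Server"
    role: Optional[str] = None        # None means "Any User Role"
    provider: Optional[str] = None    # None means "Any Provider"
    min_age_days: int = 0             # 0 clears devices regardless of how long they have been listed
    method: str = "all"               # "all", "oldest" or "batch"
    oldest_n: int = 0                 # the [] device count used by "oldest" and "batch"
    batch_minutes: int = 0            # the "every [] minutes" interval used by "batch"
    keep_online_users: bool = False


def matching_devices(entries, cfg, now):
    """Non-exempt devices that match the Criteria and the Minimum Age, oldest first."""
    cutoff = now - timedelta(days=cfg.min_age_days)
    matches = [
        e for e in entries
        if not e.exempt
        and (cfg.cas_ip is None or e.cas_ip == cfg.cas_ip)
        and (cfg.role is None or e.role == cfg.role)
        and (cfg.provider is None or e.provider == cfg.provider)
        and e.certified_at <= cutoff
    ]
    return sorted(matches, key=lambda e: e.certified_at)


def plan_clearing(entries, cfg, now):
    """Batches of (minutes after the run starts, [MACs cleared]) for one run of the timer."""
    macs = [e.mac for e in matching_devices(entries, cfg, now)]
    if cfg.method == "all":
        return [(0, macs)] if macs else []
    if cfg.oldest_n <= 0:
        raise ValueError("the 'oldest' and 'batch' methods need a positive device count")
    if cfg.method == "oldest":
        return [(0, macs[: cfg.oldest_n])] if macs else []
    if cfg.method == "batch":
        # Clear oldest_n devices now, the next oldest_n after batch_minutes, and so on.
        return [
            (i // cfg.oldest_n * cfg.batch_minutes, macs[i : i + cfg.oldest_n])
            for i in range(0, len(macs), cfg.oldest_n)
        ]
    raise ValueError(f"unknown method {cfg.method!r}")


def sessions_ended_immediately(cfg):
    """Clearing ends the online user sessions at once unless Keep Online Users is checked."""
    return not cfg.keep_online_users


def run_times(start, recurrence_days, count):
    """The first `count` run times of a timer; a Recurrence of 0 means it fires only once."""
    first = datetime.strptime(start, DATE_FMT)
    if recurrence_days <= 0:
        return [first.strftime(DATE_FMT)]
    return [(first + timedelta(days=recurrence_days * i)).strftime(DATE_FMT) for i in range(count)]


# Constructed sample Certified List; the timer is assumed to run at 2006-12-15 02:00:00.
SAMPLE_NOW = datetime(2006, 12, 15, 2, 0, 0)
SAMPLE_ENTRIES = [
    CertifiedEntry("00:16:21:23:4D:01", "10.1.1.2", "student", "Local DB", datetime(2006, 12, 1)),
    CertifiedEntry("00:16:21:23:4D:02", "10.1.1.2", "student", "Local DB", datetime(2006, 12, 5)),
    CertifiedEntry("00:16:21:23:4D:03", "10.1.1.3", "staff", "ldap_lab", datetime(2006, 12, 10)),
    CertifiedEntry("00:16:21:23:4D:04", "10.1.1.2", "student", "Local DB", datetime(2006, 12, 14)),
    CertifiedEntry("00:16:21:23:4D:05", "10.1.1.2", "staff", "Local DB", datetime(2006, 11, 1), exempt=True),
]

if __name__ == "__main__":
    cfg = TimerConfig(cas_ip="10.1.1.2", min_age_days=7, method="batch", oldest_n=1, batch_minutes=30)
    for offset, macs in plan_clearing(SAMPLE_ENTRIES, cfg, SAMPLE_NOW):
        print(f"+{offset:>3} min: clear {macs}")
    print("sessions ended immediately:", sessions_ended_immediately(cfg))
    print("run times:", run_times("2006-12-15 02:00:00", 7, 3))
```

Running the script shows why a per-CAS timer with a Minimum Age of 7 days leaves the device certified the day before untouched, and why the exempt device never appears in any batch regardless of Criteria.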


Add Floating Devices


A floating device is certified only for the duration of a user session. Once the user logs out, the next user
of the device needs to be certified again. Floating devices are useful for managing shared equipment,
such as kiosk computers or wireless cards loaned out by a library.
In addition to session-length certification, you can configure devices that are never certified. This is
useful for multi-user devices, such as dial-up routers that channel multi-user traffic from the untrusted
side of the network. In this case, the Clean Access Server will see only that device’s MAC address as the
source and destination of the network traffic. If the device is allowed to be certified, after the first user
is certified, additional users would be exempt from certification. By configuring the router’s MAC
address as a floating device that is never certified, you can ensure that each user accessing the network
through the device is individually assessed for vulnerabilities/requirements met.
In this case, the users are distinguished by IP address. Users must have different IP addresses. If the
router performs NATing services, the users are indistinguishable to the Clean Access Manager and only
the first user will be certified.
Figure 10-14 shows the Floating Devices tab.

Figure 10-14 Floating Devices

Note For VPN concentrator/multihop L3 deployment, administrators must add the MAC address of the
router/VPN concentrator to the Floating Device list (example entry: 00:16:21:11:4D:67 1
vpn_concentrator). See “Integrating with Cisco VPN Concentrators” in the Cisco NAC Appliance -
Clean Access Server Installation and Administration Guide.

To configure a floating device:


1. Go to Device Management > Clean Access > Certified Devices > Add Floating Device.
2. In the Floating Device MAC Address field, enter the MAC address. Type the entry in the form:
<MAC> <type> <description>

Where:
– <MAC> is the MAC address of the device.


– <type> is either:
0 for session-scope certification, or
1 if the device should never be considered certified
– <description> is an optional description of the device.
Include spaces between each element and use line breaks to separate multiple entries. For example:
00:16:21:23:4D:67 0 LibCard1
00:16:34:21:4C:68 0 LibCard2
00:16:11:12:4A:71 1 Router1

3. Click Add Device to save the setting.


To remove a floating device, click the Delete icon ( ) for the MAC address.
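Because the Floating Device and Exempt Device fields are free-text lists that the administrator pastes in, a malformed MAC or a wrong <type> value is easy to miss. The following Python, an added example for this guide rather than Cisco code, validates and parses both list formats as they are described above (one entry per line; <MAC> <type> <description> for floating devices, a bare MAC per line for exempt devices) and reports which certification scope a floating entry gives a device. The sample input reuses the three entries shown in the procedure plus the VPN concentrator entry from the Note; the MAC regular expression, the duplicate check, and the "persistent" label for a MAC that is on neither list are this example's own assumptions.

```python
import re

# A MAC address in the six colon-separated hex pair form used in the guide's examples
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")

# <type> values defined for floating devices
SESSION_SCOPE = 0      # certified only for the duration of the user session
NEVER_CERTIFIED = 1    # never considered certified; each user behind the device is assessed


def parse_floating_entry(line):
    """Parse one '<MAC> <type> <description>' entry into (mac, type, description)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"expected '<MAC> <type> <description>', got {line.strip()!r}")
    mac, type_str = parts[0], parts[1]
    description = parts[2].strip() if len(parts) == 3 else ""   # description is optional
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address {mac!r}")
    if type_str not in ("0", "1"):
        raise ValueError(f"type must be 0 (session scope) or 1 (never certified), got {type_str!r}")
    return mac.upper(), int(type_str), description


def validate_floating_list(text):
    """Return 'line N: problem' strings for a Floating Device field; [] means every entry is well-formed."""
    errors = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue                       # blank lines separate nothing; ignore them
        try:
            mac, _, _ = parse_floating_entry(raw)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if mac in seen:                    # duplicate check is an assumption of this example
            errors.append(f"line {lineno}: duplicate MAC {mac}")
        seen.add(mac)
    return errors


def parse_floating_list(text):
    """Parse a whole multi-line Floating Device field, one entry per line."""
    errors = validate_floating_list(text)
    if errors:
        raise ValueError("; ".join(errors))
    return [parse_floating_entry(raw) for raw in text.splitlines() if raw.strip()]


def parse_exempt_list(text):
    """Parse the Exempt Device MAC Address field: one MAC per line, no type or description."""
    macs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        mac = raw.strip()
        if not mac:
            continue
        if not _MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: malformed MAC address {mac!r}")
        macs.append(mac.upper())
    return macs


def certification_scope(mac, floating):
    """'session', 'never' or 'persistent': how a certification for `mac` behaves given the floating list."""
    mac = mac.upper()
    for entry_mac, kind, _ in floating:
        if entry_mac == mac:
            return "session" if kind == SESSION_SCOPE else "never"
    return "persistent"   # stays certified while the MAC remains on the Certified List


# Constructed input: the guide's three example lines plus the VPN concentrator entry from the Note
SAMPLE_FLOATING = """\
00:16:21:23:4D:67 0 LibCard1
00:16:34:21:4C:68 0 LibCard2
00:16:11:12:4A:71 1 Router1
00:16:21:11:4D:67 1 vpn_concentrator
"""

if __name__ == "__main__":
    for mac, kind, desc in parse_floating_list(SAMPLE_FLOATING):
        print(f"{mac}  type={kind}  {desc:<16} scope={certification_scope(mac, parse_floating_list(SAMPLE_FLOATING))}")
    print(validate_floating_list("00:16:21:23:4D:67 2 bad\nzz:00:00:00:00:00 0 x"))
```

Run validate_floating_list on the text before pasting it into the form; an empty result means the list is well-formed, and each string in a non-empty result names the offending line.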

Chapter 11
Distributing the Clean Access Agent

This chapter describes how to enable and configure distribution, installation, and auto-upgrade options
on the CAM and CAS for Clean Access Agent distribution to client machines.
• Overview, page 11-1
• Add Default Login Page, page 11-3
• Require Use of the Clean Access Agent, page 11-3
• Enable Network Access (L3 or L2), page 11-7
• Configuring Agent Distribution/Installation, page 11-12
• Configure Clean Access Agent Auto-Upgrade, page 11-25
• Manually Uploading the Agent to the CAM, page 11-31
• Downgrading the Agent, page 11-32

Overview
The Clean Access Agent provides local-machine agent-based vulnerability assessment and remediation
for Windows clients. Users download and install the Clean Access Agent (read-only client software),
which can check the host registry, processes, applications, and services. The Clean Access Agent can be
used to perform antivirus or antispyware definition updates, distribute files uploaded to the Clean Access
Manager, distribute website links to websites in order for users to download files to fix their systems, or
simply distribute information/instructions.
Clean Access Agent vulnerability assessment is configured in the CAM by creating requirements based
on rules and (optionally) checks, then applying the requirements to user roles/client OSes.

Note For an illustrated overview, see Clean Access Agent Client Assessment Process, page 10-4.

Users in L3 Deployments
Cisco NAC Appliance supports multi-hop L3 deployment and VPN concentrator/L3 access from the
Clean Access Agent. This enables clients to discover the CAS when the network configuration puts
clients one or more L3 hops away from the CAS (instead of in L2 proximity). You must Enable L3
Support on the CAS and ensure there is a valid Discovery Host for the Agent to function in multihop L3
environments or behind a Cisco VPN concentrator.


Distribution
The Clean Access Agent Setup Installation file is part of the Clean Access Manager software and is
automatically published to all Clean Access Servers. To distribute the Agent to clients for initial
installation, you require the use of the Clean Access Agent for a user role and operating system in the
General Setup > Agent Login tab. The CAS then distributes the Agent Setup file when the client
requests the Clean Access Agent. If the CAS has an outdated version of the Agent, the CAS acquires the
newest version available from the CAM before distributing it to the client.

Auto Upgrade
By configuring Agent auto-upgrade in the CAM, you can allow users to automatically upgrade to the
latest available version of the Agent upon login.

Installation
You can configure the level of user interaction required when users initially install the Agent.

Out-of-Band Users
Because out-of-band users only encounter the Clean Access Agent during the time they are in-band for
authentication and certification, Agent configuration is the same for in-band and out-of-band users.

Rules and Checks


With pre-configured Cisco checks and rules, or custom checks and rules that you configure, the Clean
Access Agent can check if any application or service is running, whether a registry key exists, and/or the
value of a registry key. Cisco pre-configured rules provide support for Critical Windows OS hotfixes.

Clean Access Agent Updates


Through the Updates page of your CAM web console, Cisco tracks and provides multiple updates per
hour, including the latest versions of Clean Access Agent Upgrade Patches as they become available.
See Retrieving Updates, page 10-11 for complete details.

Configuration Steps for Clean Access Agent


The basic steps needed to configure distribution of Clean Access Agent are as follows:

Step 1 Add Default Login Page, page 11-3


Step 2 Enable Network Access (L3 or L2), page 11-7
Step 3 Configuring Agent Distribution/Installation, page 11-12
Step 4 Configure Clean Access Agent Auto-Upgrade, page 11-25
Step 5 Require Use of the Clean Access Agent, page 11-3
Step 6 Create Clean Access Agent Requirements, page 12-3

Note Continue to Chapter 12, “Configuring Clean Access Agent Requirements” for details on how to
configure Agent requirement scanning and remediation.


Add Default Login Page


In order for both web login users and Clean Access Agent users to obtain the list of authentication
providers, a login page must be added and present in the system; without it, users cannot authenticate via
the Clean Access Agent. See Add Default Login Page, page 5-3 to quickly add the default user login page.

Note For L3 OOB deployments, you must also Enable Web Client for Login Page, page 5-6.

Require Use of the Clean Access Agent


Requiring the use of the Clean Access Agent is configured per user role and operating system. When the
Agent is required for a role, users in that role are forwarded to the Clean Access Agent download page
(Figure 11-2) after authenticating for the first time using web login. The user is then prompted to
download and run the Agent installation file. At the end of the installation, the user is prompted to log
into the network using the Agent.
1. Go to Device Management > Clean Access > General Setup > Agent Login (Figure 11-1).
2. Select the User Role for which users will be required to use the Clean Access Agent.
3. Select an Operating System (typically, WINDOWS_ALL is chosen). Note that the Clean Access
Agent is only available for Windows users.

Note Make sure the Operating System is correctly configured for the role to ensure the Download
Clean Access Agent web page is properly pushed to users.

4. Click the checkbox for Require use of Clean Access Agent.


5. You can leave the default message, or optionally type your own HTML message in the Clean Access
Agent Download Page Message (or URL) text field.
6. Click Update.


Figure 11-1 General Setup

Note For additional details on configuring the General Setup page, see General Setup Summary, page 10-17.

Clean Access Agent users logging in for the first time with the web login page see the Clean Access
Agent Download Page, as shown in Figure 11-2.


Figure 11-2 Clean Access Agent Download Page

Configure Restricted Network Access for Agent Users


Administrators can configure restricted network access to users when they cannot download and install
the Clean Access Agent themselves, due to lack of permissions on the machine or for guest access
purposes. This enhancement is intended to aid guests or partners in a corporate environment to get access
to the network even if their original role requires use of the Agent.
The restricted network access option can only be configured when the Require use of the Clean Access
Agent checkbox is enabled, and the option allows you to configure the user role to which these users
will be assigned in addition to the button and text presented. When the user performs initial web login
and is redirected to download the Agent, the “Restricted Network Access” text and button will appear
below the “Download Clean Access Agent” button on the page (Figure 11-2 on page 11-5) if the “Allow
restricted network access in case user cannot use Clean Access Agent” option is enabled under
Device Management > Clean Access > General Setup | Agent Login (see Allow restricted network
access in case user cannot use Clean Access Agent, page 10-18). If the user is not able to download the
Clean Access Agent, the user can click “Get Restricted Network Access” button to gain the access
permitted by the assigned role through the same browser page.
Note that:
• Restricted network access users appear on the In-Band Online Users List denoted by blue shading.
• Restricted network access users do not appear on the Certified List (since they have not met posture
assessment requirements).


Configure Network Policy Page (Acceptable Use Policy) for Agent Users
This section describes how to configure user access to a Network Policy page (or Acceptable Usage
Policy, AUP) for Clean Access Agent users. After login and requirement assessment, the Agent will
display an “Accept” dialog (Figure 12-68 on page 12-60) with a Network Usage Terms & Conditions
link to the web page that users must accept to access the network. You can use this option to provide a
policies or information page about acceptable network usage. This page can be hosted on an external
web server or on the CAM itself.

To Configure Network Policy Link


1. Go to Device Management > Clean Access > General Setup (see Figure 11-1 on page 11-4).
2. Make sure User Role, Operating System and Require use of Clean Access Agent are configured.
3. Click Show Network Policy to Clean Access Agent users [Network Policy Link:]. This will
display a link in the Clean Access Agent to a Network Usage Policy web page that Clean Access
Agent users must accept to access the network.
4. If hosting the page on the CAM, you will need to upload the page (for example, “helppage.htm”)
using Administration > User Pages > File Upload. See Upload a Resource File, page 5-12 for
details. If hosting the page on an external web server, continue to the next step.
5. Type the URL for your network policy page in the Network Policy Link field as follows:
– To link to an externally-hosted page, type the URL in the format:
http://mysite.com/helppages.

– To point to a page you have uploaded to the CAM, for example, “helppage.htm,” type the URL
as follows:
http://<CAM_IP_address>/upload/helppage.htm

6. Make sure to add traffic policies to the Temporary role to allow users HTTP access to the page. See
Adding Traffic Policies for Default Roles, page 9-27 for details.
To see how the Network Policy dialog appears to Agent users, see Figure 12-68 on page 12-60.
For a general illustration of where the Network Policy dialog appears during the Clean Access Agent
process, see Clean Access Agent Client Assessment Process, page 10-4.

Configure the Clean Access Agent Temporary Role


See Configure Clean Access Agent Temporary Role, page 9-19 for details on configuring traffic policies
and session timeout for the Agent Temp role.


Enable Network Access (L3 or L2)


By default, Cisco NAC Appliance supports in-band Clean Access Agent users within L2 proximity of
the Clean Access Server.
If deploying for VPN/L3, you must enable L3 support for web login or Clean Access Agent users that
are multiple L3 hops away from the CAS.
You can optionally restrict L2/L3 access so that Agent users cannot use home-based wireless routers or
NAT devices to connect to the network.
The CAS can be configured with the following network access options:
• Enable L3 support: When this option is enabled, the CAS allows all users from any hops away. For
multi-hop L3 in-band deployments, this setting enables/disables L3 discovery of the CAS for web
login users and Clean Access Agent users at the CAS level. When set, the CAS will be forced to use
the routing table to send packets.
• Enable L3 strict mode to block NAT devices with Clean Access Agent — When this option is
checked (in conjunction with “Enable L3 support”), the CAS verifies the source IP address of user
packets against the IP address sent by the Clean Access Agent and blocks all L3 Agent users with
NAT devices between those users and the CAS.
• Enable L2 strict mode to block L3 devices with Clean Access Agent — When this option is
enabled, the CAS verifies the source MAC address of user packets against the MAC address sent by
the Clean Access Agent and blocks all L3 Agent users (those more than one hop away from the
CAS). The user will be forced to remove any router between the CAS and the user’s client machine
to gain access to the network.
• All options left unchecked (Default setting)—The CAS performs in L2 mode and expects that all
clients are one hop away. The CAS will not be able to distinguish if a router is between the CAS and
the client and will allow the MAC address of a router as the machine of the first user who logs in and
any subsequent users. Checks will not be performed on the actual client machines passing through
the router as a result, as their MAC addresses will not be seen.

Note • If using L2 deployment only, make sure the Enable L3 support option is not checked.
• L3 and L2 strict options are mutually exclusive. Enabling one option will disable the other option.
• Enabling or disabling L3 or L2 strict mode ALWAYS requires an Update and Reboot of the CAS
to take effect. Update causes the web console to retain the changed setting until the next reboot.
Reboot causes the process to start in the CAS.

For further details on L2/L3 strict mode, refer to the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide.

CAS/Agent Discovery
For L2 discovery, the Agent sends discovery packets to all the default gateways of all the adapters on the
machine on which the Agent is running. If a CAS is present either as the default gateway (Real-IP/NAT
Gateway) or as a bridge before the default gateway (Virtual Gateway), the CAS will respond.
If the CAS does not respond via L2 discovery, the Agent will perform L3 discovery (if enabled). The
Agent attempts to send packets to the Discovery Host, an IP address on the trusted side of the CAS. This
IP address is set in the Discovery Host field of the Device Management > Clean Access > Clean
Access Agent > Installation page and is typically set by default to the IP address of the CAM. The Clean
Access Agent must be obtained from the CAS/CAM so that the Discovery Host is correctly set for UDP
8096 unicast to occur. When these packets reach a CAS (if present), the CAS intercepts the packets and
responds to the Agent. See Installation, page 11-14 for further details.

Note You can check the Discovery Host on the client by right-clicking the Clean Access Agent from the
taskbar menu and choosing Properties (see Figure 12-55 on page 12-55)

Note To discover the CAS, the Clean Access Agent sends SWISS (proprietary CAS-Agent communication
protocol) packets on UDP port 8905 for L2 users and on port 8906 for L3 users. The CAS always listens
on UDP ports 8905 and 8906 and accepts traffic on port 8905 by default. The CAS will drop traffic on
UDP port 8906 unless L3 support is enabled. The Agent performs SWISS discovery every 5 seconds.

This section describes the following:


• Enable L3 Deployment Support, page 11-8 (mandatory for VPN/L3 deployments)
• Enabling L2/L3 Strict Mode (Clean Access Agent Only), page 11-11 (mandatory for VPN/L3
deployments)

Enable L3 Deployment Support


This section describes how to enable support for L3 deployments (L3 in-band, L3 in-band/VPN, L3
out-of-band):
• Clean Access Agent Sends IP/MAC for All Available Adapters
• VPN/L3 Access for Clean Access Agent
• Enable L3 Support
• Disabling L3 Capability

Note Because the Certified List displays users authenticated and certified based on known L2 MAC address,
the Certified List does not display information for remote VPN/multihop L3 users.
To view authenticated remote VPN/multihop L3 users, see the In-Band Online Users List.
The User MAC field for VPN/multihop L3 users displays as “00:00:00:00:00:00.”

Clean Access Agent Sends IP/MAC for All Available Adapters


The Clean Access Agent automatically sends the MAC address of all network adapters on the client to
the Clean Access Server for all deployments. This Agent capability helps achieve the following:
• MAC-based device authentication (see Global Device and Subnet Filtering, page 3-7)
If the MAC address of a Clean Access Agent user is in an “allow” device filter, the CAS informs the
Agent in its UDP discovery response, and the Agent will allow device authentication and posture
assessment of the device without requiring any user login.
• L3 deployments (see Enable Web Client for Login Page, page 5-6)


The Agent always sends the MAC/IP address pair of the client at login request regardless of the CAS
configuration. The CAS then determines what to read or discard. If the CAS is enabled for L3
deployment, the CAS takes the MAC/IP address of the Agent at UDP discovery and at login request.
If the CAS is configured for L2 Strict mode, the CAS discards all IP addresses, because they are not
needed (see also Enabling L2/L3 Strict Mode (Clean Access Agent Only), page 11-11).
For additional information on L3 OOB, see “Configuring Layer 3 Out-of-Band (L3 OOB)” in the
Cisco NAC Appliance - Cisco Clean Access Server Installation and Administration Guide.

VPN/L3 Access for Clean Access Agent


The Clean Access Manager, Server, and Agent support multi-hop L3 deployment. The Agent:
1. Checks the client network for the Clean Access Server (L2 deployments), and if not found,
2. Attempts to discover the CAS by sending discovery packets to the CAM. This causes the discovery
packets to go through the CAS even if the CAS is multiple hops away (multi-hop deployment) so
that the CAS will intercept these packets and respond to the Agent.
In order for clients to discover the CAS when they are one or more L3 hops away, clients must initially
download the Agent from the CAS through the Download Clean Access Agent page after web login or
through auto-upgrade. Either method allows the Agent to acquire the IP address of the Discovery Host
(by default, the CAM) in order to send traffic to the CAM/CAS over the L3 network. Once installed in
this way, the Agent can be used for L3/VPN concentrator deployments or regular L2 deployments.
Acquiring and installing the Agent on the client by means other than direct download from the CAS (e.g.
from Cisco Secure Downloads) will not provide the necessary Discovery information to the Agent and
will not allow those Agent installations to operate in a multi-hop Layer 3 deployment.
To support VPN/L3 Access, you must:
1. Check the “Enable L3 support” option (see Enable L3 Support, page 11-10) and perform an Update
and Reboot of the CAS under Device Management > CCA Servers > Manage [CAS_IP] > Network > IP.
2. Specify a valid Discovery Host under Device Management > Clean Access > Clean Access Agent
> Installation (set by default to the trusted IP address of the CAM).
3. Clients must initially download the Agent from the CAS, in one of two ways:
– “Download Clean Access Agent” web page (i.e. via web login)
– Auto-Upgrade to Agent version 4.1.0.0 or above.
4. SSO is only supported when integrating Cisco NAC Appliance with Cisco VPN Concentrators.

Note • Uninstalling the Agent while still on the VPN connection does not terminate the connection.
• For VPN-concentrator SSO deployments, if the Agent is not downloaded from the CAS and is
instead downloaded by other methods (e.g. Cisco Secure Downloads), the Agent will not be able to
get the runtime IP information of the CAM and will not pop up automatically nor scan the client.
• If a 3.5.0 or prior version of the Agent is already installed, or if the Agent is installed through
non-CAS means (e.g. Cisco Secure Downloads), you must perform web login to download the Agent
setup files from the CAS directly and reinstall the Agent to get the L3 capability.


Enable L3 Support
This section describes how to enable L3 support on the CAS for web login or Clean Access Agent users.
1. Go to Device Management > CCA Servers > List of Servers and click the Manage button for
the CAS. The management pages for the Clean Access Server appear.
2. Click the Network tab. The IP form appears by default.

Figure 11-3 CAS Network Tab

3. The Clean Access Server Type should display the Server Type selected when the CAS was added
to the CAM.
4. Click the checkbox for Enable L3 support.
5. The Trusted Interface and Untrusted Interface settings should match the configuration
parameters given during the installation or your configured settings.
6. Click Update.
7. Click Reboot.
8. For Clean Access Agent users, make sure the Discovery Host field is correct under Device
Management > Clean Access > Clean Access Agent > Installation.

Note • The enable/disable L3 feature is disabled by default. You must Update and Reboot for changes in
this setting to take effect.
• L3 must be enabled for the Clean Access Agent to work with VPN tunnel mode.


Disabling L3 Capability
The administrator has the option of enabling or disabling the L3 feature at the CAS level (see Figure 11-3
on page 11-10). L3 capability will be disabled by default after upgrade or new install, and enabling the
feature will require an update and reboot of the Clean Access Server.

To Disable L3 Capability (CAS Level):


To disable L3 discovery of the Clean Access Server at the CAS level:
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Network > IP and disable
(uncheck) the checkbox for “Enable L3 support”.
2. Click Update.
3. Click Reboot.

Enabling L2/L3 Strict Mode (Clean Access Agent Only)


Administrators can optionally restrict Clean Access Agent client connection to the Clean Access Server
using L2 strict mode or L3 strict mode. The CAS can be configured with the following network access
options:
• Enable L3 support: When this option is enabled, the CAS allows all users from any hops away. For
multi-hop L3 in-band deployments, this setting enables/disables L3 discovery of the CAS for web
login users and Clean Access Agent users at the CAS level. When set, the CAS is forced to use the
routing table to send packets.
• Enable L3 strict mode to block NAT devices with Clean Access Agent — When this option is
checked (in conjunction with “Enable L3 support”), the CAS verifies the source IP address of user
packets against the IP address sent by the Clean Access Agent and blocks all L3 Agent users with
NAT devices between those users and the CAS.
• Enable L2 strict mode to block L3 devices with Clean Access Agent — When this option is
enabled, the CAS verifies the source MAC address of user packets against the MAC address sent by
the Clean Access Agent and blocks all L3 Agent users (those more than one hop away from the
CAS). The user will be forced to remove any router between the CAS and the user’s client machine
to gain access to the network.
• All options left unchecked (Default setting)—The CAS performs in L2 mode and expects that all
clients are one hop away. The CAS will not be able to distinguish if a router is between the CAS and
the client and will allow the MAC address of a router as the machine of the first user who logs in
and any subsequent users. Checks will not be performed on the actual client machines passing
through the router as a result, as their MAC addresses will not be seen.

Note • If using L2 deployment only, make sure the Enable L3 support option is not checked.
• L3 and L2 strict options are mutually exclusive. Enabling one option will disable the other option.
• Enabling or disabling L3 or L2 strict mode ALWAYS requires an Update and Reboot of the CAS
to take effect. Update causes the web console to retain the changed setting until the next reboot.
Reboot causes the process to start in the CAS.

For further details on L2/L3 strict mode, refer to the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide.
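The network access options listed here and in Enable Network Access (L3 or L2) above, together with the SWISS discovery port behaviour noted there, can be traced on sample traffic. The following is an added example written for this guide, not Cisco code: it models the CAS decision rules the text states (mutual exclusion of the strict modes, the IP and MAC comparisons, the 8906 drop without L3 support, and the default-mode case in which a router's MAC stands in for every client behind it). The port numbers are from the text; all addresses, user names and the `CasConfig`, `AgentPacket` and `CertifiedList` names are constructed for the demonstration.

```python
"""Model of the CAS network access options described in this chapter.

Added example, not Cisco code: it encodes the rules the text states for
"Enable L3 support", L3 strict mode, L2 strict mode and the all-unchecked
default, so the effect of each checkbox can be traced on sample traffic.
UDP ports 8905/8906 come from the text; every address is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

SWISS_L2_PORT = 8905  # Agent discovery (SWISS) port used by L2 users
SWISS_L3_PORT = 8906  # Agent discovery (SWISS) port used by L3 users


@dataclass
class CasConfig:
    l3_support: bool = False  # "Enable L3 support"
    l3_strict: bool = False   # "Enable L3 strict mode to block NAT devices"
    l2_strict: bool = False   # "Enable L2 strict mode to block L3 devices"

    def validate(self) -> None:
        # The two strict options are mutually exclusive.
        if self.l3_strict and self.l2_strict:
            raise ValueError("L3 strict and L2 strict mode are mutually exclusive")
        # L3 strict only has meaning in conjunction with "Enable L3 support".
        if self.l3_strict and not self.l3_support:
            raise ValueError("L3 strict mode requires 'Enable L3 support'")


def discovery_accepted(cfg: CasConfig, udp_port: int) -> bool:
    """The CAS listens on both SWISS ports but drops 8906 unless L3 support is on."""
    if udp_port == SWISS_L2_PORT:
        return True
    if udp_port == SWISS_L3_PORT:
        return cfg.l3_support
    return False


@dataclass
class AgentPacket:
    src_ip: str     # IP source address as the CAS sees it on the wire
    src_mac: str    # Ethernet source address as the CAS sees it
    agent_ip: str   # adapter IP reported inside the Agent message
    agent_mac: str  # adapter MAC reported inside the Agent message


def admit(cfg: CasConfig, pkt: AgentPacket) -> Tuple[bool, str]:
    """Apply the strict-mode comparisons to one Agent packet."""
    cfg.validate()
    if cfg.l3_strict and pkt.src_ip != pkt.agent_ip:
        return False, "L3 strict: source IP differs from Agent IP (NAT device in path)"
    if cfg.l2_strict and pkt.src_mac != pkt.agent_mac:
        return False, "L2 strict: source MAC differs from Agent MAC (client >1 hop away)"
    return True, "allowed"


@dataclass
class CertifiedList:
    """Default-mode bookkeeping: certified machines are keyed by the MAC the CAS sees."""
    by_mac: Dict[str, str] = field(default_factory=dict)

    def login(self, cfg: CasConfig, pkt: AgentPacket, user: str) -> Tuple[bool, str]:
        ok, reason = admit(cfg, pkt)
        if not ok:
            return False, reason
        owner = self.by_mac.get(pkt.src_mac)
        if owner is not None:
            # Behind a router the seen MAC is the router's, so every later client
            # inherits the first user's certification and is not checked itself.
            return True, f"MAC {pkt.src_mac} already certified for {owner}; checks skipped"
        self.by_mac[pkt.src_mac] = user
        return True, f"{user} certified on MAC {pkt.src_mac}"


# Constructed sample traffic: two clients behind one home NAT router, plus a
# routed (non-NAT) multi-hop client whose IP survives but whose MAC is the router's.
ROUTER_MAC = "00:11:22:33:44:55"
ALICE_BEHIND_NAT = AgentPacket("10.0.0.50", ROUTER_MAC, "192.168.1.10", "aa:bb:cc:00:00:01")
BOB_BEHIND_NAT = AgentPacket("10.0.0.50", ROUTER_MAC, "192.168.1.11", "aa:bb:cc:00:00:02")
CAROL_ROUTED = AgentPacket("10.0.0.60", ROUTER_MAC, "10.0.0.60", "aa:bb:cc:00:00:03")


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the sample packets through the configurations the chapter contrasts."""
    default, certified = CasConfig(), CertifiedList()
    l3_strict = CasConfig(l3_support=True, l3_strict=True)
    l2_strict = CasConfig(l2_strict=True)
    return {
        "default/alice": certified.login(default, ALICE_BEHIND_NAT, "alice"),
        "default/bob": certified.login(default, BOB_BEHIND_NAT, "bob"),
        "l3strict/alice": admit(l3_strict, ALICE_BEHIND_NAT),
        "l3strict/carol": admit(l3_strict, CAROL_ROUTED),
        "l2strict/carol": admit(l2_strict, CAROL_ROUTED),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

Running it shows the contrast the text draws: in the default mode Bob is admitted on Alice's certification because the CAS only sees the router's MAC, L3 strict blocks the NAT clients but admits the routed client, and L2 strict blocks anyone whose wire MAC is not the Agent's own.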


Configuring Agent Distribution/Installation


The latest Setup version of the Clean Access Agent is automatically included with the Clean Access
Manager software for each software release. The CAM automatically publishes the Agent Setup
installation file to each Clean Access Server after CAS installation and anytime the CAM acquires a new
version of the Agent through web Clean Access Updates or through a manual upload. To enable users to
download and install the Clean Access Agent Setup file, you must Require Use of the Clean Access
Agent, page 11-3. For new Agent users, the Clean Access Agent download page appears after the user
logs in for the first time via the web login. If auto-upgrade is enabled, existing Agent users are prompted
at login to upgrade if a new Agent version becomes available.
This section describes the following:
• Distribution, page 11-12
• Installation, page 11-14
• SSL Requirements for Mac OS/CAS Communication, page 11-18
• Clean Access Agent Stub Installer, page 11-17
• Configure Clean Access Agent Auto-Upgrade, page 11-25
• Manually Uploading the Agent to the CAM, page 11-31
• Downgrading the Agent, page 11-32

Distribution
The Distribution page (Figure 11-4) provides the following configuration options.

Figure 11-4 Distribution Page


• Clean Access Agent Temporary Role—Displays the name of the Agent temporary role (default is
“Temporary”). To change the Role Name, see Edit a Role, page 6-12.
• Windows Clean Access Agent
– Setup Version—The version for the complete Windows Agent Setup Installation file that came
with the software release you installed on the CAM. The Agent Setup file is needed for initial
installation of the Agent on the Windows client and is not distributed by Updates. See Agent
Setup and Agent Patch (Upgrade) Files, page 11-27.
– Patch Version—The version of the Agent Patch Upgrade file to be downloaded by an
already-installed Clean Access Agent to upgrade itself. The upgrade version reflects what the
CAM has downloaded from the Updates page. See Require Use of the Clean Access Agent, page
11-3.
• Macintosh Clean Access Agent Setup Version
The version for the complete Macintosh Agent Setup Installation file that came with the software
release you installed on the CAM. The Agent Setup file is needed for initial installation of the Agent
on a Mac OS client and is not distributed by Updates. See Mac OS X Agent Dialogs (Authentication
Only), page 12-62 for additional details.
• Current Clean Access Agent Patch is a mandatory upgrade—Checking this option and clicking
Update forces the user to accept the prompt to upgrade to the latest version of the Agent when
attempting login. If left unchecked (optional upgrade), the user is prompted to upgrade to the latest
Agent version but can postpone the upgrade and still log in with the existing Agent. See Disable
Mandatory Auto-Upgrade on the CAM, page 11-25.

Note New installations of the CAM/CAS automatically set the “Current Clean Access Agent Patch is
a mandatory upgrade” option by default under Device Management > Clean Access > Clean
Access Agent > Distribution. For CAM/CAS upgrades, the current setting (enabled or disabled)
will be carried over to the upgraded system.

• Do not offer current Clean Access Agent Patch to users for upgrade — Checking this option and
clicking Update prevents upgrade notifications (mandatory or optional) to all Agent users, even
when an Agent update is available on the CAM. Enabling this option in effect prevents distribution
of the Agent Patch upgrade to users.
• Clean Access Agent Setup/Patch to Upload— Use the Browse button to manually upload either
the Agent Setup Installation File (setup.tar.gz) or Agent Patch Upgrade file (upgrade.tar.gz) to this
field.

Note Because the CAM differentiates the Agent setup and upgrade file types by filename, it is
mandatory to retain the same filenames used on Cisco Secure Downloads, for example,
CCAAgentSetup-4.1.0.0.tar.gz or CCAAgentUpgrade-4.1.0.0.tar.gz

See Manually Uploading the Agent to the CAM, page 11-31 for further details.
• Version—For manual upload, keep the same version number used for the Clean Access Agent on
Cisco Secure Downloads.


Installation
The Clean Access Manager provides installation options to allow the administrator to configure the
Discovery Host for the Agent, as well as the user interaction needed when the Agent is initially installed.
The installation options apply to both direct installation of the Agent (where the user installs the Agent
directly on the client machine), and stub installation (where the Agent installer is launched through the
stub installer).

Note The 4.1(0) installation options apply to the Windows Agent installer only.

To configure installation options:


1. Make sure use of the Agent is required as described in Require Use of the Clean Access Agent, page
11-3
2. Go to Device Management > Clean Access > Clean Access Agent > Installation.

Figure 11-5 Clean Access Agent Installation Page

3. Enter a new Discovery Host, or leave the default (CAM IP address) as necessary for your network.
The Discovery Host field is used by the Clean Access Agent to send a proprietary, encrypted,
UDP-based protocol to the Clean Access Manager to discover the Clean Access Server in Layer-3
deployment. The field automatically populates with the CAM’s IP address (or DNS host name). In
most cases, the default IP address does not need to be changed, but in cases where the CAM’s IP
address is not routed through the CAS, the Discovery Host can be any IP address or host name that
can be reached from client machines via the CAS.


Note The Discovery Host is set to the IP of the CAM by default because the CAM must always be on
a routed interface on the trusted side of the CAS. This means any client traffic on the untrusted
side must pass through a CAS in order to reach the IP of the CAM. When the client attempts to
contact the Discovery Host IP, the CAS will intercept the traffic and start the login process. It is
assumed that best practices are applied to protect the CAM with ACLs, and that no client traffic
should ever actually arrive at the CAM. For extra security (once L3 is correctly deployed), you
can change the Discovery Host to an IP other than the CAM IP on the trusted side.

Note • The “Enable L3 support” option must be checked on the CAS (under Device Management >
Clean Access Servers > Manage [CAS_IP] > Network > IP) for the Clean Access Agent to work
in VPN tunnel mode.
• See Enable L3 Deployment Support, page 11-8 for additional information.

4. The Installation Options are enabled by default for Windows.


5. When the installer is launched directly by the user on the machine, choose from the following Direct
Installation Options:
– User Interface:
No UI—After the user clicks Open in the File Download dialog for the CCAAgent_Setup.exe
(or Saves and executes), there is no user input required. The “Preparing to Install” dialog only
appears briefly and the Agent is downloaded and installed automatically.
Reduced UI—After the user clicks Open (or Saves and executes) the CCAAgent_Setup.exe
file, the “Preparing to Install” and InstallShield Wizard “Installing Cisco Clean Access Agent”
screens display, but user input fields (such as “Next” buttons) are disabled, and the Agent is
extracted and installed automatically.
Full UI (default)—After the user clicks Open (or Saves and executes) the
CCAAgent_Setup.exe file, the normal installation dialogs appear. The InstallShield Wizard for
the Cisco Clean Access Agent displays, including the Destination Folder directory screen, and
the user must click through the panes using the Next, Install, and Finish buttons to complete the
installation.
– Run Agent After Installation:
Yes (default)—The Agent Login screen pops up after the Agent is installed.
No —The Agent Login screen does not appear after the Agent is installed. The user must
double-click the Clean Access Agent shortcut on the desktop to start the Agent and display it
on the taskbar. The Agent can be verified to be installed under Control Panel > Add/Remove
Programs > Cisco Clean Access Agent. Once the Agent is started, the Login screen will pop
up if Pop Up Login Window is enabled on the taskbar menu.
6. When the installer is invoked by the CCA Agent Stub, choose from the following Stub Installation
Options:
No UI—Only the dialog for the extracting installer is shown.
Reduced UI—Most of the installation dialogs are shown, but users are not allowed to choose
the target location.
Full UI (default)—All of the installation dialogs are shown, and users are allowed to choose the
target location. The user must click through the panes to complete the installation.


– Run Agent After Installation:


Yes (default)—The Agent Login screen pops up after the Agent is installed.
No—The Agent Login screen does not appear after Agent installation, and the Agent user must
double-click the desktop shortcut to start the Agent.
7. Click Update to save settings.
8. To download the MSI or EXE stub installer for the Windows Clean Access Agent, click one of the
following buttons:
– CCAA MSI Stub — Click this button to download the stub installer for the Clean Access Agent
in Microsoft Installer format (CAAgentMSIStub.zip). See Clean Access Agent Stub Installer,
page 11-17 for details.
– CCAA EXE Stub— Click this button to download the stub installer for the Clean Access Agent
in generic executable format (CCAAgentEXEStub.zip). See Clean Access Agent Stub Installer,
page 11-17 for details.

Note • When the stub is installed and running on a client machine, CCAAgentStub.exe will display under
Windows Task Manager > Processes.
• When the regular Agent is installed, the “Clean Access Agent” and “Uninstall Clean Access Agent”
shortcuts appear on the client desktop.


Clean Access Agent Stub Installer


Cisco NAC Appliance provides a stub installer to allow users without administrator permissions on their
machines to install or update the Clean Access Agent after the stub is installed by an admin user. The
installer proxy of the Agent installer is also enhanced to check the digital signature of any target
executable and to only perform installation when the digital signatures are trusted.
When the Agent Setup Installation program is started, it:
1. Extracts the installer
2. Checks the privileges of the current user
3. If the user has admin privileges, the installer is launched.
4. If the user is not an admin user:
a. It verifies whether or not the stub is running (or installed but not running)
b. If the stub is not running, the real installer of the Agent is not extracted and the Agent is not
installed.
c. If the stub is running, a request is sent to the stub to launch the installer in the Temp directory
of the local user (CCA will know the exact location of where the real installer has been
extracted).
The stub installer is obtained from the CAM using the administrator download buttons on the Clean
Access Agent Installation page: CCAA MSI Stub (Microsoft Installer format) or CCAA EXE Stub
(generic executable format). Table 11-1 describes the differences between regular installation and stub
installation of the Clean Access Agent.
Table 11-1 Installation—Regular Agent versus Agent Stub

Clean Access Agent:
• Requires administrator rights to install/upgrade
• Any rights to run
• Typically installed via CCA Weblogin (https) if user has rights or via corporate Systems
Management Server (SMS) if user has no rights

Clean Access Agent Stub (CCA Agent Stub offers an alternative to Agent deployment):
• Distribute Stub via Systems Management Server (SMS) to all users
• User installs CCA Agent from weblogin (no admin rights needed)
• User upgrades CCA Agent from CAS (no admin rights needed)
• Stub Agent is installed using admin rights via SMS
• Stub Agent can be used for initial Agent install
• Stub can be used to perform periodic Agent updates


SSL Requirements for Mac OS/CAS Communication


For the Mac OS Clean Access Agent to communicate with the Clean Access Server, the SSL
communication between the Agent and CAS must meet certain requirements. The CAS must have either:
• A valid CA-signed certificate (from a trusted Certificate Authority), or
• A temporary certificate that meets the requirements described below.

CAS Temporary Certificate Requirements for SSL Connection to Mac OS Agent


If using a temporary certificate for the CAS, make sure the following are in place.

Step 1 The CAS/CAM must use a fully qualified domain name (FQDN) as the “subject” DN on the certificate
(this is the “Full Domain Name or IP” on the CAS/CAM console). An IP address is not allowed. This
may require regenerating the certificate on your CAS. (See “Manage CAS SSL Certificates” in the Cisco
NAC Appliance - Clean Access Server Installation and Administration Guide for details.)
Step 2 On the Mac OS machine, the root certificate used to sign the temporary certificate must be installed
in the X509 Anchors keychain in the Keychain Access application. To do this, use the set of steps
below for the Mac OS version running on the machine:
• Installing the Root Certificate for Mac OS 10.2.x
• Installing the Root Certificate for Mac OS 10.3.x
• Installing the Root Certificate for Mac OS 10.4.x
Step 3 The Mac OS machine must be able to correctly resolve the FQDN name via DNS. There are two
approaches to this:
a. Add an entry into the DNS server which the Mac machine is using, or
b. For a test machine:
1. Enable your root account as described in Enable the Root User on Mac OS X, page 11-22
2. Edit the /etc/hosts file on the Mac machine by running sudo vi /etc/hosts to add a new
domain lookup entry.

Caution Because the CAS/CAM use the full domain name, you cannot use an IP address in the certificate. You
must use the domain name instead.

Caution Make sure your machine's date and time are valid for the certificate. If the current date and time fall out
of the range of the certificate, the Agent will not work.


Installing the Root Certificate for Mac OS 10.2.x


Use the following steps to import a root or CA certificate on a Macintosh running Mac OS X 10.2.

Note You must have administrative permissions on your computer in order to run these steps.

Step 1 Download the root certificate to your client machine (or desktop). See Obtaining the Root Certificate
from the CAS, page 11-23 for details.
Step 2 Make sure that the certificate is in privacy enhanced mail (PEM) format.

Note If the certificate is not in PEM format, you can use Microsoft Certificate Manager in the Office
folder to change formats. Import the certificate, then use the PEM format to save the certificate.

Step 3 Click the Finder icon in the Dock. From the Go menu, choose Applications.
Step 4 Open the Utilities folder.
Step 5 Double-click the Terminal program.
Step 6 Type the following commands, and press the Enter key after each line. Replace cert_filename with the
actual file name of your certificate.
cd ~/Desktop
cp /System/Library/Keychains/X509Anchors ~/Library/Keychains
certtool i cert_filename k=X509Anchors
sudo cp ~/Library/Keychains/X509Anchors /System/Library/Keychains

Step 7 You must enter an administrative password after you press Enter for the last Terminal command.
Figure 11-6 illustrates these steps.

Figure 11-6 Installing Root Certificate on Mac OS 10.2

Note The 10.2 certtool cannot import a certificate into any keychain that does not reside in your
~/Library/Keychains directory. The method outlined here resolves this issue by copying the
X509Anchors to ~/Library/Keychains, performing “certtool i” there, and then (as root) copying the
resulting X509Anchors back to /System/Library/Keychains/. For additional reference information for
importing the root certificate on Mac OS 10.2.x, see also:
http://support.microsoft.com/default.aspx?scid=kb;en-us;887413 and
http://lists.apple.com/archives/apple-cdsa/2004/Jul/msg00021.html


Installing the Root Certificate for Mac OS 10.3.x


Use the following steps to import a root or CA certificate on a Macintosh running Mac OS X 10.3.

Note You must have administrative permissions on your computer in order to run these steps.

Step 1 Download the root certificate to your client machine (or desktop). See Obtaining the Root Certificate
from the CAS, page 11-23 for details.
Step 2 Double click the root certificate to bring up the Add Certificates dialog (Figure 11-7).

Figure 11-7 Add Root Certificate on Mac OS 10.3

Step 3 Choose X509 Anchors from the Keychain dropdown menu.
Step 4 Click OK.
Step 5 The root certificate is now added to the X509 Anchors keychain (Figure 11-8).

Figure 11-8 Root Certificate Added on Mac OS 10.3.x


Installing the Root Certificate for Mac OS 10.4.x

Note You must have administrative permissions on your computer in order to run these steps.

Step 1 Download the root certificate to your client machine (or desktop). See Obtaining the Root Certificate
from the CAS, page 11-23 for details.
Step 2 Click the Finder icon in the Dock.
Step 3 From the Go menu, choose Applications.
Step 4 Open the Utilities folder.
Step 5 Launch the Keychain Access application.
Step 6 Drag the root certificate to the Keychain Access application.
Step 7 In the Add Certificates dialog box, click X509 Anchors and click OK.
Step 8 The root certificate is added (Figure 11-9).

Figure 11-9 Root Certificate Added on Mac OS 10.4.x


Enable the Root User on Mac OS X

Note Ensure you are an administrator on the machine. You must have access to an account that has
administrator privileges to perform the rest of these steps.

Step 1 Click the Finder icon in the Dock.
Step 2 From the Go menu, choose Applications.
Step 3 Open the Utilities folder.
Step 4 Open the NetInfo Manager utility.
Step 5 Click the lock in the NetInfo Manager window (or go to Security > Authenticate).
Step 6 Type your administrator account username and password and click OK.
Step 7 For Mac OS X 10.2 and later, choose Enable Root User from the Security menu (Figure 11-10).

Figure 11-10 Enable Root User

Step 8 Type a password for root to enable the root account. If you have not previously set a root password, an
alert box may appear that says "NetInfo Error," indicating that the password is blank. Click OK.
Step 9 Type the root password you wish to use and click Set.
Step 10 Retype the password for verification and click Verify.
Step 11 The root user is now enabled.
Step 12 Click the lock again to prevent changes.

Note For additional reference, see http://docs.info.apple.com/article.html?artnum=106290#one.

For more information on the Mac OS Agent, see also Mac OS X Agent Dialogs (Authentication Only),
page 12-62.


Obtaining the Root Certificate from the CAS

Because Internet Explorer allows exporting of the CAS certificate, this section describes how to obtain
the root certificate on a Windows system. Administrators can then transfer the certificate to their Mac
via email as an attachment, FTP, or USB storage device.

If the temporary certificate has not yet been installed on the Windows system:
Figure 11-11 illustrates the steps to initially download the temporary certificate.
1. Open an IE browser and enter any address. The browser will redirect to the authentication page for
web login.
2. Since the certificate has not been installed, the Security Alert dialog pops up from the browser.
Click the View Certificate button in the Security Alert dialog.
3. Click the Details tab in the Certificate window that pops up.
4. Click the Copy to File button in the Details tab.
5. Leave the format option as DER encoded binary X.509 (.CER) in the Certificate Export Wizard and
click Next to save the certificate on the Windows system.
6. Transfer the certificate to your Mac machine.

Figure 11-11 Download Certificate Option 1

If the browser already has the temporary certificate installed:

Figure 11-12 illustrates the steps to download the certificate if it is already installed on the system.
1. Open the IE browser.
2. Go to Tools > Internet Options. Click the Content tab then the Certificates button.
3. Click the Intermediate Root Certificate Authorities tab in the Certificates window.
4. Highlight the certificate issued by www.perfigo.com and click the Export button.


5. Choose a location on your Windows machine to save the certificate.
6. Transfer the certificate to your Mac machine.

Figure 11-12 Download Certificate Option 2


Configure Clean Access Agent Auto-Upgrade

This section describes the following:
• Enable Agent Auto-Upgrade on the CAM, page 11-25
• Disable Agent Upgrades to Users, page 11-25
• Disable Mandatory Auto-Upgrade on the CAM, page 11-25
• User Experience for Auto-Upgrade, page 11-26
• Uninstalling the Agent, page 11-26
• Agent Setup and Agent Patch (Upgrade) Files, page 11-27
• Auto-Upgrade Compatibility, page 11-28
• Upgrading from 3.5.0 and Below Agents, page 11-29

Enable Agent Auto-Upgrade on the CAM

To enable Clean Access Agent Auto-Upgrade, you must:
1. Be running release 4.1(0) or above of the Clean Access Manager and Clean Access Server and have
version 3.5.1 or above of the Clean Access Agent installed on clients.
(See User Experience for Auto-Upgrade, page 11-26.)
2. Require use of the Clean Access Agent for the role and client OS.
(See Require Use of the Clean Access Agent, page 11-3.)
3. Retrieve the latest version of the Agent Upgrade patch.
For both mandatory and optional auto-upgrade, a newer version of the Agent patch must be
downloaded to the CAM via Updates, or users will not be prompted to upgrade to the newer Agent.
(See Require Use of the Clean Access Agent, page 11-3.)

Disable Agent Upgrades to Users

You can disable notification and distribution of the Agent Patch upgrade to users as follows:
1. Go to Device Management > Clean Access > Clean Access Agent > Distribution
(see Figure 11-4 on page 11-12).
2. Click the checkbox for “Do not offer current Clean Access Agent Patch to users for upgrade.”
3. Click Update.

Disable Mandatory Auto-Upgrade on the CAM

New installs of the CAM/CAS automatically enable mandatory auto-upgrade by default. For CAM/CAS
upgrades, the current setting (enabled or disabled) will be carried over to the upgraded system. To disable
mandatory Agent auto-upgrade for all users:
1. Go to Device Management > Clean Access > Clean Access Agent > Distribution (Figure 11-4 on
page 11-12).
2. Uncheck the option for “Current Clean Access Agent Patch is a mandatory upgrade.”
3. Click Update.


Note It is recommended to set the “Current Clean Access Agent Patch is a mandatory upgrade” option to
ensure the latest AV/AS product support.

User Experience for Auto-Upgrade

With auto-upgrade enabled, and a newer Patch Upgrade version of the Agent available in the CAM, the
user experience is as follows:
• New users download and install the latest available Setup version of the Agent after the initial
one-time web login.
• Existing users are prompted at login to auto-upgrade to the latest Patch version of the Agent
available (if upgrade notification is enabled for users). After the user clicks OK (mandatory
upgrade), or Yes (non-mandatory upgrade), the client automatically starts the install of the newer
Agent version.
• Out-of-Band users must be on the Authentication VLAN to be prompted to auto-upgrade at login.
• In-band users remain logged into the Clean Access Agent when the user logs off the Windows
domain or shuts down the machine, unless the General Setup page is configured otherwise. See
Logoff Clean Access Agent users from network on their machine logoff or shutdown (for Windows
& In-Band only), page 10-19 for details.
See also Auto-Upgrade Compatibility, page 11-28 for further details.

Uninstalling the Agent

This section describes how to:
• Uninstall Windows Clean Access Agent, page 11-26
• Uninstall Mac OS Clean Access Agent, page 11-26

Uninstall Windows Clean Access Agent

The Windows Agent installs to C:\Program Files\Cisco Systems\Clean Access Agent\ on the client. You
can uninstall the Clean Access Agent in the following ways:
• By double-clicking the Uninstall Clean Access Agent desktop icon.
• By going to Start Menu > Programs > Cisco Systems > Cisco Clean Access > Uninstall Clean
Access Agent, or
• By going to Start Menu > Control Panel > Add or Remove Programs > Cisco Clean Access
Agent

Uninstall Mac OS Clean Access Agent

There are two steps to uninstall the Clean Access Agent on Mac OS X:
1. Drag the Clean Access Agent application to the trash can. The Agent application is located in
/Library/Application Support/Cisco Systems/CCAAgent.app.
2. Drag the Clean Access Agent installation receipt to the trash can. The receipt is located in
/Library/Receipts/CCAAgent.pkg.


Once these two steps are done, the next time you run the installer, the button in the installer will display
“INSTALL” instead of “UPGRADE” because you have completely removed all traces of the application.

Agent Setup and Agent Patch (Upgrade) Files

Clean Access Agent Auto-Upgrade provides a distinction between the Agent Setup version and the
Agent Patch (Upgrade) version of the client installation files. These reflect the two installers of the same
Agent that are used under different conditions:
• Agent Setup Installer
Used for fresh installs on clients that do not have a previous version of the Agent already installed.
Users download the Agent Setup file from the “Download Clean Access Agent” page after an initial
one-time web login.
• Agent Upgrade (or Patch) Installer
Downloaded by an already-installed, older version of the Clean Access Agent to upgrade itself.
Users are prompted to download the Agent Upgrade file after user login and optionally after
machine reboot (if configured in the General Setup page).

Loading Agent Installation Files to the CAM

The Agent Setup or Upgrade file is placed on the CAM as described below. Once either of these files is
in the CAM, it is published to the Clean Access Servers, then distributed to clients/users.

Agent Setup
The Agent Setup file is the complete Agent Setup installation file that comes with the Clean Access
Manager software release. It is not distributed by Internet updates. It can only be:
1. Installed by CAM CD installation.
2. Installed by CAM software upgrade.
3. Installed by manually uploading the CCAAgentSetup-4.1.x.y.tar.gz file (or
CCAAgentMacOSX-4.1.0.0.tar.gz for the Clean Access Mac OS X Agent) to the CAM via the web
console. See Manually Uploading the Agent to the CAM, page 11-31 for details.

Agent Patch (Upgrade)

The Agent Patch file is the upgrade file downloaded and installed by an existing Agent. It can only be:
1. Installed by CAM CD installation.
2. Installed by CAM software upgrade.
3. Installed by Clean Access Updates from the Internet (via Device Management > Clean Access >
Updates).
4. Installed by manually uploading the CCAAgentUpgrade-4.1.x.y.tar.gz file to the CAM via the web
console.
See Manually Uploading the Agent to the CAM, page 11-31 for details.

Caution Because the CAM differentiates the Agent setup and upgrade file types by filename, it is mandatory for
users to retain the same names used for the files on Cisco Secure Downloads, for example,
CCAAgentSetup-4.1.0.0.tar.gz or CCAAgentUpgrade-4.1.0.0.tar.gz.


Auto-Upgrade Compatibility
The newest version of the Clean Access Agent Setup Installation and Patch (Upgrade) installation files
are automatically included with the CAM software for each Cisco NAC Appliance software release.
Every version of the Clean Access Agent is intended to have basic compatibility with the same version
of the server product. For example:
• 4.1.0.0 Agent works with 4.1(0) CAS/CAM
• 4.0.0.0 Agent works with 4.0(0) CAS/CAM
Basic compatibility means the Agent is able to perform basic functions such as login, logout, look for
configured requirements, and report vulnerabilities.

Versioning
The 4-digit versioning of the Clean Access Agent differentiates major versus minor upgrades as follows:
• Agent version 4.1.0.0 is bundled with Cisco NAC Appliance version 4.1(0).
• Minor upgrades to the Agent (e.g. 4.1.0.1) typically reflect enhancements for Agent compatibility
or AV/AS product support.
For a new Agent version bundled with a Cisco NAC Appliance release (e.g. 4.1.0.0), the new Agent
incorporates and supersedes previous minor updates of the Agent (e.g. 4.1.0.1). By design, every 4.1
Agent is intended to have basic backward compatibility with any 4.1(x) Clean Access Server.
Updates to versions of the Clean Access Agent may add additional functionality, or AV/AS support in
conjunction with updated product support for the Supported AV/AS Product List.

Cisco Updates
Once the Clean Access Agent is installed on clients, it automatically detects when an Agent upgrade is
available, downloads the upgrade from the CAS, and upgrades itself on the client after user confirmation.
Administrators can make Agent Auto-Upgrade mandatory or optional for users.
The Clean Access Agent Distribution page provides a “Do not offer current Clean Access Agent Patch
to users for upgrade” option to prevent upgrade notifications when an Agent update becomes available
on the CAM. Enabling this option prevents distribution of the Agent Patch upgrade to users when a
newer Agent is downloaded to the CAM.

Note • Only 4.1(x) Clean Access Servers can auto-download 4.1.x.x Agents and distribute them to clients.
• Customers upgrading to 4.1(x) should upgrade all clients to the 4.1.x.x Agent.
• Auto-upgrade is typically supported from any 3.5.1+ Agent directly to the latest 4.1.x.x Agent.
• Agents are not supported across major releases. Do not use 4.1.x.x Agents with prior releases (e.g.
4.0(x)/3.6(x)) or vice versa. However, the upgrade of older Agents (3.5.1+) to 4.1.x.x is supported.
• For users with Agents older than 3.5.1, see Upgrading from 3.5.0 and Below Agents, page 11-29.
• For further details on version upgrade restrictions, refer to the “Agent Upgrade Compatibility
Matrix” of the Release Notes for Cisco NAC Appliance Version 4.1(x).


Upgrading from 3.5.0 and Below Agents

Versions 3.5.0 and below of the Clean Access Agent do not support the auto-upgrade feature. In this
case, you can have users upgrade from previous versions of the Clean Access Agent to version 4.1.0.0
or above in several ways, including:
• CD install
Distribute the setup executable (.exe) to users via CD.

Note If you plan to enable VPN/L3 access for your users, make sure the Agent Setup Installation File
you distribute has been downloaded from the CAS directly to enable clients to acquire the CAM
IP information required for VPN/L3 capability.

• Web login / download Clean Access Agent
Inform all users to perform web login, which will redirect users to the Clean Access Agent download
page if Agent use is required for that user role and client OS.
• Create a File Distribution requirement that distributes the newest 4.1.0.0+ setup executable
This last method is described below.

Agent Upgrade Through File Distribution Requirement

The following steps illustrate how to upgrade the Clean Access Agent for users running a version that
does not support auto-upgrade (i.e. version 3.5.0 or below). The steps show how to create a software
package requirement that enforces download and installation of the required software before users in the
role can log onto the network. In this case, the required package is the Agent Setup Installation file for
a newer version of the Agent.
After the user downloads the file and double-clicks the executable, the Agent installer (3.5.1+) will
automatically detect if a previous Agent version is installed, remove the old version and install the new
version in one pass. It will also shut down the previous version of the application if it is running on the
client during upgrade. The user will then be prompted to login using the new version of the Agent.

Note When configuring requirements for roles, keep in mind that old versions of the Agent will not support
newer features of newer Agents (i.e. if creating an Agent upgrade requirement, make sure to apply only
that requirement to the role; do not apply additional requirements that an older Agent will not be able to
support). See also Auto-Upgrade Compatibility, page 11-28.

Note For this procedure (requirement for clients) the .exe file is uploaded.

Step 1 Log into the Clean Access Agent download page at
http://www.cisco.com/kobayashi/sw-center/ciscosecure/cleanaccess.shtml and download the latest
Clean Access Agent Install file (e.g. CCAAgentSetup-4.1.x.y.tar.gz) to an accessible location on your
machine (replace the .x.y in the filename with the applicable version number).

Note Distributing an Agent Installation file obtained from Cisco Secure Downloads will not enable
clients to acquire the CAM IP information required for VPN/L3 capability. Users must obtain
the Agent Installation file directly from the CAS to enable VPN/L3 access from the Agent.


Step 2 Untar the file (replace the .x.y in the filename with the applicable version number):

> tar xzvf CCAAgentSetup-4.1.x.y.tar.gz

Step 3 The CCAA folder will contain the CCAAgent_Setup.exe file.

Step 4 On the CAM web admin console, go to Device Management > Clean Access > Clean Access Agent >
Rules > New Check. Create a Registry Check (Type: Registry Value) that checks for a Version (Value
name:Version and Value Data Type:Version) later than 4.1.x.(y-1) in the registry of the client
(HKLM\SOFTWARE\Cisco\Clean Access Agent\). For example, if you want to distribute 4.1.0.1, make
the registry check look for a Version later than 4.1.0.0. Select a client OS for the check/rule, check the
option for “Automatically create rule based on this check,” and click Add Check.
Step 5 Go to Device Management > Clean Access > Clean Access Agent > Requirements > New
Requirement. Create a File Distribution requirement, browse to the CCAA folder, and upload the
untarred CCAAgent_Setup.exe file in the “File to Upload” field. Make sure to select a client OS, type
a requirement name and instructions for the user, and click Add Requirement.
(Example instructions could be:
You are running version 3.5.0 or below of the Clean Access Agent. Please upgrade to
the latest version by clicking the Download button. Save the CCAAgent_Setup.exe file
to your computer, then double-click this file to start the installation. Follow the
prompts to install the Agent.)

Step 6 Under Device Management > Clean Access > Clean Access Agent > Requirements >
Requirement-Rules, select your Agent upgrade requirement and operating system, click the checkbox
for your registry check rule, and click Update.
Step 7 Under Device Management > Clean Access > Clean Access Agent > Requirements >
Role-Requirements, select your Agent upgrade requirement and map it to user roles.
Step 8 Make sure to add traffic policies to the Temporary user role to allow HTTP access to only the IP address
of your Clean Access Manager. This allows clients to download the setup executable file.
Step 9 Test as a user. If all is correctly configured, you will be able to download, install, and login with the
4.1.x.y Clean Access Agent.

Note SmartEnforcer 3.2.x is no longer supported. If you are currently running SmartEnforcer 3.2.x, you will
need to install the 4.1.0.0 or above Agent to use it with the 4.1(x) CAM/CAS.


Manually Uploading the Agent to the CAM

When performing a software upgrade or new install of the CAM/CAS, it is not necessary to upload
installation or patch upgrade files for the Clean Access Agent since they are automatically included with
the CAM software. However in certain cases, you can manually upload the Agent Setup Installation File
(setup.tar.gz) or Agent Patch Upgrade File (upgrade.tar.gz) directly to the CAM, for example, if you
need to reinstall the Agent or downgrade the version of the Agent distributed to new users (see
Downgrading the Agent, page 11-32 for details). This feature allows administrators to revert to a
previous Setup or Patch upgrade file for distribution.

Note You can manually upload either the Agent Setup Installation File or Agent Patch Upgrade file using the
same Distribution page interface control. Because the CAM differentiates the Agent setup and upgrade
file types by filename, it is mandatory to retain the same filenames used on Cisco Secure Downloads, for
example, CCAAgentSetup-4.1.0.0.tar.gz or CCAAgentUpgrade-4.1.0.0.tar.gz.

Note The CAM will automatically publish the Agent Setup file or Agent Upgrade file to the connected
CAS(es) when the file is uploaded manually. There is no version check while publishing, so the Agent
Setup can be downgraded or replaced. For details on version compatibility for the CAM/CAS and Agent,
refer to the “Agent Upgrade Compatibility Matrix” section of the Release Notes for Cisco NAC
Appliance Version 4.1(x).

The following steps describe how to manually upload the Agent setup or patch file to the CAM.

Caution You must upload the Agent setup or patch file as a tar.gz file (without untarring it) to the CAM. Make
sure you do NOT extract the .exe file before uploading.

Step 1 Log into Cisco Secure Software
(http://www.cisco.com/kobayashi/sw-center/ciscosecure/cleanaccess.shtml) and open the Cisco Clean
Access Agent download page to download the CCAAgentSetup-4.1.x.y.tar.gz file or
CCAAgentUpgrade-4.1.x.y.tar.gz file to an accessible location on your machine (replace the .x.y in the
filename with the applicable version number).
Step 2 Go to Device Management > Clean Access > Clean Access Agent > Distribution
(see Distribution, page 11-12).
Step 3 In the Clean Access Agent Setup/Patch to Upload field, click Browse, and navigate to the folder where
the Clean Access Agent setup or patch file is located.
Step 4 Select the .tar.gz file and click Open. The name of the file should appear in the text field.
Step 5 In the Version field, type the version of the Agent to be uploaded (for example, 4.1.0.0). The Version
you enter should match exactly the version of the .tar.gz file.
Step 6 Click Upload.
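Pre-upload checks for the filename and Version field described in this section and its notes, as an added example (not Cisco code). The CCAA/CCAAgent_Setup.exe layout is taken from the Agent Upgrade Through File Distribution Requirement procedure; the sample archive is constructed in memory and the function names are my own.

```python
"""Pre-upload sanity checks for Agent Setup/Upgrade files destined for the CAM.

Added example; not Cisco code. The guide states that the CAM distinguishes the
Setup and Upgrade (Patch) file types by filename, that the Version field must
exactly match the file's version, that the .tar.gz is uploaded un-extracted,
and that the Windows Setup archive unpacks to CCAA/CCAAgent_Setup.exe.
"""
import io
import re
import tarfile
from typing import Tuple

# Filenames as used on Cisco Secure Downloads (from the guide).
_NAME_RE = re.compile(
    r"^(CCAAgentSetup|CCAAgentUpgrade|CCAAgentMacOSX)-(\d+\.\d+\.\d+\.\d+)\.tar\.gz$")
_KINDS = {"CCAAgentSetup": "setup", "CCAAgentUpgrade": "upgrade",
          "CCAAgentMacOSX": "macosx-setup"}
SETUP_EXE = "CCAA/CCAAgent_Setup.exe"


def classify_agent_file(filename: str) -> Tuple[str, str]:
    """Return (kind, version) for a filename the CAM would accept, else raise."""
    if filename.lower().endswith(".exe"):
        raise ValueError("upload the .tar.gz as downloaded; do not extract the .exe first")
    m = _NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a CCAAgentSetup/Upgrade/MacOSX-a.b.c.d.tar.gz name: {filename!r}")
    return _KINDS[m.group(1)], m.group(2)


def version_field_ok(filename: str, typed_version: str) -> bool:
    """The Version typed on the Distribution page must equal the file's version."""
    return classify_agent_file(filename)[1] == typed_version.strip()


def setup_archive_ok(data: bytes) -> bool:
    """True when the gzip-compressed tar contains CCAA/CCAAgent_Setup.exe."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            names = {m.name.replace("\\", "/").lstrip("./") for m in tar.getmembers()}
    except (tarfile.TarError, OSError, EOFError):
        return False
    return SETUP_EXE in names


def build_sample_setup_archive(exe_bytes: bytes = b"MZ constructed placeholder") -> bytes:
    """Constructed sample archive with the CCAA/CCAAgent_Setup.exe layout (not a real Agent)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(SETUP_EXE)
        info.size = len(exe_bytes)
        tar.addfile(info, io.BytesIO(exe_bytes))
    return buf.getvalue()


if __name__ == "__main__":
    name = "CCAAgentSetup-4.1.0.0.tar.gz"
    print(name, classify_agent_file(name), "version field ok:", version_field_ok(name, "4.1.0.0"))
    print("sample archive layout ok:", setup_archive_ok(build_sample_setup_archive()))
```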


Downgrading the Agent

The following steps describe how to manually downgrade the version of the Clean Access Agent on the
CAM. See also Manually Uploading the Agent to the CAM, page 11-31 for additional details.

Step 1 Under Device Management > Clean Access > Clean Access Agent > Distribution, disable the
“Current Clean Access Agent Patch is a mandatory upgrade” checkbox and click Update.
Step 2 Under Device Management > Clean Access > Updates, disable the “Check for CCA Agent upgrade
patches” checkbox and click Update.
Step 3 From the appropriate Cisco Clean Access folder on the Cisco Secure Software website
(http://www.cisco.com/kobayashi/sw-center/ciscosecure/cleanaccess.shtml), download the
CCAAgentSetup-4.1.x.x.tar.gz and CCAAgentUpgrade-4.1.x.x.tar.gz files for the prior version of the
Agent you want to distribute to your users.
Step 4 Make sure that all the CASs are listed with a status of “Connected” under Device Management > CCA
Servers > List of Servers.
Step 5 Under Device Management > Clean Access > Clean Access Agent > Distribution, browse to and
upload first the Setup.tar.gz file then the Upgrade.tar.gz file to the CAM. Make sure you type the correct
version of the Agent (e.g. 4.1.0.0) in the Version Field before you click Upload. Files will be published
to the CASs automatically.
Step 6 Additionally, you can set up a new Link Distribution requirement for the downgraded 4.1.x.x CCA
Agent. Set up a registry check to verify if the Agent version matches the downgraded version you want
to distribute (e.g. 4.1.0.0). If not, users should be directed to the following URL:
https://<CAS_IP_or_name>/auth/perfigo_dm_enforce.jsp.
Step 7 Alternatively, you can instead create a Local Check requirement that provides instructions to the end user
to uninstall the Agent (e.g. 4.1.xx) and perform weblogin again to download the downgraded Agent (e.g.
4.1.0.0).

Chapter 12
Configuring Clean Access Agent Requirements

This chapter describes how to configure the Clean Access Agent to be used for vulnerability assessment
and remediation of client machines.
• Summary, page 12-1
• Configuration Steps for Clean Access Agent Requirements, page 12-2
• Create Clean Access Agent Requirements, page 12-3
• Viewing Clean Access Agent Reports, page 12-49
• Clean Access Agent User Dialogs, page 12-51
• Troubleshooting the Agent, page 12-71

Summary
The Clean Access Agent provides local-machine agent-based vulnerability assessment and remediation
for client machines. Users download and install the Clean Access Agent (read-only client software),
which can check the host registry, processes, applications, and services. The Clean Access Agent can be
used to perform Windows updates or antivirus/antispyware definition updates, launch qualified
remediation programs, distribute files uploaded to the Clean Access Manager, distribute website links to
websites in order for users to download files to fix their systems, or simply distribute
information/instructions.
After users log into the Clean Access Agent, the Agent gets the requirements configured for the user
role/OS from the Clean Access Server, checks for the required packages and sends a report back to the
CAM (via the CAS). If requirements are met on the client, the user is allowed network access. If
requirements are not met, the Agent presents a dialog to the user for each unmet requirement. The dialog
(configured in the New Requirement form) provides the user with instructions and the action to take for
the client machine to meet the requirement.
Clean Access Agent vulnerability assessment is configured in the CAM by creating requirements based
on rules and (optionally) checks, then applying the requirements to user roles/client OSes. This chapter
describes how to configure these requirements.

Note For an illustrated overview, see Clean Access Agent Client Assessment Process, page 10-4.


Configuration Steps for Clean Access Agent Requirements

The basic steps needed to configure the Clean Access Agent are as follows:

Step 1 Make sure to follow the steps in Chapter 11, “Distributing the Clean Access Agent” to enable
distribution and download of the Clean Access Agent.
Step 2 Create Clean Access Agent Requirements, page 12-3
• Configuring Windows Update Requirement, page 12-4
• Configuring AV/AS Definition Update Requirements, page 12-8
• Configure Launch Programs Requirement, page 12-19
• Cisco Pre-Configured Rules (“pr_”), page 12-21
• Using Cisco Pre-Configured Rules to Check for CSA, page 12-21
• Configure Custom Checks, Rules and Requirements, page 12-22
• Configure an Optional Requirement, page 12-38
Step 3 Map Requirement to Rules, page 12-34
Step 4 Apply Requirements to Role, page 12-36
Step 5 Validate Requirements, page 12-37
Step 6 Clean Access Agent User Dialogs, page 12-51
Step 7 Troubleshooting the Agent, page 12-71


Create Clean Access Agent Requirements

To implement Clean Access Agent system requirements, you configure and map together the following
elements:
• Requirements
• Rules (AV/AS rules, pr_ rules, or custom rules)
• Checks (pc_ checks or custom checks)—only needed if creating custom rules
• User roles and operating systems
Requirements are used to implement business-level decisions about what users must (or must not) have
running on their systems to be able to access the network. The requirement mechanism maps one or more
rules that you want clients in a user role to meet to the action you want users in the role to take if the
client fails the requirement’s rules. When you create a New Requirement, you choose from one of 7
requirement types (File Distribution, Link Distribution, Local Check, AV Definition Update, AS
Definition Update, Windows Update, or Launch Programs (new for 4.1)) to configure the type of action
and remediation instructions the Clean Access Agent dialogs will present to the user when the client fails
the requirement.
A rule is the unit used by the Clean Access Agent to assess whether a requirement is met on a particular
operating system. A rule can be an AV/AS rule, Cisco pre-configured rule (pr_rule) or a custom rule
made up of a check or a combination of checks.
You must map rules to requirements.
A check is a single registry, file, service, or application check for a selected operating system, and is used
to create a custom rule. A check can be a Cisco pre-configured check (pc_ check) or a custom check you
create yourself.
Once a requirement is associated with rules, the final configuration step is to associate the requirement
to a normal login user role. Users who attempt to authenticate into the normal user role are put into the
Temporary role until they pass requirements associated with the normal login role:
• If they successfully meet the requirements, the users are allowed on the network in the normal login
role.
• If they fail to meet the requirements, users stay in the Temporary role for the session timeout until
they take the steps described in the Agent dialogs and successfully meet the requirements.
For out-of-band users, successfully authenticating and meeting requirements allows the users to leave
the in-band network (on the Auth VLAN) and access the out-of-band network on the Access VLAN.
To map a requirement to a normal login user role, the role must already be created as described in Create
User Roles, page 6-1.


Configuring Windows Update Requirement

The Clean Access Agent “Windows Update” Requirement type configuration page allows administrators
to check and modify Windows Update settings, and launch Windows Updater (Automatic Updates or
WSUS Agent for Local Windows Server Update Services (WSUS)) on Clean Access Agent user
machines. When this requirement is configured, the administrator can turn on Automatic Updates on
Windows 2000 or XP clients which have this option disabled on the machine. If Automatic Updates are
already enabled on the user machine, the administrator can override the user-specified update option
with the administrator-specified option. In addition, administrator-specified Windows Update settings
can be applied temporarily on the user machine or can be set to permanently override user preferences
to ensure updates are always performed.
The “Windows Update” requirement (set to Optional) provides an Update button on the Clean Access
Agent for remediation. When the end user clicks the Update button, the CCA Agent will launch the
AU/WSUS Agent and force it to get the update software from the WSUS Server. The software download
from WSUS may take some time. It is recommended to set the Windows Update requirement to Optional
(default) for WSUS remediation to occur as a background process.

Note • The network administrator must ensure the Automatic Updates Agent is updated to support local
WSUS server for the auto-launch to work. For details, refer to
http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx
• The Windows Update requirement type is only for Windows XP and 2000. It supports checking of
Automatic Updates (AU) Options, changing of AU Options and one-button Update launch of
AU/WSUS Agent.
• The Agent launches WindowsUpdater:
– One-button Update that launches Automatic Updates/ WSUS Agent
– Forces update from local WSUS Server (if Automatically Download and Install is selected)
• The Windows Update requirement is set to optional by default.
– WSUS forced update may take a while. It will be launched and run in the background.
– If there are update errors, see C:\Windows\Windows Update.log or
C:\Windows\WindowsUpdate.log

The steps to create a Windows Update Requirement are as follows:

Step 1 Create Windows Update Requirement, page 12-4
Step 2 Map Windows Update Requirement to Windows Rules, page 12-7
Step 3 Apply Requirements to Role, page 12-36
Step 4 Validate Requirements, page 12-37

Create Windows Update Requirement


The following steps show how to configure a Windows Update requirement:
1. Go to Device Management > Clean Access > Clean Access Agent > Requirements > New
Requirement.


Figure 12-1 New Windows Update Requirement

2. From the Requirement Type dropdown menu, choose Windows Update.


3. Choose an Enforce Type from the dropdown menu:
– Mandatory—Enforce requirement. The user is informed of this requirement and cannot
proceed or have network access unless the client system meets it.
– Optional—Do not enforce requirement. The user is informed of the requirement but can bypass
it if desired (by clicking “Next”). The client system does not have to meet the requirement for
the user to proceed or have network access.
– Audit—Silently audit. The client system is checked “silently” for the requirement without
notifying the user, and a report is generated. The report results (pass or fail) do not affect user
network access.

Note Because the Windows Update process runs in the background, this requirement type is set by
default to “do not enforce” to optimize the user experience. It is recommended to leave this
requirement as Optional if selecting the “Automatically download and install” option. A WSUS
forced update may take a while, and is launched and run in the background.

4. Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means
this requirement is checked on the system ahead of all other requirements (and appears in the Agent
dialogs in that order). Note that if a Mandatory requirement fails, the Agent does not continue past
that point until that requirement succeeds.
5. From the Windows Update Setting dropdown, choose one of the following options:
– Do not change setting
– Notify to download and install
– Automatically download and notify to install


– Automatically download and install
These settings correspond to the Automatic Updates dialog settings on the Windows client
(Figure 12-2).
6. Click the checkbox for Permanently override user setting with administrator Windows Update
Setting, if you want to enforce your administrator-specified setting for Automatic Updates on all
client machines during and after Windows Update. If left unchecked, the admin setting will only
apply when Automatic Updates are disabled on the client; otherwise the user setting applies when
Automatic Updates are enabled.
7. For the Requirement Name, type a unique name to identify this requirement in the Agent. The name
will be visible to users on the Clean Access Agent dialogs.
8. In the Description field, type a description of the requirement and instructions to guide users who
fail to meet the requirement, including instructions for users to click the Update button to update
their systems. Note that Windows Update displays the Update button on the Agent.
9. Click the Windows XP and/or Windows 2000 checkbox(es) to set the Operating System for the
requirement.
10. Click Add Requirement.

Figure 12-2 Windows XP Automatic Updates


Map Windows Update Requirement to Windows Rules


1. Go to Device Management > Clean Access > Clean Access Agent > Requirements >
Requirement-Rules.

Figure 12-3 Map Windows Update Requirement to Rules

2. From the Requirement Name dropdown menu, choose the Windows Update requirement you
configured.
3. From the Operating System dropdown menu, select either Windows XP or Windows 2000. Once
you have configured the requirement-rule mapping for one OS, you can select settings for the other
OS and update the mapping accordingly.
4. Choose one of the following options for Requirement met if:
– All selected rules succeed (default)
– Any selected rule succeeds
– No selected rule succeeds
5. Ignore the AV Virus/AS Spyware Definition rule options.
6. The Rules for Selected Operating System list will display all rules that exist in the system for the
chosen OS (pr_rules or rules that you have configured). Click the checkbox for each rule you want
to enable for this requirement. Typical rules that are associated to this requirement are:
– pr_AutoUpdateCheck_Rule (Win XP (All), 2000)
– pr_XP_Hotfixes (Win XP Pro/Home)


– pr_2K_Hotfixes (Win 2000)


Note that all rules are listed under Device Management > Clean Access > Clean Access Agent >
Rules > Rule List.
7. Click Update to complete the mapping.
Step 5 Continue to the next steps—Apply Requirements to Role, page 12-36 and Validate Requirements, page
12-37—to complete the configuration.

Configuring AV/AS Definition Update Requirements


The AV Definition Update and AS Definition Update requirement type can be used to update the
definition files on a client for supported antivirus or antispyware products. If the client fails to meet the
AV/AS requirement, the Clean Access Agent communicates directly with the installed antivirus or
antispyware software on the client and automatically updates the definition files when the user clicks the
Update button on the Agent dialog.
AV Rules incorporate extensive logic for 24 antivirus vendors and are associated with AV Definition
Update requirements. AS Rules incorporate logic for 17 antispyware vendors and are associated with AS
Definition Update requirements. For AV or AS Definition Update requirements, the configuration is
similar to that of custom requirements, except there is no need to configure checks. You associate:
• AV Definition Update requirement with AV Rule(s) and user roles and operating systems
• AS Definition Update requirement with AS Rule(s) and user roles and operating systems
and configure the Clean Access Agent dialog instructions you want the user to see if the AV or AS
requirement fails.

Note Where possible, it is recommended to use AV Rules mapped to AV Definition Update Requirements to
check antivirus software on clients. In the case of a non-supported AV product, or if an AV
product/version is not available through AV Rules, administrators always have the option of using Cisco
provided pc_checks and pr_rules for the AntiVirus vendor or of creating their own custom checks, rules,
and requirements through Device Management > Clean Access > Clean Access Agent (use New
Check, New Rule, and New File/Link/Local Check Requirement), as described in Configure Custom
Checks, Rules and Requirements, page 12-22.
Note that Clean Access works in tandem with the installation schemes and mechanisms provided by
supported Antivirus vendors. In the case of unforeseen changes to underlying mechanisms for AV
products by AV vendors, the Clean Access team will upgrade the Supported AV/AS Product List and/or
Clean Access Agent in the timeliest manner possible in order to support the new AV product changes.
In the meantime, administrators can always use the “custom” rule workaround for the AV product (such
as pc_checks/pr_rules) and configure the requirement for “Any selected rule succeeds.”

Figure 12-4 shows the Clean Access Agent dialog that appears when a client fails to meet an AV
Definition Update requirement.


Figure 12-4 Required AV Definition Update (User Dialog)
[Figure: Clean Access Agent dialog for the AV Definition Update requirement type. Callouts: the
Description field provides your instructions to the user; the user clicks Update to automatically update
the client AV definition file(s).]

AV Rules and AS Rules


Antivirus rules (AV Rule) and anti-spyware rules (AS Rule) are preconfigured rule types that are mapped
to the matrix of vendors and products sourced in the Supported AV/AS Product List. There is no need to
configure checks with this type of rule.
There are two basic types of AV Rules:
• Installation AV Rules check whether the selected antivirus software is installed for the client OS.
• Virus Definition AV Rules check whether the virus definition files are up-to-date on the client.
Virus Definition AV Rules can be mapped into AV Definition Update requirements so that a user
that fails the requirement can automatically execute the update by clicking the Update button in the
Agent.
There are two basic types of AS Rules:
• Installation AS Rules check whether the selected anti-spyware software is installed for the client
OS.
• Spyware Definition AS Rules check whether the spyware definition files are up-to-date on the
client. Spyware Definition AS Rules can be mapped into AS Definition Update requirements so that
a user that fails the requirement can automatically execute the update by clicking the Update button
in the Agent.
AV Rules are typically associated with AV Definition Update requirements, and AS Rules are typically
associated with AS Definition Update requirements.
The steps to create AV Definition Update Requirements are as follows:

Step 1 Verify AV/AS Support Info, page 12-10
Step 2 Create AV Rule, page 12-12
Step 3 Create AV Definition Update Requirement, page 12-14
Step 4 Map Requirement to Rules, page 12-34
Step 5 Apply Requirements to Role, page 12-36
Step 6 Validate Requirements, page 12-37


The steps to create AS Definition Update Requirements are as follows:

Step 1 Verify AV/AS Support Info, page 12-10
Step 2 Create AS Rule, page 12-16
Step 3 Create AS Definition Update Requirement, page 12-17
Step 4 Map Requirement to Rules, page 12-34
Step 5 Apply Requirements to Role, page 12-36
Step 6 Validate Requirements, page 12-37

Note In some cases it may be advantageous to configure AV or AS rules/requirements in different
ways. For example:
• Not all product versions of a particular vendor may support the Agent launching the automatic
update of the product. In this case, you can provide instructions (via the Description field of the AV
or AS Definition Update requirement) to have users update their AV or AS definition files from the
interface of their installed AV or AS product.
• You can associate the AV or AS rules with a different requirement type, such as Link Distribution
or Local Check, to change the Agent buttons and user action required from “Update” to “Go to
Link”, or to disable the action button and provide instructions only. This allows you flexibility in
configuring the actions you want your users to take.
• You can also configure “optional” requirements. These will generate reports for clients and
optionally provide users extra time to meet a requirement without blocking them from the network.
See Configure an Optional Requirement, page 12-38 for details.

Verify AV/AS Support Info


Cisco NAC Appliance allows multiple versions of the Clean Access Agent to be used on the network.
New updates to the Agent will add support for the latest antivirus or antispyware products as they are
released. The system picks the best method (either Def Date or Def Version) to execute AV/AS definition
checks based on the AV/AS products available and the version of the Agent. The AV/AS Support Info
page provides details on Agent compatibility with the latest Supported AV/AS Product List downloaded
to the CAM. This page lists the latest version and date of definition files for each AV and AS product as
well as the baseline version of the Agent needed for product support. You can compare the client’s AV or
AS information against the AV/AS Support Info page to verify if a client’s definition file is the latest.
If running multiple versions of the Agent on your network, this page can help troubleshoot which version
must be run to support a particular product.

To View Agent Support Details:


1. Go to Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info
2. Choose either Antivirus (Figure 12-5) or Anti-Spyware (Figure 12-6) from the Category
dropdown.


Figure 12-5 AV/AS Support Info — AV Vendor Example

Figure 12-6 AV/AS Support Info — AS Vendor Example

3. Choose a corresponding vendor (Antivirus Vendor or Anti-Spyware Vendor) from the dropdown
menu.
4. For Antispyware products, only the Windows XP/2K operating system is supported. Check the
Minimum Agent Version Required to Support AS Products table for product details.

Note Regular updates for Anti-Spyware definition date/version will be made available via Cisco
Updates. Until update service is available, the system enforces definition files to be X days older
than the current system date for AS Spyware Definition rules (under Device Management >
Clean Access > Clean Access Agent > Requirements > Requirement-Rules).


5. For Antivirus products, choose Windows XP/2K or Windows 9x/ME from the Operating System
dropdown menu to view the support information for those client systems. This populates the
following tables:
– Minimum Agent Version Required to Support AV Products: shows the minimum Agent
version required to support each AV product. For example, a 4.1.0.0 Agent can log into a role
that requires Aluria Security Center AntiVirus 1.x, but for any lower Agent version, this check
will fail. Note that if a version of the Agent supports both Def Date and Def Version checks, the
Def Version check will be used.
– Latest Virus Definition Version/Date for Selected Vendor: displays the latest version and
date information for the AV product. The AV software for an up-to-date client should display
the same values.

Note The Agent sends its version information to the CAM, and the CAM always attempts to first use the virus
definition version for AV checks. If the version is not available, the CAM uses the virus definition date
instead.

Tip You can also view the latest def file version when selecting an AV vendor from the New AV Rule form.

Create AV Rule
1. Make sure you have the latest version of the Supported AV/AS Product List, as described in
Retrieving Updates, page 10-11.
2. Go to Device Management > Clean Access > Clean Access Agent > Rules > New AV Rule.

Figure 12-7 New AV Rule


3. Type a Rule Name. You can use digits and underscores, but no spaces in the name.
4. Choose an Antivirus Vendor from the dropdown menu. This populates the Checks for Selected
Operating Systems table at the bottom of the page with the supported products and product versions
from this vendor (for the Operating System chosen).
5. From the Type dropdown menu, choose either Installation or Virus Definition. This enables the
checkboxes for the corresponding Installation or Virus Definition column in the table below.
6. Choose an Operating System from the dropdown menu: Windows XP/2K or Windows ME/98. This
displays the product versions supported for this client OS in the table below.
7. Type an optional Rule Description.
8. In the Checks for Selected Operating Systems table, choose the product versions you want to
check for on the client by clicking the checkbox(es) in the corresponding Installation or Virus
Definition column. Clicking ANY means you want to check for any product and any version from
this AV vendor. Installation checks whether the product is installed, Virus Definition checks
whether the virus definition files are up to date on the client for the specified product.
9. Click Add Rule. The new AV rule will be added at the bottom of the Rule List with the name you
provided.


Create AV Definition Update Requirement


The following steps show how to create a new AV Definition Update requirement to check the client
system for the specified AV product(s) and version(s) using an associated AV Rule. If the client’s AV
definition files are not up-to-date, the user can simply click the Update button on the Clean Access
Agent, and the Agent causes the resident AV software to launch its own update mechanism. Note that the
actual mechanism differs for different AV products (e.g. live update vs. command line parameter).
1. In the Clean Access Agent tab, click the Requirements submenu link and then New Requirement.

Figure 12-8 New Requirement

2. For Requirement Type choose AV Definition Update.
3. Choose an Enforce Type from the dropdown menu:
– Mandatory—Enforce requirement. The user is informed of this requirement and cannot
proceed or have network access unless the client system meets it.
– Optional—Do not enforce requirement. The user is informed of the requirement but can bypass
it if desired (by clicking “Next”). The client system does not have to meet the requirement for
the user to proceed or have network access.
– Audit—Silently audit. The client system is checked “silently” for the requirement without
notifying the user, and a report is generated. The report results (pass or fail) do not affect user
network access.


4. Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means
this requirement is checked on the system ahead of all other requirements (and appears in the Agent
dialogs in that order). Note that if a Mandatory requirement fails, the Agent does not continue past
that point until that requirement succeeds.
5. Choose an Antivirus Product Name from the dropdown menu or choose ANY. The Products table
lists all the virus definition product versions supported per client OS.
6. For the Requirement Name, type a unique name to identify this AV virus definition file requirement
in the Agent. The name will be visible to users on the Clean Access Agent dialogs.
7. In the Description field, type a description of the requirement and instructions to guide users who
fail to meet the requirement. For an AV Definition Update requirement, you should include
instructions for users to click the Update button to update their systems. Note the following:
– AV Definition Update displays Update button on the Agent.
– AS Definition Update displays Update button on the Agent.
– Windows Update displays Update button on the Agent.
8. Click the checkbox for at least one client Operating System (at least one must be chosen).
9. Click Add Requirement to add the requirement to the Requirement List.


Create AS Rule
1. Make sure you have the latest version of the Supported AV/AS Product List, as described in
Retrieving Updates, page 10-11.
2. Go to Device Management > Clean Access > Clean Access Agent > Rules > New AS Rule.

Figure 12-9 New AS Rule

3. Type a Rule Name. You can use digits and underscores, but no spaces in the name.
4. Choose an Anti Spyware Vendor from the dropdown menu, or choose ANY to select any supported
AS vendor or product. This correspondingly populates the Checks for Selected Operating Systems
table at the bottom of the page with the supported products and product versions from this vendor
(for the Operating System chosen).
5. From the Type dropdown menu, choose either Installation or Spyware Definition. This enables the
checkboxes for the corresponding Installation or Spyware Definition column in the table below.
6. The Operating System field displays Windows XP/2K by default.
7. Type an optional Rule Description.
8. In the Checks for Selected Operating Systems table, choose the product versions you want to
check for on the client by clicking the checkbox(es) in the corresponding Installation or Spyware
Definition column. Clicking ANY means you want to check for any product and any version from
this AS vendor. Installation checks whether the product is installed, Spyware Definition checks
whether the spyware definition files are up to date on the client for the specified product.
9. Click Add Rule. The new AS rule will be added at the bottom of the Rule List with the name you
provided.


Create AS Definition Update Requirement


1. Go to Device Management > Clean Access > Clean Access Agent > Requirements > New
Requirement.

Figure 12-10 New AS Definition Update Requirement

2. For Requirement Type choose AS Definition Update.
3. Choose an Enforce Type from the dropdown menu:
– Mandatory—Enforce requirement.
– Optional—Do not enforce requirement.
– Audit—Silently audit.
4. Choose the Priority of execution for this requirement on the client.
5. Choose an Anti-Spyware Vendor Name from the dropdown menu or choose ANY. The Products
table lists all the spyware definition product versions currently supported per client OS.
6. For the Requirement Name, type a unique name to identify this AS definition file requirement in
the Agent. The name will be visible to users on the Clean Access Agent dialogs.
7. In the Description field, type a description of the requirement and instructions to guide users who
fail to meet the requirement. For an AS Definition Update requirement, you should include an
instruction for users to click the Update button to update their systems. Note the following:
– File Distribution displays Download button on the Agent.
– Link Distribution displays Go To Link button on the Agent.
– Local Check displays Download button (disabled) on the Agent.


– AV Definition Update displays Update button on the Agent.
– AS Definition Update displays Update button on the Agent.
– Windows Update displays Update button on the Agent.
8. Click the checkbox for at least one client Operating System (at least one must be chosen).
9. Click Add Requirement to add the requirement to the Requirement List.


Configure Launch Programs Requirement


Release 4.1 adds a new Launch Programs Requirement Type that allows administrators to
launch a qualified remediation program from the Clean Access Agent. The administrator creates a
check/rule condition; upon its failure, the administrator can configure the Agent to launch any remediation
program to fix the machine. Multiple programs are permitted, and they are launched in the same
sequence as specified by the administrator.
The Clean Access Agent launches the programs in two ways, depending on user privileges for the device:
• If the user has admin privileges on the client machine, the program is launched directly and digital
signing and verification of the application are not required.
• If the user does not have administrative privileges, the Clean Access stub must be installed to launch
the target executable. In this case, the Clean Access stub will verify that the program is signed by a
trusted certificate authority before launching the program.
Note that it is the administrator's responsibility to populate the required Registry Keys for the programs
to be trusted by Cisco Clean Access Agent and Cisco Clean Access Stub.

Note Version 4.1.0.0 or above of the Clean Access Agent is required to use this feature. This feature is
applicable to Windows 2000 and Windows XP machines only.

1. Go to Device Management > Clean Access > Clean Access Agent > Requirements > New
Requirement.

Figure 12-11 New Launch Program Requirement


2. For Requirement Type choose Launch Programs.
3. Choose an Enforce Type from the dropdown menu:
– Mandatory—Enforce requirement. The user is informed of this requirement and cannot
proceed or have network access unless the client system meets it.
– Optional—Do not enforce requirement. The user is informed of the requirement but can bypass
it if desired (by clicking “Next”). The client system does not have to meet the requirement for
the user to proceed or have network access.
– Audit—Silently audit. The client system is checked “silently” for the requirement without
notifying the user, and a report is generated. The report results (pass or fail) do not affect user
network access.
4. Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means
this requirement is checked on the system ahead of all other requirements (and appears in the Agent
dialogs in that order). Note that if a Mandatory requirement fails, the Agent does not continue past
that point until that requirement succeeds.
5. Configure the program to be launched as follows:
– For the Program Name, choose the root location from which to launch the program from the
dropdown: SYSTEM_DRIVE, SYSTEM_ROOT, SYSTEM_32, SYSTEM_PROGRAMS,
or None, and type the name of the program executable in the adjoining text field.
– If a more specific path or program parameters are needed, type them in the Program
Parameters text field.
– Click Add Program. This adds the Program Name and Program Parameters to the sublist of
programs to launch for the requirement.
– Configure more programs to add, or click the Delete checkbox to remove programs from the list.
6. When done configuring the program or list of programs to be added, type the Requirement Name.
7. Type a Description to be displayed to users.
8. Click the checkbox for the Windows Operating System to which to apply the requirement.
9. Click Add Requirement.

Note See Launch Programs Example, page 12-40 for additional details.


Cisco Pre-Configured Rules (“pr_”)


Cisco NAC Appliance provides a set of pre-configured rules and checks that are downloaded to the CAM
via the Updates page on the CAM web console (under Device Management > Clean Access >
Updates).
Pre-configured rules have a prefix of “pr” in their names (e.g. “pr_XP_Hotfixes”), and can be copied (for
use as a template), but cannot be edited or removed. You can click the Edit button for any “pr_” rule to
view the rule expression that defines it. The rule expression for a pre-configured rule will be composed
of pre-configured checks (e.g. “pc_Hotfix835732”) and boolean operators. The rule expression for
pre-configured rules is updated via Cisco Updates. For example, when new Critical Windows OS
hotfixes are released for Windows XP, the pr_XP_Hotfixes rule will be updated with the corresponding
hotfix checks.
Pre-configured rules are listed under Device Management > Clean Access > Clean Access Agent >
Rules > Rule List. Pre-configured checks have a prefix of “pc” in their names and in turn are listed under
Device Management > Clean Access > Clean Access Agent > Rules > Check List.

Note Cisco pre-configured rules are intended to provide support for Critical Windows OS hotfixes only.

Using Cisco Pre-Configured Rules to Check for CSA


You can use Cisco pre-configured rules to create a Clean Access Agent requirement that checks if the
Cisco Security Agent (CSA) is already installed and/or running on a client (from version 14663 and
above of the Cisco Updates ruleset). To do this:
1. Create a new Link Distribution or File Distribution requirement (for Windows XP/2000).
2. Associate the requirement to one or both of the following rules (for Windows XP/2000):
– pr_CSA_Agent_Version_5_0
– pr_CSA_Agent_Service_Running
3. Associate the requirement to the user role(s) for which it will apply.

Note See Configure Custom Checks, Rules and Requirements, page 12-22 next for further details on creating
custom requirements (using either pre-configured or custom rules).


Configure Custom Checks, Rules and Requirements


A check is a condition statement used to examine the client system. In the simplest case, a requirement
can be a single rule made up of a single check. If the condition statement yields a true result, the system
is considered in compliance with the Clean Access Agent requirement and no remediation is called for.
To create a check, first find an identifying feature of the requirement. The feature (such as a registry key
or process name) should indicate whether the client meets the requirement. The best way to find such an
indicator is to examine a system that meets the requirement. If necessary, refer to the documentation
provided with the software to determine what identifying feature to use for the Clean Access check. Once
you have determined the indicator for the requirement, use the following procedure to create the check.

Custom Requirements
You can create custom requirements to map rules to the mechanism that allows users to meet the rule
condition. The mechanism may be an installation file, a link to an external resource, or simply
instructions. If a rule check is not satisfied (for example, required software is not found on the client
system), users can be warned or required to fix their systems, depending on your configuration. As
shown in Figure 12-12, a rule can combine several checks with Boolean operators, “&” (and), “|” (or),
and “!” (not). A requirement can rely on more than one rule, specifying that any selected rule, all rules,
or no rule must be satisfied for the client to be considered in compliance with the requirement.

Figure 12-12 Custom Checks, Rules, and Requirements
[Diagram: the checks sym_exeExists, RecentVDefExist and processIsActive are combined with “&” into
the rule Look4SymAV; the checks mcafee_exeExists, RecentVDefExist and processIsActive are combined
with “&” into the rule Look4McAfeeAV; the requirement MustHaveAntiVirus is met if any of these rules
succeeds and otherwise distributes campusAVInstall.zip with the message “install, update or start
software”.]

The steps to create custom requirements are as follows:

Step 1 Create Custom Check, page 12-24
Step 2 Create Custom Rule, page 12-28
Step 3 Validate Rules, page 12-30
Step 4 Create Custom Requirement, page 12-31
Step 5 Map Requirement to Rules, page 12-34
Step 6 Apply Requirements to Role, page 12-36
Step 7 Validate Requirements, page 12-37


Cisco Rules
A rule is a condition statement made up of one or more checks. A rule combines checks with logical
operators to form a Boolean statement that can test multiple features of the client system.
Cisco NAC Appliance provides a set of pre-configured rules and checks through the Updates link.
Pre-configured rules have a prefix of “pr” in their names, for example, pr_AutoUpdateCheck_Rule. See
also Cisco Pre-Configured Rules (“pr_”), page 12-21 for additional details.

Cisco Checks
A check is a condition statement that examines a feature of the client system, such as a file, registry key,
service, or application. Pre-configured checks have a prefix of “pc” in their names, for example,
pc_Hotfix828035. Table 12-1 lists the types of checks available and what they test.
Table 12-1 Checks

Check Category      Check Type
Registry check      • whether or not a registry key exists
                    • registry key value
File check          • whether or not a file exists
                    • date of modification or creation
                    • file version
Service check       • whether or not a service is running
Application check   • whether or not an application is running

Copying Checks and Rules


Note that pre-configured rules and checks are not editable, but can serve as templates. To modify a
non-editable check or a rule, make a copy of it first by clicking the corresponding Copy button.
Copies of checks are added to the bottom of the Check List, in the form copy_of_checkname. Copies of
rules are added to the bottom of the Rules List, in the form copy_of_rulename. Click the corresponding
Edit button to bring up the Edit form to modify the check or rule. The edited checks and rules can
then be configured and associated to requirements and roles as described in the following sections.


Create Custom Check


1. In the Clean Access Agent tab, click the Rules submenu and then open the New Check form.

Figure 12-13 New Check

For all custom checks, follow steps 2 through 7, referring to the specifics for each check type (Registry
Check Types, File Check Types, Service Check Type, Application Check Type), then perform the final
step (click Add Check).
2. Select a Check Category: Registry Check, File Check, Service Check, or Application Check.
3. Type a descriptive Check Name. The rules created from this check will reference the check by this
name, so be sure to give the check a unique, self-descriptive name. The name is case-sensitive and
should be less than 255 characters and without spaces or special characters.
4. Type an optional Check Description.
5. Select at least one Operating System for the check. Options are: Windows All, Windows XP,
Windows 2000, Windows ME, Windows 98.
6. If desired, select “Automatically create rule based on this check”. In this case, the rule is
automatically populated with the check when added and is named “checkname-rule”.
7. Select a Check Type for the Category and fill in specific form fields as described below. Specify the
parameters, operator, and (if the check type is a value comparison) the value and data type of the
statement, and click Add Check to create the evaluation statement. If the condition statement
evaluates to false, the required software is considered missing.

Registry Check Types

– Registry Key – Checks whether a specific key exists in the registry.


– Registry Value (Default) – Checks whether an unnamed (default) registry key exists or has a
particular value, version, or modification date.
– Registry Value – Checks whether a named registry key exists or has a particular value, version,
or modification date.


Figure 12-14 Registry Check Types

a. For the Registry Key field, select the area of the client registry:
HKLM – HKEY_LOCAL_MACHINE
HKCC – HKEY_CURRENT_CONFIG
HKCU – HKEY_CURRENT_USER
HKU – HKEY_USERS
HKCR – HKEY_CLASSES_ROOT
Then type the path to be checked.
For example: HKLM\SOFTWARE\Symantec\Norton AntiVirus\version
b. For a Registry Value search, enter a Value Name.
c. For Registry Value searches, enter a Value Data Type:
1. For a “Number” Value Data Type (Note: REG_DWORD is equivalent to Number), choose one
of the following Operators from the dropdown: equals, greater than, less than, does not equal,
greater than or equal to, less than or equal to
2. For a “String” Value Data Type choose one of the following Operators from the dropdown:
equals, equals (ignore case), does not equal, starts with, does not start with, ends with, does not
end with, contains, does not contain
3. For a “Version” Value Data Type choose one of the following Operators from the dropdown:
earlier than, later than, same as
4. For a “Date” Value Data Type, choose one of the following Operators from the dropdown:
earlier than, later than, same as


d. If specifying a “Date” Value Data Type, also choose one of two values to check. This allows
you to specify “older than” or “newer than” by more than/fewer than x days to the current date.
- Type the date/time of the client machine in mm/dd/yyyy hh:MM:ss format, or
- Choose the CAM date, + or - from the dropdown, and type the number of days.
e. For Registry Value searches, enter the Value Data.

File Check Types

– File Existence – Checks whether a file exists on the system.


– File Date – Checks whether a file with a particular modification or creation date exists on the
system.
– File Version – Checks whether a particular version of a file exists on the system.

Figure 12-15 File Check Types

a. For File Path, select:


SYSTEM_DRIVE – checks the C:\ drive
SYSTEM_ROOT – checks the root path for Windows 98 systems
SYSTEM_32 – checks C:\WINDOWS\SYSTEM32
SYSTEM_PROGRAMS – checks C:\Program Files
b. For Operator, select:
exists or does not exist – File Existence check
earlier than, later than, same as – File Date or File Version check


c. For a File Date check type, also choose one of two values to check for File Date. This allows
you to specify “older than” or “newer than” by more than/fewer than x days to the current date.
- Type the date/time of the client machine in mm/dd/yyyy hh:MM:ss format, or
- Choose the CAM date, + or - from the dropdown, and type the number of days.
d. For a File Date check type, select a File Date Type:
Creation date
Modification date

Service Check Type

– Service Status – Whether a service is currently running on the system.

Figure 12-16 Service Check Type

a. Enter a Service Name.


b. Select an Operator: running or not running.

Application Check Type

– Application Status – Whether an application is currently running on the system.


Figure 12-17 Application Check Type

a. Enter an Application Name.


b. Select an Operator: running or not running.
5. Click Add Check when finished.

Create Custom Rule


A rule is an expression made up of checks and operators. A rule is the unit used by the Clean Access
Agent to assess a vulnerability on a particular operating system. The result of the rule expression is
considered to assess compliance with the Clean Access Agent requirement. A rule can be made up of a
single check or it can have multiple checks combined with Boolean operators. Table 12-2 shows the
operators along with their order of evaluation.
Table 12-2 Rule Operators

Priority   Operator   Description
1          ()         parentheses for evaluation priority
2          !          not
3          &          and
3          |          or

Operators of equal priority are evaluated from left to right. For example, a rule may be defined as
follows:
adawareLogRecent & (NorAVProcessIsActive | SymAVProcessIsActive)

The adawareLogRecent check and either the NorAVProcessIsActive check or the
SymAVProcessIsActive check must be satisfied for the rule to be considered met. Without parentheses,
the following would be implied:


(adawareLogRecent & NorAVProcessIsActive) | SymAVProcessIsActive

In this case, either SymAVProcessIsActive or both of the first two checks must be true for the rule to be
considered met.
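As an added illustration (not part of this guide and not the Clean Access Manager's own parser), the following Python models the operator table above: “!” binds tightest, “&” and “|” share a priority and are folded strictly left to right, and parentheses override. It also mirrors the Validity check described in Validate Rules, flagging a check that does not exist or whose operating system does not match the rule's. The check names are the guide's, but their operating systems and results are constructed sample data.

```python
"""Model of Clean Access Agent rule expressions (added illustration, not product code)."""
import re
from dataclasses import dataclass

OPERATORS = ("(", ")", "!", "&", "|")
# A token is a parenthesis, an operator, or a check name (no spaces or special characters)
TOKEN_RE = re.compile(r"\s*(\(|\)|!|&|\||[A-Za-z0-9_]+)")


@dataclass(frozen=True)
class Check:
    """A check as configured on the New Check form, plus a constructed client result."""
    name: str
    operating_systems: frozenset   # e.g. {"Windows XP"} or {"Windows All"}
    result: bool                   # outcome of the condition statement on the client


def tokenize(expression):
    expression = expression.strip()
    tokens, pos = [], 0
    while pos < len(expression):
        match = TOKEN_RE.match(expression, pos)
        if match is None:
            raise ValueError(f"unexpected text at position {pos}: {expression[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class _RuleParser:
    """Recursive-descent evaluator implementing Table 12-2: priority 1 parentheses,
    priority 2 '!', priority 3 '&' and '|' (equal priority, evaluated left to right)."""

    def __init__(self, tokens, lookup):
        self.tokens, self.pos, self.lookup = tokens, 0, lookup

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def expression(self):
        value = self.unary()
        # '&' and '|' share a priority, so the chain folds strictly left to right
        while self.peek() in ("&", "|"):
            operator = self.take()
            right = self.unary()
            value = (value and right) if operator == "&" else (value or right)
        return value

    def unary(self):
        token = self.take()
        if token == "!":
            return not self.unary()
        if token == "(":
            value = self.expression()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if token is None or token in OPERATORS:
            raise ValueError(f"expected a check name, found {token!r}")
        return self.lookup(token)


def evaluate_rule(expression, check_results):
    """True if the rule expression is met given each named check's result."""
    parser = _RuleParser(tokenize(expression), lambda name: check_results[name])
    value = parser.expression()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return value


def validate_rule(rule_name, expression, rule_os, checks):
    """Mirror of the Validity column: every check in the expression must exist and apply
    to the rule's operating system. Returns the CAM-style status message, or None if valid."""
    for token in tokenize(expression):
        if token in OPERATORS:
            continue
        check = checks.get(token)
        if check is None or not ({rule_os, "Windows All"} & check.operating_systems):
            return f"Invalid rule [{rule_name}], Invalid check [{token}] in rule expression"
    return None


# Constructed sample data: the guide's check names with results as one client might report
# them (adawareLogRecent fails, NorAV process not active, SymAV process active).
SAMPLE_CHECKS = {
    "adawareLogRecent": Check("adawareLogRecent", frozenset({"Windows XP"}), False),
    "NorAVProcessIsActive": Check("NorAVProcessIsActive", frozenset({"Windows All"}), False),
    "SymAVProcessIsActive": Check("SymAVProcessIsActive", frozenset({"Windows All"}), True),
}
SAMPLE_RESULTS = {name: check.result for name, check in SAMPLE_CHECKS.items()}

WITH_PARENS = "adawareLogRecent & (NorAVProcessIsActive | SymAVProcessIsActive)"
WITHOUT_PARENS = "adawareLogRecent & NorAVProcessIsActive | SymAVProcessIsActive"

if __name__ == "__main__":
    # False: adawareLogRecent fails, so the parenthesised rule fails
    print(WITH_PARENS, "->", evaluate_rule(WITH_PARENS, SAMPLE_RESULTS))
    # True: left to right this is (adawareLogRecent & NorAV...) | SymAV..., and SymAV... is active
    print(WITHOUT_PARENS, "->", evaluate_rule(WITHOUT_PARENS, SAMPLE_RESULTS))
    # adawareLogRecent is configured for Windows XP only, so a Windows 2000 rule is invalid
    print(validate_rule("Look4AV", WITH_PARENS, "Windows 2000", SAMPLE_CHECKS))
```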

Create a Custom Rule

1. In the Clean Access Agent tab, click the Rules submenu link and then New Rule.

Figure 12-18 New Rule

2. Type a unique Rule Name.


3. Enter a Rule Description.
4. Select the Operating System for which the rule applies. If Updates have been downloaded, the
pre-configured checks for that operating system appear in the Checks for Selected Operating
System list below.
5. Create the Rule Expression by combining checks and operators. Use the list to select the names of
checks and copy and paste them to the Rule Expression text field. Use the following operators with
the checks: () (evaluation priority), ! (not), & (and), | (or).
For example:
adawareLogRecent & (NorAVProcessIsActive | SymAVProcessIsActive)


For a simple rule that tests a single check, simply type the name of the check:
SymAVProcessIsActive

6. Click Add Rule.


The console validates the rule and, if formed correctly, the rule appears in the Rule List. From there,
you can delete the rule, modify it, or copy it (create a new rule by copying this one).

Validate Rules
The Clean Access Manager automatically validates rules and requirements as they are created. Invalid
rules have incompatibilities between checks and rules, particularly those relating to the target operating
system. These errors can arise when you create checks and rules for a particular operating system but
later change the operating system property for a check. In this case, a rule that uses the check and which
is still applicable for the formerly configured operating system is no longer valid. Rule validation detects
these and other errors.
The Validity column under Device Management > Clean Access > Clean Access Agent > Rules >
Rule List displays rule validity as follows:
• — The rule is valid.
• — The rule is invalid. Highlight this icon with your mouse to display the validity status message
for this rule. The status message displays which check is causing the rule to be invalid, in the form:
Invalid rule [rulename], Invalid check [checkname] in rule expression.

Figure 12-19 Rule List

To Correct an Invalid Rule:


1. Go to Device Management > Clean Access > Clean Access Agent > Rules > Rule List
2. Click the Edit button for the invalid rule.
3. Correct the invalid Rule Expression. If the rule is invalid because a check has been deleted, make
sure you associate the rule with a valid check.
4. Make sure the correct Operating System is selected.
5. Make sure the Requirement met if: expression is correctly configured.


6. Click Save Rule.


7. Make sure any requirement based on this rule is also corrected as described in Validate
Requirements, page 12-37.

Create Custom Requirement


A requirement is the mechanism that maps a specified collection of rules for an operating system to the
files, distribution links, or instructions that you want pushed to the user via Clean Access Agent dialogs.
Requirements can point to installation files or links where software can be downloaded. For local checks
not associated with a specific installation file, the requirement can map the rule to an informational
message, for example, instructing the user to remove software or run a virus check. A new requirement
can be created at any time in the configuration process. However, the requirement must be associated to
both a rule for an operating system and a user role before it can take effect.

Create File Distribution / Link Distribution / Local Check Requirement

1. In the Clean Access Agent tab, click the Requirements submenu link and then New Requirement.

Figure 12-20 New Requirement (File Distribution)

2. Select a Requirement Type:


– File Distribution – This distributes the required software directly by making the installation
package available for user download using the Clean Access Agent. In this case, the file to be
downloaded by the user is placed on the CAM using the File to Upload field. For the Agent to
download this file, a traffic policy allowing HTTP access only to the CAM should be created
for the Temporary role. See Adding Traffic Policies for Default Roles, page 9-27.


– Link Distribution – This refers users to another web page where the software is available, such
as a software download page. Make sure the Temporary role is configured to allow HTTP
(and/or HTTPS) access to the link.
– Local Check – This is used when creating checks not associated with installable software, for
example, to check if Windows Update Service (Automatic Updates) is enabled, or to look for
software that should not be on the system.
– AV Definition Update – This is used when creating AV rules. See Configuring AV/AS
Definition Update Requirements, page 12-8 for details.
– AS Definition Update – This is used when creating AS rules. See Configuring AV/AS
Definition Update Requirements, page 12-8 for details.
– Windows Update – This is used to configure Windows Update options on the client. See
Configuring Windows Update Requirement, page 12-4 for details.
– Launch Programs – This is used to launch a remediation program on the client when the
requirement fails. See Configure Launch Programs Requirement, page 12-19 for details.
3. Choose an Enforce Type from the dropdown menu:
– Mandatory—Enforce the requirement.
– Optional—Do not enforce the requirement. See Configure an Optional Requirement, page 12-38.
– Audit—Silently audit.
4. Specify the Priority of the requirement. Requirements with the lowest number (e.g., “1”) have the
highest priority and are performed first. If a requirement fails, the remediation instructions
configured for the requirement are pushed to the user without additional requirements being tested.
Therefore you can minimize processing time by giving the requirements that are most likely to fail
a higher priority.
5. The Version field lets you keep track of various versions of a requirement. This is particularly useful
when there are updates to the required software. You can use any versioning scheme you like, such
as numbers (1, 2, 3), point numbers (1.0), or letters.
6. If you chose File Distribution as the Requirement Type, click Browse next to the File to Upload
field and navigate to the folder where you have the installation file (.exe) for the required software.
7. If you chose Link Distribution as the Requirement Type, enter the URL of the web page where
users can get the install file or patch update in the File Link URL field.
8. For the Requirement Name type a unique name to identify the system requirement. The name will
be visible to users on the Clean Access Agent dialog.
9. In the Description field, type a description of the requirement and instructions for the benefit of
your users. Note the following:
– File Distribution displays Download button on the Agent.
– Link Distribution displays Go To Link button on the Agent.
– Local Check displays Download button (disabled) on the Agent.
– AV Definition Update displays Update button on the Agent.
– AS Definition Update displays Update button on the Agent.
– Windows Update displays Update button on the Agent.
– Launch Programs displays Launch button on the Agent.
10. Select the Operating System for which the requirement applies (at least one must be chosen).
11. Click Add Requirement to save the settings for the download requirement.


12. The requirement appears in the Requirement List.


Figure 12-21 shows an example of how requirement configuration fields display in the Clean Access
Agent.

Figure 12-21 Example Optional Link Distribution Requirement


Map Requirement to Rules


Once the requirement is created and the remediation links and instructions are specified, map the
requirement to a rule or set of rules. A requirement-to-rule mapping associates the ruleset that checks
whether the client system meets the requirement to the user requirement action (Agent button,
instructions, links) needed for the client system to comply.
1. In the Clean Access Agent tab, click the Requirements submenu and then open the
Requirement-Rules form.

Figure 12-22 Requirement-Rules Mapping

2. From the Requirement Name menu, select the requirement to map.


3. Verify the operating system for the requirement in the Operating System menu. The Rules for
Selected Operating System list will be populated with all rules available for the chosen OS.
4. For AV Virus Definition Rules (yellow background) and AS Spyware Definition rules (blue
background), you can optionally configure the CAM to allow definition files on the client to be a
number of days older than what the CAM has available from Updates (see Rules > AV-AS Support
Info for the latest product file dates). This allows you to configure leeway into a requirement so that
if no new virus/spyware definition files are released from a product vendor, your clients can still pass
the requirement.
Click the checkbox for either:
– For AV Virus Definition rules, allow definition file to be x days older than:


– For AS Spyware Definition rules, allow definition file to be x days older than:
Type a number in the text box. The default is “0” indicating the definition date cannot be older than
the file/system date.
Choose either:
• Latest file date—This allows the client definition file to be older than the latest virus/spyware
definition date on the CAM by the number of days you specify.
• Current system date— This allows the client definition file to be older than the CAM's system
date when the last Update was performed by the number of days you specify.

Note For AS Spyware Definition rules, the system will enforce this feature (allowing the definition
files to be X days older than the current system date) until the Cisco Update service is available to
regularly update the date/version for Spyware definition files.

When this feature is configured for a requirement, the Agent checks for the definition date of the
AV/AS product then verifies whether the date meets the requirement. If the Agent cannot detect
the definition date (i.e., def date detection is not supported for that product), the system ignores
this feature and the Agent checks whether the client has the latest definition version.

5. Scroll down the page and click the Select checkbox next to each rule you want to associate with the
requirement. The rules will be applied in their order of priority, as described in Table 12-2 on
page 12-28.

Figure 12-23 Select Rules to Map to Requirement

6. For the Requirements met if option, choose one of the following options:
– All selected rules succeed—if all the rules must be satisfied for the client to be considered in
compliance with the requirement.
– Any selected rule succeeds—if at least one selected rule must be satisfied for the client to be
considered in compliance with the requirement.
– No selected rule succeeds—if the selected rules must all fail for the client to be considered in
compliance with the requirement.
If clients are not in compliance with the requirement, they will need to install the software associated
with the requirement or take the steps instructed.
7. Click Update.


Apply Requirements to Role


Once requirements are created, configured with remediation steps, and associated with rules, they need
to be mapped to user roles. This last step applies your requirements to the user groups in the system.

Note Make sure you already have normal login user roles created as described in Create User Roles, page 6-1.

1. In the Clean Access Agent tab, click the Role-Requirements submenu link.

Figure 12-24 Role-Requirements Mapping

2. From the Role Type menu, select the type of the role you are configuring. In most cases, this will
be Normal Login Role.
3. Select the name of the role from the User Role menu.
4. Click the Select checkbox for each requirement you want to apply to users in the role.
5. Click Update.
6. Before finishing, make sure users in the role are required to use the Clean Access Agent. See Create
Clean Access Agent Requirements, page 12-3.
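The following added example (not part of this guide and not the product's own logic) models how the settings from the preceding sections combine in one Agent session: only requirements mapped to the user's role and the client's operating system apply, they are walked in Priority order, each is judged by its Requirement met if setting, a failing Mandatory requirement stops the session with remediation pushed, and Optional and Audit failures let the user continue. The requirement and rule names come from this chapter; their mappings and the client results are constructed.

```python
"""Model of how an Agent session walks a role's requirement list (added illustration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """Fields from the New Requirement, Requirement-Rules and Role-Requirements pages."""
    name: str
    enforce_type: str        # "Mandatory", "Optional" or "Audit"
    priority: int            # 1 is checked first
    met_if: str              # "all", "any" or "none" of the selected rules succeed
    rules: tuple             # rule names selected on the Requirement-Rules page
    operating_systems: frozenset
    roles: frozenset         # user roles selected on the Role-Requirements page


def requirement_met(requirement, rule_results):
    """Apply the 'Requirement met if' setting to the selected rules' outcomes."""
    outcomes = [rule_results[rule] for rule in requirement.rules]
    if requirement.met_if == "all":
        return all(outcomes)
    if requirement.met_if == "any":
        return any(outcomes)
    if requirement.met_if == "none":
        return not any(outcomes)
    raise ValueError(f"unknown 'met if' setting {requirement.met_if!r}")


def applicable_requirements(requirements, role, client_os):
    """Requirements mapped to the user's role and the client's OS, in Priority order."""
    return sorted(
        (r for r in requirements
         if role in r.roles and ({client_os, "Windows All"} & r.operating_systems)),
        key=lambda r: r.priority,
    )


def run_agent_session(requirements, role, client_os, rule_results):
    """Return (network access granted, per-requirement report) for one client."""
    report = []
    for requirement in applicable_requirements(requirements, role, client_os):
        if requirement_met(requirement, rule_results):
            report.append((requirement.name, "passed"))
            continue
        if requirement.enforce_type == "Mandatory":
            # Remediation is pushed and no later requirement is tested until this one succeeds
            report.append((requirement.name, "failed: remediation pushed, session stops"))
            return False, report
        if requirement.enforce_type == "Optional":
            # Shown with the "Optional" prefix in the Agent dialog; the user may click Next
            report.append((requirement.name, "failed (Optional): user may continue"))
        elif requirement.enforce_type == "Audit":
            report.append((requirement.name, "failed (Audit): recorded silently"))
        else:
            raise ValueError(f"unknown Enforce Type {requirement.enforce_type!r}")
    return True, report


# Constructed sample configuration for a Normal Login role named "student"
SAMPLE_REQUIREMENTS = (
    Requirement("MustHaveAntiVirus", "Mandatory", 1, "any",
                ("Look4SymAV", "Look4McAfeeAV"), frozenset({"Windows All"}), frozenset({"student"})),
    Requirement("AdAwareUpToDate", "Optional", 2, "all",
                ("adawareLogRecent",), frozenset({"Windows XP", "Windows 2000"}), frozenset({"student"})),
    Requirement("CriticalHotfixes", "Audit", 3, "all",
                ("pr_XP_Hotfixes",), frozenset({"Windows XP"}), frozenset({"student"})),
    Requirement("StaffOnlyCheck", "Mandatory", 1, "all",
                ("staffRule",), frozenset({"Windows All"}), frozenset({"staff"})),
)

# Constructed rule outcomes: Symantec rule met, McAfee rule not, adaware and hotfix rules failing
CLIENT_A = {"Look4SymAV": True, "Look4McAfeeAV": False,
            "adawareLogRecent": False, "pr_XP_Hotfixes": False, "staffRule": True}
# The same client with neither antivirus rule met
CLIENT_B = dict(CLIENT_A, Look4SymAV=False)

if __name__ == "__main__":
    # (True, [...]): the Mandatory requirement passes, the Optional and Audit ones fail but do not block
    print(run_agent_session(SAMPLE_REQUIREMENTS, "student", "Windows XP", CLIENT_A))
    # (False, [...]): MustHaveAntiVirus fails first, so nothing later is tested
    print(run_agent_session(SAMPLE_REQUIREMENTS, "student", "Windows XP", CLIENT_B))
```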


Validate Requirements
The Clean Access Manager automatically validates requirements and rules as they are created. The
Validity column under Device Management > Clean Access > Clean Access Agent > Requirements
> Requirement List displays requirement validity as follows:
• — The requirement is valid.
• — The requirement is invalid. Highlighting this icon with your mouse displays the validity status
message for this requirement. The status message states which rule and which check is causing the
requirement to be invalid, in the form:
Invalid rule [rulename] in package [requirementname] (Rule verification error:
Invalid check [checkname] in rule expression)
The requirement must be corrected and made valid before it can be used. Typically requirements/rules
become invalid when there is an operating system mismatch.

To Correct an Invalid Requirement:


1. Go to Device Management > Clean Access > Clean Access Agent > Requirements >
Requirement-Rules
2. Correct any invalid rules or checks as described in Validate Rules, page 12-30.
3. Select the invalid Requirement Name from the dropdown menu.
4. Select the Operating System.
5. Make sure the Requirement met if: expression is correctly configured.
6. Make sure the rules selected for the requirement are valid (blue checkmark in Validity column).

Figure 12-25 Requirement List
[Screenshot callout: status message for invalid requirement]


Configure an Optional Requirement


You can make any requirement an “optional” requirement by clicking the Do Not Enforce Requirement
checkbox in the New Requirement or Edit Requirement form. Optional requirements allow you to
view administrative reports for a Clean Access Agent user without blocking the client from the network
if the optional requirement fails. If an optional requirement fails, the user is put in the Temporary role
and will see “Optional” preceding the name of the requirement in the Agent dialog; however the user can
click Next and either proceed to the next requirement or to the network if no other requirements are
configured.
If you want to provide an extended period of time for users to meet requirements without blocking them
from the network, you can configure an optional requirement with instructions to comply by a certain
date. You can later enforce the requirement at the specified date to make the requirement mandatory.

To Create an Optional Requirement:


1. Go to Device Management > Clean Access > Clean Access Agent > Requirements > New
Requirement

Figure 12-26 Optional Requirement

2. Choose a Requirement Type from the dropdown.


3. Choose Optional (do not enforce) as the Enforce Type from the dropdown menu. The user is
informed of the requirement but can bypass it if desired (by clicking “Next”). The client system does
not have to meet the requirement for the user to proceed or have network access.
4. Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means
this requirement is checked on the system ahead of all other requirements (and appears in the Agent
dialogs in that order). Note that if a Mandatory requirement fails, the Agent does not continue past
that point until that requirement succeeds.
5. Configure specific fields for the requirement type.
6. Type the Requirement Name for the optional requirement.


7. Type instructions in the Description field to inform users that this is an optional requirement and
that they can still proceed to the network by clicking the Next button on the Agent dialog. Note the
following:
– File Distribution displays Download button on the Agent.
– Link Distribution displays Go To Link button on the Agent.
– Local Check displays Download button (disabled) on the Agent.
– AV Definition Update displays Update button on the Agent.
– AS Definition Update displays Update button on the Agent.
8. Click the checkbox(es) for the Operating System.
9. Click Add Requirement.
Optional requirements must be mapped to rules and user roles in the same way as mandatory
requirements. Refer to the following sections to complete configuration:
• Map Requirement to Rules, page 12-34
• Apply Requirements to Role, page 12-36

Figure 12-27 Agent Dialog for Optional Requirement


Launch Programs Example


The following example shows how to use Launch Programs to launch a qualified (signed) program. If
you use a Certificate Authority (CA) to sign the program, you can skip the steps in the example that
describe performing your own application signing.
If the user has admin privileges on the client machine, any executable program is qualified.
If the user does not have admin privileges, the target executable is launched via the Agent Stub, and the
executable must have:
1. A valid digital signature, signed by certificates with specific field value(s)
2. Optionally, file version information with specific item value(s).
The values for certificate and file version information are also configurable in the registry.
Code or program signing is the process of attaching a digital signature to the program so that it can be
considered trustworthy to launch. When NAC Appliance launches a signed program, the
“Launcher” confirms that the signature is from a trusted source (i.e., the CA certificate is in the trusted
store) before executing it. Application signing is needed because launching unsigned applications is a
security risk: anyone could disguise a trojan/worm as the program that you are trying to launch and cause
harm. Certificate Authorities (CA), such as Thawte and Verisign, offer signing services.
To sign programs yourself, you need:
• A CA server (public or private)
• A certificate issued by the CA server
• The private key for the above certificate, and the CA server's public key
• The .exe, .dll, .scr, or .wsh file that needs to be signed
• A signing tool (such as signcode.exe/signtool.exe)

Note Example references/tools:


• http://www.pantaray.com/signcode.html
• http://www.cryptguard.com/documentation_resources_tools.shtml

Add Requirement

Step 1 Create a New Requirement of type Launch Programs.


Step 2 Indicate whether the Requirement is Optional, Mandatory, or Audit.
Step 3 Indicate the root location from which to launch the qualified Program:
• System_Root = C:\Windows
• System_32 = C:\Windows\System32
• System_Programs = C:\Program Files


Figure 12-28 Choose Root Location

Step 4 A more specific path and program parameters can be added:

Figure 12-29 Specify Program Parameters

Step 5 Click Add Program to add the program to the Program Name list.

Figure 12-30 Add Program

Step 6 Click Save Requirement.

Configure Application Signing

Step 1 Obtain a certificate and private key that will be used to sign your .exe file. You can obtain these from a
private CA (e.g., an MS CA server) or a public CA (Verisign, Thawte, etc.). The rest of the files are tools you
will need.

Figure 12-31 Obtaining Certificate
[Screenshot callouts: certificate, private key, EXE to be signed]

Step 2 Use the cert2spc.exe tool to create a SPC file also known as Software Publishing Certificate.


C:\inetsdk\test>cert2spc prem1.cer prem1.spc
Succeeded

Step 3 This creates a prem1.spc file as shown in Figure 12-32.

Figure 12-32 Create Software Publishing Certificate (SPC)

Step 4 Run signcode.exe

C:\inetsdk\test>signcode

Figure 12-33 Run signcode.exe

Step 5 Browse and pick the .EXE that needs to be signed (tftpd.exe, in this example).


Figure 12-34 Choose Executable to Sign

Step 6 Pick the “Custom” option

Figure 12-35 Choose Custom Option

Step 7 Click “Select from File” and select the prem1.spc file created earlier.


Figure 12-36 Select SPC File

Step 8 Click “Browse” to select the private key prem1.pvk file.

Figure 12-37 Browse to Private Key

Step 9 Enter the password needed to use your private key (if any).


Figure 12-38 Enter Password to Private Key

Step 10 Select the hash algorithm you want to use for the signature.

Figure 12-39 Select Hash Algorithm

Step 11 Leave default values for the screens shown.


Figure 12-40 Leave Defaults

Step 12 Click Finish

Figure 12-41 Click Finish

Step 13 If prompted again for Private Key, re-enter it. You will see the message:


Figure 12-42 Re-Enter Private Key if Necessary

Step 14 Confirm that your EXE is signed by right-clicking the file and selecting “Properties”. The Digital
Signatures tab and the Certificate CN name will confirm it.

Figure 12-43 Confirm Signed Executable

Step 15 Next, create a custom check/rule on NAC Appliance to check whether the application called TFTPD32.exe is
running.

Figure 12-44 Create Check

Step 16 Finally, create a requirement that uses this rule as follows:


Figure 12-45 Create Requirement
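As an added check for Step 14 (this is not part of the Cisco guide), the following PowerShell function confirms that the executable's Authenticode signature is valid and that the signer chains to a root present in the local trusted store, which is the condition the Agent launcher applies before running a signed program. The file path and the optional thumbprint pin are placeholders; Get-AuthenticodeSignature and X509Chain are standard Windows PowerShell/.NET features.

```powershell
# Added example, not from the Cisco guide: verify that a program intended for a
# Launch Programs requirement is Authenticode-signed by a certificate that chains to a
# root in the local trusted store. The file path and thumbprint are constructed placeholders.

function Test-LaunchProgramSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FilePath,
        # Optional pin: thumbprint of the signing certificate obtained in Step 1.
        [string]$ExpectedThumbprint
    )

    $result = [ordered]@{
        Path = $FilePath; Status = 'Unknown'; Signer = $null; Root = $null
        RootInTrustedStore = $false; ThumbprintMatches = $null; Ok = $false; Reason = ''
    }

    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) {
        $result.Reason = 'file not found'
        return [pscustomobject]$result
    }

    # Reads and validates the PKCS#7 Authenticode signature embedded in the PE file.
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath
    $result.Status = $sig.Status.ToString()

    if ($sig.Status -ne 'Valid') {
        # NotSigned: no signature at all (no Digital Signatures tab in Step 14).
        # HashMismatch: file modified after signing. UnknownError: chain does not build.
        $result.Reason = $sig.StatusMessage
        return [pscustomobject]$result
    }

    $signer = $sig.SignerCertificate
    $result.Signer = $signer.Subject

    # Rebuild the chain ourselves so the verdict does not depend on cached results,
    # and require the Code Signing EKU (1.3.6.1.5.5.7.3.3) on the signer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $codeSigningEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($codeSigningEku)

    if (-not $chain.Build($signer)) {
        $result.Reason = ($chain.ChainStatus |
            ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        return [pscustomobject]$result
    }

    # The last element of a successfully built chain is the root; it must be in
    # the machine's Trusted Root store, which is what "trusted source" means here.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $result.Root = $root.Subject
    $result.RootInTrustedStore = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint })

    if ($ExpectedThumbprint) {
        $pin = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        $result.ThumbprintMatches = ($signer.Thumbprint -eq $pin)
    }

    $result.Ok = $result.RootInTrustedStore -and ($result.ThumbprintMatches -ne $false)
    if (-not $result.Ok) { $result.Reason = 'root not trusted or signer thumbprint mismatch' }
    return [pscustomobject]$result
}

# Constructed placeholder path; replace with the program named in the requirement.
Test-LaunchProgramSignature -FilePath 'C:\Program Files\TFTPD32\tftpd32.exe' | Format-List
```

Run it against the signed file before adding the program to the requirement; a result other than Ok = True means the Agent launcher on clients with the same trust store will refuse the program.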

Launch Signed Program: User View

Step 1 User logs in with Agent. NAC Appliance detects that TFTPD32.exe is not running. User is quarantined
and asked to remediate.
Step 2 User clicks on Launch and TFTPD32.exe is launched.
Step 3 User clicks Next and logs onto network.

Figure 12-46 Launch Signed Program: User View


Viewing Clean Access Agent Reports


The Clean Access Agent Reports page (under Device Management > Clean Access > Clean Access
Agent > Reports > Report List) gives you detailed information about the activities of the Clean Access
Agent. The information includes user access attempts and system check results.
Report List entries with an orange background indicate clients who failed system checking.
With release 4.1(0), Clean Access Agent report logging and searching are enhanced to facilitate
information gathering for the administrator. The Reports page now provides an “Advanced/Simple”
toggle option that expands the search criteria to include the following options:
• AV/AS Software:
The AV/AS Software dropdown menu allows you to search/display client reports for the following
cases:
– AntiVirus Software Installed
– AntiSpyware Software Installed
– Unknown AV/AS Software Installed
• Requirement and Success/Failure:
The Requirement dropdown lists all Clean Access Agent requirements configured in the system, and
the Success/Failure dropdown option allows you to search/display success or failure client reports
for the chosen requirement.
Clicking the Show button after selecting any of the Simple or expanded Advanced search options displays
a summary of all entries that match the criteria, as well as the detailed administrator report for each
client.

Figure 12-47 Clean Access Agent Administrator Report

Click the View button to see an individual user report, as shown in Figure 12-48.


Figure 12-48 Example Clean Access Agent User Report

The Clean Access Agent report lists the requirements applicable for the user role (both Mandatory and
Optional). Requirements that the user met are listed in green, and failed requirements are listed in red.
The individual checks making up the requirement are listed by status of Passed, Failed, or Not executed.
This allows you to view exactly which check a user failed when a requirement was not met.
Not Executed checks are checks that were not applied, for example because they apply to a different
operating system. Failed checks may be the result of an “OR” operation. To clear the reports, click the
Delete button. The button clears all the report entries that are currently selected by the filtering criteria.

Limiting the Number of Reports


You can limit the number of reports in the log under Device Management > Clean Access > Clean
Access Agent > Reports > Report Setting. Specify the maximum number of reports as a value between
100 and 200000 (default is 30000).
Clean Access Agent reports are stored in their own table and are separate from the general Event Logs.


Clean Access Agent User Dialogs


This section describes the following:
• Windows Agent Dialogs, page 12-51
• Mac OS X Agent Dialogs (Authentication Only), page 12-62
• Agent Localized Language Templates, page 12-69

Windows Agent Dialogs


This section illustrates the user experience when Cisco NAC Appliance is installed on your network and
the Clean Access Agent is required and configured for the user role.

Note For details on the Clean Access Agent when configured for Single Sign-On (SSO) behind a VPN
concentrator, see the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide.

1. When the user first opens a web browser, the user is redirected to the web login page (Figure 12-49).

Figure 12-49 Login Page

2. The user logs into the web login page and is redirected to the Clean Access Agent Download page
(Figure 12-50) for the one-time download of the Clean Access Agent installation file.


Figure 12-50 Clean Access Agent Download Page

3. The user clicks the Download Clean Access Agent button (the button will display the version of
the Agent being downloaded).

Note If the “Allow restricted network access in case user cannot use Clean Access Agent” option
is selected under Device Management > Clean Access > General Setup > Agent Login, the
Get Restricted Network Access button and related text will display in the Download Clean
Access Agent page. See Agent Login, page 10-17 for details.

4. The user should Save the CCAAgent_Setup.exe file to a download folder on the client system, then
Run the CCAAgent_Setup.exe file.

Note If the CAS certificate is not trusted on the client, the user must accept the certificate in the Security Alert
dialog that appears before Agent installation can successfully proceed.

5. The Welcome to the InstallShield Wizard for Clean Access Agent dialog appears (Figure 12-51).


Figure 12-51 Clean Access Agent InstallShield Wizard

6. The setup wizard prompts the user through the short installation steps to install the Clean Access
Agent to C:\Program Files\Cisco Systems\Cisco Clean Access\Clean Access Agent and adds a
desktop shortcut on the client (Figure 12-52).

Figure 12-52 Desktop Shortcut

7. When the InstallShield Wizard completes and the user clicks Finish, the Clean Access Agent login
dialog pops up (Figure 12-53) and the Clean Access Agent taskbar icon appears in the system tray.

Figure 12-53 Clean Access Agent Login Dialog

8. The user enters credentials to log into the network. Similar to the web login page, an authentication
provider can be chosen from the Provider list (if configured for multiple providers).


Note Clicking the session-based Remember Me checkbox causes the User Name and Password
fields to be populated with the last values entered throughout multiple logins/logouts if the user
does not exit or upgrade the application or reboot the machine. On shared machines, the
Remember Me checkbox can be disabled to ensure multiple users on the machine are always
prompted for their individual username and password.

9. The user can right-click the Clean Access Agent icon in the system tray to bring up the taskbar menu
for the Agent (Figure 12-54).

Figure 12-54 Clean Access Agent Taskbar Menu

Taskbar menu options are as follows:


Login/Logout—This toggle reflects the login status of the user. Login is displayed when the user
is behind a Clean Access Server and is not logged in. Logout is displayed when the user is already
logged into Cisco NAC Appliance. Note that the Login option is disabled (greyed out) in the
following cases:
• The Clean Access Agent cannot find a Clean Access Server.
• For Out-of-Band deployments, the Agent user is already logged in through the CAS and is
moved to the Access VLAN.
• For multi-hop L3 deployments, Single Sign-On (SSO) has been enabled and the user has already
authenticated through the VPN concentrator (therefore is already automatically logged into
Cisco NAC Appliance).
• MAC address-based authentication is configured for the machine of this user and therefore no
user login is required.
Popup Login Window—This option is set by default when the Agent is first installed and causes
the Agent login dialog to automatically pop up when it detects that the user is behind a Clean Access
Server and is not logged in.
Properties—Selecting Properties brings up the Agent Properties and Information dialog
(Figure 12-55), which shows all of the AV and AS products installed on the client machine and the
Discovery Host for L3 deployments.


Figure 12-55 Properties

About—Displays the version of the Agent (Figure 12-56).

Figure 12-56 About

Exit—Exits the application, removes the Agent icon from the taskbar, and automatically logs off the
user.

Note • After exiting the Agent or if the taskbar icon is not running, the user can click the Desktop shortcut
(Figure 12-52) to bring up the Agent and display the taskbar icon.
• If “Popup Login Window” is disabled on the taskbar menu, the user can always right-click the
Agent icon in the system tray and select Login (Figure 12-54) to bring up the login dialog.


Note Auto-Upgrade for Already-Installed Agents: When the Agent is already installed, users are prompted
to auto-upgrade at each login, unless you disable upgrade notification. You can optionally force logout
at machine shutdown (default is for users to remain logged in at machine shutdown). You can configure
auto-upgrade to be mandatory or optional. With auto-upgrade enabled and a newer version of the Agent
available from the CAM, existing Agent users will see one of the following upgrade prompts at login
(Figure 12-57 or Figure 12-58).

Figure 12-57 Example Auto-Upgrade Prompt (Mandatory)

Figure 12-58 Example Auto-Upgrade Prompt (Optional)

10. Clicking OK or Yes then brings up the setup wizard to upgrade the Agent to the newest version
(Figure 12-51 on page 12-53). After Agent upgrade and user log in, requirement checking proceeds.

11. After the user submits his or her credentials, the Clean Access Agent automatically checks whether
the client system meets the requirements configured for the user role. If network scanning is also
configured, the dialog shown in Figure 12-59 additionally appears.

Figure 12-59 Agent Scanning Dialog

12. If required software is determined to be missing, the You have temporary access! dialog appears
(Figure 12-60). The user is assigned to the Clean Access Agent Temporary role for the session
timeout indicated in the dialog. The Temporary role session timeout is set by default to 4 minutes
and should be configured to allow enough time for users to access web resources and download the
installation package for the required software.


Figure 12-60 Temporary Access—Requirement Not Met

13. When the user clicks Continue, the Agent dialog for the AV or custom requirement displays to
identify the missing software and present the instructions, action buttons, and/or links configured
for the requirement type.
14. The Description text displays what you configured in the Description field of the requirement to
direct the user to the next step. Specify instructions for the AV or AS update to be executed, the web
resource to be accessed, the installation file you are distributing through the CAM, or any other
aspects of the requirement that may need explanation.
For an AV Definition Update requirement (Figure 12-61), the user clicks the Update button to
update the client AV software on the system.

Figure 12-61 AV Definition Update Requirement Example (callouts: AV Definition Update Requirement Type; Description field provides your instructions to the user; User clicks Update to automatically update client AV definition file(s))

The Clean Access Agent will display a success confirmation once the AV/AS software is updated
(Figure 12-62).

Figure 12-62 AV Definition Update Success Confirmation


Note The Agent displays a success confirmation based on the response it receives from the update mechanism
of the AV/AS software installed on the client. The Agent does not control the update interaction itself
between the AV/AS client software and the update server.

For an AS Definition Update requirement (Figure 12-63), the user clicks the Update button to
update the definition files for the Anti-Spyware software on the client system.

Figure 12-63 AS Definition Update Requirement Example (callouts: AS Definition Update Requirement Type; Description field provides your instructions to the user; User clicks Update to automatically update client AS definition file(s))

For a Windows Update requirement (Figure 12-64), the user clicks the Update button to set the
Windows Update and force updates on the client system if “Automatically Download and Install” is
configured for the requirement.

Figure 12-64 Windows Update Requirement Example (callouts: Windows Update (Optional) Requirement Type; Description field provides your instructions to the user; User clicks Update to set or start Windows update for the client)


For a Launch Program requirement (Figure 12-65), the user clicks the Launch button to
automatically launch the qualified program for remediation if the requirement is not met.

Figure 12-65 Launch Program Requirement Example (callouts: Launch Program Requirement Type; Number of associated programs; User clicks Launch to execute program)

For a File Distribution requirement (Figure 12-66), the button displays Download instead of Go
To Link. When the user clicks Download, the Save file to dialog appears. The user needs to save the
installation file to a local folder and run the executable file from there.

Figure 12-66 File Distribution Requirement Example (callouts: File to Download from CAM; User clicks Download to save and install software)


For a Link Distribution requirement (Figure 12-67), the user can access the website for the required
software installation file by clicking Go To Link. This opens a browser for the URL specified in the
Location field.

Figure 12-67 Link Distribution Requirement Example (callouts: File Link URL; User clicks Go To Link to open a browser and download software)

15. Clicking Cancel at this stage stops the login process.


16. For each requirement, the user needs to click Next to proceed after completing the action required
(Update, Go To Link, Download). The Agent again performs a scan of the system to verify that the
requirement is met. If met, the Agent proceeds to the next requirement configured for the role.
17. If a Network Policy page was configured for the role, the following dialog will appear
(Figure 12-68) after requirements are met. The user can view the “network usage policy” HTML
page (uploaded to the CAM or external server) by clicking the Network Usage Terms &
Conditions link. The user must click the Accept button to successfully log in.

Figure 12-68 Network Policy Dialog (callouts: Link to network usage policy web page; User must click “Accept” to login)

See Configure Network Policy Page (Acceptable Use Policy) for Agent Users, page 11-6 for details
on configuring this dialog.
18. When all requirements are met (and Network Policy accepted, if configured), the user is transferred
from the Temporary role to the normal login role and the login success dialog appears
(Figure 12-69). The user is free to access the network as allowed for the normal login role.


Note If the “Do not enforce requirement” option is checked (to make a requirement optional), when the user
clicks Next in the Agent for the optional requirement, the next requirement dialog will display or the
login success dialog will appear if all other requirements are met.

Note With 4.1, the administrator can configure the Login and Logout success dialogs to close automatically
after a specified number of seconds, or not to appear at all. See Agent Login, page 10-17 for details.

Figure 12-69 Successful Login

19. To log off the network, the user can right-click the Clean Access Agent icon in the system tray
and select Logout. The logout screen appears (Figure 12-70). If the administrator removes the user
from the network, the Login dialog will reappear instead (if Popup Login Window is set).

Figure 12-70 Successful Logout

20. Once a user has met requirements, the user will pass these Clean Access Agent checks at the next
login unless there are changes to the user’s computer or Clean Access Agent requirements.


21. If a required software installation requires users to restart their computers, the user should log out
of the network before restarting. Otherwise, the user is still considered to be in the Temporary role
until the session times out. The session timeout and heartbeat check can be set to disconnect users
who fail to log out of the network manually.

Mac OS X Agent Dialogs (Authentication Only)


Release 4.1(0) introduces a Clean Access Agent that performs authentication on Mac OS X machines.
The Agent is in the form of a universal binary that supports Mac OS 10.2 to 10.4. The Mac OS X Clean
Access Agent supports single sign-on (SSO) with VPN deployments but does not support SSO with
Active Directory.

Note In the CAM web console, you can view the distribution options for the Mac OS X Clean Access Agent
under Device Management > Clean Access > Clean Access Agent > Distribution. See Distribution,
page 11-12 for details.

See also SSL Requirements for Mac OS/CAS Communication, page 11-18 for additional details.

Figure 12-71 Distribution - CAM Web Console


The Mac OS Agent user sequence is as follows.


1. The user is redirected to the Login page (Figure 12-72).

Figure 12-72 Login Page—Mac OS X

2. The user is directed to the Download Clean Access Agent page (Figure 12-73).

Figure 12-73 Download Agent—Mac OS X


3. The user clicks the “Download” button and the CCAAgent_MacOSX.tar.gz.tar file is downloaded to
the desktop (Figure 12-74) and untarred.

Figure 12-74 Download Clean Access Agent Setup Executable to Desktop

4. The user double-clicks the CCAAgent.pkg file and the MacOS installer for the Clean Access Agent
starts up (Figure 12-75).

Figure 12-75 Double-Click CCAAgent.pkg to Start Clean Access Agent Installer


5. The user clicks the Continue button to proceed with the Read Me and Select Destination screens of
the installer (Figure 12-76).

Figure 12-76 Installation Executes

6. The user clicks the Upgrade button to perform the installation (Figure 12-77). When done, the user
clicks Close.

Figure 12-77 Installation Executes (Continued)


Note If the Agent has never been installed on the machine, the Installation screen (Figure 12-77)
displays an “Install” button. If the Agent was installed at one point, even if there is no Agent
currently in the system when the installer is invoked, the “Upgrade” button is displayed.

7. After installation, the Clean Access Agent login dialog pops up. The Agent icon is now available
from the Tool Menu (Figure 12-78). Right-clicking the Agent icon brings up the menu choices:
– Login/Logout (toggle depending on login status)
– Auto Popup Login Window (enabled by default)
– About (displays version screen for the Agent)
– Quit (exits the Agent application)

Figure 12-78 Agent Login Pops Up / Desktop Icon Available from Tool Menu

8. The Agent login status is indicated by the tool tip popup and the color of the Agent icon in the menu.
GREEN (Figure 12-79) indicates:
– CAS is discovered
– Login status is “Logged In”
– CAS status is Fallback: “Allow All”; user status will be “Bypass”
– Agent is filtered by MAC address with “Allow/Role”, with user status of “Logged-In”

Figure 12-79 Agent Login Status—Green (Logged In)

GREY (Figure 12-80) indicates the CAS is not discovered.


Figure 12-80 Agent Login Status—Grey (CAS is Not Discovered)

ORANGE (Figure 12-81) indicates:


– CAS is discovered
– Login status is not logged in
– CAS status is Fallback: “Block All”; user status will be “Blocked”
– Agent is filtered by MAC address with “Deny”; user status will be “Blocked”
– Agent is filtered by MAC address with “Check”; user status is not supported currently.

Figure 12-81 Agent Login Status—Orange (CAS is Discovered/Agent Not Logged In)

9. The Clean Access Agent application itself is installed under Macintosh HD > Library >
Application Support > Cisco Systems > CCAAgent (Figure 12-82).

Figure 12-82 Clean Access Agent—Application Installation Location


10. The Clean Access Agent event.log debug file and setting.plist system preferences file are installed
under <username> > Library > Application Support > Cisco Systems > CCAAgent
(Figure 12-83).

Figure 12-83 Clean Access Agent—Event.log and Setting.plist File Locations

11. The setting.plist file (Figure 12-84) will include:


– LogLevel selected for Agent event.log
– Whether Remember Me is checked in the Login screen
– Whether AutoPopup Login Window is checked in the Menu.

Figure 12-84 Clean Access Agent—Setting.plist File Contents


Agent Localized Language Templates


With release 4.1(0), the Clean Access Agent supports multiple European languages using language
templates. In addition to English, version 4.1.0.0 of the Clean Access Agent supports German, Italian,
Finnish, Czech, Norwegian, Spanish, Danish, French, Russian, Swedish, Turkish, Serbian, and Catalan.
The Agent picks the correct template based on the Locale settings of the local computer. To use the
localized Agent, the user needs to change the Windows locale setting to the corresponding language
under Control Panel > Regional and Language Options. For example, to use the Agent in French, the
user needs to set the Windows locale to French.
In addition, Agent error messages, warnings, and Properties data are all based on the supported language
templates. It is recommended to use the localized Agent in a localized version of Windows (for example,
the Russian Agent in Russian Windows), as the English version of Windows may not be able to display all
characters correctly. For administrators, the names of requirements/descriptions are as configured on the
CAM. On the CAM, these can be configured using characters of the appropriate language.

Note While all text based messages will appear in the supported language, the names of the actual checks/rules
will be as configured on the CAM.

Note Agent template support is not the same as support for different client OSes for the Agent Installer or for
AV/AS products. The Agent language template only controls what the viewer sees after the Agent is
installed.

1. The Agent picks the correct template based on the Windows locale settings of the client PC
(Figure 12-85), set under Control Panel > Regional and Language Options.

Figure 12-85 Agent Language Template Based on Locale

2. Requirements configured on CAM will appear in the language template (Figure 12-86).


Note While all text based messages will appear in the supported language, the names of the actual
checks/rules/requirements will be as configured on the CAM. On the CAM, these can be
configured using characters of the appropriate language.

Figure 12-86 Agent Requirement Dialogs (Localized)

3. Errors, messages, warnings and Properties data are all based on the supported language templates
(Figure 12-87).

Figure 12-87 Messages, Properties in Language Template

Note Agent template support does not mean that the Agent Installer package or the AV/AS product will be
supported on a different OS. The language template only controls what the viewer sees after the Agent
is installed.


Troubleshooting the Agent


This section contains the following:
• Client Cannot Connect/Login
• No Agent Pop-Up/Login Disabled
• Client Cannot Connect (Traffic Policy Related)
• AV/AS Rule Troubleshooting
• Known Issue for Windows Script 5.6
• Known Issue for MS Update Scanning Tool (KB873333)

Client Cannot Connect/Login


The following client errors at login can indicate CAM/CAS certificate related issues (i.e. the CAS does
not trust the certificate of the CAM, or vice-versa):
• Users attempting web login continue to see the login page after entering user credentials and are not
redirected.
• Users attempting Agent login see the following error: “Clean Access Server could not establish a
secure connection to the Clean Access Manager at <IPaddress or domain>”
To resolve these issues, refer to Troubleshooting Certificate Issues, page 15-15.

No Agent Pop-Up/Login Disabled


For L2 or L3 deployments, the Clean Access Agent will pop up on the client if “Popup Login Window”
is enabled on the Agent and the Agent detects it is behind the Clean Access Server. If the Agent does not
pop up, this indicates it cannot reach the CAS.

To Troubleshoot L2 Deployments:
1. Make sure the client machine can get a correct IP address. Open a command tool (Start > Run > cmd)
and type ipconfig or ipconfig /all to check the client IP address information.
2. If necessary, type ipconfig /release, then ipconfig /renew to reset the DHCP lease for the client.

To Troubleshoot L3 Deployments:
1. Check whether the Discovery Host field is set to the IP address of the CAM itself under Device
Management > Clean Access > Clean Access Agent > Distribution | Discovery Host. This field
must be the address of a device on the trusted side and cannot be the address of the CAS.
2. Uninstall the Agent on the client.
3. Change the Discovery Host field to the IP address of the CAM and click Update.
4. Reboot the CAS.
5. Re-download and re-install the Agent on the client.


Note The Login option on the Agent is correctly disabled (greyed out) in the following cases:
• For OOB deployments, the Agent user is already logged in through the CAS and the client port is
on the Access VLAN.
• For multi-hop L3 deployments, Single Sign-On (SSO) has been enabled and the user has already
authenticated through the VPN concentrator (therefore is already automatically logged into Cisco
NAC Appliance).
• MAC address-based authentication is configured for the machine of this user and therefore no user
login is required.

Client Cannot Connect (Traffic Policy Related)


The following errors can indicate DNS, proxy or network traffic policy related issues:
• User can login via Agent, but cannot access web page/Internet after login.
• User cannot access web login page without typing in https://<CAS_IP_address> as the URL.
To troubleshoot these issues:
• Verify and/or change DNS Servers setting on the CAS (under Device Management > CCA Servers
> Manage <CAS_IP> > Network > DNS)
• If enabling the CAS as a DHCP server, verify and/or change the DNS Servers field for the Subnet
List (under Device Management > CCA Servers > Manage <CAS_IP> > Network > DHCP >
Subnet List > List | Edit).
• If remediation sites cannot be reached after login, verify default host policies (Allowed Hosts) are
enabled for the Temporary role (under User Management > User Roles > Traffic Control > Host).
• If using a proxy server, make sure a traffic policy allowing HTTP traffic to the proxy server is
enabled for the Temporary role. Verify the proxy is correctly set in the browser (from IE go to Tools
> Internet Options > Connections > LAN Settings | Proxy server).
See Troubleshooting Host-Based Policies, page 9-29 for additional details.

AV/AS Rule Troubleshooting


To view administrator reports for the Clean Access Agent, go to Device Management > Clean Access
> Clean Access Agent > Reports. To view information from the client, right-click the Agent taskbar
icon and select Properties.
When troubleshooting AV/AS Rules, please provide the following information:
1. Version of CAS, CAM, and Clean Access Agent.
2. Client OS version (e.g. Windows XP SP2)
3. Name and version of AV/AS vendor product.
4. What is failing—AV/AS installation check or AV/AS update checks? What is the error message?
5. What is the current value of the AV/AS def date/version on the failing client machine?
6. What is the corresponding value of the AV/AS def date/version being checked for on the CAM? (see
Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info)


Known Issue for Windows Script 5.6


Windows Script 5.6 is required for proper functioning of the Clean Access Agent. Most Windows 2000
and older operating systems come with Windows Script 5.1 components. Microsoft automatically
installs the new 5.6 component on performing Windows updates. Windows installer components 2.0 and
3.0 also require Windows Script 5.6. However, PC machines with a fresh install of Windows 98, ME, or
2000 that have never performed Windows updates will not have the Windows Script 5.6 component.
Cisco NAC Appliance cannot redistribute this component as it is not provided by Microsoft as a merge
module/redistributable.
In this case, administrators will have to access the MSDN website to get this component and upgrade to
Windows Script 5.6. For convenience, links to the component from MSDN are listed below:

Win 98, ME, NT 4.0:


Filename: scr56en.exe
URL: http://www.microsoft.com/downloads/details.aspx?familyid=0A8A18F6-249C-4A72-BFCF-FC6AF26DC390&displaylang=en

Win 2000, XP:


Filename: scripten.exe
URL: http://www.microsoft.com/downloads/details.aspx?familyid=C717D943-7E4B-4622-86EB-95A22B832CAA&displaylang=en
If these links change on MSDN, try a search for the file names provided above or search for the phrase
“Windows Script 5.6.”

Known Issue for MS Update Scanning Tool (KB873333)


Background

KB873333 is a critical update that is required for Windows XP Professional and Home for SP1 and SP2.
It fixes an OS vulnerability that can allow remote code to run. However, Microsoft had a bug in this
hotfix which caused problems on SP2 editions (home/pro). This bug required another fix (KB894391),
because KB873333 on SP2 caused a problem with displaying Double Byte Character Sets (DBCS).
However, KB894391 does not replace KB873333, it only fixes the DBCS display issue.
Ideally, KB894391 should not be installed or shown in updates unless the user machine has KB873333.
However, the MS Update Scanning Tool shows it irrespective of whether or not KB873333 is installed. In
addition, if, due to the ordering of the updates, KB894391 is installed first, the MS Update Scanning
Tool no longer shows KB873333 as an update to be installed, thereby leaving the vulnerability open. This
can happen if the user does not install KB873333 and only selects KB894391 from the updates list shown,
or manually installs KB894391 without installing KB873333 first. In this case, the next time updates are
run, the user will not be shown KB873333 as a required update, because the MS Update Scanning Tool
(including MS Baseline Analyzer) assumes KB873333 is installed if KB894391 is installed, even if this is
not true and the machine is still vulnerable.


Workaround
Because of this potential vulnerability, Cisco does not intend to remove the update check for KB873333
from the Clean Access ruleset, and users should manually download and install KB873333 to protect
their machines. This can be done in one of two ways:

Option 1 (Cisco Recommended Option)


Create a new Link requirement in the CAM web console to check for KB873333, using the following
steps:
1. Create a rule to check for the presence of KB873333. To create this rule, go to the Rules section of
the web console and click New Rule. Give the rule a name (e.g. “KB873333_Rule”), and for the rule
expression, copy/paste the exact name of the KB873333 check from the list of checks displayed on
that page (the list of available checks appear below the new rule creation section). Save the rule by
clicking “Add Rule.”
2. Download the update executable for KB873333 from Microsoft's website and host it on an available
web server.
3. Create a Link Requirement on CCA, and enter the URL from step 2.
4. Create Requirement-Rules for this requirement by selecting the rule you created in step 1.
5. Finally, go to the Role-Requirements section, and associate the Requirement you just created with
the role to which you want this to be applied.

Note On the Requirements page, make sure that the KB873333 requirement is above the Windows Hotfixes
requirement.

Option 2
Uninstall KB894391 from affected machines. After rebooting, go to the Windows Update page again.
Windows Update should now display both the updates. Install KB873333 and KB894391 on the client
machine. Note that this requires administrators to educate users or manually perform this task on the user
machines.

CHAPTER 13
Configuring Network Scanning

This chapter describes how to set up network scanning for Clean Access. Topics include:
• Overview, page 13-1
• Configure the Quarantine Role, page 13-3
• Load Nessus Plugins into the Clean Access Manager Repository, page 13-3
• Configure General Setup, page 13-6
• Apply Plugins, page 13-7
• Configure Plugin Options, page 13-9
• Configure Vulnerability Handling, page 13-10
• Test Scanning, page 13-12
• Customize the User Agreement Page, page 13-16
• View Scan Reports, page 13-14

Overview
The Clean Access network scanner uses Nessus plugins to check for security vulnerabilities. With Clean
Access, you can define automatic, immediate responses to scan results. For example, if a vulnerability
is found, you can have the user notified, blocked from the network, or assigned to a quarantine role.
Nessus (http://www.nessus.org), an open source project for security-related software, provides plugins
designed to test for specific vulnerabilities on a network. In addition to plugins for remotely detecting
the presence of particular worms, plugins exist for detecting peer-to-peer software activity or web
servers. The following description defines Nessus plugins:
Nessus plugins are very much like virus signatures in a common virus scanner application. Each
plugin is written to test for a specific vulnerability. These can be written to actually exploit the
vulnerability or just test for known vulnerable software versions. Plugins can be written in most any
language but usually are written in the Nessus Attack Scripting Language (NASL). NASL is Nessus'
own language, specifically designed for vulnerability test writing. Each plugin is written to test for
a specific known vulnerability and/or industry best practices. NASL plugins typically test by
sending very specific code to the target and comparing the results against stored vulnerable values.
Anderson, Harry. “Introduction to Nessus.” October 28, 2003.
http://www.securityfocus.com/infocus/1741 (10/29/04).


You can use most standard Nessus plugins with Clean Access. You can also customize plugins or create
your own using NASL. Refer to the Nessus website for information on how to create plugins using
NASL.
When scanning is performed, the network scanner scans the client system according to the plugins you
selected and generates a standard report to the Clean Access Manager containing the results of the scan.
Network scanning reports will indicate whether the plugin resulted in a security hole, warning, or system
information (according to how the Nessus plugin was written). The Clean Access Manager then
interprets the report by comparing the result of the plugin to the vulnerability definition you have
configured for it. If the report result matches the result you have configured as a vulnerability, the event
is logged under Monitoring > Event Logs > View Logs, and you can also configure the following
options:
• Show the result of the scan to the user.
• Block the user from the network
• Put the user in the quarantine role for limited access until the client system is fixed.
• Warn the user of the vulnerability (with the User Agreement Page).

Network Scanning Implementation Steps


The following sections describe the steps required to set up network scanning:

Step 1 Configure the Quarantine Role, page 13-3


Step 2 Load Nessus Plugins into the Clean Access Manager Repository, page 13-3
Step 3 Configure General Setup, page 13-6
Step 4 Apply Plugins, page 13-7
Step 5 Configure Plugin Options, page 13-9
Step 6 Configure Vulnerability Handling, page 13-10
Step 7 Test Scanning, page 13-12
Step 8 Customize the User Agreement Page, page 13-16
Step 9 View Scan Reports, page 13-14


Configure the Quarantine Role


See Configure Network Scanning Quarantine Role, page 9-21 for details.

Load Nessus Plugins into the Clean Access Manager Repository


When the Clean Access Manager is first installed, its Nessus scan plugin repository is empty
(Figure 13-1). Plugins in the repository are listed under Device Management > Clean Access >
Network Scanner > Scan Setup > Plugins. You can manually load plugins you have downloaded from
the Nessus website—as a combined plugins.tar.gz file or as individual .nasl files—to the Clean Access
Manager’s plugin repository. You can also load .nasl plugins that you have created yourself.

Figure 13-1 Network Scanner Plugins Page

Note Due to a licensing requirement by Tenable, Cisco is not able to bundle pre-tested Nessus plugins or
automated plugin updates to Cisco NAC Appliance, effective Release 3.3.6/3.4.1. Customers can still
download Nessus plugins selectively and manually through http://www.nessus.org.
For details on Nessus plugin feeds, see http://www.nessus.org/plugins/index.php?view=feed.
To facilitate the debugging of manually uploaded plugins, see Show Log, page 13-13.

Note Most Nessus 2.2 plugins are supported and can be uploaded to the Clean Access Manager. You must
register for Nessus 2.2 plugins from http://www.nessus.org/plugins/index.php?view=register. Once you
register, you will be able to download the free plugins.

If a plugin you want to add has dependent plugins, you must load those dependencies or the plugin is not
applied. When customizing a plugin, it is recommended that you give the plugin a unique name, so that
it is not overwritten later by a plugin in a Nessus update set.


The plugin’s description appears in the Plugins form of the Scan Setup submenu (Figure 13-3 on
page 13-5). By customizing the plugin’s description, you enable admin console users to distinguish the
plugin from others in the plugin set.
Plugins that you have loaded are automatically published from the Clean Access Manager repository to
the Clean Access Servers, which perform the actual scanning. The CAM distributes the plugin set to the
Clean Access Servers as they start up, if the CAS version of the plugin set differs from the CAM version.

Uploading Plugins
1. Go to Device Management > Clean Access > Network Scanner > Plugin Updates.

Figure 13-2 Plugin Updates

2. With the plugin file in a location accessible to the computer on which you are working, click the
Browse button next to the Manual Update field and navigate to the plugin archive file
(plugins.tar.gz) or individual plugin file (myplugin.nasl).

Note The filename of the uploaded nessus plugin archive must be plugins.tar.gz.
Most Nessus 2.2 plugins are supported.

3. Click Upload.
4. The list of plugins loaded to the repository displays under Network Scanner > Scan Setup >
Plugins (Figure 13-3).


Figure 13-3 Plugins Page After Upload

Note The default view on the Plugins page is “Selected.” If Nessus plugins have not yet been checked
and updated for the user role, the default view (i.e. Selected Plugins) shows no plugins. To view
the plugins you have uploaded, choose one of the other views (for example, “All,” “Backdoors,”
etc.) from the “Show...Plugins” dropdown.

5. If the plugins do not immediately display after Upload, click Delete All Plugins, then perform the
upload again.
6. Apply the plugin and configure its parameters as described in the following sections:
– Apply Plugins, page 13-7
– Configure Vulnerability Handling, page 13-10.

Note When there are plugin dependencies and a prerequisite plugin is not uploaded, the uploaded
plugin will not be applied.

Deleting Plugins
1. Go to Device Management > Clean Access > Network Scanner > Plugin Updates.
2. Click the Delete All Plugins button to remove all plugins from the repository. The Network
Scanner > Scan Setup > Plugins page will no longer be populated.


Configure General Setup


After loading the scan plugins, you can configure scanning by user role and operating system. Before
starting, make sure user roles appropriate for your environment are created.
The General Setup page provides general controls to configure user roles and operating systems for
network scanning, including whether user agreement or scan report pages pop up, and whether a client
is blocked or quarantined if found with vulnerabilities.

To configure network scanning user page options:


1. Go to Device Management > Clean Access > General Setup > Web Login.

Figure 13-4 General Setup—Web Login

2. Choose the role for which you want to configure scanning from the User Role dropdown.
3. Similarly, choose the user operating system to which the configuration applies from the Operating
System dropdown. You can apply settings to all versions of an OS platform (such as
WINDOWS_ALL), or to a specific operating system version (such as WINDOWS_XP). ALL
settings will apply to a client system if a configuration for the specific version of that user’s
operating system does not exist.
If providing specialized settings, select the operating system and clear the checkbox for the ALL
setting (for example, deselect “Use 'ALL' settings for the WINDOWS OS family if no
version-specific settings are specified”).
4. Enable the network scanning options:
– Show Network Scanner User Agreement page to web login users
– Enable pop-up scan vulnerability reports from User Agreement page
– Require users to be certified at every web login — this forces clients to go through network
scanning at each login (otherwise, clients go through scanning only the first time they log in.)


– Exempt certified devices from web login requirement by adding to MAC filters —
(Optional) this allows users that have met network scanning requirements to bypass web login
altogether by adding the MAC address of their machines to the device filters list.
– Block/Quarantine users with vulnerabilities in role—either:
Select the quarantine role in which to quarantine the user, or
Select block access to block the user from the network and modify the contents (if desired) of
the blocked access page that will appear.
5. When finished, click Update to save your changes to the user role.
For additional details, see General Setup Summary, page 10-17 and Customize the User Agreement
Page, page 13-16.

Apply Plugins
Select the Nessus plugins to be used to determine client vulnerabilities from the Plugins page. Select the
user role and operating system and choose the plugins that participate in scanning.

To apply scanning plugins:


1. Go to Network Scanner > Scan Setup > Plugins.

Figure 13-5 Plugins

2. In the form, select a User Role and Operating System, and check the Enable scanning with
selected plugins check box.
3. If you have many plugins in the repository, you can filter which are displayed at a time by choosing
a plugin family from the plugins list, as shown below.
– Selecting All displays all plugins in the repository.


– Choosing -Selected- displays only the plugins you already chose and enabled for the role.

Note The default view on the Nessus plugin page (Device Management > Clean Access > Network Scanner
> Scan Setup > Plugins) is “Selected.” Note that if Nessus plugins have not yet been checked and
updated for the user role, the default view (i.e. Selected Plugins) shows no plugins. To select plugins,
the administrator must choose one of the other views (for example, “All,” “Backdoors,” etc.) from the
“Show...Plugins” dropdown.

4. Click the plugin name for details. An information dialog appears for each plugin (Figure 13-6).

Figure 13-6 Nessus Plugin Description

5. Select the check box for each plugin that you want to participate in the scan for that role.

Note If the plugin is dependent on other plugins in the repository, those plugins are enabled automatically.

6. When finished, click Update. This transfers the selected plugins to the Vulnerabilities page so that
you can configure how these vulnerabilities are handled if discovered on a client system.
If the plugin has configurable parameters, you can now use the Options form to configure them, as
described in the following procedures. Otherwise you can continue to Configure Vulnerability Handling,
page 13-10.


Configure Plugin Options


For plugins that support input parameters, you can configure parameters in the Options form. Before
starting, the plugin must be enabled in the Plugins form, as described in Apply Plugins, page 13-7.

To configure plugin options:


1. In the Network Scanner tab, click the Scan Setup submenu link, then open the Options form.
2. With the appropriate role and operating system selected, choose the plugin you want to configure
from the Plugin list. All plugins enabled for the role appear in the list.
3. Choose the option you want to configure for the plugin from the options list. When you select a
configurable option, Category, Preference Name, and Preference Value dropdowns and/or text
boxes will display, as applicable for the option. Parameters that cannot be configured are indicated
by a “Not supported” message.

Figure 13-7 Options

4. From the dropdown menus, select the Category and Preference Name, type the Preference Value
(if applicable), and click Update. Note that you need to click Update for each parameter you
configure.

Note Cisco recommends using the Clean Access Agent for host registry checks. In order to use Nessus
Windows registry checks, you will need to have a common account (with access to the registry) on all
the machines you want to check. This can be configured under Device Management > Clean Access >
Network Scanner > Scan Setup > Options | Category: Login configurations | Preference Name: [SMB
account/domain/password]. For details on Nessus 2.2 Windows registry checks (requiring credentials),
refer to http://www.nessus.org/documentation/nessus_credential_checks.pdf.


Configure Vulnerability Handling


If scanning uncovers a vulnerability on the user’s system, the user can be blocked from the network,
quarantined, or only warned about the vulnerability.
Network scan reports are listed by user logon attempt under Device Management > Clean Access >
Network Scanner > Reports. Client scan reports can be enabled by selecting the “Enable pop-up scan
vulnerability reports from User Agreement page” option from Device Management > Clean Access
> General Setup.
If enabled, a client scan report will appear in a popup window to notify users if a vulnerability result was
found. This client report is a subset of the scan report and lists only vulnerability results along with
instruction steps or a URL link that guide the user through remediation for the vulnerability. If browser
popups are blocked on the user’s system, the user can click the Scan Report link on the logout page to
view the report. The warning text that appears to users for each vulnerability is configurable, as
described in the following procedures.
Note that typically, plugins do not return results when no issue is found. If a client goes through network
scanning and no vulnerability results are found, no scan report popup is displayed.

To configure how vulnerabilities are handled:


1. Open the Network Scanner > Scan Setup > Vulnerabilities form.
2. Select a User Role and Operating System. Note that plugins selected apply to the User Role:OS
pair. The same set of plugins appears for all operating systems in the role. However, you can
customize which plugins are considered vulnerabilities per operating system.

Figure 13-8 Vulnerabilities

3. For Enabled Plugins (plugins that have been enabled through the Plugins menu) select the following:
ID: This is the number of the plugin that will be listed on the scan report.
Name: Name of the plugin.


Vulnerable if: These dropdown controls configure how the Clean Access Manager interprets the scan
result for the plugin. If the client is scanned and the result returned for a plugin matches the
vulnerability configuration, the client will be put in the quarantine role (or blocked). You can
increase or decrease the level of result that triggers a vulnerability and assigns users to the
quarantine role.
1. NEVER = Ignore the report for the plugin. Even if a HOLE, WARN, or INFO result appears on
the report, this plugin is never treated as vulnerability and will never cause the user to be put in
the quarantine role.
2. HOLE = If HOLE is the result for this plugin, the client has this vulnerability and will be put
in the quarantine role. A result of WARN or INFO on the report is not considered a vulnerability
for this plugin. In most cases, administrators should select “HOLE” to configure vulnerabilities.
“HOLE” will ignore the other types of information (if any) reported by plugins.
3. HOLE, WARN (Timeout) = This setting means the following:
A HOLE result for this plugin is considered a vulnerability and the client will be put in the
quarantine role.
A WARN result for this plugin is considered a vulnerability and the client will be put in the
quarantine role. A WARN result means the plugin scan timed out (due to personal firewalls or
other software) and could not be performed on the machine. Choosing WARN as a vulnerability
will quarantine any client that has a firewall enabled. However, it can also be used as a
precautionary measure to quarantine clients when the results of the scan are not known.
An INFO result on the report is not considered a vulnerability for this plugin.
4. HOLE, WARN, INFO = This setting means the following:
A HOLE result for this plugin means the client has this vulnerability and will be put in the
quarantine role.
A WARN result for this plugin is considered a vulnerability and the client will be put in the
quarantine role. A WARN result usually indicates a client that has a firewall enabled.
An INFO result on the report is considered a vulnerability and the client will be put in the
quarantine role. An INFO result indicates status information such as which services (e.g.
Windows) may be running on a port, or NetBIOS information for the machine. Choosing this level
of vulnerability will quarantine any client that returns status information.

Note If the plugin does not return INFO results (and there are no HOLE or WARN results), the
client will not be quarantined.
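The following Python example is added here to make the decision logic of the last two sections concrete; it is not Cisco code and does not come from this guide. It models the "Vulnerable if" settings (NEVER, HOLE, HOLE+WARN, HOLE+WARN+INFO) as the minimum result level that counts as a vulnerability, applies them to a list of plugin results, and shows the two side effects described in this chapter: the administrator report keeps every result (including plugins run only as dependencies), while the user report keeps only vulnerability matches for explicitly enabled plugins, and a client with no match gets no popup. It also models the General Setup fallback from a version-specific OS entry to the OS family's ALL entry. All plugin IDs, role names, URLs and result texts are constructed for illustration.

```python
# Added example (not Cisco code): applies "Vulnerable if" settings to a scan
# result list as this chapter describes, with the General Setup role:OS
# fallback. Plugin IDs, role names, URLs and texts below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Nessus plugin result levels, ordered by severity.
RESULT_RANK = {"INFO": 1, "WARN": 2, "HOLE": 3}

# "Vulnerable if" choices and the lowest level that counts as a vulnerability.
# NEVER matches nothing; HOLE matches only HOLE; each further setting adds a level.
VULNERABLE_IF = {
    "NEVER": None,
    "HOLE": RESULT_RANK["HOLE"],
    "HOLE, WARN (Timeout)": RESULT_RANK["WARN"],
    "HOLE, WARN, INFO": RESULT_RANK["INFO"],
}


@dataclass
class PluginPolicy:
    plugin_id: int
    name: str
    vulnerable_if: str      # a VULNERABLE_IF key
    instruction: str = ""   # Instruction text shown in the user popup
    link: str = ""          # remediation URL shown in the user report


@dataclass
class RoleOsConfig:
    plugins: Dict[int, PluginPolicy]   # plugins explicitly enabled for this role:OS
    quarantine_role: Optional[str]     # None means "block access" was selected


def resolve_config(configs: Dict[Tuple[str, str], RoleOsConfig],
                   role: str, os_name: str) -> Optional[RoleOsConfig]:
    """Return the role:OS configuration, falling back to the OS family's
    *_ALL entry (WINDOWS_XP -> WINDOWS_ALL) when no version-specific one exists."""
    if (role, os_name) in configs:
        return configs[(role, os_name)]
    family_all = os_name.split("_", 1)[0] + "_ALL"
    return configs.get((role, family_all))


def evaluate_scan(config: RoleOsConfig, results: List[Tuple[int, str, str]]):
    """results: (plugin_id, level, text) triples from one scan.

    Returns (action, admin_report, user_report). action is None when no
    configured vulnerability matched (no popup is shown), otherwise the
    quarantine role name or "BLOCK". The admin report keeps every result,
    including plugins run only as dependencies; the user report keeps only
    vulnerability matches for explicitly enabled plugins."""
    admin_report, user_report = [], []
    for plugin_id, level, text in results:
        admin_report.append({"id": plugin_id, "level": level, "text": text})
        policy = config.plugins.get(plugin_id)
        if policy is None:
            continue  # dependency-only plugin: administrator report only
        threshold = VULNERABLE_IF[policy.vulnerable_if]
        if threshold is None or RESULT_RANK[level] < threshold:
            continue  # result below the configured "Vulnerable if" level
        user_report.append({"id": plugin_id, "name": policy.name, "level": level,
                            "instruction": policy.instruction, "link": policy.link})
    if not user_report:
        return None, admin_report, user_report
    return config.quarantine_role or "BLOCK", admin_report, user_report


# Constructed sample configuration: one role with a WINDOWS_ALL entry only.
SAMPLE_CONFIGS = {
    ("student", "WINDOWS_ALL"): RoleOsConfig(
        plugins={
            90001: PluginPolicy(90001, "Constructed worm check", "HOLE",
                                "Install the vendor patch.", "http://remediation.example/worm"),
            90002: PluginPolicy(90002, "Constructed service check", "HOLE, WARN (Timeout)",
                                "Disable the host firewall during scanning."),
            90003: PluginPolicy(90003, "Constructed informational check", "NEVER"),
        },
        quarantine_role="quarantine",
    ),
}

# Constructed scan results for a WINDOWS_XP client in the student role.
SAMPLE_RESULTS = [
    (90001, "WARN", "scan timed out"),            # below HOLE threshold: ignored
    (90002, "WARN", "scan timed out"),            # WARN counts for this plugin
    (90003, "HOLE", "issue found"),               # NEVER: ignored
    (90004, "INFO", "dependency plugin output"),  # not enabled: admin report only
]


def demo():
    config = resolve_config(SAMPLE_CONFIGS, "student", "WINDOWS_XP")
    return evaluate_scan(config, SAMPLE_RESULTS)


if __name__ == "__main__":
    action, admin, user = demo()
    print("action:", action)                                # quarantine
    print("admin report entries:", len(admin))              # 4
    print("user report entries:", [r["id"] for r in user])  # [90002]
```

Running the sample quarantines the client because plugin 90002 is set to treat a WARN (timeout) as a vulnerability, while the same WARN on plugin 90001 (set to HOLE only) and the HOLE on plugin 90003 (set to NEVER) are ignored; plugin 90004 appears only in the administrator report because it was never explicitly enabled for the role.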

5. To edit a plugin, click the Edit button next to the plugin that you want to configure.
6. The Edit Vulnerabilities form appears.


Figure 13-9 Edit Vulnerability

7. From the Vulnerability if report result is: option menu, you can increase or decrease the level of
vulnerability reported by this plugin that assigns users to the quarantine role.
8. In the Instruction text field, type the informational message that appears in the popup window to
users if the plugin discovers a vulnerability.
9. In the Link field, type the URL where users can go to fix their systems. The URL appears as a link
in the scan report. Make sure to enable traffic policies for the quarantine role to allow users HTTP
access to the URL.
10. When finished, click Update.

Test Scanning
The Test form lets you try out your scanning configuration. You can target any machine for the scan and
specify the user role to be assumed by the target client for the purpose of the test. This type of test is
performed against the copies of the scan plugins kept on the Clean Access Manager. In a production
environment, the Clean Access Servers get copies of the scan plugins automatically from the Clean
Access Manager and perform the scanning.

To perform a test scan:


1. Go to Device Management > Clean Access > Network Scanner > Scan Setup > Test.
2. Choose the User Role and Operating System for which you want to test the user.
3. Enter the IP address of the machine that you want to scan (the address of the current machine appears
by default) in the Target Computer field.
4. Click Test. The scan result appears at the bottom of the page.


Figure 13-10 Network Scanning Test Page

Show Log
Clicking the Show Log button on the Device Management > Network Scanner > Scan Setup > Test
page brings up a debug log (Figure 13-11) for the target computer tested (sourced from
/var/nessus/logs/nessusd.messages). The log shows which plugins were executed, the results of the
execution, which plugins were skipped and the reason (dependency, timeout, etc). Administrators can
check this log to debug why a scan result is not as expected.

Figure 13-11 Network Scanning Show Log


View Scan Reports


After enabling network scanning, you can view individual scan reports from Device Management >
Clean Access > Network Scanner > Reports. The report shown here is the full administrator report
(Figure 13-13). The report shown to end users contains only the vulnerability results for the enabled
plugins. (Users can access their version of the scan report by clicking the Scan Report link in their
Logout page.)

Figure 13-12 Network Scanner Reports

• Choose Anytime from the Time dropdown menu to view all reports.
• To view only selected reports, choose a different Time, or enter search Text or Plugin ID, and click
View. If choosing a “User Defined” Time interval, type the “begin” year-month-day and time in the
first text box (e.g. 2006-03-22 13:10:00) and the “end” year-month-day and time in the second text
box (e.g. 2006-03-23 11:25:00), then click View.
• To delete reports displayed according to the selected criteria, click Delete.
• Click the Report icon to open the detailed scan report, as shown in Figure 13-14.

Figure 13-13 Network Scanner Administrator Report Example


Note When there are dependencies between plugins, for example plugin B is enabled and the scan result of
plugin A is the prerequisite of plugin B, the network scanner automatically applies plugin A whether or
not plugin A is enabled. However, since plugin A is not explicitly enabled, the scan result reported from
plugin A will only be shown in the administrator reports.

• To add reports to the Event log (Monitoring > Event Logs > View Logs), check the “Add reports
containing holes to event log” option. CleanAccess category reports will be generated as shown in
Figure 13-14.

Figure 13-14 CleanAccess Network Scanning Event Log


Customize the User Agreement Page


You can enable a User Agreement Page (“Virus Protection Page”) for web login users to provide network
usage policy information, virus warnings and/or links to software patches or updates after login and
successful network scanning.
Only uncertified users will see the User Agreement Page. Once a user device is on the Certified List, the
User Agreement Page is not presented again until the device is cleared from the Certified List. Note that
the Certified List only records the first user that logs in with the device and in this way tracks which
user accepted the User Agreement Page at login. To ensure that the User Agreement Page is presented
to users at each login, enable the “Require users to be certified at every web login” option for the
role/OS on the General Setup page.
Configuration settings for this page are located in two places:
• The page target (whether the page is shown to users in a user role) is configured from Device
Management > Clean Access > General Setup (Figure 13-15).

Figure 13-15 General Setup Tab (callouts: Link to User Agreement Page; Configuration Form)

• The page contents for a user role are configured under Device Management > Clean Access >
Network Scanner > Scan Setup > User Agreement Page (Figure 13-16).

Figure 13-16 User Agreement Page Content Configuration Form

Figure 13-17 illustrates what the default generated page looks like to an end user. The User Agreement
Page is not a popup but an HTML frame-based page made up of several components:
• The Information Page Message (or URL) component, which contains the contents you specify.
• The Acknowledgement Instructions frame component. This contains text and buttons (Accept,
Decline) for acknowledging the agreement information.

Note For quarantine role pages, the text is hardcoded and contains the Session Timeout configured for the role,
and the buttons are also hardcoded (“Report” and “Logout”).

Figure 13-17 User Agreement Page (Quarantine Role Example) (callouts: Information Page Message (or URL); Acknowledgement Instructions; Session Timeout)

Note The page content (“Virus Protection Information”) shown in Figure 13-17 is the default content shown
to the end user, if no other information message or URL is specified for the User Agreement Page. Note
that this default content is not displayed in the Information Page Message (or URL) text area of the
configuration form.

The configuration form (shown in Figure 13-16) can be used to set up the following types of pages for
a web login user:
• After network scanning with no system vulnerabilities found—Users see the User Agreement Page
configured for the normal login role (Accept and Decline buttons).
• After web login and network scanning with client system vulnerabilities found—
– Users are put in a quarantine role and see the User Agreement Page of the quarantine role
(Report and Logout buttons).
– Users are put in a quarantine role but see the User Agreement Page of their normal login role
(Report and Logout buttons).
Before starting, create the HTML page that you want to use for the Information Page Message (or
URL) component. Cisco NAC Appliance lets you present a specific information page to users with a
particular role or operating system. The customized page should be on a web server accessible to Cisco
NAC Appliance elements.
After configuring the User Agreement Page, you will need to create a traffic policy that gives users in the
role access to the web resources of the page. Note that the role must grant access to port 80 of the CAM.
See Chapter 9, “User Management: Traffic Control, Bandwidth, Schedule” for details.

To customize the User Agreement Page:


1. Go to Device Management > Clean Access > Network Scanner > Scan Setup > User Agreement
Page. The configuration form for the User Agreement Page appears as shown in Figure 13-18.

Figure 13-18 User Agreement Page Configuration Form

2. Choose the User Role and Operating System for which the page applies. The Clean Access
Manager determines the operating system of the user’s system at login time and serves the page you
have specified for that operating system. If selecting a quarantine role, the Acknowledgement
Instructions and button fields will be disabled.
3. Type HTML content or the URL of the page that you want to appear in the Information Page
Message (or URL) field of the User Agreement page. If using a file you uploaded to the CAM or
CAS, you can reference the file as described below:
a. Enter URLs: (for a single webpage to appear)
For an external URL, use the format http://www.webpage.com.
For a URL on the CAM, use the format:
https://<CAM_IP>/upload/file_name.htm

where <CAM_IP> is the domain name or IP listed on the certificate.

Note If you enter an external URL or CAM URL, make sure you have created a traffic policy for the
Unauthenticated role that allows the user HTTP access only to the CAM or external server.

b. Enter HTML: (to add a combination of resource files, such as logos and HTML links)
Type HTML content directly into the text field.
To reference an uploaded resource file as part of the HTML content, use the following formats:
- To reference a link to an uploaded HTML file:

<a href="file_name.html"> file_name.html </a>

- To reference an image file (such as a JPEG file) enter:

<img src="file_name.jpg">

See Upload a Resource File, page 5-12 for additional details.


4. If desired, type the text that you want to appear above the accept and decline buttons in the
Acknowledgement Instructions field.
5. Type the labels that should appear on the accept and decline buttons in their respective fields.
6. Click the Save button to save your changes.
The User Agreement Page is now generated with the changes you made for users logging into the
network.

Note For details on the web user login page, see Chapter 5, “Configuring User Login Page and Guest Access.”
For traffic policy details, see Configure Policies for Agent Temporary and Quarantine Roles, page 9-19.

14 Monitoring

This chapter describes the Monitoring module of Cisco NAC Appliance. Topics include:
• Overview, page 14-1
• Online Users List, page 14-3
• Interpreting Event Logs, page 14-13
• Log Files, page 14-17
• SNMP, page 14-18

Overview

The Monitoring pages provide operational information for your deployment, including information on
user activity, syslog events, and network configuration changes. The Monitoring module also provides basic
SNMP polling and alerts. The Monitoring Summary status page summarizes several important statistics,
as shown in Figure 14-1.

Figure 14-1 Monitoring > Summary Page

The page includes the information shown in Table 14-1.

Table 14-1 Monitoring > Summary Page

Item Description
Current Windows Clean Access Agent Version: The current Windows version of the Clean Access Agent installed with the CAM software or manually uploaded (reflects the contents of the Version field).
Current Windows Clean Access Agent Patch Version: The latest Windows Clean Access Agent patch downloaded to the CAM and CAS(s) and available for client Auto-Upgrade.
Current Macintosh Clean Access Agent Version: The current version of the MacOS X Clean Access Agent installed with the CAM software or manually uploaded (reflects the contents of the Version field).
Clean Access Servers configured: The number of Clean Access Servers configured in the CAS management pages for the Clean Access Manager domain.
Global MAC addresses configured (addresses/ranges): The number of addresses and ranges currently in the MAC/IP device filter passthrough list. For details on MAC passthrough lists, see Global Device and Subnet Filtering, page 3-7.

Global Subnets configured: The number of subnet addresses currently in the subnet-based passthrough list. For more information, see Global Device and Subnet Filtering, page 3-7.
Online users (In-Band / Out-of-Band): These entries list:
• Total number of IB and/or OOB online user names
• Total number of IB and/or OOB online MAC addresses
• Number of IB and OOB online users per user role
Note Per-role user tallies are links to the Monitoring > Online Users > View Online Users page. Clicking a link displays the IB or OOB online user list for the particular role.

Online Users List


Two Online Users lists are viewed from the Monitoring > Online Users > View Online Users tab:
• In-Band Online Users
– Tracks in-band authenticated users logged into the network. In-band users with active sessions
on the network are listed by characteristics such as IP address, MAC address (if available),
authentication provider, and user role.
– Removing a user from the In-Band Online Users list logs the user off the in-band network.
• Out-of-Band Online Users
– Tracks all authenticated out-of-band users that are on the Access VLAN (trusted network).
Out-of-band users can be listed by Switch IP, Port, and Access VLAN, in addition to IP address,
MAC address (if available), authentication provider, and user role.
– Removing a user from the Out-of-Band Online Users list causes the VLAN of the port to be
changed from the Access VLAN to the Auth VLAN. You can additionally configure the Port
profile to bounce the port (for Real-IP/NAT gateways). See Out-of-Band Users, page 14-7 and
Out-of-Band User List Summary, page 4-50 for details.
Both Online Users lists are based on the IP address of users. Note that:
• For L2 deployments the User MAC address field is valid
• For L3 deployments the User MAC address field is not valid (for example, 00:00:00:00:00:00)
Only the Certified List is based on client MAC addresses, and therefore the Certified List never applies
to users in L3 deployments.
For Out-of-Band deployments, OOB users always display first in the In-Band Online Users list, then in
the Out-of-Band Online Users list. When user traffic is coming from a controlled port of a managed
switch, the user shows up first in the In-Band Online Users list during the authentication process, then
is moved to the Out-of-Band Online Users list after the user is authenticated and moved to the Access
VLAN.
Finally, the Display Settings tab lets you choose which user characteristics are displayed on each
respective Online Users page.

Note When a user device is connecting to Cisco Clean Access from behind a VPN3000/ASA device, the MAC
address of the first physical adapter that is available to the CAS/CAM is used to identify the user on the
Online User List. This may not necessarily be the adapter with which the user is connecting to the
network. Users should disable the wireless interface of their machines when connecting to the network
using the wired (Ethernet card) interface.

Interpreting Active Users


Once logged onto the Cisco NAC Appliance network, an active user session persists until one of the
following events occurs:
• The user logs out of the network through the browser logout page or Clean Access Agent
logout.
Once on the network, users can remain logged on after a computer shutdown/restart. A user can log
out of the network using the web logout page or Clean Access Agent logout.
• The Clean Access Agent user logs off Windows or shuts down the Windows machine.
You can configure the CAM and Agent to log off In-Band users only from the Clean Access system
when the user logs off from the Windows domain (i.e. Start->Shutdown->Log off current user) or
shuts down the machine (Start->Shutdown->Shutdown machine).
• An administrator manually drops the user from the network.
The Monitoring > Online Users > View Online Users page (IB or OOB) can be used to drop users
from the network, without deleting their clients from the Certified List.
• The session times out using the Session Timer.
The Session Timer works the same way for multi-hop L3 (IB) deployments as for L2 (IB or OOB)
deployments and is set in User Management > User Roles> Schedule > Session Timer. It is set
per user role, and logs out any user in the selected role from the network after the configured time
has elapsed. For details, see Configure Session Timer (per User Role), page 9-17.
• The CAS determines that the user is no longer connected using the Heartbeat Timer and the
CAM terminates the session.
The Heartbeat Timer applies to L2 IB deployments only and is set for all users regardless of role. It
can be set globally for all Clean Access Servers using the form User Management > User Roles>
Schedule > Heartbeat Timer, or for a specific Clean Access Server using the local form Device
Management > CCA Servers > Manage [CAS_IP] > Misc > Heartbeat Timer. For details, see
Configure Heartbeat Timer (User Inactivity Timeout), page 9-17.

The Heartbeat Timer will not function in L3 deployments, and does not apply to OOB users.
However, note that the HeartBeat Timer will work if the CAS is the first hop behind the VPN
concentrator. This is because the VPN concentrator responds to the ARP queries for the IP addresses
of its current tunnel clients.
• The Certified Device list is cleared (automatically or manually) and the user is removed from
the network.
The Certified List applies to L2 (IB or OOB) deployments only and can be scheduled to be cleared
automatically and periodically using the global Certified Devices timer form (Device Management
> Clean Access > Certified Devices > Timer). You can manually clear the certified devices for a
specific Clean Access Server from the Certified List using the local form Device Management >
CCA Servers > Manage [CAS_IP] > Filters > Clean Access > Certified Devices, or manually

clear the Certified Device list across all Clean Access Servers using the global form Device
Management > Clean Access > Certified Devices. For details, see Manage Certified Devices, page
10-26.
Keep in mind that the Certified Device List will not display remote VPN/L3 clients (since these
sessions are IP-based rather than MAC address-based).
• SSO and Auto-Logout are configured for the VPN concentrator, and the user disconnects from
the VPN.
With Auto Logout enabled, when the user disconnects from the VPN client, the user is automatically
removed from the Online Users list (In-Band).
Note that when SSO is configured for multi-hop L3 VPN concentrator integration, if the user’s
session on the CAS times out but the user is still logged in on the VPN concentrator, the user will
be able to log back into the CAS without providing a username/password.

Note Whether the CAS or another server is used for DHCP, if a user’s DHCP lease expires, the user remains
on the Online Users list (in-band or out-of-band). When the lease expires, the client machine will try to
renew the lease.

See also Configure User Session and Heartbeat Timeouts, page 9-15 and Out-of-Band User List
Summary, page 4-50 for additional details.

View Online Users


The View Online Users tab provides two links for the two online users lists: In-Band and Out-of-Band.
By default, View Online User pages display the login user name, IP and MAC address (if available),
provider, and role of each user. For information on selecting the column information to display, such as
OS version, or for out-of-band users: switch port, see Display Settings, page 14-11.
A green background for an entry indicates a user device accessing the Clean Access network in a
temporary role: either a quarantine role or the Clean Access Agent Temporary role.
A blue background for an entry indicates a user device accessing the Clean Access network in a Clean
Access Agent restricted network access role.
A device listed on the View Online Users page but not in the Clean Access Certified List generally
indicates the device is in the process of certification.

In-Band Users
Clicking the In-Band link brings up the View Online Users page for in-band users (Figure 14-2). The
In-Band Online Users list tracks the in-band users logged into the Clean Access network.
The Clean Access Manager adds a client IP and MAC address (if available) to this list after a user logs
into the network either through web login or the Clean Access Agent.
Removing a user from the Online Users list logs the user off the in-band network.

Figure 14-2 View Online Users Page—In-Band (callouts: actual number of Active users; Filtered users indicator)

Note For AD SSO users, the Provider field displays AD_SSO, and the User/User Name field lists both the
username and domain of the user (for example, [email protected].) on the Online Users and
Certified Devices pages.

Out-of-Band Users
Clicking the Out-of-Band link brings up the View Online Users page for out-of-band users
(Figure 14-3).
The Out-of-Band Online Users list tracks all out-of-band authenticated users that are on the Access
VLAN (on the trusted network). The CAM adds a user IP address to the Out-of-Band Online Users list
after a client is switched to the Access VLAN.

Note The “User IP” for Out-of-Band online users is the IP address of the user on the Authentication VLAN.
By definition CCA does not track users once they are on the Access VLAN; therefore, OOB users are
tracked by the Auth VLAN IP address they have while in the CCA network.

When a user is removed from the Out-of-Band Online Users list, the following typically occurs:
1. The CAM bounces the switch port (off and on).
2. The switch resends SNMP traps to the CAM.
3. The CAM changes the VLAN of the port based on the configured Port Profile associated with this
controlled port.

Note Removing an OOB user from the Certified List also removes the user from Out-of-Band Online Users
list and changes the port from the Access VLAN to the Auth VLAN.

Note When the “Remove Out-of-Band online user without bouncing port” option is checked for the Port
Profile, for OOB Virtual Gateways, the switch port will not be bounced when:
• Users are removed from the Out-of-Band Online Users List, or
• Devices are removed from the Certified Devices list
Instead, the port Access VLAN will be changed to the Authentication VLAN (see Add Port Profile, page
4-28 for details).

Figure 14-3 View Online Users Page—Out-of-Band (callouts: Originating switch; Switch port of the client; Access VLAN ID)

Note For AD SSO users, the Provider field displays AD_SSO, and the User/User Name field lists both the
username and domain of the user (for example, [email protected].) on the Online Users and
Certified Devices pages.

For further details, see Chapter 4, “Switch Management: Configuring Out-of-Band (OOB)
Deployment”.
Table 14-2 describes the search criteria, information/navigation elements, and options for removing
users from the online users pages. Note that clicking a column heading sorts the entries on the page by that
column.
Table 14-2 View Online Users Page Controls

Item Description
User Name The user name used for login is displayed.

Search Criteria:
Clean Access Server • Any Clean Access Server
• <specific CAS IP address>
Provider • Any Provider
• <specific authentication provider>
Role • Any Role
• Unauthenticated Role
• Temporary Role
• Quarantine Role
• <specific Role>
Switch (OOB only) • Any Switch
• <specific switch IP address>
Select Field • User Name
• IP Address
• MAC Address
Operator • equals: Search text value must be an exact match for this operator
• starts with
• ends with
• contains
Search Text Enter the value to be searched using the operator selected.
Controls:
View After selecting the search criteria, click View to display the results. You can view users by CAS, provider, user role, user name, IP address, MAC address (if available), or switch (OOB only).
Reset View Resets to the default view (with search criteria reset to “Any”).
Kick Users Clicking Kick Users terminates all user sessions filtered through the search criteria across the number of applicable pages. Users can be selectively dropped from the network by any of the search criteria used to View users. The “filtered users indicator” shown in Figure 14-2 displays the total number of filtered users that will be terminated when Kick Users is clicked.
Reset Max Users Resets the maximum number of users to the actual number of users displayed in the “Active users:” status field (Figure 14-2).
Kick User You can remove as many users as are shown on the page by selecting the checkbox next to each user and clicking the Kick User button.
Navigation:
First/Previous/Next/Last These navigation links allow you to page through the list of online users. A maximum of 25 entries is displayed per page.

View Users by Clean Access Server, Authentication Provider, or Role

1. From the View Online Users page, select a specific Clean Access Server, or leave the first field as
Any CCA Server.
2. Select a specific authentication provider, or leave as Any Provider.

3. Select a specific user role, or leave as Any Role.


4. Click View to display users by Clean Access Server, provider, role or any combination of the three.

Search by User Name, IP, or MAC Address

1. In the Select Field dropdown menu next to Search For:, select User Name or IP Address or MAC
Address.
2. Select one of the four operators: starts with, ends with, contains, exact match.
3. Enter the text to be searched in the Search For: text field. If using the exact match operator, only
the exact match for the search text entered is returned.
4. Click View to display results.

Log Users Off the Network

Clicking Kick Users terminates all user sessions filtered through the search criteria across the number
of applicable pages. (Note that a maximum of 25 entries is displayed per page.) You can selectively
remove users from the network by any of the search criteria used to View users. The “filtered users
indicator” shown in Figure 14-2 displays the total number of filtered user sessions that will be terminated
when you click the Kick Users button.
1. Go to Monitoring > Online Users > View Online Users.
2. To terminate user sessions either:
– Drop all users (filtered through search criteria) from the network by clicking Kick Users
– Drop individual users by selecting the checkbox next to each user and clicking the Kick User
button.
Note that removing a user from the online users list (and the network) does not remove the user from the
Certified List. However, dropping a user from the Certified List also logs the user off the network. See
Certified List, page 10-7 for further details.

Display Settings
Figure 14-4 shows the Display Settings page for in-band users.

Figure 14-4 Display Settings—In-Band

Note • Role: The role assigned to the user upon login.
• IPSec Type: Users on an encrypted connection are indicated by a lock icon, as follows:
– A clear lock indicates an IPSec connection.
– A lock labeled “L” in the lower left corner indicates an L2TP connection.
– A lock labeled “P” in the lower left corner indicates a PPTP connection.
• Foreign CCA Server: See Monitoring Roaming Users, page 17-8 for additional details.

Figure 14-5 shows the Display Settings page for out-of-band users.

Figure 14-5 Display Settings—Out-of-Band

To choose what information is displayed on the View Online Users page:


1. Click the Display Settings tab.
2. Select the check box next to an item to display it in the list.
3. Click Update.
4. Click the View Online Users tab to see the desired settings displayed.

Interpreting Event Logs


Click the Event Logs link in the Monitoring module to view syslog-based event logs in the admin
console. There are three Event Logs tabs: View Logs, Logs Settings, and Syslog Settings.

View Logs
Figure 14-6 shows the View Logs pane.

Figure 14-6 View Logs Pane (callouts: Log display field; search text; filtering criteria; filtered event indicator; Event column)

The View Logs tab includes the following information:


• System statistics for Clean Access Servers (generated every hour by default)
• User activity, with user logon times, log-off times, failed logon attempts, and more.
• Network configuration events, including changes to the MAC or IP passthrough lists, and addition
or removal of Clean Access Servers.
• Switch management events (for OOB), including when linkdown traps are received, and when a port
changes to the Auth or Access VLAN.
• Changes or updates to Clean Access checks, rules, and Supported AV/AS Product List.
• Changes to Clean Access Server DHCP configuration.
System statistics are generated for each CAS managed by the Clean Access Manager every hour by
default. See Configuring Syslog Logging, page 14-17 to change how often system checks occur.

Note The most recent events appear first in the Events column.

Table 14-3 describes the navigation, searching capabilities, and actual syslog displayed on View Logs.

Table 14-3 View Logs Page

Column Description
Navigation:
First/Previous/Next/Last These navigation links page through the event log. The most recent events appear first in the Events column. The Last link shows you the oldest events in the log. A maximum of 25 entries is displayed per page.
Column Click a column heading (e.g. Type or Category) to sort the Event log by that column.
Search criteria:
Type Search by Type column criteria (then click View):
• Any Type
• Failure
• Information
• Success
Category Search by Category column criteria (then click View):
• Authentication (1)
• Administration
• Client
• Clean Access Server
• Clean Access
• SW_Management (if OOB is enabled)
• Miscellaneous
• DHCP
Time Search by the following Time criteria (then click View):
• Within one hour
• Within one day
• Within two days
• Within one week
• Anytime
• One hour ago
• One day ago
• Two days ago
• One week ago
Search in log text Type the desired search text and click View.

Controls:
View After selecting the desired search criteria, click View to display the results.
Reset View Clicking Reset View restores the default view, in which logs within one day are displayed.
Delete Clicking Delete removes the events filtered through the search criteria across the number of applicable pages. Clicking Delete removes filtered events from Clean Access Manager storage. Otherwise, the event log persists through system shutdown. Use the filtered event indicator shown in Figure 14-6 on page 14-13 to view the total number of filtered events that are subject to being deleted.
Status Display:
Type • Red flag = Failure; indicates an error or otherwise unexpected event.
• Green flag = Success; indicates a successful or normal usage event, such as successful login and configuration activity.
• Yellow flag = Information; indicates system performance information, such as load information and memory usage.
Category Indicates the module or system component that initiated the log event. (For a list, see Category, page 14-14.) Note that system statistics are generated for each Clean Access Server managed by the Clean Access Manager every hour by default.
Time Displays the date and time (hh:mm:ss) of the event, with the most recent events appearing first in the list.
Event Displays the event for the module, with the most recent events listed first. See Table 14-4 on page 14-16 for an example of a Clean Access Server event.
1. Authentication-type entries may include the item “Provider: <provider type>, Access point: N/A, Network: N/A.” To continue to provide support for the EOL'ed legacy wireless client (if present and pre-configured in the Manager), the “Access point: N/A, Network: N/A” fields provide AP MAC and SSID information respectively for the legacy client.

Event Log Example


Table 14-4 explains the following typical Clean Access Server health event example:

CleanAccessServer 2006-04-03 15:07:53 192.168.151.55 System Stats: Load factor 0 (max since reboot: 9) Mem Total: 261095424 bytes Used: 246120448 bytes Free: 14974976 bytes Shared: 212992 bytes Buffers: 53051392 bytes Cached: 106442752 bytes CPU User: 0% Nice: 0% System: 97% Idle: 1%

Table 14-4 Event Column Fields

Value Description
CleanAccessServer A Clean Access Server is reporting the event
2006-04-03 15:07:53 Date and time of the event
192.168.151.55 IP address of reporting Clean Access Server
System Stats: System statistics are generated for each Clean Access Server managed
by the Clean Access Manager every hour by default.
Load factor 0 Load factor is a number that describes the number of packets waiting
to be processed by the Clean Access Server (that is, the current load
being handled by the CAS). When the load factor grows, it is an
indication that packets are waiting in the queue to be processed. If the
load factor exceeds 500 for any consistent period of time (e.g. 5
minutes), this indicates that the Clean Access Server has a steady high
load of incoming traffic/packets. You should be concerned if this
number increases to 500 or above.
(max since reboot: <n>) The maximum number of packets in the queue at any one time (i.e. the
maximum load handled by the Clean Access Server).
Mem Total: 261095424 bytes These are the memory usage statistics. There are 6 numbers shown
Used: 246120448 bytes here: total memory, used memory, free memory, shared memory,
Free: 14974976 bytes buffer memory, and cached memory.
Shared: 212992 bytes
Buffers: 53051392 bytes
Cached: 106442752 bytes
CPU User: 0% These numbers indicate CPU processor load on the hardware, in
Nice: 0% percentages. These four numbers indicate time spent by the system in
System: 97% user, nice, system, and idle processes.
Idle: 1% Note Time spent by the CPU in system process is typically < 90%
on a Clean Access Server. This indicates a healthy system.
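The following Python script is an added example, not code from the guide or from the Cisco NAC Appliance software. It parses a health event line in the format shown above into the fields of Table 14-4 and applies the two thresholds the table gives: a load factor at or above 500, and system CPU time at or above the 90% the table cites as the usual ceiling. The sample line is constructed from the example above, and the function names and the five-minute sustained-load check are this example's own.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the format of the Event Log Example above
# (not a line captured from a real Clean Access Manager).
SAMPLE_EVENT = (
    "CleanAccessServer 2006-04-03 15:07:53 192.168.151.55 System Stats: "
    "Load factor 0 (max since reboot: 9) Mem Total: 261095424 bytes "
    "Used: 246120448 bytes Free: 14974976 bytes Shared: 212992 bytes "
    "Buffers: 53051392 bytes Cached: 106442752 bytes "
    "CPU User: 0% Nice: 0% System: 97% Idle: 1%"
)

# Thresholds as described in Table 14-4: a load factor of 500 or more is a
# concern, and system CPU time is typically below 90% on a healthy CAS.
LOAD_FACTOR_LIMIT = 500
SYSTEM_CPU_LIMIT = 90

HEADER_RE = re.compile(
    r"^(?P<source>\S+) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) System Stats: Load factor (?P<load>\d+) "
    r"\(max since reboot: (?P<max_load>\d+)\)"
)
MEM_RE = re.compile(r"(Total|Used|Free|Shared|Buffers|Cached): (\d+) bytes")
CPU_RE = re.compile(r"(User|Nice|System|Idle): (\d+)%")


@dataclass
class HealthEvent:
    source: str
    timestamp: datetime
    ip: str
    load_factor: int
    max_load_since_reboot: int
    memory: dict  # "Total", "Used", "Free", "Shared", "Buffers", "Cached" -> bytes
    cpu: dict     # "User", "Nice", "System", "Idle" -> percent


def parse_health_event(line: str) -> HealthEvent:
    """Split one 'System Stats' event line into the fields of Table 14-4."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a Clean Access Server System Stats event")
    memory = {name: int(value) for name, value in MEM_RE.findall(line)}
    cpu = {name: int(value) for name, value in CPU_RE.findall(line)}
    if len(memory) != 6 or len(cpu) != 4:
        raise ValueError("incomplete memory or CPU statistics")
    return HealthEvent(
        source=m["source"],
        timestamp=datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
        ip=m["ip"],
        load_factor=int(m["load"]),
        max_load_since_reboot=int(m["max_load"]),
        memory=memory,
        cpu=cpu,
    )


def memory_used_percent(ev: HealthEvent) -> float:
    """Used memory as a percentage of total (reported, not thresholded, by the guide)."""
    return 100.0 * ev.memory["Used"] / ev.memory["Total"]


def check_health(ev: HealthEvent) -> list:
    """Return one finding string per Table 14-4 threshold that is breached."""
    findings = []
    if ev.load_factor >= LOAD_FACTOR_LIMIT:
        findings.append(
            f"{ev.ip}: load factor {ev.load_factor} at or above {LOAD_FACTOR_LIMIT} "
            f"(max since reboot {ev.max_load_since_reboot})"
        )
    if ev.cpu["System"] >= SYSTEM_CPU_LIMIT:
        findings.append(
            f"{ev.ip}: system CPU {ev.cpu['System']}% (typically below {SYSTEM_CPU_LIMIT}%)"
        )
    return findings


def sustained_high_load(events, minutes: int = 5) -> bool:
    """True if the load factor stayed at or above the limit across consecutive
    events spanning at least `minutes` (the 'consistent period' in Table 14-4).
    Only meaningful when the health log interval is shorter than `minutes`."""
    run_start = None
    for ev in sorted(events, key=lambda e: e.timestamp):
        if ev.load_factor < LOAD_FACTOR_LIMIT:
            run_start = None
            continue
        if run_start is None:
            run_start = ev.timestamp
        if ev.timestamp - run_start >= timedelta(minutes=minutes):
            return True
    return False


if __name__ == "__main__":
    event = parse_health_event(SAMPLE_EVENT)
    print(f"{event.ip} {event.timestamp}: load {event.load_factor}, "
          f"memory used {memory_used_percent(event):.1f}%, CPU system {event.cpu['System']}%")
    for finding in check_health(event):
        print("WARNING:", finding)
```

Run against the sample line, the script reports the 97% system CPU figure as a finding while the load factor of 0 passes; feeding it a series of events (for instance from a syslog receiver) lets `sustained_high_load` apply the five-minute condition rather than alerting on a single spike.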

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
14-16 OL-12214-01
Chapter 14 Monitoring
Log Files

Limiting the Number of Logged Events


The event log threshold is the number of events to be stored in the Clean Access Manager database. The
maximum number of log events kept on the CAM, by default, is 100,000. You can specify an event log
threshold of up to 200,000 entries to be stored in the CAM database at a time. The event log is a circular
log. The oldest entries will be overwritten when the log passes the event log threshold.

To change the maximum number of events:


1. Click the Logs Setting tab in the Monitoring > Event Logs pages.
2. Type the new number in the Maximum Event Logs field.
3. Click Update.

Configuring Syslog Logging


System statistics are generated for each Clean Access Server managed by the Clean Access Manager
every hour by default. By default, event logs are written to the CAM. You can redirect CAM event logs
to another server (such as your own syslog server).
Additionally, you can configure how often you want the CAM to log system status information by setting
the value in the Syslog Health Log Interval field (default is 60 minutes).

To configure Syslog logging:


1. Go to Monitoring > Event Logs > Syslog Settings.
2. In the Syslog Server Address field, type the IP address of the syslog server (default is 127.0.0.1).
3. In the Syslog Server Port field, type the port for the syslog server (default is 514).
4. In the System Health Log Interval field, type how often you want the CAM to log system status
information, in minutes (default is 60 minutes). This setting determines how frequently CAS
statistics are logged in the event log.
5. Click the Update button to save your changes.

Note After you set up your syslog server in the CAM, you can test your configuration by logging off and
logging back into the CAM admin console. This will generate a syslog event. If the CAM event is not
seen on your syslog server, make sure that the syslog server is receiving UDP 514 packets and that they
are not being blocked elsewhere on your network.

Log Files
The Event Log is stored in the Clean Access Manager database, in the log_info table.
Table 14-5 lists other logs in the Clean Access Manager.

Table 14-5 Clean Access Manager Log Files

File - Description
/var/log/messages - Startup
/var/log/dhcplog - DHCP relay, DHCP logs
/tmp/perfigo-log0.log.* - Perfigo service logs for 3.5(4) and below (1)
/perfigo/logs/perfigo-log0.log.* - Perfigo service logs for 3.5(5) and above (1, 2)
/perfigo/logs/perfigo-redirect-log0.log.0 - Certificate-related CAM/CAS connection errors
/var/nessus/logs/nessusd.messages - Nessus plugin test logs
/perfigo/control/apache/logs/* - SSL (certificates), Apache error logs
/perfigo/control/tomcat/logs/localhost*. - Tomcat, redirect, JSP logs
/var/log/ha-log - High availability logs (for CAM and CAS)

1. 0 instead of * shows the most recent log.
2. Switch Management events for notifications received by the CAM from switches are written only to the logs on the file system (/perfigo/logs/perfigo-log0.log.0). Furthermore, these events are written to disk only when the log level is set to INFO or finer.

For additional details see also Support Logs, page 15-22 and Certificate-Related Files, page 15-17.

SNMP
You can configure the Clean Access Manager to be managed/monitored by an SNMP management tool
(such as HP OpenView). This feature provides minimal manageability using SNMP (v1). It is expected
that future releases will have more information/actions exposed via SNMP.
You can configure the Clean Access Manager for basic SNMP polling and alerting through Monitoring
> SNMP. Note that SNMP polling and alerts are disabled by default. Clicking the Enable button under
Monitoring > SNMP activates the following features:
• SNMP Polling — If an SNMP rocommunity (“Read-only community”) string is specified, the Clean
Access Manager will respond to snmpget and snmpwalk requests with the correct community string.
• SNMP Traps — The Clean Access Manager can be configured to send traps by adding trap sinks. A
trap sink is any computer configured to receive traps, typically a management box. All traps sent are
version 1 (v1) traps. A copy of each trap will be sent to each trapsink.
When enabled, the SNMP module monitors the following processes:
• SSH Daemon
• Postgres Database
• Clean Access Manager
• Apache Web Server
The Clean Access Manager also sends traps in the following cases:
• When the Clean Access Manager comes online.
• When the Clean Access Manager shuts down.
• When the Clean Access Manager gains or loses contact with any Clean Access Servers it manages.
• When the SNMP service starts (a Cold Start Trap is sent).
This section describes the following:
• Enable SNMP Polling/Alerts
• Add New Trapsink

Enable SNMP Polling/Alerts


1. Go to Monitoring > SNMP to bring up the SNMP configuration page (Figure 14-7).

Figure 14-7 Monitoring > SNMP Page

2. Click the Enable button to activate SNMP polling and SNMP traps.
3. Specify values for the following fields:
• Read-Only Community String:
Specify a string to enable the Clean Access Manager to respond to snmpget and snmpwalk
requests with the correct community string.
Leave blank to disable all Clean Access Manager responses to SNMP polling of the Clean
Access Manager.
• Disk Trap Threshold%: (default is 50%)
A trap will be sent when root partition free space falls below specified percentage.
• One-Minute Load Average Threshold: (default is 3.0)
A trap will be sent when the one-minute load average exceeds the threshold set here. Enter load
averages as per standard unix definition. For example, a one-minute load average of 1.0 means
on average over a full minute there were at least three processes blocked due to lack of CPU
time.
• Five-Minute Load Average Threshold: (default is 2.0)
A trap will be sent when the 5-minute load average exceeds the threshold set here. Enter load
averages as per standard unix definition.
• Fifteen-Minute Load Average Threshold: (default is 1.0)
A trap will be sent when the 15-minute load average exceeds the threshold set here. Enter load
averages as per standard unix definition.


4. Click Update to update the SNMP configuration with new thresholds.


5. Click Download to download the SNMP MIB archive in .tar.gz form.

Add New Trapsink


The Clean Access Manager can be configured to send traps by adding trap sinks. All traps sent are
version 1 (v1) traps. A copy of each trap will be sent to each trapsink.
1. Click the Add New Trapsink link in the upper-right-hand corner of the pane to bring up the Add
New Trapsink form.
2. Enter a Trapsink IP.
3. Enter a Trapsink Community string.
4. Enter an optional Trapsink Description.
5. Click Update to update the SNMP Trapsink table.

Figure 14-8 Add New Trapsink

Once trapsink configuration is complete, the Clean Access Manager will send DISMAN-EVENT style
traps which refer to UCD table entries. The Clean Access Manager also sends traps if the root partition
falls below a configured amount of space remaining (which defaults to 50%), and if the CPU load is
above the configured amount for 1, 5 or 15 minutes.
A trap will contain the following contents:

Trap Contents / Description

Type: Enterprise-Specific(1)

SNMP Trap OID (1.3.6.1.6.3.1.1.4.1.0): Set to DISMAN-EVENT-MIB 2.0.1 (1.3.6.1.2.1.88.2.0.1)

The contents of a DISMAN mteObjectsEntry:

mteHotTrigger (OID 1.3.6.1.2.1.88.2.1.1): Generally “process table” for processes, “laTable” for load average alerts, “dskTable” for disk capacity alerts, “memory” for virtual memory alerts.
mteHotTargetName (OID 1.3.6.1.2.1.88.2.1.2): Always blank.
mteHotContextName (OID 1.3.6.1.2.1.88.2.1.3): Always blank.
mteHotOID (OID 1.3.6.1.2.1.88.2.1.4): Set to the OID of the UCD table that contains the data that triggered the event.
mteHotValue (OID 1.3.6.1.2.1.88.2.1.5): Set to 0 if the trap is not an error; set to non-zero if an error condition is being reported (generally 1).
mteFailedReason (OID 1.3.6.1.2.1.88.2.1.6): Set to a string describing the reason the alert was sent.
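The Python below is an added example, not code from the guide or from the Clean Access Manager. It models, from the trap receiver's point of view, what a CAM alert contains: it evaluates load averages and root partition free space against the default thresholds listed under Enable SNMP Polling/Alerts (3.0, 2.0, 1.0 and 50%) and, for each breach, composes the variable bindings the trap contents table above describes. The UCD-SNMP-MIB table OIDs used for mteHotOID are an assumption taken from the public UCD-SNMP-MIB rather than from this guide, and the load-average input is constructed.

```python
from dataclasses import dataclass

# Varbind OIDs from the trap contents table above (DISMAN-EVENT-MIB).
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"
MTE_TRIGGER_FIRED = "1.3.6.1.2.1.88.2.0.1"    # DISMAN-EVENT-MIB 2.0.1
MTE_HOT_TRIGGER = "1.3.6.1.2.1.88.2.1.1"
MTE_HOT_TARGET_NAME = "1.3.6.1.2.1.88.2.1.2"
MTE_HOT_CONTEXT_NAME = "1.3.6.1.2.1.88.2.1.3"
MTE_HOT_OID = "1.3.6.1.2.1.88.2.1.4"
MTE_HOT_VALUE = "1.3.6.1.2.1.88.2.1.5"
MTE_FAILED_REASON = "1.3.6.1.2.1.88.2.1.6"

# UCD table OIDs that mteHotOID points at, keyed by the mteHotTrigger strings
# the table above lists. The OIDs are from the public UCD-SNMP-MIB (enterprise
# 2021) and are an assumption here; the guide does not print them.
UCD_TABLES = {
    "process table": "1.3.6.1.4.1.2021.2",   # prTable
    "memory": "1.3.6.1.4.1.2021.4",
    "dskTable": "1.3.6.1.4.1.2021.9",
    "laTable": "1.3.6.1.4.1.2021.10",
}


@dataclass(frozen=True)
class Thresholds:
    """Defaults as listed on the Monitoring > SNMP page."""
    disk_free_percent: float = 50.0
    load_1min: float = 3.0
    load_5min: float = 2.0
    load_15min: float = 1.0


def parse_loadavg(text: str):
    """Parse the first three fields of a /proc/loadavg style line into floats."""
    one, five, fifteen = text.split()[:3]
    return float(one), float(five), float(fifteen)


def build_trap(trigger: str, reason: str, error: bool = True) -> dict:
    """Compose the varbinds a DISMAN-EVENT style trap carries, per the table above."""
    return {
        SNMP_TRAP_OID: MTE_TRIGGER_FIRED,
        MTE_HOT_TRIGGER: trigger,
        MTE_HOT_TARGET_NAME: "",
        MTE_HOT_CONTEXT_NAME: "",
        MTE_HOT_OID: UCD_TABLES[trigger],
        MTE_HOT_VALUE: 1 if error else 0,
        MTE_FAILED_REASON: reason,
    }


def evaluate(load_avg, disk_free_percent: float, th: Thresholds = Thresholds()) -> list:
    """Return one trap per breached threshold, disk first, then the 1/5/15-minute loads."""
    traps = []
    if disk_free_percent < th.disk_free_percent:
        traps.append(build_trap(
            "dskTable",
            f"root partition free space {disk_free_percent}% below {th.disk_free_percent}%"))
    for label, value, limit in zip(("one", "five", "fifteen"), load_avg,
                                   (th.load_1min, th.load_5min, th.load_15min)):
        if value > limit:
            traps.append(build_trap(
                "laTable", f"{label}-minute load average {value} exceeds {limit}"))
    return traps


def is_error_trap(varbinds: dict) -> bool:
    """Receiver side: a non-zero mteHotValue means an error condition is reported."""
    return (varbinds.get(SNMP_TRAP_OID) == MTE_TRIGGER_FIRED
            and varbinds.get(MTE_HOT_VALUE, 0) != 0)


if __name__ == "__main__":
    # Constructed sample: a loaded box with a filling root partition.
    for trap in evaluate(parse_loadavg("3.50 1.20 0.90 1/123 4567"), disk_free_percent=40.0):
        print(trap[MTE_HOT_TRIGGER], trap[MTE_HOT_OID], trap[MTE_FAILED_REASON])
```

On the management station, matching on the snmpTrapOID value and then on mteHotTrigger (laTable, dskTable, process table, memory) is what lets one rule route CAM disk, load and process alerts to different handlers; mteFailedReason carries the human-readable text.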

Chapter 15 Administration

This chapter discusses the administration pages for the Clean Access Manager. Topics include:
• Overview, page 15-1
• Network & Failover, page 15-2
• Set System Time, page 15-4
• Manage CAM SSL Certificates, page 15-5
• Licensing, page 15-20
• Support Logs, page 15-22
• Admin Users, page 15-24
• Manage System Passwords, page 15-30
• Backing Up the CAM Database, page 15-33
• API Support, page 15-36
For details on the User Pages module, see Chapter 5, “Configuring User Login Page and Guest Access.”
For details on high availability configuration, see Chapter 16, “Configuring High Availability (HA).”

Overview
At installation time, the initial configuration script provides for many of the Clean Access Manager’s
internal administration settings, such as its interface addresses, DNS servers, and other network
information. The Administration module (Figure 15-1) allows you to access and change these settings
after installation has been performed.

Figure 15-1 Administration Module

The CCA Manager pages of the Administration module allow you to perform the following
administration tasks:


• Change network settings for the Clean Access Manager. See Network & Failover, page 15-2.
• Set up Clean Access Manager High-Availability mode. See Chapter 16, “Configuring High
Availability (HA).”
• Manage Clean Access Manager system time and SSL certificates. See Set System Time, page 15-4
and Manage CAM SSL Certificates, page 15-5.
• Fully upgrade the software on the Clean Access Manager. See Chapter 18, “Upgrading to a New
Software Release.”
• Manage Clean Access Manager license files. See Licensing, page 15-20.
• Create support logs for the CAM to send to customer support. See Support Logs, page 15-22.
The User Pages tabs of the Administration module allow you to perform these administration tasks:
• Add the default login page, and create or modify all web user login pages. See Chapter 5,
“Configuring User Login Page and Guest Access.”
• Upload resource files to the Clean Access Manager. See Upload a Resource File, page 5-12.
The Admin Users pages of the Administration module (see Admin Users, page 15-24) allow you to
perform these administration tasks:
• Add and manage new administrator groups and admin users/passwords
• Configure and manage administrator privileges as new features are added
The Backup page of the Administration module allows you to make manual snapshots of your Clean
Access Manager in order to back up your CAM’s configuration. See Backing Up the CAM Database,
page 15-33.
In addition, the CAM provides an API interface described in API Support, page 15-36.

Network & Failover


You can view or change the Clean Access Manager’s network settings from Administration > CCA
Manager > Network & Failover page.
Changes to the network settings generally require a reboot of the Clean Access Manager machine to take
effect. Therefore, if making changes to a production machine, make sure to perform the changes when
rebooting the machine will have minimal impact on the users.

Note The service perfigo config configuration utility script also lets you modify CAM network settings.
Because the configuration utility is used from the command line, it is particularly useful if the admin
console web server is not responsive due to incorrect network or VLAN settings. For further details, see
Perform the Initial Configuration, page 2-8.

To Modify CAM Network Settings


1. Go to Administration > CCA Manager > Network & Failover.


Figure 15-2 CAM Network & Failover

2. In the Network & Failover page, modify the settings as desired from the following fields/controls:
• IP Address — The eth0 IP address of the CAM machine.
• Subnet Mask — The subnet mask for the IP address.
• Default Gateway — The default IP gateway for the CAM.
• Host Name — The host name for the CAM. The name is required in high availability mode.
• Host Domain — An optional field for your domain name suffix. To resolve a host name to an
IP address, the DNS requires the fully qualified host name. Within a network environment, users
often type host names in a browser without a domain name suffix, for example:
http://siteserver

The host domain value is used to complete the address. For example, with a suffix value of
cisco.com, the request URL would be:
http://siteserver.cisco.com

• DNS Servers — The IP address of the DNS (Domain Name Service) server in your
environment. Separate multiple addresses with commas. If you specify more than one DNS
server, the Clean Access Manager tries to contact them one by one, and stops when it receives
a response.
• High-Availability Mode — The operating mode of the Clean Access Manager:
Standalone Mode – If the Clean Access Manager is operating alone.
HA-Primary Mode – For the primary Clean Access Manager in a failover configuration.
HA-Standby Mode – For the secondary Clean Access Manager.
If you choose one of the HA (high availability) options, additional fields appear. For
information on the fields and setting up high availability, see Chapter 16, “Configuring High
Availability (HA).”
3. Click the Update button.
4. Click Reboot to restart the Clean Access Manager with the new settings.


Set System Time


For logging purposes and other time-sensitive tasks (such as SSL certificate generation), the time on the
Clean Access Manager and Clean Access Servers needs to be correctly synchronized. The System Time
tab lets you set the time on the Clean Access Manager and modify the time zone setting for the Clean
Access Manager operating system.
After CAM and CAS installation, you should synchronize the time on the CAM and CAS before
regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. The
easiest way to ensure this is to automatically synchronize time with the time server (Sync Current Time
button).

Note The time set on the CAS must fall within the creation date/expiry date range set on the CAM’s SSL
certificate. The time set on the user machine must fall within the creation date /expiry date range set on
the CAS’s SSL certificate.

The time can be modified on the CAS under Device Management > CCA Servers > Manage [CAS_IP]
> Misc > Time. See the Cisco NAC Appliance - Clean Access Server Installation and Administration
Guide for details.

To view the current time:


1. Go to Administration > CCA Manager > System Time.
2. The system time for the Clean Access Manager appears in the Current Time field.

Figure 15-3 Time Form

There are two ways to adjust the system time: manually, by typing in the new time, or automatically, by
synchronizing from an external time server.

To manually modify the system time:


1. In the System Time form, do one of the following:
• Type the time in the Date & Time field and click Update Current Time. The time should be in the
form: mm/dd/yy hh:ss PM/AM
• Click the Sync Current Time button to have the time updated by the time servers listed in the
Time Servers field.


To automatically synchronize to the time server:


The default time server is the server managed by the National Institute of Standards and Technology
(NIST), at time.nist.gov. To specify another time server:
1. In the System Time form type the URL of the server in the Time Servers field. The server should
provide the time in NIST-standard format. Use a space to separate multiple servers.
2. Click Update Current Time.
If more than one time server is listed, the CAM tries to contact the first server in the list when
synchronizing. If available, the time is updated from that server. If it is not available, the CAM tries the
next one, and so on, until a server is reached.
The CAM will then automatically synchronize time with the configured NTP server at periodic intervals.

To change the time zone of the server system time:


1. In the Current Time tab of the Administration > CCA Manager page, choose the new time zone
from the Time Zone drop-down list.
2. Click Update Time Zone.

Manage CAM SSL Certificates


The elements of Cisco NAC Appliance communicate securely over Secure Socket Layer (SSL)
connections. Cisco NAC Appliance uses SSL connections for the following:
• Between the CAM and the CAS
• Between the CAM and the browser accessing the CAM web admin console
• Between the CAS and end-users connecting to the CAS
• Between the CAS and the browser accessing the CAS direct access web console
During installation, the configuration utility script for both the CAM and CAS requires you to generate
a temporary SSL certificate for the server being installed (CAM or CAS). A corresponding private key
is also generated with the temporary certificate.
For a production deployment, you will typically want to replace the temporary certificate for the Clean
Access Server with a CA-signed SSL certificate, since the CAS certificate is the one that is visible to
the end user. Otherwise, if the Clean Access Server has a temporary certificate, users accessing the
network will have to explicitly accept the certificate from the CAS each time they login. For details on
managing SSL certificates for the CAS, see the Cisco NAC Appliance - Clean Access Server Installation
and Administration Guide.

Note Due to Java version dependencies on the system software, Cisco Clean Access only supports 1024- and
2048-bit key lengths for SSL certificates.

For the Clean Access Manager, it is not necessary to use a CA-signed certificate and you can continue
to use a temporary certificate, if desired. The following sections describe how to manage SSL
certificates for the CAM:
• Generate Temporary Certificate, page 15-8
• Export CSR/Private Key/Certificate, page 15-9
• Verify Currently Installed Private Key and Certificates, page 15-10

• Import Signed Certificate, page 15-13
• View Certificate Files Uploaded for Import, page 15-14
• Troubleshooting Certificate Issues, page 15-15

Note You cannot use a CA-signed certificate that you bought for the Clean Access Manager on the Clean
Access Server. You must buy a separate certificate for each Clean Access Server.

Web Console Pages for SSL Certificate Management

The actual CAM SSL certificate files are kept on the CAM machine, and the CAS SSL certificate files
are kept on the CAS machine. After installation, the CAM and CAS certificates can be managed from
the following web console pages (respectively):

Clean Access Manager Certificates:


• Administration > CCA Manager > SSL Certificate

Clean Access Server Certificates:


• CAS management pages: Device Management > CCA Servers > Manage [CAS_IP] > Network
> Certs, or
• CAS direct access console: Administration > SSL Certificate
The CAM web admin console lets you perform the following SSL certificate-related operations:
• Generate a temporary certificate (and corresponding private key).
• Generate a PEM-encoded PKCS #10 Certificate Signing Request (CSR) based on the current
temporary certificate.
• Import and export the private key. The Export Key feature is used to save a backup copy of the
Private Key on which the CSR is based. When a CA-signed certificate is returned from the
Certificate Authority and imported into the CAM, this Private Key must be used with it.

Typical Steps for New Installs

For new installations, some typical steps for managing the CAM certificate are as follows.

Note It is not necessary to have CA-signed certificates for the CAM.

1. Synchronize time
After CAM and CAS installation, make sure the time on the CAM and CAS is synchronized before
regenerating the temporary certificate on which the Certificate Signing Request will be based. See
the next section, Set System Time, page 15-4, for details.
2. Check DNS settings for the CAM
If planning to use the DNS name instead of the IP address of your servers for CA-signed certs, you
will need to verify the CAM settings and regenerate a temporary certificate. See Regenerating
Certificates for DNS Name Instead of IP, page 15-16 for details.
3. Generate Temporary Certificate, page 15-8


A temporary certificate and private key are automatically generated during CAM installation. If
changing time or DNS settings on the CAM, regenerate the temporary certificate and private key
prior to creating the Certificate Signing Request.
4. Export (Backup) the private key to a local machine for safekeeping/backup.
It is a good idea to always back up the private key corresponding to the current temporary certificate
to a local hard drive for safekeeping before you generate and export the Certificate Signing Request.
See Export CSR/Private Key/Certificate, page 15-9.
5. Export (save) the Certificate Signing Request (CSR) to a local machine.
See Export CSR/Private Key/Certificate, page 15-9.
6. Send the CSR file to a Certification Authority (CA) authorized to issue trusted certificates.
7. After the CA signs and returns the certificate, import the CA-signed certificate to your server.
When the CA-signed certificate is received from the CA, upload it as PEM-encoded file to the CAM
temporary store. See Import Signed Certificate, page 15-13.
8. If necessary, upload any required intermediate CA certificate(s) as a single PEM-encoded file to the
CAM temporary store.
9. Click Verify and Install Uploaded Certificates to verify the entire certificate chain and private key
in the temporary store and install the verified certificates to the CAM.
10. Test access to the CAM.

Note Make sure the CA-signed certificate you are importing is the one with which you generated the CSR and
that you have NOT subsequently generated another temporary certificate. Generating a new temporary
certificate will create a new private-public key combination. In addition, always export and save the
private key to a secure location when you are generating a CSR for signing (for safekeeping and to have
the private key handy).

For additional details, see also Troubleshooting Certificate Issues, page 15-15.


Generate Temporary Certificate


The following procedures describe how to generate a new temporary certificate for the CAM. After
generating a temporary certificate, you can generate a certificate signing request based on the certificate.
1. Go to Administration > CCA Manager> SSL Certificate (Figure 15-4).
2. Select Generate Temporary Certificate (default) from the Choose an action dropdown list.

Figure 15-4 SSL Certificate: Generate Temporary Certificate

3. Type appropriate values for the following fields:


Full Domain Name or IP – The fully qualified domain name or IP address of the Clean Access
Manager for which the certificate is to apply. For example: camanager.<your_domain_name>
Organization Unit Name – The name of the unit within the organization, if applicable.
Organization Name – The legal name of the organization.
City Name – The city in which the organization is legally located.
State Name – The full name of the state in which the organization is legally located.
2-letter Country Code – The two-character, ISO-format country code, such as GB for Great
Britain or US for the United States.
4. When finished, click Generate. This generates a new temporary certificate and new private key.

Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays
the IP address or domain name of the current SSL certificate being used to access the web console page
displayed. For example, if accessing the SSL Certificate management pages of a CAS, the domain name
or IP address that is on the SSL certificate of that CAS is shown. If accessing the SSL Certificate
management pages of the CAM, the domain name/IP on the SSL certificate of the CAM is shown.


Export CSR/Private Key/Certificate


Exporting a CSR generates a PEM-encoded PKCS#10-formatted Certificate Signing Request suitable
for submission to a certificate authority. The CSR will be based on the temporary certificate and private
key currently in the keystore database.

To create a certificate request:


1. Go to Administration > CCA Manager> SSL Certificate (Figure 15-5).
2. Select Export CSR/Private Key/Certificate from the Choose an action dropdown list.

Figure 15-5 SSL Certificate: Export CSR / Private Key / Certificate (callout: fields disabled for temporary certificate)

3. Create a backup of the private key used to generate the request by clicking the Export button for
Currently Installed Private Key (A) in the Export CSR/Private Key/Certificate Request form. You
are prompted to save or open the file (see Filenames for Exported Files, page 15-10). Save it to a
secure location.

Note Cisco Clean Access only supports 1024- and 2048-bit key lengths for SSL certificates.

4. Click Export CSR (B). A certificate signing request file for the CAS is generated and made
available for downloading (see Filenames for Exported Files, page 15-10).

Note This step will generate a certificate request based on the currently installed (temporary)
certificate and private key pair. Make sure these are the ones for which you want to submit the
CSR to the certificate authority.

5. Save the CSR file to your hard drive (or Open it immediately in a text editor if you are ready to fill
out the certificate request form). Use the CSR file to request a certificate from a certificate authority.
When you order a certificate, you may be asked to copy and paste the contents of the CSR file into
a CSR field of the order form.


6. When you receive the CA-signed certificate back from the certification authority, you can import it
into the Clean Access Manager as described in Import Signed Certificate, page 15-13.

After the CA-signed cert is imported, the “currently installed certificate” is the CA-signed
certificate. You can always optionally Export the Currently Installed Certificate if you need to
access a backup of this certificate later.

Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays
the IP address or domain name of the current SSL certificate being used to access the web console page
displayed. For example, if accessing the SSL Certificate management pages of a CAS, the domain name
or IP address that is on the SSL certificate of that CAS is shown. If accessing the SSL Certificate
management pages of the CAM, the domain name/IP on the SSL certificate of the CAM is shown.

Filenames for Exported Files

File names for SSL Certificate files that can be exported from the CAM are as follows:

File Name (1) - Description
smartmgr_csr.pem - CAM Certificate Signing Request (CSR)
smartmgr_key.pem - CAM Currently Installed Private Key
smartmgr_crt.cer (2) - CAM Currently Installed Certificate

1. For release 3.6.0.1 and below the filename extension is .csr instead of .pem.
2. For release 3.6(1) only, the filename is smartmgr_crt.pem.

Verify Currently Installed Private Key and Certificates


You can verify the following files by viewing them under Administration > CCA Manager > SSL
Certificate | Export CSR/Private Key/Certificate (Figure 15-5):
• Currently Installed Private Key
• Currently Installed Certificate
• Currently Installed Certificate Details
• Currently Installed Root/Intermediate CA Certificate
• Currently Installed Root/Intermediate CA Certificate Details

Note You must be currently logged into your web console session to view any certificate files.

On the CAM, View/Details/Delete buttons are disabled (greyed out) if the files are not installed (for
export) or not uploaded (for import). For example, if only a temporary certificate is present on the CAM,
the “Root/Intermediate CA” and “Currently Installed Root/Intermediate CA” View/Details/Delete
buttons will be disabled on the Import and Export forms, respectively.
Clicking View for “Currently Installed Private Key” brings up the dialog shown in Figure 15-6
(BEGIN PRIVATE KEY/END PRIVATE KEY).


Figure 15-6 View Currently Installed Private Key

Clicking View for “Currently Installed Certificate” brings up the dialog shown in Figure 15-7 (BEGIN
CERTIFICATE / END CERTIFICATE).

Figure 15-7 View Currently Installed Certificate

Clicking Details for “Currently Installed Certificate” brings up the dialog shown in Figure 15-8
(“Certificate:”). The Currently Installed Certificate Details form provides an easy way to verify
whether you have a temporary or CA-signed certificate. The most important fields to check are:
• Issuer — Who signed the current certificate. The temporary certificate generated during installation
will have the Issuer information shown in Figure 15-8.
• Validity — The creation date (“Not Before:”) and expiry date (“Not After:”) of the certificate.

Note The time set on the CAS must fall within the creation date/expiry date range set on the SSL
certificate of the CAM. The time set on the user machine must fall within the creation
date/expiry date range set on the SSL certificate of the CAS.

• Subject—The server and organizational information you entered when you generated the temporary
certificate.
• Begin Certificate/End Certificate—The actual certificate is displayed in this section. It is identical
to the information shown when you click View “Currently Installed Certificate”.


Figure 15-8 View Currently Installed Certificate Details (Example Temporary Certificate). Callouts: Issuer (signer of certificate); Validity (creation date, expiry date); Subject (organizational info from temporary cert); actual certificate (Begin/End).

Clicking View or Details for “Currently Installed Root/Intermediate CA Certificate” will bring up
similar dialogs for the root or intermediate certificates you have installed on your CAM.

Import Signed Certificate


If you have received a CA-signed PEM-encoded X.509 certificate for the Clean Access Manager, you
can import it into the Clean Access Manager as described here. Before starting, make sure that the root
and CA-signed certificate files are in an accessible file directory location. If using a certificate authority
for which intermediate CA certificates are necessary, make sure these files are also present and
accessible.
1. Go to Administration > CCA Manager> SSL Certificate (Figure 15-9).
2. Select Import Certificate from the Choose an action dropdown list.

Figure 15-9 SSL Certificate: Import Certificate (CAM)

3. Click the Browse button next to the Certificate File field and locate the certificate file on your
directory system.

Note Make sure there are no spaces in the filename when importing files (you can use underscores).

4. Select the File Type from the dropdown menu:
• CA-signed PEM-encoded X.509 Cert — Select this option to upload the PEM-encoded
CA-signed certificate.
• Root/Intermediate CA — Select this option to upload the PEM-encoded intermediate CA
certificate or root certificate.

Note If there are multiple intermediate CA files, you must copy and paste them into a single
Intermediate CA PEM-encoded file for upload to the CAM. Only one Intermediate CA file
can be uploaded to the CAM.

• Private Key — Select this option if you need to upload the Private Key for the CAM (from
backup). Typically, you only need to do this if the current Private Key does not match the Private
Key used to create the original CSR on which the CA-Signed certificate is based.
• Trust Non-Standard CA — On the CAM, select this option if uploading a certificate signed
by a non-standard organization that is needed for communication between the CAM and an
external server, such as an LDAP authentication server. For example, you may have a
certificate for your LDAP server that is signed by your own institution's CA (e.g. a university CA).
If the auth server certificate is signed by a CA that is not well known, import the CA cert using
the Trust Non-Standard CA option to have it accepted. The Clean Access Manager must be
rebooted for this to take effect.
5. Click Upload to upload the certificate file to the temporary store on the Clean Access Manager.
6. Click Verify and Install Uploaded Certificates to verify the entire certificate chain and private key
in the temporary store and install the verified certificate files to the correct locations in the CAM. If
any files are missing, errors will be displayed indicating which files need to be uploaded. For
example, if an intermediate CA certificate is required for the certificate authority you are using,
upload it to the CAM temporary store in order for the certificate chain to be verified and installed
on the CAM.

Note Neither the CAM nor CAS will install an unverifiable certificate chain. You must have delimiters
(Begin/End Certificate) for multiple certificates in one file, but you do not need to upload
certificate files in any particular sequence because they are verified in the temporary store first
before being installed.

7. If you try to upload a root/intermediate CA certificate for the CAM that is already in the list, you
may see an error message “this intermediate CA is not necessary” after you click the Verify and
Install Uploaded Certificates button. You must Delete the uploaded Root/Intermediate CA in
order to remove any duplicate files.
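The single Root/Intermediate CA file that the note in step 4 asks for can be assembled and sanity-checked before it is uploaded. The following Python script is an added example for this guide, not Cisco code: it validates the BEGIN/END CERTIFICATE delimiters of each intermediate file (the CAM will not install an unverifiable chain), refuses file names containing spaces, rejects duplicate certificates (which the CAM would otherwise report as “this intermediate CA is not necessary”), and writes one concatenated bundle. The file names and certificate bodies in SAMPLE_FILES are constructed placeholders, not real certificates.

```python
"""Assemble the single Root/Intermediate CA PEM file the CAM accepts.

Added example for this guide, not Cisco code. The file names and the
certificate bodies in SAMPLE_FILES are constructed placeholders.
"""
import base64
import binascii
import os
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)


def split_pem(text):
    """Return the base64 body of every properly delimited certificate in text.

    Raises ValueError for unbalanced BEGIN/END delimiters or a body that is
    not base64: the CAM will not install an unverifiable file, so reject it
    before uploading rather than after.
    """
    if text.count(BEGIN) != text.count(END):
        raise ValueError("unbalanced BEGIN/END CERTIFICATE delimiters")
    bodies = []
    for body in _BLOCK.findall(text):
        compact = "".join(body.split())
        if not compact:
            raise ValueError("empty certificate block")
        try:
            base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64: %s" % exc)
        bodies.append(compact)
    if len(bodies) != text.count(BEGIN):
        raise ValueError("delimiters out of order; could not parse every block")
    return bodies


def build_ca_bundle(named_files):
    """named_files: [(filename, pem_text), ...]. Returns one bundle as text.

    Enforces the import rules from this section: no spaces in file names,
    every certificate wrapped in its own BEGIN/END delimiters, and no
    duplicate certificate (the CAM reports a repeated intermediate as
    'not necessary' and makes you delete it).
    """
    seen = set()
    blocks = []
    for name, text in named_files:
        if " " in os.path.basename(name):
            raise ValueError("file name %r contains a space; use underscores" % name)
        for body in split_pem(text):
            if body in seen:
                raise ValueError("duplicate certificate in %s" % name)
            seen.add(body)
            lines = [body[i:i + 64] for i in range(0, len(body), 64)]
            blocks.append("\n".join([BEGIN] + lines + [END]))
    if not blocks:
        raise ValueError("no certificates found")
    return "\n".join(blocks) + "\n"


def write_bundle(paths, out_path):
    """Read the intermediate CA files at paths and write the merged bundle."""
    named = [(p, open(p, encoding="ascii").read()) for p in paths]
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write(build_ca_bundle(named))


def _placeholder_pem(label):
    """Constructed stand-in: base64 of a marker string instead of real DER."""
    body = base64.b64encode(("placeholder for %s" % label).encode()).decode()
    return "%s\n%s\n%s\n" % (BEGIN, body, END)


# Constructed sample input; real files hold DER-encoded X.509 certificates.
SAMPLE_FILES = [
    ("intermediate_ca_1.pem", _placeholder_pem("constructed intermediate CA 1")),
    ("intermediate_ca_2.pem", _placeholder_pem("constructed intermediate CA 2")),
]

if __name__ == "__main__":
    print(build_ca_bundle(SAMPLE_FILES))
```

Run write_bundle(["inter1.pem", "inter2.pem"], "intermediate_bundle.pem") against the files received from the CA and upload the result once, with File Type set to Root/Intermediate CA; the root certificate is uploaded separately.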

Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays
the IP address or domain name of the current SSL certificate being used to access the web console page
displayed. For example, if accessing the SSL Certificate management pages of a CAS, the domain name
or IP address that is on the SSL certificate of that CAS is shown. If accessing the SSL Certificate
management pages of the CAM, the domain name/IP on the SSL certificate of the CAM is shown.

View Certificate Files Uploaded for Import


You can verify certificate files you have uploaded to the temporary store for import into the CAM under
Administration > CCA Manager> SSL Certificate | Import Certificate (Figure 15-9), as follows:
• Uploaded Private Key
• Uploaded CA-Signed Certificate
• Uploaded CA-Signed Certificate Details
• Uploaded Root/Intermediate CA Certificate
• Uploaded Root/Intermediate CA Certificate Details

Note You must be currently logged into your web console session to view any certificate files.

On the CAM, View/Details/Delete buttons are disabled (greyed out) if the files are not installed (for
export) or not uploaded (for import). For example, if only a temporary certificate is present on the CAM,
the “Root/Intermediate CA” and “Currently Installed Root/Intermediate CA” View/Details/Delete
buttons will be disabled on the Import and Export forms, respectively.

Troubleshooting Certificate Issues


Issues can arise during Cisco NAC Appliance certificate management, particularly if there are
mismatched SSL certificates somewhere along the certificate chain. Common problems on SSL
certificates can be time-oriented (if the clocks are not synchronized on the CAM and CAS,
authentication fails), IP-oriented (certificates are created for the wrong interface) or
information-oriented (wrong or mistyped certificate information is imported). This section describes the
following:
• No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
• Private Key in Clean Access Server Does Not Match the CA-Signed Certificate
• Regenerating Certificates for DNS Name Instead of IP
• Certificate-Related Files

No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM


The following client connection errors can occur if the CAS does not trust the certificate of the CAM,
or vice-versa:
• No redirect after web login— users continue to see the login page after entering user credentials.
• Agent users attempting login get the following error: “Clean Access Server could not establish a
secure connection to the Clean Access Manager at <IPaddress or domain>” (Figure 15-10)
These errors typically indicate one of the following certificate-related issues:
• The time difference between the CAM and CAS is greater than 5 minutes.
• Invalid IP address
• Invalid domain name
• CAM is unreachable
To identify common issues:
1. Check the CAM’s certificate and verify it has not been generated with the IP address of the CAS.
2. Check the time set on the CAM and CAS. The time set on the CAM and the CAS must be 5 minutes
apart or less.
To resolve these issues:
1. Set the time on the CAM and CAS correctly first (see Set System Time, page 15-4)
2. Regenerate the certificate on the CAS using the correct IP address or domain.
3. Reboot the CAS.
4. Regenerate the certificate on the CAM using the correct IP address or domain.
5. Reboot the CAM.
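The identify and resolve steps above, together with the Validity note under the certificate Details description, amount to a handful of mechanical checks. The Python below is an added example, not Cisco code or part of this guide: it pulls Issuer, Subject and the Not Before/Not After dates out of the text shown by Details (the same layout openssl prints) and reports which of this section's conditions fail: CAS clock outside the CAM certificate's validity window, user machine clock outside the CAS certificate's window, CAM/CAS skew over 5 minutes, or a CAM certificate whose CN is the CAS IP address. The certificate text, addresses and clock values are constructed, and treating Issuer equal to Subject as the self-signed temporary certificate is this example's own assumption.

```python
"""Certificate time/identity checks for the CAM<->CAS connection.

Added example for this guide, not Cisco code. The details text, addresses
and clock values below are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # CAM and CAS must agree to within 5 minutes


def utc(year, month, day, hour=0, minute=0):
    """Aware UTC datetime, used for the constructed clock values."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _when(text):
    """Parse an openssl-style timestamp such as 'Dec  1 00:00:00 2006 GMT'."""
    naive = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def parse_details(text):
    """Extract issuer CN, subject CN and the validity window from the text
    shown by Details for the installed certificate (openssl x509 -text layout)."""
    def cn(label):
        m = re.search(r"^\s*%s:.*?CN=([^,\n]+)" % label, text, re.M)
        return m.group(1).strip() if m else None
    before = re.search(r"Not Before\s*:\s*(.+)", text).group(1)
    after = re.search(r"Not After\s*:\s*(.+)", text).group(1)
    return {"issuer_cn": cn("Issuer"), "subject_cn": cn("Subject"),
            "not_before": _when(before), "not_after": _when(after)}


def diagnose(cam_cert, cas_cert, cam_now, cas_now, client_now, cas_ip):
    """Apply the section's conditions; return a list of finding codes
    (empty when everything checks out)."""
    findings = []
    # Validity note: CAS clock inside the CAM cert window, client clock inside the CAS cert window.
    if not cam_cert["not_before"] <= cas_now <= cam_cert["not_after"]:
        findings.append("cas-clock-outside-cam-cert-validity")
    if not cas_cert["not_before"] <= client_now <= cas_cert["not_after"]:
        findings.append("client-clock-outside-cas-cert-validity")
    # Troubleshooting: a CAM/CAS time difference over 5 minutes breaks the secure connection.
    if abs(cam_now - cas_now) > MAX_SKEW:
        findings.append("cam-cas-clock-skew-over-5-min")
    # Troubleshooting step 1: the CAM certificate must not carry the CAS IP address.
    if cam_cert["subject_cn"] == cas_ip:
        findings.append("cam-cert-generated-with-cas-ip")
    # Assumption of this example: a self-signed cert (Issuer == Subject) is the temporary one.
    if cam_cert["issuer_cn"] == cam_cert["subject_cn"]:
        findings.append("cam-cert-is-self-signed-temporary")
    return findings


# Constructed details text in the layout the Details dialog / openssl x509 -text shows.
CAM_DETAILS = """\
Certificate:
    Issuer: C=US, ST=CA, O=Example University, CN=192.0.2.10
    Validity
        Not Before: Dec  1 00:00:00 2006 GMT
        Not After : Nov 30 23:59:59 2011 GMT
    Subject: C=US, ST=CA, O=Example University, CN=192.0.2.10
"""
CAS_DETAILS = """\
Certificate:
    Issuer: C=US, O=Example Campus CA, CN=Example Campus Root CA
    Validity
        Not Before: Jan  5 00:00:00 2007 GMT
        Not After : Jan  4 23:59:59 2010 GMT
    Subject: C=US, O=Example University, CN=cas1.example.edu
"""


def run_scenario():
    """Constructed scenario: certificates in date, CAM cert temporary,
    CAS clock 7 minutes ahead of the CAM."""
    cam = parse_details(CAM_DETAILS)
    cas = parse_details(CAS_DETAILS)
    cam_now = utc(2007, 3, 1, 10, 0)
    return diagnose(cam, cas, cam_now=cam_now, cas_now=cam_now + timedelta(minutes=7),
                    client_now=cam_now, cas_ip="192.0.2.11")


if __name__ == "__main__":
    for code in run_scenario():
        print(code)
```

In practice feed parse_details() the text copied from the Details dialog of each appliance and the clocks read with date on the CAM, the CAS and the client; a clock-skew or validity finding is fixed by setting the time first (Set System Time) before regenerating anything, as the resolve steps above say.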

Figure 15-10 Troubleshooting: “CAS Cannot Establish Secure Connection to CAM”

Note If nslookup and date run from the CAS show that both the DNS and time settings on the CAS are
correct, the cacerts file on the CAS may be corrupted. In this case, back up the existing cacerts file from
/usr/java/j2sdk1.4/lib/security/cacerts, overwrite it with the copy from /perfigo/common/conf/cacerts,
then run “service perfigo restart” on the CAS.

Note If the error message on the client is “Clean Access Server is not properly configured, please report to
your administrator,” this typically is not a certificate issue but indicates that a default user login page has
not been added to the CAM. See Add Default Login Page, page 5-3 for details.

For additional information, see also:
• Troubleshooting when Adding the Clean Access Server, page 3-4
• Troubleshooting the Agent, page 12-71

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate
This issue can arise if a new temporary certificate is generated after a Certificate Signing Request
(CSR) has already been sent out: the CA-signed certificate that comes back corresponds to the previous
temporary certificate and private key pair, not to the current one.
For example, an administrator generates a CSR, backs up the private key, and then sends the CSR to a
certificate authority (CA), such as VeriSign.
Subsequently, another administrator regenerates a temporary certificate after the CSR has been sent.
When the CA-signed certificate is returned from the CA, the private key on which the CA-signed
certificate is based no longer matches the one in the Clean Access Server.
To resolve this issue, re-import the old private key (from backup) and then install the CA-signed certificate.
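Whether a key, a CSR and a returned certificate belong together can be settled before the import by comparing their RSA moduli, which is the check a practitioner runs when the “does not match” condition above is suspected. The script below is an added example, not Cisco code: it wraps the openssl command line tool (assumed to be on PATH; the key is assumed to be RSA) and, in demo(), generates throwaway material so the check can be seen succeeding for the original key and failing for a regenerated one. The CAM file names in Table 15-1 (/root/.tomcat.key, /root/.tomcat.csr, /root/.tomcat.crt) are the documented locations; run this against a backup copy of the key rather than the live files.

```python
"""Confirm that a private key, the CSR made from it and the CA-signed
certificate returned for that CSR all share one RSA modulus.

Added example for this guide, not Cisco code. Assumes the openssl binary is
on PATH and that the key is RSA.
"""
import os
import subprocess
import tempfile

_MODULUS_CMD = {
    "key": ["openssl", "rsa", "-noout", "-modulus", "-in"],
    "csr": ["openssl", "req", "-noout", "-modulus", "-in"],
    "cert": ["openssl", "x509", "-noout", "-modulus", "-in"],
}


def modulus(kind, path):
    """Return the hex RSA modulus that openssl prints as 'Modulus=<hex>'."""
    proc = subprocess.run(_MODULUS_CMD[kind] + [path], check=True,
                          capture_output=True, text=True)
    line = proc.stdout.strip()
    if not line.startswith("Modulus="):
        raise ValueError("unexpected openssl output for %s: %r" % (path, line[:40]))
    return line.split("=", 1)[1]


def check_key_material(key_path, cert_path, csr_path=None):
    """Report which files share the private key's modulus.

    key_matches_cert False is exactly the condition described in this
    section: the key was regenerated after the CSR went out, so the backed-up
    key has to be re-imported before the CA-signed certificate is installed.
    """
    key_mod = modulus("key", key_path)
    result = {"key_matches_cert": key_mod == modulus("cert", cert_path)}
    if csr_path is not None:
        result["key_matches_csr"] = key_mod == modulus("csr", csr_path)
    return result


def demo():
    """Build throwaway material with openssl and run the check both ways:
    the original key against its CSR and certificate, then a regenerated key
    (what a second temporary certificate leaves behind)."""
    work = tempfile.mkdtemp()
    key, csr, crt = (os.path.join(work, n) for n in ("a.key", "a.csr", "a.crt"))
    new_key = os.path.join(work, "regenerated.key")
    subj = "/CN=cam.example.test"   # constructed subject

    def run(*cmd):
        subprocess.run(cmd, check=True, capture_output=True)

    run("openssl", "genrsa", "-out", key, "2048")
    run("openssl", "req", "-new", "-key", key, "-out", csr, "-subj", subj)
    # Self-sign the CSR here in place of the CA; the modulus comparison is the same.
    run("openssl", "x509", "-req", "-in", csr, "-signkey", key, "-days", "1", "-out", crt)
    run("openssl", "genrsa", "-out", new_key, "2048")
    return {"original": check_key_material(key, crt, csr),
            "regenerated": check_key_material(new_key, crt, csr)}


if __name__ == "__main__":
    print(demo())
```

On a CAM the call is check_key_material("/root/.tomcat.key", "signed.crt", "/root/.tomcat.csr") with the file the CA returned; if key_matches_csr is True but key_matches_cert is False, the CA returned a certificate for a different request, not a regenerated key.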

Regenerating Certificates for DNS Name Instead of IP


If planning to regenerate certificates based on the DNS name instead of the IP address of your servers:

• Make sure the CA-signed certificate you are importing is the one with which you generated the CSR
and that you have NOT subsequently generated another temporary certificate. Generating a new
temporary certificate will create a new private-public key combination. In addition, always export
and save the private key when you are generating a CSR for signing (to have the private key handy).
• When importing certain CA-signed certificates, the system may warn you that you need to import
the root certificate (the CA’s root certificate) used to sign the CA-signed certificate, or the
intermediate root certificate may need to be imported.
• Make sure there is a DNS entry in the DNS server.
• Make sure the DNS address in your Clean Access Server is correct.
• For High-Availability (failover) configurations, use the DNS name for the Service IP (virtual DNS).
• It is recommended to reboot when you generate a new certificate or import a CA-signed certificate.
• When using a DNS-based certificate, if it is not CA-signed, the user will simply be prompted to
accept the certificate.

Certificate-Related Files
For troubleshooting purposes, Table 15-1 lists certificate-related files on the Clean Access Manager. For
example, if the admin console becomes unreachable due to a mismatch of the CA-certificate/private key
combination, these files may need to be modified directly in the file system of the Clean Access
Manager.
Table 15-1 Clean Access Manager Certificate-Related Files

File                                          Description
/root/.tomcat.key                             Private key
/root/.tomcat.crt                             Certificate
/root/.tomcat.csr                             Certificate Signing Request
/root/.chain.crt                              Intermediate certificate
/perfigo/common/conf/perfigo-ca-bundle.crt    The root CA bundle

For additional information on Clean Access Manager files, see Log Files, page 14-17.

System Upgrade
Once release 4.1(0) or above is installed on the CAM and CAS, minor release upgrades to a later 4.1(x)
release can be performed on the CAM through the web console. This section describes the System
Upgrade page of the CAM.
For complete upgrade details, refer to Chapter 18, “Upgrading to a New Software Release.”

Note • You can use System Upgrade to upgrade a standalone CAM to release 4.1.
• If upgrading your system from 3.5(x) to 4.1 you must follow the in-place upgrade procedure detailed
in Chapter 18, “Upgrading to a New Software Release.”

1. To access the CAM upgrade page, go to Administration > CCA Manager > System Upgrade.

Figure 15-11 CAM System Upgrade

2. Click Browse to locate the .tar.gz upgrade file you have downloaded from Cisco Secure Software.
Filenames for upgrade typically reflect the following conventions:
• cca_upgrade_4.1.x.tar.gz—CAM/CAS release upgrade file (e.g. 4.1.0)
• cam_upgrade_4.1.x.tar.gz—CAM-only patch upgrade file
• cas_upgrade_4.1.x.tar.gz—CAS-only patch upgrade file; must be uploaded through the CAS
management pages. See Chapter 18, “Upgrading to a New Software Release” for details.
3. Click Upload to upload the .tar.gz upgrade file to your CAM.
4. Once the upgrade file appears in the list, click the checkbox for “Upgrade Agent” if you want to
upgrade the Clean Access Agent Setup Installation and Patch Installation files to the latest Agent
version bundled with the release (for example, Agent 4.1.0.0 for release 4.1(0)).

This option is typically only available when upgrading between minor releases. If upgrading
between major releases (e.g. 4.0(x) to 4.1), the Clean Access Agent setup/patch files within the
CAM are automatically upgraded (e.g. to 4.1.0.0), regardless of whether “Upgrade Agent” is
enabled.
5. Click the red Apply icon. You will see the following dialog:
This will schedule a system upgrade in two minutes. Are you sure you wish to do this?

Click OK to start the CAM upgrade. Click Cancel if you do not want to upgrade at this time.
6. Clicking the notes link displays a summary of the new features, enhancements, and resolved caveats
for the release.
7. Clicking Upgrade Log displays a brief summary of the upgrade process including the date and time
it was performed.
8. Clicking Upgrade Details displays the details of the upgrade process, in the following format:
state before upgrade
upgrade process details
state after upgrade
It is normal for the “state before upgrade” to contain several warning/error messages (e.g.
“INCORRECT”). The “state after upgrade” should be free of any warning or error messages.

Licensing
The Clean Access Manager and Clean Access Servers require a valid product license to function. The
licensing model for Clean Access incorporates the FlexLM licensing standard.

Note For step-by-step instructions on initially installing the Clean Access Manager license, as well as details
on permanent, evaluation, and legacy licenses, see Cisco NAC Appliance Service Contract / Licensing
Support.

Install FlexLM License for Clean Access Server:


Once the initial product license for the Clean Access Manager is installed, you can use the Licensing
page to add or manage additional licenses (such as CAS licenses, or a second CAM license for
HA-CAMs).
1. Go to Administration > CCA Manager > Licensing.

Figure 15-12 Licensing Page

2. In the Clean Access Manager License File field, browse to the license file for your Clean Access
Server or Server bundle and click Install License. You will see a green confirmation text string at
the top of the page if the license was installed successfully, as well as the CAS increment count (for
example, “License added successfully. Out-of-Band Server Count is now 10.”).

3. Repeat this step for each Clean Access Server license file you need to install (you should have
received one license file per PAK submitted during customer registration). The status information at
the bottom of the page will display total number of Clean Access Servers enabled per successful
license file installation.

Remove Product Licenses


1. Go to Administration > CCA Manager > Licensing
2. Click the Remove All Licenses button to remove all FlexLM license files in the system.
3. The Clean Access Manager License Form will reappear in the browser, to prompt you to install a
license file for the Clean Access Manager.

Note Until you enter the license file for the Clean Access Manager, you will not be redirected to the
admin user login page of the web admin console.

Note • You cannot remove individual FlexLM license files. To remove a file, you must remove all license
files.
• Once installed, a permanent FlexLM license overrides an evaluation FlexLM license.
• Once installed, FlexLM licenses (either permanent or evaluation) override legacy license keys (even
though the legacy key is still installed).
• When an evaluation FlexLM expires, or is removed, an existing legacy license key will again take
effect.

Change Legacy License Keys


1. Go to Administration > CCA Manager > Licensing
2. To change the license key (for releases prior to release 3.5), copy the license key to the Product
License Key field, then click Apply Key.

Support Logs
The Support Logs page on the Clean Access Manager is intended to facilitate TAC support of customer
issues. The Support Logs page allows administrators to combine a variety of system logs (such as
information on open files, open handles, and packages) into one tarball that can be sent to TAC to be
included in the support case. Administrators should download these support logs when sending their
customer support request.
The Support Logs pages on the CAM web console and CAS direct access web console provide web page
controls to configure the level of log detail recorded for troubleshooting purposes in /perfigo/logs. These
web controls are intended as a convenient alternative to using the CLI loglevel command and parameters
in order to gather system information when troubleshooting. Note that the log level configured on the
Support Logs page does not affect the CAM’s Monitoring > Event Log page display.
For normal operation, the log level should always remain at the default setting (severe). The log level is
only changed temporarily for a specific troubleshooting time period —typically at the request of the
customer support/TAC engineer. In most cases, the setting is switched from “Severe” to “All” for a
specific interval, then reset to “Severe” after data is collected. Note that once you reboot the CAM/CAS,
or perform the service perfigo restart command, the log level will return to the default setting
(Severe).

Caution Do not leave the log level set at “All” or “Info” indefinitely, as this will cause the log file to grow very
quickly.

To Download CAM Support Logs:


1. Go to Administration > CCA Manager > Support Logs

Figure 15-13 CAM Support Logs

2. Click the Download button to download the cam_logs.<cam-ip-address>.tar.gz file to your local
computer.

3. Send this .tar.gz file with your customer support request.

Note To retrieve the compressed support logs file for the Clean Access Server, go to Device Management >
CCA Servers > Manage [CAS_IP] > Misc > Support Logs. See the Cisco NAC Appliance - Clean
Access Server Installation and Administration Guide for details.

To Change the Loglevel for CAM Logs:


1. Go to Administration > CCA Manager > Support Logs
2. Choose the CAM log category to change:
• CCA Manager General Logging: This category contains the majority of logging events for the
system. Any log event not contained in the other four categories listed below will be found under
CCA Manager General Logging (e.g. authentication failures).
• CAM/CAS Communication Logging: This category contains CAM/CAS configuration or
communication errors, for example, if the CAM’s attempt to publish information to the CAS
fails, the event will be logged.
• Switch Management Logging: This category contains generic SNMP errors that can arise from
the CAM directly communicating with the switch, for example, if the CAM receives an SNMP
trap for which the community string does not match.
• General OOB Logging: This category contains general OOB errors that may arise from
incorrect settings on the CAM, for example, if the system cannot process an SNMP linkup trap
from a switch because it is not configured on the CAM or is overloaded.
• Low level Switch Communication Logging: This category contains OOB errors for specific
switch models.
3. Click the loglevel setting for the category of log:
• All: This is the lowest loglevel, with all events and details recorded.
• Info: Provides more details than the Severe loglevel. For example, if a user logs in successfully
an Info message is logged.
• Severe: This is the default level of logging for the system. A log event is written to /perfigo/logs
only if the system encounters a severe error, such as:
- CAM cannot connect to CAS
- CAM and CAS cannot communicate
- CAM cannot communicate with database
For details on the Event Log, see Chapter 14, “Monitoring.”

Admin Users
This section describes how to add multiple administrator users in the Administration > Admin Users
module of the CAM web admin console.
Under Administration > Admin Users there are two tabs: Admin Groups, and Admin Users.
You can create new admin users and associate them to pre-existing default admin groups, or you can
create your own custom admin groups. In either case, the access permissions defined for the admin group
are applied to admin users when you add those users to the group.

Admin Groups
There are three default (uneditable) admin groups in the system, and one predefined custom group
(“Help Desk”) that you can edit. In addition, you can also create any number of your own custom admin
groups under Administration > Admin Users > Admin Groups > New.
The three default admin group types are:
1. Read-Only
2. Add-Edit
3. Full-Control (has delete permissions)
The three default admin group types cannot be removed or edited. You can add users to one of the three
pre-defined groups, or you can configure a new Custom group to create specialized permissions. When
creating custom admin permissions, create and set access permissions for the custom admin group first,
then add users to that group to set their permissions.

Add a Custom Admin Group


To create a new admin group:
1. Go to Administration > Admin Users > Admin Groups.

Figure 15-14 Admin Groups

2. Click the New link to bring up the new Admin Group configuration form.

Figure 15-15 New Admin Group

3. Enter a Group Name for the custom admin group.


4. Enter an optional Description for the group.
5. In the Clean Access Servers section, set the Default Clean Access Server Access as either read
only (default) or local admin. The first option at the top of the list defines the default permissions
when a (new) Clean Access Server is added to the managed domain. If no existing access settings
are found for the CAS, this default access policy is used.
6. Set the access options next to each individual Clean Access Server as read only or local admin.
This allows you to give the administrator group full control over certain Clean Access Servers
(including delete/reboot) but only view permissions on others.
7. In the Module Features section, set the Default Feature Access as either read only (default),
add-edit, or full control. The first option at the top of the list defines the default permissions for
any new feature added to the Clean Access Manager, as in the case of a software upgrade. Existing
administrator privilege settings before the upgrade will be preserved.

8. Select group access privileges of read only, add-edit, or full control for each individual module.
This allows you to tailor administrative control over the modules of the Clean Access Manager per
admin group.
9. Click Create Group to add the group to the Admin Groups list.

You can edit the group later by clicking the Edit ( ) button next to the group in the list. To delete the
group click the Delete ( ) icon next to the group. Users in an admin group are not removed when the
group is deleted, but are assigned to the default Read-Only Admin group.

Note If an administrator changes the permissions of a particular admin group by editing the admin group, the
administrator must remove all admin users belonging to that group since the new permissions will only
be effective from the next login.

Admin Users

Note The default admin user is in the default Full-Control Admin group and is a special system user with
full control privileges that can never be removed from the Clean Access Manager. For example, a
Full-Control user can log in and delete his/her own account, but one cannot log in as user admin and
delete the admin account.

Admin users are classified according to Admin Group. The following general rules apply:
• All admin users can access the Administration > Admin Users module and change their own
passwords.
• Features that are not available to a level of admin user are simply disabled in the web admin console.
• Read-Only users can only view users, devices, and features in the web admin console.
• Add-Edit users can add and edit but not remove local users, devices, or features in the web admin
console. Add-Edit admin users cannot create other admin users.
• Full-Control users can add, edit, and delete all applicable aspects of the web admin console.
• Only Full-Control admin users can add, edit, or remove other admin users or groups.
• Custom group users can be configured to have a combination of access privileges.

Login / Logout an Admin User


As admin users are session-based, admin users should log out using the Logout icon ( ) in the top-right
corner of every page of the web admin console. The administrator login page will appear:

Figure 15-16 Admin Login

Additionally, you can use the Logout button to log out as one type of admin user and log back in as another.

Add an Admin User


To add a new admin user:
1. Go to Administration > Admin Users > New.

Figure 15-17 New Admin User

2. Enter an Admin User Name.


3. Enter a password in the Password and Confirm Password fields.
4. Select an admin group type from the Group Name dropdown list. Default groups are Read-Only,
Add-Edit, and Full-Control. To add a user to a custom-access permissions group, add the group first
as described in Add a Custom Admin Group, page 15-24.
5. Enter an optional Description.
6. Click Create Admin. The new user appears under Admin Users > List.

Edit an Admin User


To edit an existing admin user:
1. Go to Administration > Admin Users > List.

Figure 15-18 Admin Users List

2. Click the Edit ( ) button next to the admin user.

Figure 15-19 Edit Admin User

3. Change the Password and Confirm Password fields, or other desired fields.
4. Click Save Admin.

Note You can edit all properties of the system admin user, except its group type.

Active Admin User Sessions


You can view which admin users are using the Clean Access Manager web admin console from
Administration > Admin Users > Admin Users > Active Sessions. The Active Sessions list shows all
admin users that are currently active. Admin users are session-based. Each browser that an admin user
opens to connect to the Clean Access Manager webserver creates an entry for the user in the Active
Sessions list.
If an admin user opens a browser, closes it, then opens a new browser, two entries will remain for a period
of time on the Active Session list. The Last Access time does not change for the ended session, and
eventually the entry will be removed by the Auto-logout feature.

Figure 15-20 Admin User Active Sessions

The Active Sessions page includes the following elements:


• Admin Name – The admin user name.
• IP Address – The IP address of the admin user’s machine.
• Group Name – The access privilege group of the admin user.
• Login Time – The start of the admin user session.
• Last Access - The last time the admin user clicked a link anywhere in the web admin console. Each
click resets the last access time.
• “Auto-Logout Interval for Inactive Admins” -- This value is compared against the Login Time
and Last Access time for an active admin user session. If the difference between the login time and
last access time is greater than the auto-logout interval configured, the user is logged out. This value
must be in the range of 1 to 120 minutes, with an interval of 20 minutes set by default.
• Kick ( )— Clicking this button logs out an active admin user and removes the session from the
active session list.

Manage System Passwords


It is important to provide secure passwords for the user accounts in the Cisco NAC Appliance system, and
to change them from time to time to maintain system security. The suite does not generally impose
standards for the passwords you choose, but it is advised that you use strong passwords, that is,
passwords with at least six characters, mixed letters and numbers, and so on. Strong passwords reduce
the likelihood of a successful password guessing attack against your system.
Cisco NAC Appliance contains the following built-in administrative user account passwords:
1. Clean Access Manager installation machine root user
2. Clean Access Server installation machine root user
3. Clean Access Server web console admin user
4. Clean Access Manager web console admin user
The first three passwords are initially set at installation time (the default password is cisco123). To
change the root passwords (1 and 2) at a later time, access the CAM or CAS machine by SSH, logging in
as the user whose password you want to change, and use the Linux passwd command. The two web
console admin passwords (3 and 4) are changed from the respective web consoles, as described below.
This section describes the following:
• Change the CAM Web Console Admin Password
• Change the CAS Web Console Admin User Password
• Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)

Change the CAM Web Console Admin Password


To change the Clean Access Manager web console admin user password, use the following procedure.
1. Go to Administration > Admin Users > List.

2. Click the Edit ( ) icon for user admin

3. Type the new password in the Password field.


4. Type the password again in the Confirm Password field.
5. Click the Save Admin button. The new password is now in effect.

Change the CAS Web Console Admin User Password


Most configuration tasks are performed in the CAM web admin console. However, the CAS direct access
web console is used to perform several tasks specific to a local CAS configuration, such as configuring
High-Availability mode. Use the following instructions to change the CAS web console admin password:
1. Open the Clean Access Server admin console by navigating to the following address in a browser:
https://<CAS_IP>/admin
where <CAS_IP> is the trusted interface IP address of the CAS. For example,
https://172.16.1.2/admin

2. Log in with the default user name and password of admin/cisco123.


3. Click the Admin Password link from the left side menu.
4. In the Old Password field, type the current password.
5. Type the new password in the New Password and the Confirm Password fields.
6. Click Update.

Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)


Use the following procedure to recover the root password for a 4.1/4.0/3.6 CAM or CAS machine. The
following password recovery instructions assume that you are connected to the CAM/CAS via a
keyboard and monitor (i.e. console or KVM console, NOT a serial console).
1. Power up the machine.
2. When you see the boot loader screen with the “Press any key to enter the menu… ” message,
press any key.

3. You will be at the GRUB menu with one item in the list, “Cisco Clean Access (2.6.11-perfigo).”
Press “e” to edit.
4. You will see multiple choices as follows:
root (hd0,0)
kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 console=ttyS0,9600n8
initrd /initrd-2.6.11-perfigo.img

5. Scroll to the second entry (the line starting with “kernel…”) and press “e” to edit the line.
6. Delete the text “console=ttyS0,9600n8”, add the word “single” to the end of the line, then press
“Enter”. The line should appear as follows:
kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 single

7. Next, press “b” to boot the machine in single user mode. You should be presented with a root shell
prompt after boot-up (note that you will not be prompted for password).
8. At the prompt, type “passwd”, press “Enter” and follow the instructions.
9. After the password is changed, enter “reboot” to reboot the box.

Recovering Root Password for CAM/CAS (Release 3.5.x or Below)


To recover the root password for CAM/CAS on release 3.5(x), you can use the Linux procedure to boot
to single user mode and change the root password:
1. Connect to the CAM/CAS machine via console.
2. Power cycle the machine.
3. After power-cycling, the GUI mode displays. Press Ctrl-x to switch to text mode. This displays a
“boot:” prompt.
4. At the prompt type: linux single. This boots the machine into single user mode.
5. Type: passwd.
6. Change the password.
7. Reboot the machine using the reboot command.

Backing Up the CAM Database


You can create a manual backup snapshot of the CAM database to back up the CAM/CAS configuration
for the current release being run. When you create the snapshot, it is saved on the CAM, but you can also
download it to another machine for safekeeping. Only the CAM snapshot needs to be backed up. The
CAM snapshot contains all database configuration data for the Clean Access Manager, and configuration
information for all Clean Access Servers added to the CAM’s domain. The snapshot is a standard
Postgres data dump.

Note Product licenses are stored in the database and are therefore included in the backup snapshot.

Once a CAS is added to the CAM, the CAS gets its configuration information from the CAM every time
it contacts the CAM, including after a snapshot configuration is restored to the CAM.
In the case that you replace the underlying machine for a CAS that is already added to the CAM, you
will need to execute the service perfigo config utility to configure the new machine with the CAS IP
address and certificate configuration. Thereafter, the CAM will push all the other configuration
information to the CAS. Note that if the shared secret between the CAM and CAS is changed, you may
need to add the CAS to the CAM again (via Device Management > CCA Servers > New Server).
The Clean Access Agent is always included as part of the CAM database snapshot. The Agent is always
stored in the CAM database when:
• The Agent is received as a Clean Access Update (Agent Patch) from web Updates.
• The Agent is manually uploaded to the CAM.
However, when the CAM is newly installed from CD or upgraded to the latest release, the Clean Access
Agent is not backed up to the CAM database. In this case, the CAM software will contain the new Agent
software but this is not uploaded to the CAM database. Agent backups only start when a new Agent is
uploaded to the system either manually or by web Updates.

Note You can only restore a CAM snapshot that has the same version as the CAM (e.g. 4.1(0) snapshot to
4.1(0) CAM).

Automated Daily Database Backups


Cisco NAC Appliance automatically creates daily snapshots of the Clean Access Manager database and
preserves the most recent from the last 30 days. It also automatically creates snapshots before and after
software upgrades, and before and after failover events. For upgrades and failovers, only the last 5
backup snapshots are kept. See Database Recovery Tool, page 15-35 for additional details.

Manual Backups from Web Console


It is recommended to create a backup of the CAM before making major changes to its configuration.
Backing up the configuration from time to time also ensures a recent backup of a known-good
configuration profile, in case of a malfunction due to incorrect settings. Besides protecting against
configuration data loss, snapshots provide an easy way to duplicate a configuration among several
CAMs.

Creating Manual Backup


1. In the Administration > Backup page, type a name for the snapshot in the Database Snapshot Tag
Name field. The field automatically populates with a filename that incorporates the current date and
time (e.g. MM_DD_YY-hh-mm_snapshot). You can either accept the default name or type another.
2. Click Create Snapshot. The Clean Access Manager generates a snapshot file, which is added to the
snapshot list. The Version column automatically lists the CAM software version for the snapshot.

Figure 15-21 Backup Snapshot

Note that the file still physically resides on the Clean Access Manager machine. For archiving
purposes, it can remain there. However, to back up a configuration for use in case of system failure,
the snapshot should be downloaded to another computer.
3. To download the snapshot to another computer, click either the Download icon or the Tag Name of
the snapshot that you want to download.
4. In the File Download dialog, Save the file to your local computer.
To remove the snapshot from the snapshot list, click the Delete button.

Backing Up Snapshots to Another Server via FTP


The /perfigo/control/bin/pg_backup script on the CAM takes the database snapshot and backs it up
on to another server using FTP.
You can set up a cron job to run this script on a regular basis to obtain off-server copies of the
backup snapshot. To execute the script:
1. SSH to the CAM
2. Execute the following script:
./pg_backup <FTPserver> Username Password

The script uses the Postgres pg_dump utility to create an instant database snapshot and then export it to
the FTP server specified. This snapshot is essentially the same as a snapshot created manually using the
CAM web console. You can set up a cron job to run this script daily.

Restoring Configuration from CAM Snapshot

Note You can only restore a CAM snapshot that has the same version as the CAM (e.g. 4.1(0) snapshot to
4.1(0) CAM).

Restore from CAM List of Snapshots


To restore the Clean Access Manager to the configuration state of the snapshot:
1. Go to Administration > Backup
2. Click the Restore button for the desired snapshot in the list. Make sure the version of the
snapshot to which you want to restore the CAM is the same version currently running on the CAM.
3. The existing configuration is overridden by the configuration in the snapshot.

Restore from Downloaded Snapshot


If the snapshot was downloaded to a remote computer, it can be uploaded to the list again as follows:
1. Go to Administration > Backup and click the Browse button next to the Snapshot to Upload field.
Find the file in the directory system.
2. Click Upload Snapshot and confirm the operation. The snapshot now appears in the snapshot list.
3. Click the Restore button next to the snapshot to overwrite the current configuration with the
snapshot’s configuration.
4. Confirm the operation.
The configuration is now restored to the configuration state recorded in the snapshot.

Database Recovery Tool


The Database Recovery tool is a command line utility that can be used to restore the database from the
following types of backup snapshots:
• Automated daily backups (the most recent 30 copies)
• Backups made before and after software upgrades
• Backups made before and after failover events
• Manual snapshots created by the administrator via the web console
Although the web console already allows you to manually create and upload snapshots (via
Administration > Backup), the CLI tool presents additional detail. The tool provides a menu that lists
the snapshots from which to restore, and the uncompressed size and table count. Note that a file which
is corrupt or not in the proper format (e.g. not .tar.gz) will show a remediation warning instead of an
uncompressed size and a table count.

Caution The CAM must be stopped before you can run this utility and must be rebooted after the utility is run.

To run the command utility:


1. Access your Clean Access Manager by SSH.
2. Log in as user root with the root password (default password is cisco123).

3. Change to the directory of the database recovery tool: cd /perfigo/dbscripts
4. Run service perfigo stop to stop the Clean Access Manager.
5. Run ./dbbackup.sh to start the tool.
6. Follow the prompts to perform the database restore.
7. Run reboot to reboot the Clean Access Manager after running the utility.

Note For general information on CLI commands, see Using the Command Line Interface (CLI), page 2-11.

Manual Database Backup from SSH


If the web admin console becomes inaccessible, you can perform a manual database backup as follows:
1. Log in as root on the Clean Access Manager box.
2. Switch user to postgres by typing: su - postgres
3. Create the dump of the database by typing: pg_dump -h 127.0.0.1 controlsmartdb -D -f sm_back_092004.sql
4. This command creates a file called sm_back_092004.sql in the /var/lib/pgsql directory.
5. You can SCP that file to another machine.

API Support
Cisco NAC Appliance provides a utility script called cisco_api.jsp that allows you to perform certain
operations using HTTPS POST. The Clean Access API for your Clean Access Manager is accessed from
a web browser as follows: https://<ccam-ip-or-name>/admin/cisco_api.jsp

Usage Requirements
To use this API, note the following:
• You or someone in your organization must be competent with scripting languages such as Perl.
• Only HTTPS, POST and AUTH are supported. HTTP, GET, and “No Authentication” APIs are not
supported.
• You need to install Perl packages or similar on the machine that runs these scripts.
• Cisco TAC does not support debugging of your Perl or scripting packages.

Authentication Requirement
The API requires authentication over SSL for access to the API, via two authentication methods:
• Authentication by Session
With this method, the administrator uses the adminlogin and adminlogout functions to create an
authentication shell script that will set a cookie with the session ID to be accessed for the rest of the
admin session. If a session ID cookie is not set, the user will be prompted to log in. The adminlogin
(administrator login) function returns a session ID which has to be set as a cookie for usage of any
API. The adminlogout function should then be used to terminate the session. However, if
adminlogout is not used, the session will still be terminated by admin session timeout.
• Authentication by Function
If you do not want to create a shell script using cookies, you can instead perform authentication
every time a function is used. If authenticating by function, you will need to add the admin and
password parameters to all functions that you are using in your existing script. In this case, you do
not use the adminlogin and adminlogout functions.
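The two authentication methods just described, as an added example written for this guide (it is not Cisco's code, nor the Perl sample the guide links to): a small Python client that can run either by session or by function, plus a constructed in-memory stand-in for the CAM so it runs offline. The operation field name op, the session-cookie name JSESSIONID, and adminlogin returning the bare session ID in its response body are assumptions; the guide does not specify them.

```python
import ssl
import urllib.parse
import urllib.request

API_PATH = "/admin/cisco_api.jsp"
COOKIE_NAME = "JSESSIONID"  # assumption: the guide does not name the session cookie
OP_FIELD = "op"             # assumption: the guide does not name the operation field


def https_transport(cam_host, timeout=15):
    """Real transport: HTTPS POST to the CAM with certificate verification. The API
    accepts only HTTPS/POST; never fall back to HTTP, or the session cookie and the
    admin password would cross the wire in clear."""
    url = f"https://{cam_host}{API_PATH}"
    ctx = ssl.create_default_context()  # verify the CAM's certificate chain

    def post(params, cookie):
        body = urllib.parse.urlencode(params).encode()
        req = urllib.request.Request(url, data=body, method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        if cookie:
            req.add_header("Cookie", cookie)
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    return post


class CiscoApiSession:
    """Authentication by session: adminlogin once, send the returned session ID as a
    cookie on every call, adminlogout when done (otherwise the session stays valid
    until the admin session timeout)."""

    def __init__(self, transport):
        self._post, self._cookie = transport, None

    def adminlogin(self, admin, password):
        status, body = self._post(
            {OP_FIELD: "adminlogin", "admin": admin, "password": password}, None)
        if status != 200 or not body.strip():
            raise PermissionError("adminlogin rejected")
        # Assumption: adminlogin returns the bare session ID in the response body.
        self._cookie = f"{COOKIE_NAME}={body.strip()}"

    def call(self, op, **params):
        if self._cookie is None:
            raise RuntimeError("no session: call adminlogin first")
        status, body = self._post({OP_FIELD: op, **params}, self._cookie)
        if status != 200:
            raise RuntimeError(f"{op} failed with HTTP {status}: {body}")
        return body

    def adminlogout(self):
        if self._cookie is not None:
            self._post({OP_FIELD: "adminlogout"}, self._cookie)
            self._cookie = None


def call_by_function(transport, admin, password, op, **params):
    """Authentication by function: admin and password ride along on every request,
    no cookie is kept and adminlogin/adminlogout are not used."""
    status, body = transport(
        {OP_FIELD: op, "admin": admin, "password": password, **params}, None)
    if status != 200:
        raise RuntimeError(f"{op} failed with HTTP {status}: {body}")
    return body


def guest_list_with_session(transport, admin, password):
    """Session round trip: log in, list local (guest) users, always log out."""
    session = CiscoApiSession(transport)
    session.adminlogin(admin, password)
    try:
        return session.call("getlocaluserlist")
    finally:
        session.adminlogout()  # end the session even if the call failed


class FakeCam:
    """Constructed in-memory stand-in for the CAM so the example runs offline. It
    models only the documented behaviour: adminlogin hands out a session ID, every
    other operation needs that cookie or per-call credentials, adminlogout ends it."""

    def __init__(self, admin="admin", password="cisco123"):
        self._creds, self.sessions, self._next = (admin, password), set(), 0

    def __call__(self, params, cookie):
        op = params.get(OP_FIELD)
        creds_ok = (params.get("admin"), params.get("password")) == self._creds
        if op == "adminlogin":
            if not creds_ok:
                return 401, ""
            self._next += 1
            sid = f"sid{self._next}"
            self.sessions.add(sid)
            return 200, sid
        prefix = COOKIE_NAME + "="
        sid = cookie[len(prefix):] if cookie and cookie.startswith(prefix) else None
        if sid not in self.sessions and not creds_ok:
            return 401, "login required"  # neither a live session nor credentials
        if op == "adminlogout":
            self.sessions.discard(sid)
            return 200, "logged out"
        return 200, f"{op}: ok"
```

Against a real CAM, pass https_transport("<ccam-ip-or-name>") in place of FakeCam(); the per-function variant sends the admin password with every request, so prefer the session variant for scripts that make many calls.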

Guest Access Support


The getlocaluserlist, addlocaluser, and deletelocaluser API functions allow administrators to create,
delete, and view local user accounts on the CAM (local users are those validated internally by the CAM,
as opposed to by an external authentication server). These APIs are intended to support guest access for
dynamic token user access generation, providing the ability to:
• Use a webpage to access Cisco NAC Appliance API to insert a visitor username/password (for
example, [email protected], jdoe112805), and assign a role (for example, guest1day).
• Delete all guest users associated with that role for that day (for example, guest1day)
• List all usernames associated with that role (for example, all users for guest1day)
These APIs will support most implementations of guest user access dynamic token/password generation
and allow the removal of those users for a guest role.

Note You will still need to create the front-end password/token generation yourself. For accounting
purposes, Cisco NAC Appliance provides RADIUS accounting functionality only.

Summary of Operations
Table 15-2 summarizes the operations supported. See the Cisco API page itself (via
https://<ccam-ip-or-name>/admin/cisco_api.jsp) for complete details.
Table 15-2 Operations Supported by cisco_api.jsp

Operation Name and Description

1. addcleanmac
   Adds MAC address to Clean Access certified devices list as an exempted device.
2. addlocaluser
   Adds a new local user account. Takes user name, password, and role name. Returns success
   or failure.
   Note getlocaluserlist, addlocaluser, and deletelocaluser support guest access for dynamic
   token user access generation.
3. addmac
   Adds MAC address to Devices list.
   Note The addmac operation adds the MAC address to Device Management > Filters > Devices on
   the CAM. IP addresses specified in device filters are optional and serve to prevent MAC
   spoofing. For devices with a reserved or static IP you can provide the IP along with the
   MAC address to make sure no one spoofs the MAC address to gain network access.
   Note Supported address formats for the mac parameter are 00:01:12:23:34:45, 00:01:12:*, or
   00:01:12:23:34:45-11:22:33:44:55:66. Using a wildcard or address range format will ignore
   the ip parameter.
4. adminlogin
   Administrator login; returns a session ID which has to be set as a cookie for usage of any
   API. Use adminlogin and adminlogout to create a shell script if using authentication by
   session using cookies; otherwise, use the admin and password parameters in each function.
5. adminlogout
   Logs the administrator out. The session is identified by the cookie. Use adminlogin and
   adminlogout to create a shell script if using authentication by session using cookies;
   otherwise, use the admin and password parameters in each function.
6. changeloggedinuserrole
   Changes in-band user access permissions by modifying the user's logged-in role to the
   specified role. Specify the IP address of the logged-in user, and the role to assign the
   user. For multiple users, specify a comma-separated list of IP addresses.
7. changeuserrole
   Changes in-band user access permissions by removing the user from the Online Users list and
   adding the user's MAC address to the Device Filters with the new specified role.
8. clearcertified
   Removes OOB users in addition to IB users from the Clean Access Certified Devices list.
   Removal from the certified devices list ends the current session for online users (in-band
   or OOB).
9. deletelocaluser
   Takes user name or “ALL” (to delete entire list). Returns success or failure.
   Note getlocaluserlist, addlocaluser, and deletelocaluser support guest access for dynamic
   token user access generation.
10. getcleanuserinfo
   When queried with MAC, Name, or All, the certified user(s) information is returned. If there
   are multiple users matching the criteria, a list of certified users is returned.
11. getlocaluserlist
   Returns a list of local users with user name and role name.
   Note getlocaluserlist, addlocaluser, and deletelocaluser support guest access for dynamic
   token user access generation.
12. getoobuserinfo
   When queried with IP, MAC, Name, or All, returns a list of OOB users matched to the
   parameter, and user properties such as Provider, Role, Auth VLAN, Access VLAN, OS,
   SwitchIP, and PortNum.
13. getuserinfo
   When queried with IP, MAC, Name, or All, returns a list of in-band users matched to the
   parameter, and user properties such as current Role, VLAN, Provider, OS.
14. kickoobuser
   Removes logged-in out-of-band user(s). Specify a comma-separated list of IP addresses to
   remove multiple users.
15. kickuser
   Removes logged-in in-band user(s). Specify a comma-separated list of IP addresses to remove
   multiple users.
16. kickuserbymac
   Removes in-band logged-in user(s) by their MAC addresses. Specify the MAC address of the
   user to be removed, or a comma-separated list of MAC addresses to remove multiple users.
17. queryuserstime
   Queries a logged-in user’s remaining time in the session. Only users logged into session
   timeout roles will be returned.
18. removecleanmac
   Removes MAC address from Clean Access Certified Devices list. Removal from the Certified
   Devices list ends the current session for an online user (in-band or OOB).
19. removemac
   Removes MAC address(es) from Device Filters list. Specify a comma-separated list of MAC
   addresses to remove multiple addresses.
   Note The MAC address entered for the mac parameter should match the display format
   (including wildcards).
20. renewuserstime
   Renews a logged-in user’s session timeout by one session.
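The mac parameter formats and the ip-is-ignored rule from the addmac row of Table 15-2, as an added client-side check (example code written for this guide, not Cisco's): it classifies the value into the three documented shapes, normalizes it, and drops the ip binding, with a flag to the caller, whenever the CAM would ignore it. Accepting one to five octets before the wildcard is an assumption; the guide only shows a three-octet prefix.

```python
import ipaddress
import re

_OCTET = r"[0-9A-Fa-f]{2}"
_SINGLE = re.compile(rf"^{_OCTET}(?::{_OCTET}){{5}}$")
# The guide shows a three-octet prefix (00:01:12:*); accepting one to five leading
# octets before the wildcard is an assumption of this example.
_WILDCARD = re.compile(rf"^{_OCTET}(?::{_OCTET}){{0,4}}:\*$")


def _mac_value(mac):
    """Numeric value of a full colon-separated MAC, for ordering range endpoints."""
    return int(mac.replace(":", ""), 16)


def classify_mac(value):
    """Return (kind, normalized) for the mac parameter, where kind is 'single',
    'wildcard' or 'range'. Anything outside the three documented shapes raises."""
    text = value.strip()
    if _SINGLE.match(text):
        return "single", text.lower()
    if _WILDCARD.match(text):
        return "wildcard", text.lower()
    if "-" in text:
        low, high = text.split("-", 1)
        if _SINGLE.match(low) and _SINGLE.match(high):
            if _mac_value(low) > _mac_value(high):
                raise ValueError(f"range start is above range end: {value!r}")
            return "range", f"{low.lower()}-{high.lower()}"
    raise ValueError(f"unsupported mac format: {value!r}")


def build_addmac_params(mac, ip=None):
    """Build the addmac parameters. Returns (params, ip_enforced): the ip
    anti-spoofing binding only applies to a single address, so for a wildcard or
    range the ip is not sent and ip_enforced is False, letting the caller notice
    that the filter it is about to create is not spoof-protected."""
    kind, normalized = classify_mac(mac)
    params = {"mac": normalized}
    if ip is None or kind != "single":
        return params, False
    params["ip"] = str(ipaddress.ip_address(ip))  # rejects malformed addresses
    return params, True
```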

Examples
For further details, access the Cisco API page itself from your CAM
(https://<ccam-ip-or-name>/admin/cisco_api.jsp), or refer to the following resources:
• Cisco NAC Appliance FAQ for the cisco_api.jsp page:
http://www.cisco.com/warp/customer/707/ca-mgr-faq2.html#q8
• Sample of Perl test script for the “addmac” operation (this link is included in the FAQ above)
http://www.cisco.com/warp/public/707/https-auth-post.txt
• Global Device and Subnet Filtering, page 3-7 —For general details on exempting devices through
the CAM web console interface.

Chapter 16 Configuring High Availability (HA)

This chapter describes how to set up a pair of Clean Access Manager machines for high availability. By
deploying Clean Access Managers in high-availability mode, you can ensure that important monitoring,
authentication, and reporting tasks continue in the event of an unexpected shutdown. Topics include:
• Overview, page 16-1
• Before Starting, page 16-3
• Connect the Clean Access Manager Machines, page 16-4
• Configure the HA-Primary CAM, page 16-5
• Configure the HA-Secondary CAM, page 16-8
• Upgrading an Existing Failover Pair, page 16-10
• Failing Over an HA-CAM Pair, page 16-10
• Useful CLI Commands for HA, page 16-11
• Adding High Availability Cisco NAC Appliance To Your Network, page 16-13

Overview
The following key points provide a high-level summary of HA-CAM operation:
• The Clean Access Manager high-availability mode is an Active/Passive two-server configuration in
which a standby CAM machine acts as a backup to an active CAM machine.
• The active Clean Access Manager performs all tasks for the system. The standby CAM monitors the
active CAM and keeps its database synchronized with active CAM’s database.
• Both CAMs share a virtual Service IP for the eth0 trusted interface. The Service IP should be used
for the SSL certificate.
• The primary and secondary CAM machines exchange UDP heartbeat packets every 2 seconds. If the
heartbeat timer expires, stateful failover occurs.
• The eth1 interface and/or serial interface on the CAMs can be used for heartbeat packets and
database synchronization. If both eth1 and serial interfaces are configured for heartbeat, both
interfaces need to fail for failover to occur.

Figure 16-1 illustrates a sample configuration.

Figure 16-1 Clean Access Manager Example High-Availability Configuration

[Figure 16-1 is a diagram; the labels recovered from it are listed below.]
• Primary Clean Access Manager (camanager1): eth0 192.168.151.152, eth1 10.10.10.253
• Standby Clean Access Manager (camanager2): eth0 192.168.151.153, eth1 10.10.10.254
• Service IP Address 192.168.151.151 on the trusted network (advertised to Clean Access Servers)
• Crossover network 10.10.10.252 between the eth1 ports (specify network portion of address in web
console): UDP heartbeat and DB sync
• Serial heartbeat connection between the two CAMs

The Clean Access Manager high-availability mode is an Active/Passive two-server configuration in
which a standby Clean Access Manager machine acts as a backup to an active Clean Access Manager
machine. While the active CAM carries most of the workload under normal conditions, the standby
monitors the active CAM and keeps its data store synchronized with the active CAM’s data.
If a failover event occurs, such as the active CAM shutting down or no longer responding to the peer’s
“heartbeat” signal, the standby assumes the role of the active CAM.
When first configuring the HA peers, you must specify an HA-Primary CAM and HA-Secondary CAM.
Initially, the HA-Primary is the active CAM, and the HA-Secondary is the standby (passive) CAM, but
the active/passive roles are not permanently assigned. If the primary CAM goes down, the secondary
(standby) becomes the active CAM. When the original primary CAM restarts, it assumes the backup role.
When the Clean Access Manager starts up, it checks to see if its peer is active. If not, the starting CAM
assumes the active role. If the peer is active, on the other hand, the starting CAM becomes the standby.
You can configure two Clean Access Managers as an HA pair at the same time, or you can add a new
Clean Access Manager to an existing standalone CAM to create a high-availability pair. In order for the
pair to appear to the network and to the Clean Access Servers as one entity, you must specify a Service
IP address to be used as the trusted interface (eth0) address for the HA pair. This Service IP address is
also used to generate the SSL certificate.
To create the crossover network on which high-availability information is exchanged, you connect the
eth1 ports of both CAMs and specify a private network address not currently routed in your organization
(the default HA crossover network is 192.168.0.252). The Clean Access Manager then creates a private,
secure two-node network for the eth1 ports of each CAM to exchange UDP heartbeat traffic and
synchronize databases. Note that the CAM always uses eth1 as the UDP heartbeat interface.
For extra security, you can also connect the serial ports of each Clean Access Manager for heartbeat
exchange. In this case, both the UDP heartbeat and serial heartbeat interfaces must fail for the standby
system to take over.

Note For serial cable connection for HA (either HA-CAM or HA-CAS), the serial cable must be a “null
modem” cable. For details, refer to http://www.nullmodem.com/NullModem.htm.

The following sections describe the steps for setting up high availability.

Note The instructions in this section assume that you are adding a Clean Access Manager to a standalone
CAM in order to configure the HA pair for a test network.

Before Starting
Warning To prevent any possible data loss during database synchronization, always make sure the standby
(secondary) Clean Access Manager is up and running before failing over the active (primary) Clean
Access Manager.

Before configuring high availability, ensure that:
• You have obtained a high-availability (failover) license.

Note When installing a CAM Failover (HA) license, install the Failover license to the Primary CAM
first, then load all the other licenses.

• Both CAMs are installed and configured (see Perform the Initial Configuration, page 2-8.)
• For heartbeat, each CAM needs to have a unique hostname (or node name). For HA CAM pairs, this
host name will be provided to the peer, and must be resolved via DNS or added to the peer's
/etc/hosts file.
• You have a CA-signed certificate for the Service IP of the HA CAM pair. (For testing, you can use
the CA-signed certificate of the HA-Primary CAM, but this requires additional steps to configure
the HA-Primary CAM’s IP as the Service IP).
• The HA-Primary CAM is fully configured for runtime operation. This means that connections to
authentication sources, policies, user roles, access points, and so on, are all specified. This
configuration is automatically duplicated in the HA-Secondary (standby) CAM.
• Both Clean Access Managers are accessible on the network (try pinging them to test the connection).
• The machines on which the CAM software is installed have a free Ethernet port (eth1) and at least
one free serial port. Use the specification manuals for the server hardware to identify the serial port
(ttyS0 or ttyS1) on each machine.
• In Out-of-Band deployments, Port Security is not enabled on the switch interfaces to which the CAS
and CAM are connected, since Port Security can interfere with CAS HA and DHCP delivery.
The following procedures require you to reboot the Clean Access Manager. At that time, its services will
be briefly unavailable. You may want to configure an online CAM when downtime has the least impact
on your users.

Note Cisco NAC Appliance web admin consoles support the Internet Explorer 6.0 or above browser.

Connect the Clean Access Manager Machines


There are two types of connections between HA-CAM peers: one for exchanging runtime data relating
to the Clean Access Manager activities and one for the heartbeat signal. In High Availability, the Clean
Access Manager always uses the eth1 interface for both data exchange and heartbeat UDP exchange.
When the UDP heartbeat signal fails to be transmitted and received within a certain time period, the
standby system takes over. In order to provide an extra measure of security, it is highly recommended to
add a serial heartbeat connection between the Clean Access Manager peers. The serial connection
provides an additional dedicated heartbeat exchange method that must fail before the standby system can
take over. However, note that the eth1 connection between the CAM peers is mandatory.
Physically connect the peer Clean Access Managers as follows:
• Use a crossover cable to connect the eth1 Ethernet ports of the Clean Access Manager machines. This
connection is used for the heartbeat UDP interface and data exchange (database mirroring) between
the failover peers.
• Use a null modem serial cable to connect the serial ports (highly recommended). This connection is
used as an additional heartbeat serial exchange (keep-alive) between the failover peers.

Note For serial cable connection for HA, the serial cable must be a “null modem” cable. For details,
refer to http://www.nullmodem.com/NullModem.htm.

Serial Connection
If the machine running the Clean Access Manager software has two serial ports, you can use the
additional port for the serial heartbeat connection. By default, the first serial port detected on the CAM
server is configured for console input/output (to facilitate installation and other types of administrative
access).
If the machine has only one serial port (COM1 or ttyS0), you can reconfigure the port to serve as the
high-availability heartbeat connection. This is because, after the CAM software is installed, SSH or
KVM console can always be used to access the command line interface of the CAM.
You can enable/disable the serial port using the Disable Serial Login checkbox on the HA CAM settings
(under Administration > Clean Access Manager > Network & Failover | Failover Settings | Disable
Serial Login). When there is only one serial port on the CAM machine, this checkbox allows
administrators to disable serial login on COM1 so that it can be used as the Heartbeat Serial Interface
for a pair of HA-Clean Access Managers.

Note Serial login is enabled by default on the CAM. If you are using COM1 for the Heartbeat Serial Interface
of the CAM, you must click the Disable Serial Login checkbox to disable serial login on COM1.

Configure the HA-Primary CAM


Once you have verified the prerequisites, perform the following steps to configure the Clean Access
Manager as the HA-Primary for the high availability pair. See Figure 16-1 for a sample configuration
example.
1. Open the web admin console for the Clean Access Manager to be designated as the HA-Primary, and
go to Administration > CCA Manager > SSL Certificate to configure the SSL certificate for the
primary CAM. The Generate Temporary Certificate form appears.

Note The HA configuration steps in this chapter assume that a temporary certificate will be exported
from the HA-Primary CAM to the HA-Secondary CAM.

If using a temporary certificate for the HA pair:
a. Complete the Generate Temporary Certificate form and click Generate.
The certificate must be generated for the Service IP address of the HA pair.
b. When finished generating the temporary certificate, choose Export CSR/Private
Key/Certificate from the Choose an action menu.
c. Click the Export button for Currently Installed Private Key to export the SSL private key.
Save the key file to disk. You will have to import this key into the HA-Secondary CAM later.
d. Click the Export button for Currently Installed Certificate to export the current SSL
certificate. Save the certificate file to disk. You will have to import this certificate file into the
HA-Secondary CAM later.
If using a CA-signed certificate for the HA pair:

Note The CA-signed certificate must either be based on the Service IP or a hostname/domain
name resolvable to the Service IP through DNS. See Manage CAM SSL Certificates, page
15-5 for details.

a. Select Import Certificate from the Choose an action: menu.
b. Use the Browse button next to the Certificate File field and navigate to the CA-signed cert.
c. Choose CA-signed PEM-encoded X.509 Cert from the File Type dropdown menu.
d. Click Upload to import the certificate. Note that you will need to import this same certificate
into the HA-Secondary CAM later.
e. Click Verify and Install Uploaded Certificates.
f. Select Export CSR/Private Key/Certificate from the Choose an action dropdown list.
g. Click the Export button for the Currently Installed Private Key to export the SSL private key
associated with the CA-signed certificate. Save the key file to disk. You will need to import this
file into the HA-Secondary CAM later.
2. Go to Administration > CCA Manager and click the Network & Failover tab. Choose the
HA-Primary option from the High-Availability Mode dropdown menu. The high availability
settings appear:

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01 16-5

Figure 16-2 Network & Failover Settings for the CAM (screenshot; callout: HA settings)

3. Copy the value from the IP Address field under Network Settings and enter it in Service IP
Address field. The Network Settings IP Address is the existing IP address of the current Clean
Access Manager. The idea here is to turn this IP address, which the Clean Access Servers already
recognize, into the virtual Service IP address for the Clean Access Manager pair.

Figure 16-3 Configuring the Service IP

4. Change the IP address under Network Settings to an available address (for example, n.152).


Figure 16-4 Configuring New IP Address (screenshot; callout: new IP address)

5. Each Clean Access Manager must have a unique host name (such as camanager1 and camanager2).
Type the host name of the HA-Primary CAM in the Host Name field under Network Settings, and
type the host name of the HA-Secondary CAM in the Peer Host Name field under Failover
Settings.

Figure 16-5 Example Primary Clean Access Manager Failover Settings (screenshot; callouts: Primary CAM host name, Secondary CAM host name)

Note • A Host Name value is mandatory when setting up high availability, while the Host Domain name
is optional.
• The Host Name and Peer Host Name fields are case-sensitive. Make sure to match what is typed
here with what is typed for the HA-Secondary CAM later.

6. From the Heartbeat Serial Interface dropdown menu, choose the serial port to which you
connected the serial cable of the HA-Primary CAM, or leave this N/A if not using serial connection.


7. If your machine only has one serial port and you are using COM1 as the Heartbeat Serial Interface,
you must check the Disable Serial Login checkbox to ensure serial login is disabled on COM1. See
Serial Connection, page 16-4 for further details.
8. To maintain synchronization, the Clean Access Manager peers exchange data over a crossover
network. In the Crossover Network field, specify a private network address space that is not
currently routed in your organization (such as 10.10.10). The default crossover network provided is
192.168.0.252. If this address conflicts with your network, specify a different private address
space. For example, if your organization uses the private network 192.168.151.0, use 10.1.1.x as the
crossover network. The subnet mask and last octet of the IP address are fixed, so enter only the
network portion of the IP address in the Crossover Network field.
9. Click Update and then Reboot to restart the Clean Access Manager.
After the Clean Access Manager restarts, make sure that the CAM machine is working properly. Check
to see if the Clean Access Servers are connected and new users are being authenticated.
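The crossover-network rule in step 8 (a private address space, not routed anywhere in your organization, entered as the network portion only) is worth checking before the reboot, because a conflicting crossover network silently competes with a production prefix. The following script is an added example, not code from this guide or from the Cisco NAC Appliance software. It assumes the field takes three octets that form a /24 (the guide fixes the mask and last octet but does not state the mask, so the /24 is an assumption), and ORG_ROUTED_PREFIXES is a constructed sample of routed address space that you would replace with your own routing-table export.

```python
"""Sanity-check a candidate Crossover Network value for an HA-CAM pair.

Added example, not code from the Cisco guide or from the CAM software.
Assumptions: the Crossover Network field takes the network portion only
(for example "10.10.10") and the CAM fixes the mask and the host octet; the
/24 mask used here is an assumption, because the guide does not state it.
ORG_ROUTED_PREFIXES is a constructed sample of routed address space.
"""
import ipaddress
import re

# Constructed sample of prefixes routed in the organization (replace with a
# routing-table export). 192.168.151.0/24 is the guide's own example.
ORG_ROUTED_PREFIXES = ["192.168.151.0/24", "10.10.0.0/16", "172.16.0.0/12"]

DEFAULT_CROSSOVER = "192.168.0"   # guide: the default crossover network is 192.168.0.252
ASSUMED_PREFIX_LEN = 24           # assumption: three entered octets make a /24

RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_THREE_OCTETS = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}$")


def crossover_to_network(field_value):
    """Return the /24 network implied by the three-octet field value.

    Raises ValueError if the value is not exactly three octets, which is the
    mistake the guide warns about (the last octet and mask are fixed).
    """
    value = field_value.strip()
    if not _THREE_OCTETS.match(value):
        raise ValueError("enter only the network portion, e.g. 10.10.10")
    return ipaddress.ip_network(f"{value}.0/{ASSUMED_PREFIX_LEN}")


def check_crossover(field_value, routed_prefixes=ORG_ROUTED_PREFIXES):
    """Return a list of problems; an empty list means the value looks usable."""
    net = crossover_to_network(field_value)
    problems = []
    # The crossover network must be private address space.
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append(f"{net} is not an RFC 1918 private network")
    # It must not be routed anywhere else in the organization.
    for prefix in routed_prefixes:
        routed = ipaddress.ip_network(prefix, strict=False)
        if net.overlaps(routed):
            problems.append(f"{net} overlaps routed prefix {routed}")
    return problems


if __name__ == "__main__":
    for candidate in (DEFAULT_CROSSOVER, "192.168.151", "10.10.10", "10.1.1", "8.8.8"):
        issues = check_crossover(candidate)
        print(f"{candidate:>12}: {'OK' if not issues else '; '.join(issues)}")
```

Run it with the prefixes your routers actually advertise; the guide's own example (192.168.151.0 in use, so choose 10.1.1.x) comes out as one overlap report and one clean result.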

Configure the HA-Secondary CAM


1. Open the web admin console for the Clean Access Manager to be designated as the HA-Secondary,
and go to Administration > CCA Manager > SSL Certificate.
2. Before starting:
– Back up the secondary CAM’s private key
– Make sure the private key and SSL certificate files associated with the Service IP/HA-Primary
CAM are available (previously exported as described in Configure the HA-Primary CAM, page
16-5).
3. Import the HA-Primary CAM’s private key file and certificate as described below:
a. In the SSL Certificate tab, choose Import Certificate from the Choose an action: menu
b. Click Browse next to the Certificate File field, and browse to your backup copy of the private
key file generated with the certificate that will be used for the HA pair.
c. Choose Private Key as the File Type.
d. Click Upload to upload the private key.
e. With Import Certificate selected from the Choose an action: menu, browse to the certificate
(temporary or CA-signed) associated with the private key.
f. Choose CA-signed PEM-encoded X.509 Cert as the File Type.
g. Click Upload to upload the temporary certificate or CA-signed certificate.
h. Click Verify and Install Uploaded Certificates.
See Manage CAM SSL Certificates, page 15-5 for details.
4. Go to the Administration > CCA Manager > Network & Failover | Network Settings and change
the IP Address of the secondary CAM to an address that is different from the HA-Primary CAM IP
address and the Service IP address (such as n.153).


Figure 16-6 Example HA-Secondary Clean Access Manager Failover Settings

5. Set the Host Name value under Network Settings to the same value set for the Peer Host Name in
the HA-Primary CAM configuration. See Figure 16-5 on page 16-7.

Note The Host Name and Peer Host Name fields are case-sensitive. Make sure to match what is typed here
with what was typed for the HA-Primary CAM.

6. Choose HA-Secondary in the High-Availability Mode dropdown menu. The high availability
settings appear.
7. Set the Service IP Address value under Failover Settings to the same value set for the Service IP
Address in the HA-Primary CAM configuration.
8. Set the Peer Host Name value under Failover Settings to the HA-Primary CAM’s host name.
9. From the Heartbeat Serial Interface dropdown menu, choose the serial port to which you
connected the serial cable of the HA-Primary CAM, or leave this N/A if not using serial connection.
10. If your machine only has one serial port and you are using COM1 as the Heartbeat Serial Interface,
you must check the Disable Serial Login checkbox to ensure serial login is disabled on COM1. See
Serial Connection, page 16-4 for further details.
11. Type the same Crossover Network Interface Settings as you entered for the HA-Primary CAM.
12. Click Update and then Reboot.
When the standby CAM starts up, it automatically synchronizes its database with the active CAM.
Finally, open the admin console for the standby again and complete the configuration as follows. Notice
that the admin console for the standby now has only one management module.


Figure 16-7 Standby Web Admin Console

Complete the Configuration


1. Verify settings in the Network & Failover page for the standby CAM.
The high availability configuration is now complete.

Upgrading an Existing Failover Pair


For instructions on how to upgrade an existing failover pair to a new CCA release, see “Upgrading High
Availability Pairs” in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(x).

Failing Over an HA-CAM Pair


Warning To prevent any possible data loss during database synchronization, always make sure the standby
CAM is up and running before failing over the active CAM.

To fail over an HA-CAM pair, SSH to the active machine in the pair and run one of the following
commands:
• shutdown, or
• reboot, or
• service perfigo stop


This stops all services on the active machine. When heartbeat fails, the standby machine will assume the
active role. Perform service perfigo start to restart services on the stopped machine. This should
cause the stopped machine to assume the standby role.

Note service perfigo restart should not be used to test high availability (failover). Instead, Cisco
recommends “shutdown” or “reboot” on the machine to test failover, or, the CLI commands service
perfigo stop and service perfigo start. See Using the Command Line Interface (CLI), page 2-11.

Useful CLI Commands for HA


The following are useful directories to know about for HA on the CAM:
• /etc/ha.d/perfigo/conf
• /etc/ha.d/ha.cf
The following example shows the location of the HA debug/log files, as well as the name of each CAM
(node) in the HA pair:
[root@cam1 ha.d]# more ha.cf
# Generated by make-hacf.pl
udpport 694
bcast eth1
auto_failback off
apiauth default uid=root
log_badpack false
debug 0
debugfile /var/log/ha-debug
logfile /var/log/ha-log
#logfacility local0
watchdog /dev/watchdog
keepalive 2
warntime 10
deadtime 15
node cam1
node cam2

How to Verify Active/Standby Runtime Status on the HA CAM

The following example shows how to use the CLI to determine the runtime status (active or standby) of
each CAM in the HA pair. You can generally find the fostate.sh command from the /store directory of
your last upgrade, for example, /store/cca_upgrade-4.x.x.
1. Run the fostate.sh script on the first CAM:
[root@cam1 cca_upgrade-4.x.x]# ./fostate.sh
My node is active, peer node is standby
[root@cam1 cca_upgrade-4.x.x]#

This CAM is the active CAM in the HA-pair


2. Run the fostate.sh script on the second CAM:
[root@cam2 cca_upgrade-4.x.x]# ./fostate.sh
My node is standby, peer node is active
[root@cam2 cca_upgrade-4.x.x]#

This CAM is the standby CAM in the HA-pair


How to Verify Primary/Secondary Configuration Status on the HA CAM

The following example shows how to use the CLI to determine the HA mode (Primary/Secondary) for
which each CAM was initially configured in the HA pair.
1. Find the name of the CAMs (nodes) with /etc/ha.d/ha.cf.
2. Then check status on each CAM, for example:
[root@cam1 ~]# /perfigo/control/bin/check-ha cam1
active
[root@cam1 ~]# /perfigo/control/bin/check-ha cam2
active
3. Go to /perfigo/control/tomcat and run ls -la:
– If webapps points to normal-webapps, it is the primary CAM
– If webapps points to admin-webapps, it is the secondary CAM
For example, this CAM is the primary CAM:
[root@cam1 tomcat]# cd /perfigo/control/tomcat
[root@cam1 tomcat]# ls -la
total 216
drwxr-xr-x 12 root root 4096 Sep 14 23:28 .
drwxr-xr-x 8 root root 4096 Aug 28 22:12 ..
drwxr-xr-x 4 root root 4096 Aug 28 22:12 admin-webapps
<output cut…..>
drwxr-xr-x 2 root root 4096 Aug 28 22:12 temp
lrwxrwxrwx 1 root root 38 Sep 14 23:28 webapps ->
/perfigo/control/tomcat/normal-webapps
drwxr-xr-x 3 root root 4096 Aug 28 15:15 work

This CAM is the secondary CAM:


[root@cam2 tomcat]# ls -la
total 216
drwxr-xr-x 12 root root 4096 Sep 14 23:33 .
drwxr-xr-x 8 root root 4096 Sep 15 2006 ..
drwxr-xr-x 4 root root 4096 Sep 15 2006 admin-webapps
<output cut …>
drwxr-xr-x 2 root root 4096 Sep 15 2006 temp
lrwxrwxrwx 1 root root 37 Sep 14 23:33 webapps ->
/perfigo/control/tomcat/admin-webapps
drwxr-xr-x 3 root root 4096 Sep 14 23:25 work
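The two checks above (reading the node names and log locations out of /etc/ha.d/ha.cf, and reading the webapps symlink to tell primary from secondary) are the kind of thing an operator repeats on every CAM during an incident, so they are worth scripting. The following Python is an added example, not code from this guide or from the CAM software. It parses a copy of the ha.cf shown earlier in this section (embedded here as a constructed sample), reports the heartbeat timers, and decides the configured role from the symlink target; the timer sanity checks use generic Linux-HA Heartbeat semantics (a node is declared dead after deadtime seconds without a heartbeat sent every keepalive seconds, and warntime is when a late heartbeat is logged), which is an assumption about what the CAM tolerates rather than a rule stated by the guide.

```python
"""Read the Heartbeat configuration and tomcat webapps link of a CAM.

Added example, not part of the Cisco guide or of the CAM software. It reads
the same artifacts the guide points at: /etc/ha.d/ha.cf (node names, log
files, heartbeat timers) and the /perfigo/control/tomcat/webapps symlink
(normal-webapps = primary, admin-webapps = secondary). Paths are parameters
so the functions can be run against copies of the files.
"""
import os
import tempfile

# Constructed copy of the ha.cf shown in the guide (the real file is /etc/ha.d/ha.cf).
SAMPLE_HA_CF = """\
# Generated by make-hacf.pl
udpport 694
bcast eth1
auto_failback off
apiauth default uid=root
log_badpack false
debug 0
debugfile /var/log/ha-debug
logfile /var/log/ha-log
#logfacility local0
watchdog /dev/watchdog
keepalive 2
warntime 10
deadtime 15
node cam1
node cam2
"""


def parse_ha_cf(text):
    """Parse ha.cf into a dict; 'node' repeats, so its values are collected in a list."""
    cfg = {"node": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip comments and blank lines
        key, _, value = line.partition(" ")
        if key == "node":
            cfg["node"].append(value.strip())
        else:
            cfg[key] = value.strip()
    return cfg


def ha_summary(cfg):
    """Return the facts the guide's example calls out: nodes, log files, timers."""
    return {
        "nodes": cfg["node"],
        "debugfile": cfg.get("debugfile"),
        "logfile": cfg.get("logfile"),
        "heartbeat_interface": cfg.get("bcast"),
        "keepalive": int(cfg.get("keepalive", 0)),
        "warntime": int(cfg.get("warntime", 0)),
        "deadtime": int(cfg.get("deadtime", 0)),
    }


def ha_warnings(cfg):
    """Timer sanity checks using generic Linux-HA Heartbeat semantics (assumption)."""
    s = ha_summary(cfg)
    out = []
    if len(s["nodes"]) != 2:
        out.append(f"expected exactly 2 nodes for an HA pair, found {len(s['nodes'])}")
    if s["keepalive"] >= s["deadtime"]:
        out.append("keepalive must be shorter than deadtime or the peer is always dead")
    if s["warntime"] > s["deadtime"]:
        out.append("warntime exceeds deadtime, so late-heartbeat warnings never fire")
    return out


def cam_role(tomcat_dir):
    """Return 'primary', 'secondary' or 'unknown' from the webapps symlink target."""
    link = os.path.join(tomcat_dir, "webapps")
    if not os.path.islink(link):
        return "unknown"
    target = os.path.basename(os.readlink(link).rstrip("/"))
    return {"normal-webapps": "primary", "admin-webapps": "secondary"}.get(target, "unknown")


def make_demo_tomcat(target_name):
    """Build a constructed tomcat directory with webapps -> <target_name> in a temp dir."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, target_name))
    os.symlink(os.path.join(d, target_name), os.path.join(d, "webapps"))
    return d


if __name__ == "__main__":
    cfg = parse_ha_cf(SAMPLE_HA_CF)
    print(ha_summary(cfg))
    print("warnings:", ha_warnings(cfg) or "none")
    print("role of demo tree:", cam_role(make_demo_tomcat("normal-webapps")))
```

On a real CAM you would call parse_ha_cf on the contents of /etc/ha.d/ha.cf and cam_role("/perfigo/control/tomcat"); note that cam_role reports the configured role (primary/secondary), which, as the guide says, is independent of the runtime active/standby state that fostate.sh reports.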


Adding High Availability Cisco NAC Appliance To Your Network


The following diagrams illustrate how HA-CAMs and HA-CASs can be added to an example
core-distribution-access network (with Catalyst 6500s in the distribution and access layers).
Figure 16-8 shows a network topology without Cisco NAC Appliance, where the core and distribution
layers are running HSRP (Hot Standby Router Protocol), and the access switches are dual-homed to the
distribution switches.

Figure 16-8 Example Core-Distribution-Access Network Before Cisco NAC Appliance (diagram: core, distribution, and access layers; the distribution switches carry port labels 2/6 through 2/9)

Figure 16-9 shows how HA-CAMs can be added to the core-distribution-access network. In this
example, the HA heartbeat connection is configured over both serial and eth1 interfaces.

Figure 16-9 Adding HA CAMs to Network (diagram: two CAMs attached to the distribution switches through eth0, with serial and eth1 heartbeat links between the CAMs; ports 2/1 and 2/2 are added on the distribution switches)


Figure 16-10 shows how HA-CASs can be added to the core-distribution-access network. In this
example, the CAS is configured as an L2 OOB Virtual Gateway in Central Deployment. The HA
heartbeat connection is configured over both a serial interface and a dedicated eth2 interface.
Link-failure based failover connection can also be configured over the eth0 and/or eth1 interfaces.

Figure 16-10 Adding HA CAS to Network (diagram: the HA-CAM pair, shown with address 10.10.40.100, and the HA-CAS pair attached to the distribution switches; CAS eth0, eth1, and eth2 on ports 2/3, 2/4, and 2/5; serial heartbeat links between the CAMs and between the CASs; address 10.10.20.100 shown at the bottom of the figure)

Chapter 17
Device Management: Roaming (Deprecated)

Warning The roaming feature is deprecated in release 4.1(0) and will be removed in future releases.

This chapter describes how to set up subnet roaming for wireless clients. Topics include:
• Overview, page 17-1
• Before Starting, page 17-4
• Setting Up Simple Roaming, page 17-5
• Setting Up Advanced Roaming, page 17-6
• Monitoring Roaming Users, page 17-8

Overview
With roaming enabled, users can physically move between Clean Access Server-connected subnets
without interruption of network connectivity. Roaming is transparent to users—they can continue to
browse the Internet or use a network application without losing work if using a web application or having
to log in again.
A Clean Access Server supports roaming by identifying clients who have migrated from the range of an
access point managed by another Clean Access Server. The new Server tunnels the traffic from those
clients back to the original Server.
When the user roams from one access point to another, the physical connection established by the
wireless client is uninterrupted. Also, the client keeps the same IP address, so VPN connections do not
have to be rekeyed.
You can turn on roaming for Clean Access Servers selectively. That is, you can enable it for particular
Servers and leave others disabled. Since a Clean Access Server can manage multiple subnets, you can
also enable roaming by individual subnets.

Requirements
There are several requirements for the network to support roaming:
• The access points for which you want to enable roaming must all have the same SSID.
• The access point signals need to overlap. Gaps between the signals will cause the user connection
to be lost.


• Each Clean Access Server that supports roaming needs to be on a different subnet.
• Clean Access Servers acting as virtual gateways only support roaming with other virtual gateway
Servers. Roaming can occur between Clean Access Servers that are operating as real-IP gateways
and NAT gateways, but not between these types and virtual gateways.

How Roaming Works


When users first access a roaming-enabled network, they associate with a particular access point and
acquire an IP address. Also, authentication and security encryption parameters for the session are
established.

Figure 17-1 Session Established (diagram: CAM connected to the network; CAS-1 on subnet 10.1.3.0 and CAS-2 on subnet 10.1.2.0, each with an access point using SSID=uninet; the client 10.1.3.23 is associated with the CAS-1 access point)

When the user moves to the range of the new access point, the IP address of the user device allows the
second Clean Access Server to identify which Clean Access Server originated the session.
All traffic from the user is tunneled to the original Server, and traffic for the client is tunneled from the
original Server to the current Server. From there, any filtering or other traffic handling measures or
policies are enforced.
The traffic is then routed to the network as appropriate:


Figure 17-2 Traffic Routing with Roaming (diagram: the client 10.1.3.23 has moved to the CAS-2 access point on subnet 10.1.2.0; its traffic is tunneled back to CAS-1 on subnet 10.1.3.0 and from there to the network; both access points use SSID=uninet)

Roaming Modes
There are two roaming modes for the Clean Access Server:
• Simple Roaming mode – Lets you turn roaming off or on by Clean Access Server, regardless of the
individual subnets that the CAS manages. Roaming applies to all subnets managed by the Clean
Access Server. In most cases, simple roaming mode can be used.
• Advanced Roaming – Allows you to turn roaming off or on at the managed subnet level for a
particular Clean Access Server. You only need to use this mode if a Server manages multiple subnets
that have different roaming requirements. Clients who get an IP address in the address space of the
supported subnet will be able to roam, while those that get an address from an unsupported subnet
will not, as illustrated in Figure 17-3.


Figure 17-3 Advanced Roaming (diagram: managed subnets 10.1.1.0/24 and 10.1.2.0/24; roaming configuration: subnet 10.1.1.0 Forwarding = Enabled, subnet 10.1.2.0 Forwarding = Disabled; access point subnet 10.1.3.0; the client 10.1.1.23 roams successfully (roaming enabled), while the client 10.1.2.23 is blocked)
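The rules this chapter lays out for whether a moved client keeps its session (the originating CAS is identified from the client's IP address; roaming is only possible within a roaming region, virtual gateways with virtual gateways and real-IP/NAT gateways with each other; in simple mode the destination CAS must have roaming enabled, in advanced mode the client's source subnet must also be added as a forwarding source there; and the user's role must have Roam Policy set to Allow) fit in a short decision function. The following Python is an added example, not code from this guide or from the product. The topology is constructed from the addresses in Figure 17-3, and which CAS manages which subnet is my reading of that figure, not a statement the guide makes.

```python
"""Model of the roaming decision described in this chapter (deprecated feature).

Added example, not code from the Cisco guide or from the product. It encodes
the chapter's rules: originating CAS found from the client IP, roaming only
inside a roaming region, destination enabled (simple) or source subnet added
(advanced), and role Roam Policy = Allow. Topology is constructed from
Figure 17-3.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CAS:
    name: str
    mode: str                        # "virtual-gateway", "real-ip" or "nat"
    managed_subnets: list            # subnets whose clients originate on this CAS
    roaming_enabled: bool = False    # "Enable Roaming" on this CAS
    source_subnets: list = field(default_factory=list)  # advanced mode: enabled sources


def roaming_region(mode):
    """Virtual gateways form one region; real-IP and NAT gateways form the other."""
    return "vgw" if mode == "virtual-gateway" else "rip-nat"


def originating_cas(client_ip, servers):
    """The client's IP address identifies the CAS that started the session."""
    ip = ipaddress.ip_address(client_ip)
    for cas in servers:
        if any(ip in ipaddress.ip_network(s) for s in cas.managed_subnets):
            return cas
    return None


def roaming_decision(client_ip, role_roam_policy, current_cas, servers, roaming_mode):
    """Return (allowed, reason); current_cas is the CAS the client has moved under."""
    home = originating_cas(client_ip, servers)
    if home is None:
        return False, "client IP is not in any managed subnet"
    if home is current_cas:
        return False, "client is still under its originating CAS (no roaming needed)"
    if roaming_region(home.mode) != roaming_region(current_cas.mode):
        return False, (f"{home.name} ({home.mode}) and {current_cas.name} "
                       f"({current_cas.mode}) are in different roaming regions")
    if role_roam_policy != "Allow":
        return False, "role Roam Policy is not Allow"
    if roaming_mode not in ("simple", "advanced"):
        return False, "roaming is off (No Roaming selected)"
    if not current_cas.roaming_enabled:
        return False, f"roaming is not enabled on {current_cas.name}"
    if roaming_mode == "advanced":
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(s) for s in current_cas.source_subnets):
            return False, f"client subnet is not an enabled roaming source on {current_cas.name}"
    return True, f"traffic tunneled between {current_cas.name} and {home.name}"


# Constructed topology based on Figure 17-3: CAS-1 originates both subnets,
# CAS-2 forwards only for 10.1.1.0/24 (10.1.2.0 forwarding disabled).
CAS1 = CAS("CAS-1", "virtual-gateway", ["10.1.1.0/24", "10.1.2.0/24"])
CAS2 = CAS("CAS-2", "virtual-gateway", ["10.1.3.0/24"], roaming_enabled=True,
           source_subnets=["10.1.1.0/24"])
SERVERS = [CAS1, CAS2]

if __name__ == "__main__":
    for ip in ("10.1.1.23", "10.1.2.23"):
        print(ip, roaming_decision(ip, "Allow", CAS2, SERVERS, "advanced"))
```

With the figure's values the function reproduces its outcome: 10.1.1.23 is tunneled back to CAS-1, 10.1.2.23 is blocked because its subnet is not an enabled source on CAS-2, and the same client would be allowed if CAS-2 were in simple mode.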

Before Starting
Before setting up roaming, you need to add the Clean Access Servers for which you want to support
roaming to the Clean Access Manager’s administrative domain. See Add Clean Access Servers to the
Managed Domain, page 3-2.
For advanced roaming, the managed subnets also need to be added to the Clean Access Server’s
configuration. To view or modify managed subnet settings, go to the following CAS configuration page:
Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Managed Subnet. For more
information, see the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide.
Once you have configured managed Clean Access Servers and, optionally, managed subnets, use the
procedures described in the following sections to set up roaming.


Setting Up Simple Roaming


The simple roaming mode permits roaming for users per Clean Access Server. Users assigned addresses
from a particular Clean Access Server will be able to roam to the Clean Access Server domains that you
set up here as roaming-traffic forwarding servers.

To set up simple roaming:


1. In the Clean Access Manager admin console, click the Roaming link in the Device Management
administration group:

[Screenshot: Roaming link]

2. Choose the Simple Roaming Mode button and click Update. The Clean Access Servers managed
by the Clean Access Manager appear under the Advanced Roaming Mode heading:

[Screenshot: managed Clean Access Servers]

Roaming is possible only between Clean Access Servers within a roaming region, which appear at
the bottom of the form. A roaming region is comprised of Servers running in roaming-compatible
operating modes. Notice that roaming is not possible between Clean Access Servers of type
real-IP/NAT and virtual gateway.
3. Click the Enable button for each Clean Access Server that you want to support roaming. Enabling
roaming for a Server means that it will forward packets from users whose sessions originated in
another Clean Access Server back to the original Clean Access Server. In other words, it is enabled
as a roaming user destination.
The status indicator toggles between enabled and disabled.
4. Enable roaming as appropriate for particular roles. To enable roaming for a role:
a. Click the User Roles link.
b. In the List of Roles tab, click the Edit button for the role for which you want to enable roaming.


c. Choose Allow for the Roam Policy for the role.

[Screenshot: Roam policy]

d. Click Save Role.


You can turn off roaming at any time by choosing the No Roaming option in the roaming page and
clicking Update. Confirm the operation when prompted.

Setting Up Advanced Roaming


The advanced roaming mode lets you enable/disable roaming for users by managed subnet. Users
assigned addresses from particular subnets managed by a Clean Access Server will be able to roam to
the Clean Access Server domains that you enable as roaming destinations, as described here.
1. Make sure that the subnets for which you want to permit roaming are configured in the Managed
Subnet form of the originating Clean Access Server (that is, where the roaming users will be
authenticated). To see the form, go to Device Management > CCA Servers > Manage [CAS_IP]
> Advanced > Managed Subnet:

[Screenshot: managed subnets]

2. In the Clean Access Manager, click the Roaming link from the Device Management module.


3. Choose the Advanced Roaming Mode button and click Update. The Clean Access Servers
managed by the Clean Access Manager appear under the Advanced Roaming Mode heading:

[Screenshot: managed Clean Access Servers]

4. Click the Manage button for the Clean Access Server that you want to configure as a roaming
destination.
5. Select the Enable Roaming option and then click Update:

6. For each subnet managed by another Clean Access Server that you want to enable as a roaming
source, click the Add button:

Note • Only subnets that have already been configured in the Managed Subnet form of the Clean Access
Server management page appear in the list.
• Notice that the forwarding column changes to “Yes”.


[Screenshot: enabled roaming source subnet]

Note • Clicking Remove disables roaming for clients in the source subnet.
• Clicking Back returns you to the Device > Roaming page.

7. Enable roaming as desired for particular roles. To enable roaming for a role:
a. Click the User Roles link.
b. In the List of Roles tab, click the Edit button for the role for which you want to enable roaming.
c. Choose Allow for the Roam Policy for the role.

[Screenshot: Roam policy]

d. Click Save Role.


You can turn off roaming at any time by choosing the No Roaming option in the roaming page and
clicking Update. Confirm the operation when prompted.

Monitoring Roaming Users


You can view which users are roaming from the Monitoring > Online Users > View Online Users page.
The page also shows which Clean Access Server originated the roaming user’s session and the Clean
Access Server of the domain roamed into.
To view roaming users, click the Online Users link in the Monitoring administration group. An entry
for a roaming user appears as follows:

[Screenshot: roaming user]


For a roaming user:


• The CCA Server column indicates the Clean Access Server through which the user originally
logged in.
• The Foreign CCA Server column indicates the Clean Access Server through which the user is
currently sending traffic (that is, the Clean Access Server “roamed into”). See Display Settings, page
14-11 for further details on online user properties that can be monitored.

Appendix A
Error and Event Log Messages

Client Error Messages

Login Failed
Clean Access Server is not properly configured, please report to your administrator.

A login page must be added and present in the system in order for both web login and Clean Access
Agent users to authenticate. If a default login page is not present, Clean Access Agent users will see
this error dialog when attempting login. See also Add Default Login Page, page 5-3.
Clean Access Server could not establish a secure connection to the Clean Access Manager at
<IP_address>

This error message, shown to clients attempting login (Figure A-1), commonly indicates one of the
following issues:
– The time difference between the CAM and CAS is greater than 5 minutes.
– Invalid IP address
– Invalid domain name
– CAM is unreachable
See also Troubleshooting Certificate Issues, page 15-15.

Figure A-1 “CAS Cannot Establish Secure Connection to CAM”


Network Error
The request has timed out. [12002]

This error (Figure A-2) indicates a communication issue between the Agent and the CAS. The Agent
dialog appears initially, which shows that the Agent and the CAS can reach each other; at some
point afterwards the communication is lost, resulting in the error message. This error can reflect a
timing issue after the VLAN has been changed for the user machine in OOB deployments. Increasing
the VLAN Change Delay (under Switch Management > Profiles > SNMP Receiver > Advanced
Settings) from the 2 second default to 3 or 4 seconds may resolve the issue.

Figure A-2 “Request Has Timed Out [12002]”


CAM Event Log Messages


Table A-1 describes Clean Access Manager event log messages. You can view the event log in the Clean
Access Manager admin console from Monitoring > Event Logs.
Table A-1 Event Log Messages (Sheet 1 of 3)

Message Explanation Severity


<MAC address> added to AP MAC list The access point is successfully added to the Normal configuration log
access point list.
<MAC address> could not be added to Adding access point to a passthrough list Error occurred when trying to
the AP MAC list failed; the Clean Access Server might not be automatically add to
connected. passthrough list
<MAC address> removed from the MAC Access point removed from the list. Normal configuration log
list
<MAC address> could not be removed Removing the access point from the Error occurred when trying to
from the AP MAC list passthrough list failed; the Clean Access remove from a passthrough list
Server might not be connected.
<Authentication Server Name> added to Authentication server is added to the list. Normal configuration log
authentication server list
<Authentication Server Name> is Authentication server being added is already Normal configuration log
already configured in authentication on the list.
server list
Provider name <Authentication Server Authentication server name already in use; Error on authentication server
Name> is already been used by different updating authentication server failed. update
authentication server
<Authentication Server Name> updated Authentication server updated successfully. Normal configuration log
to authentication server list
<Authentication Server Name> is not a Authentication server update failed; not a Error on authentication server
valid authentication server valid authentication server. update
<Authentication Server Name> removed Authentication server removed successfully. Normal configuration log
from the authentication server list
<User name, MAC, IP> - Logout request IPSec Client user logout request. Normal configuration log
<User name, MAC, IP> - Logout attempt User logout failed; Clean Access Server is not Error
failed; connected.
Invalid user credentials, <User name, Username and password invalid. Error
MAC, IP>
Invalid authentication provider, User authentication server invalid. Error
<Provider Name> <User name, MAC,
IP>
<Clean Access Server IP> is Heartbeat between Clean Access Manager Critical error; Clean Access
inaccessible! and Clean Access Server failed; the Clean Server should be brought up
Access Server is offline. immediately
Dhcp properties are added DHCP properties are published to DHCP Normal configuration log
server in Clean Access Server.

Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01 A-3
Appendix A Error and Event Log Messages
CAM Event Log Messages

Table A-1 Event Log Messages (Sheet 2 of 3)

Message Explanation Severity


Dhcp properties are not added DHCP properties publishing to Clean Access Error while publishing DHCP
Server failed. properties to the Clean Access
Server
| Message | Explanation | Severity |
|---|---|---|
| Cleared the event log | The entire event log has been cleared. | Normal configuration log |
| Domain authentication server information not available | User login failed; authentication server information not available. | Error on user login |
| Domain authentication server information not set | User login failed; authentication server information not completely configured. | Error on user login |
| <MAC address> added to MAC list | Device MAC address is added to the list. | Normal configuration log |
| <MAC address> could not be added to the MAC list | Device MAC address is not added to the list. | Error |
| <MAC address> is already in the MAC list | Device MAC address already added to the list. | Normal configuration log |
| <MAC address> removed from the MAC list | Device MAC address is removed from the list. | Normal configuration log |
| Updated policy to <Clean Access Server IP> | Policy is updated successfully. | Normal configuration log |
| Could not update policy to <Clean Access Server IP> | Policy update to Clean Access Server failed. | Error |
| Could not update policy to all Clean Access Servers, policies will be published whenever connected | A global policy is not updated to all Clean Access Servers; some of the servers might be disconnected. | Normal configuration log. Not an error, as the policies will be updated when they are connected. |
| Unable to ping <User IP>, going to logout user <Username> | Ping manager is logging off user, as the user is not online. Automatic user log off feature. | Normal user log |
| <Role name> role already exists | A role by this name has already been created. | Normal configuration log |
| <Role Name> role is created successfully | The role has been created successfully. | Normal configuration log |
| Deleting role <Role Name> failed, Clean Access Server <Clean Access Server IP> is not connected | Deleting role failed; Clean Access Server is not connected. | Error |
| Could not connect to <Clean Access Server IP> | Clean Access Server could not be added to the Clean Access Manager administration domain; the Clean Access Server is offline or not reachable by the Clean Access Manager. | Error |
| <Clean Access Server IP> added to Clean Access Manager | Clean Access Server is added successfully to the Clean Access Manager administration domain. | Normal configuration log |
| <Clean Access Server IP> updated in Clean Access Manager | Clean Access Server is updated successfully. | Normal configuration log |
| <Clean Access Server IP> is not configured in Clean Access Manager | Updating Clean Access Server failed; Clean Access Server information not found in the Clean Access Manager. | Error |

Table A-1 Event Log Messages (Sheet 3 of 3)

| Message | Explanation | Severity |
|---|---|---|
| <Subnet/Netmask> is already in the SUBNET list | Subnet has already been added to the subnet list. | Normal configuration log |
| <Subnet/Netmask> removed from the SUBNET list | Subnet is removed from the list successfully. | Normal configuration log |
| <IP Number> System Stats | Runtime statistics for the identified Clean Access Server. The information is: load factor – current number of packets in the queue that the server is processing (i.e., the current load being handled by the Clean Access Server); max since reboot – the maximum number of packets in the queue at any one time (i.e., the maximum load handled by the Clean Access Server); mem – the memory usage statistics, listing the used memory, shared memory, buffered memory, and unused memory; cpu – the processor load on the hardware. | N/A |

INDEX

A
Active Directory 7-9, 7-15
Add Exempt Device 10-27
Add Floating Device 10-32
admin console
  Manager 2-12
  Server 15-31
admin password, changing 15-30
AD SSO Configuration Steps for CAM, CAS, and AD Server 8-4
AD SSO Overview 8-1
advanced roaming mode 17-6
Agent 11-1 to ??, 12-1 to 12-74
  checks 12-22
  reports 12-49

B
Backup 15-33
Bandwidth
  limiting usage 9-13
bursting 9-13

C
CAS management pages 1-9
certificate. See SSL certificate.
Certified Devices
  overview 10-26
Clean Access
  implementing 10-1 to 10-33
CLI commands 2-11
configuring the installation 2-7 to 2-10
CSR, generating 15-9

D
Domain Name field 7-5, 7-8, 7-9, 8-22

E
eth0 2-8
Event Logs 14-12
  Event column 14-14
  Logs Setting 14-16
  messages 18-2 to 18-4
  Syslog Setting 14-16
  View Logs 14-12

F
failover. See high availability.
File Upload 5-12
filter policies
  by subnet 3-19
floating devices 10-32
fragmentation, IP packet 9-6

G
global settings 3-6
guest access 5-16

H
HA-Primary mode 15-3, 16-5
HA-Standby mode 15-3
Heartbeat Timer 9-17
high availability
  overview 16-1

I
installation 2-6 to 2-7
IP fragment packets 9-6
IP Setting tab 15-3

K
Kerberos authentication
  settings 7-5
Kick All Users command 14-9

L
LDAP authentication, configuring 7-9
local settings 3-6
Local Users 6-14
log events 18-2 to 18-4
logging
  event logs 14-12
  user activity 14-3
Logout Page 5-15

M
Monitoring
  overview 14-1
MS Update Scanning Tool 12-73

N
NAS RADIUS properties 7-7, 7-27
Nessus plugins 13-1
Network Scanning 13-1

O
Online Users
  overview 14-3

P
passthrough policies
  by subnet 3-19
password, admin 15-30
Plugins 13-3
primary HA server 16-5
Provider dropdown 7-3

Q
quarantine role, configuring 9-21, 13-3

R
RADIUS authentication 7-6
reboot Server 3-5
Reports
  Clean Access Agent 12-49
  network scanner 13-14
roaming 17-1 to 17-9
roles, user 6-1 to 6-12
  default policies 9-2
  deleting 6-13
rules
  creating 12-29

S
Server
  admin console, opening 15-31
  Delete (Remove) 3-5
  disconnect 3-5
  Manage 3-4
  reboot 3-5
  system stats 14-12, 14-14, 14-16
service perfigo config 2-8, 3-5
Session Timer 9-17
Shared Secret
  installation 2-9
  RADIUS 7-6
simple roaming mode 17-5
SSL Certificate
  Certificate-Related Files 15-17
  Export Certificate Request 15-9, 15-13
  Generate Temporary Certificate 15-8
  Import Signed Certificate 15-13
  installation 2-9
  overview 15-5
  Troubleshooting 15-15
SSL certificate
  exporting CSR 15-9
standalone mode 15-3
subnet, managing access 3-19
subnet roaming 17-1, 17-9
syslog 14-12, 14-16
system stats 14-12, 14-14, 14-16

T
Temporary role 9-19, 11-6
terminate user sessions 14-8
terminating user sessions 14-9
test
  authentication 7-25
  network scanning 13-12
Timer, certified device clearing 10-29
time server 15-4

U
User Management 5-1 to ??, 6-1, 7-1, ?? to 14-9
  activity logs 14-3
  guest access 5-16
  Mapping Rules 7-17
  terminate sessions 14-8
user management
  terminating sessions 14-9

V
Verify Rules 12-30
vulnerabilities 13-10

W
Windows NT authentication 7-8
Windows Script 5.6 12-73
