Specifications
6-5
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 6 User Management: Configuring User Roles and Local Users
Create User Roles
Therefore, if a MAC address associates the client with “Role A”, but the user’s login ID associates him
or her to “Role B”, “Role A” is used.
For additional details, see also Global Device and Subnet Filtering, page 2-10 and Device Filters for
Out-of-Band Deployment, page 2-14.
Client Posture Assessment Roles
You can implement client posture assessment in Cisco NAC Appliance as network scanning only (see
Figure 12-1 on page 12-2), Agent only, or Agent with network scanning. With posture assessment
configured, two types of roles are used specifically for Cisco NAC Appliance:
• Agent Temporary Role
When the Agent is used, the Agent Temporary role is assigned to users after authentication to allow
the user limited network access to download and install required packages that will prevent the
user’s system from becoming vulnerable. The user is prevented from normal login role access to the
network until the Agent requirements are met.
There is only one Agent Temporary role in the system. This role is only in effect when the user is
required to use Agent to login and pass Agent requirements.
The Agent Temporary role is assigned to users for the following time periods:
a. From the login attempt until successful network access. The client system meets Agent
requirements and is not found with vulnerabilities after network scanning. The user transfers
from the Agent Temporary role into the user’s normal login role.
b. From the login attempt until Agent requirements are met. The user has the amount of time
configured in the Session Timer for the role to download and install required packages. If the
user cancels or times out, the user is removed from the Agent Temporary role and must restart
the login process. If the user downloads Agent requirements within the time allotted, the user
stays in the Agent Temporary role and proceeds to network scanning (if enabled).
Note If the user reboots his/her client machine as part of a remediation step (if the required
application installation process requires you to restart your machine, for example), and
the Logoff NAC Agent users from network on their machine logoff or shutdown
after <x> secs option in the CAM Device Management > Clean Access > General
Setup > Agent Login web console page has not been enabled, the client machine
remains in the Temporary role until the Session Timer expires and the user is given the
opportunity to perform login/remediation again.
c. From the login attempt until network scanning finds vulnerabilities on the user system. If the
client system meets Agent requirements, but is found to have vulnerabilities during network
scanning, the user is transferred from the Agent Temporary role into the quarantine role.
• Quarantine Role
With network scanning enabled, the purpose of the Agent quarantine role is to allow the user limited
network access to resources needed to fix vulnerabilities that already exist on the user system. The
user is prevented from normal login role access to the network until the vulnerabilities are fixed.
There can be one or multiple quarantine roles in the system. A user is put into a quarantine role if:
– The user attempts to log in using the web login page, and network scanning finds a vulnerability
on the user system.
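The role precedence rule above (a MAC-address device filter role wins over the login-ID role) and the three Agent Temporary role outcomes (a, b, c) together form a small decision procedure. The following Python model is an added example written for this page; it is not Cisco code and does not reflect how the Clean Access Manager is implemented internally. Role names such as "quarantine-1", the Session Timer value, and the LoginAttempt fields are constructed for illustration.

```python
"""Illustrative model of Cisco NAC Appliance role assignment at login.

Added example, not part of the configuration guide. It encodes the rules
stated on the page: MAC-filter role beats login-ID role; with the Agent
in use, the user sits in the single Agent Temporary role until the
requirements are met (case a), the Session Timer runs out or the user
cancels (case b), or network scanning finds a vulnerability (case c).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

AGENT_TEMPORARY_ROLE = "Agent Temporary"   # exactly one such role exists in the system
QUARANTINE_ROLE = "quarantine-1"           # constructed name; a system may define several


@dataclass
class LoginAttempt:
    login_role: str                        # role mapped from the user's login ID ("Role B")
    mac_filter_role: Optional[str] = None  # role from a MAC address device filter ("Role A"), if any
    agent_required: bool = False           # user must log in with the Agent
    requirements_met: bool = False         # Agent requirements satisfied so far
    cancelled: bool = False                # user cancelled remediation
    elapsed_seconds: int = 0               # seconds since the login attempt
    session_timer_seconds: int = 600       # Session Timer for the Temporary role (constructed value)
    scan_enabled: bool = False             # network scanning enabled for the role
    scan_found_vulnerability: bool = False # result of network scanning, if it ran


def effective_login_role(attempt: LoginAttempt) -> str:
    """A role assigned via MAC address device filter overrides the login-ID role."""
    return attempt.mac_filter_role or attempt.login_role


def assign_role(attempt: LoginAttempt) -> Tuple[Optional[str], str]:
    """Return (role the user ends up in, reason). None means the login must be restarted."""
    normal_role = effective_login_role(attempt)

    if not attempt.agent_required:
        # Web login / network-scanning-only deployment: the Agent Temporary role is not used.
        if attempt.scan_enabled and attempt.scan_found_vulnerability:
            return QUARANTINE_ROLE, "web login: network scanning found a vulnerability"
        return normal_role, "web login: normal login role"

    # Agent in use: the user starts in the Agent Temporary role after authentication.
    timed_out = attempt.elapsed_seconds > attempt.session_timer_seconds
    if attempt.cancelled or timed_out:
        # Case (b), failure branch: removed from the Temporary role, must restart login.
        return None, "case b: cancelled or Session Timer expired; restart login"
    if not attempt.requirements_met:
        # Case (b), in progress: still downloading/installing required packages.
        return AGENT_TEMPORARY_ROLE, "case b: remediating within Session Timer"
    if attempt.scan_enabled and attempt.scan_found_vulnerability:
        # Case (c): requirements met but scanning found vulnerabilities.
        return QUARANTINE_ROLE, "case c: moved from Agent Temporary role to quarantine role"
    # Case (a): requirements met and no vulnerabilities found (or scanning disabled).
    return normal_role, "case a: moved from Agent Temporary role to normal login role"


if __name__ == "__main__":
    # Constructed sample: MAC filter says Role A, login ID says Role B; Agent required,
    # requirements met, scan clean -> user lands in Role A.
    sample = LoginAttempt(login_role="Role B", mac_filter_role="Role A",
                          agent_required=True, requirements_met=True,
                          scan_enabled=True, scan_found_vulnerability=False)
    print(assign_role(sample))
```

Running the block prints the role and reason for the constructed sample; the same function can be fed the other combinations (timeout, cancel, vulnerable scan, web login without the Agent) to check which role a given device and user would end up in before changing a production Session Timer or device filter.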