Specifications
6-6
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 6 User Management: Configuring User Roles and Local Users
Create User Roles
– The user logs in using the Agent and meets requirements but network scanning finds a vulnerability on the user system.
The user has the amount of time configured in the Session Timer for the role to access resources to
fix vulnerabilities. If the user cancels or times out, the user is logged out of the quarantine role and
must restart the login process. At the next login attempt, the client again goes through posture
assessment.
When the user fixes the vulnerabilities within the time allotted, if the Agent was used to log in, the user
can go through network scanning again during the same session. If web login was used, the user must
log out or time out and then log in again for the second network scan to occur.
Note When using web login, the user should be careful not to close the Logout page (see Figure 5-11 on
page 5-16). If the user cannot log out but reattempts to log in before the session times out, the user is
still considered to be in the original quarantine role and is not redirected to the login page.
Only when the user has met requirements and fixed vulnerabilities is the user allowed network access in
the corresponding normal login role. You can map all normal login roles to a single quarantine role, or
you can create and customize different quarantine roles. For example, multiple quarantine roles can be
used if different resources are required to fix vulnerabilities for particular operating systems. In either
case, a normal login role can only be mapped to one quarantine role. After the roles are created, the
association between the normal role and quarantine role is set up in the Device Management > Clean
Access > General Setup form. See Client Login Overview, page 1-6 for details.
Session Timeouts
You can also limit network access with brief session timeouts and restricted traffic policy privileges. The
session timeout period is intended to allow users only a minimum amount of time to complete posture
assessment and remediation. A minimal timeout period for client posture assessment-related roles:
• Limits the exposure of vulnerable users to the network.
• Prevents users from having full network access in the Temporary role. This limits the ability of users to
circumvent rechecks when they fail a particular check, install the required package, restart their
computers, but do not manually log out.
Factors in determining the timeout period appropriate for your environment include the network
connection speed available to users and the download size of packages you will require.
You can additionally configure a Heartbeat Timer to log off all users if the CAS cannot connect to the
clients after a configurable number of minutes. See Configure User Session and Heartbeat Timeouts,
page 8-15 for further details.
You can configure Max Sessions per User Account for a user role. This allows administrators to limit
the number of concurrent machines that can use the same user credentials. The feature allows you to
restrict the number of login sessions per user to a configured number. If the online login sessions for a
username exceed the value specified (1–255; 0 for unlimited), the web login page or the Agent will
prompt the user to end all sessions or end the oldest session at the next login attempt. See Role
Properties, page 6-9 for details.
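As an added illustration (not code from the Cisco guide or the CAM), the following Python model shows how a per-role Session Timer and the Max Sessions per User Account setting interact: timed-out quarantine sessions are dropped so the user must log in again, and a login that would push a username past its configured maximum (1–255; 0 for unlimited) is held until the user chooses to end all sessions or only the oldest. Role names, timeout values and the `end_all`/`end_oldest` choice strings are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Session:
    username: str
    role: str
    started: float  # seconds; constructed clock, not wall time


class SessionStore:
    """Toy model of role session timers and Max Sessions per User Account."""

    def __init__(self, session_timeouts, max_sessions):
        # role -> timer in seconds (0 = no timer); role -> max sessions (0 = unlimited)
        for role, limit in max_sessions.items():
            if not 0 <= limit <= 255:
                raise ValueError(f"max sessions for {role} must be 0 or 1-255")
        self.session_timeouts = session_timeouts
        self.max_sessions = max_sessions
        self.sessions = []

    def expire(self, now):
        """Log out every session whose role timer has elapsed; return those sessions."""
        keep, expired = [], []
        for s in self.sessions:
            timer = self.session_timeouts.get(s.role, 0)
            (expired if timer and now - s.started >= timer else keep).append(s)
        self.sessions = keep
        return expired

    def active(self, username):
        return [s for s in self.sessions if s.username == username]

    def login(self, username, role, now, on_limit=None):
        """Return "ok" when a session is created, "prompt" when the user must choose."""
        self.expire(now)
        limit = self.max_sessions.get(role, 0)
        current = self.active(username)
        # Assumption: the prompt fires when this login would exceed the limit.
        if limit and len(current) >= limit:
            if on_limit == "end_all":
                self.sessions = [s for s in self.sessions if s.username != username]
            elif on_limit == "end_oldest":
                self.sessions.remove(min(current, key=lambda s: s.started))
            else:
                return "prompt"  # web login page or Agent asks the user
        self.sessions.append(Session(username, role, now))
        return "ok"
```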