Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule
expires, the user must log in again to continue using the network. For example, if the timer is set for 5
minutes, and the user removes the system from the network for 6 minutes, the user must log in again to
use the network.
Step 4 Click Update to enable the Heartbeat Timeout.
Configure Policies for Agent Temporary and Quarantine Roles
This section demonstrates typical traffic policy and session timeout configuration needed to:
• Configure Agent Temporary Role
• Configure Network Scanning Quarantine Role
Configure Agent Temporary Role
Users who fail a system check are assigned to the Agent Temporary role. This role is intended to restrict
user access to only the resources needed to comply with the Agent requirements.
Unlike Quarantine roles, there is only one Agent Temporary role in the Cisco NAC Appliance system.
The role can be fully edited, and is intended as a single point for aggregating the traffic control policies
that allow users to access required installation files. If the Temporary role is deleted, the Unauthenticated
role is used by default. The name of the role that is used for the Temporary role (in addition to the version
of the Agent) is displayed under Device Management > Clean Access > Clean Access Agent >
Distribution.
Both session timeout and traffic policies need to be configured for the Temporary role. The Temporary
role has a default session timeout of 4 minutes, which can be changed as described below. The
Temporary and quarantine roles have default traffic control policies of Block All traffic from the
untrusted to the trusted side. Keep in mind that while you associate requirements (required packages) to
the normal login roles that users attempt to log into, clients will need to meet those requirements while
still in the Temporary role. Therefore, traffic control policies need to be added to the Temporary role to
enable clients to access any required software installation files from the download site(s).
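The following Python check is an added example, not Cisco code and not a CAM export format. It audits a hand-transcribed list of Temporary role allow policies against the download URLs the requirements point at, reporting sites that would still hit the default Block All and allow rules wider than the role needs. The `AllowRule` structure, the function names, and the example.com hosts are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class AllowRule:
    """One allow policy on the Temporary role (hypothetical transcription format)."""
    host: str   # exact hostname, or "*" for any trusted-side host
    port: int   # destination port; 0 means any port

def endpoint(url):
    """Return the (host, port) a client must reach to fetch `url`."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return parts.hostname.lower(), port

def matches(rule, host, port):
    return rule.host in ("*", host) and rule.port in (0, port)

def audit_temporary_role(rules, requirement_urls):
    """Compare allow rules with the download sites the requirements use.

    Anything not matched by a rule falls through to the default Block All.
    Returns (blocked_urls, unused_rules, wildcard_rules).
    """
    needed = {url: endpoint(url) for url in requirement_urls}
    blocked = sorted(u for u, (h, p) in needed.items()
                     if not any(matches(r, h, p) for r in rules))
    unused = [r for r in rules
              if not any(matches(r, h, p) for h, p in needed.values())]
    wildcard = [r for r in rules if r.host == "*" or r.port == 0]
    return blocked, unused, wildcard

# Constructed sample data, not taken from any real deployment.
SAMPLE_RULES = [
    AllowRule("av-updates.example.com", 443),
    AllowRule("files.example.com", 80),   # no requirement downloads from here
    AllowRule("*", 8080),                 # any host on port 8080
]
SAMPLE_REQUIREMENTS = [
    "https://av-updates.example.com/defs/latest.exe",
    "http://patches.example.com/kb/fix.msi",   # no matching allow rule
]

if __name__ == "__main__":
    blocked, unused, wildcard = audit_temporary_role(SAMPLE_RULES, SAMPLE_REQUIREMENTS)
    print("still blocked by default:", blocked)
    print("not needed by any requirement:", unused)
    print("broader than one host and port:", wildcard)
```

A non-empty first list means clients in the Temporary role cannot fetch a required package; the other two lists are candidates for tightening, since the role is meant to expose only what remediation needs.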
Note: If the user reboots his/her client machine as part of a remediation step (if the required application
installation process requires you to restart your machine, for example), and the "Logoff NAC Agent users
from network on their machine logoff or shutdown after <x> secs" option in the CAM Device
Management > Clean Access > General Setup > Agent Login web console page has not been enabled,
the client machine remains in the Temporary role until the Session Timer expires and the user is given
the opportunity to perform login/remediation again.
Configuring Agent-Based Posture Assessment, page 9-39 provides complete details on Agent
Requirement configuration. See also User Role Types, page 6-3 for additional information.
Configure Session Timeout for the Temporary Role
1. Go to User Management > User Roles > Schedule.
2. The Session Timer list appears.