Specifications
9-8
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Require Agent Login for Client Machines
• In a Layer 3 network topology, when users move from one location to another and use the same CAS
name as the Discovery Host, it is recommended to use DNS to resolve that name to the IP address of the
CAS closest to the user.
• Once a device is connected to the Access network, the OOB Logoff heartbeat packets of the NAC
Agent must be sent to the same CAS that authenticated the device.
Feature Dependencies - Optional
• In order to enforce OOB Heartbeat Timer, you must enable Out-of-Band Logoff. See Configure
OOB Heartbeat Timer (per User Role), page 8-18 for more information.
• The Certified Devices List (CDL) is cleared by Out-of-Band Logoff only when the Require users
to be certified at every web login option in the CAM Device Management > Clean Access >
General Setup > Web Login web console page is enabled for the user role and appropriate OS. See
Web Login, page 1-11 for more details.
• To log off NAC Agent users on a per-role basis when a user logs off the Windows domain, ensure
that the Logoff NAC Agent users from network on their machine logoff or shutdown after <x>
secs option in the CAM Device Management > Clean Access > General Setup > Agent Login
web console page has been enabled for the user role. See Agent Login, page 1-7 for more details.
By default, when the Logout or Exit option is selected from the Cisco NAC Agent icon in the system
tray, the Agent sends a logout request to the CAS.
Feature Limitations
• Release 4.7(x) and earlier versions of the Cisco NAC Agent and Mac OS X Agent do not support
the Out-of-Band Logoff feature.
• The user is logged off if a DHCP renew assigns a different IP address, or if the client machine moves
to a second Access VLAN.
• When using Out-of-Band Logoff in a multi-homed environment, the NAC Agent can track only one
login at a time (for PRA, Heartbeat, and Logout).
For example, suppose a user logs in through the NAC Agent over the wireless connection, then plugs
the PC into the wired network and logs in again over the wired connection. From that point, the Agent
uses only the wired IP address for communication. If the user logs out now, the entry for the wired IP
address is removed from the OUL, but the wireless entry remains in the OUL until the OOB Heartbeat
Timer expires, at which point it is removed. It is recommended to set a short OOB Heartbeat interval
so that the stale wireless entry is removed promptly.
• The following failure scenarios might cause the Cisco NAC Agent login dialog to appear following
successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band
and Out-of-Band) and Layer 2/Layer 3 Out-of-Band environments. Erroneous Agent login dialogs could
also appear if users roam from the Cisco NAC Appliance network in Layer 3 mode to a non-NAC
network:
– ARP poisoning
– Temporary loss of network connection between the client machine and the CAS
– Access to the untrusted interface IP address of the CAS from non-NAC network segments by
NAC-enabled client machines
Cisco offers the following recommendations to prevent this situation:
– Ensure all trusted networks (post-authentication) can reach the CAS untrusted interface IP
address through the CAS trusted interface only
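The multi-homed limitation above is easiest to reason about as a small state model: the OUL keeps one entry per client IP address, the Agent refreshes only the IP it currently tracks, and a logout removes only that entry, so the older entry survives until the OOB Heartbeat Timer expires. The following script is an added illustration written for this guide, not Cisco's code: the OUL structure, the user name, the IP addresses and the timer values are constructed assumptions, and it models only the behaviour described in the limitation.

```python
"""Simplified model of the Out-of-Band Online User List (OUL) and the OOB Heartbeat
Timer for a multi-homed client. Added illustration; not the Cisco NAC Appliance
implementation. All names, addresses and timings below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

USER = "alice"                 # constructed user name
WIRELESS_IP = "10.0.1.50"      # constructed: first login, over wireless
WIRED_IP = "10.0.2.50"         # constructed: second login, over wired


@dataclass
class OulEntry:
    user: str
    ip: str
    last_heartbeat: float      # seconds; time of login or last heartbeat seen


class OnlineUserList:
    """One OUL entry per client IP, aged out by the OOB Heartbeat Timer."""

    def __init__(self, heartbeat_timer: float):
        self.heartbeat_timer = heartbeat_timer
        self.entries: dict[str, OulEntry] = {}

    def login(self, user: str, ip: str, now: float) -> None:
        self.entries[ip] = OulEntry(user, ip, now)

    def heartbeat(self, ip: str, now: float) -> None:
        if ip in self.entries:
            self.entries[ip].last_heartbeat = now

    def logout(self, ip: str) -> None:
        self.entries.pop(ip, None)

    def expire(self, now: float) -> list[str]:
        """Remove entries whose last heartbeat is older than the timer; return their IPs."""
        stale = [ip for ip, e in self.entries.items()
                 if now - e.last_heartbeat > self.heartbeat_timer]
        for ip in stale:
            del self.entries[ip]
        return stale

    def ips_for(self, user: str) -> list[str]:
        return sorted(ip for ip, e in self.entries.items() if e.user == user)


class MultiHomedAgent:
    """Agent that tracks only its most recent login, as the limitation describes."""

    def __init__(self) -> None:
        self.active_ip: str | None = None

    def login(self, oul: OnlineUserList, user: str, ip: str, now: float) -> None:
        oul.login(user, ip, now)
        self.active_ip = ip            # the earlier login is no longer tracked

    def heartbeat(self, oul: OnlineUserList, now: float) -> None:
        if self.active_ip:
            oul.heartbeat(self.active_ip, now)

    def logout(self, oul: OnlineUserList) -> None:
        if self.active_ip:
            oul.logout(self.active_ip)  # only the tracked entry is removed
            self.active_ip = None


def simulate(heartbeat_timer: float, sweep_interval: float = 10) -> dict:
    """Wireless login at t=0, wired login at t=10, heartbeat at t=15, logout at t=20.
    Returns which OUL entries survive the logout and when the orphan is aged out."""
    oul = OnlineUserList(heartbeat_timer)
    agent = MultiHomedAgent()
    agent.login(oul, USER, WIRELESS_IP, now=0)
    agent.login(oul, USER, WIRED_IP, now=10)   # agent now tracks only the wired IP
    agent.heartbeat(oul, now=15)                # refreshes the wired entry only
    agent.logout(oul)                           # wired entry removed, wireless orphaned
    after_logout = oul.ips_for(USER)
    expired_at = None
    t = 20.0
    while oul.ips_for(USER) and t < 20 + 100 * heartbeat_timer:  # bounded sweep loop
        t += sweep_interval
        if oul.expire(t):
            expired_at = t
    return {"after_logout": after_logout, "expired_at": expired_at}


if __name__ == "__main__":
    for timer in (60, 300):
        print(f"OOB Heartbeat Timer={timer}s:", simulate(timer))
```

Running it shows the stale wireless entry surviving the logout in both cases and disappearing at the first sweep after the timer expires, which is why the guide recommends a short OOB Heartbeat interval when clients are multi-homed.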