Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Require Agent Login for Client Machines
Check whether the client machine is able to reach the CAS by name or IP address after a successful login to the Access VLAN. This updates the client's Access VLAN IP address in the CAM web console.
If using the name to reach the CAS, perform a DNS lookup of the CAS using its fully qualified domain name (FQDN).
At a minimum, open Wireshark to see whether the CAS is responding to the Agent logout request.
Check whether the CAS was rebooted after the OOB Logout feature was enabled in the CAM web console.
Check the following CAS log files:
/perfigo/access/tomcat/logs/nac_server.log
/perfigo/access/tomcat/logs/catalina.out
/perfigo/access/apache/logs/access_log
Check the following CAM log files:
/perfigo/control/tomcat/logs/nac_manager.log
/perfigo/control/tomcat/logs/catalina.out
Check the Event Logs in the CAM web console by clicking Monitoring > Event Logs > View Logs.
Note See Cisco NAC Appliance Log Files, page 13-11 for more details.
Collect the NAC Agent support logs by clicking Start > All Programs > Cisco > Client Utilities > Cisco Log Packager.
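The checklist above is easy to script. The following POSIX shell helper is an added example, not part of the Cisco guide: it resolves the CAS FQDN through the system resolver, tests reachability, confirms that the CAS log files the guide lists are present, and counts the lines in a log that mention a given client IP address, which is the quickest way to see whether the logout request from that client ever reached the CAS. The log-line format in the constructed sample is an assumption for illustration only; the real nac_server.log format is not documented here, so the match is on the client IP address alone.

```shell
#!/bin/sh
# Added example (not from the Cisco guide). Assumes a POSIX shell with
# getent, grep, awk, mktemp and ping available; the /perfigo paths are the
# ones listed in the guide's troubleshooting checklist.

CAS_LOGS="/perfigo/access/tomcat/logs/nac_server.log
/perfigo/access/tomcat/logs/catalina.out
/perfigo/access/apache/logs/access_log"

# Resolve the CAS name with the system resolver (/etc/hosts, then DNS).
# Prints the first address found; returns 1 when the name does not resolve.
resolve_cas() {
    addr=$(getent hosts "$1" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# Reachability check from the client side of the Access VLAN.
# ICMP may be filtered; a failure here is a hint, not proof of a dead CAS.
cas_reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Print the guide's CAS log files that are absent or unreadable.
# An empty result means every listed file can be opened.
list_missing_logs() {
    printf '%s\n' "$CAS_LOGS" | while IFS= read -r f; do
        [ -r "$f" ] || printf '%s\n' "$f"
    done
}

# Count log lines that mention the client IP address. A zero for the
# client you just logged out means the CAS never saw its logout request.
# $1 = log file, $2 = client IP address
count_client_hits() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    grep -c -F -- "$2" "$1" || true   # grep exits 1 on zero matches
}

# Show the matching lines so the timestamps can be compared with a capture.
show_client_lines() {
    grep -n -F -- "$2" "$1" || true
}

# Constructed sample log (NOT the real nac_server.log format) so the
# helpers can be exercised without a CAS at hand.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2013-01-15 10:22:01 INFO  OOB logout request received from 10.1.20.55
2013-01-15 10:22:01 INFO  OOB logout reply sent to 10.1.20.55
2013-01-15 10:23:40 INFO  agent login 10.1.20.77 role=Employee
EOF

# Stand-alone usage: sh this_script.sh <cas-fqdn> <client-ip>
if [ "$#" -eq 2 ]; then
    if addr=$(resolve_cas "$1"); then
        echo "CAS $1 resolves to $addr"
        cas_reachable "$addr" && echo "CAS reachable" || echo "CAS not reachable"
    else
        echo "CAS name $1 does not resolve: check DNS/FQDN" >&2
    fi
    missing=$(list_missing_logs)
    [ -z "$missing" ] || printf 'missing log files:\n%s\n' "$missing"
    for f in $CAS_LOGS; do
        [ -r "$f" ] && echo "$f: $(count_client_hits "$f" "$2") line(s) mention $2"
    done
fi
```

Run it on the CAS itself (or wherever the log files are mounted) right after the test client logs out; a resolving name, a reachable address and a non-zero count for the client in nac_server.log narrow the problem to the CAM side, while a zero count points back at DNS, the Access VLAN path, or a CAS that was not rebooted after OOB Logout was enabled.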
Configure Restricted Network Access for Agent Users
Administrators can configure restricted network access for users who choose not to download and install the Cisco NAC Agent or launch the Cisco NAC Web Agent themselves, for example because they lack permissions on the machine or because they only need guest access. This enhancement is intended to help guests or partners in a corporate environment get onto the network even when their assigned user role requires them to log in via an Agent.
Users can also take advantage of “restricted” network access to gain limited network access when the client machine fails remediation and the user must apply updates to meet network access requirements before logging in with their assigned user role.
The restricted network access option can only be configured when the Require use of Agent and/or Require use of Cisco NAC Web Agent checkboxes are enabled, and the option allows you to configure the user role to which these users are assigned as well as the button and text presented. When the user performs initial web login and is redirected to download the Agent, the “Restricted Network Access” text and button appear below the “Download Cisco NAC Agent” and/or “Launch Cisco NAC Web Agent” buttons on the page (Figure 9-2 and Figure 9-3) if the “Allow restricted network access in case user cannot use NAC Agent or Cisco NAC Web Agent” option is enabled under Device Management > Clean Access > General Setup | Agent Login. If the user chooses not to download the Agent or launch the Cisco NAC Web Agent, the user can click the “Get Restricted Network Access” button to gain the access permitted by the assigned role through the same browser page.
To support Agent login and/or remediation, users can choose to accept “restricted” network access during Agent login dialog sessions when it is clear that the client machine requires updates in order to meet network security requirements. During the Agent session, the user can click Get Restricted Network Access in the Cisco NAC Agent/Cisco NAC Web Agent dialogs and immediately access the