Specifications
9-13
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Retrieving Cisco NAC Appliance Updates
OS Detection Fingerprint:
By default, the system uses the User-Agent string from the HTTP header to determine the client OS. In
addition, platform information from JavaScript or the OS fingerprinting from the TCP/IP handshake can
also be compared against the OS signature information in the CAM database to determine the client OS.
The OS signature information in the CAM can be updated when new OS signatures become available, so
that an OS fingerprint can be verified as belonging to a Windows machine. This enhanced OS fingerprinting
feature is intended to prevent users from misrepresenting their client operating system by manipulating
the HTTP header information. Note that this is a “passive” detection technique (accomplished without
Nessus) that only inspects the TCP handshake and is not affected by a personal firewall on the client. See also Device
Management > CCA Servers > Manage [CAS_IP] > Authentication > OS Detection in the CAS
management pages of the web console, and the Cisco NAC Appliance - Clean Access Server
Configuration Guide, Release 4.9(x) for further details.
Note The OS detection/fingerprinting feature uses both browser User-Agent string and TCP/IP stack
information to try to determine the OS of the client machine. While the detection routines will attempt
to find the best match, it is possible that the OS may be detected incorrectly if the end-user modifies the
TCP/IP stack on the client machine and changes the User-Agent string on the browser. If there is concern
regarding malicious users evading the OS fingerprinting/detection mechanisms, then administrators are
advised to use network scanning in order to confirm the OS on the machine. If, for any reason, it is not
possible or not desirable to use network scanning, then network administrators should consider
pre-installing the Agent on client machines or allowing users to log in via the Cisco NAC Web Agent.
In a FIPS 140-2 compliant network where both the CAMs and CASs are configured in failover mode,
Cisco NAC Appliance does not correctly report the operating system of a client machine following a
failover event and subsequent synchronization. Once the CAM/CAS detect client HTTP/HTTPS traffic,
the CAM/CAS are able to “rediscover” the client machine operating system following the failover event.
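As an added illustration (not Cisco's code, and not the CAM's actual OS signature database), the following Python sketch shows the cross-check described above: the OS family claimed by the browser's User-Agent string is compared with a passive fingerprint of the client's TCP/IP handshake, and a disagreement is escalated to the network-scan confirmation the Note recommends. The signature table, the User-Agent patterns, the verdict strings and the sample sessions are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed, illustrative signature table (NOT the CAM's OS signature database):
# (initial TTL, TCP window size, TCP timestamp option present) -> OS family.
TCP_SIGNATURES = {
    (128, 8192, False): "Windows",
    (128, 65535, False): "Windows",
    (64, 65535, True): "Mac OS X",
    (64, 5840, True): "Linux",
    (64, 29200, True): "Linux",
}

# Constructed User-Agent patterns; order matters because "Linux" would also
# match Android strings, so the more specific families are tested first.
USER_AGENT_PATTERNS = [
    (re.compile(r"Windows NT"), "Windows"),
    (re.compile(r"Mac OS X"), "Mac OS X"),
    (re.compile(r"Linux"), "Linux"),
]


@dataclass(frozen=True)
class Verdict:
    http_os: str      # OS family claimed by the User-Agent header
    tcp_os: str       # OS family inferred from the TCP/IP handshake
    consistent: bool  # True only when both sources agree
    action: str       # what the admission logic should do next


def os_from_user_agent(user_agent: str) -> str:
    """Map a User-Agent string to an OS family (the default detection method)."""
    for pattern, family in USER_AGENT_PATTERNS:
        if pattern.search(user_agent):
            return family
    return "Unknown"


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed IP TTL up to the nearest common default (64/128/255),
    undoing the decrement applied by each router hop on the way to the CAS."""
    for default in (64, 128, 255):
        if observed_ttl <= default:
            return default
    return 255


def os_from_tcp(observed_ttl: int, window: int, timestamps: bool) -> str:
    """Passive fingerprint: look the handshake parameters up in the table."""
    key = (initial_ttl(observed_ttl), window, timestamps)
    return TCP_SIGNATURES.get(key, "Unknown")


def assess(user_agent: str, observed_ttl: int, window: int, timestamps: bool) -> Verdict:
    """Cross-check the HTTP claim against the TCP/IP fingerprint."""
    http_os = os_from_user_agent(user_agent)
    tcp_os = os_from_tcp(observed_ttl, window, timestamps)
    if "Unknown" in (http_os, tcp_os):
        # No signature match: neither source can be trusted on its own.
        return Verdict(http_os, tcp_os, False, "undetermined: require Agent login")
    if http_os == tcp_os:
        return Verdict(http_os, tcp_os, True, "accept")
    # The browser says one thing and the TCP stack another: the case the Note
    # warns about, so confirm with an active network scan before trusting either.
    return Verdict(http_os, tcp_os, False, "mismatch: confirm OS with network scan")


# Constructed sample sessions: (User-Agent, observed TTL, window, timestamps).
SAMPLE_SESSIONS = [
    ("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0", 122, 8192, False),
    ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26", 61, 65535, True),
    # User-Agent claims Windows, but the TCP stack parameters look like Linux.
    ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11", 60, 29200, True),
]


def evaluate_sessions(sessions=SAMPLE_SESSIONS):
    """Return one Verdict per sample session, in order."""
    return [assess(*session) for session in sessions]


if __name__ == "__main__":
    for verdict in evaluate_sessions():
        print(f"{verdict.http_os:9} vs {verdict.tcp_os:9} "
              f"consistent={verdict.consistent!s:5} -> {verdict.action}")
```

The TTL rounding is what makes the check usable behind routers: each hop decrements the TTL, so only the nearest default value is meaningful. A real deployment would carry far more signature tuples, but the decision structure (agree, disagree, or no match) is the same as the three outcomes the guide distinguishes.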
Windows NAC Agent
Displays the current version of the Cisco NAC Windows Agent installed on the CAM. This is the version
of Cisco NAC Agent that users upload and install on their client machines when they first sign in to Cisco
NAC Appliance.
Compliance Module for Windows
Displays the current version of the AV/AS vendor application support package available to Windows
client machines logging into the Cisco NAC Appliance system.
Macintosh Clean Access Agent
Displays the current version of the Mac OS X Cisco NAC Agent available on the CAM. This is the
version of Mac OS X Agent that users upload and install on their client machines when they first sign in
to Cisco NAC Appliance. The Mac OS X Agent is automatically updated to a more current version when
users sign in and a newer version of the Agent is available on the CAM.
Compliance Module for Mac
Displays the current version of the AV/AS vendor application support package available to Macintosh
client machines logging into the Cisco NAC Appliance system.
Cisco NAC Web Agent
Displays the version of the Cisco NAC Web Agent currently installed on the CAM. Users who log in and
choose to use the temporal Cisco NAC Web Agent always receive the current version of the Agent for
their user session.