Specifications

9-40
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Configuring Agent-Based Posture Assessment
Rules
In all but one case—the Windows Server Update Service (WSUS) “Severity” option requirement type—you must map rules to requirements to ensure client machines meet security standards. A rule is the unit the Agent uses to validate client machines and assess whether or not a requirement has been met. Rules can be:

- Preconfigured AV/AS rules, which you associate to AV/AS requirements. These require no additional checks to validate client machines.
- Preconfigured Cisco Rules (“pr_rule”) that feature one or more preset checks; for example, the Windows hotfix-related “pr_” rules only address “Critical” updates. You can map pr_rules as the validation criteria for several different requirement types. Refer to Cisco Pre-Configured Rules (“pr_”), page 9-71 for further details on Cisco Rules.
- A custom rule made up of one or more preconfigured or custom checks. A custom rule is one you create yourself by configuring a rule expression based on checks.
For details on mapping requirements to rules, see Map Requirements to Rules, page 9-90.
Checks
Checks are the building blocks for rules, but in most cases you will not need to configure them. A check is a single registry, file, service, or application check for a selected operating system, and is used to create a custom rule. A check can be a Cisco pre-configured check (pc_ check) or a custom check you create yourself. When you map rules to requirements, make sure the appropriate checks (pc_ checks or custom checks) are in place to accurately validate client machines.
Note Preconfigured (“pr_”) rules are already associated with one or more checks that validate client machine security standards. You only need to create custom rules or checks if the preconfigured rules or checks do not meet your needs. See Configuring Custom Checks, Rules, and Requirements, page 9-70 for more information.
Role Mapping
Once you have mapped a requirement to one or more rules, the final step is to associate the requirement to a normal login user role. Users who attempt to authenticate into the normal user role are put into the Temporary role until they pass the requirements associated with the normal login role:

- If they successfully meet the requirements, the users are allowed on the network in the normal login role.
- If they fail to meet the requirements, users stay in the Temporary role for the session timeout until they take the steps described in the Agent dialogs and successfully meet the requirements.
For details on mapping requirements to roles, see Apply Requirements to User Roles, page 9-92.
Note To map a requirement to a normal login user role, the role must already be created as described in Create User Roles, page 6-2.
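The checks-to-rules-to-requirements-to-role chain described in the Rules and Role Mapping sections above, as an added model written for this page (not Cisco's code and not the CAM's rule-expression syntax). The check names, the `&`/`|`/`!` expression syntax, and the assumption that every rule mapped to a requirement must pass are all constructed for illustration.

```python
import re
# Constructed Agent verdicts for one client machine; each entry stands for one
# registry/file/service/application check. Names are placeholders, not real pc_ checks.
CHECK_RESULTS = {"pc_AV_Installed_X": True, "pc_AV_Service_X": True, "pc_Hotfix_X": False}
# Rules are expressions over checks. The &, |, ! and ( ) syntax is an assumption
# of this model, not the CAM's own rule-expression syntax.
RULES = {
    "pr_AV_X": "pc_AV_Installed_X & pc_AV_Service_X",
    "custom_Hotfix": "pc_Hotfix_X | !(pc_AV_Installed_X & pc_AV_Service_X)",
}
# Requirement -> mapped rules (assumed: all must pass); login role -> requirements.
REQUIREMENTS = {"AV_Req": ["pr_AV_X"], "Hotfix_Req": ["custom_Hotfix"]}
ROLE_REQUIREMENTS = {"Employee": ["AV_Req", "Hotfix_Req"]}

def _factor(tokens, checks):  # factor := '!' factor | '(' expr ')' | check_name
    tok = tokens.pop(0)
    if tok == "!":
        return not _factor(tokens, checks)
    if tok == "(":
        value = _expr(tokens, checks)
        if tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return value
    return bool(checks[tok])  # KeyError: the rule names a check that does not exist
def _term(tokens, checks):  # term := factor ('&' factor)*
    value = _factor(tokens, checks)
    while tokens and tokens[0] == "&":
        tokens.pop(0)
        value = _factor(tokens, checks) and value  # evaluate both operands
    return value
def _expr(tokens, checks):  # expr := term ('|' term)*
    value = _term(tokens, checks)
    while tokens and tokens[0] == "|":
        tokens.pop(0)
        value = _term(tokens, checks) or value
    return value
def evaluate_rule(expression, checks):
    tokens = re.findall(r"\w+|[&|!()]", expression)
    if "".join(tokens) != re.sub(r"\s+", "", expression):
        raise ValueError("illegal characters in rule expression")
    result = _expr(tokens, checks)
    if tokens:
        raise ValueError("unexpected trailing tokens")
    return result
def requirement_met(requirement, checks):
    return all(evaluate_rule(RULES[r], checks) for r in REQUIREMENTS[requirement])
def assign_role(login_role, checks):
    # The user stays in the Temporary role until every mapped requirement is met.
    failed = [r for r in ROLE_REQUIREMENTS[login_role] if not requirement_met(r, checks)]
    return ("Temporary" if failed else login_role), failed
```

With the constructed verdicts the hotfix requirement fails, so `assign_role("Employee", CHECK_RESULTS)` places the user in the Temporary role and reports which requirement still needs remediation; flipping `pc_Hotfix_X` to True admits the user to the Employee role.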