1-12
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
Client Login Overview
Table 1-2 Web Login—General Setup Configuration Options (continued)

Control: Show Network Scanner User Agreement Page to web login users
Description: Click this checkbox to present the User Agreement Page (“Virus Protection Information”) after web login and network scanning. The page displays the content you configure in the User Agreement configuration form. Users must click the Accept button to access the network.
Note: The User Agreement Page is only shown to the first user that logs in with the device. This helps to identify the authenticating user who accepted the UAP. Clearing the device from the Certified Devices List will force the user to accept the UAP again at the next login.
If choosing this option, be sure to configure the page as described in Customize the User Agreement Page, page 12-19.

Control: Enable pop-up scan vulnerability reports from User Agreement Page
Description: Click this checkbox to enable web login users to see the results of their network scan from a popup browser window. If popup windows are blocked on the client computer, the user can view the report by clicking the Scan Report link on the Logout page.

Control: Require users to be certified at every web login
Description: Click this checkbox to force users to go through network scanning every time they access the network.
If disabled (default), users only need to be certified the first time they access the network, or until their MAC address is cleared from the Certified Devices List.
Note: This option only applies to the In-Band Online Users list. When this option is enabled and the Online Users list entry is deleted, the corresponding Certified Devices List entry is deleted if there are no other Online Users list (either In-Band or Out-of-Band) entries with the same MAC address.

Control: Exempt certified devices from web login requirement by adding to MAC filters
Description: Click this checkbox to place the MAC address of devices that are on the Cisco NAC Appliance Certified Devices List into the authentication passthrough list. This allows devices to bypass authentication and posture assessment the next time they access the network.

Control: Block/Quarantine users with vulnerabilities in role
Description: Click this checkbox and select a quarantine role from the dropdown menu to put the user in the quarantine role if found with vulnerabilities after network scanning. If quarantined, the user must correct the problem with their system and go through network scanning again until no vulnerabilities are found in order to access the network.
Click this checkbox and select Block Access from the dropdown menu to block the user from the network if found with vulnerabilities after network scanning. If a user is blocked, the Blocked Access page is shown with the content entered in the Message (or URL) for Blocked Access Page: field.
Note: The role session expiration time appears in parentheses next to the quarantine role name. This session time also appears on the User Agreement Page, if display of the page is enabled for a quarantined user.

Control: Show quarantined users the User Agreement Page of
Description: If Quarantine is selected for Block/Quarantine users with vulnerabilities in role, this option appears below. It lets you present a User Agreement Page specific to the quarantine role chosen for users who fail scanning. Alternatively, Cisco NAC Appliance can present the page associated with the user’s normal login role, or no page. See Customize the User Agreement Page, page 12-19 for further information.

Control: Message (or URL) for Blocked Access Page:
Description: If Block Access is selected for “Block/Quarantine users with vulnerabilities in role”, this option appears. To modify the default message, type HTML text or enter a URL for the message that should appear when a user is blocked from the network for failing Nessus Scanning.
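
The certification rules in this table interact, so here they are as a small Python model; this is an added example, not Cisco code and not part of the original guide. The class, method and field names are assumptions, and the model leaves out quarantined sessions and the MAC-filter exemption.

```python
# Added model of the Table 1-2 certification rules; names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class WebLoginModel:
    certify_every_login: bool = False   # "Require users to be certified at every web login"
    show_uap: bool = True               # "Show Network Scanner User Agreement Page ..."
    on_vuln: str = "quarantine"         # "quarantine" or "block"
    certified: set = field(default_factory=set)   # Certified Devices List (MAC addresses)
    online: list = field(default_factory=list)    # Online Users list: (user, mac, band)

    def web_login(self, user, mac, vulnerable, band="in-band"):
        """Return, in order, the steps this web login goes through."""
        steps = []
        first_on_device = mac not in self.certified
        # Default: scan only until the device is certified. With the option
        # enabled, every web login is scanned.
        if self.certify_every_login or first_on_device:
            steps.append("scan")
            if vulnerable:
                steps.append(self.on_vuln)
                return steps            # not certified; must fix and rescan
        if first_on_device:
            if self.show_uap:
                steps.append("user-agreement")  # only the first user on the device
            self.certified.add(mac)
        self.online.append((user, mac, band))
        steps.append("access")
        return steps

    def remove_online(self, user, mac, band="in-band"):
        """Delete an Online Users entry, then apply the Note's cleanup rule."""
        self.online.remove((user, mac, band))
        others = any(m == mac for _, m, _ in self.online)  # In-Band or Out-of-Band
        if self.certify_every_login and band == "in-band" and not others:
            self.certified.discard(mac)

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"           # constructed sample MAC address
    default = WebLoginModel()
    print(default.web_login("alice", mac, vulnerable=False))
    default.remove_online("alice", mac)
    # The device stays certified, so a later login is not rescanned.
    print(default.web_login("bob", mac, vulnerable=True))
```

With the default setting, the second login reaches the network without a scan because the MAC address is still on the Certified Devices List; with `certify_every_login=True`, the same login is scanned and then quarantined or blocked.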