Specifications
9-58
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Configuring Agent-Based Posture Assessment
using Cisco Rules can provide for quicker client validation and user login. However, client machines are
only checked against “Critical” hotfixes encompassed by the Cisco Rules. For details on pr_rules, see
Configuring Custom Checks, Rules, and Requirements, page 9-70.
If you choose to validate client machines using Windows Update “Severity” options, you do not have to
configure requirement-rule mapping and you can choose the level of hotfix to check against. The
“Severity” posture assessment settings require access to external WSUS update servers to both verify
client machine security compliance and install Windows updates, which can take a significantly longer
period of time to complete.
The “Windows Server Update Services” requirement provides an Update button on the Agent for
remediation. When the end user clicks the Update button, the Agent launches the Automatic Updates
Agent and forces it to get the update software from a Microsoft-managed or local/third-party-managed
WSUS server. You can make the WSUS requirement Mandatory, however, the software download from
WSUS servers can take some time (particularly if you are using “Severity” settings to validate client
machines). Therefore, Cisco recommends making the WSUS requirement “Optional” so that WSUS
remediation takes place as a background process on the client machine.
Note The Cisco NAC Web Agent only supports Go To Link manual remediation and File Distribution
functionality. Cisco NAC Web Agent does not support Update or Launch remediation actions, nor does
it perform Auto Remediation.
If you only need to enable or disable Windows Updates (that is, if you do not require specific updates
based on the Microsoft severity level), you can configure a standard Windows Update requirement
instead of a WSUS requirement. For more information, see Configuring a Windows Update
Requirement, page 9-64.
Prerequisites
• The network administrator must ensure the Automatic Updates Agent is updated to support a local WSUS server so that auto-launch capabilities work. For details, refer to:
– http://www.microsoft.com/windowsserversystem/updateservices/evaluation/faqs.mspx
• The “Windows Server Update Services” requirement type is only for Windows 8.1/8/7/XP/Vista.
• In order to support Windows Server Update Services operations, client machines must have version
5.4.3790.1000 (or a more recent version) of the WUAUENG.dll file installed.
• If users without Administrator privileges are using WSUS to update Windows, you must choose the
No UI option for the Installation Wizard Interface Setting when configuring a WSUS
requirement.
• Some Microsoft Windows components (e.g., Internet Explorer 7) require admin privileges in order
to successfully update. If the user does not have admin privileges on the client machine, the
Windows update process returns a “WU_E_NO_INTERACTIVE_USER” error. Therefore, Cisco
recommends making any Windows updates requiring admin privileges “Optional” to minimize
update failures. For details, refer to http://msdn2.microsoft.com/en-us/library/aa387289.aspx.
• WSUS forced updates can take a while. They are launched and run in the background.
• If there are update errors, refer to C:\Windows\Windows Update.log or
C:\Windows\WindowsUpdate.log on the client machine.
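As an added example (not part of the Cisco guide), the following PowerShell script checks a client machine against the prerequisites listed above before a WSUS requirement is rolled out; it assumes a plain-text WindowsUpdate.log as found on the Windows versions this requirement type supports, and reads the Group Policy WUServer value to report which WSUS server the client is pointed at.

```powershell
# Added example, not from the Cisco guide: pre-flight check of the WSUS
# requirement prerequisites on a Windows client.
# Assumption: plain-text WindowsUpdate.log (Windows 7/8/8.1/Vista/XP); newer
# Windows releases keep an ETL log that must be converted with Get-WindowsUpdateLog.
$MinWuaVersion = [version]'5.4.3790.1000'   # minimum WUAUENG.dll version stated in the guide
$LogPaths = @("$env:SystemRoot\WindowsUpdate.log", "$env:SystemRoot\Windows Update.log")

function Get-WuaEngineVersion {
    # Build the version from the numeric parts: the FileVersion string can carry
    # trailing build text that a straight [version] cast would not parse.
    $dll = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
    if (-not (Test-Path $dll)) { return $null }
    $vi = (Get-Item $dll).VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-IsAdministrator {
    # Non-admin users need the "No UI" wizard setting and will hit WU_E_NO_INTERACTIVE_USER
    # on components that require elevation.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ConfiguredWsusServer {
    # Group Policy WSUS target; if absent, the client uses Microsoft's public update servers.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (Test-Path $key) { (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WUServer }
}

function Find-NoInteractiveUserErrors {
    # WU_E_NO_INTERACTIVE_USER is HRESULT 0x80240020; the log records the hex code.
    foreach ($log in $LogPaths) {
        if (Test-Path $log) {
            Select-String -Path $log -Pattern '0x80240020|WU_E_NO_INTERACTIVE_USER' | Select-Object -Last 5
        }
    }
}

$ver = Get-WuaEngineVersion
$report = [pscustomobject]@{
    WuaEngineVersion   = $ver
    WuaEngineSupported = ($ver -ne $null) -and ($ver -ge $MinWuaVersion)
    UserIsAdmin        = Test-IsAdministrator
    WsusServer         = Get-ConfiguredWsusServer
}
$report | Format-List
if (-not $report.UserIsAdmin) {
    Write-Warning 'Non-admin user: use the "No UI" Installation Wizard setting and keep admin-only updates Optional.'
}
Find-NoInteractiveUserErrors | ForEach-Object { Write-Warning "WU_E_NO_INTERACTIVE_USER in $($_.Path): $($_.Line)" }
```

Run it in the user's own session (not an elevated one) so the UserIsAdmin result reflects the account the Agent will actually remediate under.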
The steps to create a Windows Server Update Services requirement are:
Step 1 Create Windows Server Update Service Requirement, page 9-59