Specifications
9-60
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Configuring Agent-Based Posture Assessment
Step 4 Choose the Priority of execution for this requirement on the client. A high priority (e.g. 1) means this
requirement is checked on the system ahead of all other requirements (and appears in the Agent dialogs
in that order). Note that if this is a Mandatory requirement and it fails, the Agent does not continue past
that point until that requirement succeeds.
Step 5 If you want to enable and configure Auto Remediation for the Agent:
a. Choose the Remediation Type [Manual | Automatic] from the dropdown menu. Choosing Manual
preserves previous Agent behavior. The user has to click through each of the requirements using the
Next/Skip button in the Agent. Choosing Automatic sets the Agent to perform Auto Remediation,
where the Agent automatically performs updates or launches required programs on the client after
the user logs in.
b. If you configure the requirement to use automatic remediation, specify the Interval in seconds (the
default interval is 0). Depending on the requirement type, this interval either sets the delay before
the Agent re-attempts remediation or sets the total time allowed for a particular remediation process.
c. Enter the Retry Count []. Specifying a retry count sets a limit on the number of times the Agent
automatically retries the requirement if it initially fails. (The default retry count setting is 0.)
For details on configuring Auto Remediation, see Configuring Auto Remediation for Requirements,
page 9-98.
Note The Cisco NAC Web Agent does not support Auto Remediation.
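The sequencing that Steps 4 and 5 describe (requirements checked in Priority order, a failed Mandatory requirement halting the Agent at that point, and Automatic remediation bounded by Interval and Retry Count) can be modelled in a few lines. The Python below is an added illustration written for this page, not Cisco Agent code; the Requirement fields, the fake check/remediate callbacks and the sample requirements are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Requirement:
    name: str
    priority: int                 # 1 = evaluated first, as in Step 4
    mandatory: bool
    remediation: str              # "Manual" or "Automatic" (Step 5a)
    interval: int = 0             # seconds before a re-attempt (Step 5b)
    retry_count: int = 0          # automatic retries after the first failure (Step 5c)
    check: Callable[[], bool] = lambda: True        # hypothetical posture check
    remediate: Callable[[], None] = lambda: None    # hypothetical remediation action

def run_posture_assessment(reqs: List[Requirement],
                           sleep: Callable[[int], None] = lambda seconds: None
                           ) -> Tuple[List[Tuple[str, bool, int]], Optional[str]]:
    """Evaluate requirements in priority order; return (log, name of blocking requirement)."""
    log = []
    for req in sorted(reqs, key=lambda r: r.priority):
        passed, attempts = req.check(), 0
        # Automatic remediation retries at most retry_count times, waiting interval each time
        while not passed and req.remediation == "Automatic" and attempts < req.retry_count:
            sleep(req.interval)
            req.remediate()
            attempts += 1
            passed = req.check()
        log.append((req.name, passed, attempts))
        if not passed and req.mandatory:
            return log, req.name      # Agent does not continue past a failed Mandatory requirement
    return log, None

def make_fixable(failures_before_pass: int):
    """Constructed helper: a check that passes after N remediation attempts."""
    state = {"left": failures_before_pass}
    return (lambda: state["left"] <= 0), (lambda: state.__setitem__("left", state["left"] - 1))

def demo():
    enc_check, enc_fix = make_fixable(3)
    hot_check, hot_fix = make_fixable(1)
    reqs = [  # constructed sample, deliberately out of priority order
        Requirement("Encryption Client", 3, True, "Automatic", 30, 1, enc_check, enc_fix),
        Requirement("Windows Hotfixes", 1, True, "Automatic", 10, 3, hot_check, hot_fix),
        Requirement("AV Definitions", 2, False, "Manual", 0, 0, lambda: False),
        Requirement("Browser Update", 4, False, "Manual"),
    ]
    sleeps: List[int] = []
    log, blocked = run_posture_assessment(reqs, sleep=sleeps.append)
    return log, blocked, sleeps

if __name__ == "__main__":
    print(demo())
```

Running it shows the optional AV requirement failing without blocking, while the Mandatory encryption requirement exhausts its single retry and halts the run before the priority-4 requirement is reached.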
Step 6 Under Windows Updates Validation by, specify the validation method to use when checking the
Windows operating system installed on the client machine:
• Cisco Rules—Use Cisco Rules (e.g. pr_<Windows operating system>_Hotfixes) or similar
administrator-configured custom rules on the CAM to verify whether the client Windows operating
system meets minimum security standards. This is the faster method to assess the client machine’s
security posture, as it relies on criteria available in the CAM’s local database. For fastest execution,
Cisco recommends using Cisco Rules as the validation method with Express installation (which
installs “Critical and Important” Windows updates) and Windows Servers as the installation source.
Note If you choose this option, you also need to configure requirement-rule mapping, as described
in Map Windows Server Update Service Requirement to Windows Rules, page 9-63.
If you wish to validate against your own custom rules, Cisco recommends that you configure
them similarly to an existing Cisco Rule (e.g. pr_<Windows operating system>_Hotfixes).
You should know the level of severity of the hotfix to check for (e.g. “Important” vs. “Low”).
Refer to Copying Checks and Rules, page 9-72 for details.
• Severity—Verify whether or not the Windows operating system on the client meets minimum
security standards using a Microsoft-managed or local Windows Update server. With this validation
method, you do not need to map the WSUS requirement to any rules. However, the Severity setting
requires the CAM to use an external WSUS server to verify updates currently installed on the client
machine and then install the Windows updates necessary to meet the requirement.
When you use locally-managed or hosted Windows (WSUS) servers to perform the Windows
updates to satisfy a WSUS requirement, the Agent calls on WSUS to install the updates. Note that
the WSUS Agent automatically installs all of the updates available for the specified severity level.
(That is, if there are 5 “Important” updates and 3 “Critical” updates and the client machine already