Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Configuring Agent-Based Posture Assessment
features some of the updates, the WSUS installer still automatically installs all of the updates
specified by the requirement type.) As a result, validating client matches based on severity can take
a longer period of time to assess and remediate.

Note: You set the validation method to coincide with the Severity option using the Windows
Updates Installation Sources setting in step 9.

Step 7 Under Windows Updates to be Installed, specify the level of updates to install. The validation method
essentially checks what's missing on the machine to trigger an update. The actual update will originate
from Microsoft or WSUS servers. The number of updates installed depends on the level of updates you
choose here. For example, if you choose validation by Cisco Rules, which only checks for Critical
hotfixes, but choose Custom Windows Updates to be Installed, with a level of Medium, all “Critical,
Important, and Moderate” hotfixes will be installed on the client, but only if the client is missing Critical
hotfixes to begin with.

  • Express—This option installs the same Windows updates as would be available from the Windows
    Update application “Express” option. Typically, the “Express” option includes only the “Important
    and Critical” Windows updates. However, if the Microsoft version of the Express update includes
    other installations (like a Service Pack update, for example), then all of the updates are
    automatically installed on the client machine.
  • Custom—Use this setting and the associated dropdown menu to install updates based on their
    severity by choosing Critical, Medium, or All from the associated dropdown menu.
      – Critical—Installs only “Critical” Microsoft Windows updates.
      – Medium—Installs all “Critical, Important, and Moderate” Windows updates.
      – All—Installs all “Critical, Important, Moderate, and Low” Windows updates.

In all cases, the WSUS server automatically downloads all of the updates to install on the client.
Therefore, even if the client machine already features 3 of 5 updates of a given severity, the WSUS
server still downloads and installs all updates.

Step 8 Click Upgrade to Latest OS Service Pack to automatically install the latest service pack available for
the user’s operating system.

Note: This option is automatically included in the install process when you specify either Medium or
All Custom updates, above, and cannot be “left out.” If you specified Critical Custom updates,
you can choose to enable or disable this option.

Cisco Rules validate all “Critical” Windows updates and verify whether or not minimum
Windows XP Service Pack updates are installed on the client machine. If you choose to require
only “Critical” Windows Updates to be Installed, Windows XP Service Pack 2 may not be
present on the client machine; hence, the client machine will not pass posture assessment via
“Cisco Rules.” To address this potential problem, Cisco recommends that if you choose to
validate client machines using “Cisco Rules” and require only “Critical” updates, you also
require Service Pack Updates to ensure any clients validated using “Cisco Rules” pass posture
assessment. (If you choose to validate client machines according to “Severity” rather than
“Cisco Rules,” this is not an issue.)
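
The interaction between the validation method and the install level in Steps 7 and 8 can be checked with a small model. This is an added example, not Cisco code: the function and field names are hypothetical, the Express option is left out because its contents depend on Microsoft, and "Severity" validation is assumed to check the same severities as the chosen install level.

```python
# Added illustration of the rules in Steps 7-8; all names are hypothetical.
LEVELS = {  # Custom install level -> severities installed (Step 7)
    "Critical": ["Critical"],
    "Medium": ["Critical", "Important", "Moderate"],
    "All": ["Critical", "Important", "Moderate", "Low"],
}
SP_FORCED = ("Medium", "All")  # Step 8 note: service pack cannot be left out

def plan(validation, level, missing, lacks_min_sp=False, upgrade_sp=False):
    """Model one Windows Update requirement for one client.

    validation   -- "Cisco Rules" or "Severity"
    level        -- Custom level: "Critical", "Medium" or "All"
    missing      -- set of severities for which the client lacks an update
    lacks_min_sp -- client is below the minimum service pack
    upgrade_sp   -- administrator ticked "Upgrade to Latest OS Service Pack"
    """
    if level not in LEVELS:
        raise ValueError("unknown install level: %r" % level)
    installs = LEVELS[level]
    if validation == "Cisco Rules":
        checked, checks_sp = ["Critical"], True   # Critical hotfixes + min SP
    elif validation == "Severity":
        checked, checks_sp = installs, False      # assumption, see lead-in
    else:
        raise ValueError("unknown validation method: %r" % validation)

    # Remediation starts only when validation finds something missing.
    triggered = any(s in missing for s in checked) or (checks_sp and lacks_min_sp)
    # Once triggered, every update of the chosen level is installed.
    sp_installed = triggered and (level in SP_FORCED or upgrade_sp)
    return {
        "triggered": triggered,
        "installed": list(installs) if triggered else [],
        "service_pack": sp_installed,
        # Severities that get installed but can never start remediation.
        "unchecked": [s for s in installs if s not in checked],
        # False reproduces the Step 8 note: SP still missing under Cisco Rules.
        "passes_after": not (checks_sp and lacks_min_sp and not sp_installed),
    }

if __name__ == "__main__":
    # Constructed client: missing only an Important update.
    print(plan("Cisco Rules", "Medium", {"Important"}))
    # Constructed client: below minimum SP, Critical-only, SP option off.
    print(plan("Cisco Rules", "Critical", set(), lacks_min_sp=True))
```

The "unchecked" list is the part to review when auditing a requirement: a client missing only those severities is never remediated under that validation method.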