Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Configuring Agent-Based Posture Assessment
Note Windows Service Pack updates traditionally take a long time to download and install. Before you require users to update their Windows operating system with a full service pack installation, be sure you extend the session timeout period for Temporary Role users to accommodate the long install and update process. (See Configure Session Timeout for the Temporary Role, page 8-19.)
Step 9 For Windows Updates Installation Sources, specify the source for the Windows update(s):
• Windows Servers—Updates the Windows operating system using Microsoft-managed Windows update servers.
• Managed WSUS Servers—Updates the Windows operating system using resources managed by the Windows server administrator or other trusted third-party source.
Step 10 For Installation Wizard Interface Setting, specify whether or not the user sees the Installation Wizard user interface during Windows Update installation:
• Show UI—The Windows Update Installation Wizard progress is visible to users during the update process so they can tell what components are being updated and when the update completes. (Users must have Administrator privileges on the client machine in order to see the Installation Wizard user interface during Windows Update.)
• No UI—The Windows Update takes place in the background once the update process has begun and the user is only notified when the update is complete.
Note • If users without Administrator privileges are using WSUS to update Windows, you must choose the No UI option.
• When a WSUS update is performed on a new installation of Windows 7 (where no updates have been applied), and the No UI option is selected for the requirement, the WSUS update can fail.
The portion of the Windows update that fails to install is the KB890830 update (Windows Malicious Software Removal Tool, http://support.microsoft.com/?kbid=890830). This update must be installed with admin privileges, and there is a one-time EULA that the user must accept during installation.
After KB890830 is installed, monthly updates are pushed out from Microsoft on Patch Tuesday. These subsequent updates of KB890830 do not require admin privileges, and they work on a client where the user is not a member of the admin group.
If users manually install KB890830 on a client system as a non-admin user using Windows Update, they are prompted for the administrator password and then get the EULA.
Step 11 For the Requirement Name, type a unique name to identify this requirement in the Agent. The name will be visible to users on the Agent dialogs.
Step 12 In the Description field, type a description of the requirement and instructions to guide users who fail to meet the requirement, including instructions for Agent users to click the Update button to update their systems. Note that Windows Server Update Service displays the Update button on the Agent.
Note Some of the default user messages in the Agent dialogs are very similar between various rules and/or requirements. To ensure the user clearly understands the remediation issue at hand, Cisco strongly recommends providing an appropriate message in this field describing the nature and purpose of the given function.