9-71
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Configuring Agent-Based Posture Assessment
- All selected rules succeed (default)—all the rules must be satisfied for the client to be considered in compliance with the requirement.
- Any selected rule succeeds—at least one selected rule must be satisfied for the client to be considered in compliance with the requirement.
- No selected rule succeeds—the selected rules must all fail for the client to be considered in compliance with the requirement.
c. Ignore the AV Virus/AS Spyware Definition rule options.
d. The Rules for Selected Operating System list will display all rules that exist in the system for the
chosen OS (pr_ rules or rules that you have configured). Click the checkbox for each rule you want
to enable for this requirement. Typical rules that are associated to this requirement are:
- pr_AutoUpdateCheck_Rule (Windows XP (All))
- pr_XP_Hotfixes (Windows XP Pro/Home)
- pr_Vista_<version>_Hotfixes (Windows Vista Home Basic/Premium, Business, Ultimate, Enterprise)
Note that all rules are listed under Device Management > Clean Access > Clean Access Agent >
Rules > Rule List.
e. Click Update to complete the mapping.
Step 4 Continue to the next steps—Apply Requirements to User Roles, page 9-92 and Validate Requirements,
page 9-93—to complete the configuration.
Configuring Custom Checks, Rules, and Requirements
A check is a condition statement used to examine the client system. In the simplest case, a requirement
can be created from a single rule made up of a single check. If the condition statement yields a true result,
the system is considered in compliance with the Agent requirement and no remediation is necessary.
To create a check, first determine an identifying feature of the requirement. The feature (such as a
registry key or process name) should indicate whether the client meets the requirement. The best way to
find such an indicator is to examine a system that meets the requirement. If necessary, refer to the
documentation provided with the software to determine what identifying feature to use for the Clean
Access check. Once you have determined the indicator for the requirement, use the following procedure
to create the check.
Note: The Mac OS X Agent does not support custom checks and custom rules. You can only assign AV and
AS rules to the Link Distribution, Local Check, AV Definition Update, and AS Definition Update
requirement types for Mac OS X posture remediation.
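The following Python sketch is an added example, not part of the Cisco guide or of the Clean Access Manager software. It models how checks feed rules and how the three rule-matching options described above decide compliance. The check helpers, rule names, registry key, process names and client snapshot are all constructed, and rejecting an empty rule selection is an assumption of this model.

```python
# Added illustration: a simplified model, not Cisco NAC Appliance code.
# Every name, key, process and the client snapshot below is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

Client = Dict[str, object]  # snapshot of what the Agent could observe


def registry_value_equals(key: str, expected: object) -> Callable[[Client], bool]:
    """Check: a registry value exists and equals the expected data."""
    return lambda c: c["registry"].get(key) == expected


def process_running(name: str) -> Callable[[Client], bool]:
    """Check: a process with this image name is running."""
    return lambda c: name.lower() in c["processes"]


@dataclass
class Rule:
    name: str
    checks: List[Callable[[Client], bool]]

    def succeeds(self, client: Client) -> bool:
        # Simplification (assumption): a rule succeeds when all its checks are true.
        return all(check(client) for check in self.checks)


def compliant(option: str, rules: List[Rule], client: Client) -> bool:
    """Apply one of the three rule-matching options to the selected rules."""
    if not rules:
        # Assumption: all([]) is True, so refuse an empty selection outright.
        raise ValueError("no rules selected for requirement")
    results = [rule.succeeds(client) for rule in rules]
    if option == "all":    # All selected rules succeed (default)
        return all(results)
    if option == "any":    # Any selected rule succeeds
        return any(results)
    if option == "none":   # No selected rule succeeds
        return not any(results)
    raise ValueError(f"unknown option: {option}")


AV_KEY = r"HKLM\SOFTWARE\ExampleAV\Enabled"  # constructed key
CLIENT: Client = {"registry": {AV_KEY: 1}, "processes": {"exampleav.exe", "p2pshare.exe"}}
AV_INSTALLED = Rule("av_installed", [registry_value_equals(AV_KEY, 1)])
AV_RUNNING = Rule("av_running", [process_running("exampleav.exe")])
OTHER_AV = Rule("other_av_running", [process_running("otherav.exe")])
P2P = Rule("p2p_running", [process_running("p2pshare.exe")])
```

With the "none" option, a rule that detects unwanted software turns into a requirement the client meets only when that software is absent, which is why `P2P` makes the sample client non-compliant.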
Custom Requirements
You can create custom requirements to map rules to the mechanism that allows users to meet the rule
condition. The mechanism may be an installation file, a link to an external resource, or simply
instructions. If a rule check is not satisfied (for example, required software is not found on the client
system), users can be warned or required to fix their systems, depending on your configuration. As