1-15
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
Client Posture Assessment Overview
• “Double-byte” character support that enables the Agent to display user dialogs for supported
  locales/language OS platforms

• Evolution Data Optimized (EVDO) connections where no wired or wireless NICs are enabled on the
  client machine. For more information on enabling this function for the Cisco NAC Agent, see
  Table 9-10 “Client-Side MAC Address Management”.

• Auto-upgrade. Once the Agent is installed on a client, it can automatically detect, download, and
  upgrade itself to the next version. The Agent checks for an Agent update at every login request. The
  administrator can configure Agent auto-upgrade to be mandatory or optional for all users, or can
  disable update notification altogether.

• Built-in AV/AS checking support for major antivirus (AV) and antispyware (AS) vendors. AV/AS
  Rule and Requirement configuration facilitates the most common type of checking administrators
  need to perform on clients and allows the Agent to automatically detect and update AV and AS
  definition files on the client machine. AV/AS product support is kept up to date on the CAM through
  the use of Cisco NAC Appliance Updates, page 1-6.

• Ability to launch qualified/digitally signed executable programs when a client fails a requirement.
  See Configuring a Launch Programs Requirement, page 9-85 for details.

• Custom rule and check configuration. Administrators can configure requirements to check clients
  for specific applications, services, or registry entries using pre-configured Cisco checks and rules or
  by creating their own custom checks and rules.

• Multi-hop Layer 3 In-Band (IB) and Out-of-Band (OOB) deployment support and VPN
  concentrator/Layer 3 access. You can configure the CAM/CAS/Agent to enable clients to discover
  the CAS when the network configuration puts clients one or more Layer 3 hops away from the CAS
  (instead of in L2 proximity). Single Sign-On (SSO) is also supported when Cisco NAC Appliance
  is integrated (In-Band) behind Cisco VPN concentrators. For details, see “Enable L3 Deployment
  Support,” “Integrating with Cisco VPN Concentrators,” or “Configuring Layer 3 Out-of-Band (L3
  OOB)” in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x).

• Windows Domain Active Directory Single Sign-On. When Windows AD SSO is configured for the
  Cisco NAC Appliance, users with the Agent already installed can automatically log into Cisco NAC
  Appliance when they log into their Windows domain. The client system will be automatically
  scanned for requirements with no separate Agent login required. See the “Configuring Active
  Directory Single Sign-On (AD SSO)” chapter in the Cisco NAC Appliance - Clean Access Server
  Configuration Guide, Release 4.9(x) for details.

  Note: Users logging into Cisco NAC Appliance via AD SSO must be running Windows Vista or
  Windows 7 and have the appropriate Cisco NAC Agent (version 4.7.1.15, 4.8.0.32, or 4.9.0.33)
  installed on their client machine in order to remain FIPS-compliant. Windows XP clients
  performing AD SSO do not conform to FIPS 140-2 compliance requirements.

• Automatic DHCP Release/Renew. When the Agent is used for login in OOB deployments, the Agent
  automatically refreshes the DHCP IP address if the client needs a new IP address in the Access
  VLAN. See DHCP Release/Renew with Agent/ActiveX/Java Applet, page 5-6 for details.

  Note: For information on Access to Authentication VLAN change detection for an OOB client
  machine, see Configure Access to Authentication VLAN Change Detection, page 3-67.

• Cisco NAC Agent logoff with Windows logoff/shutdown. Administrators can enable or disable the
  Agent to log off from the Cisco NAC Appliance network when a user logs off the Windows domain
  or shuts down a Windows machine. This feature does not apply to OOB deployments.