9-86
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Configuring Agent-Based Posture Assessment
Configuring a Launch Programs Requirement
Note The Cisco NAC Agent is required to use this feature. This feature applies to Windows 8.1/8/7/Vista/XP
machines only. The Mac OS X Agent and the Cisco NAC Web Agent do not support this requirement
type.
The Launch Programs requirement type allows administrators to launch a qualified (signed)
remediation program through the Agent. The administrator creates a check/rule condition; when it
fails, the Agent launches the configured remediation program(s) to fix the machine. Multiple
programs are permitted, and they are launched in the sequence specified by the administrator.
The Agent launches the programs in one of two ways, depending on whether or not the user has
admin privileges on the device.
When Cisco NAC is configured to launch an application as a remediation, the application is launched
and appears in Task Manager, but its UI is not visible to the user, regardless of whether the user is
logged in as an admin or not. Because the Launch Programs remediation feature was changed from running
with user privileges to running with system privileges, the NAC Agent allows UAC elevation for all
Launch Programs remediation actions. See also caveat CSCui73412 in the Release Notes for Cisco NAC
Appliance, Version 4.9(4).
Launch Programs With Admin Privileges
If the user has admin privileges on the client machine, any executable is qualified. The program is
launched directly, and digital signing and verification of the application are not required. Because
nothing is verified in this case, the integrity of the program rests entirely on where it is stored;
keep it in a location that standard users cannot modify.
Launch Programs Without Admin Privileges
The executable must have:
• A valid digital signature, signed by a certificate with specific field value(s)
• File version information with specific item value(s)
Note also that:
• The executable must be signed with a code signing certificate with a proper chain of certificates.
• The code signing certificate must be installed on the client machine.
• The root certificate must also be installed on the client machine and must be in the Trusted Root
Certification Authorities store on Windows.
• In addition to installing the certificate, you must create a registry key that is particular to the
executable being run. Refer to How the Agent Verifies Digital Signature and Trust on an
Executable Program, page 9-86 for details.
Note For non-admin users, if you configure Auto Remediation to launch a program (for example, a
Microsoft KB patch), the signature check may fail if the executable is located on a network share,
even one accessed through a mapped drive. Copy the files to the local system and execute them from there.
Starting from Release 4.9(1), the SignatureCheck parameter can be set to "1" in the Agent
configuration file so that the signature is checked for non-admin users. See also Cisco NAC Agent
Verifying Launch Program Executable for Trusted Digital Signature.
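The following PowerShell script is an added example, not Cisco's code and not part of the Agent; it is
a pre-flight check an administrator can run on a representative client machine before deploying a
Launch Programs requirement for non-admin users. It tests the prerequisites listed above that can be
verified from the file and the certificate stores: a valid Authenticode signature from a code signing
certificate, a chain that terminates at a root present in the machine's Trusted Root Certification
Authorities store, version information in the file's version resource, and a local rather than
network path. The parameter names, the optional expected-value checks, and the choice to skip
revocation checking are assumptions of this example; the per-executable registry key the guide
mentions is not checked here because its format is documented elsewhere.

```powershell
# Added example (not Cisco's code): check an executable against the Launch Programs
# prerequisites for non-admin users. Assumed parameters and checks; see the lead-in.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,                        # path to the remediation executable
    [string]$ExpectedSignerCN = $null,    # optional: CN expected in the signing certificate subject
    [string]$ExpectedProductName = $null  # optional: expected ProductName in the version resource
)

$problems = @()
$item = Get-Item -LiteralPath $Path -ErrorAction Stop

# 1. Location: the Agent's signature check may fail on a network share or mapped drive.
if ($item.FullName -like '\\*') {
    $problems += "Path is a UNC share; copy the file to a local disk."
} else {
    $drive = Get-PSDrive -Name $item.PSDrive.Name
    if ($drive.DisplayRoot -and $drive.DisplayRoot -like '\\*') {
        $problems += "Drive $($drive.Name): is mapped to $($drive.DisplayRoot); copy the file to a local disk."
    }
}

# 2. Authenticode signature must be present and valid.
$sig = Get-AuthenticodeSignature -FilePath $item.FullName
if ($sig.Status -ne 'Valid') {
    $problems += "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)"
}

if ($sig.SignerCertificate) {
    $signer = $sig.SignerCertificate
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'

    # 3. The signing certificate must be a code signing certificate (EKU 1.3.6.1.5.5.7.3.3).
    if (-not ($signer.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $codeSigningOid })) {
        $problems += "Signer '$($signer.Subject)' lacks the Code Signing EKU."
    }
    if ($ExpectedSignerCN -and $signer.Subject -notmatch "CN=$([regex]::Escape($ExpectedSignerCN))(,|$)") {
        $problems += "Signer subject '$($signer.Subject)' does not carry CN=$ExpectedSignerCN."
    }

    # 4. Build the chain with the code signing application policy. Revocation is skipped
    #    so the check works offline (assumption of this example, not the Agent's behaviour).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $codeSigningOid)) | Out-Null
    if (-not $chain.Build($signer)) {
        $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "Certificate chain does not build: $statusText"
    }

    # 5. The chain's root must be in the Trusted Root Certification Authorities store.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint })) {
        $problems += "Root CA '$($root.Subject)' is not in Cert:\LocalMachine\Root."
    }

    # 6. The guide requires the code signing certificate itself to be installed on the client;
    #    this example looks for it in any LocalMachine store (the store name is not specified by the guide).
    if (-not (Get-ChildItem Cert:\LocalMachine -Recurse | Where-Object { $_.Thumbprint -eq $signer.Thumbprint })) {
        $problems += "Signing certificate $($signer.Thumbprint) is not installed in any LocalMachine store."
    }
}

# 7. File version information must be present (and may be matched against expected values).
$vi = $item.VersionInfo
if (-not $vi.FileVersion) {
    $problems += "No FileVersion in the version resource."
}
if ($ExpectedProductName -and $vi.ProductName -ne $ExpectedProductName) {
    $problems += "ProductName is '$($vi.ProductName)', expected '$ExpectedProductName'."
}

if ($problems.Count -eq 0) {
    Write-Output "OK: $($item.FullName) meets the checkable Launch Programs prerequisites."
    exit 0
}
$problems | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it as, for example, `.\Check-LaunchProgram.ps1 -Path C:\Remediation\fix.exe -ExpectedSignerCN "Example Corp"` on a
machine that has the same certificates installed as the clients. A clean result means the signature,
chain, root trust, version resource and location are in order; the registry key described in How the
Agent Verifies Digital Signature and Trust on an Executable Program still has to be created separately.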