9-87
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Configuring Agent-Based Posture Assessment
How the Agent Verifies Digital Signature and Trust on an Executable Program
On client machines where users will launch executables through the Cisco NAC Agent, you must add a Trust<N> key in the Windows
registry for each executable that is allowed to run. It is the administrator's responsibility to populate the required
registry keys for the programs that the Cisco NAC Agent service is to trust. The Cisco NAC Agent
verifies that the launch program carries a trusted digital signature in two steps:
1. Verifies the digital signature: the executable must be signed, and the signature must be valid and trusted.
2. Verifies the signer certificate and the file version information against the entries in the registry.
Both steps must succeed; a matching registry entry does not by itself qualify an unsigned or badly signed file.
The related registry structure appears as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust<N>\
    Certificate\2.5.4.3
    FileVersionInfo\ProductName
Where:
• <N> is a non-negative integer (0 and above). Trust0, Trust1, and so on each define one trust chain.
• 2.5.4.3 is the X.500 object identifier (OID) for the commonName (CN) attribute; the value stored under it is the CN of the signer certificate.
• For the entries under Certificate, the registry value must match the corresponding certificate attribute exactly; the comparison is case-insensitive.
• For the entries under FileVersionInfo, the registry value must appear in (be contained in) the corresponding string of the file's
version information resource; this comparison is also case-insensitive.
• All the entries under Certificate and FileVersionInfo in a given Trust<N> key must be satisfied (AND) for the target to qualify
as a trusted target.
• If any one Trust<N> chain is satisfied, the target is qualified to launch (OR across chains).
Because the strings in a file's version information resource are set by whoever builds the file, the FileVersionInfo entries only narrow the match; the signature check in step 1 together with the Certificate entries is what ties the executable to a trusted signer.
For example, the following registry values qualify the Cisco NAC Agent itself to be launched as
an application by a non-administrator user:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust0\Certificate\
2.5.4.3 with a value of “Cisco Systems”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub\Trust0\
FileVersionInfo\ProductName with a value of “Cisco NAC Agent”
Administrators should add registry entries to qualify every application that users will launch on client
machines. See Table 9-16 for the list of supported keys.
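The following Python script is an added example, not Cisco code or part of this guide. It models the Trust<N> check exactly as the rules above describe it (exact case-insensitive match for Certificate entries, substring case-insensitive match for FileVersionInfo entries, AND within a chain, OR across chains, and no launch without a trusted signature) and renders a chain as a .reg file that an administrator can load with reg import. It assumes the registry values are REG_SZ strings and that the signer attributes handed to it come from a signature that has already been validated (step 1). The TrustChain class, the function names and the sample signer and version strings are this example's own inventions.

```python
"""Added example (not Cisco code): a model of the Trust<N> registry check.

Assumptions: the registry values are REG_SZ strings, and the signer attributes
passed in come from a digital signature the caller has already validated.
"""
from dataclasses import dataclass, field

BASE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCAAgentStub"
OID_COMMON_NAME = "2.5.4.3"  # X.500 attribute type OID for commonName (CN)


@dataclass
class TrustChain:
    """One Trust<N> key: the name/value pairs under Certificate and FileVersionInfo."""
    certificate: dict = field(default_factory=dict)        # OID -> required value
    file_version_info: dict = field(default_factory=dict)  # resource field -> required text

    def matches(self, signer_attrs, version_info):
        """True only if every entry in this chain is satisfied (AND)."""
        # Certificate entries: exact match against the signer certificate, ignoring case.
        for oid, wanted in self.certificate.items():
            actual = signer_attrs.get(oid)
            if actual is None or actual.lower() != wanted.lower():
                return False
        # FileVersionInfo entries: the required text must appear inside the
        # corresponding string of the file's version resource, ignoring case.
        for name, wanted in self.file_version_info.items():
            actual = version_info.get(name)
            if actual is None or wanted.lower() not in actual.lower():
                return False
        return True


def is_launch_trusted(chains, signature_trusted, signer_attrs, version_info):
    """Step 1: the digital signature must be trusted. Step 2: any one Trust<N>
    chain must match (OR across chains). Both must hold for the launch."""
    if not signature_trusted:
        return False
    return any(chain.matches(signer_attrs, version_info) for chain in chains)


def to_reg_file(chains):
    """Render the chains as a .reg file for 'reg import' on the client
    (Trust0, Trust1, ... in list order; REG_SZ values are an assumption)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for n, chain in enumerate(chains):
        for subkey, values in (("Certificate", chain.certificate),
                               ("FileVersionInfo", chain.file_version_info)):
            if not values:
                continue
            lines.append(f"[{BASE_KEY}\\Trust{n}\\{subkey}]")
            lines.extend(f'"{name}"="{value}"' for name, value in values.items())
            lines.append("")
    return "\n".join(lines)


# The guide's Trust0 example: CN "Cisco Systems" AND ProductName containing "Cisco NAC Agent".
TRUST0 = TrustChain(certificate={OID_COMMON_NAME: "Cisco Systems"},
                    file_version_info={"ProductName": "Cisco NAC Agent"})

# Constructed sample inputs standing in for what the agent reads from a signed file.
SAMPLE_SIGNER = {OID_COMMON_NAME: "cisco systems"}             # same CN, different case
SAMPLE_VERSION_INFO = {"ProductName": "Cisco NAC Agent 4.9"}  # required text is a substring


if __name__ == "__main__":
    print(is_launch_trusted([TRUST0], True, SAMPLE_SIGNER, SAMPLE_VERSION_INFO))  # True
    print(to_reg_file([TRUST0]))
```

Running the script prints True for the sample file and the .reg text for Trust0. Changing the sample CN to "Cisco Systems, Inc." makes the check fail, because Certificate entries are compared whole rather than as substrings, while the ProductName "Cisco NAC Agent 4.9" still passes, because FileVersionInfo entries are substring matches.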
Table 9-16 Supported Launch Program Executable Keys for Trusted Digital Signature

Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CCAAgentStub\

Registry Key: Trust<N>
Default Value (Decimal): — (no Trust<N> key exists until the administrator creates it)
Valid Range: N is 0 and above
Supported Value Names: Certificate\<OID> (for example Certificate\2.5.4.3 for the signer CN) and FileVersionInfo\<field> (for example FileVersionInfo\ProductName). A Trust<N> chain holds the signer-certificate and file-version criteria that the Clean Access Agent Stub checks, together with the executable's digital signature, to decide whether the executable can be trusted before launching it.