Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 1 Introduction
Client Posture Assessment Overview
For complete details on the Agent configuration features mentioned above, see Chapter 9, “Configuring
Cisco NAC Appliance for Agent Login and Client Posture Assessment.”
For details on the features of each version of the Agent, see “Cisco NAC Appliance Agents” in the latest
Release Notes.
Cisco NAC Web Agent
Unlike the Cisco NAC Agent, the Cisco NAC Web Agent is not a “persistent” entity: it exists on the
client machine only long enough to accommodate a single user session. Instead of downloading and
installing an Agent application, the user opens a browser window, logs in to the NAC Appliance
web login page, and chooses to launch the temporal Cisco NAC Web Agent. An ActiveX control or Java
applet (you specify the preferred method using the Web Client (ActiveX/Applet) option in the
Administration > User Pages > Login Page configuration page) then initiates a self-extracting Agent
installer on the client machine to install Agent files in the client’s temporary directory, perform
posture assessment (scan the system to ensure security compliance), and report compliance status back
to the NAC Appliance system. During this period, the user is granted access only to the Temporary
Role. If the client machine is not compliant for one or more reasons, the user is informed of the
issues preventing network access and may do one of the following:
• Manually remediate/update the client machine and try to test compliance again before
the Temporary Role times out
• Accept “restricted” network access for the time being and try to ensure the client machine meets
requirements for the next login session
Note: If an OOB user accepts restricted access, they remain in that role for as long as it is defined
on the CAM. Therefore, even if the user is able to perform manual remediation while
connected using the restricted access role, the client machine is not re-scanned until the
session terminates and the user tries to log in again.
Note: The Cisco NAC Web Agent does not perform client remediation. Users must adhere to NAC
Appliance requirement guidelines independent of the Web Agent session to ensure compliance
before they can gain access to the internal network. If users are able to correct/update their client
machine to be compliant before the Temporary Role time-out expires, they can choose to
“Re-scan” the client machine and successfully log in to the network.
Once the user has provided appropriate login credentials and the Web Agent ensures the client machine
meets the NAC Appliance security requirements, the browser session remains open and the user is
logged in to the network until the user clicks the Logout button in the Web Agent browser window, shuts
off their system, or the NAC Appliance administrator terminates the session from the CAM. After the
session terminates, the web interface logs the user out of the network and removes the session from
the client machine, and the user ID disappears from the Online Users list.