Specifications
11-11
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 11 Monitoring and Troubleshooting Agent Sessions
Manage Certified Devices
Agreement Page (for web login users) or the Network Policy Page (for Agent users) if either page was
configured for the role. See Table 1-2 “Web Login—General Setup Configuration Options” and
Table 1-3 “Web Login User Page Summary” for details on these pages.
A certified device remains on the Certified Devices List until:
• The list is automatically cleared using a Certified Devices Timer.
• The administrator manually clears the entire list.
• The administrator manually drops the client from the list.
• The user logs out or is removed from the network, and the Require users to be certified at every web login option is checked for the role from the General Setup > Web Login page.
Devices automatically added to the Certified Devices List can be cleared manually or cleared
automatically at specified intervals. Because the administrator must manually add exempt devices to the
list, the administrator must also manually remove them. This means that an exempt device on the
Certified Devices List is protected from being automatically removed when the global Certified Devices
Timer form is used to clear the list at regularly scheduled intervals.
Clearing devices from the Certified Devices List (whether manually or automatically) performs the following actions:
• Removes IB clients from the In-Band Online Users list and logs them off the network.
• Removes OOB clients from the Out-of-Band Online Users list and bounces their port (unless port bouncing is disabled for OOB VGW; see Add Port Profile, page 3-34 for details).
• Forces client devices to repeat posture assessment at the next login.
Once off the Certified Devices List, the client must pass network scanning and meet Agent Requirements
again to be readmitted to the network. You can add floating devices that are certified only for the duration
of a user session. You can also exempt devices from Nessus Scanning altogether by manually adding them
to the Certified Devices List.
If using a Certified Devices Timer, you can configure whether or not a user is removed when the list is
cleared by enabling or disabling the Keep Online Users option for the timer. See Configure Certified
Device Timer, page 11-14 for further details.
Note that logging an IB user off the network from Monitoring > Online Users > View Online Users
does not remove the client from the Certified Devices List. This allows the user to log in again without
forcing the client machine to go through posture assessment again. Note that for Agent users, devices
always go through Agent Requirements at each login, even if the device is already on the Certified
Devices List.
Note Because the Certified Devices List displays users authenticated and certified based on known L2 MAC
address, the Certified Devices List does not display information for remote VPN/multihop L3 users
tracked by IP address only. To view these authenticated remote VPN/multihop L3 users, see the In-Band
Online Users list. The User MAC field for these user entries appears as “00:00:00:00:00:00.”
For further details on terminating active user sessions, see Interpreting Active Users, page 11-29 and
Out-of-Band Users, page 3-68.
If a certified device is moved from one CAS to another, it must go through Nessus Scanning again for
the new CAS unless it has been manually added as an exempt device at the global level for all Clean
Access Servers. This allows for the case where one Clean Access Server has more restrictive posture
assessment requirements than another.
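The rules spread across this section (automatically added versus exempt entries, what clearing does to IB and OOB clients, the Keep Online Users timer option, Agent users always repeating Agent Requirements, and re-scanning after a device moves to another CAS) can be captured in one small model. The following Python is an added illustration and is not Cisco NAC Appliance code; the class and method names, the string labels for the checks and actions, and the sample MAC addresses are all invented for the example.

```python
"""Toy model of the Certified Devices List behaviour described in this section.

Added example, not Cisco NAC Appliance code: every name and label below is
invented for illustration, and the MAC addresses in the demo are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    IB = "in-band"
    OOB = "out-of-band"


@dataclass
class Device:
    mac: str
    mode: Mode
    cas: str              # Clean Access Server the device was certified through
    exempt: bool = False  # manually added by the administrator (skips Nessus scanning)
    online: bool = True


@dataclass
class CertifiedDevicesList:
    entries: dict = field(default_factory=dict)      # mac -> Device
    global_exempt: set = field(default_factory=set)  # MACs exempt on every CAS
    actions: list = field(default_factory=list)      # audit trail of what clearing did

    def certify(self, dev: Device) -> None:
        """Device passed scanning / Agent Requirements: added automatically."""
        self.entries[dev.mac] = dev

    def add_exempt(self, dev: Device, all_cas: bool = False) -> None:
        """Administrator adds the device by hand; only a manual action removes it."""
        dev.exempt = True
        self.entries[dev.mac] = dev
        if all_cas:
            self.global_exempt.add(dev.mac)

    def _remove(self, mac: str, keep_online: bool, oob_vgw_port_bounce: bool) -> None:
        dev = self.entries.pop(mac)
        if keep_online:  # Keep Online Users: entry goes, session survives
            self.actions.append(f"{mac}: dropped from list, session kept")
            return
        dev.online = False
        if dev.mode is Mode.IB:
            self.actions.append(f"{mac}: removed from In-Band Online Users, logged off")
        else:
            bounce = ", port bounced" if oob_vgw_port_bounce else ""
            self.actions.append(f"{mac}: removed from Out-of-Band Online Users{bounce}")

    def timer_clear(self, keep_online_users: bool = False,
                    oob_vgw_port_bounce: bool = True) -> list:
        """Scheduled clearing: automatic entries go, exempt entries are protected."""
        for mac in [m for m, d in self.entries.items() if not d.exempt]:
            self._remove(mac, keep_online_users, oob_vgw_port_bounce)
        return self.actions

    def drop(self, mac: str, oob_vgw_port_bounce: bool = True) -> list:
        """Administrator drops one client, exempt or not."""
        self._remove(mac, False, oob_vgw_port_bounce)
        return self.actions

    def web_logout(self, mac: str, require_cert_every_login: bool) -> None:
        """Web login user logs out; the entry survives unless the role requires
        certification at every web login."""
        dev = self.entries.get(mac)
        if dev is not None:
            dev.online = False
            if require_cert_every_login:
                del self.entries[mac]

    def checks_at_login(self, mac: str, cas: str, agent_user: bool) -> set:
        """Which assessments the next login through `cas` has to repeat."""
        checks = set()
        if agent_user:  # Agent users meet Agent Requirements at every login
            checks.add("agent_requirements")
        dev = self.entries.get(mac)
        certified_here = dev is not None and (dev.cas == cas or mac in self.global_exempt)
        if not certified_here:  # off the list, or certified on a different CAS only
            checks.add("network_scanning")
            if agent_user:
                checks.add("agent_requirements")
        return checks


if __name__ == "__main__":
    cdl = CertifiedDevicesList()
    cdl.certify(Device("02:00:00:00:00:01", Mode.IB, "cas-1"))     # constructed MACs
    cdl.certify(Device("02:00:00:00:00:02", Mode.OOB, "cas-1"))
    cdl.add_exempt(Device("02:00:00:00:00:03", Mode.IB, "cas-1"), all_cas=True)
    print(cdl.checks_at_login("02:00:00:00:00:01", "cas-2", agent_user=False))
    for line in cdl.timer_clear(oob_vgw_port_bounce=False):
        print(line)
    print(sorted(cdl.entries))  # only the exempt device survives the timer
```

Running the demo shows the two behaviours administrators most often trip over: the timer clears the automatically certified IB and OOB entries (logging off the IB user, and bouncing the OOB port only when VGW port bouncing is enabled) but leaves the exempt entry in place, and a device certified on one CAS still faces network scanning on another unless it was exempted at the global level.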