Specifications
11-30
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 11 Monitoring and Troubleshooting Agent Sessions
Online Users list
The Heartbeat Timer applies to L2 IB deployments only and is set for all users regardless of role. It
can be set globally for all Clean Access Servers using the form User Management > User Roles>
Schedule > Heartbeat Timer, or for a specific Clean Access Server using the local form Device
Management > CCA Servers > Manage [CAS_IP] > Misc > Heartbeat Timer. For details, see
Configure Heartbeat Timer (User Inactivity Timeout), page 8-17.
The Heartbeat Timer will not function in L3 deployments, and does not apply to OOB users.
However, note that the HeartBeat Timer will work if the CAS is the first hop behind the VPN
concentrator. This is because the VPN concentrator responds to the ARP queries for the IP addresses
of its current tunnel clients.
• The Certified Device list is cleared (automatically or manually) and the user is removed from the
network.
The Certified Devices List applies to L2 (IB or OOB) deployments only and can be scheduled to be
cleared automatically and periodically using the global Certified Devices timer form (Device
Management > Clean Access > Certified Devices > Timer). You can manually clear the certified
devices for a specific Clean Access Server from the Certified Devices List using the local form
Device Management > CCA Servers > Manage [CAS_IP] > Filters > Clean Access > Certified
Devices, or manually clear the Certified Device list across all Clean Access Servers using the global
form Device Management > Clean Access > Certified Devices. For details, see Manage Certified
Devices, page 11-10.
Keep in mind that the Certified Devices List will not display remote VPN/L3 clients (since these
sessions are IP-based rather than MAC address-based).
• SSO and Auto-Logout are configured for the VPN concentrator, and the user disconnects from the
VPN.
With Auto Logout enabled, when the user disconnects from the VPN client, the user is automatically
removed from the Online Users list (In-Band).
Note that when SSO is configured for multi-hop L3 VPN concentrator integration, if the user’s
session on the CAS times out but the user is still logged in on the VPN concentrator, the user will
be able to log back into the CAS without providing a username/password.
Note Whether the CAS or another server is used for DHCP, if a user’s DHCP lease expires, the user remains
on the Online Users list (In-Band or Out-of-Band). When the lease expires, the client machine will try
to renew the lease.
See also Configure User Session and Heartbeat Timeouts, page 8-15 and Out-of-Band Users, page 3-68
for additional details.
View Online Users
The View Online Users tab provides two links for the two online users lists: In-Band and Out-of-Band.
By default, View Online User pages display the login user name, IP and MAC address (if available),
provider, and role of each user. For information on selecting the column information to display, such as
OS version, or for Out-of-Band users: switch port, see Display Settings, page 11-35.
A green background for an entry indicates a user device accessing the Clean Access network in a
temporary role: either a Quarantine role or the Agent Temporary role.
A blue background for an entry indicates a user device accessing the Clean Access network in a restricted
network access role.