Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01

CHAPTER 12
Configuring Network Scanning
Note: Nessus-based network scanning capabilities only apply to users accessing the Cisco NAC Appliance network via UNIX operating system-based client machines. The Cisco NAC Agent does not support Nessus-based network scanning.
This chapter describes how to set up network scanning for Cisco NAC Appliance. Topics include:
Overview, page 12-1
User Page Summary, page 12-4
Configure the Quarantine Role, page 12-6
Load Nessus Plugins into the Clean Access Manager Repository, page 12-6
Configure General Setup, page 12-9
Apply Plugins, page 12-10
Configure Plugin Options, page 12-12
Configure Vulnerability Handling, page 12-13
Test Scanning, page 12-16
Customize the User Agreement Page, page 12-19
View Scan Reports, page 12-17
Overview
The Cisco NAC Appliance network scanner uses Nessus plugins to check for security vulnerabilities.
With Cisco NAC Appliance, you can define automatic, immediate responses to scan results. For
example, if a vulnerability is found, you can have the user notified, blocked from the network, or
assigned to a quarantine role.
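To make the scan-to-response flow concrete, the following is an added illustration and not code from the Cisco NAC Appliance or from Nessus. It models three hypothetical plugins as banner checks (the plugin IDs, patterns, port numbers and sample banners are all constructed for this example), configures a response for each plugin the way the vulnerability-handling page lets you, and resolves the result for each client into a single outcome. The precedence block > quarantine > notify is an assumption made here so that a client triggering several plugins gets the most restrictive configured response.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Plugin:
    """One check in the spirit of a Nessus plugin: a regex tested against the
    service banner seen on one port. IDs and patterns are hypothetical."""
    plugin_id: int
    name: str
    port: str
    pattern: str

# Hypothetical plugins: two version-based checks and one peer-to-peer detection.
PLUGINS = [
    Plugin(90001, "Outdated OpenSSH banner (pre-4.x)", "22/tcp",
           r"^SSH-2\.0-OpenSSH_[0-3]\."),
    Plugin(90002, "Apache 1.3.x web server detected", "80/tcp",
           r"^Server: Apache/1\.3\."),
    Plugin(90003, "BitTorrent peer-to-peer client listening", "6881/tcp",
           r"BitTorrent"),
]

# Vulnerability handling: the response configured for each plugin.
# Precedence assumed for this example: block > quarantine > notify.
HANDLING = {90001: "block", 90002: "quarantine", 90003: "notify"}
SEVERITY = {"notify": 1, "quarantine": 2, "block": 3}

# Constructed banners standing in for what a scan of each client would collect.
SAMPLE_BANNERS = {
    "10.0.0.21": {"22/tcp": "SSH-2.0-OpenSSH_3.9p1",
                  "80/tcp": "Server: Apache/1.3.29"},
    "10.0.0.22": {"22/tcp": "SSH-2.0-OpenSSH_7.4",
                  "6881/tcp": "BitTorrent protocol"},
    "10.0.0.23": {"80/tcp": "Server: nginx/1.18.0"},
}

def run_plugin(plugin: Plugin, banners: Dict[str, str]) -> bool:
    """True when the plugin's port is open and its banner matches the pattern."""
    banner = banners.get(plugin.port)
    return banner is not None and re.search(plugin.pattern, banner) is not None

def scan_host(banners: Dict[str, str], plugins=PLUGINS) -> List[int]:
    """Return the IDs of every plugin that reports a hit for this client."""
    return [p.plugin_id for p in plugins if run_plugin(p, banners)]

def decide(hits: List[int], handling=HANDLING) -> str:
    """Collapse the hits into one outcome: the most restrictive configured
    response, or "allow" when no plugin with a configured response fired."""
    actions = [handling[h] for h in hits if h in handling]
    if not actions:
        return "allow"
    return max(actions, key=SEVERITY.__getitem__)

def scan_network(hosts=SAMPLE_BANNERS) -> Dict[str, str]:
    """Outcome per client address over the constructed sample network."""
    return {ip: decide(scan_host(banners)) for ip, banners in hosts.items()}

if __name__ == "__main__":
    for ip, outcome in scan_network().items():
        hits = scan_host(SAMPLE_BANNERS[ip])
        names = [p.name for p in PLUGINS if p.plugin_id in hits]
        print(f"{ip}: {outcome} {names}")
```

A plugin with no entry in the handling table still produces a finding in the report but does not change the client's outcome, which mirrors the difference between loading a plugin and actually configuring a response for it.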
Nessus (http://www.nessus.org), an open source project for security-related software, provides plugins
designed to test for specific vulnerabilities on a network. In addition to plugins for remotely detecting
the presence of particular worms, plugins exist for detecting peer-to-peer software activity or web
servers. The following description defines Nessus plugins:
Nessus plugins are very much like virus signatures in a common virus scanner application. Each
plugin is written to test for a specific vulnerability. These can be written to actually exploit the
vulnerability or just test for known vulnerable software versions. Plugins can be written in most any