Cisco Clean Access 3.5
5-4
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 5 User Management: User Roles
Create User Roles
Role Assignment Priority
Note that the order of priority for role assignment is as follows:
1. MAC address
2. Subnet / IP Address
3. Login information (login ID, user attributes from auth server, VLAN ID of user machine, etc.)
Therefore, if a MAC address associates the client with “Role A”, but the user’s login ID associates him or her to “Role B”, “Role A” is used.
For additional details, see also
.
Clean Access Roles
The Clean Access process can be implemented on your network as network scanning only (see ), Clean Access Agent only, or Clean Access Agent with network scanning (see ). With Clean Access enabled, two types of roles are used specifically for Clean Access:
• Clean Access Agent Temporary Role
When the Clean Access Agent is used, the Clean Access Agent Temporary role is assigned to users after authentication to allow the user limited network access to download and install required packages that will prevent the user’s system from becoming vulnerable. The user is prevented from normal login role access to the network until the Clean Access Agent requirements are met.
There is only one Clean Access Agent Temporary role in the system. This role is only in effect when the user is required to use Clean Access Agent to login and pass Clean Access requirements.
The Clean Access Agent Temporary role is assigned to users for the following time periods:
a. From the login attempt until successful network access. The client system meets Clean Access Agent requirements and is not found with vulnerabilities after network scanning. The user transfers from the Clean Access Agent Temporary role into the user’s normal login role.
b. From the login attempt until Clean Access Agent requirements are met. The user has the amount of time configured in the Session Timer for the role to download and install required packages. If the user cancels or times out, the user is removed from the Clean Access Agent Temporary role and must restart the login process. If the user downloads requirements within the time allotted, the user stays in the Clean Access Agent Temporary role and proceeds to network scanning (if enabled).
c. From the login attempt until network scanning finds vulnerabilities on the user system. If the client system meets Clean Access Agent requirements, but is found to have vulnerabilities during network scanning, the user is transferred from the Clean Access Agent Temporary role into the quarantine role.
• Quarantine Role
With network scanning enabled, the purpose of the Clean Access quarantine role is to allow the user limited network access to resources needed to fix vulnerabilities that already exist on the user system. The user is prevented from normal login role access to the network until the vulnerabilities are fixed.
There can be one or multiple quarantine roles in the system. A user is put into a quarantine role if:
– The user attempts to log in using the web login page, and Clean Access network scanning finds a vulnerability on the user system.
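The following is an added example, not code from the Cisco Clean Access product or this guide. It models two things described above: the role assignment priority (MAC address, then subnet/IP, then login information) and the time periods a, b and c during which a client sits in the Clean Access Agent Temporary role before ending in its normal login role, the quarantine role, or being removed. The MAC, subnet and login-ID mappings, role names and timer values are constructed for illustration.

```python
"""Model of Clean Access role assignment priority and the Temporary /
quarantine role transitions. Constructed illustration, not Cisco code."""
from ipaddress import ip_address, ip_network
from typing import List, Optional

TEMP_ROLE = "Clean Access Agent Temporary"
QUARANTINE_ROLE = "Quarantine"
DEFAULT_ROLE = "Default"

# Constructed sample policy (hypothetical mappings, not from the guide).
MAC_ROLES = {"00:11:22:33:44:55": "Role A"}
SUBNET_ROLES = {ip_network("10.1.0.0/16"): "Contractor"}
LOGIN_ROLES = {"alice": "Role B", "bob": "Staff"}


def assign_login_role(mac: str, ip: str, login_id: str) -> str:
    """Resolve the normal login role in the documented priority order:
    1. MAC address, 2. subnet/IP address, 3. login information.
    A MAC mapping therefore wins even when the login ID maps elsewhere."""
    if mac.lower() in MAC_ROLES:
        return MAC_ROLES[mac.lower()]
    addr = ip_address(ip)
    for net, role in SUBNET_ROLES.items():
        if addr in net:
            return role
    return LOGIN_ROLES.get(login_id, DEFAULT_ROLE)


def login_flow(mac: str, ip: str, login_id: str, requirements_met: bool,
               seconds_used: int, session_timer: int, scan_enabled: bool,
               scan_found_vulns: bool) -> List[Optional[str]]:
    """Trace the roles a client passes through after authentication.
    The trace starts in the Temporary role; a trailing None means the client
    was removed (cancelled or timed out) and must restart the login."""
    trace: List[Optional[str]] = [TEMP_ROLE]
    # Case b: requirements not met within the role's Session Timer.
    if not requirements_met or seconds_used > session_timer:
        trace.append(None)
        return trace
    # Case c: requirements met, but network scanning finds vulnerabilities.
    if scan_enabled and scan_found_vulns:
        trace.append(QUARANTINE_ROLE)
        return trace
    # Case a: requirements met and (if enabled) scan is clean -> normal role.
    trace.append(assign_login_role(mac, ip, login_id))
    return trace
```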