Cisco Clean Access 3.5

5-5
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 5 User Management: User Roles
Create User Roles
– The user logs in using Clean Access Agent and meets Clean Access Agent requirements, but Clean Access network scanning finds a vulnerability on the user system.
The user has the amount of time configured in the Session Timer for the role to access resources to fix vulnerabilities. If the user cancels or times out, the user is logged out of the quarantine role and must restart the login process. At the next login attempt, the client again goes through the Clean Access process.
When the user fixes vulnerabilities within the time allotted, if Clean Access Agent is used to log in, the user can go through network scanning again during the same session. If web login is used, the user must log out or time out and then log in again for the second network scanning to occur.
Note
When using web login, the user should be careful not to close the Logout page (see ). If the user does not log out but reattempts to log in before the session times out, the user is still considered to be in the original quarantine role and is not redirected to the login page.
Only when the user has met requirements and fixed vulnerabilities is the user allowed network access in the corresponding normal login role. You can map all normal login roles to a single quarantine role, or you can create and customize different quarantine roles. For example, multiple quarantine roles can be used if different resources are required to fix vulnerabilities for particular operating systems. In either case, a normal login role can only be mapped to one quarantine role. After the roles are created, the association between the normal role and quarantine role is set up in the Device Management > Clean Access > General Setup form. See
Session Timeouts
You can limit network access for Clean Access roles with brief session timeouts and restricted traffic policy privileges. The session timeout period is intended to allow users only a minimum amount of time to complete Clean Access checks and get required software packages. A minimal timeout period for Clean Access-related roles:
• Limits the exposure of vulnerable users to the network.
• Prevents users from full network access in the Temporary role. This is to limit users from circumventing rechecks if they fail a particular check, install the required package, restart their computers, but do not manually log out.
Factors in determining the timeout period appropriate for your environment include the network connection speed available to users and the download size of packages you will require.
You can additionally configure a Heartbeat Timer to log off all users if the CAS cannot connect to the clients after a configurable number of minutes. See for further details.
With release 3.5.1 and above, you can configure Max Sessions per User Account for a user role. This allows administrators to limit the number of concurrent machines that can use the same user credentials by restricting the number of login sessions per user to a configured number. If the online login sessions for a username exceed the value specified (1 to 255; 0 for unlimited), the web login page or the Clean Access Agent will prompt the user to end all sessions or end the oldest session at the next login attempt. See for details.
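The following model of the per-user session limit and Session Timer behaviour described above is an added illustration, not code from the Cisco Clean Access product; the class, method and field names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Session:
    username: str
    device: str
    login_time: float  # seconds; clock is supplied by the caller
    role: str


class SessionLimiter:
    """Models Max Sessions per User Account plus the role Session Timer.
    max_sessions: 1-255 caps concurrent logins per username; 0 means unlimited
    (the range the guide documents). session_timeout: seconds a session lives."""

    def __init__(self, max_sessions: int, session_timeout: float):
        if not 0 <= max_sessions <= 255:
            raise ValueError("max_sessions must be 0 (unlimited) or 1-255")
        self.max_sessions = max_sessions
        self.session_timeout = session_timeout
        self.sessions: List[Session] = []

    def expire(self, now: float) -> None:
        """Drop sessions whose Session Timer has elapsed; the user must log in again."""
        self.sessions = [s for s in self.sessions if now - s.login_time < self.session_timeout]

    def active(self, username: str) -> List[Session]:
        return [s for s in self.sessions if s.username == username]

    def login(self, username: str, device: str, now: float,
              role: str = "quarantine", resolve: Optional[str] = None) -> str:
        """Return 'ok' when a session is created, or 'prompt' when the per-user limit
        is reached and the client must answer with 'end_all' or 'end_oldest'."""
        self.expire(now)
        current = self.active(username)
        if self.max_sessions and len(current) >= self.max_sessions:
            if resolve is None:
                return "prompt"  # no new session until the user chooses
            if resolve == "end_all":
                self.sessions = [s for s in self.sessions if s.username != username]
            elif resolve == "end_oldest":
                self.sessions.remove(min(current, key=lambda s: s.login_time))
            else:
                raise ValueError("resolve must be 'end_all' or 'end_oldest'")
        self.sessions.append(Session(username, device, now, role))
        return "ok"
```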