Cisco Clean Access 3.5

Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 11      Clean Access Agent
Create Clean Access Agent Requirements
To implement Clean Access Agent system requirements, you configure the following elements: 
requirements, rules (AV rules or custom rules), and checks (if creating custom rules). 
Requirements basically implement business-level decisions about what users must (or must not) have 
running on their systems to be able to access the network. A requirement maps a rule or set of rules that 
clients in a user role must meet to the remediation action a user must take if the client fails to meet the 
requirement’s rules. When you create a requirement, you configure the remediation instructions you 
want the user to see via Clean Access Agent dialogs when the user fails the requirement. 
A rule is the unit used by the Clean Access Agent to assess whether a requirement is met on a particular 
operating system. A rule can be an AV rule, a Cisco pre-configured rule (pr_rule), or a custom rule made 
up of a check or a combination of checks. 
A check is a single registry, file, service, or application check for a selected operating system, and is used 
to create a custom rule. 
Once a requirement is associated with rules, the final configuration step is to associate the requirement 
to a normal login user role. Users who attempt to authenticate into the normal user role are put into the 
Temporary role until they pass requirements associated with the normal login role. If they successfully 
meet the requirements, the users are allowed on the network in the normal login role. If they fail to meet 
the requirements, users stay in the Temporary role for the session timeout until they take the steps 
described in the Agent dialogs and successfully meet the requirements. 
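The relationship between requirements, rules, checks and roles described above, modelled in Python as an added example (this is not Cisco's code or its configuration format). The AND combination of checks, the fail-closed handling of a client whose operating system matches no rule, and all names, paths and the Employee role are assumptions of this example.

```python
from dataclasses import dataclass

TEMPORARY_ROLE = "Temporary"

@dataclass
class Check:
    """One registry, file, service or application check."""
    kind: str       # "registry", "file", "service" or "application"
    target: str     # key, path, service or application name
    expected: str   # value the client must report
    def passes(self, client):
        return client.get(self.kind, {}).get(self.target) == self.expected

@dataclass
class Rule:
    """Custom rule for one OS. Assumption: all of its checks must pass."""
    os: str
    checks: list
    def passes(self, client):
        return client["os"] == self.os and all(c.passes(client) for c in self.checks)

@dataclass
class Requirement:
    """Maps rules to the remediation text shown when they are not met."""
    rules: list
    remediation: str
    def met(self, client):
        applicable = [r for r in self.rules if r.os == client["os"]]
        # Assumption: no rule for the client's OS means not met (fail closed).
        return bool(applicable) and all(r.passes(client) for r in applicable)

def role_after_assessment(normal_role, requirements, client):
    """Return (role, instructions): Temporary until every requirement is met."""
    failed = [r.remediation for r in requirements if not r.met(client)]
    return (TEMPORARY_ROLE, failed) if failed else (normal_role, [])

# Constructed sample data; product name, path and role are hypothetical.
AV_RUNNING = Requirement(
    rules=[Rule("Windows XP", [
        Check("service", "ExampleAVService", "running"),
        Check("file", r"C:\Program Files\ExampleAV\av.exe", "present")])],
    remediation="Install ExampleAV and start its service.")
CLIENT = {"os": "Windows XP",
          "service": {"ExampleAVService": "stopped"},
          "file": {r"C:\Program Files\ExampleAV\av.exe": "present"}}

if __name__ == "__main__":
    print(role_after_assessment("Employee", [AV_RUNNING], CLIENT))
```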
For out-of-band users, successfully authenticating and meeting requirements allows the users to leave 
the in-band network (on the Auth VLAN) and access the out-of-band network on the Access VLAN. 
To map a requirement to a normal login user role, the role must already be created as described in 
Configure AV Definition Update Requirements 
Release 3.5 provides the AV Definition Update requirement type that can update the virus definition 
files on a client for most antivirus products. If the client fails to meet the AV requirement, the Clean 
Access Agent communicates directly with the installed antivirus software on the client and automatically 
updates the virus definition files when the user clicks the Update button on the Agent dialog. 
AV Rules incorporate extensive logic for 17 antivirus vendors and are associated with AV Definition 
Update requirements. For AV Definition Update requirements, the configuration is similar to that of 
custom requirements, except there is no need to configure checks. You associate the AV Definition 
Update requirement with AV Rule(s) and user roles and operating systems, and configure the Clean 
Access Agent dialog instructions you want the user to see if the AV requirement fails.