Cisco Clean Access 3.5
9-8
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 9 Clean Access Implementation Overview
Clean Access Overview
Role-Based Configuration
Clean Access network protection features are configured for users by role and operating system. The
following user roles are used for Clean Access and must be configured with traffic policies and session
timeout:
• Unauthenticated Role – Default system role for unauthenticated users (Agent or web login) behind
a Clean Access Server. Web login users are in the unauthenticated role while network scanning is
performed.
• Clean Access Agent Temporary Role – Clean Access Agent users are in the Temporary role while
Clean Access Agent requirements are checked on their systems.
• Quarantine Role – Both web login and Agent users are put in the quarantine role when network
scanning determines that the client machine has vulnerabilities.
Note that the Temporary and Quarantine roles are intended to have limited session time and network
access in order for users to fix their systems.
When a user authenticates, either through the web login page or Clean Access Agent, Cisco Clean
Access determines the normal login role of the user and the requirements and/or network scans to be
performed for the role. Cisco Clean Access then performs requirement checking and/or network
scanning as configured for the role and operating system.
Note that while the role of the user is determined immediately after the initial login (in order to
determine the scans or system requirements associated with the user), a user is not actually put into a
normal login role until requirements are met, scanning has occurred and no vulnerabilities are found. If
the client has not met requirements, the user stays in the Clean Access Agent Temporary role until
requirements are met or the session times out. If the user has met requirements but is found with network
scanning vulnerabilities, the user can be assigned to a quarantine role or simply blocked, depending on
the configuration.
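The role-assignment sequence described above, modelled in Python as an added example; this is not code from the Cisco product or from this guide. The policy and client fields, the timeout behaviour (a timed-out Temporary or Quarantine session is assumed to return the user to the unauthenticated role), and the placement of Agent users in the Temporary role while network scanning runs are assumptions made for the model:

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    """User roles named in the guide, plus BLOCKED for the 'simply blocked' outcome."""
    UNAUTHENTICATED = "unauthenticated"
    TEMPORARY = "clean_access_agent_temporary"
    QUARANTINE = "quarantine"
    NORMAL = "normal_login"
    BLOCKED = "blocked"


@dataclass
class RolePolicy:
    """Per-role settings an administrator would configure (field names are assumptions)."""
    agent_required: bool               # require the Clean Access Agent for this role
    quarantine_on_vulnerability: bool  # True: quarantine; False: block the user outright
    temporary_timeout_s: int           # session timeout for the Temporary role
    quarantine_timeout_s: int          # session timeout for the Quarantine role


@dataclass
class ClientState:
    """What the system knows about one client session (constructed model)."""
    login_method: str        # "agent" or "web"
    requirements_met: bool   # Agent requirement checks have passed
    scan_complete: bool      # network scanning has finished
    vulnerabilities: int     # vulnerabilities reported by network scanning
    elapsed_s: int           # seconds spent in the current limited role


def assign_role(policy: RolePolicy, client: ClientState) -> Role:
    """Return the role the client should be in right now."""
    # A role that requires the Agent does not admit web login users.
    if policy.agent_required and client.login_method == "web":
        return Role.UNAUTHENTICATED

    if client.login_method == "agent" and not client.requirements_met:
        # Agent users wait in the Temporary role until requirements are met
        # or the Temporary session times out (assumed to end the session).
        if client.elapsed_s >= policy.temporary_timeout_s:
            return Role.UNAUTHENTICATED
        return Role.TEMPORARY

    if not client.scan_complete:
        # Web login users are scanned from the unauthenticated role; Agent
        # users are assumed to stay in the Temporary role until the scan ends.
        return Role.TEMPORARY if client.login_method == "agent" else Role.UNAUTHENTICATED

    if client.vulnerabilities > 0:
        # Requirements met but vulnerabilities found: quarantine or block,
        # depending on configuration; quarantine is also time-limited.
        if not policy.quarantine_on_vulnerability:
            return Role.BLOCKED
        if client.elapsed_s >= policy.quarantine_timeout_s:
            return Role.UNAUTHENTICATED
        return Role.QUARANTINE

    # Requirements met, scan done, no vulnerabilities: normal login role.
    return Role.NORMAL


def walk_through(policy: RolePolicy) -> list[Role]:
    """Run a set of constructed client states through assign_role."""
    states = [
        ClientState("agent", False, False, 0, 60),   # still fixing requirements
        ClientState("agent", False, False, 0, 900),  # Temporary session timed out
        ClientState("web", False, False, 0, 10),     # web user being scanned
        ClientState("agent", True, True, 2, 30),     # requirements met, scan found 2 issues
        ClientState("agent", True, True, 0, 30),     # clean client
    ]
    return [assign_role(policy, s) for s in states]


if __name__ == "__main__":
    quarantine_policy = RolePolicy(False, True, 300, 600)
    for role in walk_through(quarantine_policy):
        print(role.value)
```

Switching `quarantine_on_vulnerability` to `False` turns the quarantine outcome into a block, which is the configuration choice the paragraph describes; the timeout fields are where the "limited session time" for the Temporary and Quarantine roles is expressed.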
For additional details, see
.
Clean Access Setup Steps
The general summary of steps to set up Clean Access is as follows:
Step 1
Configure Clean Access Agent /Network Scanning per user role and OS in the General Setup tab.
Require use of the Clean Access Agent for a role, enable network scanning web pages for web login
users, and block or quarantine users with vulnerabilities. See
Step 2
Configure the Clean Access-related user roles with session timeout and traffic policies (in-band).
Traffic policies for the quarantine role allow access to the User Agreement Page and web resources for
quarantined users who failed network scanning. Traffic policies for the Clean Access Agent Temporary
role allow access to the resources from which the user can download required software packages. See
.
Step 3
Configure network scanning, or Clean Access Agent scanning, or both.
Step 4
If configuring network scanning, load Nessus plugins to the Clean Access Manager repository. To
enable network scanning, select the Nessus plugins to participate in scanning, then configure scan result
vulnerabilities for the user roles and operating systems. Customize the User Agreement page. See
. Note that the results of network scanning may vary
due to the prevalence of personal firewalls which block any network scanning from taking place.