Cisco Cisco Clean Access 3.5
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 9 Clean Access Implementation Overview
Manage Certified Devices
When a user device passes network scanning or meets Clean Access Agent requirements, the Clean
Access Server automatically adds the MAC address of the device to the Certified List (for users with L2
proximity to the CAS).
Note
Because the Certified List is based on client MAC addresses, the Certified List never applies to users in
L3 deployments.
For network scanning, once on the Certified List, the device does not have to be recertified as long as its
MAC address is in the Certified List, even if the user of the device logs out and accesses the network
again as another user. (Multi-user devices should be configured as floating devices to require
recertification at each login.)
Devices automatically added by Clean Access to the Certified Device list can be cleared manually or
cleared automatically at specified intervals. Because exempt devices are manually added to the list, they
must be manually removed. This means that an exempt device on the Certified List is protected from
being automatically removed when the global Certified Devices Timer form is used to clear the list at
regularly scheduled intervals.
Clearing devices from the Certified List (whether manually or automatically) performs the following
actions:
• Removes IB clients from the In-Band Online Users list and logs them off the network.
• Removes OOB clients from the Out-of-Band Online Users list and bounces their port
(unless port bouncing is disabled for OOB VGW; see
for details).
• Forces client devices to repeat the Clean Access requirements at the next login.
Note that logging either an IB or OOB user off the network from Monitoring > Online Users > View
Online Users does not remove the client from the Certified List. This allows the user to log in again
without forcing the client device to go through network scanning again. Note that for Clean Access
Agent users, devices always go through Clean Access Agent requirements at each login, even if the
device is already on the Certified List.
Note
Because the Certified List displays users authenticated and certified based on known L2 MAC address,
the Certified List does not display information for remote VPN/multihop L3 users. To view authenticated
remote VPN/multihop L3 users, see the In-Band Online Users List. The User MAC field for these users
will display as “00:00:00:00:00:00.”
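The Certified List rules described above can be checked against each other with a small model. This is an added example, not Cisco code: the class and method names are hypothetical, the MAC addresses are constructed, and it assumes every scan or Agent check passes and that floating devices are kept off the list.

```python
from dataclasses import dataclass, field

L3_MAC = "00:00:00:00:00:00"  # User MAC displayed for remote VPN/multihop L3 users

@dataclass
class CertifiedListModel:
    """Hypothetical model of the Certified List behaviour in this section."""
    certified: dict = field(default_factory=dict)  # MAC -> "auto" or "exempt"
    floating: set = field(default_factory=set)     # MACs configured as floating devices
    online: dict = field(default_factory=dict)     # user -> MAC (Online Users list)

    def add_exempt(self, mac):
        # Exempt devices are added manually and must be removed manually.
        self.certified[mac] = "exempt"

    def login(self, user, mac, uses_agent=False):
        """Return True if the device has to be checked at this login."""
        l2 = mac != L3_MAC                       # the list only applies to L2 MACs
        on_list = l2 and mac in self.certified
        # Agent users are checked at every login; floating devices are
        # recertified at every login; everyone else is checked once per MAC.
        must_check = uses_agent or mac in self.floating or not on_list
        if must_check and l2 and mac not in self.floating:
            self.certified.setdefault(mac, "auto")  # assumption: the check passed
        self.online[user] = mac
        return must_check

    def logout_from_online_users(self, user):
        # Ending the session does not touch the Certified List.
        self.online.pop(user, None)

    def clear_with_timer(self):
        """Scheduled clear: removes auto-added entries, keeps exempt ones."""
        removed = {m for m, kind in self.certified.items() if kind == "auto"}
        for mac in removed:
            del self.certified[mac]
        # Cleared devices are also taken off the Online Users list.
        self.online = {u: m for u, m in self.online.items() if m not in removed}
        return removed
```

The model makes the multi-user case visible: a second user on an already certified MAC is not scanned again unless the device is floating or the user runs the Agent.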
For further details on terminating active user sessions, see