Cisco Cisco NAC Appliance 4.1.0
10-6
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 10 Clean Access Implementation Overview
Clean Access Overview
• Built-in AV/AS checking support for major antivirus (AV) and antispyware (AS) vendors. AV/AS
Rule and Requirement configuration facilitates the most common type of checking administrators
need to perform on clients and allows the Agent to automatically detect and update AV and AS
definition files on the client machine. AV/AS product support is kept up-to-date on the CAM through
the use of
.
• Ability to launch qualified/digitally signed executable programs when a client fails a requirement
(4.1.0.0+). See
for details.
• Custom rule and check configuration. Administrators can configure requirements to check clients
for specific applications, services, or registry keys using pre-configured Cisco checks and rules or
by creating their own custom checks and rules.
• Multi-hop L3 in-band (IB) and out-of-band (OOB) deployment support and VPN concentrator/L3
access. You can configure the CAM/CAS/Agent to enable clients to discover the CAS when the
network configuration puts clients one or more L3 hops away from the CAS (instead of in L2
proximity). Single Sign-On (SSO) is also supported when Clean Access is integrated (in-band)
behind Cisco VPN concentrators. For details, see
and
“Integrating with Cisco VPN Concentrators,” or “Configuring Layer 3 Out-of-Band (L3 OOB)” in
the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide.
• Windows Domain Active Directory Single Sign-On. When Windows AD SSO is configured for the
Cisco NAC Appliance, users with the Clean Access Agent already installed can automatically log
into Cisco NAC Appliance when they log into their Windows domain. The client system will be
automatically scanned for requirements with no separate Agent login required. See
for details.
• Automatic DHCP Renew/Release. When the 4.1.0.0+ Clean Access Agent is used for login in OOB
deployments, the Agent will automatically refresh the DHCP IP address if the client needs a new IP
address in the Access VLAN. See
for details.
• Agent logoff with Windows logoff/shutdown. Administrators can enable or disable the Agent to log
off from the Cisco NAC Appliance network when a user logs off the Windows domain or shuts down
a Windows machine. This feature does not apply for OOB deployments.
For complete details on the Agent configuration features mentioned above, see
For details on the features of each version of the Agent, see “Clean Access Agent Version Summary” in
the latest
Clean Access Updates
Regular updates of pre-packaged policies/rules can be used to check the up-to-date status of operating
systems, antivirus/antispyware software, and other client software. Cisco NAC Appliance provides
built-in support for major AV and AS vendors. For complete details, see