Cisco Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 1 Introduction
This guide describes the global configuration and administration of Clean Access Servers and Cisco
NAC Appliance deployment using the Clean Access Manager web admin console.
For a summary of CAS operating modes, see
. For complete details on CAS deployment, see the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide.
For details on OOB implementation and configuration, see
For details on options configured locally on the CAS, such as DHCP configuration, Cisco VPN
Concentrator integration, CAS High-Availability implementation, or local traffic policies, see the Cisco
NAC Appliance - Clean Access Server Installation and Administration Guide.
Clean Access Agent
When enabled for your Cisco NAC Appliance deployment, the Clean Access Agent can ensure that
computers accessing your network meet the system requirements you specify. The Clean Access Agent
is a read-only, easy-to-use, small-footprint program that resides on Windows user machines. When a user
attempts to access the network, the Clean Access Agent checks the client system for the software you
require, and helps users acquire any missing updates or software.
Agent users who fail the system checks you have configured are assigned to the Clean Access Agent
Temporary role. This role gives users limited network access, enough to reach the resources needed to
comply with the Clean Access Agent requirements. Once a client system meets the requirements, it is
considered “clean” and allowed network access.
Managing Users
The Clean Access Manager makes it easy to apply existing authentication mechanisms to users on the
network (
). You can customize user roles to group together and define traffic policies,
bandwidth restrictions, session duration, Clean Access vulnerability assessment, and other policies
within Cisco Clean Access for particular groups of users. You can then use role-mapping to map users
to these policies based on VLAN ID or attributes passed from external authentication sources.
When the Clean Access Server receives an HTTP request from the untrusted network, it checks whether
the request comes from an authenticated user. If not, a customizable secure web login page is presented
to the user. The user submits his or her credentials securely through the web login page, which can then
be authenticated by the CAM itself (for local user testing) or by an external authentication server, such
as LDAP, RADIUS, Kerberos, or Windows NT. If distributing the Clean Access Agent, users download
and install it after the initial web login, then use the Agent after that for login/posture assessment.
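The login check, Agent posture check and role-mapping described above can be modelled as a single decision function. This is an added illustration, not Cisco code or product configuration; the rule format, the rule order, the order of the checks, the `restricted` fallback role and all sample values are assumptions.

```python
from dataclasses import dataclass, field

TEMPORARY_ROLE = "Clean Access Agent Temporary"  # role named in the guide
LOGIN_PAGE = "login-page"     # hypothetical marker: present the web login page
DEFAULT_ROLE = "restricted"   # hypothetical fail-closed role when no rule matches

@dataclass
class Client:
    authenticated: bool
    vlan_id: int
    attributes: dict = field(default_factory=dict)  # from LDAP, RADIUS, etc.
    installed: set = field(default_factory=set)     # software the Agent found

# Constructed mapping rules, first match wins: (kind, key, expected, role)
RULES = [
    ("vlan", None, 30, "guest"),
    ("attr", "memberOf", "cn=faculty,dc=example,dc=edu", "faculty"),
    ("attr", "Class", "students", "student"),
]
REQUIRED = {"antivirus", "os-hotfixes"}  # constructed Agent requirements

def map_role(client):
    """Map a user to a role by VLAN ID or external authentication attribute."""
    for kind, key, expected, role in RULES:
        if kind == "vlan" and client.vlan_id == expected:
            return role
        if kind == "attr":
            value = client.attributes.get(key)
            # Directory attributes such as memberOf can be multi-valued.
            values = value if isinstance(value, (list, tuple, set)) else [value]
            if expected in values:
                return role
    return DEFAULT_ROLE  # no match: never fall through to an open role

def admit(client):
    """Return (role or action, missing requirements) for one request."""
    if not client.authenticated:
        return LOGIN_PAGE, set()
    missing = REQUIRED - client.installed
    if missing:
        return TEMPORARY_ROLE, missing  # limited access until compliant
    return map_role(client), set()
```

When reviewing a real role-mapping configuration, the case worth testing first is the one `DEFAULT_ROLE` covers here: an authenticated, compliant user whose VLAN and attributes match no rule.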