Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 14 Monitoring
Online Users List
Note
When a user device is connecting to Cisco Clean Access from behind a VPN3000/ASA device, the MAC
address of the first physical adapter that is available to the CAS/CAM is used to identify the user on the
Online User List. This may not necessarily be the adapter with which the user is connecting to the
network. Users should disable the wireless interface of their machines when connecting to the network
using the wired (Ethernet card) interface.
Interpreting Active Users
Once logged onto the Cisco NAC Appliance network, an active user session persists until one of the
following events occurs:
• The user logs out of the network through the browser logout page or Clean Access Agent logout.
Once on the network, users can remain logged on after a computer shutdown/restart. A user can log
out of the network using the web logout page or Clean Access Agent logout.
• The Clean Access Agent user logs off Windows or shuts down the Windows machine.
You can configure the CAM and Agent to log off In-Band users only from the Clean Access system
when the user logs off from the Windows domain (i.e. Start->Shutdown->Log off current user) or
shuts down the machine (Start->Shutdown->Shutdown machine).
• An administrator manually drops the user from the network.
The Monitoring > Online Users > View Online Users page (IB or OOB) can be used to drop users
from the network, without deleting their clients from the Certified List.
• The session times out using the Session Timer.
The Session Timer works the same way for multi-hop L3 (IB) deployments as for L2 (IB or OOB)
deployments and is set in User Management > User Roles > Schedule > Session Timer. It is set
per user role, and logs out any user in the selected role from the network after the configured time
has elapsed. For details, see
• The CAS determines that the user is no longer connected using the Heartbeat Timer and the CAM terminates the session.
The Heartbeat Timer applies to L2 IB deployments only and is set for all users regardless of role. It
can be set globally for all Clean Access Servers using the form User Management > User Roles >
Schedule > Heartbeat Timer, or for a specific Clean Access Server using the local form Device
Management > CCA Servers > Manage [CAS_IP] > Misc > Heartbeat Timer. For details, see
The Heartbeat Timer will not function in L3 deployments, and does not apply to OOB users.
However, note that the Heartbeat Timer will work if the CAS is the first hop behind the VPN
concentrator. This is because the VPN concentrator responds to the ARP queries for the IP addresses
of its current tunnel clients.
• The Certified Device list is cleared (automatically or manually) and the user is removed from the network.
The Certified List applies to L2 (IB or OOB) deployments only and can be scheduled to be cleared
automatically and periodically using the global Certified Devices timer form (Device Management
> Clean Access > Certified Devices > Timer). You can manually clear the certified devices for a
specific Clean Access Server from the Certified List using the local form Device Management >
CCA Servers > Manage [CAS_IP] > Filters > Clean Access > Certified Devices, or manually