/en/manuals/1648573/

Table of Contents: Cisco Clean Access Server Installation and Administration Guide (p. 1)

About This Guide (p. 11)
Document Objectives (p. 11)
Audience (p. 11)
Document Conventions (p. 12)
Product Documentation (p. 12)
Obtaining Documentation (p. 12)
Cisco.com (p. 12)
Product Documentation DVD (p. 13)
Ordering Documentation (p. 13)
Documentation Feedback (p. 13)
Cisco Product Security Overview (p. 13)
Reporting Security Problems in Cisco Products (p. 14)
Obtaining Technical Assistance (p. 14)
Cisco Technical Support & Documentation Website (p. 15)
Submitting a Service Request (p. 15)
Definitions of Service Request Severity (p. 15)
Obtaining Additional Publications and Information (p. 16)
Introduction (p. 17)
What Is Cisco Clean Access? (p. 17)
Cisco Clean Access Components (p. 18)
Clean Access Server Features (p. 19)
Installation Requirements (p. 19)
Cisco Clean Access Licensing (p. 19)
CAS Management Pages Summary (p. 20)
Global vs. Local Administration Settings (p. 21)
Priority of Settings (p. 21)
Planning Your Deployment (p. 23)
Overview (p. 23)
Clean Access Server Operating Modes (p. 23)
Real-IP Gateway (p. 24)
Virtual Gateway (p. 25)
NAT Gateway (p. 26)
CAS Operating Mode Summary (p. 26)
Central Versus Edge Deployment (p. 28)
Routed Central Deployment (L2) (p. 28)
Multi-Hop L3 Deployment (p. 30)
Bridged Central Deployment (p. 30)
Edge Deployment (p. 31)
Install the Clean Access Server (p. 33)
Overview (p. 33)
Set Up the Clean Access Server Machine (p. 34)
Virtual Gateway Mode Connection Requirements (p. 35)
Access the CAS Over a Serial Connection (p. 36)
Set Up the Terminal Emulation Console Connection (p. 36)
Install the Clean Access Server Software from CD-ROM (p. 38)
Custom Installation (p. 38)
CD Installation Steps (p. 38)
Perform the Initial Configuration (p. 39)
Configuration Utility Script (p. 39)
Using the Command Line Interface (p. 44)
CAM/CAS Connectivity Across a Firewall (p. 45)
Configuring the CAS Behind a NAT Firewall (p. 45)
Troubleshooting the Installation (p. 46)
Network Interface Card (NIC) Driver Not Supported (p. 46)
Resetting the Clean Access Server Configuration (p. 46)
Clean Access Server Managed Domain (p. 47)
Overview (p. 47)
Add the CAS to the CAM (p. 48)
Add New Server (p. 48)
IP Addressing Considerations (p. 50)
Additional Notes for Virtual Gateway with VLAN Mapping (L2 Deployments) (p. 50)
List of Clean Access Servers (p. 51)
Troubleshooting (p. 51)
Navigating the CAS Management Pages (p. 52)
Network IP Settings for the CAS (p. 53)
IP Form (p. 53)
Change Clean Access Server Type (p. 55)
Switching Between NAT and Real-IP Gateway Modes (p. 55)
Switching Between Virtual Gateway and NAT/Real-IP Gateway Modes (p. 55)
Enable L3 Support for Clean Access Agent (p. 56)
VPN/L3 Access for Clean Access Agent (p. 57)
Configuring Managed Subnets or Static Routes (p. 58)
Overview (p. 58)
Configure Managed Subnets for L2 Deployments (p. 60)
Adding Managed Subnets (p. 60)
Configure Static Routes for L3 Deployments (p. 62)
Configuring Static Routes for Layer 2 Deployments (p. 62)
Add Static Route (p. 63)
Understanding VLAN Settings (p. 64)
Enable Subnet-Based VLAN Retag in Virtual Gateway Mode (p. 65)
VLAN Mapping in Virtual Gateway Modes (p. 66)
VLAN Mapping for In-Band (p. 66)
VLAN Mapping for Out-of-Band (p. 66)
Switch Configuration for Out-of-Band Virtual Gateway Mode (p. 66)
Configure VLAN Mapping for Out-of-Band (p. 67)
To Verify VLAN Mapping for Out-of-Band (p. 68)
Local Device and Subnet Filtering (p. 69)
Configure Device Access Filter Policies (p. 69)
Configure Subnet Access Filter Policies (p. 71)
Configure 1:1 Network Address Translation (NAT) (p. 72)
Configure 1:1 NATing (p. 72)
Configure 1:1 NATing with Port Forwarding (p. 73)
Configure ARP Entries (p. 74)
Add ARP Entry (p. 74)
Configure Proxy Ports (p. 75)
Configuring DHCP (p. 77)
Overview (p. 77)
Enable the DHCP Module (p. 78)
Configure DHCP Mode for the Clean Access Server (p. 78)
Viewing the DHCP Server Startup Message (p. 79)
Configuring IP Ranges (IP Address Pools) (p. 80)
Auto-Generated versus Manually Created Subnets (p. 80)
Subnetting Rules (p. 80)
Create IP Pools Manually (p. 82)
Auto-Generating IP Pools and Subnets (p. 84)
Add Managed Subnet (p. 84)
Create Auto-Generated Subnet (p. 85)
Working with Subnets (p. 88)
View Users by MAC Address/VLAN (p. 88)
View or Delete Subnets from the Subnet List (p. 89)
Edit a Subnet (p. 90)
Reserving IP Addresses (p. 91)
Add a Reserved IP Address (p. 91)
User-Specified DHCP Options (p. 93)
DHCP Global Scope Example (p. 96)
IPSec/L2TP/PPTP/PPP on the CAS (p. 97)
Overview (p. 97)
Enable VPN Policies (p. 98)
Configure IPSec Encryption (p. 99)
Configure L2TP Encryption (p. 102)
Configure PPTP Encryption (p. 104)
Configure PPP (p. 105)
Example Windows L2TP/IPSec Setup (p. 106)
Integrating with Cisco VPN Concentrators (p. 109)
Overview (p. 109)
Single Sign-On (SSO) (p. 110)
Configure Clean Access for VPN Concentrator Integration (p. 112)
Configure User Roles and Clean Access Requirements (p. 112)
Enable L3 Support on the CAS (p. 113)
Add VPN Concentrator to Clean Access Server (p. 114)
Make CAS the RADIUS Accounting Server for VPN Concentrator (p. 114)
Add Accounting Servers to the CAS (p. 115)
Map VPN Concentrator(s) to Accounting Server(s) (p. 116)
Add VPN Concentrator as a Floating Device (p. 116)
Configure Single Sign-On (SSO) on the CAS/CAM (p. 117)
Configure SSO on the CAS (p. 117)
Configure SSO on the CAM (p. 117)
Create (Optional) Auth Server Mapping Rules (p. 118)
Clean Access Agent with VPN Concentrator and SSO (p. 119)
Clean Access Agent L3 VPN Concentrator User Experience (p. 120)
Local Traffic Control Policies (p. 123)
Overview (p. 123)
Extending Global Policies (p. 124)
View Local Traffic Control Policies (p. 125)
Add Local IP-Based Traffic Control Policies (p. 126)
Add / Edit Local IP-Based Traffic Policy (p. 126)
Add Local Host-Based Traffic Control Policies (p. 128)
Add Local Allowed Host (p. 129)
Add Local Trusted DNS Server (p. 129)
View IP Addresses Used by DNS Host (p. 129)
Controlling Bandwidth Usage (p. 131)
Local Authentication Settings (p. 135)
Overview (p. 135)
Local Heartbeat Timer (p. 136)
Local Login Page (p. 137)
Enable Transparent Windows Login (p. 139)
Local Clean Access Settings (p. 141)
Overview (p. 141)
Add Exempt Devices (p. 142)
Clear Exempt Devices (p. 142)
Clear Certified Devices (p. 143)
Specify Floating Devices (p. 144)
Administer the Clean Access Server (p. 147)
Status Tab (p. 147)
Manage SSL Certificates (p. 148)
Generate Temporary Certificate (p. 149)
Export Certificate Request (p. 150)
Import Signed Certificate (p. 151)
Identify DNS Servers on the Network (p. 152)
Synchronize System Clock (p. 153)
Support Logs (p. 154)
Clean Access Server Direct Access Web Console (p. 155)
Implement High Availability (HA) Mode (p. 157)
Overview (p. 157)
Plan Your Environment (p. 158)
Sample HA Configuration (p. 159)
Upgrading an Existing Failover Pair (p. 159)
Before Starting (p. 160)
Selecting and Configuring the Heartbeat UDP Interface (p. 160)
Serial Port High-Availability Connection (p. 160)
Configure High Availability (p. 161)
Configure the Primary Clean Access Server (p. 161)
a. Access the Primary CAS Directly (p. 161)
b. Configure the Host Information for the Primary (p. 162)
c. Configure HA-Primary Mode and Update (p. 162)
d. Configure the SSL Certificate (p. 164)
e. Reboot the Primary Server (p. 166)
Configure the Standby Clean Access Server (p. 167)
a. Access the Standby CAS Directly (p. 167)
b. Configure the Host Information for the Standby (p. 167)
c. Configure HA-Standby Mode and Update (p. 167)
d. Configure the SSL Certificate (p. 169)
e. Reboot the Standby Server (p. 170)
Connect the Clean Access Servers and Complete the Configuration (p. 170)
Test the Configuration (p. 170)
Configure DHCP Failover (p. 171)
To Configure DHCP Failover (p. 171)
Modifying High Availability Settings (p. 174)
To Change IP Settings for a High-Availability Clean Access Server (p. 174)
Upgrading to a New Software Release (p. 177)
General Procedure (p. 177)
New Installation of 3.5(x) (p. 178)
Upgrade Procedure for 3.5(x) (p. 179)
Before You Upgrade (p. 179)
Preparing for Your Upgrade (p. 180)
Upgrading via Web Console (from 3.5.3 and Above Only) (p. 181)
Download the Upgrade File (p. 181)
Upgrade CAS from CAS Management Pages (3.5.5 and above) (p. 182)
Upgrade CAS from CAS Web Console (3.5.3/3.5.4) (p. 184)
Upgrade CAM from CAM Web Console (p. 186)
Upgrading via SSH (p. 188)
Download the Upgrade File and Copy to CAM/CAS (p. 188)
Perform the Upgrade on the CAM (p. 188)
Perform the Upgrade on the CAS (p. 189)
Upgrading High Availability Pairs (p. 190)
Accessing Web Consoles for High Availability (p. 190)
Determining Active and Standby Clean Access Manager (p. 190)
Determining Active and Standby Clean Access Server (p. 190)
Instructions for Upgrading High Availability CAM and CAS (p. 190)
Index (p. 193)

Size: 4.57 MB. Pages: 196. Language: English.
/en/manuals/1601013/

Table of Contents: Cisco Clean Access Manager Installation and Administration Guide (p. 1)

About This Guide (p. 15)
Audience (p. 15)
Document Conventions (p. 15)
Product Documentation (p. 16)
Obtaining Documentation (p. 16)
Cisco.com (p. 16)
Product Documentation DVD (p. 16)
Ordering Documentation (p. 17)
Documentation Feedback (p. 17)
Cisco Product Security Overview (p. 17)
Reporting Security Problems in Cisco Products (p. 18)
Obtaining Technical Assistance (p. 18)
Cisco Technical Support & Documentation Website (p. 19)
Submitting a Service Request (p. 19)
Definitions of Service Request Severity (p. 19)
Obtaining Additional Publications and Information (p. 20)
Introduction (p. 23)
What Is Cisco Clean Access? (p. 23)
Cisco Clean Access Components (p. 24)
Clean Access Manager (CAM) (p. 25)
Clean Access Server (CAS) (p. 26)
Clean Access Agent (p. 26)
Managing Users (p. 27)
Installation Requirements (p. 27)
Cisco Clean Access Licensing (p. 28)
FlexLM Licensing (p. 28)
Evaluation Licenses (p. 31)
Legacy Perfigo License Keys (p. 31)
Overview of Web Admin Console Elements (p. 32)
Clean Access Server (CAS) Management Pages (p. 33)
Admin Console Summary (p. 34)
Installing the Clean Access Manager (p. 37)
Overview (p. 37)
Set Up the Clean Access Manager Machine (p. 38)
Access the CAM Over a Serial Connection (p. 39)
Install the Clean Access Manager Software from CD-ROM (p. 41)
Custom Installation (p. 41)
CD Installation Steps (p. 41)
Perform the Initial Configuration (p. 42)
Configuration Utility Script (p. 42)
Using the Command Line Interface (CLI) (p. 45)
Troubleshooting Network Card Driver Support Issues (p. 46)
CAM/CAS Connectivity Across Firewall (p. 47)
Access the CAM Web Console (p. 47)
Device Management: Adding Clean Access Servers, Adding Filters (p. 49)
Overview (p. 49)
Working with Cisco Clean Access Servers (p. 50)
Add Cisco Clean Access Servers to the Managed Domain (p. 50)
Networking Considerations for CAS (p. 52)
Troubleshooting when Adding the Clean Access Server (p. 52)
Manage the Clean Access Server (p. 53)
Check Clean Access Server Status (p. 53)
Disconnect a Clean Access Server (p. 54)
Reboot the Clean Access Server (p. 54)
Remove the Clean Access Server from the Managed Domain (p. 54)
Global and Local Administration Settings (p. 55)
Global and Local Settings (p. 55)
Global Device and Subnet Filtering (p. 56)
Device Filters for In-Band Deployment (p. 57)
Device Filters for Out-of-Band Deployment (p. 57)
Device Filters and IPSec/L2TP/PPTP Connections to CAS (p. 58)
Device Filters and Gaming Ports (p. 58)
Global vs. Local (CAS-Specific) Filters (p. 58)
Configure Device Filters (p. 58)
Create Global Device Filter (p. 59)
Display / Search Device Filter Policies (p. 60)
Edit Device Filter Policies (p. 61)
Delete Device Filter Policies (p. 61)
Configure Subnet Filters (p. 61)
Switch Management and Cisco Clean Access Out-of-Band (OOB) (p. 63)
Overview (p. 63)
In-Band Versus Out-of-Band (p. 64)
Implementation Requirements (p. 64)
SNMP Control (p. 65)
Deployment Modes (p. 66)
Basic Connection (p. 66)
Out-of-Band Virtual Gateway Deployment (p. 68)
Out-of-Band Real-IP/NAT Gateway Deployment (p. 71)
Configuring Your Network for Out-of-Band (p. 73)
Configure Your Switches (p. 73)
Configuration Notes (p. 73)
Example Switch Configuration Steps (p. 74)
OOB Network Setup / Configuration Worksheet (p. 77)
Configure OOB Switch Management in the CAM (p. 78)
Add Out-of-Band Clean Access Servers and Configure Environment (p. 79)
Configure Group Profiles (p. 81)
Add Group Profile (p. 82)
Edit Group Profile (p. 82)
Configure Switch Profiles (p. 83)
Add Switch Profile (p. 84)
Configure Port Profiles (p. 86)
Add Port Profile (p. 87)
Configure SNMP Receiver (p. 90)
SNMP Trap (p. 90)
Advanced Settings (p. 91)
Add Managed Switch (p. 92)
Add New Switch (p. 93)
Search New Switches (p. 94)
Discovered Clients (p. 95)
Manage Switch Ports (p. 96)
Ports Tab (p. 96)
Ports - MAC Notification (p. 97)
Ports - Linkup/Linkdown (p. 102)
Config Tab (p. 103)
Basic (p. 103)
Advanced (p. 104)
Group (p. 105)
Out-of-Band User List Summary (p. 106)
User Management: User Roles (p. 107)
Overview (p. 107)
Create User Roles (p. 107)
User Role Types (p. 108)
Unauthenticated Role (p. 108)
Normal Login Role (p. 109)
Role Assignment Priority (p. 110)
Clean Access Roles (p. 110)
Session Timeouts (p. 111)
Traffic Policies for Roles (p. 112)
Add New Role (p. 112)
Create a Role (p. 112)
Role Properties (p. 114)
Modify Role (p. 117)
Edit a Role (p. 118)
Delete Role (p. 119)
Create Local User Accounts (p. 119)
Create a Local User (p. 119)
User Management: Auth Servers (p. 121)
Overview (p. 121)
Configure an Authentication Provider (p. 124)
Kerberos (p. 125)
RADIUS (p. 126)
Windows NT (p. 128)
LDAP (p. 129)
Transparent Windows (p. 131)
Implementing Transparent Authentication (p. 131)
Add Transparent Windows Auth Server (p. 132)
Transparent 802.1x (p. 133)
Cisco VPN Server (p. 134)
Authenticating Against Active Directory (p. 136)
AD/LDAP Configuration Example (p. 136)
Map Users to Roles Using Attributes or VLAN IDs (p. 138)
Configure Mapping Rule (p. 139)
Editing Mapping Rules (p. 143)
Test User Authentication (p. 145)
RADIUS Accounting (p. 146)
Enable RADIUS Accounting (p. 146)
Restore Factory Default Settings (p. 147)
Add Data to Login, Logout or Shared Events (p. 147)
Add New Entry (Login Event, Logout Event, Shared Event) (p. 148)
User Pages and Guest Access (p. 151)
User Login Page (p. 151)
Proxy Settings (p. 152)
Add a Global Login Page (p. 153)
Customize Login Page Content (p. 154)
Customize Login Page Styles (p. 156)
Upload a Resource File (p. 157)
Create Content for the Right Frame (p. 158)
Configure Other Login Properties (p. 159)
Redirect the Login Success Page (p. 159)
Specify Logout Page Information (p. 160)
Set Up Guest Access (p. 161)
User Management: Traffic Control, Bandwidth, Schedule (p. 163)
Overview (p. 163)
Global vs. Local Scope (p. 165)
View Global Traffic Control Policies (p. 165)
Add Global IP-Based Traffic Policies (p. 166)
Add IP-Based Policy (p. 166)
Edit IP-Based Policy (p. 168)
Add Global Host-Based Traffic Policies (p. 169)
Add Trusted DNS Server for a Role (p. 170)
Enable Default Allowed Hosts (p. 171)
Add Allowed Host (p. 172)
View IP Addresses Used by DNS Hosts (p. 173)
Control Bandwidth Usage (p. 174)
Configure User Session and Heartbeat Timeouts (p. 176)
Session Timer (p. 176)
Heartbeat Timer (p. 176)
In-Band (L2) Sessions (p. 176)
OOB (L2) and Multihop (L3) Sessions (p. 177)
Session Timer / Heartbeat Timer Interaction (p. 177)
Configure Session Timer (per User Role) (p. 177)
Configure Heartbeat Timer (User Inactivity Timeout) (p. 178)
Configure Policies for Agent Temporary and Quarantine Roles (p. 179)
Configure Clean Access Agent Temporary Role (p. 179)
Configure Session Timeout and Traffic Policies for the Temporary Role (p. 179)
Configure Network Scanning Quarantine Role (p. 180)
Create Additional Quarantine Role (p. 180)
Configure Session Timeout (p. 181)
Configure Traffic Control Policies for the Quarantine Role (p. 182)
Example Traffic Policies (p. 184)
Allowing Authentication Server Traffic for Windows Domain Authentication (p. 184)
Allowing Gaming Ports (p. 184)
Microsoft Xbox (p. 184)
Other Game Ports (p. 185)
Adding Traffic Policies for Default Roles (p. 187)
Troubleshooting Host-Based Policies (p. 189)
Clean Access Implementation Overview (p. 191)
Clean Access Overview (p. 191)
Network Scanning Process (p. 192)
Clean Access Agent Process (p. 192)
Clean Access Agent Download (p. 193)
Clean Access Agent for VPN Users (p. 193)
Clean Access Agent (p. 195)
Network Scanner (p. 196)
Certified List (p. 197)
Role-Based Configuration (p. 198)
Clean Access Setup Steps (p. 198)
General Setup Summary (p. 200)
User Page Summary (p. 203)
Manage Certified Devices (p. 207)
Add Exempt Device (p. 208)
Clear Certified or Exempt Devices Manually (p. 209)
View Clean Access Reports for Certified Devices (p. 209)
View Switch Information for Out-of-Band Certified Devices (p. 209)
Certified Device Timer (p. 210)
Add Floating Devices (p. 211)
Network Scanning (p. 213)
Overview (p. 213)
Network Scanning Implementation Steps (p. 214)
Configure the Quarantine Role (p. 215)
Load Nessus Plugins into the Clean Access Manager Repository (p. 215)
Manually Loading Plugins (p. 216)
Deleting Plugins (p. 217)
Configure General Setup (p. 218)
Apply Plugins (p. 219)
Configure Plugin Options (p. 221)
Configure Vulnerability Handling (p. 222)
Test Scanning (p. 224)
Show Log (p. 225)
View Scan Reports (p. 226)
Customize the User Agreement Page (p. 228)
Clean Access Agent (p. 233)
Summary (p. 233)
Configuration Steps for Clean Access Agent (p. 235)
Enable Clean Access Agent for L3 Deployments (p. 235)
VPN/L3 Access for Clean Access Agent (3.5.3+) (p. 235)
Enable L3 Support for Clean Access Agent (p. 237)
Disabling L3 Capability (p. 238)
Distribute the Clean Access Agent (p. 239)
Distribution Page (p. 239)
Configure Clean Access Agent Auto-Upgrade (p. 241)
Enable Agent Auto-Upgrade on the CAM (p. 242)
Disable Agent Patch Upgrade Distribution to Users (p. 242)
Disable Mandatory Auto-Upgrade on the CAM (p. 242)
User Experience for Auto-Upgrade (p. 242)
Uninstalling the Agent (p. 243)
Agent Setup vs. Agent Upgrade Files (p. 243)
Auto-Upgrade Compatibility (p. 244)
Upgrading Agent to 3.5.1 (p. 245)
Agent Upgrade Through File Distribution Requirement (p. 245)
3.5.0 Agent and Below (p. 246)
Manually Uploading the Agent to the CAM (p. 247)
Retrieve Updates (p. 248)
Require Use of the Clean Access Agent for Role (p. 251)
Configure Network Policy Page (Acceptable Usage Policy) for Agent Users (p. 252)
Configure the Clean Access Agent Temporary Role (p. 253)
Create Clean Access Agent Requirements (p. 254)
Configure AV Definition Update Requirements (p. 254)
AV Rules (p. 255)
Create AV Rule (p. 256)
Verify Agent-AV Support Info (p. 257)
Create AV Definition Update Requirement (p. 258)
Configure Custom Checks, Rules and Requirements (p. 260)
Custom Requirements (p. 260)
Cisco Rules (p. 261)
Cisco Checks (p. 261)
Copying Checks and Rules (p. 261)
Create Custom Check (p. 261)
Registry Check Types (p. 262)
File Check Types (p. 263)
Service Check Type (p. 264)
Application Check Type (p. 265)
Create Custom Rule (p. 266)
Create a Custom Rule (p. 266)
Validate Rules (p. 267)
Create Custom Requirement (p. 269)
Create File Distribution / Link Distribution / Local Check Requirement (p. 269)
Map Rules to Requirement (p. 272)
Apply Requirements to Role (p. 273)
Validate Requirements (p. 274)
Create an Optional Requirement (p. 275)
Access Clean Access Agent Reports (p. 277)
Limiting the Number of Reports (p. 278)
Verify Clean Access Agent User Experience (p. 279)
Troubleshooting (p. 286)
AV Rule Troubleshooting (p. 286)
Enable Debug Logging on the Clean Access Agent (p. 286)
Known Issue for Windows Script 5.6 (p. 287)
Known Issue for MS Update Scanning Tool (KB873333) (p. 288)
Background (p. 288)
Workaround (p. 288)
Monitoring (p. 289)
Overview (p. 289)
Online Users List (p. 291)
Interpreting Active Users (p. 291)
View Online Users (p. 293)
In-Band Users (p. 293)
Out-of-Band Users (p. 294)
View Users by Clean Access Server, Authentication Provider, or Role (p. 296)
Search by User Name, IP, or MAC Address (p. 296)
Log Users Off the Network (p. 296)
Display Settings (p. 297)
Interpreting Event Logs (p. 298)
View Logs (p. 298)
Event Log Example (p. 301)
Limiting the Number of Logged Events (p. 302)
Configuring Syslog Logging (p. 302)
Log Files (p. 302)
SNMP (p. 303)
Enable SNMP Polling/Alerts (p. 304)
Add New Trapsink (p. 305)
Administration (p. 307)
Overview (p. 307)
Network & Failover (p. 308)
Network & Failover Parameters (p. 308)
Set System Time (p. 309)
View Current Time (p. 309)
Modify System Time (p. 310)
Change Time Zone (p. 310)
Manage SSL Certificates (p. 310)
Generate a Temporary Certificate (p. 311)
Export a Certificate Request (p. 311)
Import a Signed Certificate (p. 312)
Troubleshooting Certificate Issues (p. 313)
Private Key in Clean Access Manager Does Not Match the CA-Signed Certificate (p. 313)
Signed Certificate Not Trusted (p. 313)
Regenerating Certificates for DNS Name Instead of IP (p. 313)
Certificate-Related Files (p. 314)
Licensing (p. 315)
Support Logs (p. 316)
Admin Users (p. 317)
Admin Groups (p. 317)
Add a Custom Admin Group (p. 317)
Admin Users (p. 319)
Login / Logout an Admin User (p. 319)
Add an Admin User (p. 319)
Edit an Admin User (p. 320)
Active Admin User Sessions (p. 321)
Manage System Passwords (p. 323)
Change the CAM Web Console Admin Password (p. 323)
Change the CAS Web Console Admin User Password (p. 324)
Back Up the Configuration (p. 324)
Automated Daily Database Backups (p. 325)
Manual Backups from Web Console (p. 325)
Create a Manual Backup (p. 325)
Apply a Configuration from a Downloaded File (p. 326)
Manual Database Backup from SSH (p. 326)
Database Recovery Tool (p. 326)
API Support (p. 328)
Usage Requirements (p. 328)
Authentication Requirement (p. 328)
Guest Access Support (p. 328)
Summary of Operations (p. 329)
Configuring High Availability (p. 331)
Overview (p. 331)
Before Starting (p. 332)
Upgrading an Existing Failover Pair (p. 333)
Connect the Clean Access Manager Machines (p. 333)
Serial Connection (p. 333)
Set Up the Primary Clean Access Manager (p. 334)
Configure the Primary Manager for High Availability (p. 334)
Set Up the Standby Clean Access Manager (p. 337)
Complete the Configuration (p. 338)
Device Management: Roaming (p. 339)
Overview (p. 339)
Requirements (p. 339)
How Roaming Works (p. 340)
Roaming Modes (p. 341)
Before Starting (p. 342)
Setting Up Simple Roaming (p. 343)
Setting Up Advanced Roaming (p. 344)
Monitoring Roaming Users (p. 347)
Upgrading to a New Software Release (p. 349)
General Procedure (p. 349)
New Installation of 3.5(x) (p. 350)
Upgrade Procedure for 3.5(x) (p. 351)
Before You Upgrade (p. 351)
Preparing for Your Upgrade (p. 352)
Upgrading via Web Console (from 3.5.3 and Above Only) (p. 353)
Download the Upgrade File (p. 353)
Upgrade CAS from CAS Management Pages (3.5.5 and above) (p. 354)
Upgrade CAS from CAS Web Console (3.5.3/3.5.4) (p. 356)
Upgrade CAM from CAM Web Console (p. 358)
Upgrading via SSH (p. 360)
Download the Upgrade File and Copy to CAM/CAS (p. 360)
Perform the Upgrade on the CAM (p. 360)
Perform the Upgrade on the CAS (p. 361)
Upgrading High Availability Pairs (p. 362)
Accessing Web Consoles for High Availability (p. 362)
Determining Active and Standby Clean Access Manager (p. 362)
Determining Active and Standby Clean Access Server (p. 362)
Instructions for Upgrading High Availability CAM and CAS (p. 362)
Event Log Messages (p. 365)

Size: 8.97 MB. Pages: 372. Language: English.