Cisco Clean Access Process on a Windows PC
What Networks Require Validation?
We are deploying Cisco Clean Access to the student residential network in the summer 2005 semester.
Why Are We Introducing this Solution Now?
NSUnet experienced numerous virus problems originating from student PCs at the start of the fall 2003 semester. Just prior to move-in weekend, the Blaster worm was introduced. We did not have a solution that could effectively quarantine systems until proven "clean"; thus, many unprotected systems infected NSUnet as soon as they were physically plugged into the network. It has been determined that the best way to prevent this from happening again is to ensure that anti-virus software and critical OS updates/patches are current and maintained.
Users who did connect systems that were current with both OS patches and anti-virus software also suffered delays in Internet and other network access due to the excessive traffic caused by the infected machines.
How Does Cisco Clean Access Work?
Cisco Clean Access will "trap" any network access. The user's web browser is redirected to a web page that instructs the user to download and install the validation client known as "CISCO Clean Access Agent".
Once launched, the client downloads and processes the validation rules. If the computer fails to validate, it is allowed limited network access to the remediation sites only. Once the problems are corrected, full network access is provided and a timer is set for the connection.
The connection remains intact until the timer expires; at that time, the connection is reset and the user must re-validate by launching the client.
What is CISCO Clean Access Agent?
CISCO Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access Server. No information about the user or the content of user files is sent to the server. Each user must use CISCO Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use NSUnet.
What Validation Checks are Being Performed?
Starting summer 2005, we are configuring CISCO Clean Access Agent to validate the following:
- Check for a current release of approved anti-virus software and current virus definitions.
- Check for current Windows OS patches on Windows 98, ME, 2000 and Windows XP machines.
How Long Do the Validation Checks Take?
In our pilot tests to date, the checks take between 15 and 30 seconds.
What is the Process for Changing the Minimum Security Requirements?
As new critical Microsoft updates become available, the security requirements will be updated to reflect the new patches. Typically, we will not immediately set the validation check for the new patches, but allow some time (typically a week) for people to update their systems in due course. If a vulnerability is reported or the threat of a virus storm or worm attack emerges, we will update the validation check immediately and force all users to log on again.
Please note that we may cancel all network connections for a particular subnet in response to an attack. We will only resort to these actions in very urgent conditions.
How Long is the Timer?
There are two timers. The network heartbeat timer controls how long the network connection is valid. The session timer controls how frequently re-validation must occur.
The network heartbeat timer will time out under two conditions.
- The PC has been turned off for more than 30 minutes.
- The PC has been disconnected from the network for more than 30 minutes.
The session timer will time out after 14 days.
How Does a User Re-Validate Before the Timer Expires?
Windows users can log out of the network and then log back in by right-clicking the CISCO Clean Access Agent icon in the system tray and choosing Logout from the pop-up menu. Once the validation is complete, the login process will reconnect the system to the network, and the heartbeat and session timers will be reset.
How Does Validation Work for Macintosh Users?
Macintosh users will be redirected to a web page requesting an NSU UserID and NSU password to authenticate. No client is downloaded to Macintosh systems. The heartbeat and session timers also apply to Macintosh systems; when they expire, you will have to re-authenticate.
How Does Validation Work for Linux Users?
Linux users will be redirected to a web page requesting an NSU UserID and NSU password to authenticate. No client is downloaded to Linux systems. The heartbeat and session timers also apply to Linux systems; when they expire, you will have to re-authenticate.
What About Xboxes, PlayStations, etc.?
The Cisco Clean Access system is set to allow game console play over the Internet. If you experience any problems, please call the Help Desk at x5678.
What Remediation is Available?
- Authentication Failure: If a user's system fails authentication, the user is instructed to provide the correct NSU UserID and NSU Password. If the user has forgotten his/her NSU UserID and/or NSU Password, he/she should visit Microcomputing Services.
- Anti-Virus Failure: The user's system fails this check if none of the three approved antivirus programs is present. The three approved antivirus programs are all versions of Symantec, Trend Micro, and all versions of McAfee. If a user does not have an antivirus program, NSU is providing a free download of the current version of Symantec antivirus. Note: NSU is only able to support and troubleshoot the Symantec antivirus provided by the University.
- Microsoft Windows Patch Failure: If the user's system fails the check for current critical OS patches, the user is instructed to click on the URL for the Microsoft Windows Update site and follow the instructions provided there.
What Happens If an "Infected" System Behaves Badly on the Network?
Cisco Clean Access cannot prevent all infections. In addition, we have experienced denial-of-service attacks originating from within the university network. For those subnets controlled by Cisco Clean Access, the process will be to disconnect the offending system using the management console. Unless the system is demonstrating a vulnerability for which there is no patch, there should be no need to block the physical switch port, as the user will not be able to reconnect until the problem is corrected.
Why do I have to go through this process?
The University is making every effort to make your network experience productive and secure. This will assist us in protecting the network resources and reducing excessive downtime and cleanup efforts due to virus outbreaks and vulnerabilities.
Last spring, students, through no fault of their own in most cases, were not able to access the Internet/NSUnet due to computer virus infections and OS vulnerabilities. From investigations into the causes of the problems experienced, it has been determined that the best way to prevent this from happening again is to ensure that anti-virus software and critical OS updates/patches are current and maintained.
Am I required to install any software on my computer?
All Microsoft Windows computers are required to install the CISCO Clean Access Agent client software to connect to the Internet/NSUnet. You will also be required to use a "university approved" anti-virus program and install all critical Microsoft OS patches and updates.
Complete List of Cisco-approved Antivirus Software
Below is a list of currently supported AntiVirus Solutions supported by the Cisco Clean Access Agent. Please note that this list is subject to change. While all listed antivirus clients are supported by the Clean Access Agent, only the current version of Symantec Antivirus Corporate edition will be supported by the NSU Help Desk.
Windows 2000/XP Supported Antivirus Solutions
Norton/Symantec
- Norton AntiVirus Corporate Edition 7.0 for Windows NT 7.x
- Norton AntiVirus Corporate Edition 7.x
- Symantec AntiVirus Client 8.x
- Symantec AntiVirus 9.x
- Symantec Client Security 9.x
- Norton AntiVirus 2002 Professional Edition 8.x
- Norton AntiVirus 2002 Professional 8.x
- Norton AntiVirus 2002 8.00.x
- Norton AntiVirus 2003 Professional Edition 9.x
- Norton AntiVirus 2003 Professional 9.x
- Norton AntiVirus 2003 9.x
- Norton AntiVirus 10.x
- Norton AntiVirus 2004 Professional Edition 10.x
- Norton AntiVirus 2004 Professional 10.x
- Norton AntiVirus 2004 10.x
- Norton AntiVirus 2004 (Symantec Corporation) 10.x
- Norton AntiVirus 2005 11.0.x
- Norton Internet Security 7.x
- Norton Internet Security 8.0.x
McAfee
- McAfee VirusScan 4.5.x
- McAfee VirusScan 8.x
- McAfee VirusScan 9.x
- McAfee VirusScan 8xxx
- McAfee VirusScan 9xxx
- McAfee VirusScan Enterprise 7.0.x
- McAfee VirusScan Enterprise 7.1.x
- McAfee VirusScan Enterprise 7.5.x
- McAfee VirusScan Enterprise 8.0.x
- McAfee VirusScan Professional Edition 7.x
- McAfee VirusScan Professional 8xxx
- McAfee VirusScan Professional 8.x
- McAfee VirusScan Professional 9.x
Note: McAfee Internet Security and other Security Packages offered by McAfee are not supported at this time.
Trend Micro
- Trend Micro OfficeScan Corporate Edition 5.x
- Trend Micro OfficeScan Corporate Edition 6.x
- PC-cillin 2002 9.x
- PC-cillin 2003 10.x
- Trend Micro PC-cillin 2004 11.x
- Trend Micro Antivirus 11.x
- Trend Micro Internet Security 11.x
- Trend Micro Internet Security 12.x
Windows 98/ME Supported AntiVirus Solutions
Norton/Symantec
- Norton AntiVirus 2002 8.00.x
- Norton AntiVirus 2003 9.x
- Norton AntiVirus 2004 10.x
- Norton AntiVirus 2004 (Symantec Corporation) 10.x
- Norton AntiVirus 10.x
- Norton AntiVirus 2005 11.0.x
- Norton Internet Security 8.0.x
McAfee
- McAfee VirusScan 4.5.x
- McAfee VirusScan Professional Edition 7.x
- McAfee VirusScan Professional 8xxx
Note: McAfee Internet Security and other Security Packages offered by McAfee are not supported at this time.
Trend Micro
- Trend Micro Internet Security 11.x
- Trend Micro Internet Security 12.x
- PC-cillin 2003 10.x
- Trend Micro PC-cillin 2004 11.x
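The posture decision described under "What Validation Checks are Being Performed?" and "What Remediation is Available?" can be modelled as a small policy evaluator. This is an added example, not Cisco's or NSU's code: the client report fields, the vendor-family matching (the real agent matches the exact product and version strings listed above), the seven-day definition-age limit and the placeholder patch identifiers are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Approved antivirus families per Windows generation, condensed from the
# supported-product list above (family only; a hypothetical simplification).
APPROVED_AV = {
    "2000/XP": {"Symantec", "McAfee", "Trend Micro"},
    "98/ME": {"Symantec", "McAfee", "Trend Micro"},
}
# Hypothetical policy values: the current required critical patch set
# (constructed placeholder IDs) and how old definitions may be before they
# no longer count as "current" (the page does not state a number).
REQUIRED_PATCHES = {"KB-PLACEHOLDER-1", "KB-PLACEHOLDER-2"}
MAX_DEFINITION_AGE_DAYS = 7


@dataclass
class ClientReport:
    """Constructed stand-in for what the agent reports to the server."""
    os_family: str                       # "2000/XP" or "98/ME"
    authenticated: bool                  # NSU UserID/password accepted
    av_vendor: Optional[str]             # None if no antivirus installed
    definition_age_days: Optional[int]   # None if unknown
    installed_patches: set = field(default_factory=set)


def evaluate(report: ClientReport) -> dict:
    """Return {'access': 'denied'|'remediation'|'full', 'failures': [...]}.

    Authentication is checked first, as on the page; each remaining failure
    maps to one of the three remediation paths (antivirus or patches)."""
    if not report.authenticated:
        return {"access": "denied", "failures": ["authentication"]}
    failures: List[str] = []
    approved = APPROVED_AV.get(report.os_family, set())
    if report.av_vendor not in approved:
        failures.append("antivirus: install an approved product")
    elif (report.definition_age_days is None
          or report.definition_age_days > MAX_DEFINITION_AGE_DAYS):
        failures.append("antivirus: update virus definitions")
    missing = REQUIRED_PATCHES - report.installed_patches
    if missing:
        failures.append("patches: missing " + ", ".join(sorted(missing)))
    # Any failure leaves the PC with remediation-site access only.
    access = "remediation" if failures else "full"
    return {"access": access, "failures": failures}
```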
What is CISCO Clean Access Agent?
CISCO Clean Access Agent is an application that will check certain security settings on your Windows PC to make sure that your system is up-to-date with required security patches and report this status to the server. No information about you is sent to the server. You must use CISCO Clean Access Agent on your Microsoft Windows PC in order to authenticate and use the Internet/NSUnet. The currently required security settings are a "university approved" anti-virus program with current definitions, and all critical Microsoft OS patches and updates.
When do I have to log in? How often do I have to log in?
Three things can occur that will require you to log in again.
- Your machine remains powered off or disconnected from the network for more than 30 minutes.
- Your login expires after 14 days of continual activity.
- You choose to log off using the Cisco Clean Access Agent.
We recommend that you logoff every 5-7 days to prevent an unexpected disconnection.
How will I know when my login session expires?
On Microsoft Windows clients, the Cisco Clean Access Agent will proactively notify you that your network connection will time out shortly. In addition, you will know that your login session has expired when your browser redirects you to the login page. Other indications that your network connection has been terminated are:
- Email may fail to send or receive.
- Instant messaging fails or suddenly stops working.
- File downloads may suddenly stop.
- Browser may be redirected to login page.
If you choose "logout" from CISCO Clean Access Agent, your login session ends.
Non-Microsoft Windows users will not receive any notification of an expired login session. You may see some of the same indicators listed above if your login session has expired.
A screen just popped up saying my connection will time out shortly, what should I do?
This message is displayed when the login session is close to expiring. To prevent loss of data and an unplanned interruption of network access, please save all unsaved data, then log off and back on using the Cisco Clean Access Agent.
Each time I try to use my computer to access the Internet, my browser tells me that I need to log in. Why do I have to log in so frequently?
Many computers are configured to "sleep" when not in use. If your computer is set this way, you will be logged off the network and must authenticate again to regain access each time your computer "sleeps" for more than 10 minutes.
How do I tell if I am already logged in?
The best way is to try to go to an Internet site. In most cases, if you are ABLE to access a website such as www.google.com, you are online and logged in.
How do I tell if I am Quarantined/Unauthenticated?
The best way is to try to go to an Internet site. In most cases, if you are UNABLE to access an external site, such as www.google.com, you are Unauthenticated or might be Quarantined (the CISCO Clean Access Agent should indicate this status). On a Microsoft Windows PC, you will need to finish the validation process, or on a non-Microsoft Windows computer, you will need to login using your NSU UserID and NSU password.
I use a personal firewall; will this cause a problem?
In most cases, a personal firewall will work fine. Depending upon the firewall product, you may receive several pop-up windows requesting "ok to proceed". Some of the personal firewalls are:
- Windows XP (built-in firewall)
- BlackIce
- Zone Alarm
- Sygate