CISCO Clean Access Agent

Frequently Asked Questions

CISCO Clean Access Agent -- Network Validation Solution

Last updated July 15, 2005

Key Terms

NSUnet: NSU's internal network (Intranet).  

Authentication: The process of verifying your access to the network by confirming your username and password and associating it with your computer.

Validation: The process of confirming that certain security measures are in place on your computer.

Validation Solution: The process of ensuring that your computer meets the requirements to access NSUnet and the Internet.

Quarantine: The role a computer is placed in if it fails validation. In this role, the user will only be able to access sites that will allow them to complete validation.

Trap: The process of examining network traffic to prevent computers that have not been validated from connecting to NSUnet/Internet.

Student Residential Network: Seminary Suites, Family Housing, and Residence Halls.

Remediation Sites: Web sites from which the requesting PC may download software required to meet the minimum security standards.

Minimum Security Standards: All Microsoft Critical Updates must be installed and approved antivirus software with the latest updates must be installed and running.

OS: Operating System - software that controls the execution of computer programs and may provide various services (e.g., Windows XP/2000/98/ME, Macintosh OSX, Linux, etc.)

University Approved Antivirus software: Approved antivirus programs are Symantec (all versions), Trend Micro, and McAfee (all versions). Note: NSU is only able to support and troubleshoot the Symantec antivirus provided by the University.

Session Timer: Controls how frequently re-validation must occur.

Heartbeat Timer: Controls how long the network connection is valid.

Cisco Clean Access Agent: A software agent which downloads and processes the validation rules.

Cisco System: Software provided by CISCO Systems, Inc. that performs network validation and checks the PC for standard security software.

Frequently Asked Questions

What is Cisco Clean Access?

Clean Access is a solution provided by CISCO Systems, Inc. that performs network validation and checks the PC for standard security software necessary to access NSUnet. The software performs the following functions:

•  Requires users to authenticate (log in) to access NSUnet.

•  Validates whether the system connecting to NSUnet meets the minimum security standards.

•  Quarantines the system until it meets the minimum security standards.

•  Provides access to the remediation sites.

•  Once the system is validated as "clean," allows access to NSUnet.

Cisco Clean Access Process on a Windows PC


What Networks Require Validation?

We are deploying Cisco Clean Access to the student residential network in the summer 2005 semester.

Why Are We Introducing this Solution Now?

NSUnet experienced numerous virus problems originating from student PCs at the start of the fall 2003 semester. Just prior to move-in weekend, the Blaster worm was introduced. We did not have a solution that could effectively quarantine systems until proven "clean"; thus, many unprotected systems infected NSUnet as soon as they were physically plugged into the network. It has been determined that the best way to prevent this from happening again is to ensure that virus software and OS critical updates/patches are current and maintained.

Users who did connect systems that were current with both OS patches and anti-virus software also suffered delays in Internet and other network access due to the excessive traffic caused by the infected machines.

How Does Cisco Clean Access Work?

Cisco Clean Access will "trap" any network access. The user's web browser is redirected to a web page that instructs them to download and install the validation client known as "CISCO Clean Access Agent".

Once launched, the client downloads and processes the validation rules. If the computer fails to validate, it is allowed limited network access to the remediation sites. Once the problems are corrected, full network access is provided and a timer is set for the connection.

The connection remains intact until the timer expires; at that time, the connection is reset and the user must re-validate by launching the client.

What is CISCO Clean Access Agent?

CISCO Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access Server. No information about the user or the content of user files is sent to the server. Each user must use CISCO Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use NSUnet.

What Validation Checks are Being Performed?

Starting summer 2005, we are configuring CISCO Clean Access Agent to validate the following:

•  Check for current release of approved anti-virus software and current virus definitions.

•  Check for current Windows OS Patches for Windows 98, ME, 2000 and Windows XP machines.

How Long Do the Validation Checks Take?

In our pilot tests to date, the checks take between 15 and 30 seconds.

What is the Process for Changing the Minimum Security Requirements?

As new critical Microsoft updates become available, the security requirements will be updated to reflect the new patches. Typically, we will not immediately set the validation check for the new patches, but allow some time (typically a week) for people to update their systems in due course. If a vulnerability is reported or the threat of a virus storm or worm attack emerges, we will update the validation check immediately and force all users to re-logon.

Please note that we may cancel all network connections for a particular subnet in response to an attack. We will only resort to these actions in very urgent conditions.

How Long is the Timer?

There are two timers. The network heartbeat timer controls how long the network connection is valid. The session timer controls how frequently re-validation must occur.

The network heartbeat timer will time out under two conditions.

  1. The PC has been turned off for more than 30 minutes.
  2. The PC has been disconnected from the network for more than 30 minutes.

The session timer will time out after 14 days.
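The two timers and the validation result together decide what a computer may reach. The following Python sketch is an added illustration of that decision, not Cisco's or NSU's code; the names `Posture`, `Session` and `role_for`, the role label "full-access", and the treatment of exactly 14 days as expired are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Limits taken from this FAQ.
HEARTBEAT_LIMIT = timedelta(minutes=30)  # off or disconnected for more than 30 minutes
SESSION_LIMIT = timedelta(days=14)       # re-validation required after 14 days


@dataclass
class Posture:
    """Result of the agent's checks (field names are hypothetical)."""
    av_approved_running: bool
    av_definitions_current: bool
    critical_updates_installed: bool

    def meets_minimum(self) -> bool:
        # Minimum Security Standards: every check must pass.
        return (self.av_approved_running
                and self.av_definitions_current
                and self.critical_updates_installed)


@dataclass
class Session:
    login_time: datetime      # when the user last authenticated
    last_heartbeat: datetime  # last time the PC was seen on the network
    posture: Posture


def role_for(session: Optional[Session], now: datetime) -> str:
    """Return 'unauthenticated', 'quarantine' or 'full-access'."""
    if session is None:
        return "unauthenticated"            # never logged in: traffic is trapped
    if now - session.last_heartbeat > HEARTBEAT_LIMIT:
        return "unauthenticated"            # heartbeat timer expired
    if now - session.login_time >= SESSION_LIMIT:
        return "unauthenticated"            # session timer expired (assumed inclusive)
    if not session.posture.meets_minimum():
        return "quarantine"                 # remediation sites only
    return "full-access"


def demo() -> list:
    """Constructed sample sessions evaluated at a fixed, constructed time."""
    now = datetime(2005, 7, 15, 12, 0)
    clean = Posture(True, True, True)
    stale_av = Posture(True, False, True)
    samples = [
        Session(now - timedelta(days=1), now - timedelta(minutes=5), clean),
        Session(now - timedelta(days=1), now - timedelta(minutes=31), clean),
        Session(now - timedelta(days=14), now - timedelta(minutes=1), clean),
        Session(now - timedelta(hours=2), now - timedelta(minutes=1), stale_av),
    ]
    return [role_for(s, now) for s in samples]


if __name__ == "__main__":
    print(demo())
```

Timer expiry is checked before posture, so a computer that was powered off for more than 30 minutes must log in again even if its antivirus and patches are current.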

How Does a User Re-Validate Before the Timer Expires?

Windows users can log out from the network and then log back in. To log out, right-click the CISCO Clean Access Agent icon in the system tray and choose Logout from the pop-up menu. Once the validation is complete, the login process will reconnect the system to the network, and the heartbeat and session timers will be reset.

 

How Does Validation Work for Macintosh Users?

Macintosh users will be redirected to a web page requesting an NSU UserID and NSU password to authenticate. There is no client that is downloaded to Macintosh systems. The heartbeat and session timers for Macintosh systems are set. When they expire, you will have to re-authenticate.

How Does Validation Work for Linux Users?

Linux users will be redirected to a web page requesting an NSU UserID and NSU password to authenticate. There is no client that is downloaded to Linux systems. The heartbeat and session timers for Linux systems are set. When they expire, you will have to re-authenticate.

What About Xboxes, PlayStations, etc.?

The Cisco Clean Access system is set to allow game console play over the internet. If you experience any problems, please call the Help Desk at x5678.

What Remediation is Available?

What Happens If an "Infected" System Behaves Badly on the Network?

Cisco Clean Access cannot prevent all infections. In addition, we have experienced denial-of-service attacks originating from within the university network. For those subnets controlled by Cisco Clean Access, the process will be to disconnect the offending system using the management console. Unless the system is demonstrating a vulnerability for which there is no patch, there should be no need to block the physical switch port, as the user will not be able to reconnect until the problem is corrected.

 

Why do I have to go through this process?

The University is making every effort to make your network experience productive and secure. This will assist us in protecting the network resources and reducing excessive downtime and cleanup efforts due to virus outbreaks and vulnerabilities.

Last spring, students, through no fault of their own in most cases, were not able to access the Internet/NSUnet due to computer virus infections and OS vulnerabilities. From investigations into the causes of the problems experienced, it has been determined that the best way to prevent this from happening again is to ensure that virus software and OS critical updates/patches are current and maintained.

Am I required to install any software on my computer?

All Microsoft Windows computers are required to install the CISCO Clean Access Agent client software to connect to the Internet/NSUnet. You will also be required to use a "university approved" anti-virus program and install all critical Microsoft OS patches and updates.

Complete List of Cisco-approved Antivirus Software

Below is a list of the antivirus solutions currently supported by the Cisco Clean Access Agent. Please note that this list is subject to change. While all listed antivirus clients are supported by the Clean Access Agent, only the current version of Symantec Antivirus Corporate edition will be supported by the NSU Help Desk.

Windows 2000/XP Supported Antivirus Solutions
Norton/Symantec
Norton AntiVirus Corporate Edition 7.0 for Windows NT 7.x
Norton AntiVirus Corporate Edition 7.x
Symantec AntiVirus Client 8.x
Symantec AntiVirus 9.x
Symantec Client Security 9.x
Norton AntiVirus 2002 Professional Edition 8.x
Norton AntiVirus 2002 Professional 8.x
Norton AntiVirus 2002 8.00.x
Norton AntiVirus 2003 Professional Edition 9.x
Norton AntiVirus 2003 Professional 9.x
Norton AntiVirus 2003 9.x
Norton AntiVirus 10.x
Norton AntiVirus 2004 Professional Edition 10.x
Norton AntiVirus 2004 Professional 10.x
Norton AntiVirus 2004 10.x
Norton AntiVirus 2004 (Symantec Corporation) 10.x
Norton AntiVirus 2005 11.0.x
Norton Internet Security 7.x
Norton Internet Security 8.0.x
McAfee
McAfee VirusScan 4.5.x
McAfee VirusScan 8.x
McAfee VirusScan 9.x
McAfee VirusScan 8xxx
McAfee VirusScan 9xxx
McAfee VirusScan Enterprise 7.0.x
McAfee VirusScan Enterprise 7.1.x
McAfee VirusScan Enterprise 7.5.x
McAfee VirusScan Enterprise 8.0.x
McAfee VirusScan Professional Edition 7.x
McAfee VirusScan Professional 8xxx
McAfee VirusScan Professional 8.x
McAfee VirusScan Professional 9.x
Note: McAfee Internet Security and other Security Packages offered by McAfee are not supported at this time.
Trend Micro
Trend Micro OfficeScan Corporate Edition 5.x
Trend Micro OfficeScan Corporate Edition 6.x
PC-cillin 2002 9.x
PC-cillin 2003 10.x
Trend Micro PC-cillin 2004 11.x
Trend Micro Antivirus 11.x
Trend Micro Internet Security 11.x
Trend Micro Internet Security 12.x
Windows 98/ME Supported AntiVirus Solutions
Norton AntiVirus 2002 8.00.x
Norton AntiVirus 2003 9.x
Norton AntiVirus 2004 10.x
Norton AntiVirus 2004 (Symantec Corporation) 10.x
Norton AntiVirus 10.x
Norton AntiVirus 2005 11.0.x
Norton Internet Security 8.0.x
McAfee VirusScan 4.5.x
McAfee VirusScan Professional Edition 7.x
McAfee VirusScan Professional 8xxx
Note: McAfee Internet Security and other Security Packages offered by McAfee are not supported at this time.
Trend Micro Internet Security 11.x
Trend Micro Internet Security 12.x
PC-cillin 2003 10.x
Trend Micro PC-cillin 2004 11.x

What is CISCO Clean Access Agent?

CISCO Clean Access Agent is an application that will check certain security settings on your Windows PC to make sure that your system is up-to-date with required security patches and report this status to the server. No information about you is sent to the server. You must use CISCO Clean Access Agent for your Microsoft Windows PC in order to authenticate and use the Internet/NSUnet. Current required security settings include "university approved" anti-virus program and current definitions, critical Microsoft OS patches and updates.

When do I have to login? How often do I have to login?

Three things can occur that will require you to login.

  1. Your machine remains powered off or disconnected from the network for more than 30 minutes.
  2. Your login will expire after 14 days of continual activity.
  3. You choose to log off using the Cisco Clean Access Agent.

We recommend that you log off every 5-7 days to prevent an unexpected disconnection.

How will I know when my login session expires?

On Microsoft Windows clients, the Cisco Clean Access Agent will proactively notify you that your network connection will time out shortly. In addition, you will know that your login session has expired when your browser redirects you to the login page. Other indications that your network connection has been terminated are:

If you choose "logout" from CISCO Clean Access Agent, you expire your login session.

Non-Microsoft Windows users will not receive any notification of an expired login session. You may see some of the same indicators listed above if your login session has expired.

A screen just popped up saying my connection will time out shortly, what should I do?

This message is displayed when the login session is close to expiring. To prevent loss of data and unplanned interruption of network access, please save all unsaved data, then log off and back on using the Cisco Clean Access Agent.

Each time I try to use my computer to access the Internet, my browser tells me that I need to login. Why do I have to login frequently?

Many computers are configured to "sleep" when not in use. If your computer is set this way, you will be logged off the network and must authenticate to regain access each time your computer "sleeps" more than 10 minutes.

How do I tell if I am already logged in?

The best way is to try to go to an Internet site. In most cases, if you are ABLE to access a website such as www.google.com, you are online and logged in.

How do I tell if I am Quarantined/Unauthenticated?

The best way is to try to go to an Internet site. In most cases, if you are UNABLE to access an external site, such as www.google.com, you are Unauthenticated or might be Quarantined (the CISCO Clean Access Agent should indicate this status). On a Microsoft Windows PC, you will need to finish the validation process, or on a non-Microsoft Windows computer, you will need to login using your NSU UserID and NSU password.

I use a personal firewall; will this cause a problem?

In most cases, a personal firewall will work fine. Depending upon the firewall product, you may receive several pop-up windows requesting "ok to proceed". Some of the personal firewalls are:

Troubleshooting

I cannot access the login page. I get the redirection page but then my browser gives an error and stops.

Generally, this is caused by an encryption (SSL) problem with your browser. Encryption is required for authentication to complete. Try another browser if you are unable to correct the problem with the first browser. (IE -> Netscape; Netscape -> IE). Usually, Netscape has fewer encryption problems.

I am unable to ping the default gateway address; should I not be able to do this?

No, you will not be able to ping the default gateway. This is normal. Until you are completely logged in you will not be able to ping any address.

What am I allowed to access when Unauthenticated or Quarantined?

For the most part, remediation and help sites such as http://windowsupdate.microsoft.com, antivirus update sites, and NSU resources like dorm-sav, and netnotes.

I'm on a Macintosh or Linux machine. I've opened my browser but I am not redirected to a login page. What do I do?

You must try to go to a non-local site such as www.google.com.

I'm on a Windows machine. Sometimes I can login using the web page and at other times, the web page tells me that I must use CISCO Clean Access Agent, why?

It depends on when your computer was last "validated" to the network. You can always use the CISCO Clean Access Agent client.

I am able to access the Internet but the CISCO Clean Access Agent still allows me to "login". Am I logged in?

Yes, the CISCO Clean Access Agent may not always detect your network status. If you can access normal Internet sites such as www.google.com, then you are authenticated.

I am NOT able to access the Internet but the CISCO Clean Access Agent only allows me to "logout". What's going on?

The CISCO Clean Access Agent may not always detect your network status. Please choose "logout" and then choose "login".

How do I logout?

Currently, the only way to manually log out is to use the CISCO Clean Access Agent "logout" feature. Right-click the CISCO Clean Access Agent icon in the system tray and choose logout. The CISCO Clean Access Agent icon appears as follows in the system tray: [image: Cisco CAA systray icon]

I do not have a "logout" option in CISCO Clean Access Agent.

The CISCO Clean Access Agent does not always detect your network status. Once you login through the CISCO Clean Access Agent, you will have the "logout" feature.

Can I update Windows before I login?

Yes. You should be able to go to http://windowsupdate.microsoft.com. You may not be able to use the direct link in your browser or on your desktop. This is normal.

Why, when I run Windows Update, do I get a message stating that the product key used to install windows is invalid?

Windows Update will fail if your Windows OS is not properly licensed. You must have a legal copy of the operating system to connect to the university network.

Can I update McAfee before I have logged in?

Yes. The best way is to "tell" McAfee to update/upgrade now.

Do I have to use the CISCO Clean Access Agent client?

Yes. All Windows PCs are required to use CISCO Clean Access Agent for network access.

What happens if I uninstall the CISCO Clean Access Agent client?

You will be required to reinstall the client to re-authenticate when your login expires.

The CISCO Clean Access Agent client does not offer a "login," just a "logout," and the web page tells me that I must now use CISCO Clean Access Agent to login; what do I do?

The CISCO Clean Access Agent does not always detect your network status. Please choose "logout", and then you will have the "login" feature.

I keep trying to install the CISCO Clean Access Agent but it tells me that I can either Modify/Repair or Remove the program. Why is this?

CISCO Clean Access Agent is currently installed on your machine. You do not need to install it again.

How do I know CISCO Clean Access Agent is running?

Look in the "System Tray" for the Cisco CAA icon in the lower right corner near the time display. You may need to select the "<<" to expand the list and show CISCO Clean Access Agent.

I do not see the CISCO Clean Access Agent icon in my system tray; what do I do?

There are a few possibilities:

1. CISCO Clean Access Agent has not been installed.

-> Please install CISCO Clean Access Agent to continue.

2. CISCO Clean Access Agent has been installed but you did not select "Launch" at the end of the installation.

-> From the "Start" menu, choose "Programs", then "Cisco", then "Clean Access", then "Clean Access Agent" to launch the program.

3. CISCO Clean Access Agent is "hidden" in the Systray.

-> Please click on "<<" to expand the system tray list and show CISCO Clean Access Agent, then login.

4. Your computer has a problem showing Systray icons.

-> You may be able to use Task Manager to halt CISCO Clean Access Agent and then launch it again.

5. CISCO Clean Access Agent is installed but not running.

-> From the "Start" menu, choose "Programs", then "Cisco", then "Clean Access", then "Clean Access Agent" to launch the program.

Why don't my network games work any more?

The recent network upgrade now performs address translation; this may be interfering with network games. Please call the Help Desk at x5678 and provide them the name of the game. We will do our best to accommodate network games on a case-by-case basis.