Saturday, December 22, 2007

NEW 4.1(3) Feature - Cisco NAC Web Agent


One of the much waited for features in the NAC 4.1(3) release is the NAC Web Agent. "The Cisco NAC Web Agent provides temporal vulnerability assessment for client machines. Users launch the Cisco NAC Web Agent executable, which installs the Web Agent files in a temporary directory on the client machine via ActiveX control or Java applet. When the user terminates the Web Agent session, the Web Agent logs the user off of the network and their user ID disappears from the Online Users list."

In short, it is a temporary agent that gives the ability to have a detailed posture assessment performed on a machine that it is not desired to or can't install software on.

Figure 1 – Cisco NAC Web Agent

The Spotlight:

The NAC Web Agent is a great addition to the capabilities of Cisco NAC Portfolio.
The following is a functionality to agent type(CAA vs. Web Agnet) comparison. It includes some of the major benefits of each agent type to give everyone a better idea of where the new NAC Web Agent fits into their deployment.

Cisco Clean Access Agent

- Favorable end user experience - After the CAA is installed, the user does NOT have to open up a web browser every time NAC has to perform Authentication and Posture Assessment.

- Active Directory SSO - Without the CAA, internal users cannot perform ADSSO.

- Automatic Remediation - CAA walks users step-by-step through what they need to do to become compliant.

Cisco NAC Web Agent

- No Administrative Rights Required -
The Web Agent only requires the rights to run Java or Active-X by the browser for it to successfully install and perform posture assessment. Some guests/visitors do not have the administrator rights necessary to install the full blown CAA, which makes the Web Agent very attractive.

- No permanent software installation - Using the Web agent takes away any chance of someone complaining of the software they downloaded at your location is the reason their computer crashed.

- Detailed Posture Assessment - The Web Agent can perform the same exact checks(Registry, File, Service, and Application) as the CAA. The only caveat is that the remediation is a manual process. The administrator may present a link to the user, but after remediation the user must click "Re-Scan" to be permitted access.

- Scan cannot be blocked by a personal firewall - As basic as this sounds, the Network Scanning capability is used a lot in the field to perform scans of guests and contractors. The problem is that a majority of users today are running some form of personal firewall rendering the network scanning useless. The NAC Web Agent is run locally on the machine to enforce posture assessment, which puts network scanning on the back burner.

Configuring Cisco NAC Web Agent:

The good news is if you have ever configured posture assessment for the CAA, then you have already configured posture assessment for the Cisco NAC Web Agent. For more information on configuring Posture Assessment, check out the CAM Installation & Configuration Guide or Cisco NAC Chalk Talk 5. The only background that should be mentioned is when creating requirements for the Web Agent it is a best practice to use a Link type requirement, so that the end user can click on the appropriate link to remediate.

The first step to enabling the web agent is to create a or modify your existing User Page. The most important option is the "Web Client (ActiveX/Applet)" setting which tells NAC which type of web agent to use or prefer. e.g. Active X or Java

The next step is to require the use of the Web Agent for the relevant Roles.

Figure 2 – Require the use of the Cisco NAC Web Agent
The final step is to assign requirements to the roles that requires the web agent.

The end user experience:

Figure 3 – Cisco NAC Web Agent end user process flow


The Cisco NAC Web Agent is definitely going to be a highly used feature in most Cisco NAC deployments. It is fairly straight forward to understand and configure. I encourage everyone to check it out along with all the great new features in 4.1(3).

Sources: 4.1(3) Release Notes; 4.1(3) CAM Installation & Configuration Guide

Friday, December 21, 2007

NAC Version 4.1(3)

4.1.3 is available and you can download it here:

Cisco NAC Appliance Software Download Page
Requires a valid Smartnet contract in order to download

4.1.3 Release Notes
As with all NAC Upgrades, the release notes are extremely important!

4.1.3 CAM Installation & Configuration Guide

4.1.3 CAS Installation & Configuration Guide

Enhancements in Release 4.1(3)

General Enhancements

Cisco NAC Web Agent

Support for Clients with Multiple Active NICs

Clean Access Server HA Heartbeat Link Enhancement

Clean Access Manager HA Configuration and Heartbeat Link Enhancements

Guest User Login and Registration Enhancements

LDAP Authentication Enhancement

Clean Access Server and WSUS Interaction Enhancement

Agent Restricted User Access Enhancement

Device Filter List Display and Import/Export Enhancement

Agent Report Information Display and Export Enhancement

VPN SSO Login Enhancement

Syslog Configuration Enhancement

Debug Log Download Enhancement

cisco_api.jsp Enhancement

CSRF Protection

Proxy Support Enhancements

ARP Broadcast Packet Handling Improvement

Clean Access Server HA ARP Broadcast Enhancement

Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature

Previously-Deprecated Features Removed from CAM/CAS Web Console Pages

Supported AV/AS Product List Enhancements (Version 67)

Out-of-Band Enhancements

Access to Authentication VLAN Change Detection Enhancement

SNMP Inform Notification Enhancement

SNMP "MAC Move Notification" Switch Port Configuration Support

Clean Access Agent Enhancements

Clean Access Agent Auto Remediation

Windows Clean Access Agent Version

Mac OS X Clean Access Agent Version

Look out for more detailed explainations and configuration examples from the new features and functionality.