
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(1)

Table Of Contents

Release Notes for Cisco NAC Appliance (Cisco Clean Access) for Version 4.1(1)

Contents

Cisco NAC Appliance Releases

Cisco NAC Appliance Service Contract/Licensing Support

System and Hardware Requirements

System Requirements

Hardware Supported

Release 4.1(1) and NAC-3300 Series Appliances

Important Installation Information for NAC-3310

Additional Hardware Support Information

Supported Switches for Cisco NAC Appliance

VPN Components Supported for Single Sign-On (SSO)

Software Compatibility

Software Compatibility Matrixes

Release 4.1(1) Compatibility Matrix

Release 4.1(1) CAM/CAS Upgrade Compatibility Matrix

Release 4.1(1) Agent Upgrade Compatibility Matrix

Determining the Software Version

Clean Access Manager (CAM) Version

Clean Access Server (CAS) Version

Clean Access Agent Versioning

Cisco Clean Access Updates Versioning

New and Changed Information

Enhancements in Release 4.1(1)

General Enhancements

Support for Windows Vista Operating System

RADIUS Challenge-Response Support

Layer 2 Traffic Policy Support

Multiple Active Directory Server Support in AD SSO

Restricted Administrator Web Console Options Hidden from View

Proxy Server Basic/Digest/NTLM Authentication Support

VLAN Profiles

VLAN Pruning

Event Logs Enhancement

Agent Report Retrieval API Operation

Supported AV/AS Product List Enhancements (Version 59)

Out-of-Band Enhancements

Out-of-Band IP Refresh Enhancement

Switch Port Configuration Enhancements

SNMP Receiver Settings Enhancement

Windows Clean Access Agent Enhancements (4.1.1.0)

Support for Windows Vista Operating System

Windows Update Upon Agent Login

Agent Reports Show System and User Information

Agent IP Address Refresh/Renew Enhancement

CAS-Agent Discovery (SWISS) Enhancements

4.1.0.x Agent Support on Release 4.1(1)

Mac OS Clean Access Agent Enhancements (4.1.1.0)

RADIUS Challenge-Response Support

Automatically Close Message Dialog After Successful Login

IP Refresh Support for Out-of-Band Deployments

Allow Only One Mac OS Agent to Run on the Client at a Time

Clean Access Supported AV/AS Product List

Clean Access AV Support Chart (Windows Vista / XP / 2000)

Clean Access AV Support Chart (Windows ME / 98)

Clean Access AS Support Chart (Windows Vista / XP / 2000)

Supported AV/AS Product List Version Summary

Clean Access Agent Version Summary

Caveats

Open Caveats - Release 4.1(1)

Resolved Caveats - Release 4.1(1)

Known Issues for Cisco NAC Appliance

Known Issue with NAT/PAT Devices and L3 Deployments

Known Issues with HP ProLiant DL140 G3 Servers

Known Issue with NAC-3310 CD Installation

Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection

Known Issues with Switches

Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)

Known Issues with Broadcom NIC 5702/5703/5704 Chipsets

Known Issue with MSI Agent Installer File Name

Known Issue with Windows 98/ME/2000 and Windows Script 5.6

New Installation of Release 4.1(1)

Upgrading to 4.1(1)

Notes on 4.1(1) Upgrade

Settings That May Change With Upgrade

General Preparation for Upgrade

In-Place Upgrade from 3.5(7)+ to 4.1(1)—Standalone Machines

Create the Installation CD

Mount the CD-ROM and Run the Upgrade File

Swap Ethernet Cables (if Necessary)

Complete the In-Place Upgrade

In-Place Upgrade from 3.5(7)+ to 4.1(1)—HA-Pairs

Prepare for HA Upgrade

Determine Active and Standby Machines

Shut Down Standby Machine and Upgrade Active Machine In-Place

Shut Down Active Machine and Upgrade Standby Machine In-Place

Complete the HA In-Place Upgrade

Upgrading from 3.6(x)/4.0(x)/4.1(0)+—Standalone Machines

Create CAM DB Backup Snapshot

Download the Upgrade File

Web Console Upgrade—Standalone Machines

Console/SSH Upgrade—Standalone Machines

Upgrading from 3.6(x)/4.0(x)/4.1(0)+—HA Pairs

Access Web Consoles for High Availability

Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs

Troubleshooting

Creating CAM DB Snapshot

Creating CAM/CAS Support Logs

Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)

No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM

Agent Error: "Network Error SSL Certificate Rev Failed 12057"

Clean Access Agent AV/AS Rule Troubleshooting

Enable Debug Logging on the Clean Access Agent

Generate Windows Agent Debug Log

Generate Mac OS Agent Debug Log

Troubleshooting Switch Support Issues

Troubleshooting Network Card Driver Support Issues

Other Troubleshooting Information

Documentation Updates

Related Documentation

Obtaining Documentation, Obtaining Support, and Security Guidelines


Release Notes for Cisco NAC Appliance (Cisco Clean Access) for Version 4.1(1)


Revised: January 30, 2008, OL-12454-01

Contents

These release notes provide late-breaking and release information for Cisco® NAC Appliance, formerly known as Cisco Clean Access (CCA), release 4.1(1). This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.

Cisco NAC Appliance Releases

Cisco NAC Appliance Service Contract/Licensing Support

System and Hardware Requirements

Software Compatibility

New and Changed Information

Clean Access Supported AV/AS Product List

Clean Access Agent Version Summary

Caveats

Known Issues for Cisco NAC Appliance

New Installation of Release 4.1(1)

Upgrading to 4.1(1)

Troubleshooting

Documentation Updates

Obtaining Documentation, Obtaining Support, and Security Guidelines

Cisco NAC Appliance Releases

Cisco NAC Appliance Version | Availability | Release Notes
4.1(1) ED | April 30, 2007 | (this document)
4.1.0.2 ED | February 9, 2007 | Release Notes for Cisco NAC Appliance (Cisco Clean Access) Version 4.1(0)
4.1.0.1 ED [obsoleted by 4.1.0.2] | December 4, 2006 | Release Notes for Cisco NAC Appliance (Cisco Clean Access) Version 4.1(0)
4.1(0) ED [obsoleted by 4.1.0.2] | November 14, 2006 | Release Notes for Cisco NAC Appliance (Cisco Clean Access) Version 4.1(0)



Note Any ED release of software should be utilized first in a test network before being deployed in a production network.


Cisco NAC Appliance Service Contract/Licensing Support

For complete details on service contract support, new licenses, evaluation licenses, legacy licenses and RMA, refer to the Cisco NAC Appliance Service Contract / Licensing Support.

System and Hardware Requirements

This section describes the following:

System Requirements

Hardware Supported

Supported Switches for Cisco NAC Appliance

VPN Components Supported for Single Sign-On (SSO)

System Requirements

See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:

Clean Access Manager (CAM) system requirements

Clean Access Server (CAS) system requirements

Clean Access Agent (CAA) system requirements

CAS High Availability Requirements

Hardware Supported

This section describes the following:

Release 4.1(1) and NAC-3300 Series Appliances

Important Installation Information for NAC-3310

Additional Hardware Support Information

Release 4.1(1) and NAC-3300 Series Appliances

Release 4.1(1) is an important software release and upgrade which supports Cisco NAC Appliance 3300 Series platforms. Refer to Enhancements in Release 4.1(1) for complete enhancement details.

Customers have the option to upgrade NAC-3310, NAC-3350, or NAC-3390 MANAGER and SERVER appliances to release 4.1(1) using a single upgrade file, cca_upgrade-4.1.1.tar.gz.

CD installation of release 4.1(1) is also supported:

For NAC-3310 and NAC-3350, the cca-4.1_1-K9.iso file is required for new CD installation of the Clean Access Server or Clean Access Manager.


Note The NAC-3310 appliance requires special installation directives, as well as a firmware upgrade. Refer to Important Installation Information for NAC-3310 for details.


For NAC-3390, a separate ISO file, supercam-cca-4.1_1-K9.iso, is required for CD installation of the Clean Access Super Manager.


Note Super CAM software is supported only on the NAC-3390 platform.


Important Installation Information for NAC-3310

NAC-3310 Required BIOS/Firmware Upgrade

NAC-3310 Required DL140 or serial_DL140 CD Installation Directive

NAC-3310 Required BIOS/Firmware Upgrade

The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Known Issues with HP ProLiant DL140 G3 Servers for detailed instructions.

NAC-3310 Required DL140 or serial_DL140 CD Installation Directive

The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM. For more information, refer to Known Issue with NAC-3310 CD Installation.

Additional Hardware Support Information

See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:

Cisco NAC Appliance 3300 Series hardware platforms

Supported server hardware configurations

Pre-installation instructions for applicable server configurations

Troubleshooting information for network card driver support

See Troubleshooting for further details.

Supported Switches for Cisco NAC Appliance

See Switch Support for Cisco NAC Appliance for complete details on:

Switches and NME service modules that support Out-of-Band (OOB) deployment

Switches/NMEs that support VGW VLAN mapping

Known issues with switches/WLCs

Troubleshooting information

VPN Components Supported for Single Sign-On (SSO)

Table 1 lists VPN components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.

Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO

Cisco NAC Appliance Version | VPN Concentrator/Wireless Controller | VPN Clients
4.1(1) | Cisco WiSM Wireless Service Module for the Cisco Catalyst 6500 Series Switches | N/A
4.1(1) | Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) (1) | N/A
4.1(1) | Cisco ASA 5500 Series Adaptive Security Appliances, Version 7.2(0)81 or later; Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers; Cisco VPN 3000 Series Concentrators, Release 4.7; Cisco PIX Firewall | Cisco SSL VPN Client (Full Tunnel); Cisco VPN Client (IPSec)

(1) For additional details, see also Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).



Note Only the SSL Tunnel Client mode of the Cisco WebVPN Services Module is currently supported.


For further details, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(1) and the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(1).

Software Compatibility

This section describes software compatibility for releases of Cisco NAC Appliance:

Software Compatibility Matrixes

Determining the Software Version

For details on Clean Access Agent client software versions and AV integration support, see:

Clean Access Supported AV/AS Product List

Clean Access Agent Version Summary

Software Compatibility Matrixes

This section describes the following:

Release 4.1(1) Compatibility Matrix

Release 4.1(1) CAM/CAS Upgrade Compatibility Matrix

Release 4.1(1) Agent Upgrade Compatibility Matrix

Release 4.1(1) Compatibility Matrix

Table 2 shows Clean Access Manager and Clean Access Server compatibility and the Agent version supported with each CCA 4.1(1) release (if applicable). CAM/CAS/Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in the table.


Note For additional details on compatibility of later 4.1.x.x Agent releases with 4.1.x CAM/CAS servers, refer to the Release Notes applicable to the Agent release.


Table 2 Release 4.1(1) Compatibility Matrix  

Clean Access Manager | Clean Access Server | Clean Access Agent (1)
4.1(1) | 4.1(1) | 4.1.1.0; 4.1.0.x (2)

(1) The 4.1.1.0 and later Agent is compatible with the 4.1(1) CAM/CAS release. See Clean Access Agent Version Summary for details and caveats resolved for each Agent version.

(2) Cisco strongly recommends running version 4.1.1.0 and later of the Clean Access Agent with release 4.1(1) of the CAM/CAS. If necessary, release 4.1(1) allows administrators to optionally configure the 4.1(1) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment. Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(1) CCA system. However, an Agent upgraded to 4.1.1.0 can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1).


Release 4.1(1) CAM/CAS Upgrade Compatibility Matrix

Table 3 shows 4.1(1) CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row. When you upgrade your system software, Cisco recommends you upgrade to the most current release available whenever possible.

Table 3 Release 4.1(1) CAM/CAS Upgrade Compatibility Matrix

Clean Access Manager
Upgrade From: | To:
4.1(0)+ (1), 4.0(x), 3.6(x), 3.5(7)+ (2) | 4.1(1)

Clean Access Server
Upgrade From: | To:
4.1(0)+ (1), 4.0(x), 3.6(x), 3.5(7)+ (2) | 4.1(1)

(1) Release 4.1(0), 4.1.0.1, and 4.1.0.2 do not support and cannot be installed on Cisco NAC Appliance 3300 Series platforms.

(2) To upgrade from 3.5(7) and later, you must use In-Place Upgrade from 3.5(7)+ to 4.1(1)—Standalone Machines or In-Place Upgrade from 3.5(7)+ to 4.1(1)—HA-Pairs, as appropriate.

Release 4.1(1) Agent Upgrade Compatibility Matrix

Table 4 shows Clean Access Agent upgrade compatibility when upgrading existing versions of the Agent after 4.1(1) CAM/CAS upgrade. Except where noted, you can auto-upgrade any 3.5.1+ Agent directly to the latest 4.1.1.x Agent.

Table 4 Release 4.1.1.x Agent Upgrade Compatibility Matrix

Clean Access Manager | Clean Access Server | Clean Access Agent (1): Upgrade From | To Latest Compatible Windows Version | To Latest Compatible Mac OS Version
4.1(1) | 4.1(1) | 4.1.0.x (2) | 4.1.1.0 (3) (4) | 4.1.1.0 (5)
4.1(1) | 4.1(1) | 4.0.x.x, 3.6.x.x, 3.5.1 and later | 4.1.1.0 (3) | 4.1.1.0 (5)

(1) Agent versions are not supported across major releases. Do not use 4.1.1.x Agents with 4.0(x) or prior releases. However, auto-upgrade is supported from any 3.5.1 and later Agent directly to the latest 4.1.1.x Agent. See Clean Access Agent Version Summary for further details.

(2) Cisco strongly recommends running version 4.1.1.0 and later of the Clean Access Agent with release 4.1(1) of the CAM/CAS. If necessary, release 4.1(1) allows administrators to optionally configure the 4.1(1) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment. Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(1) CCA system. However, an Agent upgraded to 4.1.1.0 can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1).

(3) For checks/rules/requirements, the Agent can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.

(4) The 4.1.1.0 Agent Stub installer is not supported on Windows Vista. Refer to Clean Access Agent System Requirements for additional compatibility details.

(5) Release 4.1(1) does not support auto-upgrade for the Mac OS Agent. Users can upgrade client machines to the latest Mac OS Agent by downloading the Agent via web login and running the Agent installation.


Determining the Software Version

There are several ways to determine the version of software running on your Clean Access Manager (CAM), Clean Access Server (CAS), or Clean Access Agent, as described below.

Clean Access Manager (CAM) Version

Clean Access Server (CAS) Version

Clean Access Agent Versioning

Cisco Clean Access Updates Versioning

Clean Access Manager (CAM) Version

The top of the CAM web console displays the software version installed. After you add the CAM license, the top of the CAM web console displays the license type (Lite, Standard, Super). Additionally, the Administration > CCA Manager > Licensing page displays the types of licenses present after they are added.

The software version is also displayed as follows:

From the CAM web console, go to Administration > CCA Manager > System Upgrade | Current Version

SSH to the machine and type: cat /perfigo/build

CAM Lite, Standard, Super

The NAC Appliance Clean Access Manager (CAM) is licensed based on the number of NAC Appliance Clean Access Servers (CASes) it supports. You can view license details under Administration > CCA Manager > Licensing. The top of CAM web console identifies the type of CAM license installed:

Cisco Clean Access Lite Manager supports 3 Clean Access Servers (or 3 HA-CAS pairs)

Cisco Clean Access Standard Manager supports 20 Clean Access Servers (or 20 HA-CAS pairs)

Cisco Clean Access Super Manager supports 40 Clean Access Servers (or 40 HA-CAS pairs)

Note the following:

The Super CAM software runs only on the Cisco NAC Appliance 3390 MANAGER.

Initial configuration is the same for the Standard CAM and Super CAM.

Software upgrades of the Super CAM use the same upgrade file and procedure as the Standard CAM. You can use web upgrade or console/SSH instructions to upgrade a Super CAM to the latest release. However, a new CD installation of the Super CAM requires a separate .ISO file.

Clean Access Server (CAS) Version

From the CAM web console, go to Device Management > CCA Servers > List of Servers > Manage [CAS_IP] > Misc > Update | Current Version

Or, from CAS direct access console, go to: Administration > Software Update | Current Version
(CAS direct console is accessed via https://<CAS_eth0_IP>/admin)

Or, SSH to the machine and type: cat /perfigo/build


Note If configuring High Availability CAM or CAS pairs, see also Access Web Consoles for High Availability for additional information.


Clean Access Agent Versioning

On the CAM web console, you can determine Clean Access Agent versioning from the following pages:

Monitoring > Summary (Setup and Patch Version)

Device Management > Clean Access > Clean Access Agent > Distribution (Setup and Patch Version)

Device Management > Clean Access > Clean Access Agent > Updates (Patch Version; see also Cisco Clean Access Updates Versioning)

Device Management > Clean Access > Clean Access Agent > Reports | View (individual report shows username, OS, Agent version, client AV/AS version)

From the Clean Access Agent itself on the client machine, you can view the following information from the Agent taskbar menu icon:

Right-click About to view the Agent version.

Right-click Properties to view AV/AS version information for any AV/AS software installed, and the Discovery Host (used for L3 deployments)

Cisco Clean Access Updates Versioning

To view the latest version of Updates downloaded to your CAM, including Cisco Checks & Rules, CCA Agent Upgrade Patch, and Supported AV/AS Product List, go to Device Management > Clean Access > Clean Access Agent > Updates on the CAM web console. See Clean Access Supported AV/AS Product List for additional details.

New and Changed Information

This section describes the enhancements added in the following release of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.

Enhancements in Release 4.1(1)

For additional details, see also:

Hardware Supported

Clean Access Supported AV/AS Product List

Clean Access Agent Version Summary

Caveats

Known Issues for Cisco NAC Appliance

Enhancements in Release 4.1(1)

This section details the enhancements delivered with Cisco NAC Appliance release 4.1(1) for the Clean Access Manager and Clean Access Server.

General Enhancements

Support for Windows Vista Operating System

RADIUS Challenge-Response Support

Layer 2 Traffic Policy Support

Multiple Active Directory Server Support in AD SSO

Restricted Administrator Web Console Options Hidden from View

Proxy Server Basic/Digest/NTLM Authentication Support

VLAN Profiles

VLAN Pruning

Event Logs Enhancement

Agent Report Retrieval API Operation

Supported AV/AS Product List Enhancements (Version 59)

Out-of-Band Enhancements

Out-of-Band IP Refresh Enhancement

Switch Port Configuration Enhancements

SNMP Receiver Settings Enhancement

Windows Agent Enhancements

Support for Windows Vista Operating System

Windows Update Upon Agent Login

Agent Reports Show System and User Information

Agent IP Address Refresh/Renew Enhancement

CAS-Agent Discovery (SWISS) Enhancements

4.1.0.x Agent Support on Release 4.1(1)

Mac OS Agent Enhancements

RADIUS Challenge-Response Support

Automatically Close Message Dialog After Successful Login

IP Refresh Support for Out-of-Band Deployments

Allow Only One Mac OS Agent to Run on the Client at a Time

General Enhancements

Support for Windows Vista Operating System

Release 4.1(1) adds the following new Clean Access Agent configuration support for Windows Vista operating systems:

Full Clean Access Agent support for Windows Vista Home Basic, Vista Home Premium, Vista Business, Vista Ultimate, and Vista Enterprise operating systems.

Administrators can configure Agent checks/rules/requirements and hotfixes for Windows Vista with release 4.1(1) and version 4.1.1.0 of the Agent.

This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > Clean Access Agent > [Rules/Requirements/Reports] now feature Operating System checkboxes/dropdown menus for the Windows Vista operating system, including Windows Vista (All), Vista Home Basic, Vista Home Premium, Vista Business, Vista Ultimate, and Vista Enterprise.

RADIUS Challenge-Response Support

With release 4.1(1), administrators can use additional RADIUS challenge-response mechanisms beyond the standard user ID and password authentication prompts for both web login and Clean Access Agent users. If the RADIUS server is configured to authenticate based on additional user credentials (such as verifying a token-generated PIN, for example), the CAM/CAS passes the challenge on to the user during a normal authentication session.

This additional interaction is due to the user authentication profile on the RADIUS server itself, and does not require any additional configuration on the CAM or CAS for the additional login prompts to appear as part of the login session.


Note When configuring RADIUS Challenge-Response authentication, make sure you set the "Authentication Cache Timeout" under User Management > Auth Servers > Auth Servers > List to 0 (disabled). If the Authentication Cache Timeout option is greater than 0, and depending on how fast a user goes through the login process, the system may cache credentials and not actually perform the full RADIUS challenge-response process.
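The challenge relay described in this section, as an added example that is not Cisco code: a constructed RADIUS server answers a correct password with Access-Challenge (Reply-Message plus State), and a CAS-side login loop shows the Reply-Message to the user and sends the answer back with State echoed, using RFC 2865 packet encoding, User-Password hiding and Response Authenticator verification. The server, user record, prompt text and shared secret are constructed, and the two sides are wired together in-process rather than over UDP.

```python
import hashlib
import hmac
import os
import struct
# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        ln = data[i + 1] if i + 1 < len(data) else 0
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + ln]))
        i += ln
    return attrs

def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_auth(code, ident, req_auth, body, secret):
    # MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), RFC 2865 section 3
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + req_auth + body + secret).digest()

def hide_password(pw, secret, req_auth):
    # User-Password hiding, RFC 2865 section 5.2: each 16-byte block XOR MD5(secret + previous block)
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        blk = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], blk))
        out += prev
    return out

def same_secret(expected, hidden, secret, req_auth):
    # Re-hide the stored value under this request's authenticator; constant-time compare
    return hmac.compare_digest(hide_password(expected, secret, req_auth), hidden)

class TokenRadiusServer:
    """Constructed server: verifies the password, then challenges for a token PIN."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}
    def handle(self, pkt):
        code, ident, req_auth, attrs = parse(pkt)
        a = dict(attrs)
        user, hidden = a[USER_NAME].decode(), a.get(USER_PASSWORD, b"")
        password, pin = self.users.get(user, (b"\xff", b"\xff"))   # dummies: unknown users take the same path
        if STATE not in a:                                          # round 1: user ID + password
            if not same_secret(password, hidden, self.secret, req_auth):
                return self.reply(ACCESS_REJECT, ident, req_auth, [])
            state = os.urandom(8)                                   # opaque handle the NAS must echo back
            self.pending[state] = user
            return self.reply(ACCESS_CHALLENGE, ident, req_auth,
                              [(REPLY_MESSAGE, b"Enter token PIN"), (STATE, state)])
        ok = self.pending.pop(a[STATE], None) == user and same_secret(pin, hidden, self.secret, req_auth)
        return self.reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])

    def reply(self, code, ident, req_auth, attrs):
        auth = response_auth(code, ident, req_auth, encode_attrs(attrs), self.secret)
        return packet(code, ident, auth, attrs)

def cas_login(server, secret, username, ask_user):
    """CAS-side relay: each Access-Challenge becomes a user prompt; the answer goes back with State echoed."""
    prompts, state, ident, answer = ["Password"], None, 0, ask_user("Password")
    while True:
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, username.encode()),
                 (USER_PASSWORD, hide_password(answer.encode(), secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))
        resp = server.handle(packet(ACCESS_REQUEST, ident, req_auth, attrs))
        code, rid, auth, rattrs = parse(resp)
        if rid != ident or auth != response_auth(code, rid, req_auth, resp[20:], secret):
            raise ValueError("Response Authenticator mismatch: reply is not from our server")
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT, prompts
        ra = dict(rattrs)
        state, text = ra[STATE], ra.get(REPLY_MESSAGE, b"").decode()
        prompts.append(text)
        answer = ask_user(text)
        ident = (ident + 1) & 0xFF

def demo(pin_entered="1234"):
    secret = b"constructed-shared-secret"
    server = TokenRadiusServer(secret, {"alice": (b"p@ss", b"1234")})   # constructed user record
    answers = {"Password": "p@ss", "Enter token PIN": pin_entered}
    return cas_login(server, secret, "alice", lambda text: answers[text])
```

Nothing in the relay loop is specific to the PIN: a server that issued a second Access-Challenge would simply produce a third prompt, which is why no CAM or CAS configuration is needed for the extra prompts.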


Layer 2 Traffic Policy Support

Release 4.1(1) makes it possible for administrators to control Layer 2 traffic on a Clean Access Server operating in Virtual Gateway (VGW) mode. The Ethernet Control feature allows a CAS in VGW mode to allow or deny Layer 2 traffic depending on the type of Layer 2 packets passing through the CAS, whether or not VLAN mapping is enabled and applies to the Layer 2 packets, and whether or not MAC filtering is enabled for the user's MAC address.

This feature adds the following pages to the CAM web console:

Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Ethernet Control (VGW mode only)

User Management > User Roles > Traffic Control > Ethernet (VGW mode only)

This enhancement affects the following page of the CAM web console:

Device Management > Clean Access > Updates > Summary—new "Default L2 Policies" entry

Multiple Active Directory Server Support in AD SSO

With release 4.1(1), administrators can configure Cisco Clean Access to specify user credentials on more than one Active Directory Domain Controller (server) to support AD SSO. This enhancement helps avoid potential failures where the lone AD server for the authentication system becomes inaccessible, disabling the entire AD SSO feature.


Note If you use the new multiple Active Directory Domain Controller feature, you must also ensure you use the appropriate "KTPass" command syntax, as described in the "Configure the AD Server and Run KTPass Command" section of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(1).


This enhancement affects the following pages of the CAM web console:

Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows Auth | new group option "Domain (All Active Directory Servers)" radio button to accompany existing "Single Active Directory Server"

Restricted Administrator Web Console Options Hidden from View

With release 4.1(1), the Admin Group configuration page provides additional dropdown menu options to allow administrators to hide a module (by setting access rights to "Hidden") or hide a CAS (by setting access rights to "No Access") for restricted-access admin groups. Prior to this enhancement, administrators could disable access, but restricted admin groups still had read-only visibility to CAS management pages and module features.

The general interface is reorganized to better reflect the main modules of the CAM web console. In addition, web console configuration pages are not displayed if admin users directly type the URL to a page for which they do not have access privileges.

This enhancement affects the following pages of the CAM web console:

Administration > Admin Users > Admin Groups > New

Administration > Admin Users > Admin Groups > List > Edit

Proxy Server Basic/Digest/NTLM Authentication Support

In release 4.1(1), the Proxy support update settings applying to Clean Access Updates have been rearranged. The information for this feature now appears on three separate tabs, each addressing a specific function of the update configuration model. The Summary tab continues to list all current versions of default updates available through Cisco Clean Access updates. The new Update tab addresses how often to update and which Agent-related updates to perform. The new HTTP Settings tab allows the administrator to specify Basic, Digest, or NTLM formats for Proxy Authentication when a Proxy server must be configured for the CAM to receive Cisco Clean Access updates.

This enhancement affects the following pages of the CAM web console:

Device Management > Clean Access > Updates—two new tabs: Update and HTTP Settings

VLAN Profiles

Release 4.1(1) enables you to configure VLAN profiles to augment existing Switch profile and Port profile behavior. VLAN profiles enable you to set up a VLAN name-to-VLAN ID mapping scheme that you can associate with user or group profiles to determine Authentication and Access VLAN assignments for remote user sessions.

This feature changes the following CAM web console pages:

Switch Management > Profiles | new VLAN tab

Switch Management > Profiles > Port > New/Edit | new VLAN Profile dropdown menu under "VLAN Settings"

VLAN Pruning

Release 4.1(1) prevents a potential broadcast packet storm issue on Clean Access Servers running in Virtual Gateway mode. This enhancement works in conjunction with VLAN Mapping to ensure that only known VLAN ID packets are allowed to traverse the internal network. Repetitious, self-multiplying broadcast VLAN packets (such as ARP, DHCP, or DNS packets) can flood CAS and switch interfaces that allow unmapped VLAN packets to pass from port to port. The result is a rapidly-developing broadcast storm that can monopolize access ports for otherwise trusted users, and either slow or deny access altogether for these users.

With VLAN Pruning and VLAN Mapping enabled, the CAS directs traffic for only intended VLANs found in the VLAN Mapping table for the corresponding direction of flow, and discards all other VLAN-tagged packets.

When VLAN Pruning is enabled and VLAN Mapping is not enabled, the CAS discards all VLAN packets in either direction.
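The VLAN Pruning and VLAN Mapping behaviour described in the two paragraphs above, as an added example that is not Cisco code: it parses the 802.1Q tag from a raw Ethernet frame and applies the three cases (mapped VLAN, unmapped VLAN with pruning on or off, pruning without mapping). The mapping table, the direction names, the retagging on forward and the treatment of untagged frames are assumptions of this model.

```python
import struct

ETHERTYPE_8021Q = 0x8100   # 802.1Q VLAN tag
ETHERTYPE_ARP = 0x0806

def parse_frame(frame):
    """Return (vlan_id or None for untagged, payload ethertype) from a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner          # low 12 bits of the TCI are the VLAN ID

def tagged_frame(vlan_id, inner=ETHERTYPE_ARP, src=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed broadcast frame carrying an 802.1Q tag (payload is filler bytes)."""
    tag = struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, inner)
    return b"\xff" * 6 + src + tag + b"\x00" * 28

class VgwCas:
    """Tagged-frame decision of a CAS in Virtual Gateway mode (assumed model).

    vlan_mapping maps untrusted-side VLAN IDs to trusted-side VLAN IDs; the
    reverse table serves traffic flowing back toward the untrusted side."""
    UNTRUSTED_TO_TRUSTED = "untrusted_to_trusted"
    TRUSTED_TO_UNTRUSTED = "trusted_to_untrusted"

    def __init__(self, vlan_mapping, mapping_enabled=True, pruning_enabled=True):
        self.tables = {
            self.UNTRUSTED_TO_TRUSTED: dict(vlan_mapping),
            self.TRUSTED_TO_UNTRUSTED: {t: u for u, t in vlan_mapping.items()},
        }
        self.mapping_enabled = mapping_enabled
        self.pruning_enabled = pruning_enabled   # on by default, as in release 4.1(1)

    def handle(self, frame, direction):
        """Return ("forward", vlan_id_on_egress) or ("drop", reason)."""
        vlan_id, _ = parse_frame(frame)
        if vlan_id is None:
            return "forward", None               # assumption: untagged frames are outside pruning
        if not self.mapping_enabled:
            if self.pruning_enabled:
                return "drop", "pruning on, mapping off: every tagged frame is discarded"
            return "forward", vlan_id
        table = self.tables[direction]
        if vlan_id in table:
            return "forward", table[vlan_id]     # retag to the mapped VLAN for this direction
        if self.pruning_enabled:
            return "drop", f"VLAN {vlan_id} not in the mapping table for {direction}"
        return "forward", vlan_id                # unmapped tag passes through: the storm scenario

def count_forwarded(cas, frames, direction):
    """How many frames of a burst (e.g. ARP broadcasts on stray VLANs) the CAS lets through."""
    return sum(1 for f in frames if cas.handle(f, direction)[0] == "forward")
```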


Note VLAN Pruning is enabled by default for Clean Access Servers running in Virtual Gateway mode.


This enhancement affects the following page of the CAM web console:

Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping—new "VLAN Packet Handling" section with new "Enable VLAN Pruning" option

Event Logs Enhancement

Release 4.1(1) enhances the Event Logs display page to allow administrators to more efficiently search and review Event Log entries:

Navigation is improved for paging through log entries. You can specify the number of logs per page when you page through log entries. (You can choose to view 10, 25, or 100 entries per page.)

Filter display settings remain "sticky" if you view another tool in the CAM web console and return to the Log Viewer later.

The Reset button now resets the filter viewing options on the page and automatically displays any new event logs, but does not reset the specified number of entries per page, nor does it re-import the entire Event Logs database.

This enhancement affects filter user interface behavior on the following page of the CAM web console:

Monitoring > Event Logs > Logs Viewer (tab renamed)

Agent Report Retrieval API Operation

In release 4.1(1), a new Cisco API getreports operation has been added to support retrieving Cisco Clean Access Agent reports matching specified criteria, including user ID, MAC address, IP address, client operating system (including Windows Vista), AV/AS software installed, and Agent requirement name and status.

You can access the Clean Access API for your CAM from a web browser as follows: https://<ccam-ip-or-name>/admin/cisco_api.jsp. For detailed information on the parameters and syntax of the getreports operation, see the "API Support" section of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(1).

Supported AV/AS Product List Enhancements (Version 59)

See Clean Access Supported AV/AS Product List for the latest AV/AS product charts.

See Supported AV/AS Product List Version Summary for details on each update to the list.

Out-of-Band Enhancements

Out-of-Band IP Refresh Enhancement

This enhancement improves the 4.1(0) release "Clean Access Agent/ActiveX/Applet DHCP Release/Renew" IP telephony support feature, which allows for circumstances where administrators do not want the Clean Access Agent to perform an IP release/renew on a client machine.

The new behavior stipulates that if the CAS is operating as a Layer 2 Virtual Gateway in an Out-of-Band deployment, the Agent does not renew the IP address following authentication and posture assessment if the administrator disables the "Refresh IP After Login (OOB)" option on the user role. This option is enabled by default.

The resulting behavior is as follows:

1. If the "Bounce the Port after VLAN is changed" option is enabled on the Switch Management > Profiles > Port > New/Edit page, the switch automatically bounces the port through which the user is accessing the network when the VLAN switches from the authentication to the access VLAN and the Agent does not renew the IP address on the client machine after login and posture assessment.


Note If the "Bounce the Port after VLAN is changed" option is enabled, the "Bounce the port based on role settings after VLAN is changed" option on the same page is inaccessible.


2. If the "Bounce the port based on role settings after VLAN is changed" option is enabled on the Switch Management > Profiles > Port > New/Edit page, the switch defers to the associated user role to determine port bouncing and/or IP address refresh/renew behavior when the VLAN of the port through which the user is accessing the network switches from the authentication to the access VLAN. Both of the user role options are on the User Management > User Roles > New Role page:

Bounce Switch Port After Login (OOB)—If enabled, the Agent does not renew the IP address on the client machine after login and posture assessment.

Refresh IP After Login (OOB)—This option only applies to Layer 2 OOB Virtual Gateway deployments. With this option, the switch port through which the user is accessing the network is not bounced when the VLAN changes from authentication to access VLAN. Instead, if you have enabled this feature, the Agent renews/refreshes the IP address on the client machine following login and posture assessment.

This enhancement affects the following pages of the CAM web console:

Switch Management > Profiles > Port > New/Edit | new "Bounce the port based on role settings after VLAN is changed" option

User Management > User Roles > New/Edit Role | two new options to enable or disable—"Bounce Switch Port After Login (OOB)" and "Refresh IP After Login (OOB)"

Switch Port Configuration Enhancements

Release 4.1(1) of the Cisco Clean Access system includes an improved switch port management user interface that lets you perform familiar switch port management functions more effectively (for example, retrieving and compiling MAC notification traps for managed ports, and storing the running configuration in non-volatile (startup) memory to preserve configuration changes) by separating the elements of the Switch Management > Devices > Switches > [IP address] > Ports tab into two new subtabs.

This enhancement affects the following page of the CAM web console:

Switch Management > Devices > Switches > [IP address] > Ports tab enhanced with the introduction of the List and Manage subtabs

SNMP Receiver Settings Enhancement

Release 4.1(1) features an enhancement to the switch management capabilities in the CAM that enables you to specify the SNMP timeout value (in seconds) the CAM allows for an SNMP trap message response from a managed switch when the CAM instructs the switch to save its current (running) configuration. This enhancement addresses Caveat CSCsh47327 in Resolved Caveats - Release 4.1(1).

This enhancement affects the following page of the CAM web console:

Switch Management > Profiles > SNMP Receiver > Advanced Settings | new "SNMP Timeout" value field

Windows Clean Access Agent Enhancements (4.1.1.0)

Support for Windows Vista Operating System

Version 4.1.1.0 of the Clean Access Agent supports users running the Windows Vista operating system. (See Support for Windows Vista Operating System.)


Note When a Windows Vista user attempts to access the system with Internet Explorer 7 running in "protected mode," an error message appears explaining that the CAS IP address/domain name is not in the list of IE's Trusted sites and prompts the user to add it. This is because IE 7 enables by default the "Check for server certificate revocation" option. To resolve this issue, refer to Agent Error: "Network Error SSL Certificate Rev Failed 12057".



Note Clean Access Agent stub is not supported on Windows Vista.


Windows Update Upon Agent Login

To ensure remote users' client machines feature critical Windows OS updates before they are allowed to access the secured network, you can configure the CAM to implement the latest Microsoft Windows Server Update Service (WSUS) updates when users sign in and attempt to authenticate using the Clean Access Agent. You can configure the CAM to perform updates based on the security severity of the update(s) in question as well as whether updates are mandatory or optional.

If you configure the CAM to make updates "Mandatory," the Agent requires the user to install Windows updates before they can access the network.

This feature affects the following page of the CAM web console:

Device Management > Clean Access > Clean Access Agent > Requirements > New/Edit Requirement | Windows Server Update Service option in Requirement Type dropdown menu

Agent Reports Show System and User Information

When the 4.1.1.0 Windows Agent is used with release 4.1(1), administrators can immediately view the user ID and domain information when they view Agent report entries. The new fields in the pop up report window include the System Name, System Domain, System User, and User Domain. This enhancement is intended to facilitate reviewing AD SSO client reports.

This enhancement affects the following page of the CAM web console:

Device Management > Clean Access > Clean Access Agent > Reports > View (magnifying glass icon) corresponding to the desired report entry

Agent IP Address Refresh/Renew Enhancement

The 4.1.1.0 Agent enhances and clarifies the hierarchy of IP address release/renew options available for users with and without admin privileges on their client machines:

1. If the user has admin privileges on the client, the Agent first attempts to release and renew the IP address using the existing Windows API. (Admin privileges are required for the Windows API)

2. If the user does not have admin privileges on the client, the Cisco Clean Access administrator can create a Windows Active Directory group policy allowing users to run the "net stop dhcp" and "net start dhcp" services on the client to release and renew the IP address.

3. Finally, for users who do not have admin privileges on the client and for whom an Active Directory group policy will not work, the administrator can configure the CAM/CAS to automatically install and launch the Agent Stub which, in turn, enables users to run the DHCP release/renew service on the client. (The Clean Access Agent stub must have already been installed on the client machine to support this method.)

CAS-Agent Discovery (SWISS) Enhancements

The CAS discovery method has been updated in the 4.1.1.0 Agent to help cut down on excess UDP packets traversing the network when the CAS is unreachable or temporarily unavailable. In a Cisco Clean Access environment where the Agent cannot locate a CAS using standard Layer 2 discovery and the Discovery Host feature has been configured, the Agent initiates Layer 3 discovery and sends out SWISS UDP packets every 5 seconds. If the Agent still cannot find a CAS on the network, the Agent increases the period of time between SWISS UDP packets with each subsequent transmission until the period between UDP packets reaches 30 minutes. After the gradually-increased interval reaches 30 minutes, the Agent stops sending SWISS UDP discovery packets altogether until a network event (an IP event, routing change, etc.) occurs, in which case the Agent resumes sending UDP packets every five seconds and starts the discovery cycle over again.


Note This behavior applies only to deployments where Discovery Host has been configured. The standard Layer 2 CAS discovery process remains unchanged.


To support Cisco Clean Access SSO capabilities for users logging into the network via VPN, the administrator can specify a value for the "Agent VPN Detection Delay" option in the CAM web console. This new option alleviates a potential situation where the CAS prompts the user to re-authenticate through the Clean Access Agent after the user already signs on to the network via VPN.

With release 4.1(1), when the CAS receives a SWISS UDP discovery request from the Clean Access Agent and has not received any RADIUS accounting notification from the VPN concentrator that this particular user has logged in through VPN, the CAS checks with the CAM to see whether the "Agent VPN Detection Delay" option has been enabled. If so, the CAS responds to the Agent indicating that VPN SSO is configured and that the Agent needs to wait the specified period of time before it prompts the user with an authentication dialog. (During this waiting period, the Agent continues to send SWISS UDP packets every 5 seconds, as it normally does. If the Agent receives an indication that the user has logged in through VPN before the full delay period has elapsed, the Agent yields to the VPN SSO function and stops sending SWISS UDP discovery packets. Otherwise, it prompts the user for authentication credentials.)

This enhancement affects the following page of the CAM web console:

Device Management > CCA Servers > Manage [CAS_IP] > Authentication > VPN Auth > General | new "Agent VPN Detection Delay" time period field
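The two Agent behaviours described above (the Layer 3 SWISS discovery back-off and the "Agent VPN Detection Delay" exchange between Agent and CAS) are modelled in the following Python, an added illustration that is not Cisco code. The release notes do not state how fast the probe interval grows, so the model assumes it doubles after every unanswered probe (any monotonic growth that reaches 30 minutes fits the text); the CAS reply, the CasVpnSso and SwissDiscovery classes, and the user names are constructed for the simulation, and the clock is simulated in whole seconds rather than sent on the wire.

```python
"""Model of the 4.1.1.0 Agent's Layer 3 SWISS discovery back-off and of the
"Agent VPN Detection Delay" exchange with the CAS, as described in these notes.

Constructed illustration, not Cisco code. Assumptions not stated in the notes:
the probe interval doubles after every unanswered probe, the CAS answer is
modelled as a small dataclass, and timing is simulated in whole seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PROBE_INTERVAL = 5          # seconds between SWISS UDP probes at the start of discovery
MAX_INTERVAL = 30 * 60      # once the back-off reaches 30 minutes the Agent goes quiet


class SwissDiscovery:
    """Layer 3 (Discovery Host) SWISS probe scheduler for one Agent."""

    def __init__(self, growth: int = 2) -> None:
        self.growth = growth    # assumed growth factor per unanswered probe
        self.reset()

    def reset(self) -> None:
        """A network event (IP change, routing change) restarts the cycle at 5 seconds."""
        self.interval = PROBE_INTERVAL
        self.stopped = False

    def probe_unanswered(self) -> Optional[int]:
        """Record that a probe drew no CAS reply and return the wait before the next one.

        Returns None once the 30-minute interval has been used: the Agent then stops
        probing until reset() is called for a network event.
        """
        if self.stopped:
            return None
        wait = self.interval
        if wait >= MAX_INTERVAL:
            self.stopped = True
        else:
            self.interval = min(self.interval * self.growth, MAX_INTERVAL)
        return wait


def schedule_until_quiet(discovery: SwissDiscovery) -> List[int]:
    """Drive a scheduler against an unreachable CAS and collect every wait it produces."""
    waits: List[int] = []
    while True:
        wait = discovery.probe_unanswered()
        if wait is None:
            return waits
        waits.append(wait)


@dataclass
class SwissReply:
    """What the CAS tells the Agent in answer to a SWISS discovery request."""
    vpn_sso_configured: bool    # the CAM has the Agent VPN Detection Delay enabled
    vpn_session_seen: bool      # RADIUS accounting from the concentrator already reported this user
    wait_seconds: int           # how long the Agent must wait before prompting for credentials


@dataclass
class CasVpnSso:
    """CAS-side state for VPN SSO: the delay read from the CAM and the users seen via RADIUS."""
    detection_delay: int                                # seconds; 0 models the option disabled
    vpn_users: Set[str] = field(default_factory=set)    # users with a RADIUS accounting start

    def radius_accounting_start(self, user: str) -> None:
        """The VPN concentrator's accounting record marks the user as logged in through VPN."""
        self.vpn_users.add(user)

    def handle_swiss_request(self, user: str) -> SwissReply:
        if user in self.vpn_users:
            return SwissReply(True, True, 0)
        if self.detection_delay > 0:
            return SwissReply(True, False, self.detection_delay)
        return SwissReply(False, False, 0)


def agent_login_decision(cas: CasVpnSso, user: str,
                         accounting_at: Optional[int] = None) -> Tuple[str, int]:
    """Agent side of the exchange: returns ("sso" or "prompt", seconds elapsed).

    accounting_at is a simulation hook: the constructed moment (seconds after the
    first probe) at which the concentrator's RADIUS accounting record reaches the CAS.
    """
    elapsed = 0
    reply = cas.handle_swiss_request(user)
    if reply.vpn_session_seen:
        return "sso", elapsed
    if not reply.vpn_sso_configured:
        return "prompt", elapsed            # no delay configured: show the login dialog now
    while elapsed < reply.wait_seconds:
        elapsed += PROBE_INTERVAL           # probes continue every 5 seconds during the delay
        if accounting_at is not None and accounting_at <= elapsed:
            cas.radius_accounting_start(user)
        if cas.handle_swiss_request(user).vpn_session_seen:
            return "sso", elapsed           # yield to VPN SSO and stop probing
    return "prompt", elapsed                # delay expired with no VPN login: ask for credentials


if __name__ == "__main__":
    print(schedule_until_quiet(SwissDiscovery()))
    print(agent_login_decision(CasVpnSso(detection_delay=30), "alice", accounting_at=12))
    print(agent_login_decision(CasVpnSso(detection_delay=30), "bob"))
```

Running the module prints the ten waits of the back-off cycle (5 s doubling up to the 30-minute cap, after which the scheduler returns None until reset), an "sso" outcome for a user whose RADIUS accounting record arrives 12 seconds into a 30-second delay, and a "prompt" outcome for a user whose VPN login never shows up before the delay expires.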

4.1.0.x Agent Support on Release 4.1(1)

Cisco strongly recommends running version 4.1.1.0 and later of the Clean Access Agent with release 4.1(1) of the CAM/CAS. If necessary, release 4.1(1) allows administrators to optionally configure the 4.1(1) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment. In addition, a 4.1.1.0 Agent can still log into a 4.1(0) system.


Note By default, 4.1.0.x Agents are not allowed to log into a 4.1(1) CCA system.


This enhancement affects the following page of the CAM web console:

Device Management > Clean Access > Clean Access Agent > Distribution features a new "Allow 4.1.0.x Agents to log in" option

Mac OS Clean Access Agent Enhancements (4.1.1.0)

RADIUS Challenge-Response Support

Administrators can use additional RADIUS challenge-response mechanisms beyond the standard user ID and password authentication. If the RADIUS server is configured to authenticate based on additional user credentials (like verifying a token-generated PIN, for example), you can set up Cisco Clean Access to pass the challenge on to the Agent during a normal authentication session.

Automatically Close Message Dialog After Successful Login

This enhancement automatically closes the dialog informing the user that their login session was successful in case they do not click OK to close the dialog.

IP Refresh Support for Out-of-Band Deployments

To ensure users can access the internal network following authentication, the Mac OS Agent must refresh/renew the client's IP address as the connection switches from the authentication VLAN to the Access VLAN.

Allow Only One Mac OS Agent to Run on the Client at a Time

The Agent has been enhanced so that only one instance of the Agent can run on the client at any given time. When the user attempts to launch a new instance of the Agent while an Agent is already running, the new instance automatically closes and a "Cisco Clean Access Agent is already running" message appears. This method also keeps the user from having to re-authenticate with Cisco Clean Access before they are allowed to access the internal network again.


Note Release 4.1(1) does not support auto-upgrade for the Mac OS Agent. Users can upgrade client machines to the latest Mac OS Agent by downloading the Agent via web login and running the Agent installation.


See also Clean Access Agent Version Summary.

Clean Access Supported AV/AS Product List

This section describes the Supported AV/AS Product List that is downloaded to the Clean Access Manager via Device Management > Clean Access > Clean Access Agent > Updates to provide the latest antivirus (AV) and anti-spyware (AS) product integration support. The Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported AV/AS vendors and product versions used to configure AV/AS Rules and AV/AS Definition Update requirements.

The Supported AV/AS Product List contains information on which AV/AS products and versions are supported in each Clean Access Agent release along with other relevant information. It is updated regularly to bring the relevant information up to date and to include newly added products for new releases. Cisco recommends keeping your list current, especially when you upload a new Agent Setup version or Agent Patch version to your CAM. Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages list all the new products supported in the new Agent.


Note Cisco recommends keeping your Supported AV/AS Product List up-to-date on your CAM by configuring the Update Settings under Device Management > Clean Access > Clean Access Agent > Updates to "Automatically check for updates every 1 hour."


The following charts list the AV and AS product/version support per client OS as of the latest Clean Access release:

Clean Access AV Support Chart (Windows Vista / XP / 2000)

Clean Access AV Support Chart (Windows ME / 98)

Clean Access AS Support Chart (Windows Vista / XP / 2000)

The charts show which AV/AS product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Clean Access Agent.

For a summary of the product support that is added per version of the Supported AV/AS Product List or Clean Access Agent, see also:

Supported AV/AS Product List Version Summary

Clean Access Agent Version Summary

You can access additional AV and AS product support information from the CAM web console under Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info.


Note Where possible, Cisco recommends using AV Rules mapped to AV Definition Update Requirements when checking antivirus software on clients, and AS Rules mapped to AS Definition Update Requirements when checking anti-spyware software on clients. In the case of non-supported AV or AS products, or if an AV/AS product/version is not available through AV Rules/AS Rules, administrators always have the option of creating their own custom checks, rules, and requirements for the AV/AS vendor (and/or using Cisco provided pc_ checks and pr_ rules) through Device Management > Clean Access > Clean Access Agent (use New Check, New Rule, and New File/Link/Local Check Requirement). See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(1) for configuration details.

Note that Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for AV/AS products by vendors, the Cisco NAC Appliance team will update the Supported AV/AS Product List and/or Clean Access Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_ checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."


Clean Access AV Support Chart (Windows Vista / XP / 2000)

Table 5 lists Windows Vista/XP/2000 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 6 for Windows ME/98).

Table 5 Clean Access Antivirus Product Support Chart (Windows Vista/XP/2000), Version 59, 4.1.1.0 Agent/Release 4.1(1) (Sheet 1 of 8)

Product Name | Product Version | Installation check (Minimum Agent Version Needed)1 | Virus Definition check (Minimum Agent Version Needed)1 | Live Update 2, 3

AhnLab, Inc.
AhnLab Security Pack | 2.x | yes (3.5.10.1) | yes (3.5.10.1) | yes
AhnLab V3 Internet Security 2007 Platinum | 7.x | yes (3.6.5.0) | yes (3.6.5.0) | yes
V3Pro 2004 | 6.x | yes (3.5.10.1) | yes (3.5.12) | yes

ALWIL Software
avast! Antivirus | 4.x | yes (3.5.10.1) | yes (3.5.10.1) | yes
avast! Antivirus (managed) | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
avast! Antivirus Professional | 4.x | yes (4.1.0.0) | yes (4.1.0.0) | yes

America Online, Inc.
Active Virus Shield | 6.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
AOL Safety and Security Center Virus Protection | 102.x | yes (4.0.4.0) | yes (4.0.4.0) | -
AOL Safety and Security Center Virus Protection | 1.x | yes (3.5.11.1) | yes (3.5.11.1) | -
AOL Safety and Security Center Virus Protection | 210.x | yes (4.0.4.0) | yes (4.0.4.0) | -
AOL Safety and Security Center Virus Protection | 2.x | yes (4.1.0.0) | yes (4.1.0.0) | -

Authentium, Inc.
Command Anti-Virus Enterprise | 4.x | yes (3.5.0) | yes (3.5.0) | yes
Command AntiVirus for Windows | 4.x | yes (3.5.0) | yes (3.5.0) | yes
Command AntiVirus for Windows Enterprise | 4.x | yes (3.5.2) | yes (3.5.2) | yes
Cox High Speed Internet Security Suite | 3.x | yes (4.0.4.0) | yes (4.0.4.0) | yes

Beijing Rising Technology Corp. Ltd.
Rising Antivirus Software AV | 17.x | yes (3.5.11.1) | yes (3.5.11.1) | yes
Rising Antivirus Software AV | 18.x | yes (3.5.11.1) | yes (3.5.11.1) | yes
Rising Antivirus Software AV | 19.x | yes (4.0.5.0) | yes (4.0.5.0) | yes

Check Point, Inc
ZoneAlarm Security Suite Antivirus | 7.x | yes (4.0.5.0) | yes (4.0.5.0) | -

ClamWin
ClamWin Antivirus | 0.x | yes (3.5.2) | yes (3.5.2) | yes
ClamWin Free Antivirus | 0.x | yes (3.5.4) | yes (3.5.4) | yes

Computer Associates International, Inc.
CA Anti-Virus | 8.x | yes (4.1.0.0) | yes (4.1.0.0) | yes
CA eTrust Antivirus | 7.x | yes (3.5.0) | yes (3.5.0) | yes
CA eTrust Internet Security Suite AntiVirus | 7.x | yes (3.5.11) | yes (3.5.11) | yes
CA eTrustITM Agent | 8.x | yes (3.5.12) | yes (3.5.12) | yes
eTrust EZ Antivirus | 6.1.x | yes (3.5.3) | yes (3.5.8)