Technical Support: Cisco Clean Access - FAQs
| What is Clean Access? |
|
Clean Access is a solution provided by Cisco, Inc. that performs network validation. The software performs the following functions:
- Requires authentication to the network
- Validates whether the system connecting to the network meets the minimum security standards.
- Quarantines the system until it meets the minimum security standards.
- Provides access to the remediation sites.
- Once the system is validated as “clean,” allows access to the network.
Learn more at http://www.cisco.com/en/US/products/ps6128/index.html.
|
| Why are we introducing this solution now? |
| Computers that potentially contain harmful viruses and malware are brought onto the campus. On move-in weekend in particular, worms and viruses attempt to spread to unpatched/vulnerable machines. The Division of Information Services determined that the best way to prevent this from happening is to ensure that virus software and operating system critical updates/patches are current and maintained.
|
| How Does Validation Work? (PC Only) |
This solution will redirect any Internet browser request to a web page that instructs the user to download and install the validation client known as the “Cisco Clean Access Agent”. Once launched, the client downloads the validation rules and processes them. If the computer fails the test, it is allowed Internet access only to the remediation sites for a period of about 60 minutes. Once corrected, full network access is provided.
*Windows Computers Only
|
| What is the Clean Access Agent? (PC Only) |
| Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access server. No information about the user or the content of user files is sent to the server. Each user must use Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use the university network.
|
| What Validation Checks are Being Performed? (PC Only) |
|
Fall Term: Authentication via Cisco Clean Access Agent to access the network.
Beginning in October 2006: We are configuring Cisco Clean Access to validate the following:
- Current Microsoft security updates for your computer, including SP2 for Windows XP and SP1 for Windows 2000 and all subsequent updates to these patches.
- Symantec AntiVirus 10 must be installed. If you wish to download Symantec AntiVirus now, you can visit the download center.
|
| How Does Validation Work for Macintosh Users? |
| Currently, Macintosh users must authenticate by logging in via a web page. At this point there is no client which is downloaded to Macintosh systems. The network connection timer is set for Macintosh systems; however, there is no icon that can be right-clicked to log out and subsequently log in again.
|
| Cisco Clean Access on the Macintosh |
|
There are a couple of idiosyncrasies you should be aware of on the Macintosh side:
- You will be logged off the network every time your computer goes to sleep.
- It may not be obvious at times that you are not connected to the network. There is no notification given when you are logged off the network. The only way to tell is to open your web browser and browse to another page, using Google or any other URL. If you are not logged in, you will be redirected to the login page.
There is one way that you can stop your computer from being logged off the network. This is achieved by setting your “Energy Saver” settings in the System Preferences window to not sleep. However, be aware that if you use these settings on a laptop it will significantly reduce the time you will have available to you on battery use, and may affect the lifetime of your battery overall. By turning these settings off you are also causing your computer to use significantly more energy in general.
|
| How Does Validation Work for Linux Users? |
| Linux users must authenticate by logging in via a web page. There is no client which is downloaded to Linux systems. The network connection timer is set for Linux systems; however, there is no icon that can be right-clicked to log out and subsequently log in again.
|
| What if I own a Windows 98/ME/95/3.1/NT Computer? |
|
Microsoft will no longer support or release critical security updates for older versions of the Windows operating system including Windows 3.11, Windows 95, Windows 98, Windows 98 SE, Windows ME, and Windows NT Workstation 4.0 (Windows 2000 is still supported…for now). Without vendor support to patch identified bugs and vulnerabilities, these systems cannot safely continue to be used in a networked environment.
Bottom line: If you are running Microsoft Windows, you should be running Windows XP, Windows 2000, or Windows 2003 Server at this time for both work and home. For obvious reasons, these are the only versions of Windows that are allowed on the University network.
|
| How Often Will I Be Revalidated? |
| We have configured the validation timer to run every 7 days, early Monday morning. This means that all previously certified "clean machines" will need to be revalidated to ensure that all updates for the past week have been downloaded and installed.
|
| What Happens If an “Infected” System Behaves Badly on the Network? |
| The validation solution cannot prevent all infections. Also, we have experienced denial of service attacks originating from within and from outside the university network. For those subnets controlled by Clean Access servers, the process will be to disconnect the offending system using the Clean Access Manager management console. Unless the system is demonstrating a vulnerability for which there is no patch, there should be no need to block the physical switch port, as the user will not be able to reconnect until the problem is corrected.
|
| I’m receiving a message that says I have Error 87 |
You have the Internet Explorer 7 beta installed. You will need to remove it and download a different version.
To uninstall Internet Explorer 7 Beta 2 Preview and to return to the previous version of Internet Explorer in Windows XP, follow these steps:
1. Click Start, click Run, type appwiz.cpl, and then click OK.
2. Click to select the Show updates check box.
3. Scroll through the list of installed programs to the Windows XP – Software Updates section.
4. In the Windows XP – Software Updates section, click Internet Explorer 7 Beta 2 Preview, and then click Remove.
5. In the Software Update Removal Wizard dialog box, click Next.
6. Click Finish when the process has finished, and then restart the computer.
|
| Can I use my PDA to access the Internet? |
| Yes, you need to stop by the Help Desk in BC 18 to fill out the correct paperwork. The Help Desk will then add your PDA to the Cisco Clean Access system, thus allowing it on the network.
|