How it all works: the 30,000-foot view
Cisco Clean Access checks our users' computers for anti-virus (Trend Micro) and Windows patches (it can check for many other items as well) and forces a sign-on before access to the network can begin. Cisco Clean Access uses several applications and devices to make this all work:
• Clean Access Manager
• Clean Access Server
• Clean Access Agent
• Clean Access Stub
• SMS
• Policy Base Routes
• Traffic Control
• Microsoft Active Directory (Single Sign On, SSO)
Let’s touch on each of these and its role in enhancing our security posture.
The Clean Access Manager (CAM @ 10.80.2.131) controls the Clean Access Servers (CAS @ 10.90.2.2 & 10.90.2.10). When a user plugs into our network they are placed in an un-trusted VLAN. While the user is in the un-trusted VLAN, all traffic is Policy Base Routed (PBR) to the CAS. This means all traffic must be read, routed and acted upon by the CAS. After authentication takes place the Cisco Clean Access Agent (CAA) scans the user's registry settings and ensures that anti-virus is up-to-date and that critical Windows patches are installed.
The Clean Access Stub allows non-admin accounts to install patches. The Clean Access Stub should be installed prior to installing the agent. Using SMS to install the stub and client is highly recommended. If you can't use SMS to install the full package then you need to install the stub and then let the CAS install the agent. The CAS will install the agent when a user accesses the un-trusted VLAN and doesn't have the CAA installed.
Policy Base Routes are used to "force" traffic to the CAS when users are in the un-trusted VLAN. Sometimes PBR must also be used to get return traffic back to the clients.
Clean Access utilizes Traffic Control within the CAS to manage what users in the unauthenticated VLAN have access to. It's used just like an access control list in a firewall or router.
When authenticating users, Clean Access will first try to reach Microsoft Active Directory and use the Kerberos ticket acquired by the computer upon Windows domain login (Single Sign On). If this isn't possible the user will be prompted for username and password authentication against the local DB on the CAM.
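As an added illustration (not configuration from this document or from our switches), here is what the PBR described above looks like on a Cisco IOS Layer 3 switch: traffic sourced from the un-trusted VLAN is matched by an ACL and handed to the CAS as next hop, and a second route-map on the trusted side sends return traffic for that subnet back through the CAS. The CAS address 10.90.2.2 is from this page; the VLAN numbers, the 10.90.3.0/24 un-trusted subnet and the 10.90.2.3 CAS trusted-side address are hypothetical placeholders.

```cisco
! --- Forward path: un-trusted VLAN -> CAS (un-trusted interface) ---
ip access-list extended UNTRUSTED-TO-CAS
 ! hypothetical un-trusted VLAN subnet; keep this to the user subnet only
 permit ip 10.90.3.0 0.0.0.255 any
!
route-map PBR-TO-CAS permit 10
 match ip address UNTRUSTED-TO-CAS
 set ip next-hop 10.90.2.2
!
interface Vlan903
 description Un-trusted (authentication) VLAN - hypothetical
 ip address 10.90.3.1 255.255.255.0
 ip policy route-map PBR-TO-CAS
!
! --- Return path: trusted side -> CAS (trusted interface) -> client ---
! Needed when the CAS is not already in the normal routed path back
! to the un-trusted subnet, as the text notes.
ip access-list extended TRUSTED-TO-CAS
 permit ip any 10.90.3.0 0.0.0.255
!
route-map PBR-RETURN permit 10
 match ip address TRUSTED-TO-CAS
 set ip next-hop 10.90.2.3
!
interface Vlan902
 description Trusted-side uplink VLAN - hypothetical
 ip address 10.90.2.1 255.255.255.0
 ip policy route-map PBR-RETURN
```

Verify with `show route-map PBR-TO-CAS` (policy-matched packet counters should climb while a PC sits in the un-trusted VLAN) and confirm that nothing outside the un-trusted subnet is being policy-routed.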
The flow is as follows:
Flow when no remediation is required
• User PC boots up
• Cisco switch puts the PC in the un-trusted VLAN
• CAA talks to the CAM
• CAA logs in the user and checks for updates
• User PC passes validation
• Cisco switch places the user PC in the normal VLAN
Flow when remediation is required
• User PC boots up
• Cisco switch puts the PC in the un-trusted VLAN
• CAA talks to the CAM
• CAA logs in the user and checks for updates
• PC gets updates; all traffic is passed through the CAS and limited by the CAS
• User PC passes validation
• Cisco switch places the user PC in the normal VLAN
Now when it comes to adding new offices or new devices you have to ask yourself, self, is this a Layer 2 or Layer 3 setup? Layer 2 is defined as any configuration where a device is connected to the CAS via Layer 2 hops only, i.e. no routers in between. Layer 3 is defined as any configuration where the PC is separated from the CAS by a router.