
Analysis and Review

Cisco Clean Access Review

June 2, 2009 by Kurt Turner

How it all works: the 30,000-foot view

Cisco Clean Access checks our users' computers for anti-virus (Trend Micro) and Windows patches (it can check for many other items as well) and forces sign-on before access to the network can begin. Cisco Clean Access uses several applications and devices to make this all work:

• Clean Access Manager
• Clean Access Server
• Clean Access Agent
• Clean Access Stub
• SMS
• Policy Based Routes (PBR)
• Traffic Control
• Microsoft Active Directory (Single Sign On, SSO)

Let’s touch on each of these and their roles in enhancing our security posture.

Cisco Clean Access Agent

The Clean Access Manager (CAM @ 10.80.2.131) controls the Clean Access Servers (CAS @ 10.90.2.2 & 10.90.2.10). When a user plugs into our network they are placed in an untrusted VLAN. While the user is in the untrusted VLAN all of their traffic is Policy Based Routed (PBR) to the CAS, which means every packet must be read, routed and acted upon by the CAS. After authentication takes place the Cisco Clean Access Agent (CAA) scans the user's registry settings and ensures that anti-virus definitions and critical Windows patches are up to date.

The Clean Access Stub allows non-admin accounts to install patches. The Clean Access Stub should be installed prior to installing the agent. Using SMS to install the stub and client is highly recommended. If you can’t use SMS to install the full package then you need to install the stub and let the CAS install the agent. The CAS will install the agent when a user accesses the untrusted VLAN and doesn’t have the CAA installed.

Policy Based Routes are used to “force” traffic to the CAS while users are in the untrusted VLAN. Sometimes PBR must also be used to get return traffic back to the clients.

Clean Access utilizes Traffic Control within the CAS to manage what users in the unauthenticated VLAN have access to. It’s used just like an access control list in a firewall or router.

When authenticating users Clean Access will first try to access Microsoft Active Directory and use the key acquired by the computer upon Windows domain login (Single Sign On). If this isn’t possible the user will be prompted for username and password authentication against the local DB on the CAM.

The flow is as follows:

Flow when no remediation required

User PC boots up → Cisco Switch puts it in the untrusted VLAN → CAA talks to CAM → CAA logs in the user and checks updates → User PC passes validation → Cisco Switch places the user PC in the normal VLAN

Flow when remediation is required

User PC boots up → Cisco Switch puts it in the untrusted VLAN → CAA talks to CAM → CAA logs in the user and checks updates → PC gets updates (all traffic is passed through the CAS and limited by the CAS) → User PC passes validation → Cisco Switch places the user PC in the normal VLAN
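To make the two flows above, the Traffic Control limits and the AD-SSO-then-local-DB authentication order concrete, here is a small Python model of the admission decision. It is an added example written for this post, not Cisco's code or anything from the original article; the host records, the required AV version and patch IDs, the local user DB and the update-server subnet (10.80.5.0/24) are all constructed, while the CAM and CAS addresses are the ones given in the post.

```python
"""Toy model of the Clean Access admission flow described in this post.

Added example, not Cisco's code. Policy values, host records and the
update-server subnet are constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed posture policy: minimum AV pattern version and required patches.
REQUIRED_AV_VERSION = (8, 950)                 # constructed Trend Micro pattern version
REQUIRED_PATCHES = {"KB958644", "KB967715"}    # constructed critical patch IDs

# What the CAS Traffic Control rules let a remediating host reach (assumed list).
REMEDIATION_ALLOW = [
    ip_network("10.80.2.131/32"),   # CAM, address from the post
    ip_network("10.90.2.0/24"),     # CAS addresses from the post live here
    ip_network("10.80.5.0/24"),     # constructed AV/patch update server subnet
]

# Constructed local user DB on the CAM, used only when AD SSO is unavailable.
LOCAL_DB = {"jdoe": "correct-horse-battery"}


@dataclass
class Host:
    user: str
    has_ad_ticket: bool               # credential obtained at Windows domain login
    av_version: Tuple[int, int]
    installed_patches: Set[str]
    local_password: Optional[str] = None


def authenticate(host: Host) -> Optional[str]:
    """AD SSO first; fall back to the CAM local DB. Returns the user or None."""
    if host.has_ad_ticket:
        return host.user
    if host.local_password is not None and LOCAL_DB.get(host.user) == host.local_password:
        return host.user
    return None


def posture_findings(host: Host) -> List[str]:
    """What the CAA would flag on this host; empty list means compliant."""
    findings = []
    if host.av_version < REQUIRED_AV_VERSION:
        findings.append("av-outdated")
    missing = REQUIRED_PATCHES - host.installed_patches
    findings.extend("missing-" + kb for kb in sorted(missing))
    return findings


def admission_decision(host: Host) -> Tuple[str, List[str]]:
    """Returns (vlan, findings) where vlan is untrusted, remediation or trusted."""
    if authenticate(host) is None:
        return ("untrusted", ["auth-failed"])
    findings = posture_findings(host)
    if findings:
        return ("remediation", findings)
    return ("trusted", [])


def remediation_traffic_allowed(dst_ip: str) -> bool:
    """Traffic Control check applied while the host is still behind the CAS."""
    dst = ip_address(dst_ip)
    return any(dst in net for net in REMEDIATION_ALLOW)


def run_flow(host: Host) -> List[str]:
    """Walk the flow from the post and return the steps that were taken."""
    steps = ["boot: switch places PC in untrusted VLAN, PBR sends traffic to CAS"]
    vlan, findings = admission_decision(host)
    if vlan == "untrusted":
        steps.append("auth failed: PC stays in untrusted VLAN")
        return steps
    steps.append("CAA logged in user via " + ("AD SSO" if host.has_ad_ticket else "local DB"))
    if findings:
        steps.append("remediation required: " + ", ".join(findings))
        # The host fetches updates through the CAS-limited path; we simulate success.
        host.av_version = REQUIRED_AV_VERSION
        host.installed_patches |= REQUIRED_PATCHES
        steps.append("updates applied through CAS-controlled path")
        vlan, findings = admission_decision(host)
    steps.append("validation passed: switch moves PC to %s VLAN" % vlan)
    return steps


if __name__ == "__main__":
    pc = Host("jdoe", True, (8, 900), {"KB967715"})
    for step in run_flow(pc):
        print(step)
```

The separation matters in practice: `authenticate` answers "who is this", `posture_findings` answers "is the machine healthy", and `remediation_traffic_allowed` is the only thing standing between a half-patched host and the rest of the network until both answers are good.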

Now when it comes to adding new offices or new devices you have to ask yourself, self, is this a Layer 2 or Layer 3 setup? Layer 2 is defined as any configuration where a device is connected to the CAM via Layer 2 hops only, i.e. no routers in the path. A Layer 3 setup is defined as any configuration where the PC is separated from the CAM by a router.

Filed Under: Networking
