As it develops the next generation of network security infrastructure, Cisco Systems Inc. is planning to cease development on its network admission control (NAC) client, the Cisco Trust Agent (CTA), and submit the source code for the software client to the open-source community, Bob Gleichauf, chief technology officer of Cisco's Security Technology Group, told InfoWorld.
Cisco has a goal of making the CTA open source within 'a couple months,' allowing the company to free up development resources for other areas of NAC, Gleichauf said. Cisco's decision is more evidence that Cisco will cede control of the desktop to Microsoft Corp.'s Vista, following a deal in September to use the Microsoft Network Access Protection (NAP) Agent as the client for both Cisco NAC and NAP. 'CTA will be something that's open source. That's just logically where it should end up,' Gleichauf told InfoWorld.
'We don't want to be in the CTA business, so we're going to just open it up.' In September, Cisco and Microsoft announced an agreement to integrate their network access control architectures. The agreement called for computers running Windows Vista or Windows Server to include the NAP Agent component as part of the core operating system, and to use that agent for both NAP and NAC.
The NAP Agent added support for Extensible Authentication Protocol (EAP) over UDP and for EAP-FAST, both developed by Cisco and distributed over Windows Update, in addition to the native EAP methods and the 802.1X supplicant, so that it can serve both NAC and NAP. Computers running Windows XP with Service Pack 2, as well as non-Windows systems, would need to run the Cisco Trust Agent for NAC and the NAP Agent for NAP. Cisco also promised to continue developing CTA for platforms other than Windows Vista and Windows Server 'Longhorn'. Since then, however, Microsoft and Cisco have extended both 802.1X and EAP support to Windows XP, reducing the need for the CTA, said Mark Ashida, General Manager of Enterprise Networking Servers at Microsoft.
Open-sourcing the CTA is just part of a much larger effort at Cisco to push beyond mere network access control to a much broader security architecture that addresses problems such as data leaks and policy enforcement, an architecture in which Cisco's Security Agent (CSA) will play a much bigger role, Gleichauf said. 'Data leakage is about things crossing boundaries from areas you control to areas where you have less control: e-mail attachments going over IM, or data going from someone in human resources to someone in manufacturing who shouldn't see it,' he said. 'For us, it's all about modeling based on how data moves around. We recognize that data has its own identity, and we want to use the controls we've built up around where users can go - role-based access - to figure out where data can and can't go,' he said. Components like the technology Cisco recently will provide some of the intelligence to stop messaging and Web-based leaks, and Cisco will use intelligence in its routers and switches to control data flows and in the CSA agent to enforce data-level policies on the desktop, Gleichauf said.
'CSA is the next area where you're going to see us make go-to-market announcements that offer real value in the data leak space,' he said. 'Cisco's getting out of the desktop plumbing business and focusing on areas on the desktop where they can add value to what they're doing on the network,' said Jon Oltsik, an analyst at Enterprise Strategy Group. But Gleichauf's comment may also be an indication of trouble for Cisco NAC, which has been a tough sell with enterprises, largely because of the cost of upgrading Cisco and non-Cisco networking infrastructure in order to take advantage of the access control features. While the company has found plenty of buyers for its NAC appliance, formerly known as 'Clean Access,' it has had far fewer takers for the full-fledged NAC solution. In the meantime, the company has faced competition from a wide range of niche NAC vendors, security mainstays like Symantec Corp., as well as Microsoft, Juniper Networks Inc. and the Trusted Computing Group's standards-based Trusted Network Connect (TNC) architecture. Gleichauf acknowledged that his company hadn't executed well in selling NAC to partners, but said the solution was for Cisco to close the loop even tighter on which firms it will tap to be a part of its solution.
'With NAC we got caught in the vendor program race with TNC and Microsoft, where you want to get as many vendors as possible. But there are only a minority of vendors who are value added. The majority of them are just looking for stickers to put on their booth,' he said. Going forward with its data leakage solution, Cisco will rely on a small number of main vendors that offer it more value through license arrangements, rather than rely on open standards, Gleichauf said. That vision concerned Steve Hannah of the Trusted Computing Group, which promotes open standards for network access control that allow third-party software to speak a common language when making access control decisions. Releasing the NAC client as an open-source application was a fine gesture, but it has little value to the community at large unless Cisco agrees to submit its NAC protocols as open standards, he said.
'Ultimately, Cisco retains control, and you end up with Cisco as the center of the universe. So customers are stuck buying Cisco gear and looking for things that plug into Cisco gear, but they don't really have a choice of different vendors,' said Hannah, who is a distinguished engineer at Cisco competitor Juniper Networks. TCG is happy to talk with Cisco about moving NAC protocols to open standards, perhaps blending NAC technologies from Cisco and TCG to give software vendors and enterprises the most choice, he said. In the end, submitting CTA as an open source application may just be a politically correct way of throwing in the towel on an application that had become irrelevant, said Oltsik. 'It's a feel-good move,' Oltsik said, but one without much force as long as the NAC protocols used by CTA remain firmly in Cisco's grasp.
This story, 'Cisco going open source with NAC client' was originally published.
Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment

This chapter describes how to configure Agent distribution and installation for client machines, as well as how to configure client posture assessment in the Cisco NAC Appliance system.

Overview

The Cisco NAC Agent and Cisco NAC Web Agent provide local posture assessment and remediation for client machines. Users download and install the Cisco NAC Agent (read-only client software), which can check the host registry, processes, applications, and services. The Agent can be used to perform antivirus or antispyware definition updates, distribute files uploaded to the Clean Access Manager, distribute links to websites from which users can download files to fix their systems, or simply distribute information and instructions. Unlike the Cisco NAC Agent, the Cisco NAC Web Agent is not 'persistent': it exists on the client machine only long enough to accommodate a single user session.
Instead of downloading and installing an Agent application, once the user opens a browser window, logs in to the NAC Appliance web login page, and chooses to launch the temporal Cisco NAC Web Agent, a self-extracting Agent installer downloads files to the client machine's temporary directory, performs posture assessment (scans the system to ensure security compliance), and reports compliance status back to the Cisco NAC Appliance system. For more information on Cisco NAC Appliance Agents, see.

Agent posture assessment is configured in the CAM by creating requirements based on rules and (optionally) checks, then applying the requirements to user roles and client operating systems. For an illustrated overview, see.

Note: Most requirement remediation actions (such as Windows Updates and AV/AS definition updates) require the user to have administrator privileges on the client machine. Therefore, Cisco recommends that you ensure users of client machines undergoing posture assessment and remediation have administrator-level privileges. Granting users local administrator rights to satisfy remediation is a trade-off against least privilege; weigh it against your organisation's endpoint policy before enabling remediation for a role.
Users in L3 Deployments

Cisco NAC Appliance supports multi-hop L3 deployment and VPN concentrator/L3 access from the Agent. This enables clients to discover the CAS when the network configuration puts clients one or more L3 hops away from the CAS (instead of in L2 proximity). You must enable L3 Support on the CAS and ensure there is a valid Discovery Host for the Agent to function in multi-hop L3 environments or behind a Cisco VPN concentrator.

Distribution

The Cisco NAC Agent installation files and the Cisco NAC Web Agent are part of the Clean Access Manager software and are automatically published to all Clean Access Servers.
To distribute the Agent to clients for initial installation, you require the use of the Agent for a user role and operating system in the General Setup > Agent Login tab. The CAS then distributes the Agent Setup file when the client requests the Agent. (This behavior does not apply to the Cisco NAC Web Agent.) If the CAS has an outdated version of the Agent, the CAS acquires the newest version available from the CAM before distributing it to the client.
Auto Upgrade

By configuring Agent auto-upgrade in the CAM, you can allow users to automatically upgrade upon login to the latest version of the Agent available on the CAM. With the Cisco NAC Web Agent, users automatically download the latest version of the temporal Agent available on the CAM.

Installation

You can configure the level of user interaction required when users initially install the Agent.

Out-of-Band Users

Because Out-of-Band users only encounter the Agent during the time they are In-Band for authentication and certification, Agent configuration is the same for In-Band and Out-of-Band users.

Rules and Checks

With pre-configured Cisco checks and rules, or custom checks and rules that you configure, the Agent can check whether any application or service is running, whether a registry key exists, and/or the value of a registry key.
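As an added example (not part of the Cisco documentation or the Agent's code), the following Python shows how checks of the kinds listed above (process running, service running, registry key exists, registry value) are combined into a rule by a boolean expression. The rule syntax assumed here, the operators &, |, ! and parentheses over check names, the check names such as pc_AVRunning, and the host snapshot are all constructed for illustration; the Agent reads the real registry and process list.

```python
"""Evaluate NAC-style rule expressions against posture check results.

Added example, not Cisco's code. The rule syntax (& | ! and parentheses over
check names) is an assumption; check names and the host snapshot are
constructed sample data standing in for what the Agent would observe.
"""
import re

# Constructed snapshot of a client machine (not read from a real host).
HOST = {
    "processes": {"explorer.exe", "avengine.exe"},
    "services": {"wuauserv"},
    "registry": {
        r"HKLM\SOFTWARE\AcmeAV\Version": "12.4",
        r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate": "0",
    },
}

# Hypothetical checks: name -> (check type, target, expected value)
CHECKS = {
    "pc_AVRunning":    ("process", "avengine.exe", None),
    "pc_FWRunning":    ("process", "fwengine.exe", None),
    "pc_WUService":    ("service", "wuauserv", None),
    "pc_AVKeyExists":  ("registry_exists", r"HKLM\SOFTWARE\AcmeAV\Version", None),
    "pc_AutoUpdateOn": ("registry_value",
                        r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate", "0"),
}


def run_check(name, host=HOST):
    """Evaluate one check against the host snapshot; undefined names fail closed."""
    if name not in CHECKS:
        raise ValueError(f"undefined check {name!r}")
    kind, target, expected = CHECKS[name]
    if kind == "process":
        return target in host["processes"]
    if kind == "service":
        return target in host["services"]
    if kind == "registry_exists":
        return target in host["registry"]
    if kind == "registry_value":
        return host["registry"].get(target) == expected
    raise ValueError(f"unknown check type {kind!r}")


_TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|([&|!()]))")


def tokenize(expr):
    tokens, pos, end = [], 0, len(expr.rstrip())
    while pos < end:
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad character at offset {pos} in {expr!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


def evaluate(expr, check=run_check):
    """Recursive-descent evaluation: ! binds tightest, then &, then |.

    Both operands of & and | are always parsed, so a malformed right-hand
    side is rejected even when the left-hand side already decides the result.
    """
    tokens = tokenize(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a check name or ('}, got {tok!r}")
        pos += 1
        return tok

    def parse_or():
        value = parse_and()
        while peek() == "|":
            take("|")
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and():
        value = parse_not()
        while peek() == "&":
            take("&")
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        if peek() == "!":
            take("!")
            return not parse_not()
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            value = parse_or()
            take(")")
            return value
        if tok in {"&", "|", "!", ")"}:
            raise ValueError(f"unexpected {tok!r}")
        return bool(check(tok))

    result = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing tokens {tokens[pos:]}")
    return result


if __name__ == "__main__":
    for rule in ("pc_AVRunning & pc_WUService",
                 "(pc_AVRunning | pc_FWRunning) & !pc_FWRunning",
                 "pc_AVKeyExists & pc_AutoUpdateOn"):
        print(f"{rule:48} -> {'pass' if evaluate(rule) else 'fail'}")
```

A malformed rule ("pc_AVRunning &") or a reference to a check that was never defined raises rather than silently passing, which is the behaviour you want from anything that gates network access.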
Cisco pre-configured rules provide support for critical Windows OS hotfixes.

Agent Updates

Through the Updates page of your CAM web console, Cisco tracks and provides multiple updates per hour, including the latest versions of Cisco NAC Agent installers and Cisco NAC Web Agent installation packages as they become available. See for complete details.

Agent Configuration Steps

The basic steps needed to configure Agent distribution, installation, and posture assessment are Step 1 through Step 6, described in the sections that follow.

Add Default Login Page

In order for both web login users and Agent users to obtain the list of authentication providers, a login page must be added and present in the system for users to authenticate via the Agent.
See to quickly add the default user login page. Note: For L3 OOB deployments, you must also.

Configure Agent Roles and User Profiles

In order for Agent users to log in to Cisco NAC Appliance, you must ensure that user login roles and user profiles are configured in the system. See and to add user roles and individual user login profiles in Cisco NAC Appliance.

Require Agent Login for Client Machines

Requiring the use of the Agent is configured per user role and operating system.
When an Agent is required for a role, users in that role are forwarded to the Agent download page after authenticating for the first time using web login. The user is then prompted to download and run the Agent installation file or launch the Cisco NAC Web Agent. At the end of the installation, the user is prompted to log into the network using the Agent.
(Cisco NAC Web Agent users are automatically connected to the network as long as their client machine meets the Agent Requirements configured for the user role.)

Step 1 Go to Device Management > Clean Access > General Setup > Agent Login.
Figure 9-1 General Setup
Step 2 Select the User Role for which users will be required to use the Agent.
Step 3 Select an Operating System from the items available in the dropdown menu.
Note: Make sure the Operating System is correctly configured for the role to ensure the Agent download page and/or Cisco NAC Web Agent launch page is properly pushed to users.
Step 4 If you want to require users to log in to the Cisco NAC Appliance system using the Cisco NAC Agent, check the Require use of Agent checkbox. For information on Distribution settings, see.
For more information on the Cisco NAC Agent and user dialog examples, see.
Step 5 If you want to require users to log in to the NAC Appliance system using the Cisco NAC Web Agent, check the Require use of Cisco NAC Web Agent checkbox. For more information on the Cisco NAC Web Agent and user dialog examples, refer to.
Note: The Require use of Agent and Require use of Cisco NAC Web Agent options are not mutually exclusive. If you enable both options, both choices appear to users when they are directed to the Login Page.
Step 6 You can leave the default messages, or optionally type your own HTML message in the Agent Download Page Message (or URL) and/or Cisco NAC Web Agent Launch Page Message (or URL) text fields.
Step 7 Click Update.
Note: For additional details on configuring the General Setup page, see.

Agent users logging in for the first time with the web login page see the Agent Download Page, as shown in Figure 9-2.
Figure 9-2 Agent Download Page
Cisco NAC Web Agent users logging in for the first time with the web login page see the Cisco NAC Web Agent Launch Page, as shown in Figure 9-3.
Figure 9-3 Cisco NAC Web Agent Launch Page

Configure Out-of-Band Logoff

Caution: To avoid disconnecting users currently logged in to the Cisco NAC Appliance network, Cisco strongly recommends disabling the Out-of-Band Heartbeat Timer during a planned network outage, since changing this setting can remove all current users from the Out-of-Band Online Users list. The Out-of-Band Logoff feature is disabled in Cisco NAC Appliance by default and is not applicable to Cisco NAC Web Agent or web login user sessions.
Feature Benefits

Out-of-Band Logoff can be used to monitor and track users in the OOB user list. This feature allows the Agent on client machines to initiate the logoff process in an Out-of-Band deployment. Out-of-Band Logout is available from the Agent tray icon and is useful in shared environments where one user needs to log out of the CAM so that another user can log in to the CAM and gain access to a different network.

Out-of-Band Logoff is also useful when users are connected behind an IP phone: when such a user disconnects, the managed switch does not send a linkdown trap to the CAM prompting it to remove the user from the Out-of-Band Online Users list. You can enable the OOB Heartbeat Timer so that, after the timer expires, users who are no longer on the network are removed.

Feature Dependencies - Mandatory
For Out-of-Band Logoff to function, both the CAM and CAS must be running Release 4.8 or later, and the client machine must be running the latest Cisco NAC Agent version (4.8.0.35 or later). For Agent Out-of-Band Logoff to function correctly in a deployment requiring a VLAN change based on user role (in both Layer 3 Out-of-Band deployments and Layer 2 Out-of-Band environments where the client machine IP address is refreshed following login), you must enable the VLAN change detection option as per the guidelines in. Ensure that the VLANdetectWithoutUI parameter is enabled in the NACAgentCFG.xml Agent configuration file accordingly. (See.) This setting refreshes the IP address in the Authentication VLAN after the CAM clears the user and moves the user from the Access VLAN to the Authentication VLAN; it is used when the OOB Logoff feature is combined with Windows logoff.

If you want to enforce Agent Passive Re-assessment (PRA) for your Cisco NAC Appliance Out-of-Band deployment, you must enable the Out-of-Band Logoff function. For more information on Agent Passive Re-assessment, see. Note: Passive Re-assessment can be enabled only for the Cisco NAC Agent; the Mac OS X Agent does not support PRA.

Prior to Release 4.8, deployments using Access Control Lists (ACLs), Layer 3 Out-of-Band Real-IP Gateway mode, and CAS certificates based on the untrusted network IP address needed to block UDP ports 8905/8906 to ensure that Access VLAN clients could not communicate with the untrusted side of the CAS and attempt another login. Policy Based Routing could be used to ensure that all non-NAC Authentication VLAN traffic was sent to the trusted-side IP address of the CAS. In Cisco NAC Appliance Release 4.8, if ACLs block access to the CAS, the OOB Logoff feature will not function as designed. Cisco NAC Appliance network administrators must leave UDP ports 8905/8906 open on network switches so that the CAS trusted interface can communicate during the following OOB scenarios: OOB Heartbeat Timers, OOB Logout, and Passive Re-assessment. Use Policy Based Routing to ensure that all non-Authentication client network traffic is forced to the CAS trusted interface.
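The mandatory dependencies above (CAM/CAS release, Agent version, the VLAN-detect flag in NACAgentCFG.xml, and UDP 8905/8906 not being filtered) are easy to get wrong one at a time, so here is an added pre-flight check in Python. It is not Cisco's code: the element name VlanDetectWithoutUI and its 0/1 encoding inside NACAgentCFG.xml are assumptions to adjust to the real file, the sample configuration is constructed, and the set of blocked ports is something you supply from your ACL review rather than something the script discovers.

```python
"""Check the mandatory Out-of-Band Logoff prerequisites described above.

Added example, not Cisco's code. The element name VlanDetectWithoutUI and
its 0/1 encoding in NACAgentCFG.xml are assumptions, and the sample file is
constructed; adjust both to the real file on your Agents.
"""
import xml.etree.ElementTree as ET

MIN_CAM_CAS_RELEASE = "4.8"
MIN_AGENT_VERSION = "4.8.0.35"
OOB_UDP_PORTS = (8905, 8906)   # must stay open for heartbeat, logout and PRA

# Constructed NACAgentCFG.xml with VLAN change detection still disabled.
SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8"?>
<cfg>
  <VlanDetectInterval>5</VlanDetectInterval>
  <VlanDetectWithoutUI>0</VlanDetectWithoutUI>
  <DiscoveryHost>cas.example.com</DiscoveryHost>
</cfg>
"""


def version_tuple(version):
    """'4.8.0.35' -> (4, 8, 0, 35). Plain string comparison would rank 4.10 below 4.8."""
    return tuple(int(part) for part in version.strip().split("."))


def at_least(version, minimum):
    return version_tuple(version) >= version_tuple(minimum)


def vlan_detect_enabled(cfg_xml):
    node = ET.fromstring(cfg_xml).find("VlanDetectWithoutUI")
    return node is not None and (node.text or "").strip() == "1"


def enable_vlan_detect(cfg_xml):
    """Return cfg_xml with VlanDetectWithoutUI set to 1 (element added if missing)."""
    root = ET.fromstring(cfg_xml)
    node = root.find("VlanDetectWithoutUI")
    if node is None:
        node = ET.SubElement(root, "VlanDetectWithoutUI")
    node.text = "1"
    return ET.tostring(root, encoding="unicode")


def oob_logoff_problems(cam_version, cas_version, agent_version, cfg_xml,
                        vlan_change_on_login, blocked_udp_ports=()):
    """Return the unmet mandatory dependencies; an empty list means OOB Logoff can work."""
    problems = []
    if not at_least(cam_version, MIN_CAM_CAS_RELEASE):
        problems.append(f"CAM {cam_version} is older than {MIN_CAM_CAS_RELEASE}")
    if not at_least(cas_version, MIN_CAM_CAS_RELEASE):
        problems.append(f"CAS {cas_version} is older than {MIN_CAM_CAS_RELEASE}")
    if not at_least(agent_version, MIN_AGENT_VERSION):
        problems.append(f"Agent {agent_version} is older than {MIN_AGENT_VERSION}")
    if vlan_change_on_login and not vlan_detect_enabled(cfg_xml):
        problems.append("VlanDetectWithoutUI is not enabled in NACAgentCFG.xml")
    for port in OOB_UDP_PORTS:
        if port in blocked_udp_ports:
            problems.append(f"UDP {port} is blocked: heartbeat, logout and PRA cannot reach the CAS")
    return problems


if __name__ == "__main__":
    for p in oob_logoff_problems("4.8.0", "4.8.0", "4.7.2.5", SAMPLE_CFG, True, {8905}):
        print("-", p)
    print("after fix:", oob_logoff_problems("4.8.0", "4.8.0", "4.8.0.35",
                                            enable_vlan_detect(SAMPLE_CFG), True))
```

The version comparison is done on integer tuples on purpose: comparing the strings "4.10.0.1" and "4.8.0.35" puts the newer build below the minimum.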
Verify that the port profile(s) to which reconnecting users are assigned specify the Authentication VLAN for the Change to [Auth VLAN/Access VLAN] if the device is certified, but not in the Out-of-Band user list option, as described in. If using third-party or self-signed certificates for the CAS, ensure that the CA certificate is installed in the root store for every Windows domain user. This is important for OOB Logoff to work in a multi-user environment when logging out from Windows. To check in Internet Explorer, click Tools > Internet Options, go to the Content tab, click Certificates, and then open the Trusted Root Certification Authorities tab to see whether the CA certificate is installed.
Note: Self-signed certificates are not recommended for enterprise deployment.
Network Requirements

While using self-signed certificates for the CAS, ensure that the certificates are installed in the certificate root store of the client machine. In Layer 3 Out-of-Band Real-IP Gateway mode using Virtual Routing and Forwarding (VRF), Policy Based Routing (PBR), or Access Control Lists (ACLs) on the network, Cisco recommends that the CAS certificate use the untrusted IP address or FQDN of the CAS. In a Layer 3 network topology where users move from one location to another using the same CAS name as the Discovery Host, it is recommended to use DNS to resolve the name to the IP address of the CAS closest to the user. Once a device is connected to the Access network, the OOB Logoff heartbeat packets of the NAC Agent must be sent to the same CAS that authenticated the device.
Feature Dependencies - Optional

To enforce the OOB Heartbeat Timer, you must enable Out-of-Band Logoff. See for more information. The Certified Devices List (CDL) is cleared by Out-of-Band Logoff only when the Require users to be certified at every web login option on the CAM Device Management > Clean Access > General Setup > Web Login web console page is enabled for the user role and appropriate OS. See for more details. To log out the NAC Agent on a per-role basis when a user logs off the Windows domain, ensure that the Logoff NAC Agent users from network on their machine logoff or shutdown after __ secs option on the CAM Device Management > Clean Access > General Setup > Agent Login web console page is enabled for the user role. See for more details.
By default, when the Logout or Exit option is selected from the Cisco NAC Agent icon in the system tray, the Agent sends a logout request to the CAS.

Feature Limitations

Release 4.7(x) and earlier versions of the Cisco NAC Agent and the Mac OS X Agent do not support the Out-of-Band Logoff feature. The user is logged off if a DHCP renew provides a different IP address, or if the client machine moves to a second Access VLAN. When using Out-of-Band Logoff in a multi-homed environment, the NAC Agent can track only one login at a time (for PRA, Heartbeat, or Logout). For example, a user logs in through the NAC Agent over the wireless connection, then connects the PC to the wired network and logs in again over the wired connection. At this point, the Agent uses only the wired IP address for communication. If the user logs out at this point, the entry with the wired IP address is removed from the OUL, but the wireless entry remains in the OUL until the OOB Heartbeat Timer expires. It is therefore recommended to set a short OOB Heartbeat interval so that the wireless-side entry is removed promptly. The following failure scenarios might cause the Cisco NAC Agent to appear following successful user authentication when the client machine roams between CASs in Layer 3 (both In-Band and Out-of-Band) and Layer 2/Layer 3 Out-of-Band environments.
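The multi-homed limitation above is easier to reason about with a small model, so here is an added Python simulation of it; it is not Cisco's code and does not talk to a CAM. It models the Online Users List (OUL) as one entry per client IP stamped with its last heartbeat, an Agent that only communicates for its most recent login, and the OOB Heartbeat Timer that reaps entries whose heartbeats have stopped. The IP addresses, interface order and timings are constructed.

```python
"""Model the multi-homed Out-of-Band Logoff limitation described above.

Added example, not Cisco's code: a simulation of the CAM Online Users List
(OUL) keyed by client IP, an Agent that only talks for its most recent login,
and the OOB Heartbeat Timer that removes entries whose heartbeats stopped.
IPs, interface order and timings are constructed.
"""


class OnlineUsersList:
    """One OUL entry per client IP, each stamped with its last heartbeat time."""

    def __init__(self):
        self.entries = {}          # ip -> last_seen (seconds)

    def login(self, ip, now):
        self.entries[ip] = now

    def heartbeat(self, ip, now):
        if ip in self.entries:
            self.entries[ip] = now

    def logout(self, ip):
        self.entries.pop(ip, None)

    def expire(self, now, heartbeat_timer):
        """Remove entries silent for longer than the timer; return the IPs removed."""
        stale = [ip for ip, seen in self.entries.items() if now - seen > heartbeat_timer]
        for ip in stale:
            del self.entries[ip]
        return stale


class Agent:
    """Tracks a single active login: the most recent interface wins."""

    def __init__(self, oul):
        self.oul = oul
        self.active_ip = None

    def login(self, ip, now):
        self.active_ip = ip
        self.oul.login(ip, now)

    def heartbeat(self, now):
        self.oul.heartbeat(self.active_ip, now)

    def logout(self):
        # Only the active (most recent) login is sent to the CAS.
        self.oul.logout(self.active_ip)
        self.active_ip = None


def simulate(heartbeat_timer, heartbeat_interval=10, wired_login_at=30, logout_at=60):
    """Wireless login at t=0, wired login at wired_login_at, user logout at logout_at.

    Returns (time at which the stale wireless entry was reaped, OUL IPs left then).
    """
    wireless, wired = "10.1.1.50", "10.1.2.50"   # constructed addresses
    oul = OnlineUsersList()
    agent = Agent(oul)
    agent.login(wireless, 0)
    t = 0
    while t < logout_at + 10 * heartbeat_timer:   # bound the loop
        t += heartbeat_interval
        if t == wired_login_at:
            agent.login(wired, t)        # wireless entry stops being refreshed here
        elif t == logout_at:
            agent.logout()               # removes only the wired entry
        elif agent.active_ip is not None:
            agent.heartbeat(t)
        if wireless in oul.expire(t, heartbeat_timer):
            return t, sorted(oul.entries)
    raise RuntimeError("wireless entry never expired")


if __name__ == "__main__":
    for timer in (60, 20):
        reaped_at, left = simulate(timer)
        print(f"heartbeat timer {timer:3}s: wireless entry reaped at t={reaped_at}s, OUL left: {left}")
```

With a 60-second timer the orphaned wireless entry outlives the user's logout by half a minute; with a 20-second timer it is gone before the logout even happens, which is the reason the guide recommends a short OOB Heartbeat interval in this scenario.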