So now that we’ve created a Check, a Rule, and have associated the Check with the Rule, we can move on to the next phase: create a Requirement. Think about a Requirement as the remediation process your users will have to go through if they fail the check. In other words, what do you want the user to do if they do not meet the requirement?
Under Clean Access Agent > Requirements > New Requirement in the NAM is where we’ll start the configuration. Notice that in version 4.5.1 of the code there are several options for remediation, as shown below:

Here is a quick breakdown of each Requirement Type:
- File Distribution – If a client fails the requirement, we want a file pushed from the NAM to the client “on the fly”.
- Link Distribution – If a client fails the requirement, we will provide a hyperlink in the agent software on the user’s PC that they can click on to download files.
- Local Check – Just checks for the associated requirement. There is no remediation here, just checking for items.
- AV/AS Def Update – Just that. Remember that the NAC Agent is only triggering the AV software to update itself; the Agent is not doing the updating itself.
- Windows Update – If the client has the Windows Update service running, it will trigger the update.
- Launch Program – This is a goodie: it will launch an executable on the LOCAL user’s host, or from a mapped drive.
- Windows Update Service – Launches the WSUS updates. Remember that your WSUS settings have to be set up ahead of time to use this.
OK, so although it seems pretty straightforward, don’t let this fool you. There are a lot of little quirky “gotchas” with these options. I’ll begin with File Distribution. This is going to be the closest you’ll get to patch management with the Cisco NAC. Yes, the NAM will push executable files to the clients on the fly. The thing to watch here is that the NAM needs bi-directional communication with each client in order to push the files, which leads to a tad bit of exposure of the manager.
The other gotcha is that the executable has to be uploaded to the NAM itself. Cisco did provide a nice GUI to upload the file; however, keep in the back of your mind that the executable will be a part of the Postgres database, causing it to grow pretty large very quickly depending on what you are pushing to the clients. Here is a snapshot of the database backed up before a File Distribution, and after one was created with a 2.5 MB file uploaded to the NAM. It makes you want to think long and hard before using the File Distribution option. I like to call it the “quick and dirty” patch management to just deliver “one-offs”. For a long-term solution, purchase patch management software. By the way, in Cisco’s defense here, they never claimed to be providing patch management with NAC.

The nice thing to remember with this option is that the installation rights required to launch the software are provided by the Stub Installer (which previous blog posts said should have been installed at the same time as the NAC Agent to help with these types of remediation). That basically means your users can be logged in with their standard rights and do not need admin privileges to have the software installed.
I’ll run through the other Requirement types in the next blog post.
Author: Jim Thomas