
Cisco Clean Access
Frequently Asked Questions


Last updated October 27, 2006


Cisco Clean Access Agent -- Network Validation Solution

Glossary of Key Terms

NSUnet: NSU's internal network (Intranet).  

Authentication: The process of verifying your access to the network by confirming your username and password and associating it with your computer.

Validation: The process of confirming that certain security measures are in place on your computer.

Validation Solution: The process of ensuring that your computer meets the requirements to access NSUnet and the Internet.

Quarantine: The role a computer is placed in if it fails validation. In this role, the user will only be able to access sites that will allow them to complete validation.

Trap: The process of examining network traffic to prevent computers that have not been validated from connecting to NSUnet/Internet.

Remediation Sites: Web sites from which the requesting PC may download software required to meet the minimum security standards.

Minimum Security Standards: All Microsoft Critical Updates must be installed and approved antivirus software with the latest updates must be installed and running.

OS: Operating System - software that controls the execution of computer programs and may provide various services (e.g., Windows XP/2000/98/ME, Macintosh OSX, Linux, etc.)

University/Cisco-approved antivirus software: A list of approved antivirus programs can be found here (click here). Note: NSU is only able to support and troubleshoot the Sophos antivirus provided by the University.

Session Timer: Controls how frequently re-validation must occur.

Heartbeat Timer: Controls how long the network connection is valid.

Cisco Clean Access Agent (CCAA): A software agent which downloads and processes the validation rules.

Cisco System: Software provided by Cisco Systems, Inc. that performs network validation and checks the PC for standard security software.


Frequently Asked Questions

What is Cisco Clean Access?

Clean Access is a solution provided by Cisco Systems, Inc. that performs network validation and checks the PC for standard security software necessary to access NSUnet. The software performs the following functions:

•  Requires users to authenticate (log in) to access NSUnet.

•  Validates whether the system connecting to NSUnet meets the minimum security standards.

•  Quarantines the system until it meets the minimum security standards.

•  Provides access to the remediation sites.

•  Allows access to NSUnet once the system is validated as "clean."


What Networks Require Validation?

All NSUnet networks accessed via NSU's VPN Pro.

Why Are We Introducing this Solution Now?

NSUnet experienced numerous virus problems originating from student PCs at the start of the fall 2003 semester. Just prior to move-in weekend, the Blaster worm was introduced. We did not have a solution that could effectively quarantine systems until proven "clean"; thus, many unprotected systems infected the NSUnet as soon as they were physically plugged into the network. It has been determined that the best way to prevent this from happening again is to ensure that antivirus software and OS critical updates/patches are current and maintained.

Users who did connect systems that were current with both OS patches and antivirus software also suffered delays in Internet and other network access due to the excessive traffic caused by the infected machines.

Off-campus and wireless access to the NSUnet creates the same possibility of viral injection and circulation, so the same solution is being put into effect.

How Does Cisco Clean Access Work?

Cisco Clean Access will "trap" any NSUnet network access. The user's web browser is redirected to a web page that instructs them to download and install the validation client known as "Cisco Clean Access Agent".

Once launched, the client downloads and processes the validation rules. If the computer fails to validate, it is allowed limited network access to the remediation sites. Once corrected, full network access is provided and a timer is set for the connection.

The connection remains intact until the user logs out of NSU's VPN Pro; at that time, the connection is reset and the user must re-validate at the next NSU VPN Pro logon.

What is Cisco Clean Access Agent?

Cisco Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access Server. No information about the user, or the user file content, or user antivirus activity is sent to the server. Each user must use Cisco Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use NSUnet.


What Validation Checks are Being Performed?

The Cisco Clean Access Agent will validate the following:

•  Check for current release of approved antivirus software and current virus definitions.

•  Check for current Windows OS Patches for Windows 98, ME, 2000 and Windows XP machines.

How Long Do the Validation Checks Take?

On a broadband connection, the CCAA validation process may take between 2 and 60 minutes, depending on the number of critical updates and service packs, the availability of CCAA-approved antivirus software, and the current virus definitions you may need.

What is the Process for Changing the Minimum Security Requirements?

As new critical Microsoft updates become available, the security requirements will be updated to reflect the new patches. Typically, we will not immediately set the validation check for the new patches, but allow some time (typically a week) for people to update their systems in due course. If a vulnerability is reported or the threat of a virus storm or worm attack emerges, we will update the validation check immediately and force all users to re-logon.

Please note that we may cancel all network connections for a particular subnet in response to an attack. We will only resort to these actions in very urgent conditions.
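
The enforcement timing described above, combined with the validation checks and the Quarantine role defined earlier on this page, can be modelled as a small policy function. This is an added example, not Cisco's or NSU's code: the class names, patch identifiers and dates are constructed, and "typically a week" is assumed to mean exactly seven days.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Vendors this page lists as approved; matching by lowercase name is an assumption.
APPROVED_AV = {"sophos", "symantec", "trend micro", "mcafee"}
GRACE = timedelta(days=7)  # assumption: "typically a week" modelled as exactly 7 days

@dataclass
class Patch:
    patch_id: str            # constructed identifier, not a real bulletin number
    released: date
    emergency: bool = False  # True: enforce at once, skipping the grace period

@dataclass
class Posture:               # what the agent would report (hypothetical structure)
    authenticated: bool
    av_vendor: str
    av_running: bool
    av_definitions_current: bool
    installed: set[str] = field(default_factory=set)

def enforced_patches(catalog: list[Patch], today: date) -> set[str]:
    """Patches whose grace period has ended, plus any flagged as emergency."""
    return {p.patch_id for p in catalog
            if p.emergency or today - p.released >= GRACE}

def evaluate(posture: Posture, catalog: list[Patch], today: date):
    """Return (role, failures) using the roles named in the glossary."""
    if not posture.authenticated:
        return "unauthenticated", ["authentication"]
    failures = []
    av_ok = (posture.av_vendor.lower() in APPROVED_AV
             and posture.av_running and posture.av_definitions_current)
    if not av_ok:
        failures.append("antivirus")
    missing = enforced_patches(catalog, today) - posture.installed
    if missing:
        failures.append("windows-patch:" + ",".join(sorted(missing)))
    return ("quarantine" if failures else "validated"), failures

# Constructed catalog: one old patch, one still in grace, one emergency.
CATALOG = [Patch("PATCH-A", date(2006, 10, 1)),
           Patch("PATCH-B", date(2006, 10, 24)),
           Patch("PATCH-C", date(2006, 10, 26), emergency=True)]

if __name__ == "__main__":
    pc = Posture(True, "Sophos", True, True, {"PATCH-A"})
    print(evaluate(pc, CATALOG, date(2006, 10, 27)))
```

A machine that validates today can fall into quarantine at its next logon without any change on the PC, simply because a patch's grace period has run out.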

How Does a User Re-Validate Before the Timer Expires?

You will need to re-establish your VPN connection before a new Clean Access validation can occur.


How Does Validation Work for Macintosh Users?

Presently, NSU's VPN Pro validation services are unavailable to Macintosh users. You are encouraged to access NSUnet via NSU's VPN Basic (click here).

How Does Validation Work for Linux Users?

Presently, NSU's VPN Pro validation services are unavailable to Linux users. You are encouraged to access NSUnet via NSU's VPN Basic (click here).

What About Xboxes, PlayStations, etc.?

Presently, NSU's VPN Pro services are unavailable to online games.

What Remediation is Available?

  • Authentication Failure: If a user's system fails authentication, the user is instructed to provide the correct NSU UserID and NSU Password. If the user has forgotten his/her NSU UserID and/or NSU Password, he/she should visit Microcomputing Services.

  • Antivirus Failure: The user's system fails the check for the presence of one of the three approved antivirus software programs. The four approved antivirus programs are all versions of Sophos antivirus, Symantec, Trend Micro, and all versions of McAfee. If a user does not have an antivirus program, NSU is providing a free download for the current version of Sophos antivirus. Note: NSU is only able to support and troubleshoot the Sophos antivirus provided by the University.

  • Microsoft Windows Patch Failure: If the user's system fails the check for current critical OS patches, the user is instructed to click on the URL for the Microsoft Windows update site and follow the instructions provided there.

What Happens If an "Infected" System Behaves Badly on the Network?

Using the NSUnet constitutes acknowledgment that you have read and accept the terms and conditions contained in this notice and that NSU has the right to disconnect access to users violating the terms and conditions.

What are the terms and conditions of using the NSUnet?

1.  Northeastern State University is providing you access to our WLAN as a complimentary service for your convenience. You acknowledge that (i) the WLAN service provides unencrypted wireless access to the Internet, and agree you are responsible for the security of your system and any transmissions you make or receive; and (ii) that you understand the risks of unencrypted access to the Internet, and will take any necessary security precautions, including encrypting confidential transmissions, backing up any data and protecting your system with a firewall and robust user authentication.

2.  You agree that your activities on the WLAN shall not introduce any computer programming routines that may damage, detrimentally interfere with, surreptitiously intercept or expropriate any system, data or personal information;

     a)  create any liability for us or cause us to lose (in whole or in part) the services we provide to the NSU community;

     b)  violate any law, statute, ordinance or regulation (including, but not limited to, those governing export control, consumer protection, unfair competition, antidiscrimination or false advertising);

     c)  be defamatory, trade libelous, unlawfully threatening or harassing;

     d)  be obscene or contain child pornography;

     e)  infringe any third party's copyright, patent, trademark, trade secret or other proprietary rights; or

     f)  involve any attempt to access any data or system which you are not authorized to access.

3.  AS A COMPLIMENTARY SERVICE, THIS WLAN IS PROVIDED “AS-IS” AND “WHERE-IS,” WITHOUT ANY WARRANTIES, EXPRESS OR IMPLIED.  Gaming is not supported.


Why do I have to go through this process?

The University is making every effort to make your network experience productive and secure, as well as protecting your computer.

Am I required to install any software on my computer?

All Microsoft Windows computers are required to install the Cisco Clean Access Agent client software to connect to the Internet/NSUnet. You will also be required to use a "University approved" antivirus program (click here to view list) and install all critical Microsoft OS patches and updates (click here to visit).

Complete List of Cisco-approved antivirus Software

What is Cisco Clean Access Agent?

Cisco Clean Access Agent is an application that will check certain security settings on your Windows PC to make sure that your system is up-to-date with required security patches and report this status to the server. No information about you is sent to the server. You must use Cisco Clean Access Agent for your Microsoft Windows PC in order to authenticate and use the NSUnet. Current required security settings include "university approved" antivirus program and current definitions, critical Microsoft OS patches and updates.

When do I have to login? How often do I have to login?

You should be automatically logged in each time you successfully log on to WebVPN Pro.


How do I tell if I am already logged in?

The best way is to try to go to an Internet site. In most cases, if you are ABLE to access a website such as www.nsuok.edu you are online and logged in. If you check the CCAA it should say "Login".


How do I tell if I am Quarantined/Unauthenticated?

You will be unable to access your NSUnet drives (e.g., L:, I:, etc.), or browse to www.nsuok.edu.

I use a personal firewall; will this cause a problem?

In most cases, a personal firewall will work fine. Depending upon the firewall product, you may receive several pop-up windows requesting "ok to proceed". Some of the personal firewalls are:

  • Windows XP

  • BlackIce

  • Zone Alarm

  • Sygate


Troubleshooting

I cannot access the login page. I get the redirection page but then my browser gives an error and stops.

Generally, this is caused by an encryption (SSL) problem with your browser. Encryption is required for authentication to complete. Try another browser if you are unable to correct the problem with the first browser (IE -> Netscape; Netscape -> IE). Usually, Netscape has fewer encryption problems.

I am unable to ping the default gateway address; should I not be able to do this?

No, you will not be able to ping the default gateway. This is normal. Until you are completely logged in you will not be able to ping any address.


What am I allowed to access when Unauthenticated or Quarantined?

For the most part, remediation and help sites such as http://windowsupdate.microsoft.com, antivirus update sites, and NSU resources like dorm-sav and netnotes. Check your CCAA in the systray. Choose login if available.

I'm on a Windows machine. Sometimes I can log in using the web page, and at other times the web page tells me that I must use Cisco Clean Access Agent. Why?

It depends on when your computer was last "validated" to the network. You can always use the Cisco Clean Access Agent client.

How do I logout?

The only way to log out of CCAA is to log off WebVPN Pro (in the system tray, right-click the key icon > Disconnect).

The "logout" option in Cisco Clean Access Agent is greyed out.

The Cisco Clean Access Agent does not always detect your network status. Once you login through the Cisco Clean Access Agent, you will have the "logout" feature.


Can I update Windows before I login?

Yes. You should be able to go to http://update.microsoft.com.

Why, when I run Windows Update, do I get a message stating that the product key used to install Windows is invalid?

Windows Update will fail if your Windows OS is not properly licensed. You must have a legal copy of the operating system to connect to the university network. Please contact your system manufacturer for further support.

Can I update McAfee before I have logged in?

Yes. The best way is to "tell" McAfee to update/upgrade now.

Do I have to use the Cisco Clean Access Agent client?

Yes. All Windows PCs are required to use Cisco Clean Access Agent for NSUnet access.

What happens if I uninstall the Cisco Clean Access Agent client?

You will be required to reinstall the client to re-authenticate the next time you log on to WebVPN Pro.


I keep trying to install the CCAA but it tells me that I can either Modify/Repair or Remove the program. Why is this?

Cisco Clean Access Agent is currently installed on your machine. You do not need to install it again.

How do I know Cisco Clean Access Agent is running?

Look in the "System Tray" for the Cisco CAA systray icon in the lower right corner near the time display. You may need to select the "<<" to expand the list and show Cisco Clean Access Agent.

I do not see the Cisco Clean Access Agent icon in my system tray; what do I do?

There are a few possibilities:

1. Cisco Clean Access Agent has not been installed.

-> Please install Cisco Clean Access Agent to continue.

2. Cisco Clean Access Agent has been installed but you did not select "Launch" at the end of the installation.

-> From the "Start" menu, select "Programs", then "Cisco", then "Clean Access", then "Clean Access Agent" to launch the program.

3. Cisco Clean Access Agent is "hidden" in the Systray.

-> Please click on "<<" to expand the system tray list and show Cisco Clean Access Agent, then login.

4. Your computer has a problem showing Systray icons.

-> You may be able to use Task Manager to halt Cisco Clean Access Agent and then launch it again.

5. Cisco Clean Access Agent is installed but not running.

-> From the "Start" menu, select "Programs", then "Cisco", then "Clean Access", then "Clean Access Agent" to launch the program.