 Feedback
|
Table Of Contents
Release Notes for Cisco NAC Appliance (Cisco Clean Access) for Version 4.1(0)
Cisco NAC Appliance Service Contract/Licensing Support
System and Hardware Requirements
Supported Switches for Cisco NAC Appliance
VPN Components Supported for Single Sign-On (SSO)
Software Compatibility Matrixes
Release 4.1(0) Compatibility Matrix
Release 4.1(0) CAM/CAS Upgrade Compatibility Matrix
Release 4.1(0) Agent Upgrade Compatibility Matrix
Determining the Software Version
Clean Access Manager (CAM) Version
Clean Access Server (CAS) Version
Cisco Clean Access Updates Versioning
Enhancements in Release 4.1.0.2
Clean Access Agent Enhancements (4.1.0.2)
Supported AV/AS Product List Enhancements (Version 50)
Enhancements in Release 4.1.0.1
Upgrade Instructions for 4.1.0.1
New Features and Enhancements in Release 4.1(0)
Clean Access Agent/ActiveX/Applet DHCP Release/Renew
Support for GPO Update Trigger
Online Update to Retrieve Switch OIDs
Qualified Remediation Program Launch
Clean Access Agent for Mac OS X Authentication
Clean Access Agent Installation Options
Clean Access Agent Language Template Support
Clean Access Agent Silent Auditing
Searchable Clean Access Agent Reports
Certified Devices Timer Enhancements for Periodic Assessment
DHCP Global Option Enhancements
Clean Access Agent Enhancements (4.1.0.0)
Port Profile Management for OOB Users
Enhancements to Check Parameters
Supported AV/AS Product List Enhancements (Version 42)
Deprecated IPsec/L2TP/PPTP/PPP Features
Cisco Pre-Configured Rules ("pr_")
Using Cisco Rules to Check for CSA
Clean Access Supported AV/AS Product List
Clean Access AV Support Chart (Windows XP / 2000)
Clean Access AV Support Chart (Windows ME / 98)
Clean Access AS Support Chart (Windows XP / 2000)
Supported AV/AS Product List Version Summary
Clean Access Agent Version Summary
Open Caveats - Release 4.1.0.2
Resolved Caveats - Release 4.1.0.2
Resolved Caveats - Release 4.1.0.1
Resolved Caveats - Release 4.1(0)
Known Issues for Cisco NAC Appliance
Known Issue with NAT/PAT Devices and L3 Deployments
Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
Known Issue with Windows 98/ME/2000 and Windows Script 5.6
New Installation of Release 4.1(0)
Settings That May Change With Upgrade
General Preparation for Upgrade
In-Place Upgrade from 3.5(7)+ to 4.1(0)—Standalone Machines
Mount the CD-ROM and Run the Upgrade File
Swap Ethernet Cables (if Necessary)
In-Place Upgrade from 3.5(7)+ to 4.1(0)—HA-Pairs
Determine Active and Standby Machines
Shut Down Standby Machine and Upgrade Active Machine In-Place
Shut Down Active Machine and Upgrade Standby Machine In-Place
Complete the HA In-Place Upgrade
Upgrading from 3.6(x)/4.0(x)—Standalone Machines
Web Console Upgrade—Standalone Machines
Console/SSH Upgrade—Standalone Machines
Upgrading from 3.6(x)/4.0(x)—HA Pairs
Access Web Consoles for High Availability
Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs
Recovering Root Password for CAM/CAS (Release 4.1.0/4.0.x/3.6.x)
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
Agent Error: "Network Error SSL Certificate Rev Failed 12057"
Clean Access Agent AV/AS Rule Troubleshooting
Enable Debug Logging on the Clean Access Agent
Troubleshooting Switch Support Issues
Troubleshooting Network Card Driver Support Issues
Other Troubleshooting Information
Obtaining Documentation, Obtaining Support, and Security Guidelines
Release Notes for Cisco NAC Appliance (Cisco Clean Access) for Version 4.1(0)
Revised: January 30, 2008, OL-11384-01Contents
These release notes provide late-breaking and release information for Cisco® NAC Appliance, formerly known as Cisco Clean Access (CCA), release 4.1(0). This document describes new features, changes to existing features, limitations a nd restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.
•
Cisco NAC Appliance Service Contract/Licensing Support
•
•
•
•
•
•
Cisco NAC Appliance Releases
4.1.0.2 ED
February 9, 2007
4.1.0.1 ED [obsoleted by 4.1.0.2]
December 4, 2006
4.1(0) ED [obsoleted by 4.1.0.2]
November 14, 2006
Note
Cisco NAC Appliance Service Contract/Licensing Support
For complete details on licensing, including service contract support, new licenses, evaluation licenses, legacy licenses and RMA, refer to the following web page:
http://www.cisco.com/en/US/products/ps6128/prod_pre_installation_guide09186a008073136b.html
System and Hardware Requirements
This section describes the following:
•
•
System Requirements
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:
•
•
•
•
Hardware Supported
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:
•
•
•
•
See Troubleshooting for further details.
Supported Switches for Cisco NAC Appliance
See Switch Support for Cisco NAC Appliance for complete details on:
•
•
•
•
VPN Components Supported for Single Sign-On (SSO)
Table 1 lists VPN components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.
Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO
4.1(0)
Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)1
N/A
Cisco ASA 5500 Series Adaptive Security Appliances, Version 7.2(0)81 or above
•
•
Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco VPN 3000 Series Concentrators, Release 4.7
Cisco PIX Firewall
1 For additional details, see also Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).
Note
For further details, see the Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide and the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide available at:
http://www.cisco.com/en/US/products/ps6128/products_user_guide_list.html
Software Compatibility
This section describes software compatibility for releases of Cisco NAC Appliance:
•
•
For details on Clean Access Agent client software versions and AV integration support, see:
•
•
Software Compatibility Matrixes
This section describes the following:
•
•
•
Release 4.1(0) Compatibility Matrix
Table 2 shows Clean Access Manager and Clean Access Server compatibility and the Agent version bundled with each CCA 4.1(0) release (if applicable). CAM/CAS/Agent versions displayed in the same row are compatible with one another. Cisco recommends synchronizing your software images to match those shown as compatible in the table.
Note
4.1.0.2 4
4.1.0.2 4
4.1.0.2 5
4.1.0.0
4.1.0.1 6 [obsoleted by 4.1.0.2]
4.1(0) [obsoleted by 4.1.0.2]
4.1(0) [obsoleted by 4.1.0.2]
1 Releases 4.1(0), 4.1.0.1, and 4.1.0.2 do not support Windows Vista. Only 4.0(x) releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 support Windows Vista. See the "Clean Access Agent System Requirements" section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) Guide for details.
2 Release 4.1(0), 4.1.0.1, and 4.1.0.2 do not support and cannot be installed on Cisco NAC Appliance 3300 Series platforms. You will be able to upgrade NAC 3300 Series appliances to upcoming release 4.1(1) (which includes Cavium SSL accelerator support). Refer to the Release Notes for Cisco NAC Appliance (Cisco Clean Access) for Version 4.1(1) for details.
3 4.1.0.x versions of the Clean Access Agent are compatible with the latest 4.1(0) CAM/CAS release, unless otherwise specified. See Clean Access Agent Version Summary for details and caveats resolved for each Agent version.
4 Release 4.1.0.2 obsoletes and replaces releases 4.1.0.1 and 4.1(0). If your system is running 4.0(x), 3.6(x) or 3.5(x), and you wish to upgrade to release 4.1(0), upgrade to release 4.1.0.2 directly. See Enhancements in Release 4.1.0.2.
5 For CAM/CAS release 4.1.0.2, upgrade to 4.1.0.2 Agent only applies for Windows OS. The Mac OS version of the Agent remains at 4.1.0.0.
6 4.1.0.1 is a CAM-only patch release applied to 4.1(0) CAMs that resolves caveat CSCsg89516. See Enhancements in Release 4.1.0.1 for details.
For upgrade instructions, see Upgrading to 4.1(0).
Release 4.1(0) CAM/CAS Upgrade Compatibility Matrix
Table 3 shows 4.1(0) CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row.
Table 3 Release 4.1(0) CAM/CAS Upgrade Compatibility Matrix 1 ,2
Upgrade From:
4.1.0.2 5
4.1.0.2 5
4.1(0)
4.1.0.1 6
4.1(0)
4.0(x) 3
3.6(x)
3.5(7)+4.1(0)
1 Releases 4.1(0), 4.1.0.1, and 4.1.0.2 do not support Windows Vista. Only 4.0(x) releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 support Windows Vista. See the "Clean Access Agent System Requirements" section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) Guide for details.
2 Release 4.1(0), 4.1.0.1, and 4.1.0.2 do not support and cannot be installed on Cisco NAC Appliance 3300 Series platforms. You will be able to upgrade NAC 3300 Series appliances to upcoming release 4.1(1) (which includes Cavium SSL accelerator support). Refer to the Release Notes for Cisco NAC Appliance (Cisco Clean Access) for Version 4.1(1) for details. .
3 In order to use the web upgrade package on Clean Access Managers running 3.6.x and 4.0.x, it is necessary to first apply the patch for CSCsg24153. (Please visit http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches for more information regarding CCA patches). If you have not applied the patch, you can upgrade the CAM via console/SSH upgrade instead.
Web upgrade of Clean Access Servers running 3.6.x and 4.0.x to release 4.1(0) is not supported. Use console/SSH upgrade only to upgrade the CAS. (See Notes on 4.1(0) Upgrade.)4 To upgrade from release 3.5(7) and above, you must use the in-place upgrade procedure. See Upgrading to 4.1(0).
5 Release 4.1.0.2 obsoletes and replaces releases 4.1.0.1 and 4.1(0). If your system is running 4.0(x), 3.6(x) or 3.5(x), and you wish to upgrade to release 4.1(0), upgrade to release 4.1.0.2 directly. See Enhancements in Release 4.1.0.2.
6 4.1.0.1 is a CAM-only patch release that resolves caveat CSCsg89516. See Enhancements in Release 4.1.0.1 for details.
.
For upgrade instructions, see Upgrading to 4.1(0).
Release 4.1(0) Agent Upgrade Compatibility Matrix
Table 4 shows Clean Access Agent upgrade compatibility when upgrading existing versions of the Agent after 4.1(0) CAM/CAS upgrade. Except where noted, you can auto-upgrade any 3.5.1+ Agent directly to the latest 4.1.0.x Agent.
Table 4 Release 4.1.0.x Agent Upgrade Compatibility Matrix 1
4.1.0.2
4.1.0.2
4.1.0.0
4.1.0.2 3 (Windows OS only)
4.1.0.1
4.1(0)
4.0.x.x
3.6.x.x
3.5.1 and above4.1.0.0
4.1(0)
1 Releases 4.1(0), 4.1.0.1, and 4.1.0.2 do not support Windows Vista. Only 4.0(x) releases starting from 4.0(4) and 4.0.x.x Agent versions starting from 4.0.4.0 support Windows Vista. See the "Clean Access Agent System Requirements" section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) Guide for details.
2 Agent versions are not supported across major releases. Do not use 4.1.0.x Agents with 4.0(x) or prior releases. However, auto-upgrade is supported from any 3.5.1 or above Agent directly to the latest 4.1.0.x Agent. See Clean Access Agent Version Summary for further details.
3 For CAM/CAS release 4.1.0.2, upgrade to 4.1.0.2 Agent only applies for Windows OS. The Mac OS version of the Agent remains at 4.1.0.0.
Determining the Software Version
There are several ways to determine the version of software running on your Clean Access Manager (CAM), Clean Access Server (CAS), or Clean Access Agent, as described below.
•
•
•
•
Clean Access Manager (CAM) Version
The top of the CAM web console displays the software version installed. Starting from release 4.1(0), after you add the CAM license, the top of the CAM web console displays the license type (Lite, Standard, Super). Additionally, the Administration > CCA Manager > Licensing page displays the types of licenses present after they are added.
The software version is also displayed as follows:
•
•
CAM Lite, Standard, Super
The NAC Appliance Clean Access Manager (CAM) is licensed based on the number of NAC Appliance Clean Access Servers (CASes) it supports. You can view license details under Administration > CCA Manager > Licensing. The top of CAM web console identifies the type of CAM license installed:
•
•
•
Note the following:
•
•
•
Clean Access Server (CAS) Version
•
•
(CAS direct console is accessed via https://<CAS_eth0_IP>/admin)•
Note
Clean Access Agent Versioning
On the CAM web console, you can determine Clean Access Agent versioning from the following pages:
•
•
•
•
From the Clean Access Agent itself on the client machine, you can view the following information from the Agent taskbar menu icon:
•
•
Cisco Clean Access Updates Versioning
To view the latest version of Updates downloaded to your CAM, including Cisco Checks & Rules, CCA Agent Upgrade Patch, Supported AV/AS Product List, go to Device Management > Clean Access > Clean Access Agent > Updates on the CAM web console. See Clean Access Supported AV/AS Product List and Cisco Pre-Configured Rules ("pr_") for additional details.
New and Changed Information
This section describes any new features or enhancements added to the following releases of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.
•
•
•
For additional details, see also:
•
•
•
Enhancements in Release 4.1.0.2
Note
Release 4.1.0.2 is a general and important bug fix release for the Clean Access Manager (CAM) and Clean Access Server (CAS) that resolves the caveats described in Resolved Caveats - Release 4.1.0.2. No new features are added.
Note
•
•
•
For additional details, see the following sections:
•
•
•
Enhancements
•
•
Clean Access Agent Enhancements (4.1.0.2)
Note
•
•
See also Clean Access Agent Version Summary.
Supported AV/AS Product List Enhancements (Version 50)
•
•
Enhancements in Release 4.1.0.1
Warning
Release 4.1.0.1 is a general and important bug fix release and patch for the Clean Access Manager (CAM) only that resolves the caveats described in Resolved Caveats - Release 4.1.0.1. No new features are added.
Note
•
•
Note
This affects the following page of the CAM web console: Device Management > Clean Access > Clean Access Agent > Reports (new Check and Success/Failure option is removed).See the following sections:
•
•
See also Software Compatibility Matrixes for additional details.
Upgrade Instructions for 4.1.0.1
To upgrade your CAM to 4.1.0.1, perform the following steps.
Step 1
Step 2
–
–
–
New Features and Enhancements in Release 4.1(0)
Warning
Warning
This section details the new features delivered with Cisco NAC Appliance release 4.1(0) for the Clean Access Manager and Clean Access Server, as well as enhancements from release 4.0(x).
New Features
•
•
•
•
•
•
•
•
•
Enhancements
•
•
•
•
•
•
•
•
Deprecated Features
•
CAS Policy Fallback
Release 4.1(0) provides CAS Fallback to allow administrators to configure the behavior of the Clean Access Server (CAS) when the Clean Access Manager (CAM) becomes unreachable to the CAS. For example, if a remote CAS attempts to reach the CAM, but the WAN link fails, the CAS Fallback feature can be used to specify the user access policy.
With release 4.1(0), the CAS checks the status of the CAM periodically, according to the Detect Interval specified. If the CAM is not reachable before the specified Detect Timeout, the CAS declares the CAM as dead, and sets the traffic policy of every user role to "Allow All, "Block All" or "Ignore" based on the Fallback Policy chosen. The CAS Fallback Policy can be configured as:
•
•
•
This affects the following page of the CAM web console:
•
Note
Clean Access Agent/ActiveX/Applet DHCP Release/Renew
Release 4.1(0) provides complete support for L2/L3 OOB deployments in IP telephony environments. With release 4.1(0) and version 4.1.0.0 of Agent, port bouncing is no longer required to release or renew client DHCP addresses in an OOB deployment. For devices with the 4.1.0.0 Agent installed, the Agent will automatically trigger the device to perform DHCP release/renew. For Agent-less devices, the web login page will trigger the device to perform DHCP release/renew via ActiveX/Java Applet.
To enable this feature:
•
•
•
–
–
–
–
–
•
–
–
–
For Agent users, the Agent login success dialog displays "Refreshing IP address, please wait." and "Refreshing IP address succeeded" messages after login credentials are entered.
For web login users, "Renewing IP address..." and web redirect time interval messages will displays after user login credentials are entered in the login page. When successfully logged in, the redirect page appears.
Support for GPO Update Trigger
With release 4.1(0), administrators can configure the Clean Access Agent to retrigger Group Policy update after the user login is complete. In effect, the 4.1.0.0+ Agent will execute a "gpupdate" command to re-trigger the Group Policy update.
Note
This affects the following CAM web console page:
•
Online Update to Retrieve Switch OIDs
To help simplify support for an OOB deployment, Release 4.1(0) allows administrators to update the object IDs (OIDs) of supported switches through the CAM. For example, if a new switch (such as C3750-XX-NEW) of a supported model (Catalyst 3750 series) is released, customers only need to update the switch OIDs online to obtain support, instead of performing an upgrade.
This feature affects the following CAM web console page:
•
Note
Qualified Remediation Program Launch
Release 4.1(0) adds a new "Requirement Type" that allows administrators to launch a qualified remediation program from the Clean Access Agent. The administrator can create a check/rule condition; upon its failure, the administrator can configure to launch any remediation program to fix the machine. Multiple programs are permitted, and they are launched in the same sequence as specified by the administrator.
The Clean Access Agent launches the programs in two ways, depending on the user privileges of the device. If the user has admin rights on his or her machine, the program is launched directly. If the user does not have administrative rights, the Clean Access stub must be installed to launch the program. In this case, the Clean Access stub will verify that the program is signed by a trusted certificate authority before launching the program. This feature is applicable to Windows 2000 and Windows XP machines only. These options are configurable at:
•
Clean Access Agent for Mac OS X Authentication
Release 4.1(0) introduces a Clean Access Agent that performs authentication on Mac OS X machines. The Agent is in the form of a universal binary that supports Mac OS 10.2 to 10.4. The Mac OS X Clean Access Agent supports single-sign on with VPN deployments but does not support single-sign on with Active Directory. You can view the distribution options for the Mac OS X Clean Access Agent in the following page of the CAM web console:
•
Clean Access Agent Installation Options
Release 4.1(0) introduces Clean Access Agent installation options to allow the administrator control over the level of user interaction when the Agent is initially installed. The installation options apply to both direct installation of the Agent (where the user installs the Agent directly on the client machine), and stub installation (where the Agent installer is launched through the stub installer), and are as follows:
•
–
–
–
•
–
–
Note
This adds the following page to the CAM web console:
•
See also Clean Access Agent Enhancements (4.1.0.0).
Clean Access Agent Language Template Support
With release 4.1(0), the Clean Access Agent supports multiple European languages using language templates. In addition to English, version 4.1.0.0 of the Clean Access Agent supports German, Italian, Finnish, Czech, Norwegian, Spanish, Danish, French, Russian, Swedish, Turkish, Serbian, and Catalan for text-based Agent user dialog displays.
In addition, Agent error messages warnings and Properties data are all based on the supported language templates.
The Agent picks the correct template based on the Locale settings of the local computer. To use the localized Agent, the user needs to change the Windows locale setting to the corresponding language under Control Panel > Regional and Language Options. For example, to use the Agent in French, the user needs to set the Windows locale to French.
In addition, Agent error messages warnings and Properties data are all based on the supported language templates.
Cisco recommends using the localized Agent in a localized version of Windows, for example, Russian Agent in Russian Windows, as the English version of Windows may not be able to display all characters correctly.
For administrators, the name of requirements/ descriptions are as configured on the CAM. On the CAM, these can be configured using characters of the appropriate language.
Note
Note
Clean Access Agent Silent Auditing
Release 4.1(0) introduces silent auditing functionality for Clean Access Agent posture assessment. The silent Audit feature quietly executes the checks configured for the requirement in the background and submits the failed or passed status in the client report on the CAM. This allows administrators to review the user reports and determine the effectiveness of any new configured rule/check before making a requirement mandatory for user access. For example, if the administrator wants to block use of an instant messenger program on the network, the administrator can use silent audit first to determine how many users are on the program and how the network will be affected if a requirement is enforced. The Clean Access Agent does not present any dialogs to the user when the silent audit is performed in the background.
This affects the following pages of the CAM web console:
•
Searchable Clean Access Agent Reports
Clean Access Agent report logging and searching is enhanced in release 4.1(0) to facilitate information gathering for the administrator. The Reports page now provides an "Advanced/Simple" toggle option that expands the search criteria to include the following options:
•
The AV/AS Software dropdown menu allows you to search/display client reports for the following cases:–
–
–
•
The Requirement dropdown lists all Clean Access Agent requirements configured in the system, and the Success/Failure dropdown option allows you to search/display success or failure client reports for the chosen requirement.•
The Check dropdown lists all Clean Access Agent checks in the system (system "pc_" or "av_" checks, or administrator-created custom checks). The Success/Failure dropdown option allows you to search/display reports for success or failure of the check on client systems.
Note
Clicking the Show button after selecting any of the Simple or expanded Advanced search options will display a summary of all entries that match the criteria as well the detailed administrator report for each client. This affects the following page of the CAM web console:
•
Certified Devices Timer Enhancements for Periodic Assessment
Release 4.1(0) enhances Certified Devices Timer configuration to provide better periodic assessment capabilities. The Certified Devices List no longer needs to be cleared in its entirety each time the timer is applied. Administrators can now clear the Certified Devices List per Clean Access Server, per User Role, per Auth Provider, or a combination of all three.
The Timer page also provides the following new options:
•
•
•
This affects the following page of the CAM web console:
•
DHCP Renewal Enhancements
Release 4.1(0) offers two new DHCP enable/disable enhancements to ensure client IP addresses are renewed properly when the CAS is configured as the DHCP server for your network:
•
•
This affects the following page of the CAM web console:
•
Note
DHCP Subnet List Enhancements
With release 4.1(0), the warning messages for too many IPs/subnets are changed.
This affects the following page of the CAM web console:
•
Note
DHCP Global Option Enhancements
Release 4.1(0) adds new server directives to the DHCP Global Options "option type" menu. These directives instruct the server to behave in new ways, respond to new protocols, or change data sent outside of the DHCP options list
When specifying DHCP Global Options, you may select a particular DHCP option by entering its number in the "Option #" input box. If the desired option number is not known, or if specifying a server directive which changes server behavior but has no corresponding DHCP option number then you can select the name of the option or directive from the dropdown menu next to the "set option type" button. Click the "set option type" button after the desired DHCP option type has been selected.
This affects the following pages of the CAM web console:
•
Note
IE 7.0 Support
Release 4.1(0) and Clean Access Agent 4.1.0.0 support Internet Explorer 7.0 for the CAM web console, web login user page, Agent login/logout, Agent install/uninstall/upgrade, Agent requirements (e.g. Windows Update, Launch URL, File Download), and for L3 OOB (ActiveX, Applet, Agent).
Clean Access Agent Enhancements (4.1.0.0)
Version 4.1.0.0 adds the following enhancements to the Clean Access Agent:
•
•
–
Automatically close login success screen after [] secs (for Windows)
Automatically close logout success screen after [] secs (for Windows)See also Clean Access Agent Version Summary.
Port Profile Management for OOB Users
Release 4.1(0) includes a new option for managing port profiles in out-of-band deployments. The enhancement enables administrators to remove other online out-of-band users on the switch port when a new user is detected on the same port. It also allows for the modification of the port profile if an existing user is seen on a different switchport.
This enhancement affects the following pages of the CAM web console:
•
Enhancements to Check Parameters
For three types of checks, Release 4.1(0) allows users to specify "older than" or "newer than" by more than or fewer than x days to the current date. The check types include registry value, file date, and Windows update.
Daylight Savings Time Support
Release 4.1(0) and above support the Daylight Savings Time (DST) change to March (second Sunday) and November (first Sunday) starting in 2007. Prior to 2007, DST started in April (first Sunday) and ended in October (last Sunday). See also CSCsg44268 for details.
Note
Supported AV/AS Product List Enhancements (Version 42)
•
•
Deprecated IPsec/L2TP/PPTP/PPP Features
The IPsec/L2TP/PPTP/PPP features (for encrypted connection between the CAS and end users) have been deprecated and will be removed in upcoming releases.
This affects the following pages of the CAM web console:
•
Deprecated Roaming Features
The Roaming feature (for roaming between Clean Access Servers) has been deprecated and will be removed in upcoming releases.
This affects the following pages of the CAM web console:
•
Cisco Pre-Configured Rules ("pr_")
Cisco NAC Appliance provides a set of pre-configured rules and checks that are downloaded to the CAM via the Updates page on the CAM web console (under Device Management > Clean Access > Clean Access Agent > Updates).
Pre-configured rules have a prefix of "pr" in their names (e.g. "pr_XP_Hotfixes"), and can be copied (for use as a template), but cannot be edited or removed. You can click the Edit button for any "pr_" rule to view the rule expression that defines it. The rule expression for a pre-configured rule will be composed of pre-configured checks (e.g. "pc_Hotfix835732") and boolean operators. The rule expression for pre-configured rules is updated via Cisco Updates. For example, when new Critical Windows OS hotfixes are released for Windows XP, the pr_XP_Hotfixes rule will be updated with the corresponding hotfix checks.
Pre-configured rules are listed under Device Management > Clean Access > Clean Access Agent > Rules > Rule List. Pre-configured checks have a prefix of "pc" in their names and in turn are listed under Device Management > Clean Access > Clean Access Agent > Rules > Check List
Note
Note
Using Cisco Rules to Check for CSA
You can use Cisco rules to create a Clean Access Agent requirement that checks if the Cisco Security Agent (CSA) is already installed and/or running on a client (from version 14663 and above of the Cisco Updates ruleset). To do this:
1.
2.
–
–
3.
Clean Access Supported AV/AS Product List
This section describes the Supported AV/AS Product List that is downloaded to the Clean Access Manager via Device Management > Clean Access > Clean Access Agent > Updates to provide the latest antivirus (AV) and anti-spyware (AS) product integration support. The Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported AV/AS vendors and product versions used to configure AV/AS Rules and AV/AS Definition Update requirements.
The Supported AV/AS Product List contains information on which AV/AS products and versions are supported in each Clean Access Agent release along with other relevant information. It is updated regularly to bring the relevant information up to date and to include newly added products for new releases. Cisco recommends keeping your list current, especially when you upload a new Agent Setup version or Agent Patch version to your CAM. Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages list all the new products supported in the new Agent.
Note
The following charts list the AV and AS product/version support per client OS as of the latest Clean Access release:
•
•
•
The charts show which AV/AS product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Clean Access Agent.
For a summary of the product support that is added per version of the Supported AV/AS Product List or Clean Access Agent, see also:
•
•
You can access additional AV and AS product support information from the CAM web console under Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info.
Note
Note that Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for AV/AS products by vendors, the Cisco NAC Appliance team will update the Supported AV/AS Product List and/or Clean Access Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."
Clean Access AV Support Chart (Windows XP / 2000)
Table 5 lists Windows XP/2000 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 6 for Windows ME/98).
Table 5 Clean Access Antivirus Product Support Chart (Windows XP/2K)
Version 50, Release 4.1.0.2 / 4.1.0.2 Agent (Sheet 1 of 8)
(Minimum Agent Version Needed)1AhnLab Security Pack
2.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
AhnLab V3 Internet Security 2007 Platinum
7.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
V3Pro 2004
6.x
yes (3.5.10.1)
yes (3.5.12)
yes
avast! Antivirus
4.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
avast! Antivirus (managed)
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
avast! Antivirus Professional
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Active Virus Shield
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
AOL Safety and Security Center Virus Protection
102.x
yes (4.0.4.0)
yes (4.0.4.0)
-
AOL Safety and Security Center Virus Protection
1.x
yes (3.5.11.1)
yes (3.5.11.1)
-
AOL Safety and Security Center Virus Protection
210.x
yes (4.0.4.0)
yes (4.0.4.0)
-
AOL Safety and Security Center Virus Protection
2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Command Anti-Virus Enterprise
4.x
yes (3.5.0)
yes (3.5.0)
yes
Command AntiVirus for Windows
4.x
yes (3.5.0)
yes (3.5.0)
yes
Command AntiVirus for Windows Enterprise
4.x
yes (3.5.2)
yes (3.5.2)
yes
Cox High Speed Internet Security Suite
3.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Rising Antivirus Software AV
17.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
Rising Antivirus Software AV
18.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
ClamWin Antivirus
0.x
yes (3.5.2)
yes (3.5.2)
yes
ClamWin Free Antivirus
0.x
yes (3.5.4)
yes (3.5.4)
yes
CA Anti-Virus
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA eTrust Antivirus
7.x
yes (3.5.0)
yes (3.5.0)
yes
CA eTrust Internet Security Suite AntiVirus
7.x
yes (3.5.11)
yes (3.5.11)
yes
CA eTrustITM Agent
8.x
yes (3.5.12)
yes (3.5.12)
yes
eTrust EZ Antivirus
6.1.x
yes (3.5.3)
yes (3.5.8)
yes
eTrust EZ Antivirus
6.2.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
6.4.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
7.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Armor
6.1.x
yes (3.5.0)
yes (3.5.8)
yes
eTrust EZ Armor
6.2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eTrust EZ Armor
7.x
yes (3.5.0)
yes (3.5.0)
yes
Defender Pro Anti-Virus
5.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Aluria Security Center AntiVirus
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
EarthLink Protection Control Center AntiVirus
1.x
yes (3.5.10.1)
yes (3.5.10.1)
-
NOD32 antivirus system
2.x
yes (3.5.5)
yes (3.5.5)
yes
F-Prot for Windows
3.14e
yes (3.5.0)
yes (3.5.0)
yes
F-Prot for Windows
3.15
yes (3.5.0)
yes (3.5.0)
yes
F-Prot for Windows
3.16c
yes (3.5.11)
yes (3.5.11)
yes
F-Prot for Windows
3.16d
yes (3.5.11)
yes (3.5.11)
yes
F-Prot for Windows
3.16x
yes (3.5.11.1)
yes (3.5.11.1)
yes
F-Secure Anti-Virus
5.x
yes (3.5.0)
yes (3.5.0)
yes
F-Secure Anti-Virus
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Anti-Virus
7.x
yes (4.0.4.0)
yes (4.0.4.0)
-
F-Secure Anti-Virus 2005
5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Anti-Virus Client Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Internet Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Internet Security
7.x
yes (4.0.4.0)
yes (4.0.4.0)
-
F-Secure Internet Security 2006 Beta
6.x
yes (3.5.8)
yes (3.5.8)
yes
AntiVirusKit 2006
2006.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Antivirussystem AVG 6.0
6.x
yes (3.5.0)
yes (3.5.0)
-
AVG 6.0 Anti-Virus - FREE Edition
6.x
yes (3.5.0)
yes (3.5.0)
-
AVG 6.0 Anti-Virus System
6.x
yes (3.5.0)
yes (3.5.0)
-
AVG 7.5
7.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
AVG Antivirensystem 7.0
7.x
yes (3.5.0)
yes (3.5.0)
yes
AVG Anti-Virus 7.0
7.x
yes (3.5.0)
yes (3.5.0)
yes
AVG Anti-Virus 7.1
7.1.x
yes (3.6.3.0)
yes (3.6.3.0)
yes
AVG Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
AntiVir PersonalEdition Classic Windows
7.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
AntiVir/XP
6.x
yes (3.5.0)
yes (3.5.0)
yes
Avira AntiVir PersonalEdition Premium
7.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Anti-Virus 2006 Beta
6.0.x
yes (3.5.8)
yes (3.5.8)
-
Kaspersky Anti-Virus 6.0
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Anti-Virus 6.0 Beta
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Anti-Virus Personal
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky Anti-Virus Personal
5.0.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky Anti-Virus Personal Pro
5.0.x
yes (3.5.11)
yes (3.5.11)
yes
Kaspersky Internet Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky(TM) Anti-Virus Personal 4.5
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky(TM) Anti-Virus Personal Pro 4.5
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kingsoft AntiVirus 2004
2004.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kingsoft Internet Security
7.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
Kingsoft Internet Security 2006 +
2006.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee Internet Security 6.0
8.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee Managed VirusScan
3.x
yes (3.5.8)
yes (3.5.8)
yes
McAfee Managed VirusScan
4.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
McAfee VirusScan
10.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee VirusScan
11.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee VirusScan
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
8.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
9.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan
9xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.0.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.1.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
8.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
McAfee VirusScan Professional
8.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan Professional
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Professional
9.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
Windows Live OneCare
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Windows OneCare Live
0.8.x
yes (3.5.11.1)
-
-
eScan Anti-Virus (AV) for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Corporate for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Internet Security for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Professional for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Virus Control (VC) for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norman Virus Control
5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Panda Software
Panda Antivirus 2007
2.x
yes (4.0.4.0)
yes (4.0.4.0)
-
Panda Antivirus 6.0 Platinum
6
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus + Firewall 2007
6.x
yes (4.0.4.0)
yes (4.0.4.0)
-
Panda Antivirus Lite
1.x
yes (3.5.0)
yes (3.5.0)
-
Panda Antivirus Lite
3.x
yes (3.5.9)
yes (3.5.9)
-
Panda Antivirus Platinum
7.04.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus Platinum
7.05.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus Platinum
7.06.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Client Shield
4.x
yes (4.0.4.0)
yes (4.0.4.0)
-
Panda Internet Security 2007
11.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Panda Platinum 2005 Internet Security
9.x
yes (3.5.3)
yes (3.5.3)
yes
Panda Platinum 2006 Internet Security
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Panda Platinum Internet Security
8.03.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium 2006 Antivirus + Antispyware
5.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
Panda Titanium Antivirus 2004
3.00.00
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium Antivirus 2004
3.01.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium Antivirus 2004
3.02.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Panda Titanium Antivirus 2005
4.x
yes (3.5.1)
yes (3.5.1)
yes
Panda TruPrevent Personal 2005
2.x
yes (3.5.3)
yes (3.5.3)
yes
Panda TruPrevent Personal 2006
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
WebAdmin Client Antivirus
3.x
yes (3.5.11)
yes (3.5.11)
-
Dr.Web
4.32.x
yes (3.5.0)
yes (3.5.0)
yes
Dr.Web
4.33.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
BitDefender 8 Free Edition
8.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 8 Professional Plus
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 8 Standard
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 9 Internet Security AntiVirus
9.x
yes (3.5.11.1)
yes (3.5.11.1)
-
BitDefender 9 Professional Plus
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 9 Standard
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender Antivirus Plus v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Antivirus v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Internet Security v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Standard Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
Sophos Anti-Virus
3.x
yes (3.5.3)
yes (3.5.3)
-
Sophos Anti-Virus
4.x
yes (3.6.3.0)
yes (3.6.3.0)
-
Sophos Anti-Virus
5.x
yes (3.5.3)
yes (3.5.3)
yes
Sophos Anti-Virus
6.x
yes (4.0.1.0)
yes (4.0.1.0)
yes
Sophos Anti-Virus version 3.80
3.8
yes (3.5.0)
yes (3.5.0)
-
Norton AntiVirus
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus
14.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norton AntiVirus 2002
8.00.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton AntiVirus 2002 Professional
8.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002 Professional Edition
8.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional Edition
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 Professional
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 Professional Edition
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 (Symantec Corporation)
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2005
11.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2006
12.0.x
yes (3.5.5)
yes (3.5.5)
yes
Norton AntiVirus 2006
12.x
yes (3.5.5)
yes (3.5.5)
yes
Norton AntiVirus Corporate Edition
7.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
7.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.2.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
9.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
Norton Internet Security (Symantec Corporation)
10.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norton SystemWorks 2003
6.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2004 Professional
7.x
yes (3.5.4)
yes (3.5.4)
yes
Norton SystemWorks 2005
8.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2005 Premier
8.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2006 Premier
12.0.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Symantec AntiVirus
10.x
yes (3.5.3)
yes (3.5.3)
yes
Symantec AntiVirus
9.x
yes (3.5.0)
yes (3.5.0)
yes
Symantec AntiVirus Client
8.x
yes (3.5.0)
yes (3.5.0)
yes
Symantec AntiVirus Server
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Symantec Client Security
10.x
yes (3.5.3)
yes (3.5.3)
yes
Symantec Client Security
9.x
yes (3.5.0)
yes (3.5.0)
yes
PC-cillin 2002
9.x
yes (3.5.1)
yes (3.5.1)
-
PC-cillin 2003
10.x
yes (3.5.0)
yes (3.5.0)
-
ServerProtect
5.x
yes (4.1.0.0)
yes (3.6.5.0)
-
Trend Micro Antivirus
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro AntiVirus
15.x
yes (3.6.5.0)
yes (3.6.5.0)
-
Trend Micro Client/Server Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Trend Micro Client/Server Security Agent
7.x
yes (3.5.12)
yes (3.5.12)
yes
Trend Micro HouseCall
1.x
yes (4.0.1.0)
yes (4.0.1.0)
-
Trend Micro Internet Security
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro Internet Security
12.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro OfficeScan Client
5.x
yes (3.5.1)
yes (3.5.1)
yes
Trend Micro OfficeScan Client
6.x
yes (3.5.1)
yes (3.5.1)
yes
Trend Micro OfficeScan Client
7.x
yes (3.5.3)
yes (3.5.3)
yes
Trend Micro PC-cillin 2004
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro PC-cillin Internet Security 12
12.x
yes (4.0.1.0)
yes (4.0.1.0)
-
Trend Micro PC-cillin Internet Security 14
14.x
yes (4.0.1.0)
yes (4.0.1.0)
-
Trend Micro PC-cillin Internet Security 2005
12.x
yes (3.5.3)
yes (3.5.3)
-
Trend Micro PC-cillin Internet Security 2006
14.x
yes (3.5.8)
yes (3.5.8)
-
Trend Micro PC-cillin Internet Security 2007
15.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
SBC Yahoo! Anti-Virus
7.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
ZoneAlarm Anti-virus
6.x
yes (3.5.5)
yes (3.5.5)
-
ZoneAlarm Security Suite
5.x
yes (3.5.0)
yes (3.5.0)
-
ZoneAlarm Security Suite
6.x
yes (3.5.5)
yes (3.5.5)
-
ZoneAlarm with Antivirus
5.x
yes (3.5.0)
yes (3.5.0)
-
1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server.) If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.
Clean Access AV Support Chart (Windows ME / 98)
Table 6 lists Windows ME/98 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 5 for Windows XP/2000.)
Table 6 Clean Access Antivirus Product Support Chart (Windows ME/98)
Version 50, Release 4.1.0.2 / 4.1.0.2 Agent (Sheet 1 of 2)
(Minimum Agent Version Needed)1CA eTrust Antivirus
7.x
yes (3.5.3)
yes (3.5.3)
yes
eTrust EZ Antivirus
6.1.x
yes (3.5.0)
yes (3.5.8)
yes
eTrust EZ Antivirus
6.2.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
6.4.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
7.x
yes (3.5.3)
yes (3.5.3)
yes
eTrust EZ Armor
6.1.x
yes (3.5.3)
yes (3.5.8)
yes
McAfee Managed VirusScan
3.x
yes (3.5.8)
yes (3.5.8)
yes
McAfee VirusScan
10.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee VirusScan
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
8.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan
9.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional
8.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Professional
9.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
BitDefender 8 Free Edition
8.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 8 Professional Plus
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 8 Standard
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 9 Professional Plus
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 9 Standard
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Standard Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
Norton AntiVirus
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.00.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton AntiVirus 2003
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional Edition
9.x
yes (3.5.3)
yes (3.5.3)
yes
Norton AntiVirus 2004
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 (Symantec Corporation)
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2005
11.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.x
yes (3.5.1)
yes (3.5.1)
yes
Symantec AntiVirus
9.x
yes (3.5.8)
yes (3.5.3)
yes
Symantec AntiVirus Client
8.x
yes (3.5.9)
yes (3.5.9)
yes
PC-cillin 2003
10.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
11.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
12.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro PC-cillin 2004
11.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro PC-cillin Internet Security 2005
12.x
yes (3.5.3)
yes (3.5.3)
-
1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server.) If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.
Clean Access AS Support Chart (Windows XP / 2000)
Table 7 lists Windows XP/2000 Supported Antispyware Products as of the latest release of the Cisco Clean Access software.
Table 7 Clean Access Antispyware Product Support Chart (Windows XP/2000)
Version 50, Release 4.1.0.2 / 4.1.0.2 Agent (Sheet 1 of 4)
(Minimum Agent Version Needed)1AhnLab SpyZero 2.0
2.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
AhnLab SpyZero 2007
3.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
AOL Safety and Security Center Spyware Protection
2.0.x
yes (4.1.0.0)
-
-
AOL Safety and Security Center Spyware Protection
2.1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.3.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.x
yes (3.6.1.0)
yes (3.6.1.0)
-
AOL Spyware Protection
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
AOL Spyware Protection
2.x
yes (3.6.0.0)
-
-
Anonymizer Anti-Spyware
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Anonymizer Anti-Spyware
3.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Cox High Speed Internet Security Suite
3.x
yes (4.0.4.0)
-
yes
BPS Spyware & Adware Remover
9.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
BPS Spyware-Adware Remover
8.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
BPS Spyware Remover
9.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA eTrust Internet Security Suite AntiSpyware
5.x
yes (3.6.1.0)
yes (3.6.1.0)
yes
CA eTrust Internet Security Suite AntiSpyware
9.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA eTrust PestPatrol
5.x
yes (3.6.1.0)
-
yes
CA eTrust PestPatrol Anti-Spyware
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA eTrust PestPatrol Anti-Spyware Corporate Edition
5.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
PestPatrol Corporate Edition
4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
PestPatrol Standard Edition (Evaluation)
4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Aluria Security Center AntiSpyware
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
EarthLink Protection Control Center AntiSpyware
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Primary Response SafeConnect
2.x
yes (3.6.5.0)
-
-
X-Cleaner Deluxe
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
SpywareBlaster v3.1
3.1.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.2
3.2.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.3
3.3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.4
3.4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.5.1
3.5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Ad-aware 6 Professional
6.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Ad-Aware SE Personal
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Ad-Aware SE Professional
1.x
yes (3.6.1.0)
yes (3.6.1.0)
yes
McAfee AntiSpyware
1.5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware
1.x
yes (3.6.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware
2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware Enterprise
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Begone
4.x
yes (3.6.0.0)
-
-
Spyware Begone
6.x
yes (4.1.0.0)
-
-
Spyware Begone
8.x
yes (4.1.0.0)
-
-
Spyware Begone Free Scan
7.x
yes (3.6.0.0)
-
-
Spyware Begone V7.30
7.30.x
yes (3.6.1.0)
-
-
Spyware Begone V7.40
7.40.x
yes (3.6.1.0)
-
-
Spyware Begone V7.95
7.95.x
yes (4.1.0.0)
-
-
Spyware Begone V8.20
8.20.x
yes (4.1.0.0)
-
-
Spyware Begone V8.25
8.25.x
yes (4.1.0.0)
-
-
Windows Defender
1.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor 3.0
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.1
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.2
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.5
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor 3.8
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Prevx1
1.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Prevx1
2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Prevx Home
2.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Spybot - Search & Destroy 1.3
1.3
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spybot - Search & Destroy 1.4
1.4
yes (3.6.0.0)
yes (3.6.0.0)
yes
BitDefender 9 Antispyware
9.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Sunbelt CounterSpy
1.x
yes (3.6.0.0)
-
yes
Norton Spyware Scan
2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Trend Micro Anti-Spyware
3.x
yes (3.6.0.0)
-
-
Trend Micro PC-cillin Internet Security 2007 AntiSpyware
15.x
yes (4.1.0.0)
-
yes
Spy Sweeper
3.x
yes (3.6.0.0)
-
-
Spy Sweeper
4.x
yes (3.6.0.0)
-
-
Spy Sweeper
5.x
yes (4.1.0.0)
-
-
Webroot Spy Sweeper Enterprise Client
1.x
yes (3.6.0.0)
-
-
Webroot Spy Sweeper Enterprise Client
2.x
yes (3.6.1.0)
-
-
SBC Yahoo! Applications
2005.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Yahoo! Anti-Spy
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
1 "Yes" in the AS Checks Supported columns indicates the Agent supports the AS Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AS Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AS product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
Supported AV/AS Product List Version Summary
Table 8 details enhancements made per version of the Supported Antivirus/Antispyware Product List. See Clean Access Supported AV/AS Product List for the latest Supported AV list as of the latest release. See New and Changed Information for the release feature list
Clean Access Agent Version Summary
Note
This section consolidates information for the Clean Access Agent client software. Table 9 lists the latest enhancements per version of the Clean Access Agent. Unless otherwise noted, enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions.
See Clean Access Supported AV/AS Product List for details on related AV/AS support.
Table 9 Clean Access Agent Versions
4.1.0.2
•
•
4.1.0.0
Release 4.1.(0) with 4.1.0.0 Agent provides:
•
•
•
•
•
•
•
•
•
1 See Release 4.1(0) Agent Upgrade Compatibility Matrix for upgrade compatibility details.
Caveats
This section describes the following caveats:
•
•
•
•
Note
http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 4.1.0.2
Resolved Caveats - Release 4.1.0.2
Resolved Caveats - Release 4.1.0.1
Resolved Caveats - Release 4.1(0)
Table 13 List of Closed Caveats
CSCse46141
Yes
SSO fail in case Clean Access Server [CAS] cannot reach Active Directory [AD] server during startup
Steps to reproduce:
1. Shutdown CAS
2. Shutdown Active Directory Server
3. Start CAS and make sure it completely comes up
4. Start Active Directory Server
5. CAS cannot login onto AD and SSO failsWorkaround: CAS requires manual login onto AD in case CAS cannot reach AD at startup time. This can be done by clicking "Update" on web page "Device Management > Clean Access Servers > IP Address > Authentication > Windows Auth"
CSCse68178
Yes
ActiveX control version checking fix
IE may request installation of ocget.dll. While using activeX for L3 OOB, in some Windows machines, the IE browser pops up a request to install ocget.dll. This does not occur during initial web login when the ActiveX control is not yet installed on the machine. It occurs in subsequent web logins after the Active X control has already been installed.
This is a Microsoft bug that makes an unnecessary POST request to ocget.dll.
CSCse69355
Yes
DHCP renew fails using new Relay IP feature but release/renew works
This problem is seen when using the new CCA 4.0 feature where DHCP scopes can be defined on the CAS such that IP addresses are allocated based on the Relay IP address (say IP helper).
In this scenario, we can see that when the DHCP client performs a ipconfig/renew, then the CAS sends a NAK. However, when the same client performs an ipconfig/release followed by ipconfig/renew, then the CAS is seen to be sending a ACK.
CSCse84000
Yes
Cron job to sync system time not created or updated on HA-Inactive CAS
The file /etc/cron.daily/sync-time gets created or updated on modifying the time servers for CAS. This cron file does not get created on high availability HA-Inactive CAS, thereby depriving the inactive system to sync the system time from the time servers on a regular basis
Steps to reproduce:
1. Setup CAS in HA-failover mode
2. Go to web page: Device Management > Clean Access Servers > IP Address > Misc > Time
3. Change the time servers to "clock.cisco.com"
4. Verify the changes have been reflected in cron job /etc/cron.daily/sync-time on active CAS
5. Check the HA-Inactive CAS for the cron file /etc/cron.daily/sync-time. The file may either not be present or have old time server settingsExpected Results: The cron job file to sync the system time on HA-Inactive CAS should reflect the changes upon modification of time server settings on HA-Active CAS using either CAM or HA-Active CAS GUI
Workaround: Modify the time servers on HA-Inactive CAS using GUI.
CSCsf01786
Yes
/etc/grub.conf should be a symbolic link to /boot/grub/grub.conf
In 3.6.0~3.6.3 and 4.0.0, grub.conf is not changed correctly when ttyS0 is used as the heartbeat link. Some cutomers manually edited /etc/grub.conf manually as a workaround, and some of them break the symbolic link by mistake.The upgrade script should make sure /etc/grub.conf is a symbolic link to /boot/grub/grub.conf
CSCsf17230
Yes
Link creation from normal-webapps to webapps affects flexlm in HA
The link from admin-webapps & normal-webapps to webapps upon switching from standby to primary is not being created before the licenses are copied from the database.
CSCsg00598
Yes
Private key needs to be imported back when importing signed certificate from CA
When importing signed certificate from the CA, an error appears, stating "The Uploaded CA-Signed Certificate doesn't match the Uploaded Private Key."
Workaround: Import the Private Key that backed up when the CSR was imported
CSCsg11143
Yes
Unless CAS is rebooted, validation_table is not republished
If Active CAS (CAS1) loses connectivity (not rebooted) with the CAM, CAS 2 then becomes active CAS. If user has not enabled heartbeat timer and fails to back to CAS1, the intern_validation_table on CAS1 is not republished from the CAM's database. Instead, it keeps adding to the older entries
Workaround: Enabling heartbeat timer will make sure unused entries are deleted over a period of time.
CSCsg14148
Yes
Swap space is not loaded properly when using CCISS driver
When the CCISS driver is being used, for e.g with Smartarray6i RAID controllers, the installer does not seem to load the swap space information correctly. Executing a free on the boxes shows no swap space. TOP reveals 0K of SWAP.Also, in some cases, the /etc/fstab file shows a jumbled set of characters for the swap space location
CSCsg23778
Yes
SNMP daemon hangs after executing "snmpwalk" from a remote host
Steps to reproduce:
1. Enable SNMP on CAM using web page "Monitoring > SNMP"
2. Verify SNMP daemon running on CAM by executing "snmpwalk -Os -c public -v 2c <CAM_IP_Address> system". The command will NOT timeout & returns output.
3. Execute "snmpwalk -Os -c public -v 2c <CAM_IP_Address> enterprises.16344". Command returns partial response; timeouts and then reports no response.
4. Execute "snmpwalk -Os -c public -v 2c <CAM_IP_Address> system". Command returns no response and timeout. The SNMP daemon hogs 100% CPU on CAM and needs to be restartedCSCsg24153
Yes
"service perfigo config" does not update shared secret in /root/.secret
When changing the shared secret in the CAS and CAM using `service perfigo config', the shared secret between the CAM and CAS is not updated. The existing pre-shared key will remain in use.
Note
Note
Workaround: If the customer needs to change the shared secret between the CAM and CAS, then apply patch-CSCsg24153.tar.gz from http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches.
CSCsg41272
Yes
DHCP server re-assigns abandoned leases
When the CAS is in Real-IP gateway mode and acting as the DHCP server for untrusted client, it will continue to try to hand out an address that someone has statically set on the network even though the DHCP Client sends a decline for the address.
Workaround: Two workarounds are available: 1) Set ping-check to "true" on the DHCP server. This can slow down the connection process in large deployments; 2) Find the static addresses and force the users to use DHCP.
CSCsg41565
Yes
When authenticating w/cookie, cisco_api.jsp not allowed to post to API
When using a cookie to authenticate to cisco_api.jsp, authentication fails. In one of the CCA releases, an additional means of security was added when using a cookie or session to see if POST to the API should be permitted or denied. cisco_api.jsp was accidentally left off this list.
CSCsg44268
Yes
Need to accommodate for new daylight saving time regime from 2007.
CSCsg44387
Yes
NAT gateway mode warning inconsistent with CCA documentation
When trying to add a NAT Gateway CAS to the CAM, the warning presented, "NAT Gateway is only recommended for demo/testing purposes. For production deployments, Virtual or Real-IP Gateway is recommended", differs from documentation for the CAM, which states that NAT gateway is neither recommended nor supported for production environments. Warning rephrased to match CAM documentation.
Known Issues for Cisco NAC Appliance
This section describes known issues when integrating Cisco NAC Appliance with the following third-party elements:
•
•
•
•
Known Issue with NAT/PAT Devices and L3 Deployments
Cisco NAC Appliance does not support the use of a NAT/PAT device, such as a Firewall/Router, placed between users and the Clean Access Server in Layer 3 deployments. In Layer 3 deployments, where users are multiple hops away from the Clean Access Server, the CAS needs a unique user IP address for each client on which NAC enforcement is performed.
If NAT/PAT is used between the users and the CAS, all users appear to originate from the same IP address (the NAT/PATed IP) from a CAS perspective. Hence, only the first user goes through NAC enforcement, and after this user is certified, all remaining users are exempted from NAC enforcement.
Known Issues with Switches
For complete details, see Switch Support for Cisco NAC Appliance.
Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Due to changes in DHCP server operation with Cisco NAC Appliance release 4.0(2) and above, networks with Cisco 2200/4400 Wireless LAN Controllers (also known as Airespace WLCs) which relay requests to the Clean Access Server (operating as a DHCP server) may have issues. Client machines may be unable to obtain DHCP addresses.
If you have DHCP issues with Airespace controllers after installing/upgrading to release 4.0(2) or above, the following will need to be done to restore DHCP functionality:
Step 1
a.
b.
Step 2
a.
b.
c.
d.
Step 3
a.
b.
Step 4
Note
Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
Customers running Cisco NAC Appliance release 4.0(x) on servers with 5702/5703/5704 Broadcom NIC cards may be impacted by caveat CSCsd74376. Server models with Broadcom 5702/5703/5704 NIC cards may include: Dell PowerEdge 850, CCA-3140-H1, HP ProLiant DL140 G2/ DL360/DL380. This issue involves the repeated resetting of the Broadcom NIC cards. The NIC cards do not recover from some of the resets causing the machine to become unreachable via the network. You will see messages such as the following in /var/log/messages:
Mar 21 11:43:02 cas2b kernel: NETDEV WATCHDOG: eth1: transmit timed out Mar 21 11:43:02 cas2b kernel: tg3: eth1: transmit timed out, resetting Mar 21 11:43:02 cas2b kernel: tg3: tg3_stop_block timed out, ofs=1400 enable_bit=2Mar 21 11:43:02 cas2b kernel: tg3: tg3_stop_block timed out, ofs=c00 enable_bit=2Mar 21 11:43:02 cas2b kernel: tg3: eth1: Link is down.Mar 21 11:43:05 cas2b kernel: tg3: eth1: Link is up at 1000 Mbps, full duplex.Mar 21 11:43:05 cas2b kernel: tg3: eth1: Flow control is off for TX and off for RX.The fundamental cause of this problem is a firmware bug in the Broadcom chipsets used in HP servers. Version 4.0(x) of the CCA software is impacted by this bug.
Solution
1.
2.
For further details, see Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).
Known Issue with Windows 98/ME/2000 and Windows Script 5.6
Windows Script 5.6 is required for proper functioning of the Clean Access Agent in release 3.6(x) and above. Most Windows 2000 and older operating systems come with Windows Script 5.1 components. Microsoft automatically installs the new 5.6 component on performing Windows updates. Windows installer components 2.0 and 3.0 also require Windows Script 5.6. However, PC machines with a fresh install of Windows 98, ME, or 2000 that have never performed Windows updates will not have the Windows Script 5.6 component. Cisco Clean Access cannot redistribute this component as it is not provided by Microsoft as a merge module/redistributable.
In this case, administrators will have to access the MSDN website to get this component and upgrade to Windows Script 5.6. For convenience, links to the component from MSDN are listed below:
Win 98, ME, NT 4.0:
Filename: scr56en.exe
Win 2000, XP:
Filename: scripten.exe
Tip
New Installation of Release 4.1(0)
Note
Warning
If you purchased and/or are performing a new installation of Cisco NAC Appliance (Cisco Clean Access), use the steps described below.
If performing upgrade, refer to the instructions in Upgrading to 4.1(0).
For New Installation:
1.
2.
3.
a.
b.
4.
5.
6.
7.
8.
–
–
Note
Upgrading to 4.1(0)
This section provides instructions for how to upgrade your existing Cisco Clean Access system to release 4.1(0).
Refer to the following general information prior to upgrade:
•
•
Refer to one of the following sets of upgrade instructions for the upgrade you need to perform:
•
•
•
•
If you need to perform a fresh installation of the software, refer instead to New Installation of Release 4.1(0).
If you need to upgrade from a much older version of Cisco Clean Access, you may need to perform an interim upgrade to a version that is supported for upgrade to 4.1(0). In this case, refer to the applicable Release Notes for upgrade instructions for the interim release. Cisco recommends always testing new releases on a different system first before upgrading your production system.
Notes on 4.1(0) Upgrade
Note
Note
Warning
If planning to upgrade to Cisco NAC Appliance (Cisco Clean Access) 4.1(0) ED, note the following:
•
•
Note
If the system has not already been patched, upgrade both your machines via console/SSH. For details on Patch-CSCsg24153, refer to the README-CSCsg24153 file under http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches.Warning
•
•
•
Note
Settings That May Change With Upgrade
•
•
•
Note
•
•
•
General Preparation for Upgrade
Caution
•
You must upgrade your Clean Access Manager and all your Clean Access Servers concurrently. The Cisco NAC Appliance architecture is not designed for heterogeneous support (i.e., some Clean Access Servers running 4.1 software and some running 4.0 software).
•
Depending on the number of Clean Access Servers you have, the upgrade process should be scheduled as downtime. For minor release upgrades (e.g. 4.1.0 to 4.1.0.2), our estimates suggest that it takes approximately 15 minutes for the Clean Access Manager upgrade and 10 minutes for each Clean Access Server upgrade. Use this approximation to estimate your downtime window.
Note
•
While the Clean Access Manager upgrade is being conducted, the Clean Access Server (which has not yet been upgraded, and which loses connectivity to the Clean Access Manager during Clean Access Manager restart or reboot) continues to pass authenticated user traffic.
Caution
•
For additional safekeeping, Cisco recommends manually backing up your current Clean Access Manager installation (using Administration > Backup) both before and after the upgrade and to save the snapshot on your local computer. Make sure to download the snapshots to your desktop/laptop for safekeeping. Backing up prior to upgrade enables you to revert to your previous release database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your 4.1 database. After the migration is completed, go to the database backup page (Administration > Backup) in the CAM web console. Download and then delete all earlier snapshots from there as they are no longer compatible. See also Create CAM DB Backup Snapshot.
Warning
•
Once you have upgraded your software to 4.1, if you wish to revert to your previous version of CCA software, you will need to reinstall the previous CCA version from the CD and recover your configuration based on the backup you performed prior to upgrading to 4.1.
•
For upgrade via console/SSH, you will need your CAM and CAS root user password (default password is cisco123). For web console upgrade, you will need your CAM web console admin user password (and, if applicable, CAS direct access console admin user password).
In-Place Upgrade from 3.5(7)+ to 4.1(0)—Standalone Machines
This section describes the in-place upgrade procedure for upgrading your standalone CAM/CAS from release 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11)+ to the latest 4.1(0) release. If you have high-availability (HA) pairs of CAM or CAS servers, refer instead to In-Place Upgrade from 3.5(7)+ to 4.1(0)—HA-Pairs.
Note
•
•
In-Place Upgrade Summary
The Cisco Clean Access 4.1 upgrade is different from previous upgrades. Please be sure to read the documentation before proceeding.
The Cisco Clean Access 4.1 upgrade will create a complete snapshot of the configuration of your existing deployment, including failover information.
The Cisco Clean Access 4.1 upgrade will not restore local user directories, log files, manually created database snapshots, or nightly database snapshots older than last nights. Any of the above files that are valuable must be backed up separately prior to upgrading.
The upgrade automatically determines from the upgrade snapshot whether the machine is a CAS or a CAM as well as all normal configuration utility settings, such as IP address.
The upgrade will create a log of its activities in the usual upgrade.html and details.html files.
The upgrade will print a warning and exit if too many large files are stored in your Clean Access Manager database. The limit is currently 90 MB for machines with 256 MB of memory, or available memory/2 for machines with more than 256 MB of memory.
Summary of Steps for In-Place Upgrade (Standalone Machines)
The sequence of steps for in-place upgrade is as follows:
2.
3.
4.
Create the Installation CD
Step 1
Step 2
Step 3
cca-4.1_x_y-K9.iso
Step 4
Mount the CD-ROM and Run the Upgrade File
Once you have a 4.1(0) product or installation CD, perform the following steps on each CAM and CAS to upgrade each machine from 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11) to release 4.1(0).
Caution
Step 5
a.
b.
Warning
Step 6
Step 7
mount /dev/cdrom /mntStep 8
cd /mntStep 9
./upgrade.sh
Note
Step 10
[root@<ccahostname> root]# /mnt/upgrade.shUpgrade works for 3.5.7-3.5.11, continuing############################################################# Welcome to Cisco Clean Access 4.1 upgrade #############################################################The Cisco Clean Access 4.1 upgrade.The 4.1 upgrade is different from previous upgrades. Pleasebe sure to read the documentation before proceedingThe Cisco Clean Access 4.1 upgrade will create a completesnapshot of the configuration of your existing deployment,including failover information.The Cisco Clean Access 4.1 upgrade will not restore localuser directories, log files, manually created database snapshots,or nightly database snapshots older than last nights. Any of the abovefiles that are valuable must be backed up separately prior to upgrading.Step 11
Continue with upgrade? (y/n)? [y]Step 12
Upgrade continuingBacking up <"Clean Access Manager" or "Clean Access Server IP">Backup complete, system will reboot in 5 secondsStep 13
Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.Welcome to the Cisco Clean Access Installer!- To install a Cisco Clean Access device, press the <ENTER> key.- To install a Cisco Clean Access device over a serial console,enter serial at the boot prompt and press the <ENTER> key.boot:Step 14
Swap Ethernet Cables (if Necessary)
Step 15
CCA has detected a change in your networking hardware configuration.Please switch the network cables between eth0 and eth1.Press [ENTER] to continue...Step 16
Complete the In-Place Upgrade
Step 17
<ccahostname> login:Step 18
[root@<ccahostname> ~]# cat /perfigo/buildStep 19
Note
"The system detects that it has just been upgraded to a newer version. It is now trying to connect to the Cisco server to get the checks/rules and AV/AS support list update. It might take a few minutes."If the automated update fails (for example, due to incorrect proxy settings on your CAM), you will be prompted to perform Cisco Updates manually from Device Management > Clean Access > Clean Access Agent > Updates. A Cisco Update must be performed (whether automated or manual) before any new AV/AS rules can be configured.
In-Place Upgrade from 3.5(7)+ to 4.1(0)—HA-Pairs
This section describes the in-place upgrade procedure for upgrading high-availability (HA) pairs of CAM or CAS servers from release 3.5(7)/3.5(8)/3.5(9)/3.5(10)/3.5(11)+ to the latest 4.1(0) release.
If you have standalone CAM/CAS servers, refer instead to In-Place Upgrade from 3.5(7)+ to 4.1(0)—Standalone Machines.
Note
•
•
•
Summary of Steps for In-Place Upgrade (HA Pairs)
The sequence of steps for HA in-place upgrade is as follows:
2.
3.
4.
5.
Warning
Prepare for HA Upgrade
Step 1
Step 2
Warning
Determine Active and Standby Machines
Step 3
Note
a.
cd /store/cca_upgrade_3.5.x
b.
c.
./fostate.shThe results should be either "My node is active, peer node is standby" or "My node is standby, peer node is active". No nodes should be dead. This should be done on both boxes, and the results should be that one box considers itself active and the other box considers itself in standby mode. Future references in these instructions that specify "active" or "standby" refer to the results of this test as performed at this time.
Shut Down Standby Machine and Upgrade Active Machine In-Place
Step 4
shutdown -h nowStep 5
Step 6
Step 7
mount /dev/cdrom /mntStep 8
cd /mntStep 9
./upgrade.sh
Note
Step 10
[root@<ccahostname> root]# /mnt/upgrade.shUpgrade works for 3.5.7-3.5.11, continuing############################################################# Welcome to Cisco Clean Access 4.1 upgrade #############################################################The Cisco Clean Access 4.1 upgrade.The 4.1 upgrade is different from previous upgrades. Pleasebe sure to read the documentation before proceedingThe Cisco Clean Access 4.1 upgrade will create a completesnapshot of the configuration of your existing deployment,including failover information.The Cisco Clean Access 4.1 upgrade will not restore localuser directories, log files, manually created database snapshots,or nightly database snapshots older than last nights. Any of the abovefiles that are valuable must be backed up separately prior to upgrading.Step 11
Continue with upgrade? (y/n)? [y]Step 12
Upgrade continuingBacking up <"Clean Access Manager" or "Clean Access Server IP">Backup complete, system will reboot in 5 secondsStep 13
Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.Welcome to the Cisco Clean Access Installer!- To install a Cisco Clean Access device, press the <ENTER> key.- To install a Cisco Clean Access device over a serial console,enter serial at the boot prompt and press the <ENTER> key.boot:Step 14
Step 15
Note
Step 16
For an upgraded Active HA-CAM:
Starting perfigo: Starting High-Availability services:[OK]Please wait while bringing up service IP.Heartbeat service is running.Service IP is up on local node.[OK]Fedora Core release 4 (Stentz)Kernel 2.6.11-perfigo on an i686camanager1 login:For an upgraded Active HA-CAS:
Starting perfigo: Starting IPSec...click: starting router thread pid 2826 (f7576800)Starting High-Availability services:[OK][OK]Fedora Core release 4 (Stentz)Kernel 2.6.11-perfigo on an i686caserver1 login:Step 17
[root@<ccahostname> ~]# /perfigo/common/bin/fostate.shMy node is active, peer node is deadShut Down Active Machine and Upgrade Standby Machine In-Place
Step 18
shutdown -h nowStep 19
Stopping High-Availability services:[OK]Step 20
Step 21
Step 22
mount /dev/cdrom /mntStep 23
cd /mntStep 24
./upgrade.sh
Note
Step 25
[root@<ccahostname> root]# /mnt/upgrade.shUpgrade works for 3.5.7-3.5.11, continuing############################################################# Welcome to Cisco Clean Access 4.1 upgrade #############################################################The Cisco Clean Access 4.1 upgrade.The 4.0 upgrade is different from previous upgrades. Pleasebe sure to read the documentation before proceedingThe Cisco Clean Access 4.1 upgrade will create a completesnapshot of the configuration of your existing deployment,including failover information.The Cisco Clean Access 4.1 upgrade will not restore localuser directories, log files, manually created database snapshots,or nightly database snapshots older than last nights. Any of the abovefiles that are valuable must be backed up separately prior to upgrading.Step 26
Continue with upgrade? (y/n)? [y]Step 27
Upgrade continuingBacking up <Clean Access Manager or Clean Access Server IP>Backup complete, system will reboot in 5 secondsStep 28
Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.Welcome to the Cisco Clean Access Installer!- To install a Cisco Clean Access device, press the <ENTER> key.- To install a Cisco Clean Access device over a serial console,enter serial at the boot prompt and press the <ENTER> key.boot:Step 29
Step 30
Note
Step 31
For an upgraded Standby HA-CAM:
Starting perfigo: Starting High-Availability services:[OK]Please wait while bringing up service IP.Heartbeat service is running.Service IP is up on local node.[OK]Fedora Core release 4 (Stentz)Kernel 2.6.11-perfigo on an i686camanager2 login:For an upgraded Standby HA-CAS:
Starting perfigo: Starting IPSec...click: starting router thread pid 2826 (f7576800)Starting High-Availability services:[OK][OK]Fedora Core release 4 (Stentz)Kernel 2.6.11-perfigo on an i686caserver2 login:Step 32
[root@<ccahostname> ~]# /perfigo/common/bin/fostate.shMy node is active, peer node is deadComplete the HA In-Place Upgrade
Step 33
shutdown -h nowStep 34
Step 35
Note
Step 36
[root@<ccahostname> ~]# /perfigo/common/bin/fostate.shMy node is standby, peer node is active
Note
"The system detects that it has just been upgraded to a newer version. It is now trying to connect to the Cisco server to get the checks/rules and AV/AS support list update. It might take a few minutes."If the automated update fails (for example, due to incorrect proxy settings on your CAM), you will be prompted to perform Cisco Updates manually from Device Management > Clean Access > Clean Access Agent > Updates. A Cisco Update must be performed (whether automated or manual) before any new AV/AS rules can be configured.
Upgrading from 3.6(x)/4.0(x)—Standalone Machines
This section describes the upgrade procedure for upgrading your standalone CAM/CAS machine from release 3.6(x) or 4.0(x) to the latest 4.1(0) release. You can upgrade 3.6(x)/4.0(x) standalone machines to the latest 4.1(0) release using one of the following two methods:
•
•
Note
•
Note
•
•
Summary of Steps for 3.6/4.0 Upgrade
The sequence of steps for standalone 3.6(x)/4.0(x) system upgrade is as follows:
1.
3.
Console/SSH Upgrade—Standalone MachinesCreate CAM DB Backup Snapshot
Perform a full backup of your CAM database by creating a backup snapshot both before and after the upgrade. Make sure to download the snapshots to your desktop/laptop for safekeeping. Backing up prior to upgrade enables you to revert to your previous database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your 3.6 database.
Warning
Step 1
Step 2
Step 3
Note
Step 4
Step 5
Download the Upgrade File
For Cisco NAC Appliance upgrades from 3.6(x)/4.0(x), a single .tar.gz upgrade file is downloaded to each Clean Access Manager (CAM) and Clean Access Server (CAS) machine to be upgraded. The upgrade script automatically determines whether the machine is a CAM or CAS.
For Cisco NAC Appliance minor release or patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.
Step 1
Step 2
–
–
–
Step 3
Web Console Upgrade—Standalone Machines
Note
When upgrading from 3.6(x)/4.0(x) to the latest 4.1(0) release, you can only perform web console upgrade on standalone non-HA CAM machines if they have been patched for caveat CSCsg24153. Standalone CAS machines will still need to be upgraded from 3.6(x)/4.0(x) to the latest 4.1(0) release using the console/SSH upgrade procedure.
If the system has not already been patched, upgrade both your machines via console/SSH. For details on Patch-CSCsg24153, refer to the README-CSCsg24153 file under http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches.Warning
With web upgrade, administrators can perform software upgrade on standalone CAS and CAM machines using the following web console interfaces:
•
•
–
–
For web console upgrade, you will need your CAM web console admin user password.
If using the CAS direct access web console, you will need your CAS direct access console admin user password.
Note
•
•
•
With web upgrade, the CAM and CAS automatically perform all the upgrade tasks that are done manually for console/SSH upgrade (for example, untar file, cd to /store, run upgrade script). The CAM also automatically creates snapshots before and after upgrade. When upgrading via web console only, the machine automatically reboots after the upgrade completes. The steps for web upgrade are as follows:
1.
2.
3.
Upgrade CAS from CAS Management Pages
You can upgrade your CAS from release 3.6(x)/4.0(x) or above to release 4.1(0) using web upgrade via the CAS management pages as described below or, if preferred, using the instructions for Upgrade CAS from CAS Direct Access Web Console.
Step 1
Step 2
Step 3
a.
b.
c.
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Step 9
Note
Upgrade CAS from CAS Direct Access Web Console
You can upgrade the CAS from the CAS direct access web console using the following instructions. To upgrade the CASes from the CAM web console, see Upgrade CAS from CAS Management Pages.
Step 1
Step 2
Step 3
a.
a.
Step 4
Step 5
Step 6
Step 7
Note
Step 8
Step 9
Step 10
Note
Upgrade CAM from CAM Web Console
Upgrade your standalone CAM from the CAM web console using the following instructions.
Warning
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Note
Console/SSH Upgrade—Standalone Machines
This section describes the standard console/SSH upgrade procedure when upgrading your standalone CAM/CAS from release 3.6(x) or 4.0(x) to the latest 4.1(0) release. For this procedure, you need to access the command line of the CAM or CAS machine using one of the following methods:
•
•
•
Warning
Note
•
For upgrade via console/SSH, you will need your CAM and CAS root user password.
Note
A single file, cca_upgrade-4.1.0.y.tar.gz, is downloaded to each installation machine. The upgrade script automatically determines whether the machine is a Clean Access Manager (CAM) or Clean Access Server (CAS), and executes if the current system is running release 3.6(0) or above.
For patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.
Note
•
•
Summary of Steps for Console/SSH Upgrade from 3.6(x)/4.0(x)
Steps are as follows:
1.
2.
3.
Download the Upgrade File and Copy to CAM/CAS
Step 1
Step 2
Step 3
If using WinSCP or SSH File Transfer (replace .x with upgrade version number):
a.
b.
If using PSCP (replace .x with upgrade version number):
a.
b.
c.
pscp cca_upgrade-4.1.0.y.tar.gz root@ipaddress_manager:/stored.
pscp cca_upgrade-4.1.0.y.tar.gz root@ipaddress_server:/storePerform Console/SSH Upgrade on the CAM
Step 4
a.
b.
c.
cd /stored.
tar xzvf cca_upgrade-4.1.0.y.tar.gz4.
cd cca_upgrade-4.1.0.y./UPGRADE.sh
Note
For more information on the nature and workaround for Patch-CSCsg24153, see the associated table entry in Resolved Caveats - Release 4.1(0).e.
Note
f.
rebootPerform Console/SSH Upgrade on the CAS
Warning
Step 5
a.
b.
c.
cd /stored.
tar xzvf cca_upgrade-4.1.0.y.tar.gz5.
cd cca_upgrade-4.1.0.y./UPGRADE.sh
Note
For more information on the nature and workaround for Patch-CSCsg24153, see the associated table entry in Resolved Caveats - Release 4.1(0).e.
f.
rebootg.
Upgrading from 3.6(x)/4.0(x)—HA Pairs
This section describes the upgrade procedure for upgrading high-availability (HA) pairs of CAM or CAS servers from release 3.6(x) or 4.0(x) to the latest 4.1(0) release.
If you have standalone CAM/CAS servers, refer instead to Upgrading from 3.6(x)/4.0(x)—Standalone Machines.
Note
Warning
Warning
Note
•
•
Steps for HA 3.6/4.0 Upgrade
The steps to upgrade HA 3.6(x)/4.0(x) systems are described in the following sections:
•
•
Note
Access Web Consoles for High Availability
Determining Active and Standby CAM
Access the web console for each CAM in the HA pair by typing the IP address of each individual CAM (not the Service IP) in the URL/Address field of a web browser. You should have two browsers open. The web console for the Standby (inactive) CAM will only display the Administration module menu.
Note
Determining Primary and Secondary CAM
In each CAM web console, go to Administration > CCA Manager > Network & Failover | High Availability Mode.
•
•
Note
Determining Active and Standby CAS
From the CAM web console, go to Device Management > CCA Servers > List of Servers to view your HA-CAS pairs. The List of Servers page displays the Service IP of the CAS pair first, followed by the IP address of the Active CAS in brackets. When a secondary CAS takes over, its IP address will be listed in the brackets as the Active server.
Note
Determining Primary and Secondary CAS
Open the direct access console for each CAS in the pair by typing the following in the URL/Address field of a web browser (you should have two browsers open):
•
•
In each CAS web console, go to Administration > Network Settings > Failover | Clean Access Server Mode.
•
•
Note
Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs
The following steps show the recommended way to upgrade an existing high-availability (failover) pair of Clean Access Managers or Clean Access Servers.
Warning
Step 1
Warning
Step 2
Step 3
a.
tar xzvf cca_upgrade-4.1.0.y.tar.gzb.
c.
./fostate.shThe results should be either "My node is active, peer node is standby" or "My node is standby, peer node is active". No nodes should be dead. This should be done on both boxes, and the results should be that one box considers itself active and the other box considers itself in standby mode. Future references in these instructions that specify "active" or "standby" refer to the results of this test as performed at this time.
Note
•
•
Step 4
shutdown -h nowStep 5
Step 6
cd cca_upgrade-4.1.0Step 7
./fostate.shMake sure this returns "My node is active, peer node is dead" before continuing.
Step 8
a.
b.
./UPGRADE.sh
Note
For more information on the nature and workaround for Patch-CSCsg24153, see the associated table entry in Resolved Caveats - Release 4.1(0).c.
Note
Step 9
shutdown -h nowStep 10
Step 11
Step 12
a.
b.
cd cca_upgrade-4.1.0.yc.
./UPGRADE.shStep 13
shutdown -h nowStep 14
Step 15
Note
Troubleshooting
This section discusses the following:
•
•
•
•
•
•
•
•
•
Creating CAM DB Snapshot
See the instructions in Create CAM DB Backup Snapshot for details.
Creating CAM/CAS Support Logs
The Support Logs web console pages for the CAM and CAS allow administrators to combine a variety of system logs (such as information on open files, open handles, and packages) into one tarball that can be sent to TAC to be included in the support case. Administrators should Download the CAM and CAS support logs from the CAM and CAS web consoles respectively and include them with their customer support request, as follows:
•
•
Note
•
•
Recovering Root Password for CAM/CAS (Release 4.1.0/4.0.x/3.6.x)
Use the following procedure to recover the root password for a 4.1.0/4.0.x/3.6.x CAM or CAS machine. The following password recovery instructions assume that you are connected to the CAM/CAS via a keyboard and monitor (i.e. console or KVM console, NOT a serial console)
1.
2.
3.
4.
root (hd0,0)kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 console=ttyS0,9600n8Initrd /initrd-2.6.11-perfigo.img5.
6.
kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 single7.
8.
9.
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
•
Clean Access Server is not properly configured, please report to your administrator
A login page must be added and present in the system in order for both web login and Clean Access Agent users to authenticate. If a default login page is not present, Clean Access Agent users will see the following error dialog when attempting login:
Clean Access Server is not properly configured, please report to your administratorTo resolve this issue, add a default login page on the CAM under Administration > User Pages > Login Page > Add.
Clean Access Server could not establish a secure connection to the Clean Access Manager at <IP/domain>
The following client connection errors can occur if the CAS does not trust the certificate of the CAM, or vice-versa:
•
•
Clean Access Server could not establish a secure connection to the Clean Access Manager at <IPaddress or domain>These errors typically indicate one of the following certificate-related issues:
•
•
•
•
To identify common issues:
1.
(under Administration > CCA Manager > SSL Certificate > Export CSR/Private Key/Certificate | Currently Installed Certificate | Details)2.
(under Administration > CCA Manager > System Time, and
Device Management > CCA Servers > Manage [CAS_IP] > Misc > TimeTo resolve these issues:
1.
2.
3.
4.
5.
Agent Error: "Network Error SSL Certificate Rev Failed 12057"
The "Network error: SSL certificate rev failed 12057" error can occur and prevent login for Agent users in either of the following cases:
1.
2.
–
–
To resolve the error, perform the following actions:
Step 1
Step 2
a.
b.
Clean Access Agent AV/AS Rule Troubleshooting
When troubleshooting AV/AS Rules:
•
•
When troubleshooting AV/AS Rules, please provide the following information:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Enable Debug Logging on the Clean Access Agent
For version 4.1.0.0+ of the Clean Access Agent (and 4.0.x.x/3.6.1.0+), you can enable debug logging on the Agent by adding a LogLevel registry value on the client with value "debug," as described in the following sections:
•
•
You can copy this event log to include it in a customer support case.
Generate Windows Agent Debug Log
Note
•
Step 1
Step 2
Step 3
Note
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
a.
b.
c.
Step 11
Note
•
Generate Mac OS Agent Debug Log
For Mac OS Agents (4.1.0.0+), the Agent event.log file and setting.plist user preferences file are available under <username> > Library > Application Support > Cisco Systems > CCAAgent.app.
To view and specify the Agent LogLevel, however, you must access a global setting.plist system preferences file (which is different from the user-level setting.plist file).
Note
To view and/or change the Agent LogLevel:
Step 1
Step 2
Step 3
Step 4
Step 5
•
•
•
•
Note
Note
Property List Editor is an application included in the Apple Developer Tools for editing .plist files. You can find it at <CD-ROM>/Developer/Applications/Utilities/Property List Editor.app.
If the setting.plist file is editable, you can use a standard text editor like vi to edit the LogLevel value in the file.
You must be the root user to edit the file.
Troubleshooting Switch Support Issues
To troubleshoot switch issues, see Switch Support for Cisco NAC Appliance.
Troubleshooting Network Card Driver Support Issues
For network card driver troubleshooting, see Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)
Other Troubleshooting Information
For general troubleshooting tips, see the following Technical Support webpage:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
Documentation Updates
Table 14 Updates to Release Notes for Cisco Clean Access (NAC Appliance) Version 4.1.0.x
1/30/08
Applied new template and updated trademark information
1/11/08
Added caveat CSCsi97216 to Open Caveats - Release 4.1.0.2
9/11/07
5/21/07
Removed Caveat CSCsg02412 (Unreproducible)
5/11/07
Add Caveat CSCsi86205 to Open Caveats - Release 4.1.0.2
4/26/07
Add Caveat CSCsg98960 to Open Caveats - Release 4.1.0.2
4/24/07
•
•
•
3/19/07
Moved Caveat CSCsi07595 to Open Caveats - Release 4.1.0.2.
3/9/07
Added Caveat CSCsi07595 to address the DST 2007 fix.
2/9/07
Updates for release 4.1.0.2
•
•
•
•
•
•
•
1/18/07
Added Symantec Enterprise products AntiVirus update footnote to Clean Access AV Support Chart (Windows XP / 2000).
1/11/07
Added caveat CSCsh39119 to Open Caveats - Release 4.1.0.2.
1/5/07
Various updates/corrections:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
12/4/06
Updates for patch release 4.1.0.1
•
•
•
•
•
Also:
•
•
•
Removed sections:
•
•
•
11/14/06
Release 4.1(0)
Related Documentation
For the latest updates to Cisco NAC Appliance (Cisco Clean Access) documentation on Cisco.com see:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
or simply http://www.cisco.com/go/cca
•
•
•
•
•
•
•
Obtaining Documentation, Obtaining Support, and Security Guidelines
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
CCDE, CCVP, Cisco Eos, Cisco StadiumVision, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn is a service mark; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0801R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
