 Feedback
|
Table Of Contents
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3)
Cisco NAC Appliance Service Contract/Licensing Support
System and Hardware Requirements
Release 4.1(3) and Cisco NAC Profiler
Important Installation Information for NAC-3310
Additional Hardware Support Information
Supported Switches for Cisco NAC Appliance
VPN and Wireless Components Supported for Single Sign-On (SSO)
Software Compatibility Matrixes
Release 4.1(3) Compatibility Matrix
Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix
Release 4.1(3) Clean Access Agent Upgrade Compatibility Matrix
Determining the Software Version
Clean Access Manager (CAM) Version
Clean Access Server (CAS) Version
Cisco NAC Appliance Agents Versioning
Cisco Clean Access Updates Versioning
Enhancements in Release 4.1.3.2
Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.2)
Enhancements in Release 4.1.3.1
Enhancements in Release 4.1(3)
Support for Clients with Multiple Active NICs
Clean Access Server HA Heartbeat Link Enhancement
Clean Access Manager HA Configuration and Heartbeat Link Enhancements
Guest User Login and Registration Enhancements
LDAP Authentication Enhancement
Clean Access Server and WSUS Interaction Enhancement
Agent Restricted User Access Enhancement
Device Filter List Display and Import/Export Enhancement
Agent Report Information Display and Export Enhancement
Syslog Configuration Enhancement
Debug Log Download Enhancement
ARP Broadcast Packet Handling Improvement
Clean Access Server HA ARP Broadcast Enhancement
Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
Clean Access Agent Auto Remediation
64-bit Windows Operating System Agent Support
Supported AV/AS Product List Enhancements (Version 67)
Access to Authentication VLAN Change Detection Enhancement
SNMP Inform Notification Enhancement
SNMP "MAC Move Notification" Switch Port Configuration Support
Cisco NAC Appliance Agent Enhancements
Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.0)
Windows Clean Access Agent Enhancements
Windows Clean Access Agent Version 4.1.3.2
Windows Clean Access Agent Version 4.1.3.1
Windows Clean Access Agent Version 4.1.3.0
Mac OS X Clean Access Agent Enhancements
Mac OS X Clean Access Agent Version 4.1.3.1
Mac OS X Clean Access Agent Version 4.1.3.0
Cisco NAC Web Agent Enhancements
Cisco NAC Web Agent Version 4.1.3.10
Cisco NAC Web Agent Version 4.1.3.9
Clean Access Supported AV/AS Product List
Clean Access AV Support Chart (Windows Vista/XP/2000)
Clean Access AV Support Chart (Windows ME/98)
Clean Access AS Support Chart (Windows Vista/XP/2000)
Supported AV/AS Product List Version Summary
Resolved Caveats - Windows Clean Access Agent 4.1.3.2
Resolved Caveats - Mac OS X Agent 4.1.3.1
Resolved Caveats - Release 4.1.3.1
Resolved Caveats - Cisco NAC Web Agent 4.1.3.10
Resolved Caveats - Windows Clean Access Agent 4.1.3.1
Resolved Caveats - Release 4.1(3)
Known Issues for Cisco NAC Appliance
Known Issues with HP ProLiant DL140 G3 Servers
Known Issue with NAC-3310 CD Installation
Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection
Known Issues with Cisco NAC Profiler Release 2.1.7
Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
Known Issues for Windows Vista and Agent Stub
Use "No UI" or "Reduced UI" Installation Option
"Interactive Services Dialog Detection" and Uninstall
Known Issues with MSI Agent Installer
Known Issue with Windows 2000 Clean Access Agent/Local DB Authentication
Known Issue with Windows 98/ME/2000 and Windows Script 5.6
New Installation of Release 4.1(3)
Settings That May Change With Upgrade
General Preparation for Upgrade
Upgrading from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+—Standalone Machines
Web Console Upgrade—Standalone Machines
Console/SSH Upgrade—Standalone Machines
Upgrading from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+—HA Pairs
Access Web Consoles for High Availability
Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs
Vista/IE 7 Certificate Revocation List
Windows Vista Agent Stub Installer Error
Agent Stub Upgrade and Uninstall Error
Clean Access Agent AV/AS Rule Troubleshooting
Generating Windows Installer Log Files for Agent Stub
Debug Logging for Cisco NAC Appliance Agents
Generate Windows Agent Debug Log
Generate Mac OS X Agent Debug Log
Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
Troubleshooting Switch Support Issues
Troubleshooting Network Card Driver Support Issues
Other Troubleshooting Information
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(3)
Revised: November 25, 2010, OL-14508-01Contents
These release notes provide late-breaking and release information for Cisco® NAC Appliance, formerly known as Cisco Clean Access (CCA), release 4.1(3). This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.
•
Cisco NAC Appliance Service Contract/Licensing Support
•
•
•
•
•
Cisco NAC Appliance Releases
Note
Cisco NAC Appliance Service Contract/Licensing Support
For complete details on service contract support, new licenses, evaluation licenses, legacy licenses and RMA, refer to the Cisco NAC Appliance Service Contract / Licensing Support.
System and Hardware Requirements
This section describes the following:
•
•
System Requirements
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for system requirement information for the Clean Access Manager (CAM), Clean Access Server (CAS), and Cisco NAC Appliance Agents.
Hardware Supported
This section describes the following:
•
•
Cisco NAC Network Module
Release 4.1(3) supports the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs). The Cisco NAC Network Module for Integrated Services Routers supports the same software features as the Clean Access Server on a NAC Appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another.
For hardware installation instructions (how to install the NAC network module in an Integrated Service Router), refer to the following sections of the Cisco Network Modules Hardware Installation Guide.
•
•
For software installation instructions (how to install the Clean Access Server software on the NAC network module) refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers.
Note
While upgrading to release 4.1(3) and later is not required to support Cisco NAC network modules, if you are supporting 64-bit Windows Vista client systems, you must upgrade to release 4.1.2.1 or later.
NAC-3300 Series Appliances
Release 4.1(3) supports Cisco NAC Appliance 3300 Series platforms.
Customers have the option to upgrade NAC-3310, NAC-3350, or NAC-3390 MANAGER and SERVER appliances to release 4.1(3) using a single upgrade file, cca_upgrade-4.1.3.x.tar.gz.
CD installation of release 4.1(3) is also supported:
•
Note
•
Note
Release 4.1(3) and Cisco NAC Profiler
Release 4.1(3) includes the Cisco NAC Profiler Collector component that resides on Clean Access Server installations.
Refer to the Release Notes for Cisco NAC Profiler for updated product information.
See also Known Issues with Cisco NAC Profiler Release 2.1.7.
Important Installation Information for NAC-3310
•
•
NAC-3310 Required BIOS/Firmware Upgrade
The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for detailed instructions.
NAC-3310 Required DL140 or serial_DL140 CD Installation Directive
The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM. For more information, refer ro Known Issue with NAC-3310 CD Installation.
Additional Hardware Support Information
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:
•
•
•
•
See Troubleshooting for further details.
Supported Switches for Cisco NAC Appliance
See Switch Support for Cisco NAC Appliance for complete details on:
•
•
•
•
VPN and Wireless Components Supported for Single Sign-On (SSO)
Table 1 lists VPN and wireless components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.
Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO
4.1(3)
Cisco WiSM Wireless Service Module for the Cisco Catalyst 6500 Series Switches
N/A
Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)1
N/A
Cisco ASA 5500 Series Adaptive Security Appliances, Version 8.0(3)7 or later2
AnyConnect
Cisco ASA 5500 Series Adaptive Security Appliances, Version 7.2(0)81 or later
•
•
Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco VPN 3000 Series Concentrators, Release 4.7
Cisco PIX Firewall
1 For additional details, see also Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).
2 Release 4.1(3) supports existing AnyConnect clients accessing the network via Cisco ASA 5500 Series devices running release 8.0(3)7 or later. For more information, see VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal and CSCsi75507.
Note
For further details, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3) and the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3).
Software Compatibility
This section describes software compatibility for releases of Cisco NAC Appliance:
•
•
For details on Clean Access Agent and Cisco NAC Web Agent client software versions and AV integration support, see:
•
Software Compatibility Matrixes
This section describes the following:
•
•
•
Release 4.1(3) Compatibility Matrix
Table 2 shows Clean Access Manager and Clean Access Server compatibility and the Clean Access Agent version supported with each CCA 4.1(3) release (if applicable). CAM/CAS/Clean Access Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in the table.
Table 2 Release 4.1(3) Compatibility Matrix
4.1.3.1 6
4.1.3.1 6
4.1.3.2
4.1.3.1
4.1.3.04.1.3.1
4.1.3.04.1.3.10
4.1.3.94.1.2.x
4.1.1.0
4.1.0.x 74.1.2.x
4.1.1.0
4.1.0.x 7-
-
4.1(3)
4.1(3)
4.1.3.2
4.1.3.1
4.1.3.04.1.3.1
4.1.3.04.1.3.10
4.1.3.94.1.2.x
4.1.1.0
4.1.0.x 7-
-
1 Make sure both CAS and CAM are of same version.
2 See Cisco NAC Appliance Agents for details on version updates for each Windows/Mac OS X/Web Agent.
3 Version 4.1.3.0 and later of the Windows Clean Access Agent is compatible with the 4.1(3) CAM and 4.1(3) and later CAS releases. See Cisco NAC Appliance Agents for details and caveats resolved for each Agent version.
4 Mac OS X Clean Access Agent supports authentication only (no posture assessment) and auto-upgrade starting from version 4.1.3.0. See Mac OS X Clean Access Agent Version 4.1.3.0 for details.
5 Cisco NAC Web Agent 4.1.3.9 is a new user access option introduced in release 4.1(3). See Cisco NAC Web Agent Enhancements for more information.
6 Cisco NAC Appliance Release 4.1.3.1 is a general and important bug fix release that resolves issues as described in Enhancements in Release 4.1.3.1.
7 Cisco strongly recommends running version 4.1.3.0 of the Clean Access Agent with release 4.1(3) of the CAM/CAS. If necessary, release 4.1(3) allows administrators to optionally configure the 4.1(3) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment (Windows only). Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(3) Cisco NAC Appliance system. However, an Agent upgraded to 4.1.3.0 and later can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1) in the 4.1(1) release notes for details.
Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix
Table 3 shows 4.1(3) CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row. When you upgrade your system software, Cisco recommends you upgrade to the most current release available whenever possible.
Table 3 Release 4.1(3) CAM/CAS Upgrade Compatibility Matrix
Upgrade From:
4.1.3.1 3
4.1(3)4.1.3.1 3
4.1(3)
1 Release 4.1(0), 4.1.0.1, and 4.1.0.2 do not support and cannot be installed on Cisco NAC Appliance 3300 Series platforms.
2 "In-place" upgrade from version 3.5(11) to 4.1(3) is not supported. Customers wishing to upgrade a system from 3.5(11) to 4.1(3) must use the supported in-place upgrade procedure to upgrade from 3.5(11) to 4.0(6), and then upgrade to 4.1(3). (See CSCsl76977.)
3 Cisco NAC Appliance Release 4.1.3.1 is a general and important bug fix release that resolves issues as described in Enhancements in Release 4.1.3.1.
.
Release 4.1(3) Clean Access Agent Upgrade Compatibility Matrix
Table 4 shows Clean Access Agent upgrade compatibility when upgrading existing versions of the Agent after 4.1(3) CAM/CAS upgrade. You can auto-upgrade any 3.5.1+ Windows Agent directly to the latest 4.1.3.x Windows Agent. You can auto-upgrade Mac OS X Agents starting from version 4.1.3.0 and later.
Note
Refer to the "Cisco NAC Appliance Agents Systems Requirements" section of the Supported Hardware and System Requirements for Cisco NAC Appliance for additional compatibility details.
Table 4 Release 4.1.3.x Agent Upgrade Compatibility Matrix
4.1.3.1
4.1(3)4.1.3.1
4.1(3)4.1.2.x
4.1.1.0
4.1.0.x 44.1.3.2
4.1.3.1 5
4.1.3.04.1.3.1 6
4.1.3.04.0.x.x
3.6.x.x
3.5.1 and later4.1.3.1 5
4.1.3.0—
1 Clean Access Agent versions are not supported across major releases. Do not use 4.1.3.x Agents with 4.0(x) or prior releases. However, auto-upgrade is supported from any 3.5.1 and later Agent directly to the latest 4.1.3.x Agent.
2 See Cisco NAC Appliance Agents for details on version updates for each Windows/Mac OS X/Web Agent.
3 For checks/rules/requirements, version 4.1.1.0 and later Clean Access Agents can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.
4 Cisco strongly recommends running the latest 4.1.3.x version of the Clean Access Agent with release 4.1(3) of the CAM/CAS. If necessary, release 4.1(3) allows administrators to optionally configure the 4.1(3) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment. Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(3) Cisco NAC Appliance system. However, an Agent upgraded to 4.1.3.0 and later can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1) in the 4.1(1) release notes for details.
5 Windows Clean Access Agent version 4.1.3.1 resolves caveat CSCsm05207. See Windows Clean Access Agent Version 4.1.3.1 and Resolved Caveats - Windows Clean Access Agent 4.1.3.1 for details.
6 Auto-upgrade of the Mac OS X Agent is supported starting from version 4.1.3.0 and later. Release 4.1(1) and release 4.1(2)+ do not support auto-upgrade for the Mac OS X Agent. Users can upgrade client machines to the latest Mac OS X Agent by downloading the Agent via web login and running the Agent installation. For more information, see Mac OS X Clean Access Agent Enhancements.
Determining the Software Version
There are several ways to determine the version of software running on your Clean Access Manager (CAM), Clean Access Server (CAS), or Clean Access Agent, as described below.
•
•
•
•
Clean Access Manager (CAM) Version
The top of the CAM web console displays the software version installed. After you add the CAM license, the top of the CAM web console displays the license type (Lite, Standard, Super). Additionally, the Administration > CCA Manager > Licensing page displays the types of licenses present after they are added.
The software version is also displayed as follows:
•
•
CAM Lite, Standard, Super
The NAC Appliance Clean Access Manager (CAM) is licensed based on the number of NAC Appliance Clean Access Servers (CASes) it supports. You can view license details under Administration > CCA Manager > Licensing. The top of CAM web console identifies the type of CAM license installed:
•
•
•
Note the following:
•
•
•
Clean Access Server (CAS) Version
You can determine the CCA software version running on the Clean Access Server (whether NAC-3300 appliances or Cisco NAC network modules) using the following methods:
•
•
•
Note
Cisco NAC Appliance Agents Versioning
On the CAM web console, you can determine versioning for the Cisco NAC Appliance Agents from the following pages:
•
•
•
•
From the Clean Access Agent itself on the client machine, you can view the following information from the Agent taskbar menu icon:
•
•
Cisco Clean Access Updates Versioning
To view the latest version of Updates downloaded to your CAM, including Cisco Checks & Rules, Cisco NAC Web Agent, Clean Access Agent Upgrade Patch, Supported AV/AS Product List, go to Device Management > Clean Access > Update > Summary on the CAM web console. See Clean Access Supported AV/AS Product List and Clean Access Supported AV/AS Product List for additional details.
New and Changed Information
This section describes enhancements added to the following releases of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.
•
•
•
See Cisco NAC Appliance Agents for new features and enhancements to Cisco NAC Appliance Agents.
For additional details, see also:
•
•
Enhancements in Release 4.1.3.2
Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.2)
Added Agent language template support for Russian, Turkish, and Serbian (Cyrillic) for Windows Agents. The Agent will display localized text for these languages if run from localized Windows operating system.
Note
Note
See Cisco NAC Appliance Agents for enhancement details per Agent version.
Enhancements in Release 4.1.3.1
Release 4.1.3.1 is a general and important bug fix release for the Clean Access Manager and Clean Access Server that addresses the caveats described in Resolved Caveats - Release 4.1.3.1. No new features are added.
For upgrade instructions, please refer to Upgrading to 4.1(3).
Enhancements in Release 4.1(3)
This section details the enhancements delivered with Cisco NAC Appliance release 4.1(3) for the Clean Access Manager and Clean Access Server.
General Enhancements
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Out-of-Band Enhancements
•
•
•
Cisco NAC Appliance Agent Enhancements
•
General Enhancements
Cisco NAC Web Agent
Warning
Cisco NAC Appliance release 4.1(3) introduces a new temporal Agent for Windows client machines. Unlike the Clean Access Agent, the Cisco NAC Web Agent is not a "persistent" entity, thus it only exists on the client machine long enough to accommodate a single user session. Instead of downloading and installing an Agent application, once the user opens a browser window, logs in to the Cisco NAC Appliance web login page, and chooses to launch the Cisco NAC Web Agent, an ActiveX control or Java applet (you specify the preferred method using the Web Client (Active X/Applet) option in the Administration > User Pages > Login Page configuration page) initiates a self-extracting stub installer on the client machine to install Agent files in a client's temporary directory, perform posture assessment/scan the system to ensure security compliance, and report compliance status back to the Cisco NAC Appliance system. During this period, the user is granted access only to the Temporary Role and if the client machine is not compliant for one or more reasons, the user is informed of the issues preventing network access and may do one of the following:
•
•
Note
Once the user has provided appropriate login credentials and the Web Agent ensures the client machine meets the NAC Appliance security requirements, the browser session remains open and the user is logged in to the network until the user clicks the Logout button in the Web Agent browser window, shuts off their system, or the NAC Appliance administrator terminates the session from the CAM. After the session terminates, the Web Agent "removes" itself from the client machine and the temporary files used to install are deleted from the system.
Note
The Cisco NAC Web Agent enhancement affects the following page of the CAM web console:
•
Note
Support for Clients with Multiple Active NICs
Cisco NAC Appliance release 4.1(3) includes an enhancement to help stabilize connection problems from client machines with more than one active Network Interface Card (NIC). For example, a client machine may have an active LAN Ethernet connection and an active wireless NIC connection where each interface sends SWISS UDP discovery packets to initiate a connection to a network CAS. To address this potential situation, the CAS now examines the SWISS packets from the client machine to record the requesting NIC IP address and verifies all subsequent SWISS UDP packets for the NIC IP address to ensure the same client only logs in from one interface.
Without this enhancement, the following scenario can occur:
The client machine A sends out SWISS UDP discovery packets to the CAS and receives a response directing the user to enter their authentication credentials. During this process, another active NIC on client machine A sends SWISS UDP discovery plackets to the same CAS even though the first interface is already establishing a connection. After the first client session is established, the user sees a login screen again, despite having already successfully established connection. Until the secondary NIC is disabled or the client machine does something to halt SWISS UDP packet transmission, the user can continually see login screen after login screen.
For information regarding clients with multiple active NICs and how to configure them to interoperate with the Access to Authentication VLAN change detection feature, see Access to Authentication VLAN Change Detection Interoperability with Clients Featuring More Than One Active NIC.
For more information, see the "Supporting Multiple Active NICs on the Clean Access Agent Client Machine" section in the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3).
Clean Access Server HA Heartbeat Link Enhancement
Clean Access Server HA heartbeat link capabilities have been enhanced in release 4.1(3). In addition to the existing serial interface and optional trusted (eth0 and eth2/eth3) interface heartbeat connections, you can now also configure the CAS to employ the (untrusted side) eth1 interface to provide redundant HA heartbeat monitoring.
This enhancement affects the following page of the CAS web console:
•
Clean Access Manager HA Configuration and Heartbeat Link Enhancements
In release 4.1(3), the Clean Access Manager web console interface now features a new (separate) Failover tab as well as additional failover configuration settings to support up to three optional redundant Heartbeat UDP Interfaces. In addition to the existing optional serial interface and dedicated eth1 interface heartbeat connections, you can now also configure the CAM to employ the (trusted side) eth0 interface and an additional optional Ethernet link to provide redundant HA heartbeat monitoring.
This enhancement affects the following pages of the CAM web console:
•
•
Guest User Login and Registration Enhancements
Release 4.1(3) enhances the way the CAM handles Guest user login, registration, and access with a new Guest Registration feature. Rather than allow users to simply gain undifferentiated Guest access to the system, the administrator can now configure guest users to register their own local accounts on the CAM using a variety of fields, including email, phone number, or affiliation. The new feature provides a customizable level of guest authentication using a new Guest Auth Server Type, new Guest Registration configuration pages, and the default guest role.
The CAM can automatically time out guest accounts using token expiration, or flush out unused guest accounts from the local database after a configurable number of days. Administrators can view newly created guest accounts on a new Guest Users local users list, and on the Certified Device List and Online Users List by configured Guest Auth Provider and Guest role.
Note
To update any existing Guest user access model on the CAM to take advantage of the enhancements in release 4.1(3), administrators can perform the following tasks:
1.
2.
3.
4.
5.
This enhancement affects the following pages of the CAM web console:
•
•
•
LDAP Authentication Enhancement
Release 4.1(3) enhances the authentication settings available when authenticating user credentials against an LDAP server. Administrators can now specify either the "Simple" or Generic Security Services Application Programming Interface (GSSAPI) authentication mechanism to better provide secure credential authentication in the network.
This enhancement affects the following pages of the CAM web console:
•
–
–
Clean Access Server and WSUS Interaction Enhancement
Release 4.1(3) improves message text for Windows Server Update Services (WSUS) requirements. When the Clean Access Agent encounters a WSUS requirement compliance issue, the Agent launches a secondary client remediation frame from which the user can download the required Windows Update during client posture assessment.
Note
Agent Restricted User Access Enhancement
Cisco NAC Appliance Agent login behavior has been enhanced in release 4.1(3) to allow users "restricted" network access if/when their client machine does not pass posture assessment as configured in the requirements associated with the user's login role. If this function is enabled by the administrator, a new button labeled "Limited" now appears in the Clean Access Agent login dialog and "Get Restricted Network Access" (or another configurable text string) in the Cisco NAC Web Agent dialog to give the user the option to gain access to a restricted set of network resources via the NAC Appliance system. The administrator has control over which resources are available to users with restricted network access, according to the configuration settings specified in an existing user role. For example, the administrator can create a new user role called "Restricted" in User Management > User Roles that allows users who choose to accept restricted network access to launch their Email program and gain access to the WWW, but nothing else.
This enhancement affects the following web console page:
•
Device Filter List Display and Import/Export Enhancement
Starting from release 4.1(3), Cisco NAC Appliance administrators can export device filter lists to CSV files that can be searched, viewed, and manipulated in Microsoft Excel spreadsheets whenever the administrator needs them to troubleshoot connection issues or compile statistical reports, and the administrator can import device filter list information to populate (or repopulate) the CAMs device filter database from existing CSV files. In addition, the layout and function of the device filter list display (Device Management > Filters > Devices > List) has been updated in release 4.1(3) to give the administrator more direct control over the specific device entries displayed.
This enhancement affects the following page of the CAM web console:
•
Agent Report Information Display and Export Enhancement
Starting from release 4.1(3), Cisco NAC Appliance administrators can export Agent report information to CSV files that can be searched, viewed, and manipulated in Microsoft Excel spreadsheets whenever the administrator needs them to troubleshoot connection issues or compile statistical reports. In addition, the layout and function of the Agent report display list (Device Management > Clean Access > Clean Access Agent > Reports) has been updated in release 4.1(3) to give the administrator more direct control over the specific Agent report entries displayed.
This enhancement affects the following page of the CAM web console:
•
Note
The Export (with text) option provides an extra column containing the raw HTML code of the full Agent report that you can open for each report by clicking on view in the viewer.
VPN SSO Login Enhancement
Release 4.1(3) features a VPN SSO enhancement to ensure that users logging in via VPN are not erroneously presented with the Agent login dialog when signing in. When the user initiates a login session, the CAS passes information alerting the Agent that the user is already part of the VPN login list, thus enabling the CAM to avoid presenting the Agent login screen on the client machine. In network topologies that employ VPN concentrators, this potential situation can be made even more complex if the VPN concentrator delays sending the appropriate VPN login list notification to the CAS. To address this problem, the CAS is now able to specify a delay in the SWISS packet that tells the Agent to wait a short time before presenting the login screen.
VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
Release 4.1(3) adds accounting update functionality to support existing AnyConnect clients accessing the network via Cisco ASA 5500 Series Adaptive Security Appliances platforms. To support VPN SSO, you must be running Cisco NAC Appliance release 4.1(3) or later and the Cisco ASA 5500 Series device must be running release 8.0(3)7 or later and be configured to send interim accounting update packets.
For example, your Cisco ASA 5500 Series configuration should include:
aaa-server radius protocol radiusinterim-accounting-updateFor VPN/Wireless SSO support information, refer to VPN and Wireless Components Supported for Single Sign-On (SSO)
Note
Syslog Configuration Enhancement
Release 4.1(3) features a Syslog Settings page configuration enhancement allowing you to specify the Syslog Facility setting for a designated Syslog server where you direct Syslog messages originating from the CAM. You can use the default "User-Level" facility type, or you can assign any of the "local use" Syslog facility types defined in the Syslog RFC ("Local use 0" to "Local use 7"). This feature gives you the ability to differentiate Cisco NAC Appliance Syslog messages from "User-Level" Syslog entries you may already generate and direct to your Syslog server from other network components.
This enhancement affects the following page of the CAM web console:
•
Debug Log Download Enhancement
With release 4.1(3), you can now specify the number of days of collected debug logs to download in order to aid troubleshooting efforts when working with Cisco technical support. The default setting is one week (7 days). Previously, debug logs included all recorded log entries in the CAM/CAS database.
This enhancement adds a new field, "Download technical support logs for the last [] days" to the following web console pages:
•
•
cisco_api.jsp Enhancement
In Release 4.1(3), the Cisco NAC Appliance API (https://<CAM-IP-address or hostmame>/admin/cisco_api.jsp) adds the following new functions which provide support for Cisco NAC Profiler deployments:
•
•
•
•
•
The API also includes the following enhancements:
•
•
See also CSRF Protection. For further details on the Cisco NAC Appliance API, see Appendix B "API Support" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3).
CSRF Protection
Release 4.1(3) enhances protection from Cross-Site Request Forgery attacks, which maliciously exploit web browser sessions. Release 4.1(3) provides the following enhancements:
•
•
•
Proxy Support Enhancements
Starting with release 4.1(3), proxy-related enhancements enable you to configure the Clean Access Server to allow proxy support for user login sessions using the Unauthenticated role:
•
Note
•
•
•
Note
These enhancements affect the following pages of the CAM web console:
•
•
ARP Broadcast Packet Handling Improvement
Release 4.1(3) features an ARP broadcast enhancement that helps alleviate erroneous ARP broadcast "re-broadcasting." When an ARP broadcast packet arrives at the untrusted eth1 interface on the CAS, the CAS now checks to verify the nature of the broadcast packet. If the destination IP address is a known IP address or a valid IP address as part of a managed subnet, the CAS "re-broadcasts" the packet on to the appropriate managed subnet. If the packet in question is an ARP broadcast itself (a request for the owner of x.y.z.255, for example), then the CAS does not forward/rebroadcast the request because no host on the managed subnet will be able to respond appropriately.
Therefore, the NAC Appliance system now performs as follows when we receive a broadcast message (with a broadcast destination IP address) at the trusted side of the CAS:
1.
2.
3.
Clean Access Server HA ARP Broadcast Enhancement
Release 4.1(3) features an ARP broadcast enhancement to improve Clean Access Server HA capabilities. In the event of a CAS failover, the HA-Secondary CAS (which assumes the HA-Primary role) now sends ARP request broadcast messages to all managed subnets on the untrusted (eth1) interface instead of just the primary subnet. These gratuitous ARPs help ensure that all clients on the untrusted side of the NAC Appliance network have a chance to update their ARP tables with the IP and MAC address of the new active CAS instead of first experiencing a session time-out and having to re-establish connection to the new active CAS.
Deprecated "Retag Trusted-side Egress Traffic with VLAN (In-Band)" Feature
The "Retag Trusted-side Egress Traffic with VLAN (In-Band)" feature for User Roles is deprecated in Release 4.1(3) and will be removed completely in a future release.
This affects the following page of the CAM web console:
•
Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
The "Roaming" and "IPSec/L2TP/PPTP/PPP" features that have been deprecated in previous Cisco NAC Appliance releases now no longer appear in the web console interface for release 4.1(3). This change affects many pages of the CAM and CAS web user interfaces, most notably:
•
•
•
•
•
•
Clean Access Agent Auto Remediation
Release 4.1(3) introduces a new configurable Remediation Type[Manual | Automatic] option when configuring Clean Access Agent Requirements for the following requirement types:
•
•
•
•
•
•
Choosing the Manual Remediation Type preserves the previous Agent behavior. The user has to click through each of the requirements using the Next button.
Choosing the Automatic Remediation Type sets the Agent to perform Auto Remediation. When Auto Remediation is configured, the Clean Access Agent automatically performs updates or launches required programs on the client after the user logs in.
During Auto Remediation, the Agent dialog displays only two buttons: Details and Manual. Clicking Details shows additional progress messages for the auto remediation. Clicking Manual changes the Agent back to Manual mode, where the user has to click through each requirement.
The auto-remediation actions the Agent performs depend on the requirement type, such as:
•
•
•
•
•
This enhancement affects the following pages of the CAM web console:
•
Note
•
Note
Delay Agent Logoff on CAM/CAS
User logoff behavior for the Windows Clean Access Agent in In-Band deployments has been enhanced in release 4.1(3) to ensure that all scripts necessary to log the user out of the NAC Appliance system have had a chance to complete before the CAS restricts user traffic. The drawback of users not having had a chance to successfully log out of the CAM/CAS before Windows shuts down is that the user session may remain "active" on the CAM (the user ID and session information still appear in the Monitoring > Online Users > View Online Users display) and the user suffers connection issues the next time they attempt to connect to the network from the same client machine. To address this situation, the administrator can now configure a period of time to delay Agent logout from the CAS/CAM to ensure enough time to complete the logout script(s).
This enhancement affects the following page CAM web console:
•
64-bit Windows Operating System Agent Support
In release 4.1(3), the Windows Clean Access Agent and Cisco NAC Web Agent perform authentication only on 64-bit Windows Vista and Windows XP client operating systems.
Note
Supported AV/AS Product List Enhancements (Version 67)
•
•
Out-of-Band Enhancements
Access to Authentication VLAN Change Detection Enhancement
Cisco NAC Appliance release 4.1(3) further enhances VLAN change detection mechanisms for Clean Access Agent machines in Out-of-Band (OOB) deployments to allow the client port to change from the Access to the Authentication VLAN without having to bounce the port.
Caution
This feature applies to the Clean Access Agent only and does not apply to web login or to the Cisco NAC Web Agent. This feature is designed to enhance support for the following deployments:
•
•
•
In OOB, when the user is logged out and the client port changes from the Access VLAN to the Authentication VLAN, the IP address for the client machine typically needs to change to coincide with the Authentication VLAN. In OOB, when the user is in the Access VLAN, the Clean Access Agent no longer communicates with the CAM or CAS, so the Agent is not aware when the CAM changes the VLAN for the client port. Although the CAM can bounce the port to change the IP address on the client, this solution is not recommended for IP Phone environments, as it can disrupt voice services.
Versions earlier than 4.1.3.0 of the Windows Clean Access Agent could only learn of a change from the Access VLAN to the Authentication VLAN once the current DHCP lease had expired and the client was forced to re-establish connection. With release 4.1(3), the Agent detects that the client has the wrong IP address for the current VLAN and automatically triggers an IP address change (release/renew) to maintain connection. No additional configuration on the CAM is required to use this enhancement.
Note
Version 4.1.3.2 of the Windows Clean Access Agent modifies the Access to Authentication VLAN Change Detection feature as follows:
•
•
•
•
•
Note
•
•
•
Agent users with non-admin privileges and no Clean Access Agent Stub service installed on the client can use ICMP to detect the VLAN and then enable DHCP services (net dhcp stop/start) to change the client IP address. In order to utilize the option, however, you must configure a Group Policy Object (GPO) granting domain users full control of the DHCP client. Once DHCP control is enabled, the Agent attempts to restart the DHCP client to get a new IP address after failing IP address release/renew. See Table 5 for more information.
Note
Note
This feature may not be compatible with all Cisco NAC Appliance deployments (such as VPN deployments). Therefore, although you can still enable and configure this feature, versions 4.1.3.1 and 4.1.3.2 of the Clean Access Agent disable this feature by default. Refer to Windows Clean Access Agent Version 4.1.3.1 and Windows Clean Access Agent Version 4.1.3.2 for additional details.
Access to Authentication VLAN Change Detection Interoperability with Clients Featuring More Than One Active NIC
If you use the Access to Authentication VLAN change detection feature on a client machine with more than one active NIC, all active NICs on the client use the feature. By design, the NIC with the lowest metric always takes precedence for routing purposes, and you can determine the metric using the route print command from a command prompt. Client-to-CAS communication depends on the specific scenario:
•
If one of the CASs is in Layer 2 OOB Virtual Gateway mode, and the client somehow switches back to the authentication VLAN (if the client is deleted form the Certified Device List, for example), then the client can no longer ping its default gateway. This situation can result in the client performing unnecessary, repetitive IP refreshes even though that NIC is not the one the client is currently using for traffic.
If this configuration is required, you must configure a traffic policy on the CAM to allow ICMP traffic to the default gateway for the Unauthenticated Role.
•
Configuring Registry Keys on the Windows Client
In order to configure a client machine with multiple NICs to appropriately interact with the Cisco NAC Appliance Access to Authentication VLAN detect feature, you must define the appropriate registry keys on the client, as shown in Table 5. The following required DWORD registry keys are all located in the same HKEY_LOCAL_MACHINE\Software\Cisco\Clean Access Agent\ registry location.
For more information on multiple-NIC client support, see Support for Clients with Multiple Active NICs.
SNMP Inform Notification Enhancement
SNMP notification behavior has been enhanced in release 4.1(3) to feature SNMP "inform request" behavior. Because SNMP traps can be unreliable due to the fact that the SNMP receiver is not required to send an acknowledgment when it receives a trap, the sender cannot determine if the trap was received. In release 4.1(3), the CAM is able to transmit SNMP inform acknowledgements in response to switch SNMP inform requests to ensure reliable information delivery between the switch and the CAM. (The inherent SNMP "inform request/acknowledgement" retry mechanism helps increase the chances of successful information delivery from the managed switch to the CAM.)
SNMP "MAC Move Notification" Switch Port Configuration Support
With release 4.1(3), Cisco NAC Appliance now supports the "MAC Move Notification" switch port configuration and notification feature. When the managed switch sends out a notification trap announcing that a connected host has moved from one port to another within the same VLAN, the CAM responds to the notification by updating the discovered client information and, if necessary, changing the VLAN assignment for the host port to reflect the information in the switch trap notification.
Releases earlier than 4.1(3) depend on "MAC Changed Notification" to detect the client device when it connects to the switch. From the notification, the switch learns a new MAC address on the port, and the Clean Access Manager learns from the switch what device is connected to which port. Based on this learned information, the CAM changes the VLAN for that switch port.
However, when the MAC Move Notification Trap is configured on the switch, the switch sends out the trap when a connected device moves from one port to another on the same VLAN. With CCA versions earlier than 4.1(3), the MAC Move Notification is not supported, and the CAM does not update connected device information when a MAC Move event occurs. As a result, CAM can end up incorrectly setting the VLAN on the switch port from which the device has already disconnected.
With release 4.1(3) and later, OOB deployments now support:
•
•
•
Cisco NAC Appliance Agent Enhancements
Windows Clean Access Agent Language Template Support Enhancement (Version 4.1.3.0)
Added Agent language template support for Dutch, Hungarian, and Portuguese for Windows Agents. The Agent will display localized text for these languages if run from localized Windows operating system.
Note
Note
See Cisco NAC Appliance Agents for enhancement details per Agent version.
Cisco NAC Appliance Agents
This section consolidates information for Clean Access Agent and Cisco NAC Web Agent client software versions, as follows:
•
•
•
Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted. For all Agents:
•
•
Note
Note
See the "Clean Access Agent Version Summary" section in the Release Notes for Cisco NAC Appliance (Cisco Clean Access) Version 4.1(1) for details on the 4.1.1.0 Agent.For additional details refer to Known Issues for Cisco NAC Appliance and Troubleshooting for Agent-related information.
Windows Clean Access Agent Enhancements
This section contains the latest enhancements per version of the Windows Clean Access Agent.
•
•
•
Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted.
Windows Clean Access Agent Version 4.1.3.2
Version 4.1.3.2 of the Windows Clean Access Agent resolves caveats CSCsl77778 CSCsl77801, CSCsm04923, CSCsm38529, CSCsm39238, CSCsm54763, CSCsm42572, CSCsm62326, CSCsm67052, and CSCso22399. Refer to Resolved Caveats - Windows Clean Access Agent 4.1.3.2 for additional details.
New features or enhancements for Windows Clean Access Agent version 4.1.3.2 (persistent):
•
–
–
–
–
–
Note
•
•
•
Supported AV/AS Product List Enhancements (Version 68)
•
•
Windows Clean Access Agent Version 4.1.3.1
Version 4.1.3.1 of the Windows Clean Access Agent resolves caveat CSCsm05207. Refer to Resolved Caveats - Windows Clean Access Agent 4.1.3.1 and Access to Authentication VLAN Change Detection Enhancement for additional details.
Note
•
•
Windows Clean Access Agent Version 4.1.3.0
New features or enhancements for Windows Agent version 4.1.3.0 (persistent):
•
•
•
•
•
•
•
Note
Note
Note
This is expected behavior because, unlike earlier Windows operating systems, Windows Vista services run in an isolated session (session 0) from user sessions, and thus do not have access to video drivers. As a workaround for interactive services like the Agent stub installer, Windows Vista uses an Interactive Service Detection Service to prompt users for user input for interactive services and enable access to dialogs created by interactive services. The "Interactive Service Detection Service" will automatically launch by default and, in most cases, users are not required to do anything. If the service is disabled for some reason, however, Agent installation by non-admin users will not function.For more information on the stub installer and its behavior, see the "Configuring Agent Distribution/Installation" section of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3). See also Known Issues with MSI Agent Installer.
•
Note
Mac OS X Clean Access Agent Enhancements
This section contains the latest enhancements per version of the Mac OS X Clean Access Agent:
•
•
Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted.
Note
Mac OS X Clean Access Agent Version 4.1.3.1
Version 4.1.3.1 of the Clean Access Agent resolves caveats CSCsl83353, CSCsl88985, CSCsl98060, CSCsm10311, CSCsm20813, CSCsm26806, and CSCsm47276 for Mac OS X Agents. Refer to Resolved Caveats - Mac OS X Agent 4.1.3.1 for additional details.
Mac OS X Clean Access Agent Version 4.1.3.0
New features or enhancements in Macintosh OS X Clean Access Agent version 4.1.3.0:
•
•
•
•
Note
•
•
•
•
Cisco NAC Web Agent Enhancements
This section contains the latest enhancements per version of the Cisco NAC Web Agent:
•
•
Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted.
See Release 4.1(3) Compatibility Matrix for general compatibility details.
Cisco NAC Web Agent Version 4.1.3.10
For release 4.1(3) and later, new versions of the Cisco NAC Web Agent are available from the Clean Access Manager via the Updates mechanism (Device Management > Clean Access > Updates > Update). If use of the Cisco NAC Web Agent is required for the role, users will automatically download the latest version that is available on the CAM. If you do not want to distribute the latest version of the Web Agent, you can deselect the "Check for Cisco NAC Web Agent updates" checkbox on the Updates page.
New features or enhancements for Windows Agent version 4.1.3.10:
•
•
•
Signed Certificate Requirements
For version 4.1.3.10, the ActiveX control and Java Applet are signed by a certificate ("Cisco Systems") which is signed by "Thawte Server CA," and should be included in the Trusted Root Certificate Authority store.
If the certificate is not included in the Trusted Root Certificate Authority store, users will see a security alert dialog whenever they launch the Cisco NAC Web Agent. The dialog indicates a secure connection is required, but the certificate issuer is untrusted or unknown. The user can accept the certificate for this session, or install this certificate in the certificate store.
To install the certificate:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
For additional information, see also Vista/IE 7 Certificate Revocation List.
Cisco NAC Web Agent Version 4.1.3.9
Release 4.1(3) introduces the new (temporal) Cisco NAC Web Agent version 4.1.3.9.
Refer to Cisco NAC Web Agent for feature details.
Versions 4.1.3.9 and later of the Cisco NAC Web Agent have the following system requirements:
•
•
•
Operating System Dependencies
You can install and launch the Cisco NAC Web Agent on the following operating systems:
•
•
•
Note
Browser Support
You can install and launch the Cisco NAC Web Agent from the following web browsers:
•
•
ActiveX and Java Applet Requirements
•
•
•
Note
Microsoft Internet Explorer 7 in Windows Vista
By default, Windows Vista checks the server certificate revocation list and prevents the Web Agent from launching on the client machine.
To disable this functionality:
Step 1
Step 2
Step 3
Step 4
For additional information, see also Vista/IE 7 Certificate Revocation List.
Clean Access Supported AV/AS Product List
This section describes the Supported AV/AS Product List that is downloaded to the Clean Access Manager via Device Management > Clean Access > Updates > Update to provide the latest antivirus (AV) and anti-spyware (AS) product integration support for Cisco NAC Appliance Agents that support AV/AS posture assessment/remediation. The Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported AV/AS vendors and product versions used to configure AV/AS Rules and AV/AS Definition Update requirements.
The Supported AV/AS Product List contains information on which AV/AS products and versions are supported in each Windows Clean Access Agent release along with other relevant information. It is updated regularly to bring the relevant information up to date and to include newly added products for new releases. Cisco recommends keeping your list current, especially when you upload a new Agent Setup version or Agent Patch version to your CAM. Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages list all the new products supported in the new Agent.
Note
The following charts list the AV and AS product/version support per client OS as of the latest Clean Access release:
•
•
•
The charts show which AV/AS product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Clean Access Agent.
For a summary of the product support that is added per version of the Supported AV/AS Product List or Clean Access Agent, see also:
•
You can access additional AV and AS product support information from the CAM web console under Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info.
Note
Note that Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for AV/AS products by vendors, the Cisco NAC Appliance team will update the Supported AV/AS Product List and/or Clean Access Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."
Clean Access AV Support Chart (Windows Vista/XP/2000)
Table 6 lists Windows Vista/XP/2000 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 7 for Windows ME/98).
Table 6 Clean Access Antivirus Product Support Chart (Windows Vista/XP/2000)
Version 68, 4.1.3.2 Agent, CAM/CAS Release 4.1.3.1 (Sheet 1 of 12)
(Minimum Agent Version Needed)1TrustPort Antivirus
2.x
yes (4.0.6.0)
-
yes
AhnLab Security Pack
2.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
AhnLab V3 Internet Security 2007
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
AhnLab V3 Internet Security 2007 Platinum
7.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
AhnLab V3 Internet Security 2008 Platinum
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
AhnLab V3 Internet Security 7.0 Platinum Enterprise
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
V3Pro 2004
6.x
yes (3.5.10.1)
yes (3.5.12)
yes
V3 VirusBlock 2005
6.x
yes (4.1.2.0)
yes (4.1.2.0)
-
avast! Antivirus
4.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
avast! Antivirus (managed)
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
avast! Antivirus Professional
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Active Virus Shield
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
AOL Safety and Security Center Virus Protection
102.x
yes (4.0.4.0)
yes (4.0.4.0)
-
AOL Safety and Security Center Virus Protection
1.x
yes (3.5.11.1)
yes (3.5.11.1)
-
AOL Safety and Security Center Virus Protection
210.x
yes (4.0.4.0)
yes (4.0.4.0)
-
AOL Safety and Security Center Virus Protection
2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Command Anti-Virus Enterprise
4.x
yes (3.5.0)
yes (3.5.0)
yes
Command AntiVirus for Windows
4.x
yes (3.5.0)
yes (3.5.0)
yes
Command AntiVirus for Windows Enterprise
4.x
yes (3.5.2)
yes (3.5.2)
yes
Cox High Speed Internet Security Suite
3.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
AVG 8.0 [AntiVirus]
8.x
yes (4.1.3.2)
-
yes
Avira AntiVir PersonalEdition Classic
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Avira AntiVir PersonalEdition Premium
7.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Avira AntiVir Windows Workstation
7.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Avira Premium Security Suite
7.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
Rising Antivirus Software AV
17.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
Rising Antivirus Software AV
18.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
Rising Antivirus Software AV
19.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Rising Antivirus Software AV
20.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BellSouth Internet Security Anti-Virus
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
BullGuard 7.0
7.x
yes (4.1.2.0)
yes (4.1.2.0)
-
BullGuard 8.0
8.x
yes (4.1.3.2)
yes (4.1.3.2)
-
Quick Heal AntiVirus Lite
9.5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Quick Heal AntiVirus Plus
9.5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
ZoneAlarm Anti-virus
7.0.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
ZoneAlarm Anti-virus
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm (AntiVirus)
7.0.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
ZoneAlarm (AntiVirus)
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Security Suite Antivirus
7.0.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
ZoneAlarm Security Suite Antivirus
7.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
ClamAV
devel-x
yes (4.0.6.0)
yes (4.0.6.0)
yes
ClamWin Antivirus
0.x
yes (3.5.2)
yes (3.5.2)
yes
ClamWin Free Antivirus
0.x
yes (3.5.4)
yes (3.5.4)
yes
CA Anti-Virus
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA Anti-Virus
9.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
CA eTrust Antivirus
7.x
yes (3.5.0)
yes (3.5.0)
yes
CA eTrust Internet Security Suite AntiVirus
7.x
yes (3.5.11)
yes (3.5.11)
yes
CA eTrustITM Agent
8.x
yes (3.5.12)
yes (3.5.12)
yes
eTrust Antivirus
6.0.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
eTrust EZ Antivirus
6.1.x
yes (3.5.3)
yes (3.5.8)
yes
eTrust EZ Antivirus
6.2.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
6.4.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
7.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Armor
6.1.x
yes (3.5.0)
yes (3.5.8)
yes
eTrust EZ Armor
6.2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eTrust EZ Armor
7.x
yes (3.5.0)
yes (3.5.0)
yes
Defender Pro Anti-Virus
5.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Aluria Security Center AntiVirus
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
EarthLink Protection Control Center AntiVirus
1.x
yes (3.5.10.1)
yes (3.5.10.1)
-
EarthLink Protection Control Center AntiVirus
2.x
yes (4.0.5.1)
yes (4.0.5.1)
-
EarthLink Protection Control Center AntiVirus
3.x
yes (4.1.3.0)
yes (4.1.3.0)
-
eEye Digital Security Blink Personal
3.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
eEye Digital Security Blink Professional
3.x
yes (4.0.6.0)
yes (4.0.6.0)
-
ESET NOD32 Antivirus
3.x
yes (4.1.3.2)
yes (4.1.3.2)
-
NOD32 antivirus system
2.x
yes (3.5.5)
yes (3.5.5)
yes
NOD32 antivirus system
x
yes (4.1.3.2)
yes (4.1.3.2)
yes
NOD32 antivirus System
x
yes (4.1.3.2)
yes (4.1.3.2)
yes
NOD32 Antivirus System
x
yes (4.1.3.2)
yes (4.1.3.2)
yes
FortiClient Consumer Edition
3.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
F-PROT Antivirus for Windows
6.0.x
yes (4.0.5.1)
yes (4.0.5.1)
-
F-Prot for Windows
3.14e
yes (3.5.0)
yes (3.5.0)
yes
F-Prot for Windows
3.15
yes (3.5.0)
yes (3.5.0)
yes
F-Prot for Windows
3.16c
yes (3.5.11)
yes (3.5.11)
yes
F-Prot for Windows
3.16d
yes (3.5.11)
yes (3.5.11)
yes
F-Prot for Windows
3.16x
yes (3.5.11.1)
yes (3.5.11.1)
yes
F-Secure Anti-Virus
5.x
yes (3.5.0)
yes (3.5.0)
yes
F-Secure Anti-Virus
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Anti-Virus
7.x
yes (4.0.4.0)
yes (4.0.4.0)
-
F-Secure Anti-Virus 2005
5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Anti-Virus Client Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Anti-Virus for Windows Servers
5.x
yes (4.1.3.2)
yes (4.1.3.2)
-
F-Secure Internet Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Internet Security
7.x
yes (4.0.4.0)
yes (4.0.4.0)
-
F-Secure Internet Security 2005
5.x
yes (4.1.3.0)
yes (4.1.3.0)
-
F-Secure Internet Security 2006 Beta
6.x
yes (3.5.8)
yes (3.5.8)
yes
AntiVirusKit 2006
2006.x
yes (4.1.0.0)
yes (4.1.0.0)
-
G DATA AntiVirus 2008
18.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
G DATA AntiVirusKit
17.x
yes (4.1.3.0)
yes (4.1.3.0)
-
G DATA InternetSecurity [Antivirus]
17.x
yes (4.1.3.0)
yes (4.1.3.0)
-
G DATA InternetSecurity [Antivirus]
18.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
G DATA TotalCare [Antivirus]
18.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Antivirussystem AVG 6.0
6.x
yes (3.5.0)
yes (3.5.0)
-
AVG 6.0 Anti-Virus - FREE Edition
6.x
yes (3.5.0)
yes (3.5.0)
-
AVG 6.0 Anti-Virus System
6.x
yes (3.5.0)
yes (3.5.0)
-
AVG 7.5
7.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
AVG Antivirensystem 7.0
7.x
yes (3.5.0)
yes (3.5.0)
yes
AVG Anti-Virus 7.0
7.x
yes (3.5.0)
yes (3.5.0)
yes
AVG Anti-Virus 7.1
7.x
yes (3.6.3.0)
yes (3.6.3.0)
yes
AVG Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
ViRobot Desktop
5.0.x
yes (4.0.5.1)
yes (4.0.5.1)
-
ViRobot Desktop
5.x
yes (4.1.3.0)
yes (4.1.3.0)
-
AntiVir PersonalEdition Classic Windows
7.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
AntiVir/XP
6.x
yes (3.5.0)
yes (3.5.0)
yes
IKARUS Guard NT
2.x
yes (4.0.6.0)
yes (4.0.6.0)
-
IKARUS virus utilities
5.x
yes (4.0.6.0)
yes (4.0.6.0)
-
Proventia Desktop
8.x
yes (4.0.6.0)
-
-
Proventia Desktop
9.x
yes (4.0.6.0)
yes (4.0.6.0)
-
Jiangmin AntiVirus KV2007
10.x
yes (4.1.3.0)
-
yes
Kaspersky Anti-Virus 2006 Beta
6.0.x
yes (3.5.8)
yes (3.5.8)
-
Kaspersky Anti-Virus 6.0
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Anti-Virus 6.0 Beta
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Anti-Virus 7.0
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Kaspersky Anti-Virus for Windows File Servers
5.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Kaspersky Anti-Virus for Windows File Servers
6.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Kaspersky Anti-Virus for Windows Servers
6.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Kaspersky Anti-Virus for Windows Workstations
5.0.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Kaspersky Anti-Virus for Windows Workstations
6.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
Kaspersky Anti-Virus for Workstation
5.0.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Kaspersky Anti-Virus Personal
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky Anti-Virus Personal
5.0.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky Anti-Virus Personal Pro
5.0.x
yes (3.5.11)
yes (3.5.11)
yes
Kaspersky Internet Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Internet Security 7.0
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Kaspersky Internet Security 8.0
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Kaspersky(TM) Anti-Virus Personal 4.5
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky(TM) Anti-Virus Personal Pro 4.5
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kingsoft AntiVirus 2004
2004.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kingsoft AntiVirus 2007 Free
2007.x
yes (4.1.3.2)
yes (4.1.3.2)
-
Kingsoft Internet Security
7.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
Kingsoft Internet Security 2006 +
2006.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee VirusScan Enterprise
8.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
McAfee VirusScan Home Edition
7.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
McAfee VirusScan Professional
8.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan Professional
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Professional
9.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
Total Protection for Small Business
4.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
McAfee Internet Security 6.0
8.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee Managed VirusScan
3.x
yes (3.5.8)
yes (3.5.8)
yes
McAfee Managed VirusScan
4.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
McAfee VirusScan
10.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee VirusScan
11.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee VirusScan
12.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
McAfee VirusScan
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
8.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
9.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan
9xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.0.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.1.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
Microsoft Forefront Client Security
1.5.x
yes (4.0.5.0)
yes (4.0.5.0)
-
Windows Live OneCare
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Windows Live OneCare
2.x
yes (4.1.3.2)
yes (4.1.3.2)
-
Windows OneCare Live
0.8.x
yes (3.5.11.1)
-
-
eScan Anti-Virus (AV) for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Corporate for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Internet Security for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Professional for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Virus Control (VC) for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norman Virus Control
5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Panda Antivirus 2007
2.x
yes (4.0.4.0)
yes (4.0.4.0)
-
Panda Antivirus 2008
3.x
yes (4.0.6.1)
yes (4.0.6.1)
-
Panda Antivirus 6.0 Platinum
6
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus + Firewall 2007
6.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Panda Antivirus + Firewall 2008
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Panda Antivirus Lite
1.x
yes (3.5.0)
yes (3.5.0)
-
Panda Antivirus Lite
3.x
yes (3.5.9)
yes (3.5.9)
-
Panda Antivirus Platinum
7.04.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus Platinum
7.05.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus Platinum
7.06.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Client Shield
4.x
yes (4.0.4.0)
yes (4.0.4.0)
-
Panda Internet Security 2007
11.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Panda Internet Security 2008
12.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Panda Platinum 2005 Internet Security
9.x
yes (3.5.3)
yes (3.5.3)
yes
Panda Platinum 2006 Internet Security
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Panda Platinum Internet Security
8.03.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium 2006 Antivirus + Antispyware
5.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
Panda Titanium Antivirus 2004
3.00.00
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium Antivirus 2004
3.01.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium Antivirus 2004
3.02.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Panda Titanium Antivirus 2005
4.x
yes (3.5.1)
yes (3.5.1)
yes
Panda TruPrevent Personal 2005
2.x
yes (3.5.3)
yes (3.5.3)
yes
Panda TruPrevent Personal 2006
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
WebAdmin Client Antivirus
3.x
yes (3.5.11)
yes (3.5.11)
-
PC Tools AntiVirus 2.0
2.x
yes (4.1.3.0)
yes (4.1.3.0)
-
PC Tools AntiVirus 2007
3.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
PC Tools AntiVirus 2008
4.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
PC Tools Internet Security [Antivirus]
5.x
yes (4.1.3.0)
yes (4.1.3.0)
-
PC Tools Spyware Doctor [Antivirus]
5.x
yes (4.1.3.2)
-
-
Spyware Doctor [Antivirus]
5.x
yes (4.1.3.2)
yes (4.1.3.2)
-
ThreatFire 3.0
3.x
yes (4.1.3.0)
-
-
Radialpoint Security Services Virus Protection
6.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Radialpoint Virus Protection
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Zero-Knowledge Systems Radialpoint Security Services Virus Protection
6.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Dr.Web
4.32.x
yes (3.5.0)
yes (3.5.0)
yes
Dr.Web
4.33.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
Dr.Web
4.44.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Sereniti Antivirus
1.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
The River Home Network Security Suite
1.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
BitDefender 8 Free Edition
8.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 8 Professional Plus
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 8 Standard
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 9 Internet Security AntiVirus
9.x
yes (3.5.11.1)
yes (3.5.11.1)
-
BitDefender 9 Professional Plus
9.x
yes (3.5.8)
yes (3.5.8)
yes
BitDefender 9 Standard
9.x
yes (3.5.8)
yes (3.5.8)
yes
BitDefender Antivirus 2008
11.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BitDefender Antivirus Plus v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Antivirus v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Client Professional Plus
8.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BitDefender Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Free Edition v10
10.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BitDefender Internet Security 2008
11.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BitDefender Internet Security v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Standard Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Total Security 2008
11.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Sophos Anti-Virus
3.x
yes (3.5.3)
yes (3.5.3)
-
Sophos Anti-Virus
4.x
yes (3.6.3.0)
yes (3.6.3.0)
-
Sophos Anti-Virus
5.x
yes (3.5.3)
yes (3.5.3)
yes
Sophos Anti-Virus
6.x
yes (4.0.1.0)
yes (4.0.1.0)
yes
Sophos Anti-Virus
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Sophos Anti-Virus version 3.80
3.8
yes (3.5.0)
yes (3.5.0)
-
Norton 360 (Symantec Corporation)
1.x
yes (4.1.1.0)
yes (4.1.1.0)
yes
Norton 360 (Symantec Corporation)
2.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Norton AntiVirus
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus
14.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norton AntiVirus
15.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Norton AntiVirus 2002
8.00.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton AntiVirus 2002 Professional
8.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002 Professional Edition
8.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional Edition
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 Professional
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 Professional Edition
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 (Symantec Corporation)
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2005
11.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2006
12.0.x
yes (3.5.5)
yes (3.5.5)
yes
Norton AntiVirus 2006
12.x
yes (3.5.5)
yes (3.5.5)
yes
Norton AntiVirus Corporate Edition
7.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
7.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.2.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
9.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
Norton Internet Security (Symantec Corporation)
10.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norton Security Scan
1.x
yes (4.1.3.0)
yes (4.1.3.0)
-
Norton SystemWorks 2003
6.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2004 Professional
7.x
yes (3.5.4)
yes (3.5.4)
yes
Norton SystemWorks 2005
8.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2005 Premier
8.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2006 Premier
12.0.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Symantec AntiVirus
10.x
yes (3.5.3)
yes (3.5.3)
yes
Symantec AntiVirus
9.x
yes (3.5.0)
yes (3.5.0)
yes
Symantec AntiVirus Client
8.x
yes (3.5.0)
yes (3.5.0)
yes
Symantec AntiVirus Server
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Symantec AntiVirus Win64
10.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Symantec Client Security
10.x
yes (3.5.3)
yes (3.5.3)
yes
Symantec Client Security
9.x
yes (3.5.0)
yes (3.5.0)
yes
Symantec Endpoint Protection
11.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Symantec Scan Engine
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
PC-cillin 2002
9.x
yes (3.5.1)
yes (3.5.1)
-
PC-cillin 2003
10.x
yes (3.5.0)
yes (3.5.0)
-
ServerProtect
5.x
yes (4.1.0.0)
yes (3.6.5.0)
-
Trend Micro Antivirus
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro AntiVirus
15.x
yes (3.6.5.0)
yes (3.6.5.0)
-
Trend Micro AntiVirus
16.x
yes (4.1.3.0)
yes (4.1.3.0)
-
Trend Micro Client/Server Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Trend Micro Client/Server Security Agent
7.x
yes (3.5.12)
yes (3.5.12)
yes
Trend Micro HouseCall
1.x
yes (4.0.1.0)
yes (4.0.1.0)
-
Trend Micro Internet Security
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro Internet Security
12.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
16.x
yes (4.1.3.0)
yes (4.1.3.0)
-
Trend Micro OfficeScan Client
5.x
yes (3.5.1)
yes (3.5.1)
yes
Trend Micro OfficeScan Client
6.x
yes (3.5.1)
yes (3.5.1)
yes
Trend Micro OfficeScan Client
7.x
yes (3.5.3)
yes (3.5.3)
yes
Trend Micro OfficeScan Client
8.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Trend Micro PC-cillin 2004
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro PC-cillin Internet Security 12
12.x
yes (4.0.1.0)
yes (4.0.1.0)
-
Trend Micro PC-cillin Internet Security 14
14.x
yes (4.0.1.0)
yes (4.0.1.0)
yes
Trend Micro PC-cillin Internet Security 2005
12.x
yes (3.5.3)
yes (3.5.3)
yes
Trend Micro PC-cillin Internet Security 2006
14.x
yes (3.5.8)
yes (3.5.8)
yes
Trend Micro PC-cillin Internet Security 2007
15.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Fix-It Utilities 7 Professional [AntiVirus]
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Fix-It Utilities 8 Professional [AntiVirus]
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
SystemSuite 7 Professional [AntiVirus]
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
SystemSuite 8 Professional [AntiVirus]
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
VCOM Fix-It Utilities Professional 6 [AntiVirus]
6.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
VCOM SystemSuite Professional 6 [AntiVirus]
6.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Verizon Internet Security Suite Anti-Virus
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
VirusBuster for Windows Servers
5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
VirusBuster Professional
5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Webroot Spy Sweeper Enterprise Client with AntiVirus
4.x
yes (4.1.3.2)
-
-
Webroot Spy Sweeper with AntiVirus
5.x
yes (4.1.3.0)
yes (4.1.3.0)
-
AT&T Yahoo! Online Protection [AntiVirus]
7.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
SBC Yahoo! Anti-Virus
7.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
Verizon Yahoo! Online Protection [AntiVirus]
7.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
ZoneAlarm Anti-virus
6.x
yes (3.5.5)
yes (3.5.5)
-
ZoneAlarm Security Suite
5.x
yes (3.5.0)
yes (3.5.0)
-
ZoneAlarm Security Suite
6.x
yes (3.5.5)
yes (3.5.5)
-
ZoneAlarm with Antivirus
5.x
yes (3.5.0)
yes (3.5.0)
-
1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server.) If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.
Clean Access AV Support Chart (Windows ME/98)
Table 7 lists Windows ME/98 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 6 for Windows Vista/XP/2000.)
Table 7 Clean Access Antivirus Product Support Chart (Windows ME/98)
Version 68, 4.1.3.2 Agent, CAM/CAS Release 4.1.3.1 (Sheet 1 of 2)
(Minimum Agent Version Needed)1Rising Antivirus Software AV
18.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
CA eTrust Antivirus
7.x
yes (3.5.3)
yes (3.5.3)
yes
eTrust EZ Antivirus
6.1.x
yes (3.5.0)
yes (3.5.8)
yes
eTrust EZ Antivirus
6.2.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
6.4.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
7.x
yes (3.5.3)
yes (3.5.3)
yes
eTrust EZ Armor
6.1.x
yes (3.5.3)
yes (3.5.8)
yes
McAfee Managed VirusScan
3.x
yes (3.5.8)
yes (3.5.8)
yes
McAfee VirusScan
10.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee VirusScan
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
8.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan
9.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional
8.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Professional
9.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
BitDefender 8 Free Edition
8.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 8 Professional Plus
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 8 Standard
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 9 Professional Plus
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 9 Standard
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Standard Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
Norton AntiVirus
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.00.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton AntiVirus 2003
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional Edition
9.x
yes (3.5.3)
yes (3.5.3)
yes
Norton AntiVirus 2004
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 (Symantec Corporation)
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2005
11.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.x
yes (3.5.1)
yes (3.5.1)
yes
Symantec AntiVirus
10.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Symantec AntiVirus
9.x
yes (3.5.8)
yes (3.5.3)
yes
Symantec AntiVirus Client
8.x
yes (3.5.9)
yes (3.5.9)
yes
PC-cillin 2003
10.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
11.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
12.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro OfficeScan Client
7.x
yes (4.0.5.0)
yes (4.0.5.0)
-
Trend Micro PC-cillin 2004
11.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro PC-cillin Internet Security 2005
12.x
yes (3.5.3)
yes (3.5.3)
-
1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server.) If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.
Clean Access AS Support Chart (Windows Vista/XP/2000)
Table 8 lists Windows Vista/XP/2000 Supported Antispyware Products as of the latest release of the Cisco Clean Access software.
Table 8 Clean Access Antispyware Product Support Chart (Windows Vista/XP/2000)
Version 68, 4.1.3.2 Agent, CAM/CAS Release 4.1.3.1 (Sheet 1 of 6)
(Minimum Agent Version Needed)1Outpost Firewall Pro 2008 [AntiSpyware]
6.x
yes (4.1.3.2)
yes (4.1.3.2)
-
AhnLab SpyZero 2.0
2.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
AhnLab SpyZero 2007
3.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
AhnLab V3 Internet Security 2007 Platinum AntiSpyware
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
AhnLab V3 Internet Security 2008 Platinum AntiSpyware
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
AhnLab V3 Internet Security 7.0 Platinum Enterprise AntiSpyware
7.x
yes (4.1.2.0)
yes (4.1.2.0)
yes
AOL Safety and Security Center Spyware Protection
2.0.x
yes (4.1.0.0)
-
-
AOL Safety and Security Center Spyware Protection
2.1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.3.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.x
yes (3.6.1.0)
yes (3.6.1.0)
-
AOL Spyware Protection
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
AOL Spyware Protection
2.x
yes (3.6.0.0)
yes (4.1.3.0)
-
Anonymizer Anti-Spyware
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Anonymizer Anti-Spyware
3.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Cox High Speed Internet Security Suite
3.x
yes (4.0.4.0)
-
yes
AVG 8.0 [AntiSpyware]
8.x
yes (4.1.3.2)
-
yes
BellSouth Internet Security Anti-Spyware
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
ZoneAlarm (AntiSpyware)
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Anti-Spyware
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Pro Antispyware
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Security Suite Antispyware
7.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
CA eTrust Internet Security Suite AntiSpyware
10.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
CA eTrust Internet Security Suite AntiSpyware
5.x
yes (3.6.1.0)
yes (3.6.1.0)
yes
CA eTrust Internet Security Suite AntiSpyware
8.x
yes (4.1.2.0)
yes (4.1.2.0)
yes
CA eTrust Internet Security Suite AntiSpyware
9.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA eTrust PestPatrol
5.x
yes (3.6.1.0)
yes (4.0.6.0)
yes
CA eTrust PestPatrol Anti-Spyware
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA eTrust PestPatrol Anti-Spyware Corporate Edition
5.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
PestPatrol Corporate Edition
4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
PestPatrol Standard Edition (Evaluation)
4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Aluria Security Center AntiSpyware
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
EarthLink Protection Control Center AntiSpyware
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
EarthLink Protection Control Center AntiSpyware
2.x
yes (4.0.6.0)
-
-
EarthLink Protection Control Center AntiSpyware
3.x
yes (4.1.3.0)
-
-
Primary Response SafeConnect
2.x
yes (3.6.5.0)
-
-
X-Cleaner Deluxe
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure (AntiSpyware)
7.x
yes (4.1.3.0)
yes (4.1.3.0)
-
F-Secure Internet Security (AntiSpyware)
7.x
yes (4.1.3.0)
yes (4.1.3.0)
-
AVG Anti-Malware [AntiSpyware]
7.x
yes (4.1.2.0)
-
-
AVG Anti-Spyware 7.5
7.x
yes (4.0.5.1)
yes (4.0.5.1)
-
STOPzilla
5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
SpywareBlaster v3.1
3.1.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.2
3.2.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.3
3.3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.4
3.4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.5.1
3.5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kingsoft AntiSpyware 2007 Free
2007.x
yes (4.1.3.2)
yes (4.1.3.2)
-
Kingsoft Internet Security [AntiSpyware]
7.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Ad-Aware 2007
7.x
yes (4.1.3.0)
-
-
Ad-Aware 2007 Professional
7.x
yes (4.0.6.1)
-
yes
Ad-aware 6 Professional
6.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Ad-Aware SE Personal
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Ad-Aware SE Professional
1.x
yes (3.6.1.0)
yes (3.6.1.0)
yes
McAfee AntiSpyware
1.5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware
1.x
yes (3.6.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware
2.0.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
McAfee AntiSpyware
2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware Enterprise
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee Anti-Spyware Enterprise Module
8.0.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
McAfee AntiSpyware Enterprise Module
8.5.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
McAfee VirusScan AS
11.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
McAfee VirusScan AS
12.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Spyware Begone
4.x
yes (3.6.0.0)
-
-
Spyware Begone
6.x
yes (4.1.0.0)
-
-
Spyware Begone
8.x
yes (4.1.0.0)
-
-
Spyware Begone Free Scan
7.x
yes (3.6.0.0)
-
-
Spyware Begone V7.30
7.30.x
yes (3.6.1.0)
-
-
Spyware Begone V7.40
7.40.x
yes (3.6.1.0)
-
-
Spyware Begone V7.95
7.95.x
yes (4.1.0.0)
-
-
Spyware Begone V8.20
8.20.x
yes (4.1.0.0)
-
-
Spyware Begone V8.25
8.25.x
yes (4.1.0.0)
-
-
Spyware Begone! Version 9
9.x
yes (4.1.3.2)
-
-
Microsoft AntiSpyware
1.x
yes (4.0.6.0)
-
yes
Windows Defender
1.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Windows Defender Vista
1.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Omniquad Total Security
2.0.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Panda Titanium 2006 Antivirus + Antispyware [AntiSpyware]
5.x
yes (4.1.3.2)
yes (4.1.3.2)
-
PC Tools Internet Security [Antispyware]
5.x
yes (4.1.3.0)
-
-
PC Tools Spyware Doctor
5.x
yes (4.1.3.2)
-
yes
Spyware Doctor
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor
5.x
yes (4.0.6.0)
-
yes
Spyware Doctor 3.0
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.1
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.2
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.5
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor 3.8
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor [AntiSpyware]
5.x
yes (4.1.3.2)
-
yes
Prevx1
1.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Prevx1
2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Prevx Home
2.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Radialpoint Security Services Spyware Protection
6.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Radialpoint Spyware Protection
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Zero-Knowledge Systems Radialpoint Security Services Spyware Protection
6.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
Spybot - Search & Destroy 1.3
1.3
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spybot - Search & Destroy 1.4
1.4
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spybot - Search & Destroy 1.5
1.x
yes (4.0.6.1)
yes (4.0.6.1)
-
Sereniti Antispyware
1.x
yes (4.0.6.0)
-
yes
The River Home Network Security Suite Antispyware
1.x
yes (4.0.6.0)
-
yes
BitDefender 9 Antispyware
9.x
yes (4.1.0.0)
yes (4.1.0.0)
-
BitDefender 9 Internet Security AS
9.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BitDefender Antivirus Plus v10 AS
10.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BitDefender Antivirus v10 AS
10.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BitDefender Internet Security v10 AS
10.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
CounterSpy Enterprise Agent
1.8.x
yes (4.0.6.0)
-
-
CounterSpy Enterprise Agent
2.0.x
yes (4.1.3.0)
-
-
Sunbelt CounterSpy
1.x
yes (3.6.0.0)
-
yes
Sunbelt CounterSpy
2.x
yes (4.0.6.0)
-
yes
Norton Internet Security AntiSpyware
15.x
yes (4.1.3.0)
-
-
Norton Spyware Scan
2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Trend Micro Anti-Spyware
3.5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Trend Micro Anti-Spyware
3.x
yes (3.6.0.0)
-
-
Trend Micro PC-cillin Internet Security 2007 AntiSpyware
15.x
yes (4.1.0.0)
yes (4.1.3.2)
yes
Fix-It Utilities 7 Professional [AntiSpyware]
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Fix-It Utilities 8 Professional [AntiSpyware]
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
SystemSuite 7 Professional [AntiSpyware]
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
SystemSuite 8 Professional [AntiSpyware]
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
VCOM Fix-It Utilities Professional 6 [AntiSpyware]
6.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
VCOM SystemSuite Professional 6 [AntiSpyware]
6.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Verizon Internet Security Suite Anti-Spyware
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Spy Sweeper
3.x
yes (3.6.0.0)
-
-
Spy Sweeper
4.x
yes (3.6.0.0)
-
-
Spy Sweeper
5.0.x
yes (4.1.3.0)
-
-
Spy Sweeper
5.x
yes (4.1.0.0)
-
-
Webroot Spy Sweeper Enterprise Client
1.x
yes (3.6.0.0)
-
-
Webroot Spy Sweeper Enterprise Client
2.x
yes (3.6.1.0)
-
-
Webroot Spy Sweeper Enterprise Client
3.5.x
yes (4.1.3.2)
-
-
Webroot Spy Sweeper Enterprise Client
3.x
yes (4.0.5.1)
-
-
AT&T Yahoo! Online Protection
2006.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
CA Yahoo! Anti-Spy
2.x
yes (4.1.3.2)
-
-
SBC Yahoo! Applications
2005.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Verizon Yahoo! Online Protection
2005.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Yahoo! Anti-Spy
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Integrity Agent
6.x
yes (4.1.2.0)
yes (4.1.2.0)
-
1 "Yes" in the AS Checks Supported columns indicates the Agent supports the AS Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AS Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AS product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
Supported AV/AS Product List Version Summary
Table 9 details enhancements made per version of the Supported Antivirus/Antispyware Product List. See Clean Access Supported AV/AS Product List for the latest Supported AV list as of the latest release. See New and Changed Information for the release feature list.
Caveats
This section describes the following caveats:
•
•
•
•
•
•
•
Note
http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 4.1(3)
Note
Table 10 List of Open Caveats (Sheet 1 of 8)
CSCsd03509
No
The Time Servers setting is not updated in HA-Standby CAM web console
After updating the "Time Servers" setting in HA-Primary CAM, the counterpart "Time Servers" setting for the HA-Standby CAM does not get updated in the web console even though the "Time Servers" setting is updated in the HA-Standby CAM database.
CSCsd90433
No
Apache does not start on HA-Standby CAM after heartbeat link is restored.
Output from the fostate.sh command shows "My node is standby without web console, peer node is active."
CSCse86581
No
Agent does not correctly recognize def versions on the following Trend AV products:
•
•
•
Tested Clients:
•
•
•
•
CSCsg07369
No
Incorrect "IP lease total" displayed on editing manually created subnets
Steps to reproduce:
1. Add a Managed Subnet having at least 2500+ IP addresses (for example 10.101.0.1/255.255.240.0) using CAM web page Device Management > Clean Access Servers > Manage [IP Address] > Advanced > Managed Subnet.
2. Create a DHCP subnet with 2500+ hosts using CAM web page Device Management > Clean Access Servers > Manage [IP Address] > Network > DHCP > Subnet List > New.
3. Edit the newly created subnet using CAM web page Device Management > Clean Access Servers > Manage [IP Address] > Network > DHCP > Subnet List > Edit.
4. Click Update. The CAM displays a warning informing the administrator that the current IP Range brings IP lease total up to a number that is incorrect. The CAM counts the IP address in the subnet twice, creating the incorrect count.
The issue is judged to be cosmetic and does not affect DHCP functionality.
CSCsg66511
No
Configuring HA-failover synchronization settings on Secondary CAS takes an extremely long time
Once you have configured the Secondary CAS HA attributes and click Update, it can take around 3 minutes for the browser to get the response from the server. (Configuring HA-failover synchronization on the Primary CAS is nearly instantaneous.)
CSCsh77730
No
Clean Access Agent locks up when greyed out OK button is pressed
The Clean Access Agent locks up when the client machine refreshes its IP address. This only occurs when doing an IP release/renew, so the CAS must be in an OOB setup.
If the Automatically close login success screen after <x> secs option is enabled and the duration set to 0 (instantaneous) in the Clean Access > General Setup > Agent Login page and the user clicks on the greyed out OK button while the IP address is refreshing, the Clean Access Agent locks up after refreshing the IP address. The IP address is refreshed and everything else on the client machine works, but the user cannot close the Clean Access Agent without exiting via the system tray icon, thus "killing" the Agent process.
Workaround: Either uncheck the box or set that timer to a non-zero value. If it is set to anything else, and the user hits the greyed out OK button while the IP is refreshing, then the Agent window closes successfully.
CSCsi07595
No
DST fix will not take effect if generic MST, EST, HST, etc. options are specified
Due to a Java runtime implementation, the DST 2007 fix does not take effect for Cisco NAC Appliances that are using generic time zone options such as "EST," "HST," or "MST" on the CAM/CAS UI time settings.
Workaround
If your CAM/CAS machine time zone setting is currently specified via the UI using a generic option such as "EST," "HST," or "MST." change this to a location/city combination, such as "America/Denver."
Note
CSCsk55292
No
Agent not added to system tray during boot up
When the Agent is installed on a Windows client, the Start menu is updated and Windows tries to contact AD (in some cases where the AD credentials are expired) to refresh the Start menu.
Due to the fact that the client machine is still in the Unauthenticated role, AD cannot be contacted and an approximately 60 second timeout ensues, during which the Windows taskbar elements (Start menu, System Tray, and Task Bar) are locked. As a result, the Agent displays a "Failed to add Clean Access Agent icon to taskbar status area" error message.
Workaround
•
•
CSCsk58244
No
Clean Access Report for WSUS shows failed
This situation applies to Windows XP and Windows Vista client machines. The Agent report on the CAM does not show any on the updates required for the client.
CSCsl00736
No
Download of the Cisco NAC Web Agent fails if the link speed is below 50Kbits/s
Note
CSCsl13782
No
Microsoft Internet Explorer 7.0 browser pop-ups on Windows Vista launched from the Summary Report appear behind the Summary Report window
This is also seen when you click on the Policy link in the Policy window. This issue appears on Vista Ultimate and Vista Home, but is not seen with Firefox or on Internet Explorer versions running in Windows 2000 or Windows XP.
Note
CSCsl71585
No
DHCP status does not display non-restricted scope with Relay IP restriction
When a DHCP range with no restrictions and a DHCP range with a Relay-IP restriction are created using the Clean Access Manager (CAM) GUI, the DHCP range with no restrictions does not display.
Steps to reproduce:
1. Create a DHCP scope with no restriction, either VLAN ID or Relay-IP on the CAS using the CAM GUI.
2. Add a static route on the CAS using the CAM GUI.
3. Create another DHCP scope with a relay-IP restriction.
4. Go to the DHCP Status web page. The web page only displays the IPs for the relay-IP restriction and does not display the non-restricted IP scope.Workaround: Avoid creating DHCP scopes having both no restrictions and Relay-IP restrictions.
Note
CSCsl17379
No
Multiple Clean Access Agent pop-ups with Multi NIC in L2 VGW OOB role-based VLAN
The user sees multiple Clean Access Agent login dialogs with two or more active NICs on the same client machine pointing to the Unauthenticated network access point (eth1 IP address).
After the first Clean Access Agent pops up and the user logs in, a second Agent login dialog pops up. If the user logs in to this additional Agent instantiation there are now two entries for the same system with both MAC addresses in the CAM's Certified Device List and Online Users List.
Workaround
The user can manually Disable Agent login pop-up after authentication.
CSCsl22653
No
Mac OS X Agent running on 10.2 does not display green colored icons in places like the "About Us" dialog in the Finder.
CSCsl22774
No
Incorrect download filename perfigo_dm_enforce.jsp for the 10.2 version of the Mac OS X Agent
The filename for the agent download file should be "CCAAgent_MacOSX.tar," similar to that in versions 10.3, 10.4, and 10.5.
CSCsl40626
No
Cisco NAC Web Agent should handle certificate revocation dialogs similar to Clean Access Agent
Upon logging in via the Cisco NAC Web Agent (with certificate revocation turned on or with Norton 360 installed), the user is presented with a "Revocation information for the security certificate for this site is not available. Do you want to proceed?" dialog box several times (approximately 40 to 50 times). If the user clicks Yes to proceed enough times, the Web Agent fails to login and reports "You will not be allowed to access the network due to internal error. Please contact your administrator." back to the user.
CSCsl40812
No
The Refresh Windows domain group policy after login option is not functioning for Cisco NAC Web Agent
(It is working fine with the Clean Access Agent.)
This scenario was tested configuring a GPO policy for a Microsoft Internet Explorer browser title. The browser was not refreshed as expected after login in using the Web Agent.
CSCsl75403
No
MAC filter does not work for Macintosh client machines connected to the network in VPN environment
Steps to reproduce:
1. Setup a VPN environment.
2. Get the MAC address of the en0 interface of Macintosh client machine.
3. Put the MAC address in the CAM device filter list with "Deny" access type.
4. Connect the Macintosh client machine to the VPN concentrator.
5. Agent will be allowed to perform VPN SSO [or present login page if no VPN SSO is configured].
6. Traffic originating from the client machine on the untrusted network is allowed to go to the trusted network even though the MAC address of the client machine is denied in the device filter list.CSCsl77701
No
Network Error dialog appears during CAS HA failover
When a user is logged in as ADSSO user on CAS HA system and the CAS experiences a failover event, the user sees is a pop-up message reading, "Network Error! Detail: The network cannot be accessed because your machine cannot connect to the default gateway. Please release/renew IP address manually."
This is not an error message and the user is still logged in to the system. The user simply needs to click on the Close button to continue normal operation.
CSCsl88429
No
User sees Invalid session after pressing [F5] following Temporary role time-out
When a user presses [F5] or [Refresh] to refresh the web page after the Agent Temporary role access timer has expired, the user sees an "Invalid" session message. If the user then attempts to navigate to the originally requested web address, they are prompted with the web login page again and are able to log in.
CSCsl88627
No
Description of removesubnet has "updatesubnet" in op field
The removesubnet API function description has "updatesubnet" listed in its operations field. The description should read "removesubnet."
CSCsm20254
No
CAS duplicates HSRP packets with Cisco NAC Profiler Collector Modules enabled.
SymptomHSRP duplicate frames are sent by CAS in Real-IP Gateway with Collector modules enabled. This causes HSRP issues and the default gateway to go down.
ConditionsReal-IP Gateway and Collector modules enabled on a CAS with ETH0 and or ETH1 configured for NetWatch.
WorkaroundDo not configure the CAS' ETH0 trusted interface or ETH1 untrusted interface in the NetWatch configuration settings for the CAS Collector. It is not a supported configuration.
CSCsm20655
No
Can not do a minor upgrade for Clean Access Agent from MSI package.
When CCAAgent.msi is used and the Clean Access Agent is upgraded to a minor version (e.g. 4.1.2.1 to 4.1.2.2) the following error message will be displayed:
"Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs on the Control Panel."
Reason: Windows Installer uses only the first three fields of the product version. When a fourth field is included in the product version, the installer ignores the fourth field. For details refer to http://msdn2.microsoft.com/en-us/library/aa370859(VS.85).aspx
Workaround
Uninstall the program from Add/Remove Programs before installing it.
CSCsm25788
No
Avast 4.7 showing as not up to date with Cisco NAC Appliance Release 4.1(3)
User is told that Avast needs to be updated, but shows as up to date. This occurs when user is running Avast 4.7 and the Agent version is 4.1.3.0 or 4.1.3.1
Workaround
Create a custom check for Avast that allows the users on without verifying the definition version.
CSCsm53743
No
File ownership of Mac OS X Agent directory and related files should be corrected
File ownership of Mac OS X Agent and related files should be "root:admin."
Currently, the file ownership is with UID 505 and GID 505. Anyone able to assume this UID could potentially modify the Agent application files and introduce a security threat.
CSCsm76779
No
CSRF tag is added to CAS specific MAC Device Filter description field upon edit
Steps to reproduce:
1.
2.
"<a href='http://www.cisco.com'>Cisco</a>"3.
Subsequent entry updates also append the same CSRF tag each time the administrator edits the description. After editing the description 3 times, however, the entry can no longer be edited and the CAS returns an "Updating device MAC failed" error message.
Note
CSCsm79088
No
Mac OS X Agent reports "Unknown user" when sending the second logout request
The Mac OS X Agent specifies an "Unknown user" when it sends a second logout request before receiving a response from the first logout request.
Steps to reproduce:
1.
2.
3.
The Mac Agent displays a "Cisco Clean Access Agent is having a difficulty with the server. Unknown user." error message, resulting in a situation where the client machine no longer appears in the CAM's Online Users list even though the Agent indicates that the user is logged in. In this situation, the Mac Agent essentially "freezes" as the user is no longer able to log out, ether.
Resolved Caveats - Windows Clean Access Agent 4.1.3.2
Refer to Windows Clean Access Agent Version 4.1.3.2 for additional information.
Resolved Caveats - Mac OS X Agent 4.1.3.1
Refer to Mac OS X Clean Access Agent Version 4.1.3.1 for additional information.
Resolved Caveats - Release 4.1.3.1
Refer to Enhancements in Release 4.1.3.1 for additional information.
Table 13 List of Closed Caveats
CSCsm13673
Yes
CAM 4.1(3) upgrade from release 4.0(x) and 3.6(x) takes too long with too many Agent reports
Clean Access Manager (CAM) 4.1(3) upgrade from Cisco NAC Appliance release 4.0(x) and 3.6(x) should not take too long with too many Clean Access Agent reports. The upgrade can take over 90 minutes on a Cisco NAC-3310 appliance with 30,000 Agent reports in the CAM database before the upgrade.
CSCsm27731
Yes
CAM should not send Auth VLAN set request when receiving MAC move notification
Normally, when the CAM receives a MAC move notification, the CAM consults the client database to deduce the original managed port from which the MAC address first became known on the system, and set the port VLAN to Authentication VLAN.
This operation can cause problems in certain situations. If, for example, the port over which the client first authenticated and the port to which the client is moving (per the MAC move notification SNMP trap) are same, the CAM assigns the Authentication VLAN to the port even though the client MAC address has already been certified.
Although the period of time that the port remains assigned to the Authentication VLAN is very short:
•
•
CSCsm55679
Yes
CSRF tag is added to a global MAC device filter's description when edited
If the description of a global MAC filter contains a single quote (`) and you edit the description entry in the CAM web console, a CSRF tag is appended to the description when you save the changes. (The same CSRF tag is appended every time you edit and save the filter from the CAM web console.)
Note
Resolved Caveats - Cisco NAC Web Agent 4.1.3.10
Refer to Cisco NAC Web Agent Version 4.1.3.10 for additional information.
Resolved Caveats - Windows Clean Access Agent 4.1.3.1
Refer to Windows Clean Access Agent Version 4.1.3.1 for additional information.
Resolved Caveats - Release 4.1(3)
Note
Table 16 List of Closed Caveats (Sheet 1 of 12)
CSCpe00141
Yes
Agent does not support multiple NICs to Cisco NAC Appliance
If a client machine is connected to the wired network and a wireless card pointing to the same CAS eth1 address is also enabled, the Agent login dialog keeps popping up, even though you have logged on the wired network. And if you logged on again on the wireless, then it will still continue to popup endlessly until you disable the second NIC.
CSCse63299
Yes
DHCP slp-directory-agent option not recognized
This issue is specific to Cisco NAC Appliance release 4.0(x) where the administrator tries to enable the "slp-directory-agent" on a CAS deployed in Real-IP mode is also set up to be the DHCP server.
Regardless of which string the administrator enters for the option, it is not enabled and the "Option type boolean-ip-address not known" error message is displayed.
CSCse91057
Yes
Non-existent serial ports should not be displayed in HA-Failover setting
Selecting non-existent serial ports for heartbeat communication while configuring high-availability causes the Cisco Clean Access (CCA) machine, either Clean Access Manager (CAM) or Clean Access Server (CAS), not to boot up completely. HA needs to be configured with heartbeat configured on a non-existent serial port and CCA machine should be rebooted for this issue to be observed. If a non-existent serial port is selected for heartbeat serial interface, the CCA machine cannot boot up completely since service perfigo does not start and will wait indefinitely to open the serial port for heartbeat communication on the serial port.
Workaround:1. SSH to CAM and move the files configured for HA to a different location using the following commands
mv /etc/ha.d/perfigo.conf /tmp
mv /etc/ha.d/ha.cf /tmp
2. Reboot the box:
reboot
3. Re-configure HA.CSCsf19976
Yes
Changing hostname causes HA not come up
On a working HA config if you change the hostname of one of the HA pairs and then reboot the box. The change in the hostname is not automatically propagated to the ha.cf file.
So, even if you change the hostname on the peer to the correct value and reboot the peer, HA does not come up. Primary (where name was changed) remains in stand alone mode. The logs on primary say that ha.cf does not have the correct hostname.
Workaround
Go to the HA name on the device (where the name was changed) and just click Update (even though settings are not changed). Then reboot and HA comes up.
CSCsf98683
Yes
CAM does not send Class attribute in RADIUS accounting
The CAM does not include the Class attribute when transmitting user login account information to a RADIUS server.
CSCsg32944
Yes
Active Directory SSO Service does not start when you reboot a CAS in HA mode
This issue is only seen in HA.
CAS-HA mechanism does not initialize the AD service completely on failover. So the SSO service remains as what its previous state was when perfigo service is started.
Sometimes on rebooting the CAS, the Active Directory SSO service does not get started automatically. You have to go to CCA Servers > Manage > Authentication > Windows Auth > Active Directory SSO and manually click the update button to start the service.
The problem is random in nature and is only seen sometimes. It appears to be a timing issue on some boxes where the KRB-Request packet from CAS does not leave the box because some network resource is not available in a timely fashion.
CSCsg38702
Yes
Agent does not recognize Japanese Trend AV installation.
Agent properties shows "Product Name" garbled.Client OS affected:
•
•
AV product affected:
•
(US Product Name: Trend Micro OfficeScan Client)To reproduce, create a new AV rule with the following attributes:
•
•
•
•
CSCsg98960
Yes
The Cisco NAC Appliance Release 4.1(1) installer does not recognize certain SCSI drives
When you install release 4.1(1) code (either CAM or CAS) on certain hardware with SCSI drives, the installation process fails and displays the following message:
"An error has occurred - no valid devices were found on which to create new filesystems. Please check your hardware for the cause of the problem"
Workaround
At the boot prompt that appears during installation, enter "DL140" and then press <Enter>.
Cisco Clean Access Installer (C) 2006 Cisco Systems, Inc.Welcome to the Cisco Clean Access Installer!- To install a Cisco Clean Access device, press the <ENTER> key.- To install a Cisco Clean Access device over a serial console, enter serial at the boot prompt and press the <ENTER> key.boot: DL140Note
CSCsh84260
Yes
User gets redirected to CAS after successful web login using a Safari browser in Mac OS X
When functioning normally, a Mac OS X client browser opens another window that displays the original URL requested at login following successful authentication. The issue in this case, however, is that the Safari 2.0.3 browser on the client opens another window displaying the CAS web login form over again.
CSCsi33630
Yes
CAM/CAS should not pull all old data when getting support logs
When the option to download the support logs from the Clean Access Manager and/or Clean Access Server is used download a .tar archive of the logs, the entire history of that CAM or CAS is downloaded resulting in massive log files with very little relevant content which are downloaded by the customer and sent to Cisco TAC to troubleshoot the Clean Access system.
CSCsi44112
Yes
'service perfigo config' wipes secondary dns servers and host name
'service perfigo config' does not preserve search domain and secondary DNS servers in file /etc/resolv.conf.
If a host domain and more than one DNS server has been entered in the CAM Web Console, these entries are wiped even if the DNS server entry is not modified.
At this point, service perfigo config does not prompt for a host domain value and deletes the entry without verification.
CSCsi47547
Yes
AD SSO does not work if the CAS Account Password contains "()"
When CAS account password contains parentheses "()", the AD SSO service does not start after entering the "Service perfigo restart" command.
CSCsi62063
Yes
SSLVPN Single Sign On with ISR is unsuccessful
The user can log onto the SSLVPN gateway, but is then asked for logon credentials again when trying to access the trusted network.
CSCsi75692
Yes
HTTP 500 error when attempting to upload a file to CAS
When the administrator tries to upload a file to the CAS via the CAM web console, the CAM returns an HTTP 500 error message. This error appears when the admin chooses Authentication > Login Page and clicks File Upload when managing the CAS from the CAM web console.
Note
CSCsi78024
Yes
Guest Access option fails if the provider option is not Local DB
Under Web Login page, the Guest Access option does not work if the Provider is anything other than the local database. To enable the Guest option, change the Provider to "Local DB" and click the Guest Access button.
CSCsi79315
Yes
Nessus Scanner: unable to update "SMB domain (optional)" value
Administrators cannot update or remove the preference value for the SMB domain specified under Device Management > Clean Access > Network Scanner > Options > "Login Configurations" Category > Preference Name SMB.
CSCsi83381
Yes
Clean Access presents an erroneous popup window when case-insensitive is enabled
When the Case-Insensitive option under a user role is enabled, the Clean Access system returns a popup window for users after they log in through the web interface.
CSCsi90893
Yes
No message goes to perfigo-log when user cannot add CAS to CAM
When a user exceeds the maximum number of CAS licenses or there is no CAS license present, the Clean Access system logs an entry in the event log, but not in the perfigo-log. For consistency and ease of troubleshooting, both logs should feature the event as most other CAS/CAM issues are already logged in both places.
CSCsi94224
Yes
When setting up mapping rules for AD SSO where multiple VLANs are also added to the rule, the Clean Access system returns an Internal Server Error.
CSCsi97216
Yes
CAM does not change port to Authentication VLAN when Certified Devices List is cleared using a port bounce
When the CDL is cleared, the CAM does one of the following, depending on the Remove out-of-band online user without bouncing the port profile setting:
•
•
The CAM must change the port to the Authentication VLAN every time the CDL is cleared (i.e., when user is removed from the Online Users list) regardless of whether the port is bounced or not.
CSCsj00939
Yes
Non-URL right frame content not displayed to end users
When using a Frame-based design for the login page, the content on the right frame is not displayed to the end user when the content is HTML or text entered in the CAM web console page. Although the preview displays correctly (as preview is from the CAM), the end user does not see the content on the right frame when it is presented from the CAS.
Workaround options
1.
Note
2.
CSCsj05227
Yes
OOB VGW controlling native VLAN can cause intermittent connectivity
An OOB virtual gateway CAS managing client access via changing a "dot1x" trunk VLAN (rather than the much more common practice of changing the client access VLAN) can introduce connectivity issues due to a potential ARP request loop condition.
The Cisco NAC Appliance system introduces a condition where the ARP request is looped back to the switch from which the request originated. If this repeat packet reaches the client machine before the ARP reply, the client may never receive the ARP reply.
One potential solution is to block broadcasts from the trusted to the untrusted interface originating from the specified client IP or MAC addresses that are already associated with the Access VLAN. This scenario, however, could potentially deny traffic (including DHCP) when users log in from another physical location.
CSCsj05741
Yes
Spaces in Distinguished Name (DN) cause LDAP authentication failure
When attempting an auth test with an LDAP provider, if the DN contains a space, the auth fails and returns a "LDAP: error code 49" message. The space can be anywhere in the DN, and is represented with the %20 escape character found in the perfigo-log.
Note
CSCsj08474
Yes
Release 4.0(x) does not allow same default gateway for multiple subnets
A check was added in release 4.0(x) to prevent administrators from specifying the same default gateway for more than one IP subnet range in the DHCP subnet list. This check can prove problematic for customers upgrading to 4.0(x) from 3.5.7 out of necessity to support Windows Vista because they must modify the setup to have a separate default gateway/VLAN for every /24 network, which can place additional routing burden on CAS.
CSCsj08522
Yes
HA-CAM should check the database schema before sync to prevent corruption
When an administrator upgrades between various 4.x.x releases of CCA and leaves the secondary CAM up during upgrade, the database can become corrupted.
CSCsj13933
Yes
New AV Rules does not work for Japanese Trend Micro AV
When a New AV Rule is created for Japanese Trend Micro under Clean Access > Clean Access Agent > Rules > New AV Rule > Antivirus Vendor: Trend Micro, Inc., Type: "Installation" & "Virus Definition", the created rule does not work (always fails) for AV product Japanese Trend Micro AV.
CSCsj15078
Yes
VLAN profile should accept wildcard specified in port profile
Administrators can enter port profile VLAN names using wildcards, but Cisco NAC Appliance only uses the wildcard on the switch, not the local VLAN profile.
CSCsj18239
Yes
Requirement Description field does not allow double-quotes When adding a description to a requirement if double quotes are used any text after the first double quote will be removed after a save. Also the text will not be included in the agent report.
Single quotes are acceptable.
CSCsj29701
Yes
Agent may pop up again after login in OOB deployment
In an OOB deployment, the Agent login screen may pop up again after login when it gets a SWISS response between successful login and the CAMs authorization-to-access VLAN change. During this period, SWISS thinks Agent is not authenticated and continues sending UDP discovery packets while the CAM is about to set the access VLAN for the Agent.
CSCsj33552
Yes
fostate.sh shows incorrect UI status
The fostate.sh command displays a result of "My node is standby without web console, peer node is active" when the web console is unavailable. This occurs after the standby CAM recovers from an active-active CAM HA status.
Steps to reproduce
1. Unplug the heartbeat interface of the CAM HA pair.
2. Both CAMs become active.
3. Reconnect the heartbeat interface.
4. The new standby CAM will show "My node is standby without web console, peer node is active", but actually the web console is unavailable.Workaround
Reboot the standby CAM to start the web console and correct the status.
CSCsj36082
Yes
Device Filter assigns incorrect user role
With Device Filters configured for MAC addresses in the network, the Clean Access system assigns incorrect roles to user profiles.
CSCsj36576
Yes
VLAN Passthrough should be disabled in Real-IP Gateway mode
Pass through VLAN ID to trusted network is not a valid setting for Real-IP Gateway mode and should be either greyed out or hidden when the CAS is configured as a Real-IP Gateway.
Note
CSCsj49408
Yes
Clean Access Agent lists Microsoft Forefront as an "Unknown" Microsoft Product
Clean Access Agent 4.0.5.1 and 4.1.1.0 do not properly detect the Microsoft Forefront Client even though it is listed as a supported product for these platforms.
CSCsj50387
Yes
AD SSO service may stop on the CAS if the DC has dynamic IP
When the "Domain" option is selected for Windows Authentication, the CAS does not query DNS for the domain once the TGT is expired. If the DC IP address changes during this time, the ADSSO service fails because the CAS tries to connect using the old IP address.
CSCsj54337
Yes
No guest access for PocketPC devices
Customer has a wireless PocketPC devices connected for guest access. Cisco NAC Appliance displays the web login page that the administrator has configured, but the guest access button i only appears as text. (There is no button to click to continue the authentication process.)
CSCsj62927
Yes
ADSSO service stops on the CAS if the CAS Admin password is changed
CSCsj76706
Yes
Clicking refresh on the switch management screen can reset all parameters to factory default settings
Clicking the Refresh button repeatedly on the browser while editing an OOB switch in a Virtual Gateway environment eventually results in an "Unable to control this switch" error message and the switch is reset to default values.
CSCsj84398
Yes
"hda" error appears with specific Seagate hard drive model on Cisco NAC-3310
An "hda" error message shows up on Cisco NAC-3310s with a specific Seagate hard drive model. (A known test issue was discovered and recorded with the Seagate hard drive model ST380815AS featuring "HPFO" firmware.)
As a result, the following error message appears on the user console and is logged in the /var/log/messages file:
hda: status timeout: status=0xd0 { Busy }ide: failed opcode was: unknownhda: no DRQ after issuing MULTWRITE_EXTide0: reset: successCSCsk05330
Yes
Clean Access Agent does not work in 64-bit Windows operating systems
CSCsk07841
Yes
AD/LDAP Auth test does not display all attributes used for mapping
CSCsk08870
Yes
Web proxy settings are erroneously cached
The proxy password update fails when the proxy password expires and is changed in a Cisco NAC Appliance system using basic authentication.
Note
CSCsk09542
Yes
Subnet filter allows a space at the end of the network address
Under Device Management > Filters > Subnets, the user interface allows you to add subnet address with a space at the end.
When CAM publishes the configuration, you should see the following error in write handler "'publish_add' for 'Filter_table::Linear IP Filter2' argument 2 takes IP addresses"
CSCsk11463
Yes
4.1.2.0 Mac OS X Agent does not start on login
CSCsk15081
Yes
Apple iPhone should not be categorized as Mac OS X
Apple iPhone users are categorized as Mac OS X users (in the online user list, for example). Because the Mac Agent does not support iPhone, we should not categorize iPhone users as Mac OS X.
CSCsk18401
Yes
Clean Access Agent incorrectly categorizes the Windows Vista "32-bit" operating system as "64-bit"
An installed 32-bit Windows Vista Agents appears to be a "64-bit" Agent in the debug log. The operating system also appears incorrectly in the CAM Online User list, Agent report file, and Agent debug logs.
CSCsk20213
Yes
The Windows Vista Clean Access Agent fails Windows Update check in the Korean time zone
The Clean Access Agent for clients running the Windows Vista operating system fail the Windows Update check because the Agent and operating system use different delimiters for date formats. (The Windows Vista operating system uses a (yyyy-mm-dd) date format while the Clean Access Agent uses (yyyy/mm/dd).
CSCsk31476
Yes
Windows Server Update Services Requirement "Show UI" option not working on Windows XP client machines
When you configure the Windows Server Update Services (WSUS) Requirement to show the update interface session to users with the "Show UI" Installation Wizard Interface Setting, Windows XP client machines install the latest windows update software (currently wuaueng.dll version 7.0.6000.381), but the Clean Access Agent only displays a grey window instead of the expected "Download and Install Updates" window.
Workaround
To avoid this issue, be sure to specify "No UI" for the Installation Wizard Interface Setting on your CAM's Windows Server Update Services Requirement configuration page (Device Management > Clean Access > Clean Access Agent > Requirements > New/Edit).
CSCsk35149
Yes
Cisco NAC Appliance needs an error check to see if the server is reachable
This situation applies to the Clean Access Agent as well as CAM and CAS, where the report on the CAM either indicates a failure with no accompanying information, or indicates a failure with the messages "Failed to find Windows Updates" and "Missing Windows updates: 0."
CSCsk46439
Yes
Clean Access Server does not replicate all CAM settings
Not all parameters are properly replicated to the secondary CAS when configuring an HA pair.
CSCsk46672
Yes
CAS stops listening on 8910 after threads in CLOSE_WAIT state
The Agent cannot perform AD SSO when the CAS is no longer listening on port 8910 due to a large number of threads in CLOSE_WAIT state.
Workaround
Under Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows Auth, click Update on the SSO service to flush the CLOSE_WAIT states.
Note
CSCsk53735
Yes
Trend Micro Client/Server Security Agent 7.6 not detected
The Cisco NAC Appliance release 4.1(2) Agent does not correctly detect version 7.6 of the Trend Micro Client Security Agent.
CSCsk58244
Yes
Clean Access Report for WSUS shows failed
This situation applies to Windows XP and Windows Vista client machines. The Agent report on the CAM does not show any on the updates required for the client.
CSCsk66548
Yes
Ports revert to default profile values if the CAM fails to appropriately retrieve the port list from the switch.
CSCsk83429
Yes
Vista client machines are not able to renew their IP address if UAC is enabled
When using the 4.12.1 Clean Access Agent on a Vista client in an OOB setup, the client machine should receive a new IP address when it moves to a different VLAN, but the client is unable to refresh the IP address if UAC (Vista User Account Control) is enabled. Once UAC is disabled, the client is able to successfully retrieve the new IP address.
CSCsk88803
Yes
Cannot enter quotations when configuring Launch Program requirement
If you configure a Launch Programs requirement type to start a service on a client and use the "net start" command, you need to use quotations if the Service Name is more than one word. However, if you enter quotes, as soon as you save the requirement, everything after the first quotation mark disappears.
CSCsk91135
Yes
SNMP walk takes too much CPU
The "snmpwalk" function used by HP Openview (and other SNMP-based management platforms) results in very high CPU utilization on the Clean Access Manager.
CSCsk96328
Yes
Configuration update initializes /etc/hosts file
Clicking Update in CAS HA configuration causes /etc/hosts file initialization without any alerts.
Note
CSCsk98601
Yes
iPod Touch recognized as Mac OS X
The new iPod Touch is recognized as Mac OS X instead of Mac_All. This is similar to CSCsk15081.
CSCsl04222
Yes
Clean Access fails to check a file modification date against the CAM date
If a check is created to check a file modification date and it is selected to compare the date to be +/- days from the current date on the CAM, then the check fails even if the file is up to date.
CSCsl06922
Yes
Cannot add a more specific static route when managed subnet exists in Virtual Gateway mode
If you define a managed subnet for a subnet range, but want one host (DC, etc.) on the trusted side, you can define a static route. However, once you reboot the CAS, the managed subnet entry gets deleted from the real_routing_table and leaves the /32 route in the table.
Note
CSCsl10185
Yes
CAM is unable to get port list from switch
After a period of time, memory use climbs and the CAM becomes unable to control a switch until it can be restarted.
CSCsl52603
Yes
Clean Access failover does not work with HA CAS pair behind a NAT device
CAS failover does not work when the CASes are deployed behind a NAT device and the CAM only knows of the translated IP address.
Whenever a Secondary CAS takes over a service IP in an HA pair environment, it automatically tries to connect to the CAM and send a key and the service IP address it is taking over (via https). The CAM then attempts to verify this IP address against the known service IP address found in its /etc/hosts file. Since the CAS has pushed out the untranslated service IP to the CAM, and the CAM does not know that address (because it has been NATed), communication between the CAM and CAS fails.
CSCsl76977
Yes
Direct upgrade from 3.5(11) to 4.1(3) is not supported
"In-place" upgrade from version 3.5(11) to 4.1(3) is not supported. Customers wishing to upgrade a system from 3.5(11) to 4.1(3) must use the supported in-place upgrade procedure to upgrade from 3.5(11) to 4.0(6), and then upgrade to 4.1(3) via the instructions in Upgrading to 4.1(3).
Refer to the "In-Place Upgrade from 3.5(7)+ to 4.0(x)" instructions for Standalone Machines or HA-pairs in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(6) for details.
You can download the upgrade from 3.5(11) to 4.0(6) at:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cleanaccess-4.0.6
CSCsl80459
Yes
Auto updates for Cisco Checks and Rules fail on Clean Access Manager
Known Issues for Cisco NAC Appliance
This section describes known issues when integrating Cisco NAC Appliance:
•
•
•
•
•
•
•
•
•
•
Note
Known Issues with HP ProLiant DL140 G3 Servers
The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for detailed instructions.
Known Issue with NAC-3310 CD Installation
The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM.
When following the CD-ROM system software installation procedures outlined in Chapter 2: "Installing the Clean Access Manager" of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3) and Chapter 4: "Installing the Clean Access Server NAC Appliance" of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(3), users installing release 4.1(3) on a NAC-3310 appliance (both MANAGER and SERVER) from a CD-ROM are presented with the following prompt during the installation process:
Cisco Clean Access Installer (C) 2007 Cisco Systems, Inc.Welcome to the Cisco Clean Access Installer!- To install a Cisco Clean Access device, press the <ENTER> key.- To install a Cisco Clean Access device over a serial console, enter serial at the boot prompt and press the <ENTER> key.boot:The standard procedure asks you to press "Enter" or, if installing via serial console connection, enter serial at the "boot:" prompt, For release 4.1(3) and later, however, NAC-3310 customers are required enter one of the following, instead:
•
•
After you enter either of these commands, the Package Group Selection screen appears where you can then specify whether you are setting up a Clean Access Manager or Clean Access Server and install the system software following the standard installation process.
Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection
When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances and any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.
Known Issues with Cisco NAC Profiler Release 2.1.7
Cisco NAC Appliance Release 4.1(3) does not support Cisco NAC Profiler Release 2.1.7. If you are currently running Cisco NAC Appliance Release 4.1(2) and Cisco NAC Profiler Release 2.1.7 on your network, it is recommended to upgrade your Cisco NAC Profiler system to a compatible release first (such as upcoming release 2.1.8) before upgrading your Cisco NAC Appliance machines to release 4.1(3).
Note
Note
Refer to the Release Notes for Cisco NAC Profiler for updated product information.
Known Issues with Switches
For complete details, see Switch Support for Cisco NAC Appliance.
Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Due to changes in DHCP server operation with Cisco NAC Appliance release 4.0(2) and later, networks with Cisco 2200/4400 Wireless LAN Controllers (also known as Airespace WLCs) which relay requests to the Clean Access Server (operating as a DHCP server) may have issues. Client machines may be unable to obtain DHCP addresses. Refer to the "Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) and DHCP" section of Switch Support for Cisco NAC Appliance for detailed instructions.
Note
Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
Customers running Cisco NAC Appliance release 4.1(3) and later on servers with 5702/5703/5704 Broadcom NIC cards may be impacted by caveat CSCsd74376. Server models with Broadcom 5702/5703/5704 NIC cards may include: Dell PowerEdge 850, CCA-3140-H1, HP ProLiant DL140 G2/ DL360/DL380. This issue involves the repeated resetting of the Broadcom NIC cards. The NIC cards do not recover from some of the resets causing the machine to become unreachable via the network.
For details, see the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).
Known Issues for Windows Vista and Agent Stub
Use "No UI" or "Reduced UI" Installation Option
When installing the 4.1.3.0 Clean Access Agent via stub installation on Windows Vista machines only, Cisco recommends not to use the Full UI Stub Installation Option. To avoid the appearance of 5-minute installation dialog delays caused by the Vista Interactive Service Detection Service, Cisco recommends using the No UI or Reduced UI option when configuring Stub Installation Options for Windows Vista client machines.
"Interactive Services Dialog Detection" and Uninstall
When non-admin users install/uninstall the Clean Access Agent through the Agent Stub service on Windows Vista, they will see an "Interactive Services Dialog Detection" dialog. If the user is installing, no input is required in the dialog session—it will automatically disappear. If the client machine is fast, the user may not even see the dialog appear at all, so the resulting behavior is as if the Agent gets silently installed after a few seconds. When uninstalling, however, the uninstall process does not complete until the user responds to a prompt inside the dialog.
This is expected behavior because, unlike earlier Windows operating systems, Windows Vista services run in an isolated session (session 0) from user sessions, and thus do not have access to video drivers. As a workaround for interactive services like the Agent Stub installer, Windows Vista uses an Interactive Service Detection Service to prompt users for user input for interactive services and enable access to dialogs created by interactive services. The "Interactive Service Detection Service" will automatically launch by default and, in most cases, users are not required to do anything. However, if the service is disabled for some reason, Agent installation by non-admin users will not function.
Known Issues with MSI Agent Installer
MSI File Name
The MSI installation package for each version of the full Windows Clean Access Agent (CCAAgent-<version>.msi) is available for download from the Cisco Software Download site at http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-agent
When downloading the Clean Access Agent MSI file from the Cisco Software Download site, you MUST rename the "CCAAgent-<version>.msi" file to "CCAAgent.msi" before installing it.
Renaming the file to "CCAAgent.msi" ensures that the install package can remove the previous version then install the latest version when upgrading the Agent on clients.
Minor Version Updates
You cannot upgrade minor version (4th digit) updates of the Clean Access Agent from the MSI package directly. You must uninstall the program from Add/Remove programs first before installing the new version. Refer to CSCsm20655 for details.
See also Troubleshooting for additional Agent- related information.
Known Issue with Windows 2000 Clean Access Agent/Local DB Authentication
When a user logs in via the Clean Access Agent on a Windows 2000 machine with a username/password linked to the "Local DB" provider and must validate a requirement (in a test environment, for example), the Agent returns a "The application experienced an internal error loading the SSL libraries (12157)" error message. Following the error message, the Agent remains in the login state even though it is not actually logged in and the user must either stop the process or restart the client machine for the Agent login dialog to re-appear. (Requirements are not validated and the CAM does not create an Agent report for the Windows 2000 session, so it can be difficult to determine which requirement fails.)
Known Issue with Windows 98/ME/2000 and Windows Script 5.6
Windows Script 5.6 is required for proper functioning of the Clean Access Agent in release 3.6(x) and later. Most Windows 2000 and older operating systems come with Windows Script 5.1 components. Microsoft automatically installs the new 5.6 component on performing Windows updates. Windows installer components 2.0 and 3.0 also require Windows Script 5.6. However, PC machines with a fresh install of Windows 98, ME, or 2000 that have never performed Windows updates will not have the Windows Script 5.6 component. Cisco Clean Access cannot redistribute this component as it is not provided by Microsoft as a merge module/redistributable.
In this case, administrators will have to access the MSDN website to get this component and upgrade to Windows Script 5.6. For convenience, links to the component from MSDN are listed below:
Win 98, ME, NT 4.0:
Filename: scr56en.exe
Win 2000, XP:
Filename: scripten.exe
Tip
New Installation of Release 4.1(3)
If you are performing a new CD software installation of Cisco NAC Appliance (Cisco Clean Access) on the Cisco NAC Appliance 3300 Series server hardware platform, use the steps described below.
If re-imaging a Cisco NAC Network Module, refer to the instructions in the Getting Started with Cisco NAC Network Modules in Cisco Access Routers.
If performing upgrade on an existing NAC Appliance or NAC Network Module, refer to the instructions in Upgrading to 4.1(3).
For New Installation:
1.
2.
3.
–
–
4.
5.
6.
7.
8.
–
–
Note
Upgrading to 4.1(3)
This section provides instructions for how to upgrade your existing Cisco Clean Access system to release 4.1(3).
Refer to the following general information prior to upgrade:
•
•
Refer to one of the following sets of upgrade instructions for the upgrade you need to perform:
•
•
If you need to perform a fresh installation of the software, refer instead to New Installation of Release 4.1(3).
If you need to upgrade from a much older version of Cisco Clean Access, you may need to perform an interim upgrade to a version that is supported for upgrade to 4.1(3). In this case, refer to the applicable Release Notes for upgrade instructions for the interim release. Cisco recommends always testing new releases on a different system first before upgrading your production system.
Notes on 4.1(3) Upgrade
If planning to upgrade to Cisco NAC Appliance (Cisco Clean Access) 4.1(3) ED and later, note the following:
Warning
To help avoid longer upgrade times, delete Agent Report entries (under Device Management > Clean Access > Clean Access Agent > Reports) before upgrading from release 3.6(x) or 4.0(x) to release 4.1(3) and later. Alternatively, you can upgrade from release 3.6(x) or 4.0(x) to release 4.1.2.1 and then upgrade to release 4.1(3) and later.
•
•
Note
•
•
•
Caution
Refer to the "In-Place Upgrade from 3.5(7)+ to 4.0(x)" instructions for Standalone Machines or HA-pairs in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(6) for details.
•
•
–
–
–
For further details on Patch-CSCsg24153, refer to the README-CSCsg24153 file under http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches and the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).
Warning
•
Note
Settings That May Change With Upgrade
•
•
•
•
Note
•
•
General Preparation for Upgrade
Caution
•
You must upgrade your Clean Access Manager and all your Clean Access Servers (including NAC Network Modules) concurrently. The Cisco NAC Appliance architecture is not designed for heterogeneous support (i.e., some Clean Access Servers running 4.1(3) and later software and some running 4.1(2), 4.1(1), 4.1(0), or 4.0(x) software).
•
Depending on the number of Clean Access Servers you have, the upgrade process should be scheduled as downtime. For minor release upgrades (e.g. 4.1(3) to 4.1.3.x), our estimates suggest that it takes approximately 10 to 20 minutes for the Clean Access Manager upgrade and 10 minutes for each Clean Access Server upgrade. Use this approximation to estimate your downtime window.
Warning
To help avoid longer upgrade times, delete Agent Report entries (under Device Management > Clean Access > Clean Access Agent > Reports) before upgrading from release 3.6(x) or 4.0(x) to release 4.1(3) and later. Alternatively, you can upgrade from release 3.6(x) or 4.0(x) to release 4.1.2.1 and then upgrade to release 4.1(3) and later.
•
While the Clean Access Manager upgrade is being conducted, the Clean Access Server (which has not yet been upgraded, and which loses connectivity to the Clean Access Manager during Clean Access Manager restart or reboot) continues to pass authenticated user traffic.
Caution
•
When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.
•
For additional safekeeping, Cisco recommends manually backing up your current Clean Access Manager installation (using Administration > Backup) both before and after the upgrade and to save the snapshot on your local computer. Backing up prior to upgrade enables you to revert to your previous release database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your 4.1(3) database. After the migration is completed, go to the database backup page (Administration > Backup) in the CAM web console. Download and then delete all earlier snapshots from there as they are no longer compatible. See Create CAM DB Backup Snapshot for details.
Warning
•
Once you have upgraded your software to 4.1(3) or later, if you wish to revert to your previous version of CCA software, you will need to reinstall the previous CCA version from the CD and recover your configuration based on the backup you performed prior to upgrading to 4.1(3) or later.
•
For upgrade via console/SSH, you will need your CAM and CAS root user password (default CAM root password is cisco123). For web console upgrade, you will need your CAM web console admin user password (and, if applicable, CAS direct access console admin user password).
Upgrading from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+—Standalone Machines
This section describes the upgrade procedure for upgrading your standalone CAM/CAS machine from release 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+ to the latest 4.1(3) release. You can upgrade 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+ standalone machines to the latest 4.1(3) release using one of the following two methods:
•
•
Warning
To help avoid longer upgrade times, delete Agent Report entries (under Device Management > Clean Access > Clean Access Agent > Reports) before upgrading from release 3.6(x) or 4.0(x) to release 4.1(3) and later. Alternatively, you can upgrade from release 3.6(x) or 4.0(x) to release 4.1.2.1 and then upgrade to release 4.1(3) and later.
Note
•
Note
•
•
Summary of Steps for 3.6/4.0/4.1(0)+/4.1(1)+/4.1(2)+ Upgrade
The sequence of steps for standalone 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+ system upgrade is as follows:
1.
3.
Console/SSH Upgrade—Standalone MachinesCreate CAM DB Backup Snapshot
Cisco recommends creating a manual backup snapshot of your CAM database. Backing up prior to upgrade enables you to revert to your previous database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your database. Make sure to download the snapshots to another machine for safekeeping.
Note that Cisco NAC Appliance automatically creates daily snapshots of the CAM database and preserves the most recent from the last 30 days (starting from release 3.5(3)). It also automatically creates snapshots before and after software upgrades and failover events. For upgrades and failovers, only the last 5 backup snapshots are kept. (For further details, see "Database Recovery Tool" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(3).
Note
To create a manual backup snapshot:
Step 1
Step 2
Step 3
Step 4
Step 5
Download the Upgrade File
For Cisco NAC Appliance upgrades from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+, a single .tar.gz upgrade file is downloaded to each Clean Access Manager (CAM) and Clean Access Server (CAS) machine to be upgraded. The upgrade script automatically determines whether the machine is a CAM or CAS.
For Cisco NAC Appliance minor release or patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.
Step 1
Step 2
Step 3
Note
–
–
–
For patch upgrades, replace the .x in the file name with the minor release version numbers to which you are upgrading, for example, cca-upgrade-4.1.3.1.tar.gz.
Web Console Upgrade—Standalone Machines
Note
When upgrading from 3.6(x)/4.0(x) to the latest 4.1(x) release:
•
•
•
For further details on Patch-CSCsg24153, refer to the README-CSCsg24153 file under http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches and the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).
Warning
With web upgrade, administrators can perform software upgrade on standalone CAS and CAM machines using the following web console interfaces:
•
•
–
–
For web console upgrade, you will need your CAM web console admin user password.
If using the CAS direct access web console, you will need your CAS direct access console admin user password.
Note
•
•
•
With web upgrade, the CAM and CAS automatically perform all the upgrade tasks that are done manually for console/SSH upgrade (for example, untar file, cd to /store, run upgrade script). The CAM also automatically creates snapshots before and after upgrade. When upgrading via web console only, the machine automatically reboots after the upgrade completes. The steps for web upgrade are as follows:
1.
2.
3.
Upgrade CAS from CAS Management Pages
You can upgrade your CAS from release 3.6(x)/4.0(x)/4.1(0)+)/4.1(1)+/4.1(2)+ to release 4.1(3) and later using web upgrade via the CAS management pages as described below or, if preferred, using the instructions for Upgrade CAS from CAS Direct Access Web Console.
Step 1
Step 2
Step 3
a.
b.
c.
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Step 9
Note
Upgrade CAS from CAS Direct Access Web Console
You can upgrade the CAS from the CAS direct access web console using the following instructions. To upgrade the CASes from the CAM web console, see Upgrade CAS from CAS Management Pages.
Step 1
Step 2
Step 3
a.
b.
Step 4
Step 5
Step 6
Step 7
Note
Step 8
Step 9
Step 10
Note
Upgrade CAM from CAM Web Console
Upgrade your standalone CAM from the CAM web console using the following instructions.
Warning
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Note
Console/SSH Upgrade—Standalone Machines
This section describes the standard console/SSH upgrade procedure when upgrading your standalone CAM/CAS from release 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+ to the latest 4.1(3) release. For this procedure, you need to access the command line of the CAM or CAS machine using one of the following methods:
•
•
•
Warning
Note
•
For upgrade via console/SSH, you will need your CAM and CAS root user password.
Note
A single upgrade .tar.gz file is downloaded to each installation machine. The upgrade script automatically determines whether the machine is a Clean Access Manager (CAM) or Clean Access Server (CAS), and executes if the current system is running release 3.6(0) or later.
For patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.
Note
•
•
Summary of Steps for Console/SSH Upgrade from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+
Steps are as follows:
1.
2.
3.
Download the Upgrade File and Copy to CAM/CAS
Step 1
Step 2
Step 3
If using WinSCP or SSH File Transfer:
a.
b.
If using PSCP:
a.
b.
c.
pscp cca_upgrade-4.1.3.tar.gz root@ipaddress_manager:/stored.
pscp cca_upgrade-4.1.3.tar.gz root@ipaddress_server:/storePerform Console/SSH Upgrade on the CAM
Step 4
a.
b.
c.
cd /stored.
tar xzvf cca_upgrade-4.1.3.tar.gz4.
cd cca_upgrade-4.1.3./UPGRADE.sh
Note
For more information on the nature and workaround for Patch-CSCsg24153, see the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).e.
Note
f.
rebootPerform Console/SSH Upgrade on the CAS
Warning
Step 5
a.
b.
c.
cd /stored.
tar xzvf cca_upgrade-4.1.3.tar.gz5.
cd cca_upgrade-4.1.3./UPGRADE.sh
Note
For more information on the nature and workaround for Patch-CSCsg24153, see the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).e.
f.
rebootg.
Upgrading from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+—HA Pairs
This section describes the upgrade procedure for upgrading high-availability (HA) pairs of CAM or CAS servers from release 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+ to the latest 4.1(3) release.
Warning
To help avoid longer upgrade times, delete Agent Report entries (under Device Management > Clean Access > Clean Access Agent > Reports) before upgrading from release 3.6(x) or 4.0(x) to release 4.1(3) and later. Alternatively, you can upgrade from release 3.6(x) or 4.0(x) to release 4.1.2.1 and then upgrade to release 4.1(3) and later.
If you have standalone CAM/CAS servers, refer instead to Upgrading from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+—Standalone Machines.
Note
"In-place" upgrade from version 3.5(11) to 4.1(3) and later is not supported. Customers wishing to upgrade a system from 3.5(11) to 4.1(3) and later must use the supported in-place upgrade procedure to upgrade from 3.5(11) to 4.0(6), and then upgrade to 4.1(3) and later. (See CSCsl76977.)Warning
If you are using serial connection for HA, do not attempt to connect serially to the CAS during the upgrade procedure. When serial connection is used for HA, serial console/login will be disabled and serial connection cannot be used for installation/upgrade.
If you are using serial connection for HA, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.
Warning
Note
•
•
Steps for HA 3.6/4.0/4.1(0)+/4.1(1)+/4.1(2)+ Upgrade
The steps to upgrade HA 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+ systems are described in the following sections:
•
•
Note
Access Web Consoles for High Availability
Determining Active and Standby CAM
Access the web console for each CAM in the HA pair by typing the IP address of each individual CAM (not the Service IP) in the URL/Address field of a web browser. You should have two browsers open. The web console for the Standby (inactive) CAM will only display the Administration module menu.
Note
Determining Primary and Secondary CAM
In each CAM web console, go to Administration > CCA Manager > Network & Failover | High Availability Mode.
•
•
Note
Determining Active and Standby CAS
From the CAM web console, go to Device Management > CCA Servers > List of Servers to view your HA-CAS pairs. The List of Servers page displays the Service IP of the CAS pair first, followed by the IP address of the Active CAS in brackets. When a secondary CAS takes over, its IP address will be listed in the brackets as the Active server.
Note
Determining Primary and Secondary CAS
Open the direct access console for each CAS in the pair by typing the following in the URL/Address field of a web browser (you should have two browsers open):
•
•
In each CAS web console, go to Administration > Network Settings > Failover | Clean Access Server Mode.
•
•
Note
Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs
The following steps show the recommended way to upgrade an existing high-availability (failover) pair of Clean Access Managers or Clean Access Servers.
Warning
Step 1
Warning
If you are using serial connection for HA, do not attempt to connect serially to the CAS during the upgrade procedure. When serial connection is used for HA, serial console/login will be disabled and serial connection cannot be used for installation/upgrade.
If you are using serial connection for HA, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.
Step 2
Step 3
a.
tar xzvf cca_upgrade-4.1.3.tar.gzb.
c.
./fostate.shThe results should be either "My node is active, peer node is standby" or "My node is standby, peer node is active". No nodes should be dead. This should be done on both boxes, and the results should be that one box considers itself active and the other box considers itself in standby mode. Future references in these instructions that specify "active" or "standby" refer to the results of this test as performed at this time.
Note
•
•
Step 4
shutdown -h nowStep 5
Step 6
cd cca_upgrade-4.1.3Step 7
./fostate.shMake sure this returns "My node is active, peer node is dead" before continuing.
Step 8
a.
b.
./UPGRADE.sh
Note
If you are performing this upgrade on the CAS, the upgrade script prompts you to enter the web console administrator password in addition to the shared secret. (As with the CAM, only the first eight characters of the shared secret are used.)
For more information on the nature and workaround for Patch-CSCsg24153, see the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).c.
Note
Step 9
shutdown -h nowStep 10
Step 11
Step 12
a.
b.
cd cca_upgrade-4.1.3c.
./UPGRADE.shStep 13
shutdown -h nowStep 14
Step 15
Note
Troubleshooting
This section provides troubleshooting information for the following topics:
•
•
•
•
•
•
•
•
•
•
•
•
•
Note
Vista/IE 7 Certificate Revocation List
Note
The "Network error: SSL certificate rev failed 12057" error can occur and prevent login for Clean Access Agent or Cisco NAC Web Agent users in either of the following cases:
1.
2.
–
–
To resolve the error, perform the following actions:
Step 1
Step 2
a.
b.
Windows Vista Agent Stub Installer Error
When initiating the Agent stub installer on the Windows Vista operating system, the user may encounter the following error message:
"Error 1722: There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor."
The possible cause is that there are remnants of a partial previous Agent stub installation present on the client machine stub. The user must take steps to remove the previous partial installation before attempting to run the Agent stub installer again.
To solve the problem:
Step 1
Step 2
Step 3
Step 4
Step 5
Agent Stub Upgrade and Uninstall Error
To resolve the situation where a user receives an "Internal error 2753:ccaagentstub.exe" message during stub installation:
Step 1
Step 2
Step 3
Note
Clean Access Agent AV/AS Rule Troubleshooting
When troubleshooting AV/AS Rules:
•
•
When troubleshooting AV/AS Rules, please provide the following information:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Generating Windows Installer Log Files for Agent Stub
Users can compile the Windows Installer logs generated by the InstallShield application when the Windows Agent is installed on a client machine using the MSI or EXE installer packages.
MSI Installer
To compile the logs generated by a Windows Agent MSI installer session as the installation takes place, enter the following at a command prompt:
ccaagent.msi /log C:\ccainst.log
This function creates an installer session log file called "ccainst.txt" in the client machine's C:\ drive when the MSI Installer installs the Agent files on the client.
EXE Installer
You can use the Windows Installer /v CLI option to pass arguments to the msiexec installer within CCAAgent_Setup.exe by entering the following at a command prompt:
CCAAgent_Setup.exe /v"/L*v \"C:\ccainst.log\""
This command saves an installation session log file called "ccainst.log" in the client machine's C:\ drive when the embedded msiexec command installs the Agent files on the client.
For more information, refer to the Windows Installer CLI reference page.
Debug Logging for Cisco NAC Appliance Agents
This section describes how to view and/or enable debug logging for Cisco NAC Appliance Agents. Refer to the following sections for steps for each Agent type:
•
•
Copy these event logs to include them in a customer support case.
Cisco NAC Web Agent Logs
The Cisco NAC Web Agent version 4.1.3.9 and later can generate logs when downloaded and executed. By default, the Cisco NAC Web Agent writes the log file upon startup with debugging turned on. The Cisco NAC Web Agent (see Cisco NAC Web Agent) generates the following log files for troubleshooting purposes: webagent.log and webagentsetup.log. These files should be included in any TAC support case for the Web Agent. Typically, these files are located in the user's temp directory, in the form:
C:\Document and Settings\<user>\Local Settings\Temp\webagent.log
C:\Document and Settings\<user>\Local Settings\Temp\webagentsetup.log
If these files are not visible, check the TEMP environment variable setting. From a command-prompt, type "echo %TEMP%" or "cd %TEMP%".
When the client uses Microsoft Internet Explorer, the Cisco NAC Web Agent is downloaded to the C:\Documents and Settings\<user>\Local Settings\Temporary internet files directory.
Generate Windows Agent Debug Log
For 4.1.x.x versions of the persistent Clean Access Agent (and 4.0.x.x/3.6.1.0+), you can enable debug logging on the Agent by adding a LogLevel registry value on the client with value "debug." For Windows Agents (see Cisco NAC Appliance Agents), the event log is created in the directory %APPDATA%\CiscoCAA, where %APPDATA% is the Windows environment variable.
Note
To view and/or change the Agent LogLevel setting:
Step 1
Step 2
Step 3
Note
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
a.
b.
Step 11
Note
•
Generate Mac OS X Agent Debug Log
For Mac OS X Agents (see Mac OS X Clean Access Agent Version 4.1.3.0), the Agent event.log file and preference.plist user preferences file are available under <username> > Library > Application Support > Cisco Systems > CCAAgent.app. To change or specify the LogLevel setting, however, you must access the global setting.plist file (which is different from the user-level preference.plist file).
Because Cisco does not recommend allowing individual users to change the LogLevel value on the client machine, you must be a superuser or root user to alter the global setting.plist system preferences file and specify a different Agent LogLevel.
Note
To view and/or change the Agent LogLevel:
Step 1
Step 2
Step 3
Step 4
Step 5
•
•
•
•
Note
Note
Property List Editor is an application included in the Apple Developer Tools for editing .plist files. You can find it at <CD-ROM>/Developer/Applications/Utilities/Property List Editor.app.
If the setting.plist file is editable, you can use a standard text editor like vi to edit the LogLevel value in the file.
You must be the root user to edit the file.
Creating CAM DB Snapshot
See the instructions in Create CAM DB Backup Snapshot for details.
Creating CAM/CAS Support Logs
The Support Logs web console pages for the CAM and CAS allow administrators to combine a variety of system logs (such as information on open files, open handles, and packages) into one tarball that can be sent to TAC to be included in the support case. Administrators should Download the CAM and CAS support logs from the CAM and CAS web consoles respectively and include them with their customer support request, as follows:
•
•
Note
•
•
Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)
Use the following procedure to recover the root password for a 4.1/4.0/3.6 CAM or CAS machine. The following password recovery instructions assume that you are connected to the CAM/CAS via a keyboard and monitor (i.e. console or KVM console, NOT a serial console)
1.
2.
3.
4.
root (hd0,0)kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 console=ttyS0,9600n8Initrd /initrd-2.6.11-perfigo.img5.
6.
kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 single7.
8.
9.
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
•
Clean Access Server is not properly configured, please report to your administrator
A login page must be added and present in the system in order for both web login and Clean Access Agent users to authenticate. If a default login page is not present, Clean Access Agent users will see the following error dialog when attempting login:
Clean Access Server is not properly configured, please report to your administratorTo resolve this issue, add a default login page on the CAM under Administration > User Pages > Login Page > Add.
Clean Access Server could not establish a secure connection to the Clean Access Manager at <IP/domain>
The following client connection errors can occur if the CAS does not trust the certificate of the CAM, or vice-versa:
•
•
Clean Access Server could not establish a secure connection to the Clean Access Manager at <IPaddress or domain>These errors typically indicate one of the following certificate-related issues:
•
•
•
•
To identify common issues:
1.
(under Administration > CCA Manager > SSL Certificate > Export CSR/Private Key/Certificate | Currently Installed Certificate | Details).2.
To resolve these issues:
1.
2.
3.
4.
5.
Troubleshooting Switch Support Issues
To troubleshoot switch issues, see Switch Support for Cisco NAC Appliance.
Troubleshooting Network Card Driver Support Issues
For network card driver troubleshooting, see Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).
Other Troubleshooting Information
For general troubleshooting tips, see the following Technical Support webpage:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
Documentation Updates
Related Documentation
For the latest updates to Cisco NAC Appliance (Cisco Clean Access) documentation on Cisco.com see:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
or simply http://www.cisco.com/go/cca
•
•
•
•
•
•
•
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
