 Feedback
|
Table Of Contents
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(6)
Cisco NAC Appliance Service Contract/Licensing Support
System and Hardware Requirements
Cisco NAC-3300 Series Appliances
Release 4.1(6) and Cisco NAC Profiler
Important Installation Information for NAC-3310
Additional Hardware Support Information
Supported Switches for Cisco NAC Appliance
VPN and Wireless Components Supported for Single Sign-On (SSO)
Software Compatibility Matrixes
Release 4.1(6) Compatibility Matrix
Release 4.1(6) CAM/CAS Upgrade Compatibility Matrix
Release 4.1(6) Clean Access Agent Upgrade Compatibility Matrix
Determining the Software Version
Clean Access Manager (CAM) Version
Clean Access Server (CAS) Version
Cisco NAC Appliance Agents Versioning
Cisco Clean Access Updates Versioning
Enhancements in Release 4.1(6)
Trusted Certificate Authority Enhancement for Production Environments
Enhanced CAM/CAS Web Console Features Certificate Warning Messages
Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
Enhanced Security with Server Identity Based Authorization
JMX Over SSL Secured with Mutual Authentication
HTTPS Connections Enhanced with Mutual Authentication
Supported AV/AS Product List Enhancements (Version 69)
Cisco NAC Appliance Agent Enhancements
Windows Clean Access Agent Enhancements
Windows Clean Access Agent Version 4.1.7.0
Windows Clean Access Agent Version 4.1.6.0
Mac OS X Clean Access Agent Enhancements
Cisco NAC Web Agent Enhancements
Clean Access Supported AV/AS Product List
Clean Access AV Support Chart (Windows Vista/XP/2000)
Clean Access AV Support Chart (Windows ME/98)
Clean Access AS Support Chart (Windows Vista/XP/2000)
Supported AV/AS Product List Version Summary
Resolved Caveats - Agent Version 4.1.7.0
Resolved Caveats - Agent Version 4.1.6.0
Resolved Caveats - Release 4.1(6)
Known Issues for Cisco NAC Appliance
Known Issues with HP ProLiant DL140 G3 Servers
Known Issue with NAC-3310 CD Installation
Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection
Known Issues with Cisco NAC Profiler Release 2.1.7
Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
Known Issues for Windows Vista and Agent Stub
Use "No UI" or "Reduced UI" Installation Option
"Interactive Services Dialog Detection" and Uninstall
Known Issues with MSI Agent Installer
Known Issue with Windows 2000 Clean Access Agent/Local DB Authentication
Known Issue with Windows 98/ME/2000 and Windows Script 5.6
New Installation of Release 4.1(6)
Settings That May Change With Upgrade
General Preparation for Upgrade
Upgrading to Release 4.1(6)—Standalone Machines
Web Console Upgrade—Standalone Machines
Console/SSH Upgrade—Standalone Machines
Access Web Consoles for High Availability
Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs
Vista/IE 7 Certificate Revocation List
Windows Vista Agent Stub Installer Error
Agent Stub Upgrade and Uninstall Error
Clean Access Agent AV/AS Rule Troubleshooting
Generating Windows Installer Log Files for Agent Stub
Debug Logging for Cisco NAC Appliance Agents
Generate Windows Agent Debug Log
Generate Mac OS X Agent Debug Log
Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
Troubleshooting Switch Support Issues
Troubleshooting Network Card Driver Support Issues
Other Troubleshooting Information
Obtaining Documentation and Submitting a Service Request
Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(6)
Revised: November 30, 2010, OL-16660-01Contents
These release notes provide late-breaking and release information for Cisco® NAC Appliance, formerly known as Cisco Clean Access (CCA), release 4.1(6). This document describes new features, changes to existing features, limitations and restrictions ("caveats"), upgrade instructions, and related information. These release notes supplement the Cisco NAC Appliance documentation included with the distribution. Read these release notes carefully and refer to the upgrade instructions prior to installing the software.
•
Cisco NAC Appliance Service Contract/Licensing Support
•
•
•
•
•
Cisco NAC Appliance Releases
4.1.7.0 Cisco Clean Access Agent
September 30, 2008
4.1(6) ED
July 31, 2008
Note
Cisco NAC Appliance Service Contract/Licensing Support
For complete details on service contract support, new licenses, evaluation licenses, legacy licenses and RMA, refer to the Cisco NAC Appliance Service Contract / Licensing Support.
System and Hardware Requirements
This section describes the following:
•
•
System Requirements
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for system requirement information for the Clean Access Manager (CAM), Clean Access Server (CAS), and Cisco NAC Appliance Agents.
Hardware Supported
This section describes the following:
•
•
•
Cisco NAC Network Module
Release 4.1(6) supports the Cisco NAC Appliance network module (NME-NAC-K9) on the next generation service module for the Cisco 2811, 2821, 2851, 3825, and 3845 Integrated Services Routers (ISRs). The Cisco NAC Network Module for Integrated Services Routers supports the same software features as the Clean Access Server on a NAC Appliance, with the exception of high availability. NME-NAC-K9 does not support failover from one module to another.
For hardware installation instructions (how to install the Cisco NAC network module in an Integrated Service Router), refer to the following sections of the Cisco Network Modules Hardware Installation Guide.
•
•
For software installation instructions (how to install the Clean Access Server software on the NAC network module) refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers.
Note
While upgrading to release 4.1(6) is not required to support Cisco NAC network modules, if you are supporting 64-bit Windows Vista client systems, you must upgrade to release 4.1.2.1 or later.
Cisco NAC-3300 Series Appliances
Release 4.1(6) supports Cisco NAC Appliance 3300 Series platforms.
Customers have the option to upgrade NAC-3310, NAC-3350, or NAC-3390 MANAGER and SERVER appliances to release 4.1(6) using a single upgrade file, cca_upgrade-4.1.6.tar.gz.
CD installation of release 4.1(6) is also supported:
•
Note
•
Note
Release 4.1(6) and Cisco NAC Profiler
Release 4.1(6) includes version 2.1.8-37 of the Cisco NAC Profiler Collector component that resides on Clean Access Server installations.
Refer to the Release Notes for Cisco NAC Profiler for updated product information.
See also Known Issues with Cisco NAC Profiler Release 2.1.7.
Important Installation Information for NAC-3310
•
•
NAC-3310 Required BIOS/Firmware Upgrade
The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details.
NAC-3310 Required DL140 or serial_DL140 CD Installation Directive
The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM. For more information, refer ro Known Issue with NAC-3310 CD Installation.
Additional Hardware Support Information
See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on:
•
•
•
•
See Troubleshooting for further details.
Supported Switches for Cisco NAC Appliance
See Switch Support for Cisco NAC Appliance for complete details on:
•
•
•
•
VPN and Wireless Components Supported for Single Sign-On (SSO)
Table 1 lists VPN and wireless components supported for Single Sign-On (SSO) with Cisco NAC Appliance. Elements in the same row are compatible with each other.
Table 1 VPN and Wireless Components Supported By Cisco NAC Appliance For SSO
4.1(6)
Cisco WiSM Wireless Service Module for the Cisco Catalyst 6500 Series Switches
N/A
Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)1
N/A
Cisco ASA 5500 Series Adaptive Security Appliances, Version 8.0(3)7 or later2
AnyConnect
Cisco ASA 5500 Series Adaptive Security Appliances, Version 7.2(0)81 or later
•
•
Cisco WebVPN Service Modules for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco VPN 3000 Series Concentrators, Release 4.7
Cisco PIX Firewall
1 For additional details, see also Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs).
2 Release 4.1(6) supports existing AnyConnect clients accessing the network via Cisco ASA 5500 Series devices running release 8.0(3)7 or later. For more information, see the Release Notes for Cisco NAC Appliance, Version 4.1(3), and CSCsi75507.
Note
For further details, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(6) and the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(6).
Software Compatibility
This section describes software compatibility for releases of Cisco NAC Appliance:
•
•
For details on Clean Access Agent and Cisco NAC Web Agent client software versions and AV integration support, see:
•
Software Compatibility Matrixes
This section describes the following:
•
•
•
Release 4.1(6) Compatibility Matrix
Table 2 shows Clean Access Manager and Clean Access Server compatibility and the Clean Access Agent version supported with each CCA 4.1(6) release (if applicable). CAM/CAS/Clean Access Agent versions displayed in the same row are compatible with one another. Cisco recommends that you synchronize your software images to match those shown as compatible in the table.
Table 2 Release 4.1(6) Compatibility Matrix
4.1(6) 5
4.1(6) 5
4.1.7.0
4.1.6.0
4.1.3.x
4.1.2.x
4.1.1.0
4.1.0.x 64.1.3.x
4.1.2.x
4.1.1.0
4.1.0.x 64.1.6.0
4.1.3.x
1 Make sure that both CAM and CAS are of same version.
2 See Cisco NAC Appliance Agents for details on version updates for each Windows/Mac OS X/Web Agent.
3 Version 4.1.6.0 of the Windows Clean Access Agent is compatible with the 4.1(6) CAM and CAS releases. See Cisco NAC Appliance Agents for details and caveats resolved for each Agent version.
4 Mac OS X Clean Access Agent supports authentication only (no posture assessment) and auto-upgrade starting from version 4.1.3.0.
5 Cisco NAC Appliance Release 4.1(6) is a general and important bug fix release that resolves issues as described in Enhancements in Release 4.1(6).
6 Cisco strongly recommends running the latest 4.1.6.x version of the Clean Access Agent with release 4.1(6) of the CAM/CAS. If necessary, release 4.1(6) allows administrators to optionally configure the 4.1(6) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment (Windows only). Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(6) Cisco NAC Appliance system. However, an Agent upgraded to 4.1.6.0 can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1) in the 4.1(1) release notes for details.
Release 4.1(6) CAM/CAS Upgrade Compatibility Matrix
Table 3 shows 4.1(6) CAM/CAS upgrade compatibility. You can upgrade/migrate your CAM/CAS from the previous release(s) specified to the latest release shown in the same row. When you upgrade your system software, Cisco recommends you upgrade to the most current release available whenever possible.
Table 3 Release 4.1(6) CAM/CAS Upgrade Compatibility Matrix
Upgrade From:
4.1(6) 3
4.1(6) 3
1 Release 4.1(0), 4.1.0.1, and 4.1.0.2 do not support and cannot be installed on Cisco NAC Appliance 3300 Series platforms.
2 "In-place" upgrade from version 3.5(11) to 4.1(6) is not supported. Customers wishing to upgrade a system from 3.5(11) to 4.1(6) must use the supported in-place upgrade procedure to upgrade from 3.5(11) to 4.0(6), and then upgrade to 4.1(6).
3 Cisco NAC Appliance Release 4.1(6) is a general and important bug fix release that resolves issues as described in Enhancements in Release 4.1(6).
.
Release 4.1(6) Clean Access Agent Upgrade Compatibility Matrix
Table 4 shows Clean Access Agent upgrade compatibility when upgrading existing versions of the Agent after 4.1(6) CAM/CAS upgrade. You can auto-upgrade any 3.5.1+ Windows Agent directly to the latest 4.1.6.0 Windows Agent. You can auto-upgrade Mac OS X Agents starting from version 4.1.3.0 and later.
Note
Refer to the "Cisco NAC Appliance Agents Systems Requirements" section of the Supported Hardware and System Requirements for Cisco NAC Appliance for additional compatibility details.
1 Clean Access Agent versions are not supported across major releases. Do not use 4.1.3.x Agents with 4.0(x) or prior releases. However, auto-upgrade is supported from any 3.5.1 and later Agent directly to the latest 4.1.6.0 Agent.
2 See Cisco NAC Appliance Agents for details on version updates for each Windows/Mac OS X/Web Agent.
3 For checks/rules/requirements, version 4.1.1.0 and later Clean Access Agents can detect "N" (European) versions of the Windows Vista operating system, but the CAM/CAS treat "N" versions of Vista as their US counterpart.
4 Auto-upgrade of the Mac OS X Agent is supported starting from version 4.1.3.0 and later. Release 4.1(1) and release 4.1(2)+ do not support auto-upgrade for the Mac OS X Agent. Users can upgrade client machines to the latest Mac OS X Agent by downloading the Agent via web login and running the Agent installation. For more information, see Mac OS X Clean Access Agent Enhancements.
5 Cisco strongly recommends running the latest 4.1.6.x version of the Clean Access Agent with release 4.1(6) of the CAM/CAS. If necessary, release 4.1(6) allows administrators to optionally configure the 4.1(6) CAM/CAS to allow 4.1.0.x Agent authentication and posture assessment. Note that by default, 4.1.0.x Agents are not allowed to log into a 4.1(6) Cisco NAC Appliance system. However, an Agent upgraded to 4.1.6.0 can still log into a 4.1(0) CAM/CAS. See 4.1.0.x Agent Support on Release 4.1(1) in the 4.1(1) release notes for details.
Determining the Software Version
There are several ways to determine the version of software running on your Clean Access Manager (CAM), Clean Access Server (CAS), or Clean Access Agent, as described below.
•
•
•
•
Clean Access Manager (CAM) Version
The top of the CAM web console displays the software version installed. After you add the CAM license, the top of the CAM web console displays the license type (Lite, Standard, Super). Additionally, the Administration > CCA Manager > Licensing page displays the types of licenses present after they are added.
The software version is also displayed as follows:
•
•
CAM Lite, Standard, Super
The NAC Appliance Clean Access Manager (CAM) is licensed based on the number of NAC Appliance Clean Access Servers (CASes) it supports. You can view license details under Administration > CCA Manager > Licensing. The top of CAM web console identifies the type of CAM license installed:
•
•
•
Note the following:
•
•
•
Clean Access Server (CAS) Version
You can determine the CCA software version running on the Clean Access Server (whether NAC-3300 appliances or Cisco NAC network modules) using the following methods:
•
•
•
Note
Cisco NAC Appliance Agents Versioning
On the CAM web console, you can determine versioning for the Cisco NAC Appliance Agents from the following pages:
•
•
•
•
From the Clean Access Agent itself on the client machine, you can view the following information from the Agent taskbar menu icon:
•
•
Cisco Clean Access Updates Versioning
To view the latest version of Updates downloaded to your CAM, including Cisco Checks & Rules, Cisco NAC Web Agent, Clean Access Agent Upgrade Patch, Supported AV/AS Product List, go to Device Management > Clean Access > Update > Summary on the CAM web console. See Clean Access Supported AV/AS Product List and Clean Access Supported AV/AS Product List for additional details.
New and Changed Information
This section describes enhancements added to the following releases of Cisco NAC Appliance for the Clean Access Manager and Clean Access Server.
•
See Cisco NAC Appliance Agents for new features and enhancements to Cisco NAC Appliance Agents.
For additional details, see also:
•
•
Enhancements in Release 4.1(6)
This section details the enhancements delivered with Cisco NAC Appliance release 4.1(6) for the Clean Access Manager and Clean Access Server.
General Enhancements
•
•
•
•
•
•
•
Cisco NAC Appliance Agent Enhancements
•
Trusted Certificate Authority Enhancement for Production Environments
Cisco NAC Appliance release 4.1(6) addresses a known security issue that can allow outside unauthenticated entities access to the Cisco NAC Appliance network via the same end entity certificate used to initially configure and provide access to newly installed Clean Access Managers and Clean Access Servers.
When you first access your CAM/CAS web console, security warning messages prompt you to address this situation before deploying your CAM/CAS in a production environment. The "EMAILADDRESS=info@perfigo.com, CN=www.perfigo.com, OU=Product, O="Perfigo, Inc.", L=San Francisco, ST=California, C=US" Certificate Authority is required during initial configuration so that you can produce local Temporary Certificates on the CAM and CAS. After initial configuration, however, Cisco strongly recommends removing the "www.perfigo.com" Certificate Authority before deploying your CAM/CAS in a production environment. After you have imported a third-party CA-signed certificate, use the search function on the new Administration > CCA Manager > SSL > Trusted Certificate Authorities CAM web console page and Administration > SSL > Trusted Certificate Authorities CAS administrator web console page to isolate and delete the "www.perfigo.com" Certificate Authority.
Note
The primary elements of this enhancement include the following topics:
•
•
•
Note
Enhanced CAM/CAS Web Console Features Certificate Warning Messages
Release 4.1(6) provides three new types of warning messages to administrators, two of which are designed to address the presence of a potentially harmful Trusted CA in the CAM and/or CAS trusted store.
The "EMAILADDRESS=info@perfigo.com, CN=www.perfigo.com, OU=Product, O="Perfigo, Inc.", L=San Francisco, ST=California, C=US" Certificate Authority is required during initial configuration so that you can produce local Temporary Certificates on the CAM and CAS. However, this same CA can also introduce a security risk for the CAM/CAS and client production networks. Based on this potential security issue, the CAM/CAS web console now displays two types of certificate warning messages that appear after you install and/or upgrade to release 4.1(6):
•
•
In addition, the CAM/CAS web console provides a third type of warning message informing you that your trusted certificate is either expired or going to expire within 30 days.
Note
This enhancement affects the following page of the CAM web console:
•
This enhancement affects the following page of the CAS web console:
•
Note
Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
Cisco NAC Appliance Release 4.1(6) enables administrators to view and delete Trusted Certificate Authorities from both the CAM and CAS trust stores. Using the CAM or CAS web console, you can now access the local Trusted CA database, filter the list of current Trusted CAs, and select one or more CAs to remove. Once you have refined the list to only the CAs you want to keep in the trust store, you can now also restart CA services on the CAM or CAS without rebooting the system.
Note
Note
The new View/Remove CA feature is intended to allow administrators to remove Trusted CAs that may introduce a potential security threat within the Cisco NAC Appliance system. For more information, see Enhanced CAM/CAS Web Console Features Certificate Warning Messages.
Note
This feature adds the following page to the CAM web console:
•
This feature adds the following page to the CAS web console:
•
Enhanced Security with Server Identity Based Authorization
In Cisco NAC Appliance release 4.1(6), administrators can now enforce explicit Authorization between the CAM and CAS in the network. If you enable this feature on the CAM, you must enter the Distinguished Names (DNs) of all of the CASs managed by the CAM on the Authorization page, and enable the same function on all of the CASs managed by the CAM in the CAS Authorization page.
Note
If you have deployed your CAMs/CASs in an HA environment, you can enable authorization for both the HA-Primary and HA-Secondary machines in the HA pair by specifying the DN of only the HA-Primary appliance. For example, if the CAM manages a CAS HA pair, you only need to list the HA-Primary CAS on the CAM's Authorization page. Likewise, if you are enabling this feature on a CAS managed by a CAM HA-pair, you only need to list the HA-Primary CAM on the CAS's Authorization page.)
This feature is optional, but Cisco recommends enabling Authorization for your CAM/CASs to enhance secure communication within the Cisco NAC Appliance system.
This feature adds the following page to the CAM web console:
•
This feature adds the following page to the CAS web console:
•
JMX Over SSL Secured with Mutual Authentication
Starting from release 4.1(6), the CAM now authenticates with the CAS using Java Management Extensions (JMX) over the Secure Sockets Layer (SSL). In prior releases of Cisco NAC Appliance, communications between the CAM and CAS only utilized HTTPS, making it possible (however unlikely) that an outside party could "act" as the CAM in the network and gain unauthorized access. By ensuring that encrypted JMX communications now require the CAM and CAS to use SSL for two-way authentication, Cisco NAC Appliance transmissions from the CAM to the CAS are secure from outside entities.
Note
HTTPS Connections Enhanced with Mutual Authentication
HTTPS communications from the CAS to the CAM have been improved to require mutual authentication from both appliances via SSL before allowing two-way access:
•
•
Note
Features Optimized/Removed
The following functions have been optimized or removed in Cisco NAC Appliance Release 4.1(6):
•
•
•
•
•
Supported AV/AS Product List Enhancements (Version 69)
•
•
Cisco NAC Appliance Agent Enhancements
See Cisco NAC Appliance Agents for enhancement details per Agent version.
Cisco NAC Appliance Agents
This section consolidates information for Clean Access Agent and Cisco NAC Web Agent client software versions, as follows:
•
•
•
Refer to Resolved Caveats - Agent Version 4.1.6.0 for additional information.
Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted. For all Agents:
•
•
Note
•
–
–
–
For additional details refer to Known Issues for Cisco NAC Appliance and Troubleshooting for Agent-related information.
Windows Clean Access Agent Enhancements
This section contains the latest enhancements per version of the Windows Clean Access Agent.
•
•
Enhancements are cumulative and apply both to the version introducing the feature and to subsequent later versions, unless otherwise noted.
Windows Clean Access Agent Version 4.1.7.0
This section summarizes the latest enhancements for version 4.1.7.0 of the Windows Clean Access Agent. Refer to the following links for additional information:
•
•
•
Windows Clean Access Agent Version 4.1.6.0
This section contains the latest enhancements for the Windows Clean Access Agent. Refer to Resolved Caveats - Agent Version 4.1.6.0 for additional information.
•
•
–
–
Note
–
AA:BB:CC:DD:EE:FF,11:22:33:44:55:66For more information, see CSCsm87761.
Mac OS X Clean Access Agent Enhancements
There are no new features or enhancements in the Mac OS X Agent for Release 4.1(6).
Note
Cisco NAC Web Agent Enhancements
There are no new features or enhancements in the Cisco NAC Web Agent for Release 4.1(6). Refer to Resolved Caveats - Agent Version 4.1.6.0 for additional information.
See Release 4.1(6) Compatibility Matrix for general compatibility details.
Clean Access Supported AV/AS Product List
This section describes the Supported AV/AS Product List that is downloaded to the Clean Access Manager via Device Management > Clean Access > Updates > Update to provide the latest antivirus (AV) and anti-spyware (AS) product integration support for Cisco NAC Appliance Agents that support AV/AS posture assessment/remediation. The Supported AV/AS Product List is a versioned XML file distributed from a centralized update server that provides the most current matrix of supported AV/AS vendors and product versions used to configure AV/AS Rules and AV/AS Definition Update requirements.
The Supported AV/AS Product List contains information on which AV/AS products and versions are supported in each Windows Clean Access Agent release along with other relevant information. It is updated regularly to bring the relevant information up to date and to include newly added products for new releases. Cisco recommends keeping your list current, especially when you upload a new Agent Setup version or Agent Patch version to your CAM. Having the latest Supported AV/AS list ensures your AV/AS rule configuration pages list all the new products supported in the new Agent.
Note
The following charts list the AV and AS product/version support per client OS as of the latest Clean Access release:
•
•
•
The charts show which AV/AS product versions support virus or spyware definition checks and automatic update of client virus/spyware definition files via the user clicking the Update button on the Clean Access Agent.
For a summary of the product support that is added per version of the Supported AV/AS Product List or Clean Access Agent, see also:
•
You can access additional AV and AS product support information from the CAM web console under Device Management > Clean Access > Clean Access Agent > Rules > AV/AS Support Info.
Note
Note that Clean Access works in tandem with the installation schemes and mechanisms provided by supported AV/AS vendors. In the case of unforeseen changes to underlying mechanisms for AV/AS products by vendors, the Cisco NAC Appliance team will update the Supported AV/AS Product List and/or Clean Access Agent in the timeliest manner possible in order to support the new AV/AS product changes. In the meantime, administrators can always use the "custom" rule workaround for the AV/AS product (such as pc_checks/pr_ rules) and configure the requirement for "Any selected rule succeeds."
Clean Access AV Support Chart (Windows Vista/XP/2000)
Table 5 lists Windows Vista/XP/2000 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 6 for Windows ME/98).
Table 5 Clean Access Antivirus Product Support Chart (Windows Vista/XP/2000)
Version 72, 4.1.7.0 Agent, CAM/CAS Release 4.1(6) (Sheet 1 of 13)
(Minimum Agent Version Needed)1TrustPort Antivirus
2.x
yes (4.0.6.0)
-
yes
avast! Antivirus
4.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
avast! Antivirus (managed)
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
avast! Antivirus Professional
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
AVG 8.0 [AntiVirus]
8.x
yes (4.1.3.2)
yes (4.1.7.0)
yes
AVG Anti-Virus Free
8.x
yes (4.1.6.0)
yes (4.1.7.0)
yes
AhnLab Security Pack
2.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
AhnLab V3 Internet Security 2007
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
AhnLab V3 Internet Security 2007 Platinum
7.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
AhnLab V3 Internet Security 2008 Platinum
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
AhnLab V3 Internet Security 7.0 Platinum Enterprise
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
V3 VirusBlock 2005
6.x
yes (4.1.2.0)
yes (4.1.2.0)
-
V3Pro 2004
6.x
yes (3.5.10.1)
yes (3.5.12)
yes
AOL Safety and Security Center Virus Protection
1.x
yes (3.5.11.1)
yes (3.5.11.1)
-
AOL Safety and Security Center Virus Protection
102.x
yes (4.0.4.0)
yes (4.0.4.0)
-
AOL Safety and Security Center Virus Protection
2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Virus Protection
210.x
yes (4.0.4.0)
yes (4.0.4.0)
-
Active Virus Shield
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Command Anti-Virus Enterprise
4.x
yes (3.5.0)
yes (3.5.0)
yes
Command AntiVirus for Windows
4.x
yes (3.5.0)
yes (3.5.0)
yes
Command AntiVirus for Windows Enterprise
4.x
yes (3.5.2)
yes (3.5.2)
yes
Cox High Speed Internet Security Suite
3.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Avira AntiVir PersonalEdition Classic
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Avira AntiVir PersonalEdition Premium
7.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Avira AntiVir Premium
8.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
Avira AntiVir Professional
8.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
Avira AntiVir Windows Workstation
7.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Avira Premium Security Suite
7.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
Avira Premium Security Suite
8.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
Rising Antivirus Network Edition
20.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Rising Antivirus Software AV
17.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
Rising Antivirus Software AV
18.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
Rising Antivirus Software AV
19.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Rising Antivirus Software AV
20.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BellSouth Internet Security Anti-Virus
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
BullGuard 7.0
7.x
yes (4.1.2.0)
yes (4.1.2.0)
-
BullGuard 8.0
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BullGuard Gamers Edition
8.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
Quick Heal AntiVirus Lite
9.5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Quick Heal AntiVirus Plus
9.5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
ZoneAlarm (AntiVirus)
7.0.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
ZoneAlarm (AntiVirus)
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Anti-virus
7.0.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
ZoneAlarm Anti-virus
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Security Suite Antivirus
7.0.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
ZoneAlarm Security Suite Antivirus
7.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
ZoneAlarm Security Suite Antivirus
8.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
ClamAV
devel-x
yes (4.0.6.0)
yes (4.0.6.0)
yes
ClamWin Antivirus
0.x
yes (3.5.2)
yes (3.5.2)
yes
ClamWin Free Antivirus
0.x
yes (3.5.4)
yes (3.5.4)
yes
Comodo BOClean Anti-Malware
4.25.x
yes (4.1.6.0)
-
yes
CA Anti-Virus
10.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
CA Anti-Virus
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA Anti-Virus
9.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
CA eTrust Antivirus
7.x
yes (3.5.0)
yes (3.5.0)
yes
CA eTrust Internet Security Suite AntiVirus
7.x
yes (3.5.11)
yes (3.5.11)
yes
CA eTrustITM Agent
8.x
yes (3.5.12)
yes (3.5.12)
yes
eTrust Antivirus
6.0.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
eTrust EZ Antivirus
6.1.x
yes (3.5.3)
yes (3.5.8)
yes
eTrust EZ Antivirus
6.2.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
6.4.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
7.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Armor
6.1.x
yes (3.5.0)
yes (3.5.8)
yes
eTrust EZ Armor
6.2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eTrust EZ Armor
7.x
yes (3.5.0)
yes (3.5.0)
yes
Defender Pro Anti-Virus
5.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Aluria Security Center AntiVirus
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
EarthLink Protection Control Center AntiVirus
1.x
yes (3.5.10.1)
yes (3.5.10.1)
-
EarthLink Protection Control Center AntiVirus
2.x
yes (4.0.5.1)
yes (4.0.5.1)
-
EarthLink Protection Control Center AntiVirus
3.x
yes (4.1.3.0)
yes (4.1.3.0)
-
ESET NOD32 Antivirus
3.x
yes (4.1.3.2)
yes (4.1.3.2)
-
ESET Smart Security
3.x
yes (4.1.6.0)
yes (4.1.6.0)
-
NOD32 Antivirus System
x
yes (4.1.3.2)
yes (4.1.3.2)
yes
NOD32 antivirus System
x
yes (4.1.3.2)
yes (4.1.3.2)
yes
NOD32 antivirus system
2.x
yes (3.5.5)
yes (3.5.5)
yes
NOD32 antivirus system
x
yes (4.1.3.2)
yes (4.1.3.2)
yes
F-Secure Anti-Virus
5.x
yes (3.5.0)
yes (3.5.0)
yes
F-Secure Anti-Virus
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Anti-Virus
7.x
yes (4.0.4.0)
yes (4.0.4.0)
-
F-Secure Anti-Virus 2005
5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Anti-Virus Client Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Anti-Virus for Windows Servers
5.x
yes (4.1.3.2)
yes (4.1.3.2)
-
F-Secure Internet Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
F-Secure Internet Security
7.x
yes (4.0.4.0)
yes (4.0.4.0)
-
F-Secure Internet Security
8.x
yes (4.1.6.0)
yes (4.1.6.0)
-
F-Secure Internet Security 2005
5.x
yes (4.1.3.0)
yes (4.1.3.0)
-
F-Secure Internet Security 2006 Beta
6.x
yes (3.5.8)
yes (3.5.8)
yes
FortiClient Consumer Edition
3.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
F-PROT Antivirus for Windows
6.0.x
yes (4.0.5.1)
yes (4.0.5.1)
-
F-Prot for Windows
3.14e
yes (3.5.0)
yes (3.5.0)
yes
F-Prot for Windows
3.15
yes (3.5.0)
yes (3.5.0)
yes
F-Prot for Windows
3.16c
yes (3.5.11)
yes (3.5.11)
yes
F-Prot for Windows
3.16d
yes (3.5.11)
yes (3.5.11)
yes
F-Prot for Windows
3.16x
yes (3.5.11.1)
yes (3.5.11.1)
yes
AntiVirusKit 2006
2006.x
yes (4.1.0.0)
yes (4.1.0.0)
-
G DATA AntiVirus 2008
18.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
G DATA AntiVirusKit
17.x
yes (4.1.3.0)
yes (4.1.3.0)
-
G DATA InternetSecurity [Antivirus]
17.x
yes (4.1.3.0)
yes (4.1.3.0)
-
G DATA InternetSecurity [Antivirus]
18.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
G DATA TotalCare [Antivirus]
18.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
AVG 6.0 Anti-Virus - FREE Edition
6.x
yes (3.5.0)
yes (3.5.0)
-
AVG 6.0 Anti-Virus System
6.x
yes (3.5.0)
yes (3.5.0)
-
AVG 7.5
7.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
AVG Anti-Virus 7.0
7.x
yes (3.5.0)
yes (3.5.0)
yes
AVG Anti-Virus 7.1
7.x
yes (3.6.3.0)
yes (3.6.3.0)
yes
AVG Antivirensystem 7.0
7.x
yes (3.5.0)
yes (3.5.0)
yes
AVG Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
Antivirussystem AVG 6.0
6.x
yes (3.5.0)
yes (3.5.0)
-
AntiVir PersonalEdition Classic Windows
7.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
AntiVir/XP
6.x
yes (3.5.0)
yes (3.5.0)
yes
ViRobot Desktop
5.0.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ViRobot Desktop
5.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
IKARUS Guard NT
2.x
yes (4.0.6.0)
yes (4.0.6.0)
-
IKARUS virus utilities
5.x
yes (4.0.6.0)
yes (4.0.6.0)
-
Proventia Desktop
10.x
yes (4.1.6.0)
yes (4.1.6.0)
-
Proventia Desktop
8.x
yes (4.0.6.0)
-
-
Proventia Desktop
9.x
yes (4.0.6.0)
yes (4.0.6.0)
-
Jiangmin AntiVirus KV2007
10.x
yes (4.1.3.0)
-
yes
Jiangmin AntiVirus KV2008
11.x
yes (4.1.7.0)
-
yes
K7 Total Security
9.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
K7AntiVirus 7.0
7.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
Kaspersky Anti-Virus 2006 Beta
6.0.x
yes (3.5.8)
yes (3.5.8)
-
Kaspersky Anti-Virus 2009
8.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
Kaspersky Anti-Virus 6.0
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Anti-Virus 6.0 Beta
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Anti-Virus 7.0
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Kaspersky Anti-Virus Personal
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky Anti-Virus Personal
5.0.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky Anti-Virus Personal Pro
5.0.x
yes (3.5.11)
yes (3.5.11)
yes
Kaspersky Anti-Virus for Windows File Servers
5.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Kaspersky Anti-Virus for Windows File Servers
6.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Kaspersky Anti-Virus for Windows Servers
6.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Kaspersky Anti-Virus for Windows Workstations
5.0.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Kaspersky Anti-Virus for Windows Workstations
6.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
Kaspersky Anti-Virus for Workstation
5.0.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Kaspersky Internet Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kaspersky Internet Security 7.0
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Kaspersky Internet Security 8.0
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Kaspersky(TM) Anti-Virus Personal 4.5
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kaspersky(TM) Anti-Virus Personal Pro 4.5
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
Kingsoft AntiVirus 2004
2004.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kingsoft AntiVirus 2007 Free
2007.x
yes (4.1.3.2)
yes (4.1.3.2)
-
Kingsoft Internet Security
7.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
Kingsoft Internet Security 2006 +
2006.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kingsoft Internet Security 9
2008.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Lavasoft Ad-Aware 2008 Professional [Antivirus]
7.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
McAfee Internet Security 6.0
8.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee Managed VirusScan
3.x
yes (3.5.8)
yes (3.5.8)
yes
McAfee Managed VirusScan
4.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
McAfee VirusScan
10.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee VirusScan
11.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee VirusScan
12.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
McAfee VirusScan
13.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
McAfee VirusScan
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
8.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
9.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan
9xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.0.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.1.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
7.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Enterprise
8.7.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
McAfee VirusScan Enterprise
8.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
McAfee VirusScan Home Edition
7.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
McAfee VirusScan Professional
8.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan Professional
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Professional
9.x
yes (3.5.1)
yes (3.5.1)
yes
McAfee VirusScan Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
Total Protection for Small Business
4.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
eScan Anti-Virus (AV) for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Corporate for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Internet Security for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Professional for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
eScan Virus Control (VC) for Windows
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Microsoft Forefront Client Security
1.5.x
yes (4.0.5.0)
yes (4.0.5.0)
-
Windows Live OneCare
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Windows Live OneCare
2.x
yes (4.1.3.2)
yes (4.1.3.2)
-
Windows OneCare Live
0.8.x
yes (3.5.11.1)
-
-
Virus Chaser
5.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
Norman Virus Control
5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norman Virus Control
7.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
Omniquad Total Security AV
9.x
yes (4.1.7.0)
yes (4.1.7.0)
-
PC Tools AntiVirus 2.0
2.x
yes (4.1.3.0)
yes (4.1.3.0)
-
PC Tools AntiVirus 2007
3.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
PC Tools AntiVirus 2008
4.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
PC Tools AntiVirus 2008
5.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
PC Tools Internet Security [Antivirus]
5.x
yes (4.1.3.0)
yes (4.1.3.0)
-
PC Tools Internet Security [Antivirus]
6.x
yes (4.1.7.0)
yes (4.1.7.0)
-
PC Tools Spyware Doctor [Antivirus]
5.x
yes (4.1.3.2)
-
-
PC Tools Spyware Doctor [Antivirus]
6.x
yes (4.1.7.0)
-
-
Spyware Doctor [Antivirus]
5.x
yes (4.1.3.2)
yes (4.1.3.2)
-
ThreatFire 3.0
3.x
yes (4.1.3.0)
-
-
ThreatFire 3.5
3.5.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
Panda Antivirus + Firewall 2007
6.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Panda Antivirus + Firewall 2008
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Panda Antivirus 2007
2.x
yes (4.0.4.0)
yes (4.0.4.0)
-
Panda Antivirus 2008
3.x
yes (4.0.6.1)
yes (4.0.6.1)
-
Panda Antivirus 6.0 Platinum
6
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus Lite
1.x
yes (3.5.0)
yes (3.5.0)
-
Panda Antivirus Lite
3.x
yes (3.5.9)
yes (3.5.9)
-
Panda Antivirus Platinum
7.04.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus Platinum
7.05.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus Platinum
7.06.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Antivirus Pro 2009
8.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
Panda Client Shield
4.x
yes (4.0.4.0)
yes (4.0.4.0)
-
Panda Internet Security 2007
11.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Panda Internet Security 2008
12.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Panda Internet Security 2009
14.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
Panda Platinum 2005 Internet Security
9.x
yes (3.5.3)
yes (3.5.3)
yes
Panda Platinum 2006 Internet Security
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
Panda Platinum Internet Security
8.03.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium 2006 Antivirus + Antispyware
5.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
Panda Titanium Antivirus 2004
3.00.00
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium Antivirus 2004
3.01.x
yes (3.5.0)
yes (3.5.0)
yes
Panda Titanium Antivirus 2004
3.02.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Panda Titanium Antivirus 2005
4.x
yes (3.5.1)
yes (3.5.1)
yes
Panda TruPrevent Personal 2005
2.x
yes (3.5.3)
yes (3.5.3)
yes
Panda TruPrevent Personal 2006
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
WebAdmin Client Antivirus
3.x
yes (3.5.11)
yes (3.5.11)
-
Radialpoint Security Services Virus Protection
6.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Radialpoint Security Services Virus Protection
7.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Radialpoint Virus Protection
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Zero-Knowledge Systems Radialpoint Security Services Virus Protection
6.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
BitDefender 8 Free Edition
8.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 8 Professional Plus
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 8 Standard
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 9 Internet Security AntiVirus
9.x
yes (3.5.11.1)
yes (3.5.11.1)
-
BitDefender 9 Professional Plus
9.x
yes (3.5.8)
yes (3.5.8)
yes
BitDefender 9 Standard
9.x
yes (3.5.8)
yes (3.5.8)
yes
BitDefender Antivirus 2008
11.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BitDefender Antivirus Plus v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Antivirus v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Client Professional Plus
8.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BitDefender Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Free Edition v10
10.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BitDefender Internet Security 2008
11.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BitDefender Internet Security v10
10.x
yes (4.0.4.0)
yes (4.0.4.0)
yes
BitDefender Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Standard Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Total Security 2008
11.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
BitDefender Total Security 2009
12.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Dr.Web
4.32.x
yes (3.5.0)
yes (3.5.0)
yes
Dr.Web
4.33.x
yes (3.5.11.1)
yes (3.5.11.1)
yes
Dr.Web
4.44.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
SecureIT [Antivirus]
1.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Sereniti Antivirus
1.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
The River Home Network Security Suite
1.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Sophos Anti-Virus
3.x
yes (3.5.3)
yes (3.5.3)
-
Sophos Anti-Virus
4.x
yes (3.6.3.0)
yes (3.6.3.0)
-
Sophos Anti-Virus
5.x
yes (3.5.3)
yes (3.5.3)
yes
Sophos Anti-Virus
6.x
yes (4.0.1.0)
yes (4.0.1.0)
yes
Sophos Anti-Virus
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Sophos Anti-Virus version 3.80
3.8
yes (3.5.0)
yes (3.5.0)
-
Norton 360 (Symantec Corporation)
1.x
yes (4.1.1.0)
yes (4.1.1.0)
yes
Norton 360 (Symantec Corporation)
2.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Norton AntiVirus
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus
14.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norton AntiVirus
15.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Norton AntiVirus
16.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Norton AntiVirus 2002
8.00.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton AntiVirus 2002 Professional
8.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002 Professional Edition
8.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional Edition
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 (Symantec Corporation)
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 Professional
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 Professional Edition
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2005
11.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2006
12.0.x
yes (3.5.5)
yes (3.5.5)
yes
Norton AntiVirus 2006
12.x
yes (3.5.5)
yes (3.5.5)
yes
Norton AntiVirus Corporate Edition
7.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
16.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Norton Internet Security
7.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.2.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton Internet Security
9.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
Norton Internet Security (Symantec Corporation)
10.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Norton Security Scan
1.x
yes (4.1.3.0)
yes (4.1.3.0)
-
Norton SystemWorks 2003
6.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2004 Professional
7.x
yes (3.5.4)
yes (3.5.4)
yes
Norton SystemWorks 2005
8.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2005 Premier
8.x
yes (3.5.3)
yes (3.5.3)
yes
Norton SystemWorks 2006 Premier
12.0.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Symantec AntiVirus
10.x
yes (3.5.3)
yes (3.5.3)
yes
Symantec AntiVirus
9.x
yes (3.5.0)
yes (3.5.0)
yes
Symantec AntiVirus Client
8.x
yes (3.5.0)
yes (3.5.0)
yes
Symantec AntiVirus Server
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Symantec AntiVirus Win64
10.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Symantec Client Security
10.x
yes (3.5.3)
yes (3.5.3)
yes
Symantec Client Security
9.x
yes (3.5.0)
yes (3.5.0)
yes
Symantec Endpoint Protection
11.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Symantec Scan Engine
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
PC-cillin 2002
9.x
yes (3.5.1)
yes (3.5.1)
-
PC-cillin 2003
10.x
yes (3.5.0)
yes (3.5.0)
-
ServerProtect
5.x
yes (4.1.0.0)
yes (3.6.5.0)
-
Trend Micro Anti-Virus
17.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Trend Micro AntiVirus
15.x
yes (3.6.5.0)
yes (3.6.5.0)
-
Trend Micro AntiVirus
16.x
yes (4.1.3.0)
yes (4.1.3.0)
-
Trend Micro Antivirus
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro Client/Server Security
6.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Trend Micro Client/Server Security Agent
15.x
yes (4.1.6.0)
yes (4.1.6.0)
-
Trend Micro Client/Server Security Agent
7.x
yes (3.5.12)
yes (3.5.12)
yes
Trend Micro HouseCall
1.x
yes (4.0.1.0)
yes (4.0.1.0)
-
Trend Micro Internet Security
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro Internet Security
12.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
16.x
yes (4.1.3.0)
yes (4.1.3.0)
-
Trend Micro Internet Security
17.x
yes (4.1.6.0)
yes (4.1.6.0)
-
Trend Micro OfficeScan Client
5.x
yes (3.5.1)
yes (3.5.1)
yes
Trend Micro OfficeScan Client
6.x
yes (3.5.1)
yes (3.5.1)
yes
Trend Micro OfficeScan Client
7.x
yes (3.5.3)
yes (3.5.3)
yes
Trend Micro OfficeScan Client
8.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Trend Micro PC-cillin 2004
11.x
yes (3.5.0)
yes (3.5.0)
yes
Trend Micro PC-cillin Internet Security 12
12.x
yes (4.0.1.0)
yes (4.0.1.0)
-
Trend Micro PC-cillin Internet Security 14
14.x
yes (4.0.1.0)
yes (4.0.1.0)
yes
Trend Micro PC-cillin Internet Security 2005
12.x
yes (3.5.3)
yes (3.5.3)
yes
Trend Micro PC-cillin Internet Security 2006
14.x
yes (3.5.8)
yes (3.5.8)
yes
Trend Micro PC-cillin Internet Security 2007
15.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Fix-It Utilities 7 Professional [AntiVirus]
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Fix-It Utilities 8 Professional [AntiVirus]
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
SystemSuite 7 Professional [AntiVirus]
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
SystemSuite 8 Professional [AntiVirus]
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
VCOM Fix-It Utilities Professional 6 [AntiVirus]
6.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
VCOM SystemSuite Professional 6 [AntiVirus]
6.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Verizon Internet Security Suite Anti-Virus
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Vba32 Personal
3.x
yes (4.1.6.0)
yes (4.1.6.0)
-
VirusBuster Professional
5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
VirusBuster for Windows Servers
5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
Webroot Spy Sweeper Enterprise Client with AntiVirus
4.x
yes (4.1.3.2)
-
-
Webroot Spy Sweeper with AntiVirus
5.x
yes (4.1.3.0)
yes (4.1.3.0)
-
AT&T Yahoo! Online Protection [AntiVirus]
7.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
SBC Yahoo! Anti-Virus
7.x
yes (3.5.10.1)
yes (3.5.10.1)
yes
Verizon Yahoo! Online Protection [AntiVirus]
7.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
ZoneAlarm Anti-virus
6.x
yes (3.5.5)
yes (3.5.5)
-
ZoneAlarm Security Suite
5.x
yes (3.5.0)
yes (3.5.0)
-
ZoneAlarm Security Suite
6.x
yes (3.5.5)
yes (3.5.5)
-
ZoneAlarm with Antivirus
5.x
yes (3.5.0)
yes (3.5.0)
-
eEye Digital Security Blink Personal
3.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
eEye Digital Security Blink Personal
4.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
eEye Digital Security Blink Professional
3.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
eEye Digital Security Blink Professional
4.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server.) If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.
Clean Access AV Support Chart (Windows ME/98)
Table 6 lists Windows ME/98 Supported AV Products as of the latest release of the Cisco NAC Appliance software. (See Table 5 for Windows Vista/XP/2000.)
Table 6 Clean Access Antivirus Product Support Chart (Windows ME/98)
Version 72, 4.1.6.0 Agent, CAM/CAS Release 4.1(6) (Sheet 1 of 2)
(Minimum Agent Version Needed)1Rising Antivirus Software AV
18.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
CA eTrust Antivirus
7.x
yes (3.5.3)
yes (3.5.3)
yes
eTrust EZ Antivirus
6.1.x
yes (3.5.0)
yes (3.5.8)
yes
eTrust EZ Antivirus
6.2.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
6.4.x
yes (3.5.0)
yes (3.5.0)
yes
eTrust EZ Antivirus
7.x
yes (3.5.3)
yes (3.5.3)
yes
eTrust EZ Armor
6.1.x
yes (3.5.3)
yes (3.5.8)
yes
McAfee Managed VirusScan
3.x
yes (3.5.8)
yes (3.5.8)
yes
McAfee VirusScan
10.x
yes (3.5.4)
yes (3.5.4)
yes
McAfee VirusScan
4.5.x
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan
8.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan
9.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional
8.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional
8xxx
yes (3.5.0)
yes (3.5.0)
yes
McAfee VirusScan Professional
9.x
yes (3.5.3)
yes (3.5.3)
yes
McAfee VirusScan Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
yes
BitDefender 8 Free Edition
8.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 8 Professional Plus
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 8 Standard
8.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender 9 Professional Plus
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender 9 Standard
9.x
yes (3.5.8)
yes (3.5.8)
-
BitDefender Free Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Professional Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
BitDefender Standard Edition
7.x
yes (3.5.0)
yes (3.5.0)
-
Norton AntiVirus
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.00.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2002
8.x
yes (3.5.1)
yes (3.5.1)
yes
Norton AntiVirus 2003
9.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2003 Professional Edition
9.x
yes (3.5.3)
yes (3.5.3)
yes
Norton AntiVirus 2004
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2004 (Symantec Corporation)
10.x
yes (3.5.0)
yes (3.5.0)
yes
Norton AntiVirus 2005
11.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.0.x
yes (3.5.0)
yes (3.5.0)
yes
Norton Internet Security
8.x
yes (3.5.1)
yes (3.5.1)
yes
Symantec AntiVirus
10.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Symantec AntiVirus
9.x
yes (3.5.8)
yes (3.5.3)
yes
Symantec AntiVirus Client
8.x
yes (3.5.9)
yes (3.5.9)
yes
PC-cillin 2003
10.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
11.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro Internet Security
12.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro OfficeScan Client
7.x
yes (4.0.5.0)
yes (4.0.5.0)
-
Trend Micro PC-cillin 2004
11.x
yes (3.5.0)
yes (3.5.0)
-
Trend Micro PC-cillin Internet Security 2005
12.x
yes (3.5.3)
yes (3.5.3)
-
1 "Yes" in the AV Checks Supported columns indicates the Agent supports the AV Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AV Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AV product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
3 For Symantec Enterprise products, the Clean Access Agent can initiate AV Update when Symantec Antivirus is in unmanaged mode. If using Symantec AV in managed mode, the administrator must allow/deny managed clients to run LiveUpdate via the Symantec management console (right-click the primary server, go to All Tasks -> Symantec Antivirus, select Definition Manager, and configure the policy to allow clients to launch LiveUpdate for agents managed by that management server.) If managed clients are not allowed to run LiveUpdate, the update button will be disabled on the Symantec GUI on the client, and updates can only be pushed from the server.
Clean Access AS Support Chart (Windows Vista/XP/2000)
Table 7 lists Windows Vista/XP/2000 Supported Antispyware Products as of the latest release of the Cisco Clean Access software.
Table 7 Clean Access Antispyware Product Support Chart (Windows Vista/XP/2000)
Version 72, 4.1.7.0 Agent, CAM/CAS Release 4.1(6) (Sheet 1 of 7)
(Minimum Agent Version Needed)1AVG 8.0 [AntiSpyware]
8.x
yes (4.1.3.2)
-
yes
Outpost Firewall Pro 2008 [AntiSpyware]
6.x
yes (4.1.3.2)
yes (4.1.3.2)
-
AhnLab SpyZero 2.0
2.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
AhnLab SpyZero 2007
3.x
yes (3.6.5.0)
yes (3.6.5.0)
yes
AhnLab V3 Internet Security 2007 Platinum AntiSpyware
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
AhnLab V3 Internet Security 2008 Platinum AntiSpyware
7.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
AhnLab V3 Internet Security 7.0 Platinum Enterprise AntiSpyware
7.x
yes (4.1.2.0)
yes (4.1.2.0)
yes
AOL Safety and Security Center Spyware Protection
2.0.x
yes (4.1.0.0)
-
-
AOL Safety and Security Center Spyware Protection
2.1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.3.x
yes (4.1.0.0)
yes (4.1.0.0)
-
AOL Safety and Security Center Spyware Protection
2.x
yes (3.6.1.0)
yes (3.6.1.0)
-
AOL Spyware Protection
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
AOL Spyware Protection
2.x
yes (3.6.0.0)
yes (4.1.3.0)
-
Anonymizer Anti-Spyware
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Anonymizer Anti-Spyware
3.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Cox High Speed Internet Security Suite
3.x
yes (4.0.4.0)
-
yes
BellSouth Internet Security Anti-Spyware
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
ZoneAlarm (AntiSpyware)
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Anti-Spyware
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Pro Antispyware
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
ZoneAlarm Pro Antispyware
8.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
ZoneAlarm Security Suite Antispyware
7.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
ZoneAlarm Security Suite Antispyware
8.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
CA eTrust Internet Security Suite AntiSpyware
10.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
CA eTrust Internet Security Suite AntiSpyware
11.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
CA eTrust Internet Security Suite AntiSpyware
5.x
yes (3.6.1.0)
yes (3.6.1.0)
yes
CA eTrust Internet Security Suite AntiSpyware
8.x
yes (4.1.2.0)
yes (4.1.2.0)
yes
CA eTrust Internet Security Suite AntiSpyware
9.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA eTrust PestPatrol
5.x
yes (3.6.1.0)
yes (4.0.6.0)
yes
CA eTrust PestPatrol Anti-Spyware
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
CA eTrust PestPatrol Anti-Spyware Corporate Edition
5.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
CA eTrustITM Agent (AntiSpyware)
8.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
PestPatrol Corporate Edition
4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
PestPatrol Standard Edition (Evaluation)
4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Aluria Security Center AntiSpyware
1.x
yes (4.1.0.0)
yes (4.1.0.0)
-
EarthLink Protection Control Center AntiSpyware
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
EarthLink Protection Control Center AntiSpyware
2.x
yes (4.0.6.0)
-
-
EarthLink Protection Control Center AntiSpyware
3.x
yes (4.1.3.0)
-
-
Primary Response SafeConnect
2.x
yes (3.6.5.0)
-
-
F-Secure (AntiSpyware)
7.x
yes (4.1.3.0)
yes (4.1.3.0)
-
F-Secure Internet Security (AntiSpyware)
7.x
yes (4.1.3.0)
yes (4.1.3.0)
-
F-Secure Internet Security (AntiSpyware)
8.x
yes (4.1.7.0)
yes (4.1.7.0)
-
X-Cleaner Deluxe
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
AVG Anti-Malware [AntiSpyware]
7.x
yes (4.1.2.0)
-
-
AVG Anti-Spyware 7.5
7.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Javacool SpywareBlaster
4.x
yes (4.1.6.0)
yes (4.1.6.0)
-
SpywareBlaster v3.1
3.1.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.2
3.2.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.3
3.3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.4
3.4.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
SpywareBlaster v3.5.1
3.5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Kingsoft AntiSpyware 2007 Free
2007.x
yes (4.1.3.2)
yes (4.1.3.2)
-
Kingsoft Internet Security [AntiSpyware]
7.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Ad-Aware 2007
7.x
yes (4.1.3.0)
-
-
Ad-Aware 2007 Professional
7.x
yes (4.0.6.1)
-
yes
Ad-Aware SE Personal
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Ad-Aware SE Professional
1.x
yes (3.6.1.0)
yes (3.6.1.0)
yes
Ad-aware 6 Professional
6.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Lavasoft Ad-Aware 2008
7.x
yes (4.1.6.0)
-
-
Lavasoft Ad-Aware 2008 Professional
7.x
yes (4.1.6.0)
-
yes
McAfee Anti-Spyware Enterprise Module
8.0.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
McAfee AntiSpyware
1.5.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware
1.x
yes (3.6.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware
2.0.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
McAfee AntiSpyware
2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware Enterprise
8.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
McAfee AntiSpyware Enterprise Module
8.5.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
McAfee AntiSpyware Enterprise Module
8.7.x
yes (4.1.6.0)
yes (4.1.6.0)
yes
McAfee VirusScan AS
11.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
McAfee VirusScan AS
12.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
McAfee VirusScan AS
13.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
Spyware Begone
4.x
yes (3.6.0.0)
-
-
Spyware Begone
6.x
yes (4.1.0.0)
-
-
Spyware Begone
8.x
yes (4.1.0.0)
-
-
Spyware Begone Free Scan
7.x
yes (3.6.0.0)
-
-
Spyware Begone V7.30
7.30.x
yes (3.6.1.0)
-
-
Spyware Begone V7.40
7.40.x
yes (3.6.1.0)
-
-
Spyware Begone V7.95
7.95.x
yes (4.1.0.0)
-
-
Spyware Begone V8.20
8.20.x
yes (4.1.0.0)
-
-
Spyware Begone V8.25
8.25.x
yes (4.1.0.0)
-
-
Spyware Begone! Version 9
9.x
yes (4.1.3.2)
-
-
Microsoft AntiSpyware
1.x
yes (4.0.6.0)
-
yes
Windows Defender
1.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Windows Defender Vista
1.x
yes (4.0.5.0)
yes (4.0.5.0)
yes
Spy Emergency 2008
5.x
yes (4.1.7.0)
-
-
Omniquad Total Security
2.0.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Omniquad Total Security
3.0.x
yes (4.1.7.0)
yes (4.1.7.0)
-
PC Tools Internet Security [Antispyware]
5.x
yes (4.1.3.0)
-
-
PC Tools Internet Security [Antispyware]
6.x
yes (4.1.7.0)
-
-
PC Tools Spyware Doctor
5.x
yes (4.1.3.2)
-
yes
PC Tools Spyware Doctor
6.x
yes (4.1.7.0)
-
yes
Spyware Doctor
4.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor
5.x
yes (4.0.6.0)
-
yes
Spyware Doctor 3.0
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.1
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.2
3.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spyware Doctor 3.5
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor 3.8
3.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Spyware Doctor [AntiSpyware]
5.x
yes (4.1.3.2)
-
yes
Panda Titanium 2006 Antivirus + Antispyware [AntiSpyware]
5.x
yes (4.1.3.2)
yes (4.1.3.2)
-
Prevx Home
2.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Prevx1
1.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Prevx1
2.x
yes (4.1.0.0)
yes (4.1.0.0)
yes
Radialpoint Security Services Spyware Protection
6.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Radialpoint Security Services Spyware Protection
7.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Radialpoint Spyware Protection
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Zero-Knowledge Systems Radialpoint Security Services Spyware Protection
6.x
yes (4.0.6.0)
yes (4.0.6.0)
yes
BitDefender 9 Antispyware
9.x
yes (4.1.0.0)
yes (4.1.0.0)
-
BitDefender 9 Internet Security AS
9.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BitDefender Antivirus Plus v10 AS
10.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BitDefender Antivirus v10 AS
10.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
BitDefender Internet Security v10 AS
10.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
SUPERAntiSpyware Free Edition
4.x
yes (4.1.7.0)
yes (4.1.7.0)
-
SUPERAntiSpyware Professional
4.x
yes (4.1.7.0)
yes (4.1.7.0)
-
Spybot - Search & Destroy 1.3
1.3
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spybot - Search & Destroy 1.4
1.4
yes (3.6.0.0)
yes (3.6.0.0)
yes
Spybot - Search & Destroy 1.5
1.x
yes (4.0.6.1)
yes (4.0.6.1)
-
Spybot - Search & Destroy 1.6
1.6.x
yes (4.1.7.0)
yes (4.1.7.0)
yes
Sereniti Antispyware
1.x
yes (4.0.6.0)
-
yes
The River Home Network Security Suite Antispyware
1.x
yes (4.0.6.0)
-
yes
CounterSpy Enterprise Agent
1.8.x
yes (4.0.6.0)
-
-
CounterSpy Enterprise Agent
2.0.x
yes (4.1.3.0)
-
-
Sunbelt CounterSpy
1.x
yes (3.6.0.0)
-
yes
Sunbelt CounterSpy
2.x
yes (4.0.6.0)
-
yes
Norton AntiVirus [AntiSpyware]
16.x
yes (4.1.7.0)
-
-
Norton Internet Security AntiSpyware
15.x
yes (4.1.3.0)
-
-
Norton Internet Security [AntiSpyware]
16.x
yes (4.1.7.0)
-
-
Norton Spyware Scan
2.x
yes (4.1.0.0)
yes (4.1.0.0)
-
Trend Micro Anti-Spyware
3.5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Trend Micro Anti-Spyware
3.x
yes (3.6.0.0)
-
-
Trend Micro PC-cillin Internet Security 2007 AntiSpyware
15.x
yes (4.1.0.0)
yes (4.1.3.2)
yes
Fix-It Utilities 7 Professional [AntiSpyware]
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
Fix-It Utilities 8 Professional [AntiSpyware]
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
SystemSuite 7 Professional [AntiSpyware]
7.x
yes (4.0.5.1)
yes (4.0.5.1)
yes
SystemSuite 8 Professional [AntiSpyware]
8.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
VCOM Fix-It Utilities Professional 6 [AntiSpyware]
6.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
VCOM SystemSuite Professional 6 [AntiSpyware]
6.x
yes (4.1.3.0)
yes (4.1.3.0)
yes
Verizon Internet Security Suite Anti-Spyware
5.x
yes (4.0.5.1)
yes (4.0.5.1)
-
Spy Sweeper
3.x
yes (3.6.0.0)
-
-
Spy Sweeper
4.x
yes (3.6.0.0)
-
-
Spy Sweeper
5.0.x
yes (4.1.3.0)
-
-
Spy Sweeper
5.x
yes (4.1.0.0)
-
-
Webroot Spy Sweeper Enterprise Client
1.x
yes (3.6.0.0)
-
-
Webroot Spy Sweeper Enterprise Client
2.x
yes (3.6.1.0)
-
-
Webroot Spy Sweeper Enterprise Client
3.5.x
yes (4.1.3.2)
-
-
Webroot Spy Sweeper Enterprise Client
3.x
yes (4.0.5.1)
-
-
AT&T Yahoo! Online Protection
2006.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
CA Yahoo! Anti-Spy
2.x
yes (4.1.3.2)
yes (4.1.7.0)
yes
SBC Yahoo! Applications
2005.x
yes (3.6.0.0)
yes (3.6.0.0)
yes
Verizon Yahoo! Online Protection
2005.x
yes (4.0.6.1)
yes (4.0.6.1)
yes
Yahoo! Anti-Spy
1.x
yes (3.6.0.0)
yes (3.6.0.0)
-
Integrity Agent
6.x
yes (4.1.2.0)
yes (4.1.2.0)
-
ZoneAlarm Pro (AntiSpyware)
6.x
yes (4.1.6.0)
yes (4.1.6.0)
-
STOPzilla
5.x
yes (4.1.3.2)
yes (4.1.3.2)
yes
1 "Yes" in the AS Checks Supported columns indicates the Agent supports the AS Rule check for the product starting from the version of the Agent listed in parentheses (CAM automatically determines whether to use Def Version or Def Date for the check).
2 The Live Update column indicates whether the Agent supports live update for the product via the Agent Update button (configured by AS Definition Update requirement type). For products that support "Live Update," the Agent launches the update mechanism of the AS product when the Update button is clicked. For products that do not support this feature, the Agent displays a message popup. In this case, administrators can configure a different requirement type (such as "Local Check") to present alternate update instructions to the user.
Supported AV/AS Product List Version Summary
Table 8 details enhancements made per version of the Supported Antivirus/Antispyware Product List. See Clean Access Supported AV/AS Product List for the latest Supported AV list as of the latest release. See New and Changed Information for the release feature list.
Caveats
This section describes the following caveats:
•
•
•
•
Note
http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl
To become a registered cisco.com user, go to the following website:
http://tools.cisco.com/RPF/register/register.do
Open Caveats - Release 4.1(6)
Note
Resolved Caveats - Agent Version 4.1.7.0
Refer to Windows Clean Access Agent Version 4.1.7.0 and Enhancements in Release 4.1(6) for additional information.
Resolved Caveats - Agent Version 4.1.6.0
Refer to Cisco NAC Appliance Agents and Enhancements in Release 4.1(6) for additional information.
Resolved Caveats - Release 4.1(6)
Refer to Enhancements in Release 4.1(6) for additional information.
Table 12 List of Resolved Caveats (Sheet 1 of 2)
CSCsm96148
Yes
VPN SSO log out feature does not work
The VPN SSO logo ut feature does not log users out of Cisco NAC Appliance when the VPN session has already closed.
CSCsm82486
Yes
CAM Web Console slow and java process taking 99% CPU
The "Device List" and "Profile" from the web console Administration menu on a release 4.1(3) CAM hosting approximately 1000 users are opening very slowly. Investigation reveals that the CAM is utilizing 99.9% of the CPU for the JAVA process.
Workaround
Turn off the CSRF Filter on the CAM in /perfigo/control/tomcat/normal-webapps/admin/WEB-INF/web.xml:
+ <!--<filter-mapping><filter-name>CSRFFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>+ -->CSCso16240
Yes
Web Redirect, Cisco NAC Web Agent, and Clean Access Agent do not work in VGW mode with dissimilar IP addresses
An HA-CAS pair configured in VGW mode with dissimilar IP addresses does not support web redirect, Web Agent, or Clean Access Agent in Cisco NAC Appliance Release 4.1.3.1.
Workaround
Install the CASs in a more "common" configuration, with both the eth0 and eth1 interfaces on the CASs in the same network with the same IP address.
Note
CSCso38182
Yes
Deleting a static route on one CAS deletes the same static route on all managed servers
If you create the same static route on two or more CASs and then delete the route on one server, all servers managed by the same CAM delete the route. This behavior has been observed in Cisco NAC Appliance Release 4.1.2.1.
Workaround
Recreate the deleted static routes.
CSCso46353
Yes
Users already in the Certified Device List (CDL) are prompted to enter credentials again
When a user connects to a CAS other than the one to which they were first connected (and they are already in the CDL), the user may be repeatedly prompted for their credentials.
This issue can occurs when there are multiple CASs in a campus network and a user moves from one CAS to another.
Workaround
Ensure that the user has been removed from the CDL.
CSCso68182
Yes
OpenSSH signal handling issue
The OpenSSH version (4.4) on Cisco NAC Appliance releases older than 4.1(6) introduce a potential signal handler race condition that can allow remote attackers to initiate a denial of service (DoS) attack and crash the system. This issue becomes a potential threat when GSSAPI authentication is enabled, thus allowing for unspecified vectors leading to a "double-free."
For more information, go to http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5051
There is no known workaround for this issue.
CSCso72123
Yes
AD SSO listen/accept thread exited on exception and fails to restart
AD SSO thread fails to automatically restart if the thread is abnormally exited.
Workaround
Manually restart the SSO service.
Known Issues for Cisco NAC Appliance
This section describes known issues when integrating Cisco NAC Appliance:
•
•
•
•
•
•
•
•
•
•
Note
Known Issues with HP ProLiant DL140 G3 Servers
The NAC-3310 appliance is based on the HP ProLiant DL140 G3 server and is subject to any BIOS/firmware upgrades required for the DL140 G3. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for detailed instructions.
Known Issue with NAC-3310 CD Installation
The NAC-3310 appliance (MANAGER and SERVER) requires you to enter the DL140 or serial_DL140 installation directive at the "boot:" prompt when you install new system software from a CD-ROM.
When following the CD-ROM system software installation procedures outlined in Chapter 2: "Installing the Clean Access Manager" of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(6) and Chapter 4: "Installing the Clean Access Server NAC Appliance" of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(6), users installing release 4.1(6) on a NAC-3310 appliance (both MANAGER and SERVER) from a CD-ROM are presented with the following prompt during the installation process:
Cisco Clean Access Installer (C) 2008 Cisco Systems, Inc.Welcome to the Cisco Clean Access Installer!- To install a Cisco Clean Access device, press the <ENTER> key.- To install a Cisco Clean Access device over a serial console, enter serial at the boot prompt and press the <ENTER> key.boot:The standard procedure asks you to press "Enter" or, if installing via serial console connection, enter serial at the "boot:" prompt, For release 4.1(6), however, NAC-3310 customers are required enter one of the following, instead:
•
•
After you enter either of these commands, the Package Group Selection screen appears where you can then specify whether you are setting up a Clean Access Manager or Clean Access Server and install the system software following the standard installation process.
Known Issues with NAC-3300 Series Appliances and Serial HA (Failover) Connection
When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances and any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.
Known Issues with Cisco NAC Profiler Release 2.1.7
Cisco NAC Appliance Release 4.1(6) does not support Cisco NAC Profiler Release 2.1.7. If you are planning to upgrade, and are currently running Cisco NAC Appliance Release 4.1(2) and Cisco NAC Profiler Release 2.1.7 on your network, it is recommended to upgrade your Cisco NAC Profiler system to a compatible release first (such as upcoming release 2.1.8) before upgrading your Cisco NAC Appliance machines to release 4.1(6).
Note
Note
Refer to the Release Notes for Cisco NAC Profiler for updated product information.
Known Issues with Switches
For complete details, see Switch Support for Cisco NAC Appliance.
Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
Due to changes in DHCP server operation with Cisco NAC Appliance release 4.0(2) and later, networks with Cisco 2200/4400 Wireless LAN Controllers (also known as Airespace WLCs) which relay requests to the Clean Access Server (operating as a DHCP server) may have issues. Client machines may be unable to obtain DHCP addresses. Refer to the "Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) and DHCP" section of Switch Support for Cisco NAC Appliance for detailed instructions.
Note
Known Issues with Broadcom NIC 5702/5703/5704 Chipsets
Customers running Cisco NAC Appliance release 4.1(6) on servers with 5702/5703/5704 Broadcom NIC cards may be impacted by caveat CSCsd74376. Server models with Broadcom 5702/5703/5704 NIC cards may include: Dell PowerEdge 850, CCA-3140-H1, HP ProLiant DL140 G2/ DL360/DL380. This issue involves the repeated resetting of the Broadcom NIC cards. The NIC cards do not recover from some of the resets causing the machine to become unreachable via the network.
For details, see the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).
Known Issues for Windows Vista and Agent Stub
Use "No UI" or "Reduced UI" Installation Option
When installing the 4.1.3.0 or later Clean Access Agent via stub installation on Windows Vista machines only, Cisco recommends not to use the Full UI Stub Installation Option. To avoid the appearance of 5-minute installation dialog delays caused by the Vista Interactive Service Detection Service, Cisco recommends using the No UI or Reduced UI option when configuring Stub Installation Options for Windows Vista client machines.
"Interactive Services Dialog Detection" and Uninstall
When non-admin users install/uninstall the Clean Access Agent through the Agent Stub service on Windows Vista, they will see an "Interactive Services Dialog Detection" dialog. If the user is installing, no input is required in the dialog session—it will automatically disappear. If the client machine is fast, the user may not even see the dialog appear at all, so the resulting behavior is as if the Agent gets silently installed after a few seconds. When uninstalling, however, the uninstall process does not complete until the user responds to a prompt inside the dialog.
This is expected behavior because, unlike earlier Windows operating systems, Windows Vista services run in an isolated session (session 0) from user sessions, and thus do not have access to video drivers. As a workaround for interactive services like the Agent Stub installer, Windows Vista uses an Interactive Service Detection Service to prompt users for user input for interactive services and enable access to dialogs created by interactive services. The "Interactive Service Detection Service" will automatically launch by default and, in most cases, users are not required to do anything. However, if the service is disabled for some reason, Agent installation by non-admin users will not function.
Known Issues with MSI Agent Installer
MSI File Name
The MSI installation package for each version of the full Windows Clean Access Agent (CCAAgent-<version>.msi) is available for download from the Cisco Software Download site at http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-agent
When downloading the Clean Access Agent MSI file from the Cisco Software Download site, you MUST rename the "CCAAgent-<version>.msi" file to "CCAAgent.msi" before installing it.
Renaming the file to "CCAAgent.msi" ensures that the install package can remove the previous version then install the latest version when upgrading the Agent on clients.
Minor Version Updates
You cannot upgrade minor version (4th digit) updates of the Clean Access Agent from the MSI package directly. You must uninstall the program from Add/Remove programs first before installing the new version. Refer to CSCsm20655 for details.
See also Troubleshooting for additional Agent- related information.
Known Issue with Windows 2000 Clean Access Agent/Local DB Authentication
When a user logs in via the Clean Access Agent on a Windows 2000 machine with a username/password linked to the "Local DB" provider and must validate a requirement (in a test environment, for example), the Agent returns a "The application experienced an internal error loading the SSL libraries (12157)" error message. Following the error message, the Agent remains in the login state even though it is not actually logged in and the user must either stop the process or restart the client machine for the Agent login dialog to re-appear. (Requirements are not validated and the CAM does not create an Agent report for the Windows 2000 session, so it can be difficult to determine which requirement fails.)
Known Issue with Windows 98/ME/2000 and Windows Script 5.6
Windows Script 5.6 is required for proper functioning of the Clean Access Agent in release 3.6(x) and later. Most Windows 2000 and older operating systems come with Windows Script 5.1 components. Microsoft automatically installs the new 5.6 component on performing Windows updates. Windows installer components 2.0 and 3.0 also require Windows Script 5.6. However, PC machines with a fresh install of Windows 98, ME, or 2000 that have never performed Windows updates will not have the Windows Script 5.6 component. Cisco Clean Access cannot redistribute this component as it is not provided by Microsoft as a merge module/redistributable.
In this case, administrators will have to access the MSDN website to get this component and upgrade to Windows Script 5.6. For convenience, links to the component from MSDN are listed below:
Win 98, ME, NT 4.0:
Filename: scr56en.exe
Win 2000, XP:
Filename: scripten.exe
Tip
New Installation of Release 4.1(6)
If you are performing a new CD software installation of Cisco NAC Appliance (Cisco Clean Access) on the Cisco NAC Appliance 3300 Series server hardware platform, use the steps described below.
If re-imaging a Cisco NAC Network Module, refer to the instructions in the Getting Started with Cisco NAC Network Modules in Cisco Access Routers.
If performing upgrade on an existing NAC Appliance or NAC Network Module, refer to the instructions in Upgrading to 4.1(6).
Warning
For New Installation:
1.
2.
3.
a.
b.
c.
4.
5.
Note
6.
7.
8.
–
–
Note
Upgrading to 4.1(6)
This section provides instructions for how to upgrade your existing Cisco Clean Access system to release 4.1(6).
Refer to the following general information prior to upgrade:
•
•
Refer to one of the following sets of upgrade instructions for the upgrade you need to perform:
•
If you need to perform a fresh installation of the software, refer instead to New Installation of Release 4.1(6).
If you need to upgrade from a much older version of Cisco Clean Access, you may need to perform an interim upgrade to a version that is supported for upgrade to 4.1(6). In this case, refer to the applicable Release Notes for upgrade instructions for the interim release. Cisco recommends always testing new releases on a different system first before upgrading your production system.
Notes on 4.1(6) Upgrade
If planning to upgrade to Cisco NAC Appliance (Cisco Clean Access) 4.1(6) ED, note the following:
•
•
•
Warning
Certificate chains can only be 10 certificates long (including intermediate and root certificates) in Cisco NAC Appliance Release 4.1(6).
Warning
•
•
Note
•
•
•
Note
•
•
•
–
–
–
For further details on Patch-CSCsg24153, refer to the README-CSCsg24153 file under http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches and the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).
Warning
•
Note
Caution
Settings That May Change With Upgrade
Refer to Notes on 4.1(6) Upgrade for additional information.
•
•
•
•
Note
•
•
General Preparation for Upgrade
Caution
•
You must upgrade your Clean Access Manager and all your Clean Access Servers (including NAC Network Modules) concurrently. The Cisco NAC Appliance architecture is not designed for heterogeneous support (i.e., some Clean Access Servers running 4.1(6) software and some running 4.1(3), 4.1(2), 4.1(1), 4.1(0), or 4.0(x) software).
•
Depending on the number of Clean Access Servers you have, the upgrade process should be scheduled as downtime. For minor release upgrades (e.g. 4.1(6) to 4.1.6.x), our estimates suggest that it takes approximately 10 to 20 minutes for the Clean Access Manager upgrade and 10 minutes for each Clean Access Server upgrade. Use this approximation to estimate your downtime window.
•
Starting with Cisco NAC Appliance release 4.1(6), the Clean Access Manager and Clean Access Server require encrypted communication. Therefore, you must upgrade CASs before the CAM that manages them to ensure the CASs have the same (upgraded) release when the CAM comes back online and attempts to reconnect to the managed CASs.
If you upgrade the Clean Access Manager by itself, the Clean Access Server (which loses connectivity to the CAM during Clean Access Manager restart or reboot) continues to pass authenticated user traffic only if the CAS Fallback Policy specifies that Cisco NAC Appliance should "ignore" traffic from client machines.
Caution
•
When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.
•
For additional safekeeping, Cisco recommends manually backing up your current Clean Access Manager installation (using Administration > Backup) both before and after the upgrade and to save the snapshot on your local computer. Backing up prior to upgrade enables you to revert to your previous release database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your 4.1(6) database. After the migration is completed, go to the database backup page (Administration > Backup) in the CAM web console. Download and then delete all earlier snapshots from there as they are no longer compatible. See Create CAM DB Backup Snapshot for details.
Warning
•
Once you have upgraded your software to 4.1(6), if you wish to revert to your previous version of CCA software, you will need to reinstall the previous CCA version from the CD and recover your configuration based on the backup you performed prior to upgrading to 4.1(6).
•
For upgrade via console/SSH, you will need your CAM and CAS root user password (default CAM root password is cisco123). For web console upgrade, you will need your CAM web console admin user password (and, if applicable, CAS direct access console admin user password).
Upgrading to Release 4.1(6)—Standalone Machines
Note
This section describes the upgrade procedure for upgrading your standalone CAM/CAS machine from release 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+/4.1(3)+ to the latest 4.1(6) release. You can upgrade 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+/4.1(3)+ standalone machines to the latest 4.1(6) release using one of the following two methods:
•
•
Note
Note
•
•
Summary of Steps for 3.6/4.0/4.1(0)+/4.1(1)+/4.1(2)+ Upgrade
The sequence of steps for standalone 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+ system upgrade is as follows:
1.
3.
Console/SSH Upgrade—Standalone MachinesCreate CAM DB Backup Snapshot
Cisco recommends creating a manual backup snapshot of your CAM database. Backing up prior to upgrade enables you to revert to your previous database should you encounter problems during upgrade. Backing up immediately following upgrade preserves your upgraded tables and provides a baseline of your database. Make sure to download the snapshots to another machine for safekeeping.
Note that Cisco NAC Appliance automatically creates daily snapshots of the CAM database and preserves the most recent from the last 30 days (starting from release 3.5(3)). It also automatically creates snapshots before and after software upgrades and failover events. For upgrades and failovers, only the last 5 backup snapshots are kept. (For further details, see "Database Recovery Tool" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(6).
Note
To create a manual backup snapshot:
Step 1
Step 2
Step 3
Step 4
Step 5
Download the Upgrade File
For Cisco NAC Appliance upgrades from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+, a single .tar.gz upgrade file is downloaded to each Clean Access Manager (CAM) and Clean Access Server (CAS) machine to be upgraded. The upgrade script automatically determines whether the machine is a CAM or CAS.
For Cisco NAC Appliance minor release or patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.
Step 1
Step 2
Step 3
Note
•
•
•
Major release upgrade file names do not feature the fourth (.x) digit. A major release file name example would be cca-upgrade-4.1.6.tar.gz. For patch upgrades, however, replace the .x in the file name with the minor release version number to which you are upgrading, for example, cca-upgrade-4.1.6.1.tar.gz.
Web Console Upgrade—Standalone Machines
Note
If you are upgrading the CAS to release 4.1(6) via the CAM web console where the CAM's available memory is less than 1GB, you may see an HTTP status 500 error message reading "java.lang.OutofMemoryError."
Note
When upgrading from 3.6(x)/4.0(x) to the latest 4.1(x) release:
•
•
•
For further details on Patch-CSCsg24153, refer to the README-CSCsg24153 file under http://www.cisco.com/pcgi-bin/tablebuild.pl/cca-patches and the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).
Warning
With web upgrade, administrators can perform software upgrade on standalone CAS and CAM machines using the following web console interfaces:
•
•
–
–
For web console upgrade, you will need your CAM web console admin user password.
If using the CAS direct access web console, you will need your CAS direct access console admin user password.
Note
•
•
•
With web upgrade, the CAM and CAS automatically perform all the upgrade tasks that are done manually for console/SSH upgrade (for example, untar file, cd to /store, run upgrade script). The CAM also automatically creates snapshots before and after upgrade. When upgrading via web console only, the machine automatically reboots after the upgrade completes. The steps for web upgrade are as follows:
1.
2.
3.
Upgrade CAS from CAS Management Pages
You can upgrade your CAS from release 3.6(x)/4.0(x)/4.1(0)+)/4.1(1)+/4.1(2)+/4.1(3)+ to release 4.1(6) using web upgrade via the CAS management pages as described below or, if preferred, using the instructions for Upgrade CAS from CAS Direct Access Web Console.
Step 1
Step 2
Step 3
a.
b.
c.
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Step 9
Note
Upgrade CAS from CAS Direct Access Web Console
You can upgrade the CAS from the CAS direct access web console using the following instructions. To upgrade the CASes from the CAM web console, see Upgrade CAS from CAS Management Pages.
Step 1
Step 2
Step 3
a.
b.
Step 4
Step 5
Step 6
Step 7
Note
Step 8
Step 9
Step 10
Note
Upgrade CAM from CAM Web Console
Upgrade your standalone CAM from the CAM web console using the following instructions.
Warning
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Note
Step 7
Step 8
Note
Console/SSH Upgrade—Standalone Machines
This section describes the standard console/SSH upgrade procedure when upgrading your standalone CAM/CAS from release 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+/4.1(3)+ to the latest 4.1(6) release. For this procedure, you need to access the command line of the CAM or CAS machine using one of the following methods:
•
•
•
Note
•
For upgrade via console/SSH, you will need your CAM and CAS root user password.
Note
A single upgrade .tar.gz file is downloaded to each installation machine. The upgrade script automatically determines whether the machine is a Clean Access Manager (CAM) or Clean Access Server (CAS), and executes if the current system is running release 3.6(0) or later.
For patch upgrades, the upgrade file can be for the CAM only, CAS only, or for both CAM/CAS, depending on the patch upgrade required.
Note
•
•
Summary of Steps for Console/SSH Upgrade from 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+
Steps are as follows:
1.
2.
3.
Download the Upgrade File and Copy to CAM/CAS
Step 1
Step 2
Step 3
If using WinSCP or SSH File Transfer:
a.
b.
If using PSCP:
a.
b.
c.
pscp cca_upgrade-4.1.6.tar.gz root@ipaddress_manager:/stored.
pscp cca_upgrade-4.1.6.tar.gz root@ipaddress_server:/storePerform Console/SSH Upgrade on the CAM
Step 4
a.
b.
c.
cd /stored.
tar xzvf cca_upgrade-4.1.6.tar.gz4.
cd cca_upgrade-4.1.6./UPGRADE.sh
Note
For more information on the nature and workaround for Patch-CSCsg24153, see the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).e.
Note
f.
rebootPerform Console/SSH Upgrade on the CAS
Step 5
a.
b.
c.
cd /stored.
tar xzvf cca_upgrade-4.1.6.tar.gz5.
cd cca_upgrade-4.1.6./UPGRADE.sh
Note
For more information on the nature and workaround for Patch-CSCsg24153, see the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).e.
f.
rebootg.
Upgrading to 4.1(6)—HA Pairs
Note
This section describes the upgrade procedure for upgrading high-availability (HA) pairs of CAM or CAS servers from release 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+/4.1(3)+ to the latest 4.1(6) release.
If you have standalone CAM/CAS servers, refer instead to Upgrading to Release 4.1(6)—Standalone Machines.
Note
Warning
If you are using serial connection for HA, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.
Warning
Note
•
•
Steps for HA 3.6/4.0/4.1(0)+/4.1(1)+/4.1(2)+ Upgrade
The steps to upgrade HA 3.6(x)/4.0(x)/4.1(0)+/4.1(1)+/4.1(2)+ systems are described in the following sections:
•
•
Note
Access Web Consoles for High Availability
If you are upgrading the CAS to release 4.1(6) via the CAM web console where the CAM's available memory is less than 1GB, you may see an HTTP status 500 error message reading "java.lang.OutofMemoryError."
Note
Determining Active and Standby CAM
Access the web console for each CAM in the HA pair by typing the IP address of each individual CAM (not the Service IP) in the URL/Address field of a web browser. You should have two browsers open. The web console for the Standby (inactive) CAM will only display the Administration module menu.
Note
Determining Primary and Secondary CAM
In each CAM web console, go to Administration > CCA Manager > Network & Failover | High Availability Mode.
•
•
Note
Determining Active and Standby CAS
From the CAM web console, go to Device Management > CCA Servers > List of Servers to view your HA-CAS pairs. The List of Servers page displays the Service IP of the CAS pair first, followed by the IP address of the Active CAS in brackets. When a secondary CAS takes over, its IP address will be listed in the brackets as the Active server.
Note
Determining Primary and Secondary CAS
Open the direct access console for each CAS in the pair by typing the following in the URL/Address field of a web browser (you should have two browsers open):
•
•
In each CAS web console, go to Administration > Network Settings > Failover | Clean Access Server Mode.
•
•
Note
Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs
The following steps show the recommended way to upgrade an existing high-availability (failover) pair of Clean Access Managers or Clean Access Servers.
Warning
Step 1
Note
Step 2
Warning
If you are using serial connection for HA, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances, and for any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.
Step 3
Step 4
a.
tar xzvf cca_upgrade-4.1.6.tar.gzb.
c.
./fostate.shThe results should be either "My node is active, peer node is standby" or "My node is standby, peer node is active". No nodes should be dead. This should be done on both boxes, and the results should be that one box considers itself active and the other box considers itself in standby mode. Future references in these instructions that specify "active" or "standby" refer to the results of this test as performed at this time.
Note
•
•
Step 5
shutdown -h nowStep 6
Step 7
cd cca_upgrade-4.1.6Step 8
./fostate.shMake sure this returns "My node is active, peer node is dead" before continuing.
Step 9
a.
b.
./UPGRADE.sh
Note
If you are performing this upgrade on the CAS, the upgrade script prompts you to enter the web console administrator password in addition to the shared secret. (As with the CAM, only the first eight characters of the shared secret are used.)
For more information on the nature and workaround for Patch-CSCsg24153, see the associated Resolved Caveats table entry in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(0).c.
Note
Step 10
shutdown -h nowStep 11
Step 12
Step 13
a.
b.
cd cca_upgrade-4.1.6c.
./UPGRADE.shStep 14
shutdown -h nowStep 15
Step 16
Note
Troubleshooting
This section provides troubleshooting information for the following topics:
•
•
•
•
•
•
•
•
•
•
•
•
•
Note
Vista/IE 7 Certificate Revocation List
Note
The "Network error: SSL certificate rev failed 12057" error can occur and prevent login for Clean Access Agent or Cisco NAC Web Agent users in either of the following cases:
1.
2.
–
–
To resolve the error, perform the following actions:
Step 1
Step 2
a.
b.
Windows Vista Agent Stub Installer Error
When initiating the Agent stub installer on the Windows Vista operating system, the user may encounter the following error message:
"Error 1722: There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor."
The possible cause is that there are remnants of a partial previous Agent stub installation present on the client machine stub. The user must take steps to remove the previous partial installation before attempting to run the Agent stub installer again.
To solve the problem:
Step 1
Step 2
Step 3
Step 4
Step 5
Agent Stub Upgrade and Uninstall Error
To resolve the situation where a user receives an "Internal error 2753:ccaagentstub.exe" message during stub installation:
Step 1
Step 2
Step 3
Note
Clean Access Agent AV/AS Rule Troubleshooting
When troubleshooting AV/AS Rules:
•
•
When troubleshooting AV/AS Rules, please provide the following information:
1.
2.
3.
4.
5.
6.
7.
8.
9.
Generating Windows Installer Log Files for Agent Stub
Users can compile the Windows Installer logs generated by the InstallShield application when the Windows Agent is installed on a client machine using the MSI or EXE installer packages.
MSI Installer
To compile the logs generated by a Windows Agent MSI installer session as the installation takes place, enter the following at a command prompt:
ccaagent.msi /log C:\ccainst.log
This function creates an installer session log file called "ccainst.txt" in the client machine's C:\ drive when the MSI Installer installs the Agent files on the client.
EXE Installer
You can use the Windows Installer /v CLI option to pass arguments to the msiexec installer within CCAAgent_Setup.exe by entering the following at a command prompt:
CCAAgent_Setup.exe /v"/L*v \"C:\ccainst.log\""
This command saves an installation session log file called "ccainst.log" in the client machine's C:\ drive when the embedded msiexec command installs the Agent files on the client.
For more information, refer to the Windows Installer CLI reference page.
Debug Logging for Cisco NAC Appliance Agents
This section describes how to view and/or enable debug logging for Cisco NAC Appliance Agents. Refer to the following sections for steps for each Agent type:
•
•
Copy these event logs to include them in a customer support case.
Cisco NAC Web Agent Logs
The Cisco NAC Web Agent version 4.1.3.9 and later can generate logs when downloaded and executed. By default, the Cisco NAC Web Agent writes the log file upon startup with debugging turned on. The Cisco NAC Web Agent (see Cisco NAC Web Agent Enhancements) generates the following log files for troubleshooting purposes: webagent.log and webagentsetup.log. These files should be included in any TAC support case for the Web Agent. Typically, these files are located in the user's temp directory, in the form:
C:\Document and Settings\<user>\Local Settings\Temp\webagent.log
C:\Document and Settings\<user>\Local Settings\Temp\webagentsetup.log
If these files are not visible, check the TEMP environment variable setting. From a command-prompt, type "echo %TEMP%" or "cd %TEMP%".
When the client uses Microsoft Internet Explorer, the Cisco NAC Web Agent is downloaded to the C:\Documents and Settings\<user>\Local Settings\Temporary internet files directory.
Generate Windows Agent Debug Log
For 4.1.x.x versions of the persistent Clean Access Agent (and 4.0.x.x/3.6.1.0+), you can enable debug logging on the Agent by adding a LogLevel registry value on the client with value "debug." For Windows Agents (see Cisco NAC Appliance Agents), the event log is created in the directory %APPDATA%\CiscoCAA, where %APPDATA% is the Windows environment variable.
Note
To view and/or change the Agent LogLevel setting:
Step 1
Step 2
Step 3
Note
Step 4
Step 5
Step 6
Step 7
Step 8
Step 9
Step 10
a.
b.
Step 11
Note
•
Generate Mac OS X Agent Debug Log
For Mac OS X Agents (see Mac OS X Clean Access Agent Enhancements), the Agent event.log file and preference.plist user preferences file are available under <username> > Library > Application Support > Cisco Systems > CCAAgent.app. To change or specify the LogLevel setting, however, you must access the global setting.plist file (which is different from the user-level preference.plist file).
Because Cisco does not recommend allowing individual users to change the LogLevel value on the client machine, you must be a superuser or root user to alter the global setting.plist system preferences file and specify a different Agent LogLevel.
Note
To view and/or change the Agent LogLevel:
Step 1
Step 2
Step 3
Step 4
Step 5
•
•
•
•
Note
Note
Property List Editor is an application included in the Apple Developer Tools for editing .plist files. You can find it at <CD-ROM>/Developer/Applications/Utilities/Property List Editor.app.
If the setting.plist file is editable, you can use a standard text editor like vi to edit the LogLevel value in the file.
You must be the root user to edit the file.
Creating CAM DB Snapshot
See the instructions in Create CAM DB Backup Snapshot for details.
Creating CAM/CAS Support Logs
The Support Logs web console pages for the CAM and CAS allow administrators to combine a variety of system logs (such as information on open files, open handles, and packages) into one tarball that can be sent to TAC to be included in the support case. Administrators should Download the CAM and CAS support logs from the CAM and CAS web consoles respectively and include them with their customer support request, as follows:
•
•
Note
•
•
Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)
Use the following procedure to recover the root password for a 4.1/4.0/3.6 CAM or CAS machine. The following password recovery instructions assume that you are connected to the CAM/CAS via a keyboard and monitor (i.e. console or KVM console, NOT a serial console)
1.
2.
3.
4.
root (hd0,0)kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 console=ttyS0,9600n8Initrd /initrd-2.6.11-perfigo.img5.
6.
kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 single7.
8.
9.
No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM
•
Clean Access Server is not properly configured, please report to your administrator
A login page must be added and present in the system in order for both web login and Clean Access Agent users to authenticate. If a default login page is not present, Clean Access Agent users will see the following error dialog when attempting login:
Clean Access Server is not properly configured, please report to your administratorTo resolve this issue, add a default login page on the CAM under Administration > User Pages > Login Page > Add.
Clean Access Server could not establish a secure connection to the Clean Access Manager at <IP/domain>
The following client connection errors can occur if the CAS does not trust the certificate of the CAM, or vice-versa:
•
•
Clean Access Server could not establish a secure connection to the Clean Access Manager at <IPaddress or domain>These errors typically indicate one of the following certificate-related issues:
•
•
•
•
To identify common issues:
1.
(under Administration > CCA Manager > SSL Certificate > Export CSR/Private Key/Certificate | Currently Installed Certificate | Details).2.
To resolve these issues:
1.
2.
3.
4.
5.
Troubleshooting Switch Support Issues
To troubleshoot switch issues, see Switch Support for Cisco NAC Appliance.
Troubleshooting Network Card Driver Support Issues
For network card driver troubleshooting, see Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).
Other Troubleshooting Information
For general troubleshooting tips, see the following Technical Support webpage:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
Documentation Updates
Table 13 Updates to Release Notes for Cisco NAC Appliance, Release 4.1(6)
10/20/08
Minor update to NAC-3310 Required BIOS/Firmware Upgrade
9/29/08
Updates for Version 4.1.7.0 of the Cisco Clean Access Agent:
•
•
•
•
•
•
•
•
Also:
•
9/22/08
•
•
9/12/08
•
•
•
8/8/08
•
8/6/08
•
8/1/08
•
•
7/31/08
Release 4.1(6)
Related Documentation
For the latest updates to Cisco NAC Appliance (Cisco Clean Access) documentation on Cisco.com see:
http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
or simply http://www.cisco.com/go/cca
•
•
•
•
•
•
•
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.
This document is to be used in conjunction with the documents listed in the "Related Documentation" section.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.
