Network Admission Control

Fisher College of Business has implemented a network admission control (NAC) system using the Cisco Clean Access (CCA). The NAC is aimed to ensure that devices that are connected to the FCOB network meet the Minimum Computer Security Standard (MCSS).

Malicious software such as viruses and worms can cause data loss, data theft, and render a computer unusable. Cisco Clean Access ensures that computers connected to the network are protected, providing all users with a safer, more secure, and reliable network. Currently, devices connected to the Fisher wireless network are not behind the NAC.

Clean Access Agent (CAA)

Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access Server. No information about the user or the content of user files is sent to the server. Each user must use Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use the university network.

To use CAA, Windows and MAC users must install the Clean Access Agent software on their computers. The Clean Access Agent ensures that each computer has all necessary security updates, automatic updates enabled, sufficient anti-virus and anti-malware software, and current anti-virus and anti-malware definitions. If the computer fails to meet one or more of these requirements, the Clean Access Agent helps the user acquire and install all necessary components. Computers are granted full access to the network after they have been fully updated.

Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access Server. No information about the user or the content of user files is sent to the server. Each user must use Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use the university network.

Clean Access Agent Installation

Resources with detailed instructions for download and install of the CCA is given below:

CCA Agent Install Instructions - Vista (PDF)

CCA Agent Install Instructions - XP (PDF)

Currently there are only agents for Windows and Mac computers. Other operating systems will not have a client and will need to authenticate to the network via a web browser prior to full internet access.Users will require administrative rights to install the Cisco Clean Access Agent, but administrative rights are not required once the CCA Agent is installed.

Logging on Network using Clean Access Agent

When the CCA Agent is installed the client will detect when you are connected behind the FCOB NAC. When you first connect to the network the CCA Agent will detect the connection. On a domain computer the agent will use the Microsoft Active Directory credentials and log in automatically to the FCOB NAC.

On personal computers and computers that are members of the domain, the CCA Agent will prompt for a username and password. Once you have authenticated to the network, the FCOB NAC will check the computer for compliance with minimum computer security rules. If your computer is compliant it will be granted full internet access. A non-compliant computer is moved to temporary internet access to remedy any security checks that failed.

FAQ - Frequently Asked Questions

• Will the Clean Access Agent monitor anything that I do online?
  No. The Cisco Clean Access Agent is only used for posture assessment when the computer is authenticating to the Cisco Clean Access Server. The CCA Agent only checks for operating system patches, automatic updates enabled, current anti-virus and current anti-malware.
• How often will the Clean Access Agent Revalidate my computer?
  We have configured the validation timer for every Thursday morning starting at 3am. This means that all previously authenticated and certified computers will need to be revalidated to ensure that all updates for the past week have been downloaded and installed. Domain computers will perform this automatically. (NOTE: Terminal sessions, such as SSH connections, will be terminated during the revalidation process)
• Will Cisco Clean Access Agent change settings on my computer?
  The Cisco Clean Access Agent is an unobtrusive program that communicates exclusively with the Cisco Clean Access Servers to ensure that your computer is protected from malicious software. The CCA Agent will not alter any settings on your computer, and should not interfere with normal functionality.
• Will my computer still work when I connect to my home network?
  The Cisco Clean Access Agent is only active while your computer is connected to the Fisher network. If you connect your computer to a different network, the CCA Agent will simply lie dormant and will not interfere with your network connectivity.
• Will the agent work with Microsoft Windows?
  Yes.
• What do I do if I have a MAC?
  If you are using a Mac, you need to install the Cisco Clean Access Agent. When you first open up a web browser you will need to log into the Clean Access Server using your Fisher user account and password. You will be required to download and install the Cisco Clean Access Agent.
• What if I have Linux?
  Linux users must authenticate by logging in via a web page. Opening any web browser will cause the browser to be redirected to the NAC authentication page. Users will login using their Fisher username and password. If Linux users are experiencing problems after login, please see ITS for alternate solutions.
• What about PDA, etc.?
  Users with devices such as PDAs or Cell Phones that connect to the Fisher network can register these devices with ITS to gain access to the network.
• Why doesn't the Clean Access Agent remember my username and password when I check the "Remember Me" box?
  As a security precaution, Cisco designed the Clean Access Agent to store the user data in memory (RAM) not on the hard drive. Therefore when you exit the agent, restart, or shut down your computer all data in memory is removed.
• Where do I get Windows updates?
  Windows Updates can be downloaded from the Windows Update website. You must access the Microsoft website using Internet Explorer. To start Windows Update, select "Windows Update" from the "Tools" menu in Internet Explorer. You should install all critical patches for you computer.
• In Windows XP there are no outstanding critical updates but my computer still fails the hotfix requirement?
  Microsoft Windows XP originally shipped with Flash version 6. Newer versions of Flash have been released to deal with known security updates. But Windows Updates does not remove the vulnerable version of Flash. If the Flash 6 file exists on your computer and is active in your computer's registry the hotfix requirement will fail. The Flash 6 issues only affects Windows XP.
• How do I fix the Flash Version 6 Problem?
  Users should delete the Flash 6 file that is vulnerable.Open "My Computer". Navigate to the directory "c:/windows/system32/macromed/flash/". Delete the file "flash.ocx". The requirement should now pass and the "Next" button on the CCA Agent should appear.
• What Anti-Virus software is required?
  Fisher College of Business provides Trend Micro Office Scan anti-virus for all FCOB owned computers. The Ohio State University holds a site-license for McAfee VirusScan for all faculty, staff and students. The FCOB NAC will support most major anti-virus products. The FCOB checks for installed anti-virus and current definition file. OSU site-licensed software can be found at OSU's OIT Site Licenced Software section.
• What Anti-Malware software is required?
  Fisher College of Business installs Windows Defender on all FCOB owned computers. Windows Defender is an anti-malware software provided at no cost by Microsoft. The Ohio State University holds a site-license for McAfee Anti-Spyware for all faculty, staff and students. The FCOB NAC will support most major anti-malware products. The FCOB checks for installed anti-malware software and current definition file. OSU site-licensed software can be found at OSU's OIT Site Licenced Software section.
• I'm leaving campus; How do I uninstall the Cisco Clean Access Agent?
  Uninstalling the Cisco Clean Access Agent can be done through the "Control Panel". In Windows 2000/XP by clicking on "Add/Remove Programs", selecting "Cisco Clean Access Agent", and clicking "Remove". In Windows Vista by clicking on "Programs and Features", selecting "Cisco Clean Access Agent", and clicking "Uninstall".
• What does it mean to have temporary access to the network?
  A computer that has failed one or more of the required security checks is placed in temporary access. In temporary access the computer can access the Windows update site and major anti-virus and anti-malware update sites. When a computer fails a security check a prompt is displayed for the user. The prompts will provide information to assist in the resolution of the failed security check.
• How can I get out of temporary access?
  A computer is placed in temporary access if they have failed a required security check. The user should follow the prompts on the screen to resolve any security checks. Once all security checks are resolved the computer will be granted full internet access.