Key Terms
- Authentication: The process of verifying your access to the network by confirming your username and password and associating it with your computer.
- Validation: The process of confirming that certain security measures are in place on your computer.
- Network Access Procedure: The process of authentication and validation of your computer required for university network access.
A: Clean Access is a solution provided by Cisco, Inc. that performs network validation. The software performs the following functions:
- Requires authentication to the network
- Validates whether the system connecting to the network meets the minimum security standards.
- Quarantines the system until it meets the minimum security standards.
- Provides access to the remediation sites.
- Once the system is validated as “clean,” allows access to the network.

Q: What Networks Require Validation?
A: We deployed the Clean Access solution to the student residential network in summer 2005.
Q: Why Are We Introducing this Solution Now?
A: Student machines that potentially contain harmful viruses and malware are introduced to the campus. On move-in weekend in particular, worms and viruses attempt to spread to unpatched/vulnerable machines. Residential Network Services determined that the best way to prevent this from happening is to ensure that antivirus software and critical operating system updates/patches are current and maintained.
A: This solution will redirect any Internet browser request to a web page that instructs the user to download and install the validation client known as the “Cisco Clean Access Agent”. Once launched, the client downloads the validation rules and processes them. If the computer fails the test, it is allowed Internet access only to the remediation sites for a period of about 60 minutes. Once corrected, full network access is provided.
Q: Where do the Cisco Clean Access Servers Fit in the Network?
A: There is a management server, known as “Clean Access Manager,” which provides the administration of the Cisco Clean Access-protected network. The enforcement servers are known as “Clean Access Servers.” We are configuring a Clean Access Server for every 1500-1700 users, or a total of 4 servers. The Clean Access Servers receive the validation instructions from the Clean Access Manager and download these to each client installed on workstations which connect to the network.
We have configured the Clean Access Servers as routers in the residential network. Access to the network is controlled via access control lists on these routers. Thus, unauthenticated access is limited to very few network addresses; once authenticated and validated, Cisco Clean Access modifies the access controls to allow full access to the network. Additionally, these four servers act as our DHCP servers that assign IP addresses within the residential network.
Q: What is the Clean Access Agent?
A: Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access Server. No information about the user or the content of user files is sent to the server. Each user must use Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use the university network.
Q: What Validation Checks are Being Performed?
A: For Summer and Fall sessions, we are configuring Cisco Clean Access to validate the following:
- Automatic Updates is enabled and set to Download and Automatically install.
- Check for a current release of Symantec, McAfee, Trend-Micro, or AVG AntiVirus software and current virus definitions.
- Check for current Windows Critical Updates for Windows XP, 2000, ME, and 98 machines.
Q: How Long Do the Validation Checks Take?
A: The checks take between 15 and 30 seconds.
Q: What is the Process for Changing the Minimum Security Requirements?
A: As new critical Microsoft updates become available, the security requirements will be updated to reflect the new patches. Typically, we will not immediately set the validation check for the new patches, but allow some time (typically a week) for people to update their systems in due course. If a vulnerability is reported or the threat of a virus storm or worm attack emerges, we will update the validation check immediately in reaction to the threat. Please note that we may cancel all network connections for a particular subnet in response to an attack.
Q: How Often Will I Be Revalidated?
A: We have configured the validation timer for every 7 days, early Monday morning. This means that all previously certified "Clean Machines" will need to be revalidated to ensure that all updates for the past week have been downloaded and installed.
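The access decisions described in the answers above (limited unauthenticated access, about 60 minutes of remediation-only access after a failed check, and weekly revalidation) can be modelled as follows. This is an added example, not Cisco's or Residential Network Services' code; the host names, check names and the midnight cutoff for "early Monday morning" are assumptions.

```python
from datetime import datetime, timedelta

# Constructed values: the page names the roles and timers but no addresses or rule names.
PORTAL_HOSTS = {"login.example"}                              # the "very few" pre-auth addresses
REMEDIATION_HOSTS = {"update.example", "antivirus.example"}   # placeholder remediation sites
QUARANTINE_WINDOW = timedelta(minutes=60)                     # "about 60 minutes" on the page
REQUIRED_CHECKS = ("auto_updates", "antivirus_current", "critical_patches")

def last_monday(now):
    """Most recent Monday 00:00, when certified machines are cleared (time of day assumed)."""
    start = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return start - timedelta(days=start.weekday())

class Session:
    """One device on a Clean Access-protected subnet (simplified model)."""
    def __init__(self):
        self.role = "unauthenticated"
        self.quarantine_ends = None
        self.certified_at = None

    def login(self, credentials_ok, posture, now):
        """Authenticate, then validate posture; returns the list of failed checks."""
        if not credentials_ok:
            self.role = "unauthenticated"
            return ["authentication"]
        failed = [c for c in REQUIRED_CHECKS if not posture.get(c, False)]
        if failed:
            self.role, self.quarantine_ends = "quarantine", now + QUARANTINE_WINDOW
        else:
            self.role, self.certified_at = "clean", now
        return failed

    def allowed(self, host, now):
        """ACL decision the enforcement router would make for this session."""
        if self.role == "clean" and self.certified_at >= last_monday(now):
            return True                        # validated this week: full access
        if self.role == "quarantine" and now < self.quarantine_ends:
            return host in REMEDIATION_HOSTS   # remediation sites only, until the timer runs out
        # Unauthenticated, expired quarantine, or stale certification: portal only.
        return host in PORTAL_HOSTS
```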
Q: How Does Validation Work for Macintosh Users?
A: Currently Macintosh users must authenticate by logging in via a web page. At this point there is no client which is downloaded to Macintosh systems. The network connection timer is set for Macintosh systems; however, there is no icon that can be right-clicked to log out and subsequently log in again.
Q: How Does Validation Work for Linux Users?
A: Linux users must authenticate by logging in via a web page. There is no client which is downloaded to Linux systems. The network connection timer is set for Linux systems; however, there is no icon that can be right-clicked to log out and subsequently log in again.
Q: What About Xboxes, PlayStations, Tivos, IP Phones, etc.?
A: Please visit the registration page to activate your game console. Enter your UCINetID and the MAC address of the console. Your console will be placed in the Gaming Role. The Gaming Role provides network access to console-related services ONLY (i.e. if you attempt to register your PC for this role you won't have web, email or IM services).
Q: What Remediation is Available?
A: Authentication Failure. If a user’s system fails authentication, the user is instructed to provide the correct UCINetID and password. If the user has forgotten his/her password, he/she is instructed to set a new password via the password reset tool on NACS's Website.
AntiVirus Failure. UCI Residential Network Services provides McAfee AntiVirus free to all Housing Residents for Windows XP and 2000. It is required that all PCs connected to the campus network be running AntiVirus software. Other allowed AntiVirus clients include McAfee, AVG and Trend Micro AntiVirus; however, limited support is provided. If the user’s system fails the check for current AntiVirus software, the user is provided a download for McAfee AntiVirus and will be asked to simply remove the old program.
Microsoft Windows Patch Failure. If the user’s system fails the check for current critical Operating System patches, the user is instructed to click on the URL for the Microsoft Windows update site and follow the instructions.
Q: What Happens If an “Infected” System Behaves Badly on the Network?
A: The validation solution cannot prevent all infections. Also, we have experienced denial of service attacks originating from within and from outside the university network. For those subnets controlled by Clean Access Servers, the process will be to disconnect the offending system using the Clean Access Manager management console. Unless the system is demonstrating a vulnerability for which there is no patch, there should be no need to block the physical switch port, as the user will not be able to reconnect until the problem is corrected.
Q: Why doesn't the Clean Access Agent remember my username and password when I check the "Remember Me" box?
A: As a security precaution, Cisco designed the Clean Access Agent to store the user data in memory (RAM), not on the hard drive. Therefore, when you exit the agent, restart, or shut down your computer, all data in memory is removed.
Q: Will I be able to access my computer remotely?
A: Yes. Common ports for remote access applications like Remote Desktop, SSH, and VNC are always allowed through Clean Access.