Certified Devices and NAC IB w/Agent

timflynn · ‎08-21-2009

I have an IB setup and am requiring all users to use the Clean Access Agent.

Since the Agent will go through the requirements at every login even if the device is already on the certified device list, is it necessary to clear the certified device list?

michael_dean · ‎08-21-2009

Yes it is. If the device is not on the certified list, then posturing is not done. A system could have an out of date AV signature list, or could have un-installed the AV after the first posture and you would not know it.

Clearing the CDL forces the systems to be re-checked and will catch these items.

Mike

timflynn · ‎08-21-2009

Thanks for the reply!

Is this also true if you require the use of Agent?

I'm not trying to be argumentative, but the CAM Install and Config guide states "For Agent users, devices always go through Agent Requirements at each login, even if the device is already on the Certified Devices".

In the CCA reports I am seeing the same devices go through the requirements each time they login, and I have yet to clear the certified device list.

I think the Certified Device list is only beneficial if you are doing the Nessus Scan to certify a device. It speeds up subsequent logins for the device by not requiring a Nessus Scan until that device is cleared certified device list. I just want to verify that is true and I'm not going to run into some issue later on.

koeppend · ‎08-23-2009

Michael, I assume you meant:

If the device is not in the certified list, then the device is forced though a posture check, once it as passed the posture check, it is then placed back into the certified device list, as apposed to 'not done'

By clearing out certified devices list at regular 'quiet' times, its gives the administrator a peace of mind knowing that devices are being forced to keep their posture up to date as per your security policy. It is also to clear our stale entries, e.g. maybe a contractor host that will not be back onsite for 3 months.

But does raise the question, I was under the assumption that while users go though an IN-BAND CAS they are constantly being checked,

e.g. if a user deliberately down graded his virus data file (for arguments sake), isn't the Inline CAS meant to know about this from the CAA because the users traffic always goes though the CAS?.....I thought that was the benefit of in-band over OOB.

I know this wouldn't be the case for an OOB setup as the users are only inband during authentication.

michael_dean · ‎08-24-2009

Dale -- Your are correct, that was a typo on my part.

Tim -- I clear my list on a schedule since I also have OOB servers, which were configured first.

I had *assumed* the CDL worked the same on both types of installations -- meaning that if the device was in the CDL, the requirements were not checked and the system was not (Nessus) scanned.

However, the documentation, as you pointed out, does state that the devices are checked for requirements at every login and the Nessus scan is only done if the device is NOT in the CDL.

So, other than the reasons that Dale metioned, the other benefit to clearing the CDL for IB installations would be to force a Nessus scan, if you have that enabled.