One popular request is a list of the features that ship with each release. Below is a comparison of the major code revisions of Cisco NAC Appliance.
4.8 (LATEST)
* Support for Cisco NME-NAC Platforms
* Administrator Access Restriction
* Out-of-Band Logoff
* In-Band and Out-of-Band Filter Behavior Enhancements
* Fast-OPSWAT
* RADIUS Session Timeout
* Passive Re-assessment
* Reporting Enhancements
* Agent Customization
* Agent Authorizes CAS
* Field-Replaceable FIPS Card for HP-Based Cisco NAC Appliances
* Cisco NAC Windows Agent Version 4.8.0.32
* Mac OS X Agent Version 4.8.0.569
* Cisco NAC Web Agent Version 4.8.0.4
* Features Optimized/Removed in Release 4.8
* Supported AV/AS Product List Enhancements (Windows Version 83, Mac OS X Version 7)
4.7
* FIPS 140-2 Compliance
* New Hardware Platform Support
* Cisco NAC Appliance WAN Deployment Enhancements
* AD SSO Requirements for Windows 7
* Windows 7 Support on Cisco NAC Agent
4.6
* Posture Assessment Support for 64-Bit Windows Operating Systems
* Agent Localization Support for 'Double-Byte' Languages
* Selective Application Privilege Support for Windows Operating Systems
* Accessibility Support Via the JAWS Screen Reader Interface
* Full UTF-8 Compliance
* Agent Log Recording and Retrieval
* Support for EVDO Client Machines
* Optimized Windows Operating System Support
* Agent Configuration XML File Upload Enhancement
* Cisco Log Packager Agent Log Compiler Application
* Agent Backward-Compatibility
* Agent Upgrade Optional When Upgrading Cisco NAC Appliance
* Cisco NAC Appliance Agent Reports Enhancement
* Cisco NAC Windows Agent Version 4.6.2.113
* Mac OS X Clean Access Agent Version 4.6.0.3
* Cisco NAC Web Agent Version 4.6.0
* Administrator Web Console Enhancements to Support Cisco NAC Agent
* Features Optimized/Removed
* Supported AV/AS Product List Enhancements (Windows Version 78, Mac OS X Version 3)
4.5
* Policy Import/Export
* CAM/CAS SSL Certificate Management Enhancement
* CAM/CAS Software Upload Page Enhancements
* Database Snapshot Upgrade Enhancement
* Clean Access Manager High Availability User Interface Enhancement
* CAM/CAS Support Log Level Settings Enhancement
* CAM/CAS High Availability Configuration Able to Detect Hard-Drive Failure
* Support for Wireless Out-of-Band Deployments
* Assign Restricted VLAN for OOB Client Machines When Disconnected
* Certified Device List/Online User List Enhancements
* Out-of-Band Shield Enhancement
* Out-of-Band Discovered Clients Cleanup
* Pre-Login Banner
* Strong Password Support for Root Admin Users
* External Authentication Server Support for Web Administrator Login
* Support for Cisco NAC Appliance/NME-NAC Platforms Only
* Web Upgrade Support Removed
* Default CAM Web Console Password Removed
* Windows ME/98/NT OS Support Removed
* CAS Fallback Behavior Enhancement
* CAS HA Pair Link-Detect Configuration Enhancement
* DHCP Failover Behavior Enhancement
* Cisco NAC Appliance API Enhancement
* Supported AV/AS Product List Enhancements (Version 74)
4.1
* CAS Policy Fallback
* Clean Access Agent/ActiveX/Applet DHCP Release/Renew
* Support for GPO Update Trigger
* Online Update to Retrieve Switch OIDs
* Qualified Remediation Program Launch
* Clean Access Agent for Mac OS X Authentication
* Clean Access Agent Installation Options
* Clean Access Agent Language Template Support
* Clean Access Agent Silent Auditing
* Searchable Clean Access Agent Reports
* Certified Devices Timer Enhancements for Periodic Assessment
* DHCP Renewal Enhancements
* DHCP Subnet List Enhancements
* DHCP Global Option Enhancements
* IE 7.0 Support
* Clean Access Agent Enhancements (4.1.0.0)
* Port Profile Management for OOB Users
* Enhancements to Check Parameters
* Daylight Savings Time Support
* Supported AV/AS Product List Enhancements (Version 42)
* Deprecated IPsec/L2TP/PPTP/PPP Features
* Deprecated Roaming Features
* Support for Windows Vista Operating System
* RADIUS Challenge-Response Support
* Layer 2 Traffic Policy Support
* Multiple Active Directory Server Support in AD SSO
* Restricted Administrator Web Console Options Hidden from View
* Proxy Server Basic/Digest/NTLM Authentication Support
* VLAN Profiles
* VLAN Pruning
* Event Logs Enhancement
* Agent Report Retrieval API Operation
* Out-of-Band IP Refresh Enhancement
* Switch Port Configuration Enhancements
* SNMP Receiver Settings Enhancement
* Support for Windows Vista Operating System
* Windows Update Upon Agent Login
* Agent Reports Show System and User Information
* Agent IP Address Refresh/Renew Enhancement
* CAS-Agent Discovery (SWISS) Enhancements
* 4.1.0.x Agent Support on Release 4.1(1)
* MAC OS RADIUS Challenge-Response Support
* MAC OS Automatically Close Message Dialog After Successful Login
* MAC OS IP Refresh Support for Out-of-Band Deployments
* MAC OS Allow Only One Mac OS Agent to Run on the Client at a Time
* Cisco NAC Appliance Integration with Cisco NAC Profiler/Collector Solution
* New Cisco NAC Network Module (NME-NAC-K9) Support
* NAC Appliance Platform Type Display
* Debug Log Download Enhancement
* Active VPN Client Status Page Enhancement
* WSUS Requirement Configuration Display Enhancement
* New 'service perfigo platform' CLI Command
* Web Login Support Using Safari Browser for Mac OS
* Windows Clean Access Agent Language Template Support Enhancement
* Cisco NAC Web Agent
* Support for Clients with Multiple Active NICs
* Clean Access Server HA Heartbeat Link Enhancement
* Clean Access Manager HA Configuration and Heartbeat Link Enhancements
* Guest User Login and Registration Enhancements
* LDAP Authentication Enhancement
* Clean Access Server and WSUS Interaction Enhancement
* Agent Restricted User Access Enhancement
* Device Filter List Display and Import/Export Enhancement
* Agent Report Information Display and Export Enhancement
* VPN SSO Login Enhancement
* VPN SSO Enhancement to Support Existing Clientless SSL VPN Users Launching the AnyConnect Client from a WebVPN Portal
* Syslog Configuration Enhancement
* Debug Log Download Enhancement
* cisco_api.jsp Enhancement
* CSRF Protection
* Proxy Support Enhancements
* ARP Broadcast Packet Handling Improvement
* Clean Access Server HA ARP Broadcast Enhancement
* Deprecated 'Retag Trusted-side Egress Traffic with VLAN (In-Band)' Feature
* Previously-Deprecated Features Removed from CAM/CAS Web Console Pages
* Clean Access Agent Auto Remediation
* Delay Agent Logoff on CAM/CAS
* 64-bit Windows Operating System Agent Support
* Access to Authentication VLAN Change Detection Enhancement
* SNMP Inform Notification Enhancement
* SNMP 'MAC Move Notification' Switch Port Configuration Support
* Trusted Certificate Authority Enhancement for Production Environments
* Enhanced CAM/CAS Web Console Features Certificate Warning Messages
* Ability to View and Remove Certificate Authorities from CAM/CAS Without Rebooting
* Enhanced Security with Server Identity Based Authorization
* JMX Over SSL Secured with Mutual Authentication
* HTTPS Connections Enhanced with Mutual Authentication
* Features Optimized/Removed
* CAS Fallback Behavior Enhancement
* CAS HA Pair Link-Detect Configuration Enhancement
* DHCP Failover Behavior Enhancement
4.0
* Support for Active Directory (Windows Domain) Single Sign-On (SSO)
* Corporate Asset Authentication and Posture Assessment by MAC Address
* Support for Layer 3 Out-of-Band (OOB) Deployment
* New Windows Update Requirement Type
* SMP Kernel Support for Super CAM
* Support for Assigning VLANs by VLAN Name in OOB Deployments
* Support for 'IGNORE' Global Device Filter for IP Phones in OOB Deployments
* Ability to Change Priority of Wildcard/Range Global Device Filters
* Ability to View or Search Active L2 Devices in Device Filter List
* Ability to Test MAC Addresses Against Device Filters
* Support for Relay IP Class Restrictions on DHCP Server
* Support for DHCP Global Actions
* New 'service perfigo maintenance' CLI Command for CAS
* Ability of Clean Access Agent to Send IP/MAC for All Available Adapters
* Support for Stub Installation/Update of the Clean Access Agent
* OOB Page Redirection Timers (SNMP Receiver Advanced Settings)
* SNMP Enhancements for CAM
* CAS Host-Based Traffic Policy Enhancements for Proxy Servers
* Enhancements for DHCP Option Configuration Forms
* Authentication Cache Timeout
* Enable L3 Strict Mode
* OOB Support for 3750 NME Modules for Cisco 2800/3800 ISRs
* Link-Failure Based Failover in CAS HA
* Upgrade Enhancements
* CAM Disable Serial Login
* CAM Admin Console Login Enhancements
* Client OS Detection Signature Lookup
* Start Timer Specification for Cisco Updates
* API Enhancements
* Enhancements for Windows XP Media Center Edition/Tablet PC
* Restricted Network Access Option for Clean Access Agent Users
* Daylight Savings Time Support
* Support for Windows Vista Operating System
* License Manager Support for Cisco Clean Access Lite, Standard, and Super Managers
* Improved Memory Footprint for Clean Access Agent Reports
* Broadcast ARP Server Management Option Removed
* Kernel Upgrade
* Debug Log Download Enhancement
* Syslog Configuration Enhancement

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
Findings (MAC III - Administrative Sensitive)
Finding ID | Severity | Title | Description |
---|---|---|---|
V-242605 | High | The Cisco ISE must enforce posture status assessment for posture required clients defined in the NAC System Security Plan (SSP). | Posture assessments can reduce the risk that clients impose on networks by restricting or preventing access of noncompliant clients. If the posture assessment is not enforced, then access of... |
V-242606 | High | The Cisco ISE must have a posture policy for posture required clients defined in the NAC System Security Plan (SSP). | Posture assessments can reduce the risk that clients impose on networks. The posture policy is the function that can link requirements to applicable clients. Multiple requirements can be... |
V-242580 | High | The Cisco ISE must verify host-based IDS/IPS software is authorized and running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. | Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security... |
V-242579 | High | The Cisco ISE must verify anti-malware software is installed and up to date on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. | New viruses and malware are consistently being discovered. If the host-based security software is not current then it will not be able to defend against exploits that have been previously discovered. |
V-242578 | High | The Cisco ISE must verify host-based firewall software is running on posture required clients defined in the NAC System Security Plan (SSP) prior to granting trusted network access. | Automated policy assessments must reflect the organization's current security policy so entry control decisions will happen only where remote endpoints meet the organization's security... |
V-242577 | High | The Cisco ISE must be configured to profile endpoints connecting to the network. | It is possible for endpoints to be manually added to an incorrect endpoint identity group. The endpoint policy can be dynamically set through profiling. If the endpoint group is statically set but... |
V-242576 | High | The Cisco ISE must enforce approved access by employing authorization policies with specific attributes; such as resource groups, device type, certificate attributes, or any other attributes that are specific to a group of endpoints, and/or mission conditions as defined in the site's Cisco ISE System Security Plan (SSP). | Successful authentication must not automatically give an entity access to an asset or security boundary. The lack of authorization-based access control could result in the unauthorized network... |
V-242575 | High | The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE for the purposes of client posture assessment. | The agent may pass information about the endpoint to the Cisco ISE, which may be sensitive. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway... |
V-242591 | Medium | The Cisco ISE must send an alert to the system administrator, at a minimum, when endpoints fail the policy assessment checks for organization-defined infractions. | Failing the Cisco ISE assessment means that an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs... |
V-242590 | Medium | The Cisco ISE must generate a log record when the client machine fails posture assessment because required security software is missing or has been deleted. | Failing the Cisco ISE assessment means an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs of the... |
V-242593 | Medium | The Cisco ISE must off-load log records onto a different system. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage... |
V-242592 | Medium | The Cisco ISE must be configured to log records onto a centralized events server. | Without the ability to centrally manage the content captured in the log records, identification, troubleshooting, and correlation of suspicious behavior would be difficult and could lead to a... |
V-242595 | Medium | The Cisco ISE must provide an alert to, at a minimum, the SA and ISSO of all audit failure events where the detection and/or prevention function is unable to write events to either local storage or the centralized server. | Without an alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent... |
V-242594 | Medium | The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) in the event of an audit processing failure. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without an alert, security personnel may be unaware of an impending... |
V-242597 | Medium | The Cisco ISE must generate a critical alert to be sent to the ISSO and SA (at a minimum) if it is unable to communicate with the central event log. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an... |
V-242596 | Medium | The Cisco ISE must be configured with a secondary log server in case the primary log is unreachable. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an... |
V-242599 | Medium | The Cisco ISE must perform continuous detection and tracking of endpoint devices attached to the network. | Continuous scanning capabilities on the Cisco ISE provide visibility of devices that are connected to the switch ports. The Cisco ISE continuously scans networks and monitors the activity of... |
V-242598 | Medium | The Cisco ISE must continue to queue traffic log records locally when communication with the central log server is lost and there is an audit archival failure. | It is critical that when the network element is at risk of failing to process traffic logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware... |
V-242604 | Medium | Before establishing a local, remote, and/or network connection with any endpoint device, the Cisco ISE must use a bidirectional authentication mechanism configured with a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the endpoint device. | Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are of greater risk. Currently, DoD requires the use of AES for... |
V-242601 | Medium | The Cisco ISE must authenticate all endpoint devices before establishing a connection and proceeding with posture assessment. | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. However, failure to authenticate an endpoint does not need to result in... |
V-242600 | Medium | The Cisco ISE must deny network connection for endpoints that cannot be authenticated using an approved method. | Without identifying devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Identification failure does not need to result in connection termination or... |
V-242603 | Medium | Before establishing a connection with a Network Time Protocol (NTP) server, the Cisco ISE must authenticate using a bidirectional, cryptographically based authentication method that uses a FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to authenticate with the NTP server. | If the NTP server is not authenticated, an attacker can introduce a rogue NTP server. This rogue server can then be used to send incorrect time information to network devices, which will make log... |
V-242602 | Medium | The Cisco ISE must be configured to dynamically apply restricted access of endpoints that are granted access using MAC Authentication Bypass (MAB). | MAB can be defeated by spoofing the MAC address of a valid device. MAB enables port-based access control using the MAC address of the endpoint. A MAB-enabled port can be dynamically enabled or... |
V-242588 | Medium | The Cisco ISE must deny or restrict access for endpoints that fail required posture checks. | Devices that do not meet minimum security configuration requirements pose a risk to the DoD network and information assets. Endpoint devices must be disconnected or given limited access as... |
V-242589 | Medium | The Cisco ISE must generate a log record when an endpoint fails authentication. | Failing the Cisco ISE assessment means that an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs... |
V-242586 | Medium | The Cisco ISE must place client machines on the blacklist and terminate the agent connection when critical security issues are found that put the network at risk. Note: The Agent has a TCP connect to ISE when it checks in. This TCP session does not give access to the network. Blacklisting the item should remove the access. When to blacklist an item could be another line item. The Cisco ISE must terminate access to blacklisted endpoints that have been found to have critical security issues. | Since the Cisco ISE devices and servers should have no legitimate reason for communicating with other devices outside of the assessment solution, any direct communication with unrelated hosts... |
V-242587 | Medium | The Cisco ISE must be configured so client machines do not communicate with other network devices in the DMZ or subnet except as needed to perform an access client assessment or to identify themselves. | Devices not compliant with DoD secure configuration policies are vulnerable to attack. Allowing these systems to connect presents a danger to the enclave. This requirement gives the option to... |
V-242584 | Medium | The Cisco ISE must send an alert to the Information System Security Manager (ISSM) and System Administrator (SA), at a minimum, when security issues are found that put the network at risk. | Trusted computing should require authentication and authorization of both the user's identity and the identity of the computing device. An authorized user may be accessing the network remotely... |
V-242585 | Medium | When endpoints fail the policy assessment, the Cisco ISE must create a record with sufficient detail suitable for forwarding to a remediation server for automated remediation or sending to the user for manual remediation. | Failing the NAC assessment means that an unauthorized machine has attempted to access the secure network. Without generating log records that are specific to the security and mission needs of the... |
V-242583 | Medium | The Cisco ISE must be configured so that all endpoints that are allowed to bypass policy assessment are approved by the Information System Security Manager (ISSM) and documented in the System Security Plan (SSP). | Connections that bypass established security controls should be only in cases of administrative need. These procedures and use cases must be approved by the Information System Security Manager (ISSM). |
V-242581 | Medium | For endpoints that require automated remediation, the Cisco ISE must be configured to redirect endpoints to a logically separate VLAN for remediation services. | Automated and manual procedures for remediation for critical security updates will be managed differently. Continuing to assess and remediate endpoints with risks that could endanger the network... |
V-242582 | Low | The Cisco ISE must be configured to notify the user before proceeding with remediation of the user's endpoint device when automated remediation is used. | Notification will let the user know that installation is in progress and may take a while. This notice may deter the user from disconnecting and retrying the connection before the remediation is... |