CCA FAQ
Q. What is "Clean Access"?
A. Clean Access is a Cisco network access control mechanism to check that devices connecting to the Edinboro wireless and public wired network meet minimal security criteria so that infected and vulnerable machines will not infect others. Clean Access provides a mechanism to authenticate, and to assess the client machine for conformance to our access policy, providing quarantined access to remediation resources if the machine requires updating, before allowing full access to the network.
Q. Who will be using it? Why are we changing the access method?
A. All personally owned, non-EUP-issued PCs on the Edinboro wireless and public wired network are required to use it. Viruses, worms and vulnerabilities can cause system owners considerable frustration, as well as presenting a risk to all others on the campus network. As mobile systems (laptops, notebooks, PDAs, etc.) proliferate, they are more widely exposed to sources of infection. The accepted approach to combat this growing risk is to ensure that virus software and critical system patches are current and maintained. In general, EUP domain PCs (University owned and managed machines issued to staff and faculty as well as wireless labs) are exempt from certification as they should already be enabled with automatic updates and anti-virus software. In certain circumstances the Clean Access Agent will still be required on EUP domain PCs.
Q. What is required?
A. The operating system (Windows, Macintosh, Linux, etc.) of the computer determines the mode of access to the network. Windows systems will log in using a small agent installed on the machine, while others will use a web login page.
Windows System
The first time you access an external web page on the wireless network, you will be prompted to download and install the Cisco Clean Access Agent, a small resident software component which mediates the authentication and assessment of the system for all subsequent wireless network access. Assessment items are listed below (those designated mandatory will be required at a future date, but during initial deployment they will be treated as warnings).
All systems are required to have an antivirus software package installed and operating. Edinboro provides Sophos Anti-Virus free of charge for employees and students, but Clean Access also recognizes alternative packages. The current vendor list includes: Grisoft (AVG) commercial (non-free), McAfee, Microsoft, Symantec, others.
Anti-virus software must be running with current protection against viruses.
Windows critical updates are required to be installed on all computers in order to gain network access. During attacks, installing the latest update may become urgent.
Network scans will be carried out looking for commonly exploited weaknesses, such as missing or weak administrative passwords, and the information returned to the user to correct the problem.
Vista
As of March 1st 2006, Vista is not fully supported by Clean Access but will be allowed access with no virus checking or remediation. It is expected to be fully supported in the next release of Clean Access. In order to connect, you must unselect the following settings in IE7: Tools/Internet Options/Advanced/Check for server certificate revocation AND Check for publisher's certificate revocation.
Other Systems (Macintosh, Linux)
Nessus scans will be carried out for well-known common vulnerabilities, and information returned to the user. Note that these systems do not require the Cisco Clean Access Agent to be installed. Instead, the first time an external web page is accessed in a wireless session, it is first redirected to an authentication page, and the scan takes place at that time, before the requested web page is displayed. The scan will be repeated periodically (the current default period is set to once per month).
Q. How often is the scan carried out? How long does it take?
A. This will vary depending upon whether or not a malware attack is prevalent. The goal of employing Clean Access is to mitigate risk with minimal disruption to productivity. In general, the check should take 15 to 30 seconds. The time span between assessments will be chosen to balance these objectives (mitigating risk to the network versus customer delays and disruption). The current default is a week between assessments.
Q. What is Clean Access Agent, and what does it check in order to successfully connect to the Internet?
A. Clean Access Agent is a client application that will check certain security settings on a Microsoft Windows PC to make sure that the system is up-to-date with required security patches and anti-virus software, and report this status to the Clean Access server. No personal information is sent to the server.
Q. Where can I go for updates and virus protection?
A. You should keep your system current with Microsoft updates as well as download an antivirus program. Edinboro provides and supports Sophos Anti-Virus. Access to these sites, as well as Edinboro information pages, will be available in the quarantined state that the system is placed in after failing inspection.
Q. How does Windows Validation work?
A. Once installed, the Clean Access Agent is used to log on to and log off from the wireless network (right-click the Clean Access icon in the system tray and select the login option). Following authentication, it will process the validation rules in conjunction with the access server. If you have not logged on and reference an external web page, you will be reminded to log in using the agent (and directed to a page to download and install the "Clean Access Agent" in case you have not done so already).
Q. How does Validation work for Linux, Macintosh, and Non-Windows users?
A. Linux, Macintosh and Non-Windows users must authenticate by logging in via a web page (upon referencing an external web page, you are redirected to the authentication page first).
Q. When and how often do I have to log in?
A. You need to log in at the start of a network session, and will be logged off the network automatically if you become disconnected from the network for 15 minutes or longer. For example, if you shut down your machine for more than 15 minutes (it may be configured to 'sleep' when not in use), you will be required to re-authenticate to regain network access. (Validation is unlikely to be required again so soon, but when it is, it may take an additional few moments to process, so please be patient.)
Q. How will I know when I am logged out of the network?
A. If you choose "logout" from Clean Access Agent (or your browser in the case of web login for non-Windows systems), you expire your login session. Other indications that your network connection has been terminated include:
Q. How do I log out?
A. In order to manually log out, use the Clean Access Agent "logout" option visible upon right-clicking the Clean Access Agent icon in the system tray. Manually logging out is not mandatory.
Q. I use a personal firewall - will this cause a problem?
A. In most cases no - a personal firewall will work fine. Depending upon the firewall product you may receive one or more pop-up windows requesting "ok to proceed". Some of the personal firewalls are:
Q. I cannot access the login page. I get the redirection page but then my browser gives an error and stops.
A. This may be caused by an encryption (SSL) problem with your browser. Encryption is required for authentication to complete. Try another browser if you are unable to correct the problem with the first browser. (IE -> Firefox; Firefox -> IE). Usually, Firefox has fewer encryption problems (http://www.firefox.com/). If you are using IE7 and having certificate issues, unselect the following settings in IE7: Tools/Internet Options/Advanced/Check for server certificate revocation AND Check for publisher's certificate revocation.
Q. What am I allowed to access when Unauthenticated or Quarantined?
A. For the most part, remediation and help sites such as windowsupdate.microsoft.com and others.
Q. I'm on a Macintosh or Linux machine. I've opened my browser but I am not redirected to a login page. What do I do?
A. You must try to go to a non-local site such as http://www.google.com/.
Q. How do I know Clean Access Agent is running?
A. Look in the "System Tray" in the lower right corner near the time display for the Clean Access Agent. Right click to see status and options.
Q. When Windows Update runs, I get a message stating that the product key for Windows is invalid; what does this mean?
A. Windows Update will fail if your Windows operating system is not properly licensed. You must have a legal copy of the system to connect to the network, and ensure that patches and critical updates are regularly applied.
Q. The Clean Access Agent is reporting "Too many users using this account" when I log in; what's wrong?
A. Clean Access allows a maximum of two simultaneous sessions using one MAC ID. When you exceed that, you will be denied access. You must remove the oldest login session using the Agent.
Q. I do not see the Clean Access Agent icon in my system tray; what is wrong?
A. Some possible explanations include:


