BigFix Client Compliance Cisco NAC

The "BigFix Client Compliance Cisco NAC" Fixlet site provides quarantine capabilities using the BigFix Client Compliance Extension and Cisco Network Access Control (NAC). In this solution, the Cisco Trust Agent (CTA) collects posture credentials from the BES Client, and forwards the information to the Cisco Access Control Server (ACS) to perform posture validation. The Cisco Network Access Device (NAD) then restricts or enables inbound and outbound network connectivity based on the posture validation result.

BigFix Enterprise Suite has met the Cisco Network Admission Control test criteria for interoperability with Cisco Trust Agent. The BigFix Client Compliance API interoperates with other Cisco NAC solutions such as Cisco Clean Access (CCA).

The following content is available in the "BigFix Client Compliance (Cisco NAC)" Fixlet site:

Wizard:

  • Cisco Network Admission Control Wizard: Guides you through creating a task that installs CTA 2.0, deploys an existing Cisco Trust certificate, and installs the required BES Security Posture Plugins and AsyncNotifier.exe.

Fixlet Messages:

  • Cisco NAC - Determine Compliance: This Fixlet message determines whether a client computer complies with the security standards defined in the installed BigFix Client Compliance Document. The Fixlet message becomes relevant periodically (the current setting is every 5 minutes). Deploy it as a policy action so that the compliance status of computers on the network is re-evaluated periodically rather than only once.
  • Cisco NAC - Upgrade CTA - CTA 2.0: This Fixlet message detects existing installations of older versions of CTA and upgrades them to version 2.0.
  • Cisco NAC - Install BES Security Posture Plugins: This Fixlet message ensures the BES Security Posture Plugins are correctly installed if CTA is present. The BES Security Posture Plugins, when called by the CTA, retrieve the results reported by the BES Client. The CTA then forwards that information to the Cisco ACS Server for evaluation of the client state. If the BES Security Posture Plugins are not installed correctly, this Fixlet message will become relevant and can be used to redeploy the BES Security Posture Plugins.
  • Cisco NAC - Install AsyncNotifier.exe: This Fixlet message installs AsyncNotifier.exe, a utility that notifies the Network Access Device (NAD) whenever the BigFix compliance status of the computer changes. The NAD then asks the Access Control Server (ACS) to perform an immediate posture validation. Without AsyncNotifier.exe, the ACS only learns of a compliance change at the next scheduled posture revalidation, so the network response to the change is delayed.
  • Cisco NAC: Windows Firewall is Blocking CTA Traffic: This Fixlet message detects computers on which Windows Firewall blocks inbound UDP traffic on port 21862 and adds an exception to allow that traffic. CTA uses EAP over UDP (EAPoUDP) to communicate between the endpoint and the NAD; if inbound UDP 21862 is blocked, CTA cannot exchange posture information with the Cisco switch or router, and the endpoint cannot complete posture validation.
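The following PowerShell script is an added example, not code from the Fixlet site or from BigFix, of the check and remediation the "Windows Firewall is Blocking CTA Traffic" Fixlet message performs: it tests whether Windows Firewall already allows inbound UDP 21862 and, if not, adds an allow rule. It assumes a Windows 8 / Server 2012 or later host with the NetSecurity module (the Get-NetFirewallRule and New-NetFirewallRule cmdlets) and an elevated session; the rule name, display name and description are assumptions chosen for the example, not names used by the Fixlet.

```powershell
# Added example: detect and fix Windows Firewall blocking EAP over UDP (CTA <-> NAD).
# Assumes Windows 8 / Server 2012+ (NetSecurity module) and an elevated PowerShell session.
# Rule name, display name and description below are assumptions, not the Fixlet's own.

$CtaPort     = 21862                                   # EAPoUDP port used by CTA
$RuleName    = 'CTA-EAPoUDP-Inbound'                   # assumed internal rule name
$DisplayName = 'Cisco Trust Agent (EAP over UDP 21862)' # assumed display name

function Test-CtaFirewallException {
    # Returns $true if an enabled inbound Allow rule covers UDP/21862 on any profile.
    # A rule whose LocalPort is 'Any' also covers the port.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True `
                                 -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
        if ($null -eq $filter) { continue }
        if ($filter.Protocol -ne 'UDP') { continue }
        # LocalPort may be 'Any', a single string, or an array of strings/ranges.
        if ($filter.LocalPort -eq 'Any' -or $filter.LocalPort -contains "$CtaPort") {
            return $true
        }
    }
    return $false
}

function Add-CtaFirewallException {
    # Idempotent: only creates the rule when no covering rule exists.
    if (Test-CtaFirewallException) {
        Write-Output "Inbound UDP $CtaPort is already allowed; nothing to do."
        return
    }
    New-NetFirewallRule -Name $RuleName -DisplayName $DisplayName `
        -Direction Inbound -Action Allow -Protocol UDP -LocalPort $CtaPort `
        -Profile Any -Description 'Allow EAP over UDP so CTA can talk to the NAD' | Out-Null
    Write-Output "Added inbound allow rule '$DisplayName' for UDP $CtaPort."
}

# Run the check, remediate, and re-check so the script's result is observable.
Add-CtaFirewallException
if (Test-CtaFirewallException) {
    Write-Output 'CTA EAPoUDP traffic is permitted by Windows Firewall.'
} else {
    Write-Warning 'Inbound UDP 21862 is still blocked; check Group Policy-managed firewall settings.'
}
```

Two caveats a practitioner should keep in mind. First, the script, like the Fixlet, only addresses the built-in Windows Firewall; a third-party host firewall or a Group Policy that overrides local rules can still block UDP 21862, which is why the final re-check is worth keeping. Second, on the Windows XP SP2 / Server 2003 hosts that CTA 2.0 originally targeted, the NetSecurity cmdlets do not exist; the equivalent legacy command is netsh firewall add portopening protocol=UDP port=21862 name="Cisco Trust Agent" mode=ENABLE.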

Note: This Fixlet site is designed to be used in conjunction with the "BigFix Client Compliance Configuration" Fixlet site. Further information about BigFix Client Compliance is available in the BigFix documentation.