|Q:||How to fix the error, "Network error: SSL certificate rev failed." when trying to log into Clean Access?|
|Q:||What is Clean Access?|
|Q:||What Networks Require Validation?|
|Q:||Why Are We Introducing this Solution Now?|
|Q:||How Does Validation Work?|
|Q:||What is the Clean Access Agent?|
|Q:||What Validation Checks are Being Performed?|
|Q:||How Long Do the Validation Checks Take?|
|Q:||What is the Process for Changing the Minimum Security Requirements?|
|Q:||How Often Will I Be Revalidated?|
|Q:||What Remediation is Available?|
|Q:||What Happens If an "Infected" System Behaves Badly on the Network?|
A: Clean access is a solution provided by Cisco, Inc. that performs network validation. The software performs the following functions:
A: We are deploying the validation solution to the student residential network in the fall semester 2005.
A: Each semester, student machines are introduced to the campus that potentially contains harmful viruses and malware. On move-in weekend in particular, worms and viruses attempt to spread to un-patched/vulnerable machines. USP IT determined that the best way to prevent this from happening is to insure that virus software and Operating System critical update/patches are current and maintained.
A: Similar to the "Computer Registration" form, this solution will redirect any Internet browser request to a web page that instructs the user to download and install the validation client known as the "Cisco Clean Access Agent". Once launched, the client downloads the validation rules and processes them. If the workstation fails the test, it is allowed Internet access only to the remediation sites for a period of about 1 Hour. Once corrected, full network access is provided.
A: Clean Access Agent is the client application that can check certain security settings on any Microsoft Windows PC to make sure that the system is up-to-date with required security patches and report this status to the Clean Access Server. No information about the user or the content of user files is sent to the server. Each user must use Clean Access Agent for his/her Microsoft Windows PC in order to authenticate and use the university network.
A: For Fall semesters, we are configuring Cisco Clean Access to validate the following:
A: In our pilots to date, the checks take between 30 and 60 seconds.
A: As new critical Microsoft updates become available, the security requirements will be updated to reflect the new patches. Typically, we will not immediately set the validation check for the new patches, but allow some time (typically a week) for people to update their systems in due course. If vulnerability is reported or the threat of a virus storm or worm attack emerges, we will update the validation check immediately in reaction to the threat.
Please note that we may cancel all network connections for a particular subnet in response to an attack. Again, we will send email and will only resort to these actions in very urgent conditions.
A: We plan to configure the validation timer for every 7 days. Initial plans are for early Monday mornings.
A: Authentication Failure. If a user's systems fails authentication, the user is instructed to provide the correct university Email username and password. If the user has forgotten his/her password, he/she is instructed to contact USP IT.
Antivirus Failure. University of the Sciences provides McAfee Antivirus Corporate edition free to students. It is required that all PCs connected to the campus network be running Antivirus software. Other allowed Anti-Virus clients include McAfee, AVG and Trend Micro Antivirus, however, limited support is provided. If the user's system fails the check for current Antivirus software, the user is provided a download for Symantec Antivirus.
Windows Patch Failure
If the user's system fails the check for current critical Operating System patches, the user is instructed to click on the URL for the Microsoft Windows update site and follow the instructions.
A: The validation solution can not prevent all infections. Also, we have experienced denial of service attacks originating from within the university network. For those subnets controlled by Clean Access Servers, the process will be to disconnect the offending system using the Clean Access Manager management console. Unless the system is demonstrating a vulnerability for which there is no patch, there should be no need to block the physical switch port, as the user will not be able to reconnect until the problem is corrected.