Resources

Home

Information

Policies

Services

Staff

Support

CCA Information

Cisco Clean Access

History

Several years ago, there was an epidemic of network worms. Belonging to the phylum Annelida, these worms crawled the network so quickly and caused so much damage that the Internet connection would fail almost every other weekend. These worms only spread because users were browsing unprotected. Without updates and without antivirus clients, these worms burrowed themselves deep within the heart of the residents' computers making it difficult to rectify. The following year, we decided to enforce the installation of Symantec AntiVirus. To do this, we hand-checked every computer for our minimum security requirements. This worked to an extent, but proved to be more difficult than we (and the students) wanted. So we implemented a system called Cisco Clean Access. With it, we have not experienced any network outages due to worms, viruses, and other malicious malware. We additionally stopped receiving reports of virus infections across the network.


What is Cisco Clean Access?

You may ask, "What is Cisco Clean Access?" Well, we're glad you asked. Clean Access is a network authentication system that verifies every user who logs onto the network is a Cal Poly student. In addition, it automatically certifies that machines are protected against the latest threats. It accomplishes this amazing feat by checking each computer for the minimum security requirements. You will interface with Clean Access differently depending upon your operating system. If you already know which platform you will be bringing to campus, you can skip to and read that section. If not, we recommend you read all the notices below.


Microsoft Windows

Authentication

image floated rightIf you are using a Microsoft Windows platform, you will need to download and install the Cisco NAC Agent. The agent will run in your system tray (by the clock), and will be used to login to the network. To get the Cisco NAC Agent, you will start by plugging your computer into the wired residential network. Next, you will open a web browser (like Windows Internet Explorer, Mozilla Firefox, Safari, or Opera). You will be redirected to the University Housing Student Computing Agreement. You will digitally sign the agreement by logging into the network for the first time. After digitally signing the agreement, you will be redirected to a page with the remaining instructions for downloading and installing the Cisco NAC Agent.

Once the Cisco NAC Agent is installed on your computer, you will use it to authenticate with the network. After authenticating, the Cisco NAC Agent will verify that your computer meets the minimum security requirements. If your computer does not meet the minimum security requirements, you will be given temporary network access. This temporary access will only provide you access to the websites necessary to remedy any failed requirements. After you have completed the actions required in the temporary role, you will be given complete network access. With complete network access, you are unrestricted from browsing any content on the web or using any network applications.

Minimum Security Requirements for Microsoft Windows Vista/Windows 7

The following minimum security requirements are for Microsoft Windows Vista-based/Windows 7-based operating systems:

  • AntiVirus - Cal Poly provides a licensed version of Symantec Enpoint Protection for all Cal Poly students using Windows Vista free of charge. The Cal Poly licensed version of Symantec Endpoint Protection must be installed, unless students are already running Symantec Norton AntiVirus, McAfee, or Windows Live OneCare. In addition, antivirus definition files must be kept up-to-date. Up-to-date definitions are any applied antivirus definition files within two weeks of the current date.

The following are highly recommended suggestions for Vista/7 users:

  • Microsoft Windows Update - Microsoft patches critical flaws found in their Windows Vista/7-based operating systems via the built-in Windows Update control panel. This control panel will search your computer for unpatched vulnerabilities and allow you to easily download and install Microsoft Hotfixes (patches). All "critical" and "high priority" updates should be installed. In addition, Windows Update should be scheduled to automatically check for, download, and install the latest "critical" and "high-priority" updates.

  • Microsoft Windows Defender - Microsoft provides a free, real-time antispyware program, Windows Defender. This program is installed on Windows Vista/7 by default. The latest version of Windows Defender should be installed along with the latest definitions.

  • Javacool Software's SpywareBlaster - SpywareBlaster is an antispyware program. Most antispyware programs simply scan and remove spyware infections. Unlike other antispyware programs, SpywareBlaster prevents spyware infections from happening in the first place. It does this by configuring your computer to refuse connections to the spyware servers. The latest version of SpywareBlaster should be installed along with the latest definitions.

Minimum Security Requirements for Microsoft Windows XP and Windows 2000

The following minimum security requirements are for Microsoft Windows 2000 and Windows-XP based operating systems:

  • AntiVirus - Cal Poly provides a licensed version of Symantec Endpoint Protection for all Cal Poly students using Windows XP free of charge. The Cal Poly licensed version of Symantec Endpoint Protection must be installed, unless students are already running Symantec Norton AntiVirus, McAfee, or Windows Live OneCare. In addition, antivirus definition files must be kept up-to-date. Up-to-date definitions are any applied antivirus definition files within two weeks of the current date.

The following are highly recommended for XP/2000 users:

  • Microsoft Windows Update - Microsoft patches critical flaws found in their operating systems via the online Microsoft Update and Windows Update website. This website will search your computer for unpatched vulnerabilities and allow you to easily download and install Microsoft Hotfixes (patches). All "critical" and "high-priority" updates should be installed. The Microsoft Update and Windows Update websites will only work with Windows Internet Explorer. Other than for Microsoft Windows Update, we recommend you use a different, more secure web browser.

  • Microsoft Automatic Updates - The Automatic Updates service should be enabled and set to automatically check for, download, and install the latest "critical" and "high-priority" updates.

  • Microsoft Windows Defender - Microsoft provides a free, real-time antispyware program, Windows Defender. This program is not installed on Windows XP or Windows 2000 by default. The latest version of Windows Defender should be installed along with the latest definitions.

  • Javacool Software's SpywareBlaster - SpywareBlaster is an antispyware program. Most antispyware programs simply scan and remove spyware infections. Unlike other antispyware programs, SpywareBlaster prevents spyware infections from happening in the first place. It does this by configuring your computer to refuse connections to the spyware servers. The latest version of SpywareBlaster should be installed along with the latest definitions.

Preparation

Prior to arriving on campus, be sure to uninstall any antivirus software. In addition, you can install all available Hotfixes by visiting the Microsoft Update or Windows Update website. Also, you can configure the Automatic Updates service to automatically download and install updates. Completing these tasks will dramatically decrease the amount of time required to get online once you arrive. Installing the ResNet Certificate Authority will expedite getting online, and installing Symantec Endpoint Protect will help as well. You can find out how to do these in our Support section.

Periodic Updates

Our Clean Access servers update once a week every Thursday at 4:00 am. At this time, every user (no matter what operating system they are using) is logged off the network. If there have been changes to the security requirements (like new Windows Hotfixes, more up-to-date virus definitions, new version of an application), you will receive temporary access until you update your computer. It is good to note that Microsoft releases new Windows Hotfixes on the second Tuesday of every month. By keeping your computer updated, we can achieve a high level of system stability with virtually no network outages.


Apple Macintosh

image floated rightIf you are using an Apple Macintosh platform with Mac OS X, you will need to download and install the Cisco Clean Access Agent. The agent will run as a menu "extra" (by the clock), and will be used to login to the network. To get the Clean Access Agent, you will start by plugging your computer into the wired residential network. Next, you will open a web browser (like Mozilla Firefox or Safari). You will be redirected to the University Housing Student Computing Agreement. You will digitally sign the agreement by logging into the network for the first time. After digitally signing the agreement, you will be redirected to a page with the remaining instructions for downloading and installing the Clean Access Agent.

Once the Clean Access Agent is installed on your computer, you will use it to authenticate with the network. After authenticating, you will be given complete network access. With complete network access, you are unrestricted from browsing any content on the web or using any network applications. Please take special note that our Clean Access servers update once a week on Thursday at 4:00am. At this time, every user (no matter what operating system they are using) is logged off the network. To get back on the network, you will simply need to re-authenticate using the Clean Access Agent.


UNIX and GNU/Linux

image floated rightIf you are using one of these platforms, you will authenticate with Clean Access using a web browser. You will start by plugging your computer into the wired residential network. Next, you will open a web browser (like Mozilla Firefox or Konqueror). You will be redirected to the University Housing Student Computing Agreement. You will digitally sign the agreement by logging into the network for the first time. After digitally signing the agreement, you will be logged onto the network. At this point, you are unrestricted from browsing any content on the web or using any network applications. The authentication process will require a Java applet to load. This applet will properly determine your specific type of operating system. It will be necessary for users to use a browser that supports a Java applet browser plugin. ResNet has found the 32-bit Mozilla Firefox browser and the Sun Micrososystem's 32-bit Java Runtime Standard Edition to work well. Other alternatives may be possible. If you do not have a compatible Java Runtime Environment or Java capable browser, links to binary downloads will be provided. Please take special note that our Clean Access servers update once a week on Thursday at 4:00 am. At this time, every user (no matter what operating system they are using) is logged off the network. To get back on the network, you will simply need to re-authenticate using a web browser.

Last Update: 10/6/2009
This website best viewed in Safari 4, Firefox 3 & IE 8.
Internet Explorer 6 not supported.