Network Admission Control

NAC Questions and Answers

NAC Frequently Asked Questions (FAQ)

Q.  What is Network Admission Control?
Q.  What Networks Require Validation?
Q.  How does Validation Work?
Q.  What is the Clean Access Agent?
Q.  What Validation Checks are Performed?
Q.  How long do Validation Checks Take?
Q.  What is the Process for Changing the Minimum Security Requirements?
Q.  How often will I be Re-validated?
Q.  What About Xboxes, PlayStations, Tivos, IP Phones, etc.?

Q. What is Network Admission Control?
A: Network Admission Control is a Cisco solution that performs network validation. The software performs the following functions:

  • Requires authentication to the network
  • Validates whether a system connecting to the network meets minimum security requirements
  • Quarantines a system until it meets minimum security requirements
  • Provides access to remediation sites
  • Allows access to the network once a system is validated as “clean”

Top of page

Q: What Networks Require Validation?
A: Residential and wireless networks require validation.

Top of page

Q: How does Validation Work?
A: Validation redirects any Internet browser request to a web page that instructs the user to download and install the validation client known as the “Clean Access Agent”. Once launched, the client downloads the validation rules and processes them. If the computer fails to meet the minimum security requirements, it is allowed Internet access only to the remediation sites.  Once remediated, full network access is provided.

Top of page

Q: What is the Clean Access Agent?
A: Clean Access Agent is the client application that checks certain minimum security requirements on Windows and non-Windows clients to make sure the system is up-to-date.  No information about the user or the content of user files is sent to the server. Each user must use Clean Access Agent for his/her computer system in order to authenticate and use the university network.

Q: What Validation Checks are Performed?
A: The Clean Access Agent validates the following:

  • Anti-virus Software Installed
  • Up-to-date Anti-virus Definitions
  • Anti-spyware Software Installed
  • Windows Service Packs Installed
  • Microsoft Critical Updates Installed

Top of page

Q: How long do Validation Checks Take?
A: The validation checks take between 1 and 2 minutes.

Top of page

Q: What is the Process for Changing the Minimum Security Requirements?
A: As new critical updates become available, the security requirements will be updated to reflect the new patches. Typically, we will not immediately set the validation check for the new patches, but allow some time (typically a week) for people to update their systems in due course. If a vulnerability is reported or the threat of a virus storm or worm attack emerges, we will update the validation check immediately in reaction to the threat. 

Top of page

Q: How often will I be Re-validated?
A: The validation timer will reset daily at 4 a.m. This means that all previously certified "Clean” systems must be revalidated to ensure that all updates for the past week have been downloaded and installed.

Top of page

Q: What about Xboxes, PlayStations, Tivos, IP Phones, etc.?
A: Please contact the SSU Help Desk at helpdesk@savannahstate.edu or 912-358-4357 for assistance or register your device at the Gaming Device Configuration link.
Top of page

NAC Troubleshooting Tips

Q.  I cannot access the login page.  I get the redirection page, but then my browser gives an error and stops.
Q.  What am I allowed to access when Un-authenticated or Quarantined?
Q.  How do I logout?
Q.  How do I stop the Clean Access Agent from popping up continuously?
Q.  Can I update Windows before I login?
Q.  When I run Windows Update, I get a message stating that the product key used to install windows is invalid. Why?
Q.  Can I update my Anti-virus program before logging in?
Q.  Do I have to use the Clean Access Agent client?
Q.  What happens if I uninstall the Clean Access Agent?
Q.  I keep trying to install the Clean Access Agent but it tells me that I can either Modify/Repair or Remove the program?
Q.  How do I know Clean Access Agent is running? 
Q.  I do not see the Clean Access Agent icon in my system tray; what do I do?

Q: I cannot access the login page. I get the redirection page but then my browser gives an error and stops.
A: Generally, this is caused by an encryption (SSL) problem with your browser. Encryption is required for authentication to complete. Try another browser if you are unable to correct the problem with the first browser. (IE -> Firefox; Firefox -> IE). Usually, Firefox has fewer encryption problems.

Top of page

Q: What am I allowed to access when Un-authenticated or Quarantined?
A: Un-authenticated users are allowed to access remediation and help sites such as http://windowsupdate.microsoft.com, Anti-virus sites, and Clean Access Support sites.

Top of page

Q: How do I logout?
A: Right-click the Clean Access Agent icon in the system tray and choose Exit.  The Clean Access Agent icon appears as follows in the system tray: 

Top of page

 Q: How do I stop the Clean Access Agent from popping up continuously?
A: Right-click the Clean Access Agent icon in the system tray and remove the check from the Popup Login Window setting.  

Top of page

Q: Can I update Windows before I login?
A: Yes, you can visit http://update.microsoft.com before you login.

Top of page

Q: When I run Windows Update, I get a message stating that the product key used to install windows is invalid. Why?
A: Windows Update will fail if your Windows Operating System is not properly licensed. You must have a legal copy of the operating system to connect to the university network. Please contact Microsoft or your PC manufacturer with questions.

Top of page

Q: Can I update my Anti-virus program before logging in?
A: Yes, you can update supported anti-virus software products before you login.

Top of page

Q: Do I have to use the Clean Access Agent client?
A: All non-Windows and Windows ME/98 clients are required to use the Clean Access Agent for network access.

Top of page

Q: What happens if I uninstall the Clean Access Agent?
A: You will be required to reinstall the client to re-authenticate when your login expires.

Top of page

Q: I keep trying to install the Clean Access Agent but it tells me that I can either Modify/Repair or Remove the program. 

A: The Clean Access Agent is currently installed on your system. You do not need to install it again.
Top of page

Q: How do I know Clean Access Agent is running? 
A: Look for the Clean Access Agent icon in the lower right (Systray) corner near the time display. You may need to select the System tray’s left-facing arrow to expand the list and show the Clean Access Agent.

Top of page

Q: I do not see the Clean Access Agent icon in my system tray; what do I do?
A: There are a few possibilities (for Windows):
1. Clean Access Agent has not been installed.

  • Install Clean Access Agent

2. Clean Access Agent is "hidden" in the Systray.

  • Click the System tray’s left-facing arrow to expand the system tray list and show the Clean Access Agent

3. Your computer has a problem showing Systray icons.

  • You may be able to use "Task Manager" to halt Clean Access Agent and then launch it again

Click Start, Run, and type "taskmgr" Click OK. Look for "NACAgentUI.exe". Highlight "NACAgentUI.exe" and click "End Task".  Re-launch it from the Start Menu.

4.  Clean Access Agent is installed, but not running.

  • Click Start, All Programs, Cisco, Cisco NAC Agent. Click "Cisco NAC Agent" to launch the program

Top of page

Temporary Role

Q: The Cisco Clean Access Agent says I have "Temporary Access." What does that mean?

A.  The Cisco Clean Access Agent will allow you "Temporary Access" if it detects that your system does not meet the minimum security requirements. The Agent will display reasons why your system did not meet the requirements, and will contain instructions on what needs to be done. Until the security requirements are met, your system will not have full access to the network.

What restrictions will be in place when my system is in the Temporary Role?

  • You will not be able to browse any websites, except those listed below in the "Exceptions" category.
  • You will not be able to play any online games.
  • You will not be able to use any Instant Messaging or chat software.
  • You will not be able to access any files stored on the internet, online music, online video, etc.
  • You will not be able to send or receive any e-mail or attachments.

Exceptions: websites and online services you will always have access to, even in Temporary Role.

    • Micorsoft.com sites
    • Supported Anti-virus sites
    • Supported Anti-spam sites
    • Clean Access Agent support sites
    • Other support sites