The goal of the attack described in the advisory is to bypass the
Operating System (OS) detection mechanisms available in the NAC (Network
Admission Control) appliance software, in order to prevent the
mandatory installation of the Cisco Clean Access (CCA) Agent. If the CCA
Agent is not installed, machines that do not comply with the configured
software policies will not be automatically patched/upgraded or
quarantined on initial access to the network.
While it is possible to bypass the mandatory agent installation by following the steps in the advisory, it should be noted that:
1) Users cannot bypass authentication using the approach described in
the advisory. Accordingly, unauthorized users (i.e., users with no
credentials or invalid credentials) will not be able to gain access to
the network using such an approach.
2) If an administrator is concerned that users might attempt to
bypass CCA Agent installation by masquerading a Windows machine as a
non-Windows machine (e.g., Linux, OS/X, etc.), the administrator can
define Network Scanning rules on the CCA Manager and use network scans
to perform additional OS-specific checks. This process should detect
users attempting to masquerade their Windows machines as non-Windows.
Additional information on how to configure Network Scanning rules can be found in the Tech Note entitled
Clean Access - Use the Network Scanning Feature to Detect Users Who Attempt to Bypass Agent Checks.
3) If a malicious user installs a personal firewall or similar
software for the purpose of making the network scan time out, CCA
provides options to quarantine such malicious users. Following such
quarantine, administrators can then determine if users are attempting to
masquerade their OS. Alternatively, network administrators can ask
users to configure their personal firewalls to allow any traffic sourced
from the Clean Access Server (CAS) IP address, so that it can
successfully perform network scans.
4) Customers can also manually install either the CCA Agent software
or the CCA Agent Installation stub (available in CCA version 4.0.0 and
above) on end-user Windows machines, instead of using the OS detection
routines. This will completely prevent the agent installation bypass
described in the advisory from Andreas Gal and Joachim Feise.
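The decision logic that points 2 and 3 above describe (cross-checking the browser-side OS claim against the network scan, and treating a scan that times out as grounds for quarantine rather than as "unknown") can be written out as a small policy function. This is an added illustration, not Cisco code; the posture fields, the verdict strings and the sample clients are all assumptions constructed here and do not reflect the CCA Manager's actual rule schema.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical posture record; field names are assumptions, not CCA's schema.
@dataclass(frozen=True)
class ClientPosture:
    client_id: str
    claimed_os: str             # OS reported by the browser-side detection
    scan_timed_out: bool        # CAS network scan received no reply (e.g. host firewall)
    scanned_os: Optional[str]   # OS inferred from the OS-specific network scan rules
    agent_installed: bool

def admission_decision(p: ClientPosture) -> Tuple[str, str]:
    """Return (verdict, reason). Verdicts: 'allow', 'require_agent', 'quarantine'."""
    if p.agent_installed:
        return "allow", "agent present; posture is enforced by the agent"
    if p.scan_timed_out:
        # Point 3: a scan that never completes is treated as evasion (fail closed),
        # not as an unknown OS that is waved through.
        return "quarantine", "network scan timed out; possible personal firewall"
    if p.claimed_os.lower() == "windows":
        return "require_agent", "Windows client without the agent"
    if p.scanned_os and p.scanned_os.lower() == "windows":
        # Point 2: browser-side detection said non-Windows, scan fingerprint says Windows.
        return "require_agent", f"claimed {p.claimed_os} but scan fingerprint is Windows"
    return "allow", "non-Windows client confirmed by the network scan"

# Constructed sample clients covering the cases the text describes.
SAMPLE_POSTURES: List[ClientPosture] = [
    ClientPosture("host-a", "Windows", False, "Windows", True),
    ClientPosture("host-b", "Linux", False, "Linux", False),
    ClientPosture("host-c", "Linux", False, "Windows", False),  # masquerading as Linux
    ClientPosture("host-d", "Linux", True, None, False),        # firewall blocks the scan
]

def evaluate_all(postures: List[ClientPosture] = SAMPLE_POSTURES) -> Dict[str, str]:
    """Map each client id to its verdict."""
    return {p.client_id: admission_decision(p)[0] for p in postures}

if __name__ == "__main__":
    for posture in SAMPLE_POSTURES:
        verdict, reason = admission_decision(posture)
        print(f"{posture.client_id}: {verdict} ({reason})")
```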