Technology Advice by Ryan Taylor Adams

All About Cisco Clean Access Agent (and Circumventing It)

January 12th, 2008 · 1 Comment · Printer Friendly Version


While I make an effort to update older posts to keep them relevant and technically accurate, the rapidly changing nature of the tech world makes it possible that the content of this post may no longer be relevant, current, or even accurate. Additionally, because of this post's age, adding new comments has been disabled. If you would like to contribute new information to this post, or have questions pertaining to this post, please use the Contact Form.

Cisco Clean Access (CCA), is an access control system that is becoming popular on many school networks. Originally, the system was produced by Perfigo and marketed under the name of Perfigo SmartEnforcer. After being bought out by Cisco, the system was renamed to Cisco Clean Access. Recently, Cisco has renamed its product to Cisco NAC Appliance, though “Clean Access” is still widely used.

The Cisco Clean Access system is comprised of server software and client software. The client software, called Cisco Clean Access Agent, must be installed on each computer before that computer is allowed to use the network. The Clean Access Agent performs two functions. First, it provides authentication by requiring the user of a client computer to provide a log-in name and password. Second, it checks the client computer for required updates and programs (currently Windows patches and a supported antivirus program) and prevents a computer from connecting if it does not meet the standards for the network. Currently the Clean Access Agent application is only available for Windows operating systems (Windows 98 and above), however most network administrators allow clients with non-Windows operating systems to access the network without any security checks.

The Cisco Clean Access is designed to restrict network use to those authorized and to prevent viruses or other malware from spreading over the network. However, many students and employees who are forced to use a network where Clean Access is configured become frustrated because:

  • The client software may not be available for their operating system.
  • The client software must be running constantly (using up system resources).
  • The client software may simply not work, preventing legitimate users access to the network.
  • There are privacy concerns associated with the client software.
  • It’s another “hoop to jump through.”

Network administrators who are forced by management to configure the Clean Access system on a network are also often frustrated because they are responsible for correcting the above issues.

The good news is, there are ways around having to use the Cisco Clean Access Agent. The bad news is they may not work, or there may be penalties for being caught. Some of the proposed loop holes include:

  • Many universities allow a gaming device to be registered via its MAC address, and any device with that MAC address will be allowed to access the network without authentication or review. A user could theoretically submit a fake MAC address claiming it belongs to a gaming system, then use a program like ChangeMAC.exe to change the MAC address of their computer to the fake address. The latest versions of the Clean Access system have protection against this including verifying the MAC address has a legitimate format for a gaming system (for example, Xbox systems have MAC address that begin with 00:50:F2) and performing a port scan to determine the device type associated with a MAC address. With some effort, both of these countermeasures should be easy to overcome.
  • Since the Clean Access system generally allows users with unsupported operating systems to connect, a Windows user may spoof their reported operating system to appear to be an unsupported OS. Originally, this loophole only required a user to change the reported user-agent of their browser. However, the latest versions of Clean Access use javascript and port scans to confirm the operating system. Again, with some work, these countermeasures could be overcome.
  • According to the release notes of one version of Clean Access, the system makes use of Windows Script Engine, version 5.6 and removal or disabling of the scripting engine in Windows will bypass and break posture interrogation by the Clean Access Agent, which will “fail open” and allow devices to connect to a network upon proper authentication.

Again, attempting to exploit any of the above loopholes may result in reprimands.

For more information on Cisco Clean Access check out the official FAQ or the Wikipedia page.

Please leave a comment if you have any questions or suggestions.

1 response so far ↓

  • 1 Bensh // Feb 1, 2009 at 11:32 PM

    Not helpful. All the “loopholes” are merely common sense. If you had posted actual methods on achieving these bypasses, then this post would’ve been helpful, otherwise this was just a waste of time to read.

  • 2 Ryan Adams // Feb 2, 2009 at 9:13 AM

    @Bensh: Due to the vast number of operating systems, versions of Clean Access, and possible configurations, it would be impossible to post detailed methods of exploiting the loopholes. If you happen to find a specific way around CalPoly’s implementation of Clean Access, please post back with the details.