
466

Building a Network Access Control Solution with IBM Tivoli and Cisco Systems

– Security Compliance Manager Client:
  i. Runs compliance validation. In this case, violations are found and the
     semaphore does not equal 1, so the semaphore is left unchanged.
  ii. Since violations are found, the client runs the remediation handler.

– Remediation handler:
  i. Since the semaphore is -1, pops up the Remediation Interface.
  ii. User can click Fix Now for autoremediation.
  iii. Runs compliance validation. In this case, no violations are found, so the
     semaphore is set to 1.

– User clicks Next.

– NAC Appliance now finds the Security Compliance Manager Client running
  and semaphore=1, so it admits the client.

Scenario 2: post-admission, Security Compliance Manager not running,
noncompliant client

– This is a border case, and there is no way to address this state.

– This state can be reached if the user halts the Security Compliance
  Manager Client after the client has already been admitted to the network
  and then creates a compliance violation.

– A potential solution would be a background process, run by the Windows
  Scheduler or a cron job, that checks whether the Security Compliance
  Manager Client is running and starts it if it is not. This would then
  bring the client to state #6.

Scenario 3: pre-admission, Security Compliance Manager not running,
compliant client

– This scenario is a subset of scenario 1.

– NAC Appliance detects that the Security Compliance Manager Client is not
  running.
  i. Pops up the Temporary Access window.
  ii. User clicks the Update button.
  iii. Starts TSCMAgent.bat.

– TSCMAgent.bat:
  i. Sets the semaphore to -1.
  ii. Starts the Security Compliance Manager Client.
  iii. Runs statuscheck.exe.

– Statuscheck.exe:
  Requests posture from the Security Compliance Manager Client.
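The three scenarios above all turn on one rule: the NAC Appliance admits a client only when the Security Compliance Manager Client is running and the semaphore equals 1, and the semaphore only becomes 1 after a validation pass with no violations. The following Python model is an added example, not code from the Redbook, IBM or Cisco; it simulates the agent-side components (TSCMAgent.bat, the client's validation pass, the remediation handler) and the appliance's decision so the pre-admission flow and the scenario 2 gap can be traced. The `Endpoint` class, the `SEM_UNSET` value, the sample violation strings, and the assumption that the scenario 2 watchdog restarts the client through the same TSCMAgent path are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List

# Semaphore values named on this page; SEM_UNSET is a constructed "no value yet".
SEM_COMPLIANT = 1     # set by the SCM client when validation finds no violations
SEM_REMEDIATING = -1  # set by TSCMAgent.bat before the SCM client is started
SEM_UNSET = 0


@dataclass
class Endpoint:
    """One client as seen by the NAC Appliance and the agent-side components (constructed)."""
    scm_running: bool
    violations: List[str] = field(default_factory=list)
    semaphore: int = SEM_UNSET
    admitted: bool = False
    log: List[str] = field(default_factory=list)


def compliance_validation(ep: Endpoint) -> bool:
    """SCM client validation: semaphore becomes 1 only when no violations are found;
    with violations present the semaphore is left unchanged."""
    if ep.violations:
        ep.log.append(f"validation: {len(ep.violations)} violation(s), semaphore unchanged")
        return False
    ep.semaphore = SEM_COMPLIANT
    ep.log.append("validation: no violations, semaphore=1")
    return True


def remediation_handler(ep: Endpoint, user_clicks_fix_now: bool) -> bool:
    """Runs after validation found violations. With semaphore -1 the Remediation
    Interface pops up; Fix Now autoremediates, then validation runs again."""
    if ep.semaphore == SEM_REMEDIATING:
        ep.log.append("remediation: PopUp Remediation Interface")
    if user_clicks_fix_now:
        ep.log.append(f"remediation: Fix Now cleared {ep.violations}")
        ep.violations.clear()
    return compliance_validation(ep)


def scm_client_cycle(ep: Endpoint, user_clicks_fix_now: bool = True) -> bool:
    """One SCM client pass: validate, and on violations hand off to remediation."""
    if not ep.scm_running:
        ep.log.append("SCM client not running: nothing validates the endpoint")
        return False
    return compliance_validation(ep) or remediation_handler(ep, user_clicks_fix_now)


def tscm_agent(ep: Endpoint) -> None:
    """Model of TSCMAgent.bat: semaphore=-1, start the SCM client, run statuscheck.exe."""
    ep.semaphore = SEM_REMEDIATING
    ep.scm_running = True
    ep.log.append("TSCMAgent: semaphore=-1, SCM client started, statuscheck.exe requests posture")


def nac_decision(ep: Endpoint) -> bool:
    """NAC Appliance admission rule: SCM client running AND semaphore == 1."""
    ep.admitted = ep.scm_running and ep.semaphore == SEM_COMPLIANT
    ep.log.append(f"NAC: admit={ep.admitted}")
    return ep.admitted


def run_pre_admission(violations: List[str], scm_running: bool,
                      user_clicks_fix_now: bool = True) -> Endpoint:
    """Scenarios 1 and 3: not yet admitted. If the SCM client is not running, the
    NAC Appliance shows the Temporary Access window and Update starts TSCMAgent.bat."""
    ep = Endpoint(scm_running=scm_running, violations=list(violations))
    if not ep.scm_running:
        ep.log.append("NAC: Temporary Access window, user clicks Update")
        tscm_agent(ep)
    scm_client_cycle(ep, user_clicks_fix_now)
    nac_decision(ep)
    return ep


def halt_client_after_admission(ep: Endpoint, new_violation: str) -> Endpoint:
    """Scenario 2: an admitted user halts the SCM client, then creates a violation.
    Nothing re-evaluates the endpoint, so semaphore=1 and admitted=True go stale."""
    ep.scm_running = False
    ep.violations.append(new_violation)
    ep.log.append("user halted SCM client, then introduced a violation")
    scm_client_cycle(ep)  # no effect: the client is not running
    return ep


def watchdog(ep: Endpoint) -> bool:
    """Scenario 2 mitigation: a scheduled job restarts the SCM client if it is not
    running. Assumption (not stated on the page): the restart goes through the
    TSCMAgent path, so the semaphore drops to -1 until validation passes again."""
    if ep.scm_running:
        return False
    ep.log.append("watchdog: SCM client not running, restarting it")
    tscm_agent(ep)
    scm_client_cycle(ep, user_clicks_fix_now=False)  # surface the violation, no auto-fix
    return True
```

Running `run_pre_admission(["firewall disabled"], scm_running=False)` reproduces scenario 1 (popup, Fix Now, semaphore 1, admitted); calling `halt_client_after_admission` on an admitted endpoint shows the scenario 2 state in which the client is stopped and noncompliant yet `admitted` and the semaphore are never revisited. The watchdog alone does not revoke anything: it only restores the conditions under which the next `nac_decision` would see semaphore -1 and deny, which is why the page's "potential solution" depends on the appliance re-evaluating the client rather than on the restart itself.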