IBM Tivoli and Cisco User Manual

Appendix A. Hints and tips

– Security Compliance Manager Client:

Runs compliance validation. In this case, no violations are found, so set semaphore to 1.

No violations are found so return.

– User clicks Next button.

– NAC Appliance now finds Security Compliance Manager Client running and semaphore=1, so admit client.

Scenario 4: post-admission, Security Compliance Manager not running, compliant client

– This is a border case and is similar to scenario 2.

– This state can be reached if the user halts the Security Compliance Manager Client after the client has already been admitted to the network but the client is actually compliant.

– A potential solution would be a background process that is run by the Windows Scheduler or Cron job to check whether the Security Compliance Manager Client is running and start it if it is not running. This would then bring the client to state #8.

Scenario 5: pre-admission, Security Compliance Manager running, noncompliant client

– This is the most normal case and is the one that gets demonstrated. It is a subset of scenario 1.

– NAC Appliance detects that semaphore is not equal to 1.

i. Pops up Temporary Access window
ii. User clicks Update button
iii. Starts TSCMAgent.bat

– TSCMAgent.bat:

i. Sets semaphore to -1
ii. Starts Security Compliance Manager Client (if already running, this step is redundant but not harmful)
iii. Runs statuscheck.exe

– Statuscheck.exe:

Requests rescan from Security Compliance Manager Client

– Security Compliance Manager Client

Runs compliance scan. In this case, violations are found and semaphore does not equal 1, so leave semaphore unchanged.

Since violations are found, run remediation handler
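
The semaphore handshake from scenarios 4 and 5 above, modeled as an added Python example (not code from the manual or the products). The in-memory `Client` object, the starting semaphore value 0, the sample violation string, and the assumption that halting the client leaves the semaphore untouched are all constructed for illustration; the page does not say where the semaphore is stored.

```python
from dataclasses import dataclass, field

@dataclass
class Client:
    """Assumed in-memory stand-in for an endpoint; not the product's data model."""
    violations: list                 # constructed posture findings
    scm_running: bool = True
    semaphore: int = 0               # assumed start value; the page names only 1 and -1
    log: list = field(default_factory=list)

    def scm_scan(self):
        """Security Compliance Manager Client: run the compliance scan."""
        if not self.violations:
            self.semaphore = 1       # no violations: set semaphore to 1
            self.log.append("scan clean, semaphore=1")
        else:                        # violations: semaphore left unchanged
            self.log.append("violations found, remediation handler runs")

    def tscm_agent(self):
        """TSCMAgent.bat: the three steps listed above."""
        self.semaphore = -1          # i. a stale 1 cannot survive a failed rescan
        self.scm_running = True      # ii. redundant but harmless if already running
        self.scm_scan()              # iii. statuscheck.exe requests the rescan

def nac_check(c):
    """NAC Appliance rule: client running AND semaphore == 1."""
    return c.scm_running and c.semaphore == 1

def admission_flow(c):
    """Pre-admission: check, offer Update (TSCMAgent.bat), re-check on Next."""
    if not nac_check(c):
        c.tscm_agent()               # Temporary Access window, user clicks Update
    return "admit" if nac_check(c) else "temporary access"

def watchdog(c):
    """Scenario 4 mitigation: scheduled job restarts a halted client.
    Assumes halting the client does not change the semaphore."""
    if not c.scm_running:
        c.scm_running = True
        c.log.append("watchdog restarted client")

if __name__ == "__main__":
    for name, c in [("compliant", Client([])),
                    ("noncompliant", Client(["constructed: patch missing"]))]:
        print(name, admission_flow(c), c.semaphore, c.log)
```

Because admission requires both conditions, a halted client fails the check even when its semaphore is still 1, which is the gap the scheduled watchdog closes.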