
Cisco Clean Access FAQ:

General:

Q: What is Cisco Clean Access?

A: Cisco Clean Access is a network security solution that can prevent infected and vulnerable machines from joining the network, providing a cleaner and safer computing environment. Clean Access is software that scans and assesses devices to ensure they meet minimum security standards. Johns Hopkins' initial rollout includes a baseline scan of Windows systems to check for anti-virus software and operating system patches.

Q: What is Cisco Clean Access Agent?

A: Cisco Clean Access Agent is an application that will check certain security settings on your Windows PC, to make sure that your system is up-to-date with required security patches and software. The Agent reports this status to the server. No information about you is sent to the server. You must use Cisco Clean Access Agent for your Microsoft Windows PC in order to authenticate and use the “hopkins” wireless network.

Q: Will the Clean Access Agent monitor what I do online?

A: No, the Clean Access Agent is only used for the initial scan, validation and authentication. Your internet activities are NOT captured by this Agent.

Q: Who is required to use the Cisco Clean Access Agent?

A: Windows XP and Vista users are REQUIRED to use the Cisco Clean Access Agent. You will not be able to access the resources on the wireless network until you complete the Agent login.

Q: How will I upgrade the Clean Access Agent?

A: The Clean Access Agent will be upgraded from time to time. Upgrades are pushed from our Clean Access Server. When Cisco releases an update and we are satisfied that it is suitable for our environment, we will release it and you will receive a pop-up screen asking you to upgrade. Click Yes.

Q: What if I am running Mac OS X?

A: There is an agent for Mac OS X. We have currently disabled the requirement for Mac, due to some compatibility issues with the new release of Leopard. For now, just launch your favorite web browser and accept the terms and conditions to log in. When activated, the agent is used to simplify authentication. We expect the agent to be the foundation for protecting Mac users. When this requirement is re-activated, you can find instructions for the install at http://it.jhu.edu/networking/wireless.

Q: What if I am running Linux?

A: There is no agent for Linux. You will need to launch a web browser and agree to the terms and conditions to authenticate to the “hopkins” network.

Q: Why are we introducing this solution now?

A: Johns Hopkins is making every effort to make the wireless network experience productive and secure. With recent virus outbreaks, computers that are not patched or do not run virus-scanning software are at risk of infecting others and disrupting network services. It has been determined that the best way to prevent this from happening is to ensure that virus software and OS critical updates and patches are current and maintained.

Validation:

Q: What validation checks (posture assessments) are being performed?

A: Currently our validation checks are audits. Machines on the “hopkins” wireless network will be required to meet the following criteria:

  • If running Windows XP, it must be Windows XP Service Pack 2.
  • Have the current Windows Operating System Critical Updates & Hot Fixes.
  • Have network bridging disabled.
  • Have the Automatic Updates feature for Microsoft Windows turned on.
  • Have Symantec Antivirus Corporate Edition software running.
  • Have the latest virus definitions for the anti-virus software.

Q: How long does the validation take?

A: In general, the assessment takes between 10 and 20 seconds.

Q: Will using a personal firewall cause a problem?

A: Yes, this may cause a problem if you are using third-party software. Be sure to permit Clean Access as an allowed program and/or exception. You may need to refer to your vendor's website for instructions.

Windows XP and Vista come with a firewall that is part of the operating system. If you are having trouble, you may need to configure the firewall to allow the Clean Access program with the 'Permit All' option. For example, on Windows XP or Vista, follow the steps below:

Windows XP:

  • Start ---> Control panel ---> Windows Firewall
  • Click on the 'Exceptions' tab 
  • Click 'Add Program'
  • From the list of programs, select 'Cisco Clean Access' and then press OK
  • Make sure the square box in the program list is checked for Cisco Clean Access

Windows Vista:

  • Start ---> Control panel ---> Windows Firewall
  • Click on 'Change settings'
  • Click on the 'Exceptions' tab
  • Click 'Add Program'
  • From the list of programs, select 'Cisco Clean Access' and then press OK
  • Make sure the square box in the program list is checked for Cisco Clean Access

If the Clean Access Agent is downloaded and installed without any errors, and the firewall is configured properly to allow the Clean Access Agent, the Clean Access Agent login screen will pop up instantly for you to log in and validate. Typically, if the firewall is not configured properly, you will see that Clean Access is running, either from its icon in the system tray at the right-hand corner of the screen or by double-clicking the desktop icon for Clean Access Agent, but the login screen will not appear. Go back and verify the firewall settings.

An additional note: every time a new patch or version upgrade is available for Clean Access Agent and you choose to upgrade, make sure that you allow Clean Access through your firewall if the firewall software reports that it has found new software.

Login/Logoff:

Q: How do I login to the Clean Access agent?

A: You will automatically be logged in to Clean Access by a Single Sign-On mechanism. Your JHED credentials that you entered in your wireless configuration will be used by the Clean Access agent. There is no manual logon. This is an automated process.

Q: How do I tell if I am already logged in?

A: The best way is to try to go to an Internet site. In most cases, if you are ABLE to access a website such as www.yahoo.com, you are online and logged in. If you check the Clean Access Agent icon in your task bar, it should say "Logged In" and the icon should be turquoise.


NOTE: Make sure the “Popup Login Window” option is checked. If it is not, you will be unable to fully authenticate and use the “hopkins” wireless network.


Q: I do not see the Cisco Clean Access Agent icon in my system tray; what do I do?

A: There are a few possibilities:

  • Cisco Clean Access Agent has not been installed. Please install Cisco Clean Access Agent to continue.
  • Cisco Clean Access Agent has been installed but you did not select "Launch" at the end of the installation. From the "Start" menu, choose "Programs", then "Cisco", then "Clean Access", then "Clean Access Agent" to launch the program.
  • Cisco Clean Access Agent is "hidden" in the system tray. Please click on "<<" to expand the system tray list and show Cisco Clean Access Agent, then log in.
  • Your computer has a problem showing system tray icons. You may be able to use Task Manager to halt Cisco Clean Access Agent and then launch it again.
  • Cisco Clean Access Agent is installed but not running. From the "Start" menu, choose "Programs", then "Cisco", then "Clean Access", then "Clean Access Agent" to launch the program.

Q: How do I logout?

A:  When you disable or disconnect your wireless connection, you will be automatically logged out of Cisco Clean Access.  There is no manual logout process.

Troubleshooting:

Q: I cannot access the login page. I get the redirection page but then my browser gives an error and stops.

A: Generally, this is caused by an encryption (SSL) problem with your browser. Encryption is required for authentication to complete. Try another browser if you are unable to correct the problem with the first browser. Also verify the settings in your browser by going to Tools -> Internet Options, making the changes under the following tabs, and saving after each change.

  • General ---> Clear all Temporary Files, and Cookies
  • Security ---> Select 'Default Level'
  • Privacy ---> Select 'Default'
  • Advanced ---> Select 'Restore Defaults'

Q: I get an "SSL certificate REV failed [12057]" error when I try to login to Clean Access.

A: This results from having Internet Explorer 7 or Windows Vista. You'll need to change a security setting in Internet Explorer in order to connect via Clean Access.

  1. Open Internet Explorer.
  2. Open the Tools menu at the upper right and choose "Internet Options".
  3. Choose the "Advanced" tab.
  4. Find the option for "Check for server certificate revocation" and UNCHECK the box.
  5. Click OK to close Internet Options.
  6. Close all Internet Explorer windows to finalize the change.

Q: I get a “Network Error 500” when I try to login to Clean Access.

A: Usually this error occurs when there are multiple network cards on the client machine. If the client machine has multiple cards (Ethernet and wireless), it is possible that Windows uses the incorrect card to send the information. Disable the Ethernet network card while using wireless.

Q: The Cisco Clean Access Agent gives the generic "Network Error" error message while it logs on. Why?

A: The Cisco Clean Access Agent shows this error when it is unable to communicate with the Cisco Clean Access Server using HTTPS. This can happen for several reasons:

  • The client time is incorrect. The time on the client machine causes it to not trust the server certificate. For example, client time is set to a time that is earlier than the server time. This causes the certificate time to be in the future from the perspective of the client. Reset your machine to the correct time and date.
  • Third-party software interferes with communication between the Cisco Clean Access Agent and the Cisco Clean Access Server. Software such as Cisco VPN Client, Check Point VPN Client, and personal firewalls can affect the communication. Try disabling such software to see if the Cisco Clean Access Agent works.
  • Clear the cache. Issue the ipconfig /flushdns command at the command prompt, or in Internet Explorer under Internet Options > Advanced, deselect "Check for server certificate revocation".

Q: I'm on a Macintosh or Linux machine. I've opened my browser but I am not redirected to a login page. What do I do?

A: You must try to go to a non-local site such as www.google.com.

Q: What happens if I uninstall the Clean Access Agent client?

A: You will be required to reinstall the client to re-authenticate when your login expires. Also, please note that if you reinstall Clean Access and you are running a firewall on your machine, that firewall must be reconfigured as well to allow the Clean Access program.

Q: Is there a general troubleshooting checklist I can follow?

A:  If you are having trouble connecting to the network, go through this quick checklist to make sure you have not missed anything:

  • Make sure you have enabled your wireless card/connection.
  • Reboot the computer and make sure all services start normally: no error messages or unwanted windows with errors.
  • You should be getting a proper IP address starting with 10.x.x.x. Check the TCP/IP settings. If the output of 'ipconfig' is blank, chances are your wireless card TCP/IP settings are not correct. Normal TCP/IP settings should have 'Obtain IP address automatically' and 'Obtain DNS information automatically' checked. Any IP addresses in the DNS settings will give you 'Network Error'. If you are getting a 169.254.x.x address, try 'ipconfig /release' and then 'ipconfig /renew' at the command prompt. Usually a 169.254.x.x address means you are not getting a proper IP address from the DHCP server.
  • Make sure to allow Clean Access through any configured firewall.
  • You may need to remove anti-virus software and install Symantec.
  • Upon starting your web browser, you are NOT redirected to the Johns Hopkins Clean Access page for authentication. No redirection usually points to browser settings. Make sure you restore the browser to its default settings.
  • You are taken to the download page for Clean Access Agent. You cannot install the agent. Make sure you have administrator privileges on the system.
  • You have successfully downloaded and installed the Clean Access Agent. When installation completes, your firewall will prompt you to allow or block this program. Always choose the option "Allow" for Clean Access Agent.
  • After installation, the login screen for Clean Access does not appear. No login screen usually points to firewall settings or, if you are trying at a different time, it could also mean there is no network connection.
  • It was working fine and then stopped working. Track back and research what changes you recently made on your computer.
  • You open your web browser and nothing is displayed. Please make sure that your browser default home page is set to a valid website such as www.jhu.edu and not 'Blank.'
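
The address checks in the checklist above, together with the multiple-network-card cause of "Network Error 500" described earlier, can be automated for help-desk triage. The following Python code is an added example, not part of the original FAQ or of Cisco's software; it parses pasted `ipconfig /all` output, and the sample text and the finding labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (Windows XP layout), not from the page.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.20

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.17.5
"""

FIELD = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*)$")  # "Name . . . : value"
APIPA = ipaddress.ip_network("169.254.0.0/16")   # self-assigned when DHCP fails
CAMPUS = ipaddress.ip_network("10.0.0.0/8")      # the FAQ's "10.x.x.x"

def parse_adapters(text):
    """Return {adapter name: {lower-cased field name: first value seen}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None and (m := FIELD.match(line)):
            current.setdefault(m.group(1).lower(), m.group(2).strip())
    return adapters

def diagnose(text):
    """Map each adapter to the checklist conditions it trips (labels are hypothetical)."""
    report = {}
    for name, fields in parse_adapters(text).items():
        raw = next((v for k, v in fields.items() if k.endswith(("ip address", "ipv4 address"))), "")
        try:  # Vista appends "(Preferred)" to the address
            addr = ipaddress.ip_address(raw.split("(")[0].strip())
        except ValueError:
            addr = None
        status = ("no-address" if addr is None else "dhcp-failed" if addr in APIPA
                  else "not-10.x" if addr not in CAMPUS else "address-ok")
        static = fields.get("dhcp enabled", "").lower() == "no"
        report[name] = [status] + (["static-config"] if static else [])
    live = [n for n, f in report.items() if f[0] != "no-address"]
    for n in live if len(live) > 1 else []:
        report[n].append("multiple-active-adapters")
    return report
```

Calling `diagnose(SAMPLE)` flags the wired adapter as statically configured outside 10.x.x.x, the wireless adapter as having failed DHCP, and both as simultaneously active.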
