IBM Tivoli and Cisco manual

–Security Compliance Manager Client:

i.Runs compliance validation. In this case, violations are found and semaphore does not equal 1, so leave semaphore unchanged.

ii.Since violations are found, client runs remediation handler.

–Remediation handler:

i.Since semaphore is -1, PopUp Remediation Interface.

ii.User can click Fix Now for autoremediation.

iii.Runs compliance validation. In this case, no violations are found, so set semaphore to 1.

–User clicks Next.

–NAC Appliance now finds Security Compliance Manager Client running and semaphore=1, so admit client.

￿Scenario 2: post-admission, Security Compliance Manager not running, noncompliant client

–This is a border case and there is no way to address this state.

–This state can be reached if the user halts the Security Compliance Manager Client after the client has already been admitted to the network and then creates a compliance violation.

–A potential solution would be a background process that is run by the Windows Scheduler or Cron job to check for the Security Compliance Manager Client to be running and start it if it is not running. This would then bring the client to state #6.

￿Scenario 3: pre-admission, Security Compliance Manager not running, compliant client

–This scenario is a subset of scenario 1.

–NAC Appliance detects that Security Compliance Manager Client is not running.

i.Pops up Temporary Access window

ii.User clicks Update button

iii.Starts TSCMAgent.bat

–TSCMAgent.bat:

i.Sets semaphore to -1

ii.Starts Security Compliance Manager Client

iii.Runs statuscheck.exe

–Statuscheck.exe:

•Requests posture from Security Compliance Manager Client

466Building a Network Access Control Solution with IBM Tivoli and Cisco Systems