Currently the Clean Access Agent application is only available for some Windows and Mac OS X operating systems (Windows 98, Windows Me, Windows 2000, Windows XP, Windows XP Media Center Edition, Windows Vista, Windows 7, Windows 8 and Mac OS X); most network administrators allow clients with non-Windows operating systems (such as Mac OS 9, Linux, and FreeBSD) to access the network without any security checks (authentication is still required and is usually handled via a Web interface). After successfully authenticating via a web interface, the Clean Access Server will direct new Windows-based clients to download and install the Clean Access Agent application (at this time, non-Windows-based clients need only authenticate via the web interface and agree to any network terms of service).
Once the Agent application checks the system, the Agent will inform the user of the result with either a success message or a failure message.
Failure messages inform the user of which category or categories the system failed (Windows updates, antivirus, etc.), and instruct the user on how to proceed.
Quarantined systems are then typically given a 60-minute window where the user can try to resolve the reason(s) for quarantine.
In such a case, the user is only allowed connectivity to the Windows Update website and a number of antivirus providers (Symantec, McAfee, Trend Micro, etc.), or the user may be redirected to a Guest Server for remediation. Once the 60-minute window expires, all network traffic is blocked.
This feature is intended to prevent users from changing identification of their client operating systems through manipulating HTTP information.
Note that this is a "passive" detection technique that only inspects the TCP handshake and is not impacted by the presence of a firewall.
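The following sketch illustrates this kind of passive check. It is an added example, not Cisco's code or signature set: it parses a captured TCP SYN and flags a client whose HTTP User-Agent claims an operating system that the handshake contradicts. The heuristic (initial TTL plus presence of the TCP timestamp option), the function names and the sample packets are all assumptions constructed for illustration.

```python
import struct

# Constructed sample option blocks (MSS,NOP,WS,NOP,NOP,SACK / MSS,SACK,TS,NOP,WS)
OPTS_NO_TS = bytes.fromhex("020405b40103030801010402")
OPTS_TS = bytes.fromhex("020405b40402080a000000010000000001030307")

def build_syn(ttl, window, options):
    """Constructed test input: minimal IPv4+TCP SYN, checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0,
                      (5 + len(options) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + tcp

def parse_syn(pkt):
    """Return (ttl, window, option kinds) from a raw IPv4 packet holding a SYN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not IPv4/TCP")
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:
        raise ValueError("not an initial SYN")
    hdr_len = min((tcp[12] >> 4) * 4, len(tcp))
    kinds, i = [], 20
    while i < hdr_len and tcp[i] != 0:       # kind 0 ends the option list
        kinds.append(tcp[i])
        if tcp[i] == 1:                      # NOP has no length byte
            i += 1
        elif i + 1 < hdr_len and tcp[i + 1] >= 2:
            i += tcp[i + 1]
        else:
            raise ValueError("malformed TCP option")
    return pkt[8], struct.unpack("!H", tcp[14:16])[0], kinds

def stack_family(pkt):
    """Coarse guess from the handshake alone (assumed heuristic)."""
    ttl, _, kinds = parse_syn(pkt)
    initial = next(t for t in (64, 128, 255) if ttl <= t)  # undo hop decrements
    if initial == 128 and 8 not in kinds:    # 8 = TCP timestamp option
        return "windows"
    if initial == 64 and 8 in kinds:
        return "unix-like"
    return "unknown"

def os_claim_mismatch(pkt, user_agent):
    """True when the OS claimed over HTTP contradicts the TCP-level guess."""
    unix = any(s in user_agent for s in ("Linux", "Mac OS X", "FreeBSD"))
    claimed = "windows" if "Windows" in user_agent else "unix-like" if unix else "unknown"
    seen = stack_family(pkt)
    return "unknown" not in (seen, claimed) and seen != claimed
```

The check returns `False` whenever either side is "unknown", so an ambiguous handshake never produces a mismatch on its own.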
Systems usually need to re-authenticate a minimum of once per week, regardless of their status; however, this option can be changed by the network administrator.
Also, if a system is disconnected from the network for a set amount of time (usually ten minutes), the user will have to re-authenticate when they reconnect to the network.
Any system failing the checks will be denied general access to the network and will probably be placed in a quarantined role. How exactly a failed system is handled depends entirely on how the Clean Access Manager is configured, and may vary from network to network; for example, a failed system may simply be denied all network access afterward.
The Clean Access Agent makes extensive use of the Windows Script Engine, version 5.6.