After successfully authenticating via a web interface, the Clean Access Server will direct new Windows based clients to download and install the Clean Access Agent application (at this time, non-Windows based clients need only authenticate via the web interface and agree to any network terms of service).
In such a case, the user is only allowed connectivity to the Windows Update website and a number of antivirus providers (Symantec, McAfee, Trend Micro, etc.
The Clean Access Server (CAS) determines the client's operating system by reading the browser's user agent string after authentication.
To combat attempts to spoof the OS in use on the client, newer versions of the Server and Agent (3.6.0 and up) also probe the host via TCP/IP stack fingerprinting and JavaScript to verify the machine's operating system: By default, the system uses the User-Agent string from the HTTP header to determine the client OS.
This feature is intended to prevent users from changing identification of their client operating systems through manipulating HTTP information.
It was demonstrated that removal or disabling of the scripting engine in MS Windows will bypass and break posture interrogation by the Clean Access Agent, which will "fail open" and allow devices to connect to a network upon proper authentication.
This segregates unauthorized users from each other and from the rest of the network, and makes wired-sniffing irrelevant and spoofing or cloning of authorized MAC addresses nearly impossible.
Proper and similar implementation in a wireless environment would in fact contribute to a more secure instance of Clean Access.
Timers allow administrators to clear the list of certified MAC addresses on a regular basis and force a re-authorization of devices and users to the Clean Access Server.
Numerous individuals who have experienced this rather blunt manner of security have openly expressed frustration with this software in forums as well as on Facebook with groups and posts.