03-17-2007 10:37 PM - edited 02-21-2020 01:27 AM
I have gone through a couple of resources about Network Admission Control (NAC):
http://www.cisco.com/en/US/netsol/ns466/netqa0900aecd800fdd6f.html
http://www.ciscopress.com/articles/article.asp?p=662903&seqNum=4&rl=1
http://www.consentry.com/products_features_nac.html
I am looking for a correction to my understanding, because I got a little bit confused.
There are two admission control solution choices:
1 NAC Appliance (standalone box)
2 NAC Framework
NAC Framework (2) includes the following main components:
a- Endpoint security application
b- Posture agent
c- Network access devices
d- Cisco Policy server [Cisco Secure Access Control Server (CS ACS)]
e- Optional servers that operate as policy server decision points and audit servers
f- Optional management and reporting tools are highly recommended
Q1- NAC Appliance is a standalone box; does that mean that the NAC Appliance includes (built-in) all the necessary (not optional) components that belong to the NAC Framework (please see above)?
Q2- The architecture of the NAC Framework includes many different components from Cisco and other vendors (third party). What about the NAC Appliance: does it also include the same components from other vendors (third party)?
Q3- How does the NAC Appliance get updated, since it is a standalone box? Do we have to connect it to the net to get the necessary updates?
Q4- If I am looking to implement (install) the NAC Appliance within my network, do I need to use CS ACS (I guess we do not need to use CS ACS, see link below), or do I have to use other components?
http://www.cisco.com/en/US/netsol/ns466/netqa0900aecd800fdd6f.html
<quote>
Customers are recommended to consider the NAC Framework only when one of the following applies:
Cisco Secure Access Control Server (ACS) is required as the central policy server in the NAC deployment
</quote>
Q5- The initial release of the Cisco NAC Framework became available in June 2004. What about the NAC Appliance? (i.e. is it a new technology?)
Q6- I could not get what he means by the words "in-band" and "inline" in the quote below:
http://www.cisco.com/en/US/netsol/ns466/netbr0900aecd80355b2f.html
<quote>
NAC Appliance must be deployed as an in-band deployment to support WLANs. In an in-band deployment, the NAC Appliance server is always inline with user traffic, before, during, and after authentication, posture assessment, and remediation.
</quote>
03-22-2007 12:12 PM
In my view the NAC appliance is a single device and has all the necessary components in it. The NAC framework is good for organizations with some existing security deployment (from participating vendors) or a policy that needs multiple-vendor infrastructure. The NAC appliance incorporates only Cisco technology. The NAC appliance needs an internet connection for updates and can be connected directly (no need for ACS). The NAC appliance is new technology and it monitors the traffic inline (with traffic flow) and sits in-band (inside the network).
03-22-2007 01:34 PM
I found it helpful to buy these two Cisco Press books in order to get my arms around the NAC Framework and NAC Appliance vocabulary:
Cisco Network Admission Control Volume 1 and 2.
I usually buy the books and compare them with the User Guides on CCO just to make sure I understand the concepts.
It's also a good idea to try to attend a Cisco-led seminar in your area. That way you can get answers to your queries much faster, along with any follow-up questions that might arise.
Hope this helps.
03-22-2007 04:22 PM
Hi,
Go check Clean Access on CCO for info on NAC Appliance but here are some answers to get you going:
Q1- NAC Appliance is a standalone box; does that mean that the NAC Appliance includes (built-in) all the necessary (not optional) components that belong to the NAC Framework (please see above)?
The NAC Appliance is Clean Access and works differently, although Cisco will merge the technologies into the Appliance. The NAC Appliance controls switches by SNMP, not 802.1X, and does not use ACS.
Q2- The architecture of the NAC Framework includes many different components from Cisco and other vendors (third party). What about the NAC Appliance: does it also include the same components from other vendors (third party)?
The NAC Framework (switches, ACS, Trust Agent from Cisco) works with third-party applications such as anti-virus servers from partners such as Trend. There are 75 partners currently.
Q3- How does the NAC Appliance get updated, since it is a standalone box? Do we have to connect it to the net to get the necessary updates?
The NAC Appliance gets updated as per a configured schedule, in our case once an hour, via CCO, and it can do this via a proxy too, for preconfigured checks for over 200 products. The actual update and most of the configuration is done on the Manager Appliance, which controls one or more NAC Appliances.
The client can either use web-based auth or the Clean Access Agent, which can be downloaded. First-time use is invoked by the user trying to browse through the appliance and getting redirected to a sign-on page where they can download the Agent.
Once the Agent is installed, it tries to discover the Manager through the NAC Appliance, and that causes it to pop up and do the posture assessment.
Q4- If I am looking to implement (install) the NAC Appliance within my network, do I need to use CS ACS (I guess we do not need to use CS ACS, see link below), or do I have to use other components?
http://www.cisco.com/en/US/netsol/ns466/netqa0900aecd800fdd6f.html
Customers are recommended to consider the NAC Framework only when one of the following applies:
Cisco Secure Access Control Server (ACS) is required as the central policy server in the NAC deployment
You don't need Cisco ACS to use the NAC Appliance.
Q5- The initial release of the Cisco NAC Framework became available in June 2004. What about the NAC Appliance? (i.e. is it a new technology?)
The NAC Appliance has been going for about 3 years within Cisco. It was acquired by Cisco (Perfigo).
Q6- I could not get what he means by the words "in-band" and "inline" in the quote below:
http://www.cisco.com/en/US/netsol/ns466/netbr0900aecd80355b2f.html
NAC Appliance must be deployed as an in-band deployment to support WLANs. In an in-band deployment, the NAC Appliance server is always inline with user traffic, before, during, and after authentication, posture assessment, and remediation.
Inline or in-band
For wireless, the NAC Appliance is deployed inline, between the client and the trusted network, which means it is inline all the time.
We have also done inline deployments with VPN (ASA SSL/IPsec VPN) and used single sign-on with SecurID, Active Directory and other authentication mechanisms.
Out of Band
The other deployments (Virtual Gateway means bridge mode, and Router mode) can also be deployed out of band, meaning you can deploy NAC Appliances at the distribution layer that control switches at the access layer, but in this configuration users are inline only during authentication.
It works like this: a user is on a restricted-access VLAN; once they authenticate via discovery of the NAC Appliance, it does a posture assessment, moves them into an access VLAN and refreshes their IP.
There are further complications such as setting up SSO with Active Directory, so when the user logs on, the NAC Agent (runs in the systray) auto signs in using the AD credentials.
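The out-of-band flow in the reply above, modelled as an added example (not Cisco or Clean Access code): a host starts on the restricted VLAN, the Agent authenticates and reports posture, and on a pass the Manager pushes a VLAN change to the access switch over SNMP, after which the client has to refresh its IP. The vmVlan OID, VLAN numbers, posture rules and sample hosts are assumptions made for the example.

```python
"""
Model of the NAC Appliance out-of-band (OOB) admission flow.
Added illustration, not Cisco or Clean Access code: a user starts on a
restricted VLAN, authenticates after the Agent discovers the Manager, is
posture-assessed, and on success the switch port is moved to an access VLAN
via SNMP, after which the client must refresh its IP address.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed column OID of vmVlan in CISCO-VLAN-MEMBERSHIP-MIB (verify against
# your switch's MIB). The Manager writes <OID>.<ifIndex> = <vlan> to move a
# port; this is the "controls switches by SNMP, not 802.1X" in the reply.
VM_VLAN_OID = "1.3.6.1.4.1.9.9.68.1.2.2.1.2"

QUARANTINE_VLAN = 999    # restricted-access VLAN (constructed number)
ACCESS_VLAN = 10         # production VLAN (constructed number)
MAX_AV_SIG_AGE_DAYS = 7  # constructed posture policy


@dataclass
class Posture:
    """What the Agent reports after discovering the Manager."""
    authenticated: bool
    av_signature_date: date
    missing_hotfixes: List[str] = field(default_factory=list)


@dataclass
class Decision:
    vlan: int                               # VLAN the port ends up on
    snmp_set: Optional[Tuple[str, int]]     # (oid.ifIndex, vlan) to write, or None
    needs_ip_refresh: bool                  # True when the VLAN changed
    reasons: List[str]                      # failed checks, empty if compliant


def assess_posture(p: Posture, today: date) -> List[str]:
    """Return failed posture checks; an empty list means compliant."""
    failures = []
    if (today - p.av_signature_date).days > MAX_AV_SIG_AGE_DAYS:
        failures.append("AV signatures older than %d days" % MAX_AV_SIG_AGE_DAYS)
    if p.missing_hotfixes:
        failures.append("missing hotfixes: " + ", ".join(sorted(p.missing_hotfixes)))
    return failures


def _place(if_index: int, current_vlan: int, target: int, reasons: List[str]) -> Decision:
    """Emit the SNMP write only when the port actually has to move."""
    if current_vlan == target:
        return Decision(target, None, False, reasons)
    return Decision(target, ("%s.%d" % (VM_VLAN_OID, if_index), target), True, reasons)


def oob_admission(if_index: int, current_vlan: int, p: Posture, today: date) -> Decision:
    """Decide the target VLAN for one switch port and the SNMP write needed."""
    if not p.authenticated:
        # Unauthenticated hosts stay quarantined; nothing is written to the switch.
        return _place(if_index, current_vlan, QUARANTINE_VLAN, ["not authenticated"])
    failures = assess_posture(p, today)
    if failures:
        # Failed posture: remain (or be put back) on the quarantine VLAN for remediation.
        return _place(if_index, current_vlan, QUARANTINE_VLAN, failures)
    # Compliant: move to the access VLAN. From here on the appliance is no
    # longer in the traffic path (out of band), unlike in-band mode.
    return _place(if_index, current_vlan, ACCESS_VLAN, [])


# Constructed sample data for a stand-alone run.
SAMPLE_TODAY = date(2007, 3, 22)
SAMPLE_COMPLIANT = Posture(True, date(2007, 3, 20))
SAMPLE_STALE_AV = Posture(True, date(2007, 2, 1), ["hotfix-example"])
SAMPLE_UNAUTH = Posture(False, date(2007, 3, 20))


def run_demo() -> List[Decision]:
    return [
        oob_admission(5, QUARANTINE_VLAN, SAMPLE_COMPLIANT, SAMPLE_TODAY),  # admitted
        oob_admission(6, QUARANTINE_VLAN, SAMPLE_STALE_AV, SAMPLE_TODAY),   # stays quarantined
        oob_admission(7, ACCESS_VLAN, SAMPLE_STALE_AV, SAMPLE_TODAY),       # re-check failed, moved back
        oob_admission(8, QUARANTINE_VLAN, SAMPLE_UNAUTH, SAMPLE_TODAY),     # not authenticated
    ]


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The contrast with in-band mode is in where enforcement lives: here the only control point after admission is the VLAN the port sits on, so a host that later drifts out of compliance is caught only at the next re-assessment (port 7 above), whereas an inline appliance keeps every packet in its path.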