Hi,
Go check Clean Access on CCO for info on NAC Appliance but here are some answers to get you going:
Q1- NAC Appliance it standalone box ,,,,does that mean that NAC appliance includes (built-in) all the necessary (not optional) components , which are belong to NAC Framework (please see above) ?
The NAC Appliance is Clean Access and works differently although Cisco will merge the technologies into the
Appliance. NAC Appliance controls switches by SNMP, not 802.1X and does not use ACS
Q2- The architecture of NAC Framework includes many different components from Cisco and other vendors (third party),,,,,,What about NAC appliance does it also include same components from other vendors (third party) ?
The NAC Framework (Switches, ACS, Trust Agent from Cisco) works with 3rd Applications such as
Anti-Virus Servers from Partners such as Trend. There are 75 partners currently.
Q3- How does NAC appliance get updated ? since it is standalone box ? do we have to connect it to net to get the necessary updates ?
The NAC Appliance gets updated as per configured schedule, in our case, once an hour, via CCO and it can
do this via a Proxy too for preconfigured checks for over 200 products. The actual update and
most of the configuration is done on the Manager Appliance, which controls one or more NAC appliances
The Client can either used Web Based Auth or the Clean Access Agent which can be downloaded. First time
use is invoked by the user trying to browse through the appliance and getting redirected to a sign
on page where they can download the Agent.
Once the Agent is installed, it tries to decover the Manager through the NAC Appliance and that causes it to
pop up and do the posture assessment.
Q4- If I am looking to implement (install) NAC Appliance within my network do I need to use CS ACS (I guess we do not need to use CS ACS, see link below) or I have to use other components ?
http://www.cisco.com/en/US/netsol/ns466/netqa0900aecd800fdd6f.html
Customers are recommended to consider the NAC Framework only when one of the following applies:
Cisco Secure Access Control Server (ACS) is required as the central policy server in the NAC deployment
You don't need Cisco ACS to use NAC Appliance
Q5- The initial release of cisco NAC Framework became available June 2004 ,,,,what about NAC Appliance ? (i.e is it new technology )?
NAC Appliance has been going for about 3 years within Cisco. It was acquired by Cisco (Perfigo)
Q6- I could not get what does he mean by : words ? in-band ? and ? inline? in the above quote ?
http://www.cisco.com/en/US/netsol/ns466/netbr0900aecd80355b2f.html
NAC Appliance must be deployed as an in-band deployment to support WLANs. In an in-band deployment, the NAC Appliance server is always inline with user traffic-before, during, and after authentication, posture assessment, and remediation.
Inline or in-band
For Wireless, the NAC Appliance is deployed inline, between the client and the trusted network which means
it is inline all the time.
We also have done inline deployments with VPN (ASA's SSL/IPSec VPN) and used Single Sign on with
SecurID, Active Directory and other authentication mechanisms.
Out of Band
The other deployments (Virtual Gateway means Bridge mode and Router Mode) can also be deployed
out of band, meaning you can deploy NAC Appliances at the distribution layer that control switches at the
access layer, but in this configuration, users are inline only during authentication.
it works like this...a user is on a restricted access VLAN, once they authentication via discovery of the
NAC Appliance, it does a posture assessment and moves them into an access VLAN and refreshes their IP
There are further complications such as setting up SSO with Active Directory so when the user logs
on, the NAC Agent (runs in systray) auto signs in using the AD credentials.
