NAC by ACS 3.3

Unanswered Question
Oct 17th, 2007

Hi there

Is it possible to implement (wireless) NAC by an ACS?

Or do I need a NAC appliance ?



darpotter Wed, 10/17/2007 - 08:26

Yes, it is possible to implement NAC using ACS. You probably want to use v4.1.

v3.3 was the 1st rev and not feature rich. v4.0 is buggy as hell. From my sources I hear v4.1 is only just now getting to be stable.

There's white papers and stuff on if you search for NAC and ACS. On its own ACS can implement policy to check basic facts about the state of the endpoint before granting access (eg OS version, service pack etc).

If you want much more (eg virus def state) you probably also need the posture server from your a/v supplier. ACS can "back end" onto quite a few 3rd party solutions.

remco.gussen Wed, 10/17/2007 - 12:05

How does the ACS know what the "basic facts about the state of the endpoint" are? Is it something like this: If client is Windows XP and SP is less than SP1, then clients must be placed in "update" VLAN?

andrew.brazier@... Mon, 10/22/2007 - 02:53

That comes from the Cisco Secure Agent (CSA) installed on the client. This, together with the posture configuration on the ACS, defines the posture of the client (and if it's 802.1x, the VLAN it goes into).

BTW, you really want ACS 4.0 as a minimum and preferably 4.1 for the reasons stated.

