NAC Question

Unanswered Question
May 7th, 2008

We are currently looking into the features of a NAC appliance. From the reading I have done thus far, it seems like an edge architecture is the best architecture to go with. That being said, my question is this:

How many NAC appliances would I need to have for my entire LAN? I suspect the answer is only one, but I am unsure at this point. Thanks

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JORGE RODRIGUEZ Wed, 05/07/2008 - 08:53

Good question, I began into looking at NAC myself, you can deploy NAC in your edge network or core network perimeters, what it comes down to is what devices throughout your network will be enforcement points, such as wireless, vpn devices, switches , routers , firewalls etc.. to my understanding you need one NAC applience along with its required componets ACS etc.. but I am quite positive a redundant NAC solution can be deployed as well.

Here are some good links, NAC is a monster so bear with me as I am like you looking into this product.

NAC Deployment guide

Architecture overview

You may find some good info on ASK the EXPERTS on NAC.



jesrobbie Thu, 05/08/2008 - 00:49

The real answer is "it depends".

The number of appliances, and here I'm referring to the servers that will enforce your policies or CAS's as they're known, is driven largely by the access method of your users (wireless, vpn, remote site etc), as well as your current infrastructure. VPN and wireless access for example requires an appliance to be inline whereas regular LAN access users (often lots of them) would usually be addressed by an out of band appliance. Both of these may be deployed centrally.

What I'm getting at here is that you may have some in band appliances AND some out of band appliances - it's all dependent upon YOUR particular infrastructure. I would add that with an edge deployment you would likely require many more CAS's than with a central deployment, but that may just work fine in your infrastructure.

gojericho0 Wed, 05/07/2008 - 08:53

You will probably only need 1 CAS for each LAN or 2 if you want HA. How many remote sites do you have. You can also have the CAM and CAS centrally located and use route-maps to direct the traffic back to the core office


This Discussion