Authenticate End User Devices using the NAC

Unanswered Question
Dec 31st, 2008

All,

It is my understanding that the NAC can authenticate users via a back end Domain Controller. But is NAC able to to authenticate workstations?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
sachinraja Mon, 01/05/2009 - 12:42

NAC can actually authenticate and check securiy policies (like OS, Virus updates etc), for the end station.. It does do a policy review for all the users logging into your corportate network.. NAC on a network layer, operates through NAC appliances (CAS,CAM etc). on a LAN, we have the dot1x complimenting the NAC solution, by authenticating users through a local or external database (AD/LDAP etc) , before letting network access to users.. Refer to CCO.. there are tons of documents on NAC.. let us know if you have any other specific query...

Hope this helps.. all the best..

Raj

srue Mon, 01/05/2009 - 13:37

i'm not sure what the OP is really asking, but if i take it literally, mac filtering comes to mind.

yuchenglai Mon, 01/05/2009 - 14:05

Raj,

What if you have a scenario where a handful of users at a company goes home with CAC card readers and accompanying software and installs them on their home PC. Those home PC's could theoretically be able to VPN into the corporate network. How would you stop that from happening using the NAC? I don't think you can unless you install a registry key or file onto the company laptops that clearly identify those assets as company assets. The assets that don't have these registry keys would be identified as non-company asset by the NAC when it interrogates these assets for the registry key. Is this how you would go about preventing rogue administrators from tunneling into the company network using their home machines?

sachinraja Mon, 01/05/2009 - 14:08

cheng

You need to have NAC appliance at various entry points in your network.. with regards to VPN, you can have a CAS server inline or outofband between your firewall and internet router.. in this way, any user who is trying to access resources via VPN, will be denied access.. have a look at this URL:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

similarly you can have NAC for :

1) LAN

2) WAN entry points (Incase of MPLS backbone)

3) Wireless etc

Hope this helps.. all the best..

Raj

Actions

This Discussion