Authenticate End User Devices using the NAC

yuchenglai
Level 1

All,

It is my understanding that the NAC can authenticate users via a back-end Domain Controller. But is NAC able to authenticate workstations?

sachinraja
Level 9

NAC can actually authenticate and check security policies (like OS, virus updates etc.) for the end station.. It does do a policy review for all the users logging into your corporate network.. NAC on a network layer operates through NAC appliances (CAS, CAM etc.). On a LAN, we have dot1x complementing the NAC solution, by authenticating users through a local or external database (AD/LDAP etc.) before letting network access to users.. Refer to CCO.. there are tons of documents on NAC.. let us know if you have any other specific query...

Hope this helps.. all the best..

Raj

I'm not sure what the OP is really asking, but if I take it literally, MAC filtering comes to mind.

Raj,

What if you have a scenario where a handful of users at a company go home with CAC card readers and accompanying software and install them on their home PCs? Those home PCs could theoretically be able to VPN into the corporate network. How would you stop that from happening using the NAC? I don't think you can unless you install a registry key or file onto the company laptops that clearly identifies those assets as company assets. The assets that don't have these registry keys would be identified as non-company assets by the NAC when it interrogates these assets for the registry key. Is this how you would go about preventing rogue administrators from tunneling into the company network using their home machines?

cheng

You need to have a NAC appliance at various entry points in your network.. With regards to VPN, you can have a CAS server inline or out-of-band between your firewall and internet router.. in this way, any user who is trying to access resources via VPN will be denied access.. Have a look at this URL:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

Similarly, you can have NAC for:

1) LAN

2) WAN entry points (in case of MPLS backbone)

3) Wireless etc

Hope this helps.. all the best..

Raj
