12-31-2008 07:33 AM - edited 02-21-2020 10:22 AM
All,
It is my understanding that the NAC can authenticate users via a back end Domain Controller. But is NAC able to authenticate workstations?
01-05-2009 12:42 PM
NAC can actually authenticate and check security policies (like OS, virus updates etc.) for the end station. It does do a policy review for all the users logging into your corporate network. NAC on a network layer operates through NAC appliances (CAS, CAM etc.). On a LAN, we have dot1x complementing the NAC solution, by authenticating users through a local or external database (AD/LDAP etc.) before letting users have network access. Refer to CCO; there are tons of documents on NAC. Let us know if you have any other specific query.
Hope this helps.. all the best..
Raj
01-05-2009 01:37 PM
I'm not sure what the OP is really asking, but if I take it literally, MAC filtering comes to mind.
01-05-2009 02:05 PM
Raj,
What if you have a scenario where a handful of users at a company go home with CAC card readers and accompanying software and install them on their home PCs? Those home PCs could theoretically be able to VPN into the corporate network. How would you stop that from happening using the NAC? I don't think you can unless you install a registry key or file onto the company laptops that clearly identifies those assets as company assets. The assets that don't have these registry keys would be identified as non-company assets by the NAC when it interrogates these assets for the registry key. Is this how you would go about preventing rogue administrators from tunneling into the company network using their home machines?
01-05-2009 02:08 PM
cheng
You need to have a NAC appliance at various entry points in your network. With regards to VPN, you can have a CAS server inline or out-of-band between your firewall and internet router. In this way, any user who is trying to access resources via VPN will be denied access. Have a look at this URL:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml
Similarly you can have NAC for:
1) LAN
2) WAN entry points (in case of MPLS backbone)
3) Wireless etc
Hope this helps.. all the best..
Raj