some questions about NAC

Unanswered Question
Mar 1st, 2009

I want to deploy NAC in my company, and I have some questions about NAC:

1. If I deploy 1 NAC server and 1 NAC manager in-band:

- When the NAC server dies (NAC manager operates), is traffic bypassed or not? What will happen?

- When the NAC manager dies (NAC server operates), what will happen? Does traffic still connect normally?

Please answer me soon.

Thank you for your support.

Duy

namnt2604 Tue, 03/03/2009 - 01:20

Hi Duy,


- When the NAC server dies, traffic is not bypassed; connections between clients and the trusted side will be lost.

- When the NAC manager dies, you can choose one of 3 cases:

+ traffic is "always bypassed"

+ traffic is "always blocked"

+ certified devices (authenticated users) can go, but not others (I mean unauthenticated users will be blocked)

You can set this feature under Device Management > CCA Servers > Manage [CAS_IP] > Filter > Fallback.

Hope this helps!

mylove142 Tue, 03/03/2009 - 01:23

I think that when the NAC server dies, only new users cannot authenticate; current users can still connect to the Internet normally.

Is that right?

namnt2604 Tue, 03/03/2009 - 01:30

No, it's wrong. In the IB model, when the NAC server dies, users surely cannot connect to the trusted side.

Only in the OOB model, when the NAC server dies, can authenticated users still connect to the trusted side.

I think you should check something like:

+ whether the NAC server is IB or OOB

+ whether the NAC server is Central or Edge

+ VGW or Real IP GW

mylove142 Tue, 03/03/2009 - 17:26

OK, now I understand. I have one more question about NAC Profiler: when I deploy NAC including NAC Profiler, what advantage does it have over deploying NAC alone (I mean without NAC Profiler)?

Thank you for your answer.

Daniel Laden Tue, 03/03/2009 - 20:07

It would be best to post this as a new question, as you may get more input.


Some devices do not participate in Cisco NAC (IP phones, printers) and have to be assigned to roles. The Profiler has two advantages.

1- In large organizations, it may be time consuming to implement and maintain the device filters. The Profiler will populate this information for you based on what the NAC Server/Collector sees on the wire.


2- If someone tries to hijack the MAC address, the traffic pattern may reclassify the device and move it into a more appropriate role.


Thank You,

Dan Laden
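To make the two advantages Dan describes concrete, here is an added example (not Cisco NAC Profiler code, and not from anyone in this thread) of a toy behaviour-based profiler. It assigns a role to a MAC address from the protocols and ports it is seen talking to, exports those assignments as a ready-made device-filter list, and reclassifies an endpoint whose MAC has been hijacked once its recent traffic stops looking like the role it was given. The role signatures, thresholds, MAC addresses and flow records are all constructed for the example.

```python
"""Toy behaviour-based device profiler (added example, not Cisco NAC Profiler).

Idea from the post above: endpoints that cannot run a NAC agent (printers, IP
phones) are exempted by MAC address and placed in a role. Instead of an admin
maintaining that list by hand, the profiler derives the role from what the
device does on the wire, and a device that keeps the MAC but changes behaviour
(a laptop spoofing the printer's MAC) is dropped back into a restrictive role.
All signatures, thresholds and traffic below are assumptions for the example.
"""
from collections import Counter, deque
from dataclasses import dataclass, field

WINDOW = 10          # recent flows kept per endpoint (assumed)
MIN_FLOWS = 5        # flows needed before any role is assigned (assumed)
MAX_FOREIGN = 0.2    # max fraction of flows outside the role's signature (assumed)
FALLBACK_ROLE = "unauthenticated"   # quarantine role for anything unprofiled

# Assumed behaviour signatures: role -> {(proto, dst_port), ...} a device in
# that role is expected to generate. Anything else counts as "foreign".
PROFILES = {
    "printer":  {("tcp", 9100), ("tcp", 631), ("udp", 161), ("udp", 5353)},
    "ip_phone": {("udp", 5060), ("tcp", 2000), ("udp", 69), ("udp", 123)},
}


@dataclass
class Flow:
    src_mac: str
    proto: str
    dst_port: int


@dataclass
class Endpoint:
    mac: str
    role: str = FALLBACK_ROLE
    # Sliding window, so a long benign history cannot mask a hijacked MAC.
    recent: deque = field(default_factory=lambda: deque(maxlen=WINDOW))


def classify(keys) -> str:
    """Return the role whose signature explains the most of the given
    (proto, dst_port) observations, or FALLBACK_ROLE if there are too few
    observations or too many of them fall outside the best signature."""
    seen = Counter(keys)
    total = sum(seen.values())
    if total < MIN_FLOWS:
        return FALLBACK_ROLE
    best_role, best_hits = FALLBACK_ROLE, 0
    for role, signature in PROFILES.items():
        hits = sum(n for key, n in seen.items() if key in signature)
        if hits > best_hits:
            best_role, best_hits = role, hits
    if best_hits == 0 or (total - best_hits) / total > MAX_FOREIGN:
        return FALLBACK_ROLE
    return best_role


class Profiler:
    def __init__(self) -> None:
        self.endpoints: dict[str, Endpoint] = {}
        self.events: list[tuple[str, str, str]] = []   # (mac, old_role, new_role)

    def observe(self, flow: Flow) -> str:
        """Record one flow and re-evaluate the sender's role."""
        ep = self.endpoints.setdefault(flow.src_mac, Endpoint(flow.src_mac))
        ep.recent.append((flow.proto, flow.dst_port))
        new_role = classify(ep.recent)
        if new_role != ep.role:
            self.events.append((ep.mac, ep.role, new_role))
            ep.role = new_role
        return ep.role

    def device_filters(self) -> dict[str, str]:
        """MAC -> role for every profiled endpoint: the device-filter list an
        admin would otherwise have to build and maintain by hand."""
        return {m: e.role for m, e in self.endpoints.items() if e.role != FALLBACK_ROLE}


def demo() -> list[tuple[str, str, str]]:
    """Constructed scenario: a real printer is profiled, then its MAC is hijacked."""
    p = Profiler()
    printer = "00:11:22:aa:bb:cc"   # constructed MAC
    # Constructed traffic: print jobs, IPP and SNMP polls -> profiled as "printer".
    for proto, port in [("tcp", 9100), ("tcp", 631), ("udp", 161), ("tcp", 9100),
                        ("tcp", 9100), ("udp", 161), ("tcp", 631), ("tcp", 9100)]:
        p.observe(Flow(printer, proto, port))
    # Constructed hijack: a laptop spoofs the printer's MAC and starts probing
    # SMB, SSH and RDP on the trusted side -> foreign share exceeds MAX_FOREIGN.
    for proto, port in [("tcp", 445), ("tcp", 22), ("tcp", 3389), ("tcp", 80)]:
        p.observe(Flow(printer, proto, port))
    return p.events


if __name__ == "__main__":
    for mac, old, new in demo():
        print(f"{mac}: {old} -> {new}")
```

In the scenario the MAC is promoted to "printer" after the fifth matching flow and demoted back to "unauthenticated" on the third foreign flow, once the sliding window holds 3 foreign flows out of 10. The two thresholds are the tuning knobs: a lower MAX_FOREIGN catches a hijack sooner but also reclassifies a legitimate printer that happens to fetch a firmware update over HTTP.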
