question about out-of-band when deploying NAC

mylove142 · ‎03-05-2009

1. When I deploy NAC, a PC or user device is on the certified list. If User device is infected by virus, NAC Server can recognize device which is infected and prevent PC or not when I deploy out-of-band (not in-band)?

2. When I deploy out-of-band, cisco nac appliance can configure bandwidth for group users or not?

Thank you for your answer.

Duy Khang

greg.washburn · ‎03-06-2009

I would not think of the NAC server as an antivirus product. Instead think of it as a posture assessment device that verifies the pc has antivirus running and up to date. Therefore, assuming the antivirus software catches the example virus and the pc has went thru the NAC's posture assessment the pc's installed antivirus software will handle the remediation of the virus.

greg.washburn · ‎03-06-2009

To your second question, yes. In out-of-band deployments a role / group of users can be bandwidth controlled.

The principle point is that all users being assessed by the NAC machine must be routed thru the device. Given all users are routed thru the device you are able to control / throttle those users /devices.

michael_dean · ‎03-06-2009

1) Answer: No. Clean Access (NAC Appliance) will not detect when a system is infected with a virus, regardless of which deployment (In-Band or Out of Band) is used.

2) Answer: No. When deployed out of band, once the posture is completed, the client traffic no longer goes through the Clean Access server so there is no way to apply bandwidth or any other controls to it via Clean Access. In order to apply bandwidth or access restrictions via CCA, the CCA server would have to be in-band.

Daniel Laden · ‎03-06-2009

Michael is correct that with an OOB solution, Cisco NAC will no longer manage a device once it authenticate and moves to it user role.

-Dan Laden

mylove142 · ‎03-09-2009

Now I see. Thank you for your all answer.