NAC questions quick help required

Unanswered Question
Jun 10th, 2009

Kindly help me out to understand some concepts of NAC, as it's very urgent:

1) What actually happens before the user provides the credentials to NAC? How does DHCP handle the host; does NAC give it a bogus IP, etc.?

2) If the user is authenticated and scanned, how does NAC accommodate it if they have any virus after that, in both the in-band and out-of-band cases?

3) In OOB, how does the server actually work on the switch port? How does it work, what does it do?

4) Is there any alert mechanism in NAC other than Profiler?

5) What benefits do I have if I use Guest Server?

6) Does NAC detect a new system by MAC address, by link-up, or by DHCP request?

7) Can MAC spoofing of a system/printer be mitigated by NAC Server?

8) Can we buy only the NAC software?

9) What is the difference between NAC Agent, Trust Agent and Nessus? Is CCA any other agent?

Thanks in advance, I hope for a quick reply.

greg.washburn Wed, 06/10/2009 - 18:36

1.) Depends on out-of-band vs. in-band deployment. Out of band, typically the user is given a /30 network IP and switched once posture assessment and role assignment happen. In band, typically the standard DHCP servers give the address out and users are given a valid address. However, they are placed in a role that can be set up to restrict traffic in as much detail as necessary.

2.) Typically NAC would not be looking at whether the user has a virus or not, but rather at whether the user is running AV software with the latest definitions or not.

3.) See answer to question 1.

7.) Use Profiler for that. NAC will probably not help you in most situations where a user tries to bypass NAC by using a different MAC address (such as a whitelisted printer's).

9.) The CCA agent is software installed on a Windows or Linux system. Nessus is a scanning tool that can be used to do additional scanning of a device (even if not used with / before NAC assessment).

sal_jam82 Thu, 06/11/2009 - 07:41

Thanks a lot for this reply, greg.washburn. Can you tell me where I should get the answers to the remaining questions?

halim.abouzeid Fri, 06/12/2009 - 07:00

3) The NAC server will modify the switchport VLAN assignment by using SNMP write.

5) It simplifies and adds more options for guest access to the network.

Check this for many more details: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html

6) It can be done by either MAC address or link-up, but we usually use MAC address, as when you use IP phones the switchport never goes down and up. But in both cases, a device on NAC is identified by its MAC address.

7) To mitigate MAC spoofing you have to use NAC Profiler.

8) I believe you can. All you need to buy is the NAC licenses.
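Not from the thread: an added Python sketch of the kind of behavioural check a profiler applies to a MAC-whitelisted endpoint, illustrating the two answers to question 7 above (a NAC whitelist alone trusts the MAC, so a host reusing a printer's MAC must be caught by comparing what it does against the printer's profile). The whitelist, device profile and endpoint observations are all constructed for this example and are not Cisco NAC Profiler data or code.

```python
# Added example, not from the thread: a minimal profiler-style re-check of
# MAC-whitelisted endpoints. Whitelist, profile and observations are constructed.
from dataclasses import dataclass

# Constructed whitelist: MAC address -> device class the exemption was granted for.
WHITELIST = {
    "00:1b:a9:11:22:33": "printer",
    "00:21:5a:44:55:66": "printer",
}

# Constructed profile of what a printer looks like on the wire: DHCP vendor-class
# substrings it would send and TCP ports a printer would never listen on.
PROFILES = {
    "printer": {
        "dhcp_vendor": {"Brother", "Hewlett-Packard"},
        "forbidden_ports": {135, 445, 3389},  # SMB/RPC/RDP: workstation, not printer
    }
}

@dataclass
class Observation:
    mac: str
    dhcp_vendor_class: str   # option 60 value seen in the host's DHCP request
    listening_ports: set     # TCP ports found open on the host

def check_whitelisted(obs):
    """Return the list of profile violations for a whitelisted MAC (empty list =
    behaviour consistent with the whitelisted class). Returns None for a MAC that
    is not whitelisted, since such hosts go through normal posture assessment."""
    dev_class = WHITELIST.get(obs.mac.lower())
    if dev_class is None:
        return None
    profile = PROFILES[dev_class]
    violations = []
    if not any(v in obs.dhcp_vendor_class for v in profile["dhcp_vendor"]):
        violations.append("dhcp-vendor-mismatch")
    bad_ports = obs.listening_ports & profile["forbidden_ports"]
    if bad_ports:
        violations.append(f"unexpected-ports:{sorted(bad_ports)}")
    return violations

# Constructed samples: the real printer, and a Windows host reusing the other printer's MAC.
GENUINE = Observation("00:1b:a9:11:22:33", "Brother NC-8200h", {9100, 515, 631})
SUSPECT = Observation("00:21:5a:44:55:66", "MSFT 5.0", {135, 445, 3389})

if __name__ == "__main__":
    for o in (GENUINE, SUSPECT):
        print(o.mac, check_whitelisted(o) or "profile consistent")
```

A violation would be the trigger for the profiler to pull the exemption and drop the port back into the authentication VLAN rather than leave the whitelist trusting the MAC.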
