Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
426
Views
0
Helpful
3
Replies

NAC questions quick help required

sal_jam82
Level 1
Level 1

‎06-10-2009 03:07 PM - edited ‎02-21-2020 03:30 AM

kindly help me out to understand some concept of NAC as its very urgent:

1) what does actually hapens before the user provide the credentials to NAC, how DHCP handle the host either NAC give it bogus ip....etc

2)if the user is authenticated and scanned how NAC accomodate if the have any virus after it ...in inband and out-of-band both cases?

3)in OOB how server actually work on switch port, how its work, what it does ?

4)is there any alert mechanism in NAC other then profiler?

5)what benefits i have if i use guest server ?

6)is NAC detect new system by mac-address or links-up or by dhcp request ?

7)is mac spoofing for system/printer can mitigate by NAC server ?

8)can we only buy NAC software ?

9)what is the difference b/w NAC agent,trust agent and nessus ? is cca is any other agent ?

thanks in advance i hope sooner reply

0 Helpful
3 Replies 3

greg.washburn
Level 1
Level 1

‎06-10-2009 06:36 PM

1.) depends on out of band vs in band deployment. Out of band typically user is given a /30 network ip and switched once posture assessment and role assignment happen. In band typically the standard dhcp servers give the address out and they are given a valid address. However they are placed in a role that can be set up to restrict traffic as detailed as necessary.

2.) Typically nac would not be looking if the user has a virus or not but rather if the user is running AV software with the latest definitions or not

3.) See answer to question 1

7.) use profiler for that - nac will probably not help you in most situations where a user tries to bypass nac by using a different mac-address (such as whitelisted printer)

9.) the cca agent is software installed on a windows or linux system. nessus is a scanning tool that can be used to do additional scanning of a device (even if not used with / before nac assessment)

0 Helpful

sal_jam82
Level 1
Level 1
In response to greg.washburn

‎06-11-2009 07:41 AM

thanks alot for this greg.washburn for reply can you tell me from where i shuld get answer's of remaining question ?

0 Helpful

halim.abouzeid
Level 1
Level 1

‎06-12-2009 07:00 AM

3) the nac server will modify the switchort vlan assignment by using snmp write

5) it simplifies and adds more options for guest access to the network.

check this for much more details: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd806e98c9.html

6) it can be done by either mac-address or linkup, but we usually use mac-address as when you use ip phones the switchport never goes down and up. but in both cases, a device on nac is identified by its mac address.

7) to mitigate mac spoofing you have to use NAC Profiler.

8) i believe you can. all you need to buy is the nac licenses.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card