Cisco NAC Server and Asset Number Check? Would it work?

Answered Question
Feb 26th, 2010

Hi all,

A customer directed a question when we presented Cisco NAC today. They were wondering, let's say, a Cisco NAC agent installed client connects to the network switch. It has all the valid applications and patch levels on his/her machine (posture validation checks pass).

However, even if the client passes all the posture check parameters, they would like to know that if the hostname of the client (mostly Windows Laptops) does not exist in their asset database (this database is an asset number database which is in a .csv or similar format) the posture validation should fail.

Have you encountered a request like this before? Is there a feature on NAC server which checks a field against an external database such as an asset database?

Cheers.

Faisal Sehbai Fri, 02/26/2010 - 08:52

Hello,

Short answer is no. Longer explanation is that currently CAS only authenticates users and not computers. You can however create custom checks which can check for the existence of Registry keys and/or files on the filesystem, so you could theoretically create a registry key to be deployed on all your assets and then check through NAC for its existence.

As for computer authentication with NAC, this is in the works but a little ways off right now.

HTH,

Faisal

dumlutimuralp Fri, 02/26/2010 - 08:58

Hi,

Sorry for the expression; however, I am not talking about any kind of computer authentication stuff. Like you have mentioned, the thing is, eventually, when a computer name is set on an end station, that hostname goes into a registry key. Let's say I pull that string from the registry and copy that number and check it against an external database?

Is this possible?

Dumlu

Correct Answer
Faisal Sehbai Fri, 02/26/2010 - 09:05

Dumlu,

Currently that is not possible. You can create checks which can check for values locally, but not against external datastores, so to map this against your thought, NAC would have to know of all the workstation names beforehand and then check against that. This is unwieldy and very, very difficult to scale.

If this is something you and your client think would be a good addition (and it sounds like a good idea) please engage with your account team and ask them to file a Feature request for you.

Thanks,

Faisal
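
Added example, not part of the original thread and not a Cisco NAC feature: since the thread establishes that the check cannot run inside NAC, the hostname-versus-asset-list comparison can be done outside it as a reconciliation report. The `hostname` column name, the origin of the list of seen hostnames and all sample data are assumptions constructed for illustration.

```python
import csv
import io

NETBIOS_MAX = 15  # Windows NetBIOS computer names are at most 15 characters


def normalize(name):
    """Reduce a hostname to a comparable form: short name, upper case, 15 chars."""
    short = name.strip().split(".", 1)[0]  # drop any DNS suffix
    return short.upper()[:NETBIOS_MAX]


def load_assets(csv_text, column="hostname"):
    """Return the set of normalized hostnames found in the asset CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"asset CSV has no {column!r} column")
    # Skip rows where the hostname cell is missing or blank
    return {normalize(row[column]) for row in reader
            if row[column] and row[column].strip()}


def unknown_hosts(seen, assets):
    """Hostnames that connected but have no asset record, in first-seen order."""
    out, done = [], set()
    for name in seen:
        key = normalize(name)
        if key and key not in assets and key not in done:
            done.add(key)  # report each machine once, whatever form it appeared in
            out.append(name.strip())
    return out


# Constructed sample data (assumed column layout, not a real export)
ASSET_CSV = """asset_tag,hostname,owner
A-1001,LT-FIN-0042,finance
A-1002,lt-eng-0007.corp.example,engineering
A-1003, LT-HR-0003 ,hr
"""
# Constructed list of hostnames observed on the network (source is an assumption)
SEEN = ["lt-fin-0042", "LT-ENG-0007", "LT-GUEST-01.corp.example",
        "lt-hr-0003", "LT-GUEST-01"]

if __name__ == "__main__":
    for host in unknown_hosts(SEEN, load_assets(ASSET_CSV)):
        print("not in asset database:", host)
```

This produces a report only; it does not change the posture result NAC returns for the client.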
