Help required for NAC deployment in existing Enterprise Environment

Unanswered Question
Aug 11th, 2012

Dear All,


I'm completely new to the NAC solution. We have an urgent requirement coming up from a customer for NAC implementation. It's an enterprise network consisting of a DC, a scaled-down DR, a head office and various remote offices. They have already purchased a NAC manager and a single NAC appliance. They want to implement this with minimum changes in the network.


Please suggest some starting points as to how to integrate this NAC solution into the existing network without disrupting any services. Any help would be greatly appreciated. Thanks in advance.

Tarik Admani Sat, 08/11/2012 - 22:45

Hi,


There is no easy way to turn up an install like this, and there are many ways you can deploy Clean Access:


  • L2 Virtual Gateway In Band
  • L2 Virtual Gateway Out of Band
  • L2 Real IP Gateway In Band
  • L2 Real IP Gateway Out of Band
  • *all of the above but with L3 mode*


Based on the remote users, this almost looks like an L3 (Layer 3) deployment, which will involve route maps in order to redirect the users' traffic to the single CAS on the network.


It really requires extensive knowledge of the NAC product to turn this up.


My question to you is why not use a better solution like ISE which is NAC without major network design changes?


Thanks,



Tarik Admani
*Please rate helpful posts*

nayanpanchal Mon, 08/13/2012 - 06:43

Dear Tarik,


Thanks a lot for your quick response.


I'm also looking for a customer requirement gathering document for NAC but am not able to find any. I can think of the following points to start with:


Why does the customer want to deploy NAC?

Will NAC be performing authentication for users? (Only SNMP based; Dot1x is not supported with the current NAC, it is supported with Cisco ISE.)


Should NAC be integrated with AD to validate user credentials?

Should NAC verify AV installation and do remediation if required?

Should NAC monitor any Windows service? For example, if you want to disable Windows Firewall on the workstation, that can be done using NAC.


Should NAC verify installed Windows patches on the workstation? This can be done using NAC, but currently it supports only WSUS and not SCCM.


Please suggest some pointers or feel free to add yours.


Thanks in advance.
