NAC can actually authenticate and check security policies (like OS, virus updates etc.) for the end station. It does do a policy review for all the users logging into your corporate network. NAC on a network layer operates through NAC appliances (CAS, CAM etc.). On a LAN, we have dot1x complementing the NAC solution by authenticating users through a local or external database (AD/LDAP etc.) before granting network access to users. Refer to CCO; there are tons of documents on NAC. Let us know if you have any other specific query.
What if you have a scenario where a handful of users at a company go home with CAC card readers and accompanying software and install them on their home PCs? Those home PCs could theoretically be able to VPN into the corporate network. How would you stop that from happening using the NAC? I don't think you can unless you install a registry key or file onto the company laptops that clearly identifies those assets as company assets. The assets that don't have these registry keys would be identified as non-company assets by the NAC when it interrogates these assets for the registry key. Is this how you would go about preventing rogue administrators from tunneling into the company network using their home machines?
You need to have a NAC appliance at various entry points in your network. With regards to VPN, you can have a CAS server inline or out-of-band between your firewall and internet router. In this way, any user who is trying to access resources via VPN will be denied access. Have a look at this URL: