Cisco Support Community

New Member

Authenticate End User Devices using the NAC

All,

It is my understanding that the NAC can authenticate users via a back-end Domain Controller. But is NAC able to authenticate workstations?

4 REPLIES

Re: Authenticate End User Devices using the NAC

NAC can actually authenticate and check security policies (like OS, virus updates etc.) for the end station.. It does do a policy review for all the users logging into your corporate network.. NAC, on a network layer, operates through NAC appliances (CAS, CAM etc.). On a LAN, we have dot1x complementing the NAC solution, by authenticating users through a local or external database (AD/LDAP etc.) before allowing network access to users.. Refer to CCO.. there are tons of documents on NAC.. let us know if you have any other specific query...

Hope this helps.. all the best..

Raj

Gold

Re: Authenticate End User Devices using the NAC

I'm not sure what the OP is really asking, but if I take it literally, MAC filtering comes to mind.

New Member

Re: Authenticate End User Devices using the NAC

Raj,

What if you have a scenario where a handful of users at a company go home with CAC card readers and accompanying software and install them on their home PCs? Those home PCs could theoretically be able to VPN into the corporate network. How would you stop that from happening using the NAC? I don't think you can unless you install a registry key or file onto the company laptops that clearly identifies those assets as company assets. The assets that don't have these registry keys would be identified as non-company assets by the NAC when it interrogates these assets for the registry key. Is this how you would go about preventing rogue administrators from tunneling into the company network using their home machines?

Re: Authenticate End User Devices using the NAC

cheng

You need to have a NAC appliance at various entry points in your network.. With regards to VPN, you can have a CAS server inline or out-of-band between your firewall and internet router.. in this way, any user who is trying to access resources via VPN will be denied access.. Have a look at this URL:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a008074d641.shtml

Similarly, you can have NAC for:

1) LAN

2) WAN entry points (in case of MPLS backbone)

3) Wireless etc

Hope this helps.. all the best..

Raj
