Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
488
Views
5
Helpful
2
Replies

Difference between NAC profiler/collector and NAC server

gpangallo
Level 1
Level 1

‎06-22-2009 02:57 AM - edited ‎02-21-2020 03:31 AM

Hi,

could anyone tell me the difference between NAC collector and NAC server?

Thank you very much.

Best regards.

Giuseppe

0 Helpful
2 Replies 2

edunn
Level 1
Level 1

‎06-23-2009 10:38 AM

NAC Server is the enfoprcement point and required in all in a NAC deployments. The NAC Collector is a software component that is installed on the NAC Server to be used in conjunction with the NAC Profiler.

0 Helpful

clausonna
Level 3
Level 3
In response to edunn

‎06-23-2009 11:53 AM

Sorry edunn, but your description of the NAC Collector is not particularly helpful. If I may:

The NAC Profiler/collector is OEM'd from Great Bay Software. It performs automatic whitelisting of agentless devices, like IP phones and PBXs, printers, etc. In a NAC deployment without the profiler you'd have to go in to the NAC Server and manually enter the MAC addresses and/or IP addresses of devices that should bypass authentication and/or posture assessment. In a small environment that's not a big deal, but with multiple offices and/or subnets (with lots of phones or printers) this can be a hassle. Its also a big risk: If I know you're whitelisting by mac/IP I'll just go to a printer, print out its config page, set my NIC to have the same settings, and boom - I've just bypassed your $$ NAC solution, thankyouverymuch.

The nice thing about the NAC profiler is that its -not- static: every time a switchport goes up/down, or a new MAC address is detected, an SNMP trap gets sent to the profiler. You can also forward (via ip-helper) all DHCP requests to the profiler (it doesn't respond or issue an IP address, of course, but it does look at what options you requested.) It will look at the MAC vendor address, IP address, DHCP options, network traffic (via Netflow), SPAN port traffic, has an open port (eg. 9100 or 515 for printing) or a combination of the above, and dynamically whitelist agentless devices based on confidence level.

Its sort of like a reverse Turing test: if a device says its 'dumb' (no agent) AND acts the way its supposed to, it gets whitelisted. But if the Profiler starts seeing a supposed printer surf the Internet (or start receiving traffic on a port it should, or whatever), then it dynamically removes it from the whitelist, and now it will need to authenticate and pass posture.

You can define different profile groups and what parameters are required for each, and set which groups get whitelisted.

So basically the NAC Server is the gatekeeper, the NAC Manager is the global policy manager, and the NAC Profiler is the automatic whitelister.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card