Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Difference between NAC profiler/collector and NAC server


could anyone tell me the difference between NAC collector and NAC server?

Thank you very much.

Best regards.


New Member

Re: Difference between NAC profiler/collector and NAC server

NAC Server is the enfoprcement point and required in all in a NAC deployments. The NAC Collector is a software component that is installed on the NAC Server to be used in conjunction with the NAC Profiler.


Re: Difference between NAC profiler/collector and NAC server

Sorry edunn, but your description of the NAC Collector is not particularly helpful. If I may:

The NAC Profiler/collector is OEM'd from Great Bay Software. It performs automatic whitelisting of agentless devices, like IP phones and PBXs, printers, etc. In a NAC deployment without the profiler you'd have to go in to the NAC Server and manually enter the MAC addresses and/or IP addresses of devices that should bypass authentication and/or posture assessment. In a small environment that's not a big deal, but with multiple offices and/or subnets (with lots of phones or printers) this can be a hassle. Its also a big risk: If I know you're whitelisting by mac/IP I'll just go to a printer, print out its config page, set my NIC to have the same settings, and boom - I've just bypassed your $$ NAC solution, thankyouverymuch.

The nice thing about the NAC profiler is that its -not- static: every time a switchport goes up/down, or a new MAC address is detected, an SNMP trap gets sent to the profiler. You can also forward (via ip-helper) all DHCP requests to the profiler (it doesn't respond or issue an IP address, of course, but it does look at what options you requested.) It will look at the MAC vendor address, IP address, DHCP options, network traffic (via Netflow), SPAN port traffic, has an open port (eg. 9100 or 515 for printing) or a combination of the above, and dynamically whitelist agentless devices based on confidence level.

Its sort of like a reverse Turing test: if a device says its 'dumb' (no agent) AND acts the way its supposed to, it gets whitelisted. But if the Profiler starts seeing a supposed printer surf the Internet (or start receiving traffic on a port it should, or whatever), then it dynamically removes it from the whitelist, and now it will need to authenticate and pass posture.

You can define different profile groups and what parameters are required for each, and set which groups get whitelisted.

So basically the NAC Server is the gatekeeper, the NAC Manager is the global policy manager, and the NAC Profiler is the automatic whitelister.