Community Member

NAC Appliance and NAC Framework - ambiguous queries

I have gone through a couple of resources about Network Admission Control (NAC):

http://www.cisco.com/en/US/netsol/ns466/netqa0900aecd800fdd6f.html

http://www.ciscopress.com/articles/article.asp?p=662903&seqNum=4&rl=1

http://www.consentry.com/products_features_nac.html

I am looking for a correction to my understanding, because I got a little bit confused.

There are two admission control solution choices:

1 NAC Appliance (standalone box)

2 NAC Framework

NAC Framework (2) includes the following main components:

a- Endpoint security application

b- Posture agent

c- Network access devices

d- Cisco Policy server [Cisco Secure Access Control Server (CS ACS)]

e- Optional servers that operate as policy server decision points and audit servers

f- Optional management and reporting tools are highly recommended

Q1- NAC Appliance is a standalone box; does that mean that NAC Appliance includes (built-in) all the necessary (not optional) components which belong to NAC Framework (please see above)?

Q2- The architecture of NAC Framework includes many different components from Cisco and other vendors (third party). What about NAC Appliance: does it also include the same components from other vendors (third party)?

Q3- How does NAC Appliance get updated, since it is a standalone box? Do we have to connect it to the net to get the necessary updates?

Q4- If I am looking to implement (install) NAC Appliance within my network, do I need to use CS ACS (I guess we do not need to use CS ACS, see link below), or do I have to use other components?

http://www.cisco.com/en/US/netsol/ns466/netqa0900aecd800fdd6f.html

<quote>

Customers are recommended to consider the NAC Framework only when one of the following applies:

Cisco Secure Access Control Server (ACS) is required as the central policy server in the NAC deployment

</quote>

Q5- The initial release of Cisco NAC Framework became available June 2004. What about NAC Appliance (i.e. is it new technology)?

Q6- I could not get what he means by the words "in-band" and "inline" in the above quote?

http://www.cisco.com/en/US/netsol/ns466/netbr0900aecd80355b2f.html

<quote>

NAC Appliance must be deployed as an in-band deployment to support WLANs. In an in-band deployment, the NAC Appliance server is always inline with user traffic-before, during, and after authentication, posture assessment, and remediation.

</quote>

3 REPLIES
Silver

Re: NAC Appliance and NAC Framework - ambiguous queries

In my view NAC appliance is a single device and has all the necessary components in it. NAC framework is good for organizations with some existing security deployment (from participating vendors) or a policy that needs multiple vendor infrastructure. NAC appliance incorporates only Cisco technology. NAC appliance needs an internet connection for updates and can be connected directly (no need of ACS). NAC appliance is new technology and it monitors the traffic inline (with traffic flow) and sits in-band (inside the network).

Silver

Re: NAC Appliance and NAC Framework - ambiguous queries

I found it helpful to buy these two Cisco Press books in order to get my arms around the NAC Framework and NAC Appliance vocabulary:

Cisco Network Admission Control Volume 1 and 2.

I usually buy the books and compare them with the User Guides on CCO just to make sure I understand the concepts.

It's also a good idea to try and attend a Cisco-led seminar in your area. That way you can get answers to your queries much faster, and to any follow-up questions that might arise.

Hope this helps.

Community Member

Re: NAC Appliance and NAC Framework - ambiguous queries

Hi,

Go check Clean Access on CCO for info on NAC Appliance, but here are some answers to get you going:

Q1- NAC Appliance is a standalone box; does that mean that NAC Appliance includes (built-in) all the necessary (not optional) components which belong to NAC Framework (please see above)?

The NAC Appliance is Clean Access and works differently, although Cisco will merge the technologies into the Appliance. NAC Appliance controls switches by SNMP, not 802.1X, and does not use ACS.

Q2- The architecture of NAC Framework includes many different components from Cisco and other vendors (third party). What about NAC Appliance: does it also include the same components from other vendors (third party)?

The NAC Framework (switches, ACS, Trust Agent from Cisco) works with 3rd-party applications such as anti-virus servers from partners such as Trend. There are 75 partners currently.

Q3- How does NAC Appliance get updated, since it is a standalone box? Do we have to connect it to the net to get the necessary updates?

The NAC Appliance gets updated as per the configured schedule (in our case, once an hour) via CCO, and it can do this via a proxy too, for preconfigured checks for over 200 products. The actual update and most of the configuration is done on the Manager Appliance, which controls one or more NAC Appliances.

The client can either use web-based auth or the Clean Access Agent, which can be downloaded. First-time use is invoked by the user trying to browse through the appliance and getting redirected to a sign-on page where they can download the Agent.

Once the Agent is installed, it tries to discover the Manager through the NAC Appliance, and that causes it to pop up and do the posture assessment.

Q4- If I am looking to implement (install) NAC Appliance within my network, do I need to use CS ACS (I guess we do not need to use CS ACS, see link below), or do I have to use other components?

http://www.cisco.com/en/US/netsol/ns466/netqa0900aecd800fdd6f.html

Customers are recommended to consider the NAC Framework only when one of the following applies:

Cisco Secure Access Control Server (ACS) is required as the central policy server in the NAC deployment

You don't need Cisco ACS to use NAC Appliance.

Q5- The initial release of Cisco NAC Framework became available June 2004. What about NAC Appliance (i.e. is it new technology)?

NAC Appliance has been going for about 3 years within Cisco. It was acquired by Cisco (Perfigo).

Q6- I could not get what he means by the words "in-band" and "inline" in the above quote?

http://www.cisco.com/en/US/netsol/ns466/netbr0900aecd80355b2f.html

NAC Appliance must be deployed as an in-band deployment to support WLANs. In an in-band deployment, the NAC Appliance server is always inline with user traffic-before, during, and after authentication, posture assessment, and remediation.

Inline or in-band

For wireless, the NAC Appliance is deployed inline, between the client and the trusted network, which means it is inline all the time.

We have also done inline deployments with VPN (ASA's SSL/IPSec VPN) and used single sign-on with SecurID, Active Directory and other authentication mechanisms.

Out of band

The other deployments (Virtual Gateway means bridge mode, and Router mode) can also be deployed out of band, meaning you can deploy NAC Appliances at the distribution layer that control switches at the access layer, but in this configuration users are inline only during authentication.

It works like this... a user is on a restricted access VLAN; once they authenticate via discovery of the NAC Appliance, it does a posture assessment, moves them into an access VLAN and refreshes their IP.

There are further complications such as setting up SSO with Active Directory, so when the user logs on, the NAC Agent (runs in the systray) auto signs in using the AD credentials.
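The admission flow the answer above describes (client on a restricted VLAN, authentication after agent discovery, posture assessment, then either an SNMP-driven move to the access VLAN in the out-of-band case or continued inline filtering in the in-band case), written out as an added Python model. This is a constructed illustration for this thread, not Cisco Clean Access code: the VLAN numbers, the check names, the endpoint attribute names and the `authenticate` placeholder are all assumptions, and the switch change is only logged rather than sent over SNMP.

```python
"""Constructed model of NAC Appliance admission: in-band vs out-of-band.

Not Cisco code. VLAN numbers, check names and endpoint attributes are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Mode(Enum):
    IN_BAND = "in-band"          # appliance stays inline before, during and after admission
    OUT_OF_BAND = "out-of-band"  # appliance inline only until admission, then it moves the port VLAN


AUTH_VLAN = 999    # restricted/authentication VLAN (constructed value)
ACCESS_VLAN = 10   # production access VLAN (constructed value)

Endpoint = Dict[str, object]   # attributes the agent reports after discovery (constructed schema)


@dataclass
class PostureCheck:
    name: str
    predicate: Callable[[Endpoint], bool]
    mandatory: bool = True   # a mandatory failure blocks admission; an optional failure is only logged


@dataclass
class Decision:
    admitted: bool
    switch_port_vlan: int     # VLAN the access-switch port ends up on
    appliance_inline: bool    # whether user traffic still flows through the appliance
    failed_checks: List[str]
    log: List[str] = field(default_factory=list)


# Constructed policy in the spirit of the "preconfigured checks" the reply mentions
POLICY: List[PostureCheck] = [
    PostureCheck("av_running", lambda e: e.get("av_running") is True),
    PostureCheck("av_defs_max_7_days_old", lambda e: int(e.get("av_defs_age_days", 10**6)) <= 7),
    PostureCheck("os_patches_current", lambda e: e.get("os_patches_current") is True),
    PostureCheck("host_firewall_on", lambda e: e.get("firewall_on") is True, mandatory=False),
]


def authenticate(username: str, password: str, directory: Dict[str, str]) -> bool:
    """Placeholder for web auth, agent SSO or an AD/SecurID back end (assumption)."""
    return directory.get(username) == password


def assess_posture(endpoint: Endpoint, policy: List[PostureCheck]) -> Tuple[List[str], List[str]]:
    """Return (all failed check names, the subset that blocks admission)."""
    failed = [c.name for c in policy if not c.predicate(endpoint)]
    blocking = [c.name for c in policy if c.mandatory and c.name in failed]
    return failed, blocking


def admit(endpoint: Endpoint, username: str, password: str,
          directory: Dict[str, str], mode: Mode, policy: List[PostureCheck] = POLICY) -> Decision:
    """Run the admission sequence and return where the client ends up."""
    log = [f"{username}: agent discovered the appliance; port on VLAN {AUTH_VLAN}"]
    if not authenticate(username, password, directory):
        log.append("authentication failed; client stays on the restricted VLAN")
        return Decision(False, AUTH_VLAN, True, ["authentication"], log)
    failed, blocking = assess_posture(endpoint, policy)
    if blocking:
        log.append(f"posture failed {blocking}; remediation required on the restricted VLAN")
        return Decision(False, AUTH_VLAN, True, failed, log)
    if failed:
        log.append(f"optional checks failed {failed}; admitted with a warning")
    if mode is Mode.OUT_OF_BAND:
        # Out of band: the appliance changes the access-switch port VLAN (via SNMP in the real
        # product), the client refreshes its IP, and the appliance leaves the data path.
        log.append(f"switch port -> VLAN {ACCESS_VLAN}; client refreshes IP; appliance leaves the path")
        return Decision(True, ACCESS_VLAN, False, failed, log)
    # In band: no VLAN change is needed; the appliance itself permits the traffic and stays inline.
    log.append("in-band: traffic permitted through the appliance, which stays inline")
    return Decision(True, AUTH_VLAN, True, failed, log)


# Constructed sample data
DIRECTORY = {"alice": "correct-horse"}
GOOD_ENDPOINT: Endpoint = {"av_running": True, "av_defs_age_days": 2,
                           "os_patches_current": True, "firewall_on": False}
STALE_AV_ENDPOINT: Endpoint = dict(GOOD_ENDPOINT, av_defs_age_days=30)

if __name__ == "__main__":
    for mode in Mode:
        for label, ep in (("good", GOOD_ENDPOINT), ("stale-av", STALE_AV_ENDPOINT)):
            d = admit(ep, "alice", "correct-horse", DIRECTORY, mode)
            print(mode.value, label, "admitted" if d.admitted else "blocked",
                  "vlan", d.switch_port_vlan, "inline", d.appliance_inline)
            for line in d.log:
                print("   ", line)
```

The point of the model is the difference in the last two branches: an out-of-band deployment ends with the switch port moved and the appliance out of the data path, so it is only inline during authentication and posture assessment, whereas an in-band deployment keeps the appliance inline for the whole session, which is why the wireless case in the quoted brief has to be in-band.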
