Cisco Support Community
Community Member

NAC Out-Of-Band deployment


Customer wants to implement NAC out-of-band in their organization.

But he has some query:

1. In out-of-band whether CAS will fetch the updates (AV, Patch management etc)from the corresponding servers & push the same to the end user?

2. What will be the configuration in this scenario


Re: NAC Out-Of-Band deployment

The Clean Access Agent can automatically detect numerous AV products and have built in rules for AV Definition Update and Installation

As far as patch management is concerned Clean Access you can leverage the functionality of third party vendors by using various custom checks.

For example if you have BigFix as a patch management solution. You can do checks to make sure that the software is installed on the client and currently running. If it is not you will then be able to have the end user self-remediate using a link or file type requirement.

Many patch management/software distribution clients can then take inventory of the system. If it is missing a requirement the client can then tell the server to push the required software. Once that is finished the CCA agent can check and confirm compliance and bounce the switch port to the Access VLAN

Community Member

Re: NAC Out-Of-Band deployment

Thanks for ur quick reply.

But for remediation purpose, affected client pc has to move bia core network as the remediation servers will be placed in internal segment. In this case the affected pc will travell throught my network & can damage my security policy...

Let me make it clear to you:

1. My AV & PM servers are located into server zone which is connected with core switch.

2. If i implement NAC & any outside user with non updated AV in his/her pc tries to login, then CAS will find this non comliant & will send to remediation zone which is basically a server zone where all AV, PM & remediation servers are located.

3. I want any affected pc say non updated AV, will not travell through my network. They will get an URL & click on that which interims will talk to the AV server a& get the latest updates & push it to the end user.

Whether this is achieveable???


Re: NAC Out-Of-Band deployment

When your users are authenticated but still in the dirty VLAN because they do not meet compliance with network policy they are given temporary access to remediate. You can create filter rules to only allow certain IP's and ports to access the server zone.

So if your AV client needs updated find the apporpiate IP:port and create a rule to allow that type of traffic while blocking the rest. NACA does support alot of anti-virus vendors and many times the CCA can talk to the AV client directly in order to update.

Check out the CAM configuration guide filter setup and checks

CreatePlease to create content