1.) Depends on out-of-band vs. in-band deployment. Out of band, typically the user is given a /30 network IP and switched once posture assessment and role assignment happen. In band, typically the standard DHCP servers give the address out and they are given a valid address. However, they are placed in a role that can be set up to restrict traffic as detailed as necessary.
2.) Typically NAC would not be looking at whether the user has a virus or not, but rather whether the user is running AV software with the latest definitions or not.
3.) See answer to question 1.
7.) Use Profiler for that - NAC will probably not help you in most situations where a user tries to bypass NAC by using a different MAC address (such as a whitelisted printer).
9.) The CCA agent is software installed on a Windows or Linux system. Nessus is a scanning tool that can be used to do additional scanning of a device (even if not used with / before NAC assessment).
6) It can be done by either MAC address or linkup, but we usually use MAC address, as when you use IP phones the switchport never goes down and up. But in both cases, a device on NAC is identified by its MAC address.
7) To mitigate MAC spoofing you have to use NAC Profiler.
8) I believe you can. All you need to buy is the NAC licenses.